XP SP2 Firewall warning

How is this supposed to greatly slow down virus makers?

Well, the dumber ones will hard-code into the program an address to connect to for instructions. What that does is leave a nice trail for the feds to follow and apprehend the virus developer. That is what Microsoft is hoping for, at least. In the real world nobody is going to be stupid enough to do it that way. What they will do is simply turn the firewall OFF and be back to business as usual.

Microsoft even provides a command-line interface for this through netsh (usable only if the user is logged in with admin rights, which is exactly the context most malware of the day runs in). If you'd like to disable the firewall, do this from the command prompt:

netsh firewall ipv4 set opmode mode=disable

(That is the pre-release SP2 syntax; the released SP2 drops the ipv4 keyword, so it becomes netsh firewall set opmode mode=disable.)

An alternate route is through VBScript, using the same COM interface the firewall control panel uses (again, admin rights required):

' Disable the SP2 firewall on the active profile via the HNetCfg COM object
Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
objPolicy.FirewallEnabled = False
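The flip side of the two one-liners above is the check an administrator or incident responder wants: has something switched the firewall off? The script below is an added example, not code from the original article. It reads the same HNetCfg.FwMgr COM object the VBScript uses, also checks the service the SP2 firewall runs in (SharedAccess on XP, an assumption stated in the code; later Windows uses a different service name), and can switch the firewall back on. It assumes PowerShell is installed, which XP SP2 did not ship with; the COM interface itself is unchanged on later Windows.

```powershell
# Added example (not from the original article): detect a disabled SP2
# firewall, whether it was turned off by netsh, by the VBScript above, or by
# stopping its service, and optionally repair it. Needs admin rights, like the
# one-liners it guards against. Assumes PowerShell is present; the service name
# SharedAccess is the XP one (it is not the same on Vista and later).

function Get-FirewallState {
    $mgr  = New-Object -ComObject HNetCfg.FwMgr
    $prof = $mgr.LocalPolicy.CurrentProfile
    $svc  = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProfileType       = $prof.Type                        # 0 = domain, 1 = standard
        FirewallEnabled   = [bool]$prof.FirewallEnabled
        ExceptionsBlocked = [bool]$prof.ExceptionsNotAllowed  # the "Don't allow exceptions" box
        ServiceStatus     = $(if ($svc) { $svc.Status } else { 'NotFound' })
    }
}

function Test-FirewallEnabled {
    param([switch]$Repair)
    $s  = Get-FirewallState
    # The COM flag alone is not enough: with the service stopped there is no
    # filtering at all, whatever FirewallEnabled says.
    $on = $s.FirewallEnabled -and ($s.ServiceStatus -eq 'Running')
    if ($on) {
        Write-Host ("OK: firewall on, profile {0}, exceptions blocked: {1}" -f `
            $s.ProfileType, $s.ExceptionsBlocked)
        return $true
    }
    Write-Warning ("Firewall OFF: FirewallEnabled={0} service={1}" -f `
        $s.FirewallEnabled, $s.ServiceStatus)
    if (-not $Repair) { return $false }

    if ($s.ServiceStatus -ne 'Running') {
        Set-Service   -Name SharedAccess -StartupType Automatic
        Start-Service -Name SharedAccess
    }
    # Same property the VBScript sets to False; here it goes back to True.
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    $mgr.LocalPolicy.CurrentProfile.FirewallEnabled = $true
    Write-Host "Firewall re-enabled on the current profile"
    return $true
}

Test-FirewallEnabled -Repair
```

Run it from a scheduled task or logon script and the "turn it off and get back to business" trick at least becomes noisy; it does nothing against malware that simply runs the same repair in reverse, which is the point the article is making.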

A great place for information on getting around this firewall is its own MSDN pages, which document the same interfaces used above. It's open for discussion in our software forum too. I'm very interested in Windows exploits.

Another place I was reading was here.

Application white list. Prior to SP2, applications needed to call the ICF APIs to enable the necessary listening ports to be open to send and receive messages. This proved difficult in peer-to-peer situations when the port was not known in advance. Further, it was up to the application to close the hole in the firewall, which could lead to unnecessary openings in the firewall should the application terminate unexpectedly. Additionally, these holes could only be opened by applications running in the security context of a local administrator. In SP2, an application that needs to listen to the network can be added to the Application White List. An application on the white list will have the necessary listening hole created automatically. By having an application on the white list, only necessary ports are opened, and they are only opened for the duration that the application is listening on it. This prevents an application from opening up a port it's not using and either deliberately or inadvertently exposing another application or service to network traffic from that port. Further, this also allows applications listening to the network to run as a regular user. Applications that work with stateful filtering do not need to be placed on the white list. Only administrators can add an application to the white list.
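The white list is exposed through the same COM object as the on/off switch, so it is worth auditing for the same reason: anything running as an administrator can add itself to it. The script below is an added example, not code from the original article or from Microsoft. It lists the current profile's Application White List, flags entries a practitioner would want to look at (the flag heuristics are the editor's own, not anything the page states), and shows how an entry is added. It assumes PowerShell is present; the numeric Scope and IpVersion constants are the documented NET_FW_SCOPE_* and NET_FW_IP_VERSION_* values.

```powershell
# Added example (not from the original article): audit and extend the SP2
# Application White List via HNetCfg.FwMgr. Admin rights required, as the
# quoted text says. The "suspect" path patterns below are an illustrative
# heuristic chosen for this example, not anything from the page.

function Get-FirewallWhiteList {
    $mgr  = New-Object -ComObject HNetCfg.FwMgr
    $apps = $mgr.LocalPolicy.CurrentProfile.AuthorizedApplications
    foreach ($app in $apps) {
        $path  = [Environment]::ExpandEnvironmentVariables($app.ProcessImageFileName)
        $flags = @()
        if (-not $app.Enabled)      { $flags += 'disabled' }
        if ($app.Scope -eq 0)       { $flags += 'any-source' }     # NET_FW_SCOPE_ALL
        if (-not (Test-Path $path)) { $flags += 'image-missing' }  # stale or hidden binary
        if ($path -match '\\(Temp|Temporary Internet Files)\\') { $flags += 'temp-dir' }
        New-Object PSObject -Property @{
            Name    = $app.Name
            Image   = $path
            Enabled = [bool]$app.Enabled
            Scope   = $app.Scope
            Flags   = ($flags -join ',')
        }
    }
}

function Add-FirewallWhiteListEntry {
    param([string]$Name, [string]$ImagePath)
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    $app = New-Object -ComObject HNetCfg.FwAuthorizedApplication
    $app.Name                 = $Name
    $app.ProcessImageFileName = $ImagePath   # full path to the executable
    $app.IpVersion            = 2            # NET_FW_IP_VERSION_ANY
    $app.Scope                = 1            # NET_FW_SCOPE_LOCAL_SUBNET, tighter than the default ALL
    $app.Enabled              = $true
    $mgr.LocalPolicy.CurrentProfile.AuthorizedApplications.Add($app)
}

Get-FirewallWhiteList | Format-Table Name, Image, Enabled, Scope, Flags -AutoSize
```

Note what the list does not tell you: an entry only says which image may listen, not on which port, since SP2 opens whatever port the process actually binds while it is listening. A peer-to-peer client on the list can therefore be an attractive thing for malware to inject into.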

This explains what that box above is for: it sets the white list. However, there is NO application black list. That is something that is part of any decent firewall program, and it's what we're whining about. Note also that the SP2 firewall filters inbound traffic only; a program that is already running can connect out without anyone being asked.

Other than stealthing all of your ports, the boot-time security is something they DID do right. I don't believe I've seen a third-party application capable of allowing this.

Boot time security. In earlier versions of Windows there is a window of time between when the network stack started and when ICF provided protection. Consequently, a packet could have been received and delivered to a service without ICF filtering it, potentially exposing the computer to vulnerabilities. In SP2, the firewall driver has a static rule called a boot-time policy to perform stateful filtering. This will allow the computer to perform basic networking tasks such as DNS and DHCP and communicate with a Domain Controller to obtain policy. Once the firewall service is running, it will load and apply the run-time ICF policy and remove the boot-time filters. This change should increase system security without affecting applications.


Written By: Martin
Date: 6-24-04