Microsoft firewall should not be trusted

Wednesday, April 24, 2013 5:45
(Before It's News)

I have a Windows 8 machine that is using the Windows 8 firewall to block outbound IPv4 pings (ICMP, any process) that are not on the local subnet, and a Vigor hardware router that logs and then blocks any outbound pings to the Internet.

Trouble is, the MS firewall is not blocking these pings, which I assume are coming from a virus, and yet the MS firewall works just fine from CMD.exe when I try a manual ping, even with a short TTL.

I have run Wireshark and MS Network Monitor (MSNM) to check that these pings are indeed coming from what I assume is an infected machine, and they are, but I cannot find the process because MSNM lists the offending connections as "Unknown". It looks to me like the MS firewall just passes any traffic where it cannot work out which process is making the connection, so it is a good job I used the router's firewall.
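As an added example, not part of the original post, the following elevated PowerShell session does what the post describes by hand: it adds an outbound block rule for ICMPv4 echo requests whose destination is in the firewall's predefined "Internet" address set (so local-subnet pings still work), turns on dropped-packet logging, and enables Windows Filtering Platform auditing so that Security events 5152 (packet dropped) and 5157 (connection blocked) can be read back. Those audit events carry the owning process ID and image path, which is the attribution the firewall log and Network Monitor do not give for ICMP. The rule name, the test destination 8.8.8.8 and the five-minute window are this example's own choices; the cmdlets are the standard NetSecurity module on Windows 8 and later.

```powershell
# Added example (not the post author's code). Run in an elevated PowerShell
# on Windows 8 or later. Rule name, test destination and time window are
# assumptions made for this example only.

$ruleName = 'Block outbound ICMPv4 echo to Internet'   # example rule name

# 1. Block outbound ICMPv4 type 8 (echo request) to the "Internet" predefined
#    address set. Local-subnet and intranet destinations are not matched,
#    so pings on the LAN keep working.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress Internet -Profile Any | Out-Null
}

# 2. Log dropped packets on every profile so the rule's effect can be checked
#    in pfirewall.log (path below is the Windows default).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Enable WFP auditing. Security events 5152 / 5157 include ProcessId and
#    Application, i.e. which image the filtering platform attributed the
#    packet to. This is the piece a packet capture alone cannot supply.
auditpol /set /subcategory:'Filtering Platform Packet Drop' /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:'Filtering Platform Connection'  /success:enable /failure:enable | Out-Null

# 4. Send one test ping to an Internet address (expected to be blocked now),
#    then list recent ICMP drop/block events with their owning process.
ping -n 1 8.8.8.8 | Out-Null   # 8.8.8.8 is an example destination only

Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5152, 5157
        StartTime = (Get-Date).AddMinutes(-5)
    } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.Protocol -eq '1') {             # IP protocol 1 = ICMP
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                ProcessId = $data.ProcessId
                Image     = $data.Application      # device-form path, e.g. \device\harddiskvolume2\...
                Dest      = $data.DestAddress
                Direction = $data.Direction
            }
        }
    } | Format-Table -AutoSize
```

If the Image column shows the System process (PID 4) for the unwanted echo requests, the packets are being generated by a kernel component or driver rather than a user-mode process, which is exactly the case that process-level tools such as Task Manager or per-process firewall rules cannot resolve; a kernel-level sender is also the one situation where the "block any process" rule above is the right shape, since there is no image path to match on. Remove the test rule afterwards with `Remove-NetFirewallRule -DisplayName $ruleName` if it is not wanted permanently.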


This clever little virus only pings when other programs are using the Internet on ports 80 and 443, but it uses a very short TTL (4-6) for the ping. I have inspected the data element and it does not have the usual 'abcdef...' inside, and the addresses it pings are those of websites that were visited by a browser running on the machine about two minutes earlier, but the virus stops sending pings if the browser is set up to use a proxy server on the local LAN.

I've killed just about every process I can, have stopped dozens of services, and have looked inside svchost, but I am still unable to see anything unusual. At odd times I have seen the process "Explorer" (not IExplorer) kicking out to the Internet, so it could be inside that.

Yes, I know how to rebuild a machine, and I know about ZoneAlarm and the others, but I don't think they connect low enough down the network stack to catch this one, which seems to exploit one of the many back doors Microsoft deliberately leaves open. I would like to nail this virus myself, so any help would be appreciated if you know something I have not already pointed out.

The facts are that Microsoft does not want anyone to block outbound connections and is unhelpful in helping users prevent data being pulled from their machines, because most of the time it is Microsoft that is doing the pulling. That is why most of the Win APIs needed to build a firewall will not work with Visual Basic or C# and rely on P/Invoke to APIs that get broken on every new upgrade or service pack.

Bottom line: get yourself a hardware firewall as a last line of defence, but not a Vigor unless you are illogical, because that is a minimum requirement for understanding the logic needed to program firewall rules on a Vigor router.
