We have all been using the built-in firewall through the Control Panel, set the in/out permissions and consider ourselves safe, but how foolproof is it? For example, I had noticed in the past (a few years ago) that some apps can change or alter those rules. Once I had installed VirtualBox and it added its own firewall rule to allow itself internet access (both in and out). However, I removed those rules, but when I upgraded VirtualBox to a newer version, it recreated those rules again! This led me to the question: how safe is the firewall really? If any app can add/subtract the rules, then what good is the firewall? Suppose somebody writes an app that adds a firewall rule to allow free access, then does everything they want (like create a botnet, etc.) and then removes that rule. What will happen then? Will such an event even be recorded somewhere to later prove that the app did it?
You told Windows you trusted VirtualBox by OK'ing the UAC prompt you got before it let you install it. You probably wouldn't do that for malware. And I'm not certain, I don't use VB, but it's possible during setup it asks if you want it to create firewall rules automatically.
OK. That means apps that don't ask for UAC prompts won't be able to alter the firewall? That makes me feel somewhat better, but even then, is there an Event Log or something written when an app actually does modify the rules? (I clearly remember that VB did not ask my permission regarding internet access rules at that time. However, this was an early 3.x version; I have found that later 4+ versions of VB didn't change the firewall rules.)
Apps that don't ask for UAC are not installed at an administrative level (with Administrator privileges), which is required to make administrative changes such as changing firewall rules. Have a look in Event Viewer for logs.
Thanks, I've found it here: technet.microsoft.com/en-us/library/ff428140(v=ws.10).aspx. The events are actually found in Application and Services Logs => Microsoft => Windows => Windows Firewall With Advanced Security => Firewall. My doubts are now cleared.
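The log named in the comment above can be queried from PowerShell, which is the quickest way to answer the original question ("will such an event even be recorded?"). The following is an added example, not code from the thread or from Microsoft's documentation. It assumes the standard event IDs of that log (2004 = rule added, 2005 = rule modified, 2006 = rule deleted) and the usual EventData field names (`RuleName`, `ApplicationPath`, `ModifyingUser`, `ModifyingApplication`); if a field name differs on your build, the raw `Message` column is kept so nothing is lost. Run it from an elevated PowerShell session so the log is readable.

```powershell
# Added example (not from the thread). Lists recent firewall rule changes from the
# operational log "Windows Firewall With Advanced Security/Firewall", including
# which process and user made each change.
# Assumption: event IDs 2004/2005/2006 and the EventData field names below are the
# standard ones for this log.

$FirewallLog    = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$RuleChangeIds  = @(2004, 2005, 2006)
$ActionById     = @{ 2004 = 'Added'; 2005 = 'Modified'; 2006 = 'Deleted' }

function Get-FirewallRuleChange {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-30),   # how far back to look
        [int[]]   $Id        = $RuleChangeIds
    )

    $filter = @{ LogName = $FirewallLog; Id = $Id; StartTime = $StartTime }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time           = $evt.TimeCreated
                Action         = $ActionById[$evt.Id]
                RuleName       = $data['RuleName']
                Program        = $data['ApplicationPath']
                ModifyingUser  = $data['ModifyingUser']
                ModifyingApp   = $data['ModifyingApplication']
                Message        = $evt.Message   # raw text, in case a field name differs
            }
        }
}

# Usage: show the last month of rule changes, newest first.
Get-FirewallRuleChange | Sort-Object Time -Descending | Format-Table -AutoSize
```

The `ModifyingApplication` field is what ties a change back to the installer or program that called the firewall API, so a rule that appears and later disappears still leaves two entries here. One caveat a defender should keep in mind: the same administrative rights that allow a program to change rules also allow it to clear this log, so if the evidence matters, forward the log to a collector (Windows Event Forwarding or a SIEM) rather than relying on the local copy.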
OK. So does that mean that granting Administrative privilege on the UAC prompt will provide something like root access in the Linux world? Meaning that the program can do just about anything it wants, including formatting the hard drive and wiping off the partitions?
Yeah, it's basically the Windows equivalent of "sudo". However, it's important to note that UAC is only really secure in its highest setting ("always notify"). The other settings grant silent auto-elevation to some of Windows' own executables, which is less annoying, but could potentially be exploited by malicious apps. That's the tradeoff between security and convenience.
Interesting thread, thank you... Is "Allowed Programs" a way to see ALL "apps" that have admin privilege? E.g., do I need to allow Nvidia's Shield streaming?
If you are talking about Windows Firewall, then no. It doesn't grant the app admin privilege, but only allows it to pass through the firewall. Admin privilege is a different thing, where you right-click the app and click on "Run as Administrator" (or, in the case of some setup/MSI installation files, that happens automatically as they try to perform some privileged tasks like changing the firewall rules, and you get a UAC prompt). As a general rule, you don't allow any program admin privilege unless you face an issue and specifically know that allowing that privilege is going to solve it.
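Since "Allowed Programs" is only a list of firewall exceptions, the useful review is not "which apps are admin" but "which enabled allow rules are tied to a program path, and does that program still exist". The following is an added example, not code from the thread; it uses the `NetSecurity` cmdlets that ship with Windows 8/Server 2012 and later (`Get-NetFirewallRule`, `Get-NetFirewallApplicationFilter`) and flags rules whose target binary is missing, which is a common leftover from uninstalled software.

```powershell
# Added example (not from the thread). Inventories enabled Allow rules that are
# scoped to a specific program, expanding %ProgramFiles%-style paths and checking
# whether the binary still exists on disk.
# Assumption: NetSecurity module available (Windows 8 / Server 2012 or newer).

function Get-ProgramAllowRule {
    param(
        [ValidateSet('Inbound', 'Outbound')]
        [string]$Direction = 'Inbound'
    )

    Get-NetFirewallRule -Enabled True -Action Allow -Direction $Direction |
        ForEach-Object {
            $rule = $_
            # The application filter holds the program path the rule applies to.
            $app  = $rule | Get-NetFirewallApplicationFilter
            if ($app.Program -and $app.Program -ne 'Any') {
                $path = [Environment]::ExpandEnvironmentVariables($app.Program)
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    Profile   = $rule.Profile
                    Direction = $rule.Direction
                    Program   = $path
                    Exists    = Test-Path -LiteralPath $path
                }
            }
        }
}

# Usage: list inbound program exceptions and highlight ones pointing at files
# that no longer exist (stale rules worth removing).
$rules = Get-ProgramAllowRule -Direction Inbound
$rules | Sort-Object Program | Format-Table -AutoSize
$rules | Where-Object { -not $_.Exists } |
    ForEach-Object { Write-Warning "Stale allow rule '$($_.Rule)' -> $($_.Program)" }
```

Rules with `Program = Any` are deliberately skipped here because they are port- or service-based exceptions rather than per-application ones; rerun with `-Direction Outbound` to see the other half, which is where the thread's concern about a program quietly granting itself network access would show up.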
Given you can easily turn it completely off, it's not foolproof at all. It does a reasonable job of keeping things out, but has always done a poor job of monitoring, inspecting, and limiting outbound communication. As to foolproof things in general, as soon as they build a foolproof anything, along comes a better fool.