Guest Posted August 9, 2020 Share Posted August 9, 2020 (edited) Hello, im using ESET Internet Security and i checked the firewall settings and found this "Also evaluate rules from Windows Firewall" In automatic mode, allow also incoming traffic allowed by rules from Windows Firewall, unless explicitly blocked by ESET rules. so i was wondering if this is a potential flaw because i recently saw videos of malware tests with only Windows Firewall/Defender where it would successfully execute code that adds a lot of different rules to the Windows Firewall and downaload a bunch other stuff. If ESET allows everything that is allowed through a rule in Windows Firewall the same thing could happen if u use ESET or exploit other existing rules maybe. Or am i wrong about that im not an expert at all but im very interested to know how it works and if i should disable it. Also i would like to know if it is a good idea to set my network profile for my normal home connection to "public network" instead of "private network". I always thought if i go with "public network" profile the security would be better and would use stronger settings. Is that true does it provide any security improve even if it is minor ? I never had a problem with it. Thanks in advance Computerjul Edited August 9, 2020 by Computerjul Link to comment Share on other sites More sharing options...
itman 1,659 Posted August 9, 2020 Share Posted August 9, 2020 (edited) 49 minutes ago, Computerjul said: "Also evaluate rules from Windows Firewall" In automatic mode, allow also incoming traffic allowed by rules from Windows Firewall, unless explicitly blocked by ESET rules. This applies to existing Win firewall rules pertaining to inbound network traffic unless specifically blocked by an existing Eset firewall rule. 49 minutes ago, Computerjul said: so i was wondering if this is a potential flaw because i recently saw videos of malware tests with only Windows Firewall/Defender where it would successfully execute code that adds a lot of different rules to the Windows Firewall and downaload a bunch other stuff. Allowing inbound Win firewall rules is basically "a doubled edged sword." Whereas this option allows for trouble-free operation of a lot of legit Win 10 network traffic such as Store apps, the problem lies in how Win 10 firewall rules at stored. They are stored in clear text in the Registry and are not natively protected from modification. Although not a frequent occurrence, attackers have been able to create Win firewall rules to allow their inbound traffic. Mitigations against this are custom Eset HIPS rules that monitor Registry modification utilities and the like use such as reg.exe, etc.. Edited August 9, 2020 by itman Link to comment Share on other sites More sharing options...
Guest Posted August 9, 2020 Share Posted August 9, 2020 8 minutes ago, itman said: This applies to existing Win firewall rules pertaining to inbound network traffic unless specifically blocked by an existing Eset firewall rule. Does that mean if ESET is already running (without any new custom made HIPs rules) on my computer and somehow a executable manages to run code to add a rule to Windows Firewall does that traffic is allowed or not ?` 10 minutes ago, itman said: Allowing inbound Win firewall rules is basically "a doubled edged sword." Whereas this option allows for trouble-free operation of a lot of legit Win 10 network traffic such as Store apps, the problem lies in how Win 10 firewall rules at stored. They are stored in clear text in the Registry and are not natively protected from modification. Although not a frequent occurrence, attackers have been able to create Win firewall rules to allow their inbound traffic. Mitigations against this are custom Eset HIPS rules that monitor Registry modification utilities use such as reg.exe and the like. And thank you for the explanation. Do u or anyone else know what exactly is changed in terms of security and settings (allowed and denied connections) between public and private network? Because i always used public network profile for my home connection. Link to comment Share on other sites More sharing options...
itman 1,659 Posted August 9, 2020 Share Posted August 9, 2020 (edited) 2 hours ago, Computerjul said: Does that mean if ESET is already running (without any new custom made HIPs rules) on my computer and somehow a executable manages to run code to add a rule to Windows Firewall does that traffic is allowed or not ?` If the question is if Eset by default monitors for modification of Win firewall rules, the answer is no. 2 hours ago, Computerjul said: Do u or anyone else know what exactly is changed in terms of security and settings (allowed and denied connections) between public and private network? Because i always used public network profile for my home connection. If this is in regards to the Eset firewall, the simplest answer is the following. The Eset Public profile will not allow by default any inbound traffic from other devices on your local network other than the router. Edited August 9, 2020 by itman Link to comment Share on other sites More sharing options...
Recommended Posts