Wish: Alert about changed executables

Postby sp4096 » Sun Feb 12, 2017 4:27 am

Would it be a large scope-creep to ask about changed files? Currently Sphinx sees changes by full path, I believe. But a check, MD5 or SHA, would really be nice. And a prompt about the change with Yes/No. Or automatic deny + alert on change.
I realize that Windows, especially 10, makes so many changes, it might be unmanageable to be flooded with prompts, but perhaps it could be done.
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: Wish: Alert about changed executables

Postby VistaFirewallControl » Sun Feb 12, 2017 2:16 pm

Honestly the option was discussed many times, implemented in a previous version and finally discontinued.

Actually you need to verify process integrity, not an exe file.
Network activity is issued when an exe file is launched, i.e. by a process, not by a file.
A process typically loads a lot of DLLs, so the option would require checking all the DLLs loaded.
The process can load DLLs dynamically, so the firewall should trace DLL loading/unloading as well (i.e. trace the process behavior from within the process, far beyond the direct firewall purpose. Right?).
Moreover DLLs can be injected dynamically by third party processes. The operation is pretty legal, well documented and used by a lot of very useful third party applications.

What was done in that version is process memory hash checking.
But as it turned out, the amount of false alarms ruined the sense of the option.
The process memory can mutate significantly under normal circumstances.
As a result the amount of false alarms forced us to switch the option off first and finally exclude it completely.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
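To make the distinction above concrete, here is an added Python example (not the firewall's own code) that runs an exe-only hash check beside a whole-process check over the executable plus its loaded modules. File contents, paths and the module list are constructed stand-ins; a real implementation would hash the files on disk and enumerate the live module list from the OS.

```python
import hashlib
from typing import Dict, Iterable

# Constructed stand-ins for on-disk files (path -> content); not real binaries.
BASELINE_FILES: Dict[str, bytes] = {
    r"C:\Windows\explorer.exe": b"explorer build 1",
    r"C:\Windows\System32\shell32.dll": b"shell32 build 1",
    r"C:\Windows\System32\user32.dll": b"user32 build 1",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: Dict[str, bytes], paths: Iterable[str]) -> Dict[str, str]:
    """Hash every path in `paths` that exists in `files`; missing files are skipped."""
    return {p: sha256_hex(files[p]) for p in paths if p in files}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Per-path verdicts: 'changed' (hash differs), 'added' (not in baseline), 'removed'."""
    verdicts: Dict[str, str] = {}
    for path, digest in current.items():
        if path not in baseline:
            verdicts[path] = "added"
        elif baseline[path] != digest:
            verdicts[path] = "changed"
    for path in baseline:
        if path not in current:
            verdicts[path] = "removed"
    return verdicts


def compare_checks() -> Dict[str, Dict[str, str]]:
    """Exe-only check vs. whole-process check on a constructed scenario where a
    system DLL is replaced on disk and an extra DLL is loaded into the process."""
    exe = r"C:\Windows\explorer.exe"
    modules = [exe, r"C:\Windows\System32\shell32.dll", r"C:\Windows\System32\user32.dll"]
    base_exe = snapshot(BASELINE_FILES, [exe])
    base_proc = snapshot(BASELINE_FILES, modules)

    runtime_files = dict(BASELINE_FILES)
    runtime_files[r"C:\Windows\System32\user32.dll"] = b"user32 build 2"  # replaced on disk
    runtime_files[r"C:\Temp\injected.dll"] = b"third-party module"       # loaded at runtime
    runtime_modules = modules + [r"C:\Temp\injected.dll"]

    return {
        "exe_only": diff_snapshots(base_exe, snapshot(runtime_files, [exe])),
        "process": diff_snapshots(base_proc, snapshot(runtime_files, runtime_modules)),
    }
```

The exe-only check reports nothing while the process-level check flags both the replaced DLL and the added module; note that a legitimate Windows update of user32.dll would produce the same "changed" verdict, which is the false-alarm problem described above.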

Re: Wish: Alert about changed executables

Postby sp4096 » Mon Feb 13, 2017 3:42 am

It would be scope-creep.
You put a nice perspective on this for me, thanks. (Actually Outpost (on XP and 7) does much of that complicated stuff, but it is not a pure packet filtering job.)

Re: "Actually you need to verify process integrity, not an exe file."
Both really. If there was no Microsoft interference/update, and explorer, rundll, wscript, regsrv, hash changed, that would be bad news I wouldn't mind being alerted about as the first line of monitoring.
But I see your point of it being insufficient and causing false positives. It belongs elsewhere I suppose (in HIPS, Behavior, Exploits, fileless memory injections...) to keep this firewall a pure traffic watch.
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: Wish: Alert about changed executables

Postby VistaFirewallControl » Mon Feb 13, 2017 12:46 pm

> (Actually Outpost (on XP and 7) does much of that complicated stuff, but it is not a pure packet filtering job.)

Probably because it checked hashes on exes only.
This can be bypassed easily, though as a marketing option it looks good.


>But I see your point of it being insufficient and causing false positives. Belongs elsewhere I suppose (in HIPS, Behavior, Exploits, fileless memory injections...) to keep this firewall to be a pure traffic watch

Actually process monitoring is a different area.
Maybe sometime we make the step into
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

