Full Disclosure mailing list archives

RE: Give XP SP2 a chance


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 14 Aug 2004 17:33:33 +1200

Goencz, Otto wrote:

[restructured to cure top-postingitis]

I installed XP service pack 2, sure the firewall was there did it bitch
sure it did but I left it up. Told it to allow the applications that use
the net to work.<<

Does the XP firewall do application level outbound blocking? I thought it
just blocked incoming connections?

Yes, it does bi-directional filtering...

Not really...

The new XP firewall asks to allow unknown applications to bind to a 
port -- that is, to set up as listeners.  That is only part of what 
most folk consider "application level outbound blocking".  For 
instance, a bot that simply connects outbound to an IRC server will not 
raise a warning, but if it tries to bind a port to set up a direct 
access backdoor or run a simple TFTP or HTTP server (perhaps to provide 
copies of itself to other machines it has scanned and compromised with 
a call-back payload), the firewall will alert.

MS had to walk a fine line there between providing a more useful PFW 
and being dragged into court for anti-competitive practices if it 
provided a "full function" PFW that would clearly be detrimental to an 
independent group of software developers.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
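
An added example, not part of the original message: Python that sorts `netstat -ano` output along the line the post draws, separating processes that have bound a port (the case the post says makes the firewall alert) from processes that only connect outbound (the case it says raises no warning), so the second group can be reviewed separately. The sample rows, PIDs and addresses are constructed, and `parse` and `classify` are names chosen for this illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (PIDs and addresses are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.10:1042      192.0.2.5:6667         ESTABLISHED     1432
  TCP    192.168.1.10:1050      192.0.2.80:80          ESTABLISHED     1500
  TCP    192.168.1.10:8080      192.168.1.22:3301      ESTABLISHED     1500
  UDP    0.0.0.0:69             *:*                                    1500
"""

def parse(text):
    """Yield (proto, local_port, remote, state, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the row is one field shorter.
        state = f[3] if f[0] == "TCP" and len(f) >= 5 else ""
        yield f[0], int(f[1].rsplit(":", 1)[1]), f[2], state, int(f[-1])

def classify(text):
    rows = list(parse(text))
    bound = defaultdict(set)      # pid -> ports the process has bound
    for proto, lport, _, state, pid in rows:
        if state == "LISTENING" or proto == "UDP":
            bound[pid].add((proto, lport))
    outbound = defaultdict(list)  # pid -> remote endpoints it connected out to
    for proto, lport, remote, state, pid in rows:
        # A connection on a port the process itself listens on was inbound.
        if state == "ESTABLISHED" and (proto, lport) not in bound.get(pid, ()):
            outbound[pid].append(remote)
    return {
        "binds_port": {pid: sorted(p) for pid, p in bound.items()},
        "outbound_only": {pid: r for pid, r in outbound.items() if pid not in bound},
    }

if __name__ == "__main__":
    result = classify(SAMPLE)
    for pid, ports in sorted(result["binds_port"].items()):
        print(f"PID {pid} binds {ports}: the case the firewall asks about")
    for pid, remotes in sorted(result["outbound_only"].items()):
        print(f"PID {pid} only connects out to {remotes}: no prompt expected")
```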

