How vulnerable is FFW to malware attacks?

[maestropss]

Hi.

Certain manipulations with group policies, WFW settings and WFW registry ACL settings allow completely block any possibilities to disable built-in windows firewall to avoid any attacks from malware, as well as prevent any modifications of the rules.

What can you recommend to minimize attack surface for Fort FW (except for blocking traffic option in the settings, password protection of uninstall and general advice to install AV).

• For example, how to protect Fort driver from being unloaded by a malware (does "disable service controls" option prevent driver unloading)?
• How to block or protect with a password adding rules from command prompt which a malware can stealthily make in the background?

Thanks

[tnodir]

How to block or protect with a password adding rules from command prompt which a malware can stealthily make in the background?

Commands from command prompt are processed by Fort's UI process. So, it'll request a password for commands too.

[tnodir]

how to protect Fort driver from being unloaded by a malware (does "disable service controls" option prevent driver unloading)?

There is no protection for Fort's driver. Admin can stop or uninstall it.

The "disable service controls" option is for Service only.

[tnodir]

FFW's driver can be opened by any user now. It is required to work without service.

I'm going to restrict access to driver to Administrators (and System) only.

---

So, if you will use FFW without service, then you will have to run it as Admin.

(Or add "HKLM/Software/Fort Firewall/isDriverNonAdmin=1" registry value.)

---

What do you think?

@Emi-Emi-Emi

[ghost]

Yeah I tested that too, in this other computer where I have the admin account enabled and the normal user was added in the Users group and removed from the admin one. Installed Fort in the admin account, then restarted computer, it logged me in the normal user, double click Fort icon and it worked normally without any difference and no admin required.

[tnodir]

Yeah I tested that too

Double checked now and it indeed works fine without admin rights! Very strange, fixing..

[tnodir]

Please check the v3.14.4-test01.

[ghost]

Tested it and works fine now.
Without admin rights -> Access denied and black tray icon.
And with registry string value works again without admin rights as soon as Fort is opened.

[tnodir]

Also, uninstalling Fort, doesn't seem to remove the Explorer Integration, at least not in Win11 24H2.

@Emi-Emi-Emi The Explorer Integration installs for current user only (HKCU).

Uninstaller runs as admin and can not remove the Explorer Integration for all users.

[ghost]

Sounds fine, that would be a good way of handling this, better security for most users who install it normally, and still a way for admins to override it through the registry, like any other policy, if needed.

[maestropss]

Thank you for looking at improving the security of this excellent app. The idea looks very promising.
May I ask you 2 questions in this regards?

1. "FFW's driver can be opened by any user now" - What do you mean by "open" the driver in this case? Does it mean "to get the full control over the driver"?
2. As far as I can understand, FFW can be run without the service and still be able to effectively filter traffic. What do you mean by "it" in this case? "So, if you will use FFW without service, then you will have to run it as Admin."

Please forgive me my intentions to get the full and clear picture of this. My eldery parents are rather illiterate in computer security. So, I should do my best to make their computers as protected as possible.

[ghost]

If you want more/max security for your parents, switch their accounts to be User only and enable the inbuilt Admin account and manage it that way, so they don't run anything as admin and that means malware won't be able to do much damage in a system, many programs still allow to install software without admin rights, even browsers, so it's not as restrictive as anyone would think, but it will lock down the computer so no changes in system files are made, which is always good.
This is always going to be an issue with Windows, they made admin accounts default to everyone and that opened many issues, so switching people to User will be better for most people who have a person who can manage it.

About the driver, you always need admin rights to install it and disable it and remove it, just as with the Service.
Fort without service requires Fort to be running in order to do the filtering, and once installed, it meant anyone could just open Fort and use it, so this change would require Fort to be elevated to work without the service, or admin needs to add the registry key to make it work unrestricted.

So in terms of change, this shouldn't change too much for most people, because most people will install it normally with the background service and all. This change is more for people who only want Fort to work without service but without allowing non-elevated users to have access to it so easily, one layer of protection, because more protections for something important like Fort, is never a negative.

[tnodir]

1. "FFW's driver can be opened by any user now" - What do you mean by "open" the driver in this case? Does it mean "to get the full control over the driver"?

• Driver creates a Device Object
• Device Object can be opened by user-mode processes to control the Driver's configuration

2. As far as I can understand, FFW can be run without the service and still be able to effectively filter traffic. What do you mean by "it" in this case? "So, if you will use FFW without service, then you will have to run it as Admin."

• Any process can open the FFW Driver's Device Object and configure it how to filter traffic
• After recent changes, only Admins should be able to configure the Driver by opening its Device Object
• So, you have to run FortFirewall.exe ("it") as Admin, if you did not install FFW Service (or workaround by registry key)