Bypassing The Firewall From "Within" A Firewalled System

Is it possible to slip data past a firewalled PC? Does “leaking” (invisible transfer of data), within its scope, pertain to outgoing data as well?

When hard to trace rootkits attempt to communicate with the outside world, will they be caught by the firewalls, revealing their presence?

In short, is it possible to veil an outgoing connection?

It depends.

If you’re talking about a “pure” firewall, which is looking at the traffic hitting the NIC, then yes, it is possible, but it depends on the leakiness of the firewall in question.

Comodo Internet Security (CIS) has a firewall and a HIPS-type component (Defense+). The two in combination look at the traffic hitting the NIC and what sent it, which can give sufficient info to the user.

Hope this helps,
Ewen :slight_smile:

Hmm…so if I understand correctly, firewalls monitor network activity by hooking the NIC driver(?) - a “.sys” file(?). How will a HIPS, such as Comodo’s Defense+, which doesn’t monitor at network level, detect such an attempt?

Can hidden processes (inactive?) hide their activities (active?) as well? For example, if I were to install Comodo on a PC infected with a certain rootkit, hidden deep in the system, would its attempts at anything at all be caught by Comodo? Can hidden processes hide their activities as well? Case: say a protected .sys file under “My Protected Files\Folders” is under attack by a rootkit. Will Comodo detect it, or, since the rootkit is hidden, will the activity be hidden too?

Yes

When hard to trace rootkits attempt to communicate with the outside world, will they be caught by the firewalls, revealing their presence?

Sometimes yes, sometimes not.
Because it’s really hard to detect. They change their shape every time (mutated rootkits).

In short, is it possible to veil an outgoing connection?

Yes.

HIPS is based on process activities.
Defense+ monitors the system (files, memory, registry, etc.).
If HIPS can’t find a rootkit which is veiled well, it can’t recognize the rootkit’s activities.
Because the rootkit has already taken control of your PC. It means your PC is under the hacker’s control.

Can hidden processes (inactive?) hide their activities (active?) as well?
Yes.
For example, if I were to install Comodo on a PC infected with a certain rootkit, hidden deep in the system, would its attempts at anything at all be caught by Comodo? Can hidden processes hide their activities as well?

Sometimes yes, sometimes not.

Case: say a protected .sys file under "My Protected Files\Folders" is under attack by a rootkit. Will Comodo detect it,

Sometimes yes, sometimes not.

or, since the rootkit is hidden, will the activity be hidden too?
Sometimes yes, sometimes not.

Everything depends on the rootkit.
If the rootkit is unidentified and powerful, we can’t find it with normal software
(firewall, antivirus, anti-rootkit tools, etc.).
We should find it manually with forensic and reverse engineering software.
That’s why rootkits are very dangerous.

In the real world,

Year 2008.
Hackers made special rootkits. (These kinds of rootkits are not for the public;
we call them ‘underworld rootkits’.)
They injected rootkits into one of the administrators who was working for xx company.
The administrator was infected by e-mail.
And then the hackers injected other rootkits into the server.
No antivirus tools or firewalls (expensive, hardware-based ones) could find it.
It means it bypassed all of the firewall systems.
Finally, they took over 10 million pieces of personal information.
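The point made above, that a well-hidden rootkit has to be found manually with forensic tools rather than by the host's own firewall or HIPS, is usually approached by cross-view comparison: take the same inventory from two sources, one the rootkit can filter (the host's own socket table) and one it cannot (a packet capture taken off-host), and treat anything that appears only in the unfiltered view as suspect. The script below is an added example, not code from the thread or from Comodo. It assumes the monitored host's address is 10.0.0.5 and that a capture box on a mirror port saw the same minute of traffic; both listings are constructed in-line in the shape of `netstat -ano` and `tcpdump` output, and the 198.51.100.23 peer is a made-up example address.

```python
"""Cross-view detection of a veiled outgoing connection (added example).

Two snapshots of the same minute: the host's own socket table, which a rootkit
hooking the enumeration API can filter, and an off-host packet capture, which
code running on the host cannot edit. A TCP connection present on the wire but
absent from the host table is the signature of a hidden outbound connection.
"""
import re
from typing import NamedTuple


class Conn(NamedTuple):
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int


HOST_IP = "10.0.0.5"  # assumed address of the monitored host

# Constructed sample in the shape of `netstat -ano` output: the host's own view.
HOST_NETSTAT = """\
  TCP    10.0.0.5:49152         93.184.216.34:443      ESTABLISHED     612
  TCP    10.0.0.5:135           0.0.0.0:0              LISTENING       880
  UDP    10.0.0.5:137           *:*                                    4
"""

# Constructed sample in the shape of tcpdump output: the same minute as seen
# from a capture box on a mirror port. The 198.51.100.23 peer is hypothetical.
WIRE_TCPDUMP = """\
12:00:01.100 IP 10.0.0.5.49152 > 93.184.216.34.443: Flags [P.], length 517
12:00:03.420 IP 10.0.0.5.49177 > 198.51.100.23.8080: Flags [S], length 0
12:00:03.421 IP 198.51.100.23.8080 > 10.0.0.5.49177: Flags [S.], length 0
12:00:05.000 IP 10.0.0.5.137 > 10.0.0.255.137: UDP, length 50
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s")
TCPDUMP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\]")


def parse_netstat(text: str) -> set[Conn]:
    """Connected TCP sockets from the host table. Listeners (peer 0.0.0.0:0) and
    unbound UDP sockets (peer *:*) have no peer to compare, so they are skipped."""
    conns = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport = m.groups()
        if proto != "TCP" or not rport.isdigit() or int(rport) == 0:
            continue
        conns.add(Conn("tcp", laddr, int(lport), raddr, int(rport)))
    return conns


def parse_tcpdump(text: str, host_ip: str) -> set[Conn]:
    """TCP flows the host itself transmitted, keyed by the same 5-tuple the host
    table uses. Packets sent by the peer are ignored so the key stays host-side."""
    conns = set()
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, _flags = m.groups()
        if src == host_ip:
            conns.add(Conn("tcp", src, int(sport), dst, int(dport)))
    return conns


def cross_view_diff(host_view: set[Conn], wire_view: set[Conn]):
    """Return (hidden, stale).

    hidden: on the wire but not in the host's table; a filtered or hooked
            socket enumeration is the usual cause, so each one needs a look.
    stale:  in the host table but silent on the wire during the capture;
            normally an idle connection, reported separately and not as suspect.
    """
    return sorted(wire_view - host_view), sorted(host_view - wire_view)


def find_hidden_connections(netstat_text: str, tcpdump_text: str, host_ip: str):
    return cross_view_diff(parse_netstat(netstat_text),
                           parse_tcpdump(tcpdump_text, host_ip))[0]


if __name__ == "__main__":
    hidden, stale = cross_view_diff(parse_netstat(HOST_NETSTAT),
                                    parse_tcpdump(WIRE_TCPDUMP, HOST_IP))
    for c in hidden:
        print(f"HIDDEN: {c.laddr}:{c.lport} -> {c.raddr}:{c.rport} not in host socket table")
    for c in stale:
        print(f"idle:   {c.laddr}:{c.lport} -> {c.raddr}:{c.rport} (host only)")
```

The same cross-view idea applies to processes (a user-mode listing against raw kernel structures) and to files (a directory listing against the on-disk file system); what matters is that the second view comes from a source the suspect code has no hook into, which for network traffic means capturing somewhere other than the infected host.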

What about setting Comodo’s firewall to “Block All” mode? Would that prove futile too?

I think pulling out the cable is better than using ‘block all’ mode.

Well, if someone finds malware which can bypass 32 bit version of CIS (3.9) in proactive config settings he or she may post it here.

Viruses will be here, but rootkits go to the black market at a nice price.

Yes, you are right. However we shouldn’t be affected by those private rootkits and D+ remains hard to bypass, which HIPS is stronger (ok, the current Online Armor could be as good)?

So, basically, I’ll never be 100% secure, unless I stop using a computer; is that what you are alluding to?

Pretty much so; apparently even the Pentagon has just had ~1TB worth of data stolen pertaining to sensitive information.

This type of stuff you are extremely unlikely to encounter; don't let it spoil your enjoyment of the web.

You are not 100% safe because attack techniques come first, before defense techniques.
You should have SOCD (security obsessive-compulsive disorder) if you are
working for a security company as an information security specialist, a network specialist,
a computer forensic specialist, etc.
You should think that everything is suspicious.
Otherwise, you don’t need to have SOCD.
You’ll be a neat freak if you think too much about security stuff.
My point is ‘think about security deeply, but not too much’.
Because, the attackers are always looking for someone’s blind spots.