Can firewall monitor pcap packets?

Is CIS FW V12.x able to automatically create Allow/Block/Ask rules (or manually add those) rules for applications that use PCap to create their own packets and sending them to the network adapter directly (so bypassing the TCP/IP stack)?

In other words, does CIS FW 12.x monitor and intercept PCap packets?

No you won’t get firewall alerts if applications send low level packets using winpcap or npcap.

Is it technically possible to add that feature? It would increase the FW to a much higher security level.

Besides, older FW versions had this feature in the past (see screenshot).

Why is that feature taken out of V12.x?

You have to realize that the alert would be for Windows Operating System and not the actual application making the low level requests, also the required network packet drivers would need to be installed and started before applications can use them. The ability to monitor other NDIS protocols was removed since version 6.x there is a wish to bring it back but that is likely never to happen as it doesn’t really provide much value in having it.

Also you can use HIPS to monitor such access by adding the device name object to protected files/folders. For Npcap you would add \NPCAP and for WinPcap I think it would be \NPF.

Thank you for the feedback.

I understand that the network packet driver has to be installed on a low level and that it has to be hooked on to the network adapter, I think version 5 did this.

In my opinion there are some quite important aspects in having this packet monitoring feature.

A smart malicious application or a smart virus could utilize this FW bypass and send user data out to the internet without being intercepted by the FW. The user as such would not notify that data is going out because there are no FW popup Alerts.

Also (I discovered this myself) when you run applications in a virtualized OS and the virtualization software connects to the local hardware network adapter via PCap then all applications running in the virtualized OS can make connections to the internet, again without being notified to the user. Sometimes disabling the virtualized network adapter is not an option as some applications require it for their needs (e.g. for reading MAC address or just for a loopback network)

I understand that the added value of having this feature may be low for regular users but it would certainly raise the FW to a much higher protection level and that can be sold as an important feature to earn money with.

Could you forward this request to add the feature to a future release?

I will try your proposed HIPS settings to check if that can be used as a workaround to block PCap packets.

Thank you.

As a test I’ve added the file group “3rd Party Protocol Drivers” (which contains all the device name objects) to the HIPS Rules “protected files/folders”->“blocked files/folders” of the virtualization software to prevent it from accessing the PCap driver.
The HIPS rule does work, however the downside is that the virtualization software at startup complains about not having access to the PCap driver and as such it removes the virtualized network adapter from the virtualized OS. So HIPS rule plugged in, virtualized network adapter plugged out.

Without using the above HIPS rule I found out that when the FW is set to the “Stop Network Activity” mode this also blocks the PCap packets (a virtualized ping could not go out), this is good to know. It seems that the “Stop Network Activity” mode works on a low level.

However the feature of monitoring and intercepting PCap packets is more than welcome!