Block apps from accessing internet by default...

Good day guys,

I have decided to use my computer with Windows Defender as the security solution. I would like to keep my system as lean and lightweight as possible. But Windows Firewall is a little complicated. And given that I am from a non-technical background, I don't want to tinker with it too much.

By default, I would like to block any program I install from accessing the internet, and only permit access as I think is necessary. For example, a video player I may download has no need to access internet for my use. I will manually check for updates as and when necessary.

When searching online, I found this:

https://sites.google.com/site/mytools4000/home/allow-block-multiple-programs-through-windows-7-firewall

This link contains a batch file that, when run as an administrator, will automatically block all .exe and .dll files within the folder (as well as sub-folders), where this batch file is located, from accessing the internet. Very nice little utility.

This is what I plan to do:

Except for the most important programs and those that need internet to work, I plan to install all other software in a separate folder called 'Programs' inside the C: drive. This folder will contain this batch file.

Here are my queries:

1. Is this batch file safe to run?

2. Do I need to run this batch file every time I install a program?

3. Will each run duplicate the previously created entries in Windows Firewall?

4. Will this slow down my system? As a test case, I installed just one program - VLC, and this batch file created well over 300 entries in Windows Firewall! 

5. Is my approach effective? Does this batch file completely block all internet connections? I tried to check for updates from within VLC, and it failed.

6. How do I block apps that I download from Microsoft Store?

Thanks very much in advance.

3. Running the batch every time will indeed create duplicate firewall rules. I wish there were some built-in checks that prevent duplication.

For now, the only solution I can think of (and tested to confirm it works) is to reset the Firewall to default settings every time before running the batch file. That way there won't be any duplication.

I hope someone helps with answering the remaining questions.

Thanks.


Ideally, I would like to configure the Firewall to Block by default all outbound rules (just like how it is for inbound rules), and then add exceptions (whitelisting) as and when a program requests. While I know how to change the default setting, I don't know how to whitelist all existing rules (which are allowed by default in a fresh Windows installation). If this can be done in a simple way, a batch file such as the one in the link would be unnecessary.

3 people found this reply helpful


I have set all incoming and outgoing connections to be blocked by default.

Now, Windows Firewall comes with a default set of rules for most of its essential services and processes, so these are automatically whitelisted in the outgoing connections. Changing all outgoing connections from 'allow' to 'block' doesn't affect existing rules, because connections are only blocked by default for those programs or services for which a rule doesn't already exist.

I found that Windows Update and SmartScreen service stopped working. These were enabled by creating a new outbound rule whitelisting them as follows:

Allow the respective processes under Outbound rules:

1. Windows Update: %SystemRoot%\System32\svchost.exe

2. Windows SmartScreen: %SystemRoot%\System32\smartscreen.exe

Windows Store works fine and apps can be updated. I am yet to check if new apps can be downloaded, but I think that should work too because the Microsoft Store is probably whitelisted by default.

So now every time a new program is installed from outside the Store (I am still not aware of a way to block Store apps) and it tries to connect to the internet, it should be blocked with a prompt/ notification by Windows Firewall. I will update this post as I discover them.

Once this method works satisfactorily, I think I will switch to this method instead of running the batch file every time I install a program and after resetting the Firewall.
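The block-by-default outbound setup described in the post above, written out as PowerShell so it can be applied and reverted in one place. This is an added example, not code from the thread or from Microsoft; the rule names, the 'Manual-AllowList' group and the note about which services may need their own rules are assumptions. Run it in an elevated PowerShell window.

```powershell
# Added example (not from the thread): switch all three firewall profiles to
# block-by-default outbound, then add scoped allow rules for the two processes
# the post found necessary. Rule names and the group name are assumptions.

$group = 'Manual-AllowList'

# Record the current defaults first, so the change can be undone later.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction

# Block outbound by default on Domain, Private and Public profiles.
# Existing allow rules keep working: the default action only applies to
# traffic that no rule matches.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Turn on logging of dropped packets so blocked programs can be identified
# afterwards (default log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# Windows Update runs inside svchost.exe. Allowing svchost.exe as a whole, as the
# post does, lets every service hosted by svchost out; scoping the rule to a
# service name keeps it narrower. wuauserv is the Windows Update service; on some
# builds BITS and Delivery Optimization (DoSvc) may also need rules (assumption).
New-NetFirewallRule -Name "$group-WindowsUpdate" -DisplayName 'Allow Windows Update (wuauserv)' `
    -Group $group -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv

New-NetFirewallRule -Name "$group-SmartScreen" -DisplayName 'Allow Windows SmartScreen' `
    -Group $group -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\smartscreen.exe'

# Review the allow list this script manages.
Get-NetFirewallRule -Group $group | Format-Table Name, Direction, Action, Enabled

# Revert everything this script did:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
#   Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked False
#   Remove-NetFirewallRule -Group $group
```

Putting the allow rules in their own group is what makes the setup manageable: anything the script created can be listed or removed with one command, and the log of dropped packets shows which program to add next instead of guessing. The whole-process svchost.exe rule the post used also works; the `-Service` form simply narrows it.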


It is too much work with this method of blocking all outgoing connections by default. Too many things to be manually configured. Besides, I couldn't find a way to whitelist Microsoft Store apps (e.g. Mail and Photos among others stopped syncing), OneDrive stopped syncing, iTunes stopped working, etc.

I am trying to avoid a 3rd party solution, so will stick with using the batch file (which itself is downloaded from a website, but I guess it is safe) for now.


No one knows how to do this because they know it's a pointless exercise.

This article from 2013 hasn't been updated or replaced since the core issues haven't changed and it's as applicable to your attempt as to the 3rd-party firewalls it was originally written about.

Why You Don’t Need an Outbound Firewall On Your Laptop or Desktop PC

When Microsoft created the Windows Filtering Platform (WFP) that all current firewalls use to manage connections, they also included the ability to monitor these, making it easy for antimalware like Windows Defender to view them as well.

This is the method that Microsoft provided for dealing with this issue, since rather than trying to set a static set of outbound traffic blocks, this monitoring can dynamically watch for and alert to known or potential attacks that happen to include a "phone home" capability.

This is just one more of the many inputs that the Microsoft machine-learning (AI) systems use when they try to detect potential new malware.  If Defender thinks it's found one of these, it can also use the WFP system to dynamically block that outbound connection as well, so you don't need to.

Rob


Hello Rob,

Thanks for the explanation and the links.

But I am not fully convinced that it is a pointless exercise. Not every malware is like a ransomware that will damage/ encrypt local files. Most of them can just have trackers/ adware/ etc. trying to steal data. So while they may be harmless for the local files, they may upload your information to outside servers. Basically a privacy risk more than a security risk.

Even though we take care to download only well-known software, there can be a 'man in the middle' type of attack where your downloaded file is a modified one (we don't always run a checksum). Also, the lack of security (inability to block internet access) heavily limits the number of software we can download just to try them out.

This isn't an ideal world. We don't know the developer, we don't understand security vulnerabilities, etc. But as a thumb-rule, it would be fine to say that by blocking internet access completely, we can secure our system to a very great extent, since not all malware is ransomware/ virus.

I wish there were built-in tools to block all programs (or executables) within a specified folder/ path, as well as tools to grant LAN access only, and no internet. I have been trying to look for such a solution, and it is strange that none exists even today (or let's say there is none that I am aware of, and I have searched for such a solution extensively).


I found this link:

https://old.reddit.com/r/Piracy/comments/btxlmc/how_to_automatically_add_everything_in_a_folder/epr971j/

Basically, running the following commands in PowerShell as Administrator will automate this process:

Get-ChildItem -Path C:\Programs -Filter *.exe |
Select-Object Name,FullName |
ForEach-Object `
{New-NetFirewallRule -DisplayName "Block $($_.Name) Inbound" -Direction Inbound -Program "$($_.FullName)" -Action Block;
New-NetFirewallRule -DisplayName "Block $($_.Name) Outbound" -Direction Outbound -Program "$($_.FullName)" -Action Block}

Get-ChildItem -Path C:\Programs -Filter *.dll |
Select-Object Name,FullName |
ForEach-Object `
{New-NetFirewallRule -DisplayName "Block $($_.Name) Inbound" -Direction Inbound -Program "$($_.FullName)" -Action Block;
New-NetFirewallRule -DisplayName "Block $($_.Name) Outbound" -Direction Outbound -Program "$($_.FullName)" -Action Block}

Here, C:\Programs is the folder where I am installing the programs. You have to change that to the location where you install your programs.

That said, I have already run both the above commands on my computer. The question is will this keep duplicating the firewall entries as before? Or only add the new ones?

Further, has anyone set this up successfully?

2 people found this reply helpful
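The duplicate-rule question raised in the post above is answered by checking which programs already have a rule before creating one. The script below is an added example, not code from the thread or from the linked Reddit post: it tags every rule it creates with a group so re-running it after each install only adds rules for new files, and so its rules can be removed without resetting the whole firewall. The folder path `C:\Programs` and the group name 'BlockFolder' are assumptions. Run it in an elevated PowerShell window.

```powershell
# Added example (not from the thread): block every .exe and .dll under a folder,
# skipping files that already have a rule so the script is safe to re-run.
# $Root and $Group are assumptions chosen for this example.

$Root  = 'C:\Programs'
$Group = 'BlockFolder'   # tag lets the rules be listed or removed together

# Collect the (program, direction) pairs already covered by this group's rules.
$existing = @{}
foreach ($rule in Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    $existing["$prog|$($rule.Direction)"] = $true
}

$added = 0
Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll | ForEach-Object {
    $path = $_.FullName
    foreach ($dir in 'Inbound','Outbound') {
        if ($existing.ContainsKey("$path|$dir")) { continue }   # rule already present
        New-NetFirewallRule -Group $Group -Direction $dir -Action Block `
            -Program $path -DisplayName "Block $($_.Name) $dir" | Out-Null
        $existing["$path|$dir"] = $true
        $added++
    }
}
"Added $added new rule(s); $($existing.Count) rule(s) now in group '$Group'."

# Remove only this script's rules (no full firewall reset needed):
#   Remove-NetFirewallRule -Group $Group
```

Two practical notes. Looking up the application filter for each existing rule is slow once there are hundreds of rules, which is another reason to keep the rule count down. And Windows Firewall matches the `-Program` path against the executable image of the running process, so rules for .dll files never match any traffic; dropping `*.dll` from the `-Include` list removes most of the "well over 300 entries" the batch file produced for VLC without changing what is actually blocked.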


Sounds to me like you've defined your own personal issue, which is wanting to download software from anywhere and install all sorts of potentially risky software, but wanting to protect from something unexpected getting through that potentially risky activity.

Most of us have learned that avoiding this practice of installing and testing all sorts of software is the better method, carefully choosing the relative handful of important apps and only installing from the vendors or another highly vetted source like the Microsoft Windows 10 Store.

This is the direction that Microsoft has taken with Windows 10 S mode, not only limiting apps to the Store, but also removing most of the vulnerabilities from the operating system itself that have consistently led to malware.  On top of this, it removes many of the scripting and other tools that have been abused and sandboxes apps which only have limited ability to access the operating system and none to modify it.

This is where Microsoft is focusing efforts, with the obvious eventual intent to drop Windows traditional desktop and executables completely, since that's the true problem you're trying to solve with a firewall workaround.

You're putting lots of effort into an unwinnable game, playing with potential malware rather than truly avoiding it.  I've seen this many times in my computing career, while the only methods that truly work are always much simpler.

Rob

1 person found this reply helpful


I consider my usage 'low risk'. That's because I always scan every executable that I download with the resident security solution (BitDefender/ Norton/ Malwarebytes/ etc.), then I upload the file to virustotal.com for a second opinion. Only then I actually install the software, and I also pay attention to the options the installer gives to avoid unasked bundles. Despite all that, I have made a mistake a handful of times with very well-known software like FileZilla, etc. And yeah, I always download from the official site, unless they link me to something like SourceForge, etc.

Given that I do believe that my usage behaviour constitutes 'low risk', I have also decided to stick with Windows Defender & Windows Firewall for security, despite having over a year remaining in my current BitDefender Total 2020 subscription. That's because I want to keep my system as lean/ lightweight, and therefore as fast, as possible.

On a personal level, I like to have variety on a few choices, and therefore I like testing/ experimenting with stuff. This also has the benefit of not monopolising existing players, and giving opportunities for new developers to bring out new products and support development. 

Before installing any software, I read several online reviews before narrowing down my choice. For example, there is no video file that VLC can't play, yet I wanted to try a different video player because I was tired of VLC's interface. So based on several reviews, I found most of them recommended PotPlayer, so I tried it out. But I found that upon launching, it started giving me video recommendations, and I don't like that 'feature'. I just want it to play my local files and do absolutely nothing more. One way of doing that is to completely disable internet access to that app. I will update it as and when I want. The same principle holds true for other apps too.

While it is a good practice to stick with tried and tested software only (by the way, the latest version of VLC is flagged by one of the engines on VirusTotal), I think it is also fine to try a few other alternatives available in the market.

As for sticking with Store apps alone, while I too want to move in that direction, we know that some of the best solutions live outside the Store (probably to increase developer income) for genuine reasons. Why not support those? I don't mind paying for software, but only as long as I am able to put sufficient safeguards in place.

By the way, what do you think about TinyWall (https://tinywall.pados.hu/)? It seems to have the ability to allow LAN only access, something I (desperately) want.

3 people found this reply helpful


Question Info

Last updated April 19, 2025. Views: 6,128.