Can your software firewall be easily disabled – a reality check

This question is once again making the rounds. We are again seeing claims that a software firewall can be disabled easily, claims that never seem to get backed up by those making them. I’d agree that the threat exists for any form of security to be disabled given the right situation. What I don’t agree with is the idea that in most cases this can be easily done. There is no solid evidence to back this up, even though this claim has been running around the internet like folklore for years now. Yet we haven’t seen any widespread reports of users being infected due to their protection being disabled. That fact is solid – no hype – no hysteria – no paranoid delusion or scare tactic – the fact is machines aren’t being exploited due to security software being disabled. If this were occurring as easily as some claim, you would see a massive uproar from security product customers and the security community in general. I’ll provide the text from my replies in several forum threads below. This will hopefully shed further light on why I feel the way I do.

“A software firewall installs on your system using undocumented interfaces, generally slows everything down, is within easy reach of malware that wants to disable it, and protects a single system.” quote from dave

Someone wanted this comment to be shown wrong. I have covered this recently in this forum and at other times. It’s sad that at times we don’t see real honesty in this forum. What we do see are very large biases displayed on a daily basis. Some consider my opinion extremely biased.

I’ve never seen any evidence that a software firewall slows down your system. Many people have made this claim in regards to antivirus as well. I’d say if either product is slowing your machine down there is a problem needing to be resolved with the software, especially if you’re running a fairly modern system.

Time and time again we see the “malware will disable your software firewall” claim, when in fact reality has shown that we don’t see large instances of this occurring. While this is possible, software firewall haters forget to point out the same could theoretically be done with a router.

More of my thoughts on that can be found here

Forums » Security » Re Just a quck mention about SW Firewalls

Everyone seems to forget that routers are run by software called firmware. We have seen many cases where this firmware has contained flaws that can be exploited, meaning a well-crafted exploit could allow access to your machine. It also seems to skip people’s minds that for a software firewall to be disabled, in most cases a user would have to download and then activate a piece of malware of their own free will before the malware could do its dirty work. You would hope that an updated antivirus would be in play and stop a user from activating this exploit.

You’re not going to visit a website and have your software firewall magically shut down. At least at this time there is no way of this occurring that I am aware of.

It could be argued that antivirus and software firewalls have been shown at times to affect broadband speeds. Then again, a router that isn’t properly configured (which most aren’t) can cause a nightmare of problems as well, such as slower broadband speeds. Let’s also keep in mind that a misconfigured router can leave holes open for bad people to gain access to your machine.

This is why most people have always advocated a layered approach. In case one wall of protection fails the other will cover your backside. Also keep in mind that a router doesn’t offer outbound protection and other features to keep your operating system safe from exploit. Although the Nvidia firewall that is chipset based does include some levels of protection that are similar or exact to a software firewall.

It should also be kept in mind that over the years software firewall and antivirus vendors have strengthened their products against exploit. Everyone seems to forget to make the claim that antivirus can be disabled easily for some reason. But they sure make it left and right in regards to software firewalls.

If it were so easy to disable these products, we would be seeing mass reports of this daily. This doesn’t occur. So this would lead me to believe it’s not as easy to pull this off as many braggarts and paranoid souls would like to claim.

“In the absence of rogue code – they both offer the same protection.” quote from qrkx

I wouldn’t agree 100% on that, due to most routers not offering outbound protection. I do agree that an injection of some sort of malware is needed, which with both products has the possibility of creating a bad day for the end user.

2 thoughts on “Can your software firewall be easily disabled – a reality check”

  1. I have just found out that zonealarm firewall has been disabled (although it “says” it’s enabled) on two laptops. This was spotted when one of those laptops was plugged into my network and my own zonealarm firewall (on my PC) started to report what seems to be a port scan from the laptop. On further inspection I found I could ping the laptop (even though the firewall on that laptop was set to disallow a ping reply). I double checked this with my own settings on my PC and found I could not ping my PC and my own zonealarm firewall was disallowing the ping request (reported in the log). After checking a 2nd laptop, I found the same issue in that the zonealarm firewall was not working at all, however it was reporting to be on.

    I do not know if this is a faulty install of zonealarm (I installed all of them and keep them updated). You could claim I don’t know what I am doing, however I am an experienced software developer with more than 24 years solid experience – I know what I am doing.

  2. Normally the tone you took would have me just delete your comment. The article above was in relation to many discussions that had taken place in regards to the subject.

    Just because you can be pinged does not in fact mean your firewall is not doing its job. Yes, I’m aware that you stated you had the firewall product set for stealth mode. However, this setting may not have taken for some reason. Also, many people will in fact allow pings for certain online tests, then forget to enable the stealth setting again. Sometimes if an update is installed, settings will be placed back into default mode.

    Part of the reason firewall users of any brand should install updates is to harden the product against attack. These updates normally include fixes for any known issues.

    There have been many debates in regards to stealth versus pingable in the past. Again, just because you were pingable DOES NOT mean your firewall was not doing its job.

    If you feel you have valid evidence that the firewall product was in fact disabled, I would ask if you have been in contact with the vendor and shared your data with them?

    Closed or stealth ports the debate rages on

    Readers should keep in mind some older articles may not have valid links to old content. A few host changes over the years created this situation. I try my best to update these article links when I come across them.
