Desktop or Personal Firewalls

Incident response
Intrusion management
Network security
1) How can an application detect that a Desktop or Personal Firewall is blocking a port or binary image? 2) Also, how can an application get vendor-specific information about the running firewall? Thanks for your help

Answer Wiki


Well, as a general principle, you should NOT be able to tell that a firewall is running. That would allow retro-software to know it’s there and attack it in some fashion.

The security professional in me wants to know “Why do YOU want to know?” But security by obscurity is unreliable at best.

That said, if a firewall were running (Norton, Zone Alarm, McAfee, etc.), and were detectable, I would assume that any identifying “marks” (or signs) would be unique to the manufacturer.

In general, if an application is within a firewalled environment, there are going to be two general types of “responses” to improper traffic: 1) dead silence, and 2) a refusal of some kind. The refusal could take the form of an ICMP destination unreachable -> Port unreachable/administratively prohibited (for UDP traffic), or a TCP RST (for TCP traffic).

Take the case of the “dead silence”, which might be the case if the traffic were simply being dropped. If the target system(s) were reachable on other ports, but a connection timed out on the intended ports, you could readily presume that traffic was being blocked by a firewall. However this still leaves the question of WHERE the firewall might be – source machine, target machine, or network equipment somewhere.

If I were looking for such things, I’d probably do a file search for logs with a time stamp within a few seconds of my last attempt, but that’s no guarantee.

This may not be the answer you were looking for, but it’s what I can come up with off the top of my head.
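The two response types described in the answer above (dead silence versus a refusal) can be told apart inside an application by how a TCP connect attempt fails. This is an added example, not part of the original answer; the function names, the control-port comparison and the Linux-style errno mapping are assumptions, and the loopback ports are constructed sample input.

```python
import errno
import socket

def classify_connect(host, port, timeout=3.0):
    """Make one TCP connect attempt and name the kind of response seen."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "silent"        # nothing came back: traffic dropped somewhere
    except ConnectionRefusedError:
        return "refused"       # TCP RST: closed port or a rejecting firewall
    except OSError as e:
        # Assumption: ICMP unreachable/prohibited surfaces as these errnos
        # (Linux behaviour; other stacks may report it differently).
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "icmp-unreachable"
        raise
    finally:
        s.close()

def interpret(target, control):
    """Compare the needed port with a control port on the same host."""
    if target == "open":
        return "not blocked"
    if target == "silent":
        if control in ("open", "refused"):   # host answered on another port
            return "filtered: dropped somewhere on the path"
        return "inconclusive: host down or everything filtered"
    return "refusal: closed port or rejecting firewall"

def local_ports():
    """Constructed loopback sample: one listening port and one closed port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed = tmp.getsockname()[1]
    tmp.close()
    return listener, listener.getsockname()[1], closed

if __name__ == "__main__":
    listener, open_port, closed_port = local_ports()
    needed = classify_connect("127.0.0.1", closed_port)
    control = classify_connect("127.0.0.1", open_port)
    print(needed, control, "->", interpret(needed, control))
    listener.close()
```

A "filtered" result still does not say where the drop happens (source machine, target machine, or network equipment), as the answer notes.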


Discuss This Question: 1  Reply

  • Poppaman
    As stated in the previous reply, ideally, an application should not even be aware that a firewall (local or network) is present; and as also previously stated, the only way (again, ideally) an application or user should know of its existence is by means of message(s) from the firewall or by inability to connect over a given port(s) when connectivity has otherwise been confirmed. That being said, if a "rogue" application queries the registry for a specific key or keys, it would then be able to identify whether a local software firewall is present. Of course, the application would need to run with admin privileges to query the registry, which in and of itself may imply system compromise....