17. Firewall
The Firewall module evaluates all local Windows firewall rules and tries to detect suspicious entries by using white- and blacklists.
17.1. Samples
Aug 26 17:51:25 server23.local.net/10.19.2.17
THOR: Warning: MODULE: Firewall
MESSAGE: Zeus Local Port defined in Firewall rule
SIGNATURE: ZEUS
RULE_NAME: Appsense_Input
PORT: 7771
SCORE: 75

Jul 29 11:19:48 serverx-print/10.255.80.56
THOR: Warning: MODULE: Firewall
MESSAGE: Suspicious Trojan/Backdoor Local Port defined in Firewal rule
SIGNATURE: Strange Value
RULE_NAME: XXXCloudProxy.exe
PORT: 8080
SCORE: 75
17.2. Typical False Positives
- Legitimate rules for non-white-listed programs
- Legitimate rules on suspicious ports (e.g. WinSSHd on port 60022/tcp, Apache on port 4443/tcp)
17.3. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
RULE_NAME | Does the name look suspicious? | Yes | Bad | Low
PORT | Does the port relate to the rule name? (e.g. | Yes | Good | Medium
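The following is an added example, not part of the THOR manual or product: it parses Firewall-module warnings like those in 17.1 and applies the two checks from 17.3, using the false positives from 17.2 as a constructed site allowlist. It assumes each warning is emitted as a single syslog line of "KEY: value" fields; the third sample event and the "bare executable name" heuristic are constructed for illustration.

```python
import re

# Constructed input: the two THOR warnings quoted in section 17.1 plus one
# constructed WinSSHd event mirroring the false positive in 17.2, assumed to
# be emitted as one syslog line per event with "KEY: value" fields.
SAMPLE_LOG = """\
Aug 26 17:51:25 server23.local.net/10.19.2.17 THOR: Warning: MODULE: Firewall MESSAGE: Zeus Local Port defined in Firewall rule SIGNATURE: ZEUS RULE_NAME: Appsense_Input PORT: 7771 SCORE: 75
Jul 29 11:19:48 serverx-print/10.255.80.56 THOR: Warning: MODULE: Firewall MESSAGE: Suspicious Trojan/Backdoor Local Port defined in Firewal rule SIGNATURE: Strange Value RULE_NAME: XXXCloudProxy.exe PORT: 8080 SCORE: 75
Sep 02 09:12:41 build07/10.19.2.40 THOR: Warning: MODULE: Firewall MESSAGE: Suspicious Trojan/Backdoor Local Port defined in Firewal rule SIGNATURE: Strange Value RULE_NAME: WinSSHd PORT: 60022 SCORE: 75
"""

HEADER_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) THOR: (\w+): (.*)$")
# A value runs until the next " KEY: " token or the end of the line.
FIELD_RE = re.compile(r"(MODULE|MESSAGE|SIGNATURE|RULE_NAME|PORT|SCORE): (.+?)(?= [A-Z_]+: |$)")

# Constructed allowlist of (program, port) pairs an analyst has verified,
# seeded with the two false positives named in section 17.2.
KNOWN_GOOD = {("winsshd", 60022), ("apache", 4443)}


def parse_thor_log(text):
    """Return one dict per Firewall-module warning; other modules are skipped."""
    records = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if not header:
            continue
        fields = dict(FIELD_RE.findall(header.group(4)))
        if fields.get("MODULE") != "Firewall":
            continue
        fields["PORT"] = int(fields["PORT"])
        fields["SCORE"] = int(fields["SCORE"])
        fields.update(timestamp=header.group(1), host=header.group(2), level=header.group(3))
        records.append(fields)
    return records


def triage(rec):
    """Apply the two attribute checks from section 17.3 to one warning."""
    name = rec["RULE_NAME"].lower()
    # RULE_NAME (weight Low): constructed heuristic, a bare executable name
    # used as the rule title rather than a descriptive name looks suspicious.
    name_suspicious = name.endswith(".exe")
    # PORT (weight Medium): does the port fit the program the rule names?
    port_matches_name = any(prog in name and rec["PORT"] == port
                            for prog, port in KNOWN_GOOD)
    verdict = "likely false positive" if port_matches_name else "review"
    return {"rule": rec["RULE_NAME"], "port": rec["PORT"], "signature": rec["SIGNATURE"],
            "name_suspicious": name_suspicious,
            "port_matches_name": port_matches_name, "verdict": verdict}


if __name__ == "__main__":
    for rec in parse_thor_log(SAMPLE_LOG):
        print(rec["host"], triage(rec))
```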