
A firewall traditionally protects you from threats coming from the network. A technician's remote access session might well have been invited in.

I recently allowed a tech from a VOIP voice router company to remotely take over my computer in order to try and fix a router problem. I was amazed at how quickly he manipulated things within my computer and router, but I have been thinking, although I gave permission, which was only protocol from his company to ask for, how easy it must be for a pro hacker to do the very same without any permission. Then I'm thinking how good was my firewall, etc. It didn't even seem to have a clue as to what was going on; I would have thought that I might have needed to shut down my firewall for him to get access to my computer, but no, it was just too easy. I wonder what your thoughts are on this. I'm using Windows 7 Home Premium 64 bit.

This is a wonderful example of how even the best, most securely protected computers can still get infected.

No, I'm not saying that you got infected. Chances are what you allowed was above board and without malicious intent.

But understanding how it happened (that your firewall wasn't involved) is pretty key to understanding how malware can still spread.

You invite it in.

Vampire at the door

When your computer is behind a firewall - including your router acting as a firewall - malware becomes much like the mythical vampire: it can come to your door, but it cannot enter until you actually invite it in.

That, by itself, stops a lot of malware from ever reaching your machine. There are active botnets and infected machines on the internet that are tirelessly searching for unprotected machines; upon finding one, they will gain entry and install malware.


With your firewall in place, that won't happen.

Because you won't invite them in.

That remote access was probably by your invite

Most remote access - including what you described - is not initiated by the remote technician.

Chances are the technician first had you run a program on your computer or visit a website that installed some software on your machine. That software then initiated the connection from your machine to that of the technician. Essentially, that invited him in. Once the connection was established, the software on his computer could use it to remotely access yours.

Because the connection was an outgoing connection, established from your computer to his and not the other way around, your firewall was OK with it. The firewall might not even be paying attention to outbound connections.

In this case, the connection was established for a legitimate purpose.

Sadly, it's not always legitimate.

Inviting in malware

Hopefully, you can see now that while a firewall protects you from one class of malicious software, it cannot protect you from everything.

Specifically, it cannot protect you from malicious software that you explicitly invite on to your machine.

What do those "invitations" look like?

  • Email you download that contains malicious attachments. When you download email, your computer requests it - meaning it's an outgoing connection to your email server that invites it to deliver email to your machine. Once on your machine, running or opening a malicious attachment can in turn infect your machine.

  • Web pages that you visit that contain malicious content. When you visit a web page, your computer requests the contents of that page - meaning it makes an outgoing connection to the web server and requests that it download the contents of the page to your computer, so that it can be displayed. Malicious web pages can then cause malware to be installed, often by establishing their own outgoing connection to their own servers where they "invite" the download of spyware and/or viruses.

Outgoing Firewalls

While a firewall's primary purpose is to block uninvited guests, software firewalls (including Windows' own) will often monitor outgoing connections as well.

In other words, some firewalls can keep an eye on those outgoing invitations.

Now, I'm not a huge fan of outgoing firewalls, but there are many who disagree with me. My take is that by the time the outgoing firewall has something to catch, it's too late - malware already has its hooks into your machine, making that outgoing request. The outgoing firewall can prevent things from getting worse, but the fact is there's already something going on.

I prefer to focus on prevention; before there's ever a chance to make those malicious requests, you should be aware of how visiting malicious sites and opening malicious attachments are basically inviting malware on to your machine.
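To make two points above concrete, that the technician's session was an outbound connection your own machine opened and that an outgoing firewall only has something to catch once a program is already running, here is an added toy packet filter. It is illustration only, not code from this site or from any firewall product; the addresses, ports and program names are constructed sample values, and a real stateful firewall tracks the full TCP handshake rather than recording a flow on a single outbound packet.

```python
"""Toy stateful packet filter.  Added illustration, not code from Ask Leo!
or from any firewall vendor.  All addresses, ports and process names are
constructed sample values."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    sport: int          # source port
    dst: str            # destination IP address
    dport: int          # destination port
    syn: bool = False   # True for the packet that opens a new TCP connection
    process: str = ""   # local program that owns the socket (assumed: a host
                        # firewall can look this up; a router firewall cannot)


@dataclass
class Firewall:
    local_ip: str
    egress_filtering: bool = False                      # "outgoing firewall" mode
    allowed_egress: set = field(default_factory=set)    # programs allowed to dial out
    established: set = field(default_factory=set)       # flows opened from inside
    alerts: list = field(default_factory=list)

    def check(self, pkt: Packet) -> str:
        """Return the verdict for one packet and update connection state."""
        outbound = pkt.src == self.local_ip
        # Normalise to (local addr, local port, remote addr, remote port) so that
        # replies from the remote side match the flow the local side opened.
        flow = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
                else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if flow in self.established:
            return "ALLOW (established)"      # reply traffic on an invited connection
        if outbound and pkt.syn:
            if self.egress_filtering and pkt.process not in self.allowed_egress:
                # The alert fires after the fact: the program is already running.
                self.alerts.append(
                    f"ALERT: {pkt.process} (already running) tried to reach "
                    f"{pkt.dst}:{pkt.dport}")
                return "DENY (egress policy)"
            self.established.add(flow)        # simplified: real filters track the handshake
            return "ALLOW (new outbound)"
        if pkt.syn:
            return "DENY (unsolicited inbound)"  # the uninvited guest at the door
        return "DENY (no matching flow)"


LOCAL_IP = "192.0.2.10"     # your PC (constructed, documentation address range)
TECH_IP = "198.51.100.7"    # technician's machine (constructed, documentation range)


def remote_support_session(egress_filtering: bool):
    """Replay the support session from the article through the filter."""
    fw = Firewall(LOCAL_IP, egress_filtering,
                  allowed_egress={"browser.exe", "mail-client.exe"})
    packets = [
        # 1. Technician tries to connect straight in: no invitation, blocked.
        Packet(TECH_IP, 40000, LOCAL_IP, 3389, syn=True),
        # 2. The support tool you installed dials out to the technician: the invitation.
        Packet(LOCAL_IP, 50123, TECH_IP, 443, syn=True, process="support-tool.exe"),
        # 3. The technician's replies and remote-control traffic ride that same connection.
        Packet(TECH_IP, 443, LOCAL_IP, 50123),
        Packet(TECH_IP, 443, LOCAL_IP, 50123),
    ]
    return [fw.check(p) for p in packets], fw.alerts


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, alerts = remote_support_session(mode)
        print(f"egress filtering {'on' if mode else 'off'}:", verdicts, alerts)
```

With egress filtering off (the common router or inbound-only setup), the technician's direct attempt is denied but everything after the support tool's own outbound connection is allowed as "established": the firewall never saw anything uninvited. With egress filtering on, the tool's connection is denied and an alert is raised, but only at the moment a program that is already installed and running tries to dial out, which is the point made above about prevention coming first.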

Article C5090 - February 27, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


9 Comments
Lou
March 2, 2012 8:46 AM

I thought that Windows 7 Home Premium did not support Remote Desktop Connections, so how did the technician connect? I would like to be able to help my friends by connecting to their computer so how was it done?

Remote Desktop is a feature in Windows that's not enabled for Home edition. However, there are many third-party solutions that do the equivalent, such as LogMeIn, TeamViewer and more.
Leo
03-Mar-2012
Paul Schmidt
March 2, 2012 8:59 AM

A third party app like "TeamViewer" was installed.

connie
March 2, 2012 9:15 AM

@Lou,
Here's an article with lots of info on remote desktop:
What is remote desktop?

Rich
March 2, 2012 12:01 PM

The article provided useful information on how infection occurs, but the article implies the answer is "Don't visit malicious sites"? We never know which sites are malicious, maybe even after infection. So, should we avoid browsing the web at all? How about an article on how we can know if sites are malicious?

That's this article, already on the site: What is a "questionable" or "suspicious" website?
Leo
03-Mar-2012
daffey
March 2, 2012 2:33 PM

OK Leo, so everybody knows if you click on a link that's infected you're done for. But the problem is, in order to move around on the web, you have to click a link. I had occasion to do just that, click a link, and get socked. Fortunately, I've read Leo, and lots of other stuff about malware, and after a bout of getting RKILL running using a pseudo name, and Malwarebytes, I was able to regain control. So using a test machine I went through the same steps as before to get to the poisoned page and it was OK. I had saved the link (original) so I revisited the link directly by clicking on it, and that one was still corrupt. I know there was something different in the links, but never figured it out. I assume how I got to the link had some bearing in getting to the bad one. The point here is: there was no flag saying this is a bad link. It can be (was) an innocent enough site; nothing in my firewall, antivirus, anti-spyware stopped it. My conclusion is there is no guarantee there is such a thing as a "safe web"? And do we (the public) belong on it?

Other than running on a live CD, or other stand alone environment what are our options?

SamG
March 2, 2012 5:15 PM

@daffey, run Sandboxie. Everything in the sandbox. I tried that for a few months and it was too much trouble. At the time I was adjusting to Win7 and dual booting OSs, so needed to download lots of troubleshooting and tips. Also downloading drivers and files. The experience was something like hitting oneself in the arm as hard as you can. And I agree with Leo. If a file or program is dialing out it's already on the computer. Run antimalware weekly and rootkits occasionally if anything strange appears to be happening on your computer. That's another reason Windows Update has to ask me if it's okay to download and install. A busily running hard drive and hard drive light to me is a cause for suspicion. And yes, Verizon tech support in India did the same thing with me a few years ago. Bewildering. But I got a laugh from it when they couldn't navigate well while I was using a desktop replacement program and my 32" LCD TV as a monitor.

Snert
March 3, 2012 12:17 AM

My firewall alerts me to any 'phone-home' attempts. That tells me something is happening that it thinks I want to know about, which is the idea. If there's nothing obvious that needs to do this I KNOW I have something to look for.

Mark
March 3, 2012 9:42 AM

About letting a technician access your machine.

Simply put, as already mentioned, there has to be a high level of trust, whether it be VOIP or any security suite. My focus will be on the latter. I had a suite that featured the option to talk to a "technician".
Let's just say they do have a good reputation for their firewall, but if you need to uninstall the suite for any reason you have to allow them to access your machine, as they do not have a way to uninstall even in Add/Remove or in Safe Mode with a downloaded zip package. However, as usual, there are workarounds for this such as Revo Uninstaller, CCleaner, etc.
To the matter at hand:
A machine in my network with said suite installed on it suddenly just stopped working and would not update itself as it was supposed to. Came to find out later the machine was ridden with viruses. It belonged to a female in the network, so, long story shorter, a local tech and myself put it through a battery of tests to find out why what happened did. At first we could not pinpoint the problem, then finally tested for malware, trojans, etc. At last we had an aha moment. After the suite was removed everything worked, but when the vendor was contacted (they had a guarantee) they asked for a sample to test. No one even suspected some things got through, so samples were out of the question.
Windup was MSE was installed instead with the free ZA firewall, because from my understanding both Microsoft Essentials and Windows Firewall were limited in what they can and can't do.
Word to the wise.
NOT everything works as advertised, even some HIPS programs.
As an example, one time said tech from them was allowed on my main machine to attempt to rectify something wrong. Shortly after, the same machine was telling me my network adapters were not any good; however, when bypassing the Vista OS (now Win7) with Ubuntu that proved false. Needless to say, they became history and were replaced with another security suite that is highly recommended. No problems to date, and the only vendor out there besides Microsoft that offers lifetime subscriptions for about what others' renewals cost.
Plus their technicians are right here in the States, not in India someplace, IF you ever need them.
NO, this is not an endorsement of any kind for anyone, nor do I work for them. It is just a situation that relates to others accessing your computer.

Daniel R.
March 5, 2012 6:07 PM

Discretion is the better part of valor. The keyword is trust. If you have ANY doubt, do not allow. Do additional "homework" until trust is verified.
