You have said that when an outbound firewall stops something it is already too late. But don’t you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not?
A firewall with outbound detection can be of use, but you’ve captured my thoughts already: if it detects something, in a way it’s already too late: your machine is infected.
Let’s review what outbound firewalls are, why I rarely recommend them, and perhaps why your key logger wasn’t detected.
Become a Patron of Ask Leo! and go ad-free!
Firewalls protect you from certain classes of bad things out on the internet. The primary function of a firewall is to monitor traffic coming from the internet (inbound) and prevent bad stuff from reaching or affecting your computer.
Its job is to protect you from “them”, where “them” means the bad guys on the internet.
My article Do I need a firewall, and if so, what kind? has a good overview of firewalls in general, how they do what they do, and my recommended approach.
To summarize: my preference is to use a hardware device, such as a router with NAT (Network Address Translation) enabled. This does an incredibly effective job of hiding your computer from outside access. You can connect out, but outside computers cannot initiate a connection without you having explicitly configured your router to allow it.
Using a router also takes the burden of that work off your computer. In fact, a single router can act as a single effective inbound firewall for all computers connected behind it.
A traditional firewall monitors traffic heading toward your computer from the internet. An outbound firewall does just the opposite: it looks for threats originating on your computer attempting to connect out to the internet.
In a sense, it’s protecting “them” from you.
While it’s very generous of you to protect everyone else from your computer, the real difference is that it should block and alert you when something suspicious is happening, so you can take corrective action.
Outbound firewall shortcomings
In my opinion, outbound firewalls have several shortcomings, both technical and conceptual.
It’s too late
As you pointed out, when an outbound firewall detects something malicious, it’s because your machine is already infected. Something in your inbound security failed, and your machine very likely has malware.
Of course, it’s nice to be alerted, but your inbound defenses – firewall and anti-malware scanners – should have already either prevented or detected the problem. With adequate inbound protection, an outbound firewall is mostly redundant.
Outbound firewalls are only practically available as a part of third-party software firewalls you install on your machine. That means these firewalls take up additional resources to do their job.
A router will give you the inbound protection you need without taking up any additional resources.
It’s frequently wrong
I’d say that the most common complaints about outbound firewalls are that it throws warning messages that are either incomprehensible or overly frequent, and it doesn’t give enough information to make an informed decision about what action to take, if any.
Frequently, they simply report an outbound connection attempt, with little or no information beyond the remote IP address.
They often generate warnings arising from totally legitimate processes on the machine, accessing the internet for things like software updates, or even just the current time and date.
With too many errors, indecipherable messages and false positives, people tend to ignore all the warnings after a while, rendering the outbound firewall completely ineffective.
The case for an outbound firewall
Is there a case for an outgoing firewall at all?
Many experts will disagree with me and say they add a lot of value, and the issues I’ve raised are simply off target or overstated.
Yes, it can act as an additional warning system. If it’s not too intrusive, it might even be relatively benign.
But I remain of the opinion that if an outgoing firewall is, in fact, adding value, it’s because your incoming protection is inadequate. If you’re going to focus additional energy and resources on security, I’d much rather you focus on preventative solutions, rather than solutions that only kick in after something has happened.
Detecting your keylogger
Now, about your keylogger.
If it’s showing up in the system tray, I’m not sure I’d classify it as malware.
It’s open about what it’s doing and easily visible. A key logger isn’t of itself necessarily malware – there are many legitimate uses for the technology. Since it’s not behaving like malware, I’m not surprised it’s not detected as malware.
It also may not be reaching out to the internet. It may be storing the keystrokes it logs locally, or it may simply delay its upload of your activity until it’s collected a certain amount of data, or until some other time.
But let’s assume you did get infected by a truly malicious keylogger – one that was attempting to hide and send all your keystrokes to some overseas hacker in real time.
Well, at the risk of repeating myself too many times: it’s too late. Your machine has been compromised, and you can no longer trust it – and that includes trusting your firewall. Yes, your outbound firewall might block the transmission – or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware’s communication through.
This is almost worse than having no outbound protection at all. With the outbound firewall you might think you’re protected when in fact you are not. Without an outbound firewall, you know, and you know to focus your efforts on inbound protection to avoid the problem in the first place.
I know that others will disagree with me, and I’m sure there’ll be some compelling cases made in the comments.
But I remain unconvinced, and outbound firewalls are not something I use personally or generally advise.