A user with standard (non-administrator) privileges reports a Windows Security notification stating "Windows Defender Firewall is turned off." The user has not made any recent configuration changes, and no Group Policy settings should affect this standalone workstation.
Which of the following is the MOST likely reason the firewall was disabled?
A recent Windows Update temporarily turned the firewall off after a successful install.
Malware on the system has disabled the firewall to avoid detection.
Battery saver mode automatically shut down non-essential services, including the firewall.
The display driver crashed, causing Windows Security Center to report the firewall as off.
Many malware families attempt to weaken host defenses by disabling the operating-system firewall, antivirus, or other protective services. This lets the malicious code communicate freely with command-and-control servers and reduces the chance of detection. Battery-saver settings, driver crashes, and routine Windows Updates do not normally turn off the Windows firewall.
MITRE ATT&CK technique T1562.004 (Disable or Modify System Firewall) documents adversaries disabling firewalls as a defense-evasion tactic.
A CISA advisory on the Kimsuky APT describes malware that zeros Windows firewall registry keys to prevent security alerts.
Therefore, the unexpected firewall-off notification is most likely caused by malware on the system.
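A defender-side triage check for this scenario, added here as an example and not part of the original question or its explanation. It assumes Windows 10/11 with the built-in NetSecurity module and an elevated PowerShell session, and it only reads state: the firewall service, the per-profile setting, the registry values that tooling and malware set directly, and the event log entries that record who changed them.

```powershell
# Added triage script, not from the original question page. Assumes Windows 10/11,
# the built-in NetSecurity module, and an elevated PowerShell session.

# 1. Is the firewall service itself running? Malware may stop it outright.
Get-Service -Name mpssvc | Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2. Per-profile state as the OS currently applies it (Domain, Private, Public).
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 3. Registry values that tools and malware write directly. EnableFirewall=0 is "off".
#    The Policies hive (Group Policy) overrides the service hive when present; on a
#    standalone workstation with no GPO, any value under Policies is itself suspicious.
$bases = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
)
$profileKeys = 'DomainProfile', 'StandardProfile', 'PrivateProfile', 'PublicProfile'
foreach ($base in $bases) {
    foreach ($p in $profileKeys) {
        $key = Join-Path $base $p
        if (-not (Test-Path $key)) { continue }   # subkey names differ between hives
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableFirewall
        if ($null -ne $v) {
            $flag = if ($v -eq 0) { '<-- DISABLED' } else { '' }
            '{0}  EnableFirewall={1} {2}' -f $key, $v, $flag
        }
    }
}

# 4. Who changed it, and when. Event 2003 in the firewall operational log records a
#    profile setting change and names the modifying user and application.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2003
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

If step 4 shows the change made by an unfamiliar application rather than by the user or a known installer, treat the host as compromised and escalate rather than simply re-enabling the firewall.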