This is more of an IR-esque tool.
It is not intended to ship with Windows.
While I can understand the logic concerns, there is such a thing as an IPS and IDS.
While you can disagree with their logic as well, they have proper application.
This is not intended to be a licensed/sold firewall in PowerShell but more of a SOC toolkit to quickly drop on a target and monitor IPs quickly for malicious scores, with an automatic email report back.
It’s in case the firewall is not picking stuff up, which can happen during an attack. This assumes perhaps the firewall IP scoring is not relevant enough, or otherwise we just want to doubly verify there is no malicious IP activity on our endpoint. Kind of a pretty freaking cool tool to, for example, drop for 24-48 hours and then pull it back off.
Pulling in multiple sources of IP threat intelligence to get as many scores as possible, then generating an alert to a security team, this tool has the potential to save some arse.
P.S. I know I never fully explained initially, because, as you can see above, that is a lot to type lol.
Ah yes, one final point: with WFH (work from home), since COVID is going kinda cray cray, a lotta folks may not have all peeps VPN’d in, and so there is a slight chance this could be useful to send to staff… and say, hey, click this (under the least ideal circumstances, where we see someone clicked a malicious link but we have no remote deployment).
Or an attempt could be made to remotely push this to remote endpoints (those working from home), which may not otherwise be covered under a firewall product such as Palo Alto or whatever else.
So, hopefully we can all get the point now.
This is merely intended as a SOC tool, to remotely deploy to an endpoint where we just want to see “Hmm, over 24-48 hours, what is goin’ on?”
Because sometimes a simple AV product is not enough, a firewall that is only on when the endpoint is on VPN is not enough, and even whitelisting apps is not enough when there is potential to punch through stuff with a macro from a phishing email.
Soo… this is for “Ah crap, this person might be hacked.” What now? It’s not a silver bullet, just my thought on how to better check a system than “Ah, well they should be good.”
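Added example of the monitoring loop the post describes, written for this thread and not taken from the poster's tool: enumerate the endpoint's established remote IPs, score each against several intel sources, and build the report that would be emailed back. The three feeds are constructed inline hashtables, the addresses are documentation ranges, and the SMTP host and mailboxes are placeholders.

```powershell
# Constructed stand-in for multiple threat-intel sources (hypothetical feed names).
# A real deployment would replace these with lookups against the chosen feeds.
$IntelSources = @{
    'feedA' = @{ '203.0.113.10' = 95; '198.51.100.7' = 40 }
    'feedB' = @{ '203.0.113.10' = 80 }
    'feedC' = @{ '198.51.100.7' = 60; '192.0.2.22' = 10 }
}

function Get-IpReputation {
    # Collect every source that knows the IP and keep the worst score seen.
    param([string]$Ip, [hashtable]$Sources)
    $scores = foreach ($name in $Sources.Keys) {
        if ($Sources[$name].ContainsKey($Ip)) {
            [pscustomobject]@{ Source = $name; Score = $Sources[$name][$Ip] }
        }
    }
    $max = 0
    if ($scores) { $max = ($scores | Measure-Object -Property Score -Maximum).Maximum }
    [pscustomobject]@{
        Ip       = $Ip
        Sources  = @($scores).Count
        MaxScore = $max
        Detail   = ($scores | ForEach-Object { "$($_.Source)=$($_.Score)" }) -join ','
    }
}

function Get-RemoteEndpoints {
    # Remote IPs of established TCP sessions, minus loopback, private and link-local ranges.
    Get-NetTCPConnection -State Established |
        Select-Object -ExpandProperty RemoteAddress -Unique |
        Where-Object { $_ -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80)' }
}

function Invoke-IpWatch {
    # Score the supplied IPs (live connections by default) and report those at/over the threshold.
    param([int]$Threshold = 70, [string[]]$Ips = (Get-RemoteEndpoints))
    $report = foreach ($ip in $Ips) { Get-IpReputation -Ip $ip -Sources $IntelSources }
    $hits = $report | Where-Object MaxScore -ge $Threshold
    if ($hits) {
        $body = $hits | Format-Table Ip, MaxScore, Sources, Detail -AutoSize | Out-String
        # Email is the reporting channel the post describes; server and addresses are placeholders.
        # Send-MailMessage -SmtpServer 'smtp.example.invalid' -From 'soc@example.invalid' -To 'soc@example.invalid' -Subject "IP watch: $env:COMPUTERNAME" -Body $body
        Write-Output $body
    }
    $report
}

# One pass over constructed addresses; omit -Ips on a live host to use Get-RemoteEndpoints.
Invoke-IpWatch -Ips '203.0.113.10', '198.51.100.7', '192.0.2.22'
```

With the constructed feeds, 203.0.113.10 (max 95, two sources) is the only hit at the default threshold of 70; scheduling Invoke-IpWatch to run periodically over the 24-48 hour window gives the repeated check the post has in mind.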