beerisgood / Windows11_Hardening

a collection about Windows 11


"Block all incoming connections" URL

lashoun opened this issue · comments

Hi, thanks for the thorough guide. At the "Block all incoming connections with Microsoft Defender Firewall" line, what are we supposed to read/find in the URL?

Looks like the comment was deleted. Thanks for the info.

See
https://web.archive.org/web/20210701053642/https://malwaretips.com/threads/what-would-happen-if-a-legimate-program-os-or-game-somehow-had-a-virus-or-malware-installed-on-it-from-the-official-source.108861/page-2#post-949038

If you have a malicious process running then you've already lost. The problem is again due to this term: "application security model".

Now, Windows does have a sane application security model for the new UWP apps, but they also insist on maintaining about 30+ years of binary compat with the legacy Win32/desktop application system. The desktop application system itself has no real security at all. All apps can read all your data, modify it and even snoop on each other's data. A few toggles to restrict camera and mic for desktop apps is a step in the right direction, but it isn't enough to fix this issue.

If you have a malicious process that can send data outside of your computer, it almost always is using the insecure desktop app approach to exfiltrating this data. Without a proper application security model you cannot block outbound traffic by definition. In most cases, whatever malware it is, it's almost always also running with a high integrity level, so they can just remove your filtration rules. You can see how quickly this stops making sense. The only reason the firewall even stops any traffic at all is because it is running at a higher privilege level than the application itself. Without an application security model it is meaningless to even try to block outbound traffic, as an attacker can just work around your blocks. Malware can also choose to just become the kernel itself by loading a malicious driver or abusing a vulnerable driver already present on the system. And kernel drivers on a monolithic kernel system are the kernel itself; they can bypass all of the fancy security you have because an operating system isn't subject to restrictions imposed by itself.

Restricting outgoing traffic is just pointless security theater without a proper application security model in place. If a malicious process is running then you have already been compromised, and a firewall rule is the least of your concerns.

Mobile operating systems like Android have a very different way to achieve this. On recent Android phones the only process to ever have root access is a very tiny portion of the early boot code. Once that code exits there is no process on the system with unrestricted privileges. Even core system services are heavily restricted and nothing -- not even system code -- is trusted. Everything on the system is sandboxed and a default-deny permissions model is enforced throughout the system. This permissions model can actually control internet access correctly and guarantee that bypasses are impossible. Applications can never get higher privileges, and even if they do get higher privileges, remember that the system does not have ultimate trust. That is the kind of security you'd need to have on Windows before you think of blocking outgoing traffic.

There are just too many ways for malware to exfiltrate data. Even if their own process is blocked from the internet they can just trick the system into sending data, they could use a lolbin, and they can even just use inbuilt OS features like DNS resolution to send your data to others. There are just way too many bypasses, and unless Microsoft seriously locks down the OS it is a pointless cat and mouse game that will never lead to sound security and often leads to a system that's just broken and user-unfriendly.

The situation is even worse when you don't use Windows Firewall and use a third-party firewall. Technically, it is possible for Microsoft to implement a proper outbound traffic filter using Windows Firewall, and OS components can actually call into this to check if an application actually has privileges to use a certain feature (like the DNS bypass I briefly talked about earlier). This isn't the case for third-party software. It is technically a security risk to have system components call third-party code just like that, so these APIs can never be safely exported to third-party firewalls. And now if a third-party firewall does enforce a block rule, then if malware somehow manages to make the system send out the data by using the system's own provided functions, the system has no idea that the action is blocked and would just allow it anyway. Again, this feature itself isn't implemented, but you can see how bad the situation will get with a third-party firewall.

The majority of zero-days that come from your network are due to Windows allowing inbound traffic to a bunch of system processes in the first place. Blocking inbound traffic can never break system functionality for the average home user; it's a feature only enterprises use, if ever, and simply dropping all incoming traffic is going to instantly boost your security. Not to mention, almost 90% of home users are never even going to run into issues with all inbound traffic being blocked, as they never really use a service that requires this. Torrent clients and the like that do need inbound functionality often will continue to function as long as there is a server that can make connections to other peers.
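As an added example (not code from the Windows11_Hardening repository or from the quoted post), this is the PowerShell equivalent of the guide's "Block all incoming connections with Microsoft Defender Firewall" step, applied to all three profiles, with a check that the setting actually took and logging of dropped inbound packets so a broken service can be spotted; it assumes an elevated session and the built-in NetSecurity module.

```powershell
# Added example (not from the Windows11_Hardening repo): apply and verify the
# "Block all incoming connections" firewall posture. Run elevated.

$profiles = 'Domain', 'Private', 'Public'

# Default posture: inbound is blocked unless an allow rule (per-app exception,
# file sharing, RDP, ...) matches, so every such rule is a listening surface:
#   Set-NetFirewallProfile -Profile $profiles -DefaultInboundAction Block -AllowInboundRules True

# Hardened posture (the guide's step): drop ALL inbound traffic, including
# traffic that existing allow rules would accept. Outbound stays allowed,
# which is what the quoted post argues is the only realistic default.
Set-NetFirewallProfile -Profile $profiles `
    -Enabled True `
    -DefaultInboundAction Block `
    -AllowInboundRules False `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verification: every profile must be enabled, default-block inbound, and
# ignore inbound allow rules. Anything else is reported by name.
$notHardened = Get-NetFirewallProfile -Profile $profiles | Where-Object {
    $_.Enabled -ne 'True' -or
    $_.DefaultInboundAction -ne 'Block' -or
    $_.AllowInboundRules -ne 'False'
}
if ($notHardened) {
    Write-Warning ('Profiles not hardened: ' + ($notHardened.Name -join ', '))
} else {
    Write-Host 'All profiles block all incoming connections.'
}

# Detection/troubleshooting: show the most recent dropped packets so you can
# confirm nothing you rely on (e.g. a torrent client's listener) was broken.
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 20
```

The same posture is what the Windows Security app shows as "Blocks all incoming connections, including those in the list of allowed apps"; reverting is the commented default-posture line.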

Thanks for the quick answer. I found an earlier answer of the same user that said the following:

I just keep a separate Windows OS image lying around on an HDD. I then connect this HDD to my computer and boot off it for stuff like games. When I connect the HDD and reboot, TPM attestation instantly fails so my main OS won't boot without the BitLocker recovery key (that is fine). I can then boot off this into an OS where I run my games and other desktop applications I don't really trust.
When I'm done I just shut down and disconnect the HDD. The motherboard then automatically updates the boot variables again and attestation now passes. I can go back to my original OS.
If attestation fails after disconnecting the HDD then somebody was tampering with my BIOS or the Windows boot partition. I have a USB drive with a minimal Linux OS image that restores both if that ever happens. If it still fails after restoring then a very advanced attack has happened and I just RMA the board and other hardware.

What do you think of this setup? It seems very secure to me while still being convenient.
If you are of the same opinion, do you think you could give me some pointers as to how to achieve this setup, please?
Mainly for the TPM attestation stuff and for the Linux OS image to restore BIOS and Windows Boot Partition.
I'd be grateful if you could help me!

I wouldn't recommend such a setup to anyone.
If you want that anyway, just use a VM.

The most secure solution would be using cloud gaming.

Thanks for your opinion, I could try a VM yes! Didn't think of it.