OPNsense Forum

English Forums => General Discussion => Topic started by: lorem on November 24, 2025, 10:15:45 PM

Title: Hunting a boot sector malware
Post by: lorem on November 24, 2025, 10:15:45 PM
I have a Windows host with a malware problem. The malware is installed in the boot sector. The malware "calls home" to enable external exfiltration. I know when the malware is installed because it blue screens the computer often, causing me to reboot often. I suspect that the malware gets installed when an unknown file is read. I can remove it by reinstalling the MBR. It gets reinstalled when I browse a certain archive directory. Two malware scanners I tried did not find it.

I want to block outgoing IPs and watch Firewall Live View to see if an unknown IP is calling home, but without allowing it to connect. If that is confirmed I will enable the connection and record packets both ways with Wireshark.

For the first step I want normal network functions to work such as DNS, but block everything else.

My first rule is: Allow, DMZ net, *, DMZ address, 53(DNS)
My second rule is: Block, DMZ net, *, *, *

This seems to work. Any comments?
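Once the block rule is logging, the "calling home" check described above can be done from the firewall log instead of watching Live View by hand. The script below is an added example, not part of the original post or of OPNsense: it parses constructed filterlog-style lines (the common filterlog CSV field order is assumed, with the syslog prefix already stripped) and lists which destinations the DMZ host kept trying to reach while the block rule held it back.

```python
import csv
from collections import Counter

# Constructed sample log lines (not real traffic). Assumed field order, as in
# the filterlog CSV format used by OPNsense/pfSense:
#   rulenr,subrulenr,anchor,label,interface,reason,action,dir,ipver,
#   tos,ecn,ttl,id,offset,flags,protonum,protoname,length,src,dst,sport,dport,...
# On the DMZ interface, traffic leaving the DMZ host enters the firewall, so
# the rules in the post match it with direction "in" on that interface.
SAMPLE_LOG = """\
0,,,allow_dns,igb1,match,pass,in,4,0x0,,64,1,0,DF,17,udp,60,192.0.2.10,192.0.2.1,51234,53,40
0,,,block_all,igb1,match,block,in,4,0x0,,128,2,0,DF,6,tcp,52,192.0.2.10,198.51.100.7,49152,443,0,S,,,,
0,,,block_all,igb1,match,block,in,4,0x0,,128,3,0,DF,6,tcp,52,192.0.2.10,198.51.100.7,49153,443,0,S,,,,
0,,,block_all,igb1,match,block,in,4,0x0,,128,4,0,DF,6,tcp,52,192.0.2.10,203.0.113.9,49154,8080,0,S,,,,
0,,,block_all,igb1,match,block,in,4,0x0,,128,5,0,DF,6,tcp,52,192.0.2.11,198.51.100.7,49155,443,0,S,,,,
"""

# Column indices for the assumed field order above.
ACTION, IPVER, PROTO, SRC, DST, DPORT = 6, 8, 16, 18, 19, 21


def blocked_destinations(log_text, host):
    """Count (dst, proto, dport) tuples that the block rule stopped for `host`."""
    counts = Counter()
    for row in csv.reader(log_text.splitlines()):
        # Skip short/malformed rows and anything that is not IPv4.
        if len(row) <= DPORT or row[IPVER] != "4":
            continue
        if row[ACTION] == "block" and row[SRC] == host:
            counts[(row[DST], row[PROTO], row[DPORT])] += 1
    return counts


def beacon_candidates(log_text, host, min_hits=2):
    """Destinations the host retried at least `min_hits` times: repeated
    attempts to one blocked endpoint are what a call-home looks like in the
    log, and are the addresses worth capturing with Wireshark next."""
    counts = blocked_destinations(log_text, host)
    return sorted(k for k, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for dest, hits in blocked_destinations(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{dest[0]}:{dest[2]}/{dest[1]} blocked {hits}x")
    print("candidates:", beacon_candidates(SAMPLE_LOG, "192.0.2.10"))
```

On a real box the same lines come from /var/log/filter/latest.log (or the Live View export) after stripping the syslog prefix up to `filterlog:`.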