Aren't desktop firewalls useful in cases where attackers use malicious PDFs/Office documents/browser exploits to run reverse shells? If the exploit tries to connect to evilhost.com:443, how can a server firewall know that the connection is not a legitimate HTTPS connection?
As far as I understand, desktop firewalls would block attempts like these, as long as the connection isn't initiated by a whitelisted program. Of course the exploit payload could include methods to whitelist itself, but I assume there is no one single method to do this, so the payload would have to include custom methods for each of the personal firewall vendors.
Disclaimer: I have no experience with personal firewalls, and if I'm talking out of my ass, please correct me.
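The distinction the post draws, as an added example that is not part of the original post: the same outbound connections judged by a port-based network firewall and by a per-program desktop firewall. The policy values, process paths and sample events are constructed assumptions; only evilhost.com:443 comes from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    process: str  # image path of the program that opened the socket
    dest: str     # destination host
    port: int     # destination port

# Constructed policy values (assumptions, not from the post).
BROWSER = r"C:\Program Files\Browser\browser.exe"
PERIMETER_ALLOWED_PORTS = {80, 443}
HOST_ALLOWED_PROCESSES = {BROWSER.lower()}

def perimeter_allows(c: Conn) -> bool:
    """Network firewall view: addresses and ports only, no process identity."""
    return c.port in PERIMETER_ALLOWED_PORTS

def host_allows(c: Conn) -> bool:
    """Desktop firewall view: the decision is keyed on the initiating program."""
    return c.process.lower() in HOST_ALLOWED_PROCESSES

def evaluate(conns):
    """Return (connection, perimeter verdict, host verdict) for each event."""
    return [(c, perimeter_allows(c), host_allows(c)) for c in conns]

def blocked_only_by_host(conns):
    """Connections the perimeter passes but the desktop firewall stops."""
    return [c for c, net, host in evaluate(conns) if net and not host]

# Constructed sample events.
SAMPLE = [
    # Normal browsing from the whitelisted browser.
    Conn(BROWSER, "example.org", 443),
    # Non-whitelisted program connecting out on the HTTPS port.
    Conn(r"C:\Users\alice\AppData\Local\Temp\reader_helper.exe", "evilhost.com", 443),
    # Same destination, but the socket belongs to the whitelisted program.
    Conn(BROWSER, "evilhost.com", 443),
]

if __name__ == "__main__":
    for c, net, host in evaluate(SAMPLE):
        name = c.process.rsplit("\\", 1)[-1]
        print(f"{name:18} -> {c.dest}:{c.port}  perimeter={net}  host={host}")
```

The third event shows the condition stated in the post: the per-program check only helps when the connection is not initiated by a whitelisted program.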