Shields UP will run a probe of the public IP address, which may or may not be the same as the computer's IP address. For example, broadband routers hand out DHCP-assigned IPs for the internal network, usually in the 192.168.1.0/24 range. If the broadband router blocks outbound "chatty" protocols, such as MSRPC, UPnP, etc., Shields UP will not detect them, despite the fact that these ports might be detected by nmap internally.
The Shields UP scan resulted in stealth mode for my Windows 8.1 laptop; however, this is what an nmap scan shows internally:
Take this laptop to a Wi-Fi hotspot, or connect it directly to the Internet, and these ports could be exploited if there is a remote exploit for these services.
The Windows firewall is generally configured to allow the outbound chatty protocols (ports) for private networks. The Wi-Fi hotspot also uses private DHCP-assigned IPs, which could even be the same as the home network range defined by the broadband router. As such, if the Wi-Fi hotspot's firewall does not block the outbound chatty protocols, they could be discovered from the Internet. Even if the Wi-Fi hotspot blocks these protocols going out to the public network, any other Wi-Fi hotspot user could discover and exploit these open ports.
I hope this is clearer...
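The inside-versus-outside difference described in the post, as an added example (the editor's code, not anything posted in the thread): a plain TCP connect scan that reports each port as open, closed or filtered. The "filtered" verdict (no reply at all) is what an outside probe such as Shields UP reports as stealth, while the same port scanned from inside the NAT may come back open. The host, the list of Windows "chatty" TCP ports and the demo listener are assumptions for illustration; run it against your own laptop's private address to see real results.

```python
"""TCP connect scan from inside the private network, with per-port verdicts.

Added example, not code from the thread. CHATTY_TCP_PORTS is an assumed list of
typical Windows listeners on the private firewall profile; the demo listener on
loopback is constructed so the scan always has one guaranteed-open port.
"""
import socket
import threading

# Assumed defaults for a typical Windows build; adjust to yours. UPnP discovery
# (1900) and NetBIOS name service (137) are UDP and are not seen by a TCP scan.
CHATTY_TCP_PORTS = {
    135: "MSRPC endpoint mapper",
    139: "NetBIOS session",
    445: "SMB",
    2869: "UPnP device host",
    5357: "WSDAPI (Web Services on Devices)",
}


def scan_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    A completed handshake means something is listening; a connection refused
    (RST) means the host answered but nothing listens; a timeout means a
    firewall or NAT dropped the SYN, which an outside scanner calls 'stealth'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Unreachable host or network: no RST came back, so treat as filtered.
        return "filtered"
    finally:
        sock.close()


def scan_ports(host, ports, timeout=1.0):
    """Scan several ports and return {port: verdict}, lowest port first."""
    return {port: scan_port(host, port, timeout) for port in sorted(ports)}


def start_demo_listener(host="127.0.0.1"):
    """Bind an ephemeral loopback port and accept connections in a background
    thread. Returns (port, server_socket); close the socket when done."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return server.getsockname()[1], server


def free_port(host="127.0.0.1"):
    """Pick a loopback port that is not currently listening (bind, read, release)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    demo_port, server = start_demo_listener()
    targets = set(CHATTY_TCP_PORTS) | {demo_port}
    for port, verdict in scan_ports("127.0.0.1", targets).items():
        print(f"{port:5d}/tcp  {verdict:8s}  {CHATTY_TCP_PORTS.get(port, 'demo listener')}")
    server.close()
```

Point the same `scan_ports` call at the laptop's 192.168.x.x address from another machine on the hotspot to reproduce what a neighbouring hotspot user would see; the public-IP view from Shields UP only tells you what the router in front of you lets through.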
Yes, I think your concern is a bit clearer now. However, remember that the Shields UP test is only designed to test for vulnerabilities that are "uninvited." It appears that you are primarily concerned with outbound vulnerabilities in high-risk areas; yes? If so, then I agree that one has to understand the intent of the Shields UP test, and one should not get a "false feeling of comfort" that "all is well everywhere" just because they got a stealth rating. However, it is very easy to "invite" malware into your PC by simply clicking (unsuspectingly) on a link to a malware download, and I have found that the best defense for this is an "early warning flag" from a good 3rd-party AV or anti-malware program that gives you a chance to abort the connection before the malware is fully downloaded and can start running on your PC. Anyway, congrats on a nice response and the clarity of your issue.
You are correct that one would need AV and other security measures to protect against malware, but...
AV will stop known malware but is pretty much useless against unknown ones, so keeping the AV definitions up to date is critical for detection. It is also important to keep the system/application security patches up to date, not to log on with an admin account, and to use additional protection such as MS EMET, WinPatrol, etc., to keep malware off a system.
Shields UP only sees ports that allow inbound connections from any IP address when it scans for open ports, or services, and it cannot scan for "uninvited vulnerabilities".
This is due to how these uninvited programs work. Once the malware establishes itself on a system, it contacts the command and control center, or CCC, for instructions on a periodic basis. The connection initiated by the host can be on any port; that does not really matter. What matters is that the destination of this connection is defined within the malware code. It is pretty much a point-to-point connection that does not show up in a port scan, even with nmap, as an open port.
In theory, my Windows 8.1 could have malware running on it; the nmap scan posted earlier cannot determine the existence of malware, and there is no easy way to see if the system is infected with just a port scan. One would need to analyze running processes and established outbound network connections, and capture the network traffic on a switch/router, to reasonably determine the existence of malware. That is especially true with the "industrialized/modern" malware that is hard to detect.
PS: Thanks for the "thumbs-up"!
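The kind of analysis the post says a port scan cannot do (looking at established outbound connections per process rather than listening ports), as an added example that is the editor's code, not the poster's: it takes periodic dumps of outbound connections with their owning process and flags destinations that are contacted at a near-constant interval, the periodic check-in the post describes. The record format, and every process name, PID, address and timestamp in SAMPLE_CONNECTIONS, are constructed for illustration; in practice you would feed it the output of repeated `netstat -ano` runs or a Sysmon network-connection log.

```python
"""Beacon hunting over outbound-connection records.

Added example, not code from the thread. Assumes you have exported established
outbound connections with their owning process on a schedule; the line format
'timestamp pid process local remote' and all sample values are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: chrome.exe browses irregularly, while 'updater.exe'
# contacts one address on a non-standard port every five minutes on the dot.
# Note the local port changes each time and the destination port (8081) is not
# listening anywhere on the laptop, so no port scan of the host would show it.
SAMPLE_CONNECTIONS = """\
2014-03-01T10:00:00 1184 svchost.exe 192.168.1.23:49211 23.15.7.40:443
2014-03-01T10:00:12 3020 updater.exe 192.168.1.23:49212 203.0.113.9:8081
2014-03-01T10:02:31 2210 chrome.exe  192.168.1.23:49230 93.184.216.34:443
2014-03-01T10:05:12 3020 updater.exe 192.168.1.23:49244 203.0.113.9:8081
2014-03-01T10:07:45 2210 chrome.exe  192.168.1.23:49260 93.184.216.34:443
2014-03-01T10:10:12 3020 updater.exe 192.168.1.23:49271 203.0.113.9:8081
2014-03-01T10:11:02 2210 chrome.exe  192.168.1.23:49280 151.101.1.69:443
2014-03-01T10:15:12 3020 updater.exe 192.168.1.23:49299 203.0.113.9:8081
2014-03-01T10:20:12 3020 updater.exe 192.168.1.23:49310 203.0.113.9:8081
"""


def parse_connections(text):
    """Parse 'timestamp pid process local remote' lines into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, process, local, remote = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "pid": int(pid),
            "process": process,
            "local": local,
            "remote": remote,
        })
    return records


def find_beacons(records, min_hits=4, max_jitter=0.10):
    """Group connections by (process, pid, remote endpoint) and flag groups whose
    inter-connection gaps are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps; real beacons often add random sleep, so raise it for noisier data.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["process"], r["pid"], r["remote"])].append(r["time"])

    beacons = []
    for (process, pid, remote), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({
                "process": process, "pid": pid, "remote": remote,
                "hits": len(times), "mean_interval_s": avg, "jitter": jitter,
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"{b['process']} (pid {b['pid']}) -> {b['remote']}: "
              f"{b['hits']} connections, every ~{b['mean_interval_s']:.0f}s")
```

A hit from this script is a lead, not a verdict: legitimate update agents also check in on a timer, so the next step is the one the post names, confirming what the process is and capturing its traffic at the router.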