Creating outbound rules for the Windows 7 Firewall

[itman]

There are major differences between WFC and WFN.

WFN uses the WIN 7 Firewall API. As such, the rules created by WFN are actual WIN 7 outbound firewall rules accessable via the WIN 7 firewall GUI. WFN made a valiant attempt and creates firewall rules by service but could not catch them all. Hence, most users end up with the total insecure rule of allowing all outbound access to svchost.exe TCP port 80 and/or 443.

WFC is an entire front-end to the WIN 7 firewall. Rules created by WFC are WFC rules only. I believe WFC also has the same problem with outbound svchost.exe and creates a global rule to allow outbound TCP port 80, 443. I know this is true for the free version.

WFN is still buggy due to the fact it was developed is maintained by a single French developer. Guy works at his day job and works on WFN as time permits.

[AMIGA500]

ive tried windows firewall control but the resource usage is astronomical for such a "small" app.plus there were freezing issues.

[alexandrud]

Quote:

Originally Posted by Beethoven1770

ive tried windows firewall control but the resource usage is astronomical for such a "small" app.plus there were freezing issues.

I am working on an improved version of WFC which will retain the functionality but will get rid of the enhanced graphics. It seems that the custom windows with a lot of transparency and fade effects made the program to be rendered entirely in software mode which uses the CPU intensively. Also the memory usage will be improved to use less by recycling the memory. The new version will be available soon.

[Werderforever]

Quote:

I believe WFC also has the same problem with outbound svchost.exe and creates a global rule to allow outbound TCP port 80, 443. I know this is true for the free version.

Alexandrud, is this true, that WFC allows all Outbound traffic for svchost.exe?
And only for free version or for registered version too?

Werderforever

[Ring0]

Quote:

Alexandrud, is this true, that WFC allows all Outbound traffic for svchost.exe?

Fiuuuuu, need an eternity to understand.

[alexandrud]

Quote:

Originally Posted by itman

WFC is an entire front-end to the WIN 7 firewall. Rules created by WFC are WFC rules only. I believe WFC also has the same problem with outbound svchost.exe and creates a global rule to allow outbound TCP port 80, 443. I know this is true for the free version.

Well, I am the developer of Windows Firewall Control and I must say that you misinform the people. The rules created by WFC are the same ones used by Windows Firewall and vice versa. They are read from Windows Firewall API. I think you are confusing the products.

There is one product named WFC (Windows Firewall Control) which is developed by me and published on binisoft.org. WFC does not allow svchost.exe at all. It is blocked. All programs are blocked, including system ones.

There is a second product which is called W7FC (Windows 7 Firewall Control) which is developed by Sphinx software. This one, indeed allows svchost.exe in the free version. Also other system applications.

Quote:

Originally Posted by Werderforever

Alexandrud, is this true, that WFC allows all Outbound traffic for svchost.exe?
And only for free version or for registered version too?

Werderforever

There was a misunderstanding from itman. WFC blocks all programs, including svchost.exe even if you are a registered user or not. He was referring to another product.

[itman]

Quote:

There is a second product which is called W7FC (Windows 7 Firewall Control) which is developed by Sphinx software. This one, indeed allows svchost.exe in the free version. Also other system applications.

Yes, that was the one I was thinking of. Sorry about that.

To many Windows Firewall front-ends to keep track of

I do have a question about WFC. Does it maintain WSH integrity?

[luciddream]

It's threads like this that leave me in no hurry whatsoever to "upgrade" to Win7. Good grief... the outbound control on this native FW sounds like an absolute nightmare.

I'd hate having to use 3'rd party software when there's an integrated (and feather light) solution there. But I hate headaches as well. I may just have to hang on to Comodo FW when I make this switch. I know I can depend on it, worry/headache free, for easy, granular rule setting.

[luciddream]

Quote:

Originally Posted by itman

There are major differences between WFC and WFN.

WFN uses the WIN 7 Firewall API. As such, the rules created by WFN are actual WIN 7 outbound firewall rules accessable via the WIN 7 firewall GUI. WFN made a valiant attempt and creates firewall rules by service but could not catch them all. Hence, most users end up with the total insecure rule of allowing all outbound access to svchost.exe TCP port 80 and/or 443.

WFC is an entire front-end to the WIN 7 firewall. Rules created by WFC are WFC rules only. I believe WFC also has the same problem with outbound svchost.exe and creates a global rule to allow outbound TCP port 80, 443. I know this is true for the free version.

WFN is still buggy due to the fact it was developed is maintained by a single French developer. Guy works at his day job and works on WFN as time permits.

Here on my XP Pro box svchost.exe doesn't require any internet access for my setup to function properly. Is this not the case on Win7? If so, what exactly is the access required for? Some service(s)?

For all the claims of this OS being "more secure", based on actual real world observations I see quite to the contrary. Out of the box, sure. But when you harden XP Pro, compliment it with the right software, and exercise safe habits, I think you can make it safer than you could possibly get Vista or 7. Because you don't have dozens of services/processes that need to be running and granted internet access for it to function.

I have 11 processes running and 9 services "started" at boot up. Only 2 instances of svchost, neither requiring internet access. From what I gather there are like a dozen instances of svchost alone on 7.

I think I'll stick with XP Pro until EOL do us part...

[wat0114]

Quote:

Originally Posted by luciddream

Good grief... the outbound control on this native FW sounds like an absolute nightmare.

Actually, it's 100% logical once you get the gist of it.

[adrenaline7]

I used Stems thread on here and it was about a 30-40 minute process whitelisting my outbound apps and turning outbound protection to blocked. Takes about 1 minute to add a new app if I install something new. Pretty easy, if I used a 3rd party firewall it would be for the HIPS not the firewall. Overall I like the built in one but would like pop ups on what is blocked without installing something else or having to view logs. I can live without that though.

[AMIGA500]

Blocking svchost.exe? ..is that advisable seeing as its a windows service.
Sorry im useless with firewall logic.lol.

[wat0114]

Quote:

Originally Posted by Beethoven1770

Blocking svchost.exe? ..is that advisable seeing as its a windows service.

No need to block it. Rather, control it:

Code:

Rule Name:                            svchost - service: wuauserv.exe to ports 80 & 443
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Public
Grouping:                             
LocalIP:                              Any
RemoteIP:                             4.27.3.0/24,65.54.51.0/24,65.54.95.0/24,65.55.0.0/16,204.160.125.0/24,206.108.207.0/24,207.46.0.0/16,209.84.24.0/24
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           80,443
Edge traversal:                       No
Action:                               Allow

This an older rule controling it for Windows update servers (more remote ip addresses are required). Note the service "wuauserv.exe" tied to svchost.

[Kirk Reynolds]

Quote:

Originally Posted by Aventador

Avast's updates automatically the way it should be. Like I said I tried them all. Same thing. Anyone else experiencing this issue? Anyone solve it? When Avast Updates, either manually or automatically "avast.setup" runs. It cannot be found in the program folder either. Hidden or not. That is the exe which needs to be allowed but how can you add it when its not even there?

You can add a path in the firewall without the file actually existing or being visible at the time that you add it. These are the three rules that I have for Avast and it updates fine using Win7 advanced firewall.

C:\program files\avast software\avast\setup\avast.setup
C:\program files\avast software\avast\avastui.exe
C:\program files\avast software\avast\avastsvc.exe

[Aventador]

Quote:

Originally Posted by Kirk Reynolds

You can add a path in the firewall without the file actually existing or being visible at the time that you add it. These are the three rules that I have for Avast and it updates fine using Win7 advanced firewall.

C:\program files\avast software\avast\setup\avast.setup
C:\program files\avast software\avast\avastui.exe
C:\program files\avast software\avast\avastsvc.exe

Do those rules work when you select block all outgoing that do match a rule? I tried that. Did not work. But this did.


http://www.wilderssecurity.com/showp...&postcount=570

[Kirk Reynolds]

Quote:

Originally Posted by Aventador

Do those rules work when you select block all outgoing that do match a rule? I tried that. Did not work. But this did.


http://www.wilderssecurity.com/showp...&postcount=570

Yes, I block all outbound that don't match a rule.

I don't use the Avast Web Shield. It enables all traffic sent via proxy. Although it may not make a difference in your case, try turning off the Avast Web Shield and see if that changes anything.

I haven't used Tiny Wall. You may want to try disabling it too and just using the Win7 firewall while you troubleshoot it.

[Ring0]

Quote:

Originally Posted by alexandrud

Well, I am the developer of Windows Firewall Control and I must say that you misinform the people. The rules created by WFC are the same ones used by Windows Firewall and vice versa. They are read from Windows Firewall API. I think you are confusing the products.

If someone is able to write two lines of code (GUI-with exaggerated memory usage) does not mean to understand firewall logic.

To open the discussion both sides should understand the minimum of the argument of which discussion proceeds. I try and then decide if it is worth continuing. To verify the minimum logic, I have the first question ?

Quote:

Originally Posted by alexandrud

There is one product named WFC (Windows Firewall Control) which is developed by me and published on binisoft.org. WFC does not allow svchost.exe at all. It is blocked. All programs are blocked, including system ones.

If you believe in what you write, and written are right? because WFC with the first installation suggests "Create system rules (recommended)" and creates different Block.. svchost.exe rules like (Outbound rule to block WFC - Akamai Technologies) ?

[luciddream]

Quote:

Originally Posted by Beethoven1770

Blocking svchost.exe? ..is that advisable seeing as its a windows service.

I don't grant anything access unless it's either necessary, or useful. svchost.exe is only needed for me once a month when I update Windows. So I don't actually have it blocked. I have no rule set for it. Then that once a month when I update Windows I grant it access on that per case basis, then don't hear from it again for 30 days.

Perhaps it is needed for more functionality in Windows 7? Essential even for a stable system? That's not the case in XP.

[moontan]

Quote:

Originally Posted by luciddream

svchost.exe ...

Perhaps it is needed for more functionality in Windows 7? Essential even for a stable system? That's not the case in XP.

it has to be allowed on Windows 7 to surf the Internet.

[alexandrud]

Quote:

Originally Posted by Ring0

If someone is able to write two lines of code (GUI-with exaggerated memory usage) does not mean to understand firewall logic.

You don't have to be impolite. Just because a software uses more memory than you are used with other applications, it does not mean it is a crappy software. I invite you to write some software by yourself and then talk again about "writing two lines of code".

Quote:

Originally Posted by Ring0

To open the discussion both sides should understand the minimum of the argument of which discussion proceeds. I try and then decide if it is worth continuing. To verify the minimum logic, I have the first question ?

If you believe in what you write, and written are right? because WFC with the first installation suggests "Create system rules (recommended)" and creates different Block.. svchost.exe rules like (Outbound rule to block WFC - Akamai Technologies) ?

The default behaviour of Windows Firewall is to allow all outbound traffic. For WFC this means "Low Filtering" profile. You can enable filtering of all outbound traffic and all programs that do not have a rule will be blocked by default. For WFC, this means "Medium Filtering" profile. Now, about svchost.exe rules. The rules that are recommended by WFC to be installed at installation are: allow Windows Update and Windows Time Syncronization and block common known locations where different components of the OS are trying to connect through svchost.exe: Akamai, VeriSign, Microsoft Limited, etc.

For "Low Filtering" some of svchost.exe connections are blocked by these rules and the others are possible. These are the common locations where svchost.exe tries to connect.

For "Medium Filtering" all svchost.exe connections are blocked, with the exception of Windows Update and Windows Time, which are allowed. But, any other connections for svchost.exe are blocked.

The discussion was in the context where the W7FC from Sphinx allows all traffic for svchost.exe, rundll.exe, etc, in the free version. My program can block svchost.exe even if you are not a registered user. Ans, also you can define a rule to block all traffic for svchost.exe. This can't be achieved in the free version of W7FC from Sphinx.

[Ring0]

Quote:

Originally Posted by alexandrud

....it does not mean it is a crappy software.

Excuse me, with no intention to be rude, if GUI such as WFC is using memory as video editing software ? then yes I say it in a loud voice, it is a little crappy GUI.

Quote:

Originally Posted by alexandrud

For "Low Filtering" some of svchost.exe connections are blocked by these rules and the others are possible. These are the common locations where svchost.exe tries to connect.

This level there is no need (rename it, allow all), because confusing simple user, provides false sense of security with three block rules.

Quote:

Originally Posted by alexandrud

For "Medium Filtering" all svchost.exe connections are blocked,..

Exact, but with DNS services disabled learning mode not work and GUI return to allow all level, very useless. I see that you're not going to try to understand importance of controlling svchost.exe connection, and if this is not clear to yourself, learning further would be rather inefficient.

[alexandrud]

Quote:

Originally Posted by Ring0

Excuse me, with no intention to be rude, if GUI such as WFC is using memory as video editing software ? then yes I say it in a loud voice, it is a little crappy GUI.

Video editing software use hundreds of MB of memory. WFC uses in full load 50-60MB. Look in Task Manager at your internet browser for memory consumption. Is it low ?

Quote:

Originally Posted by Ring0

This level there is no need (rename it, allow all), because confusing simple user, provides false sense of security with three block rules.

This is just your personal opinion. It is stated in the description of this profile that "outgoing connections that do not match a rule are allowed". There is no false sense of security. This can't be named "Allow all" if there may be rules that block programs.

Quote:

Originally Posted by Ring0

Exact, but with DNS services disabled learning mode not work and GUI return to allow all level, very useless. I see that you're not going to try to understand importance of controlling svchost.exe connection, and if this is not clear to yourself, learning further would be rather inefficient.

The following Windows services are required to be enabled for the notifications to work: "DNS Client" and "TCP/IP NetBIOS Helper". If these two are stopped the notifications provided by Learning Mode does not provide the real remote IP address of the connection. It will show the IP of your local router. But even in this case, the filtering is done properly. I don't see where is the problem.

If you are such a svchost guru, please enlighten us with how the svchost connections should be handled.

Quote:

Originally Posted by alexandrud

If you are such a svchost guru, please enlighten us with how the svchost connections should be handled.

svchost.exe est le plus difficile à configurer, lui même ne se connecte pas (jamais vu en tant que processus "parent"), sauf dans le réseau local, ce sont ses processus "enfant" qui le font, Bitdefender pas moins de 10 à 15 règles dans le pare feu... Ring0 a raison de souligner cette difficulté.



Svchost.exe is the most difficult to configure, even he does connect not (never seen as "parent" process), except in the local network, these are processes "child" that do, Bitdefender not less than 10 to 15 rules in the firewall... Ring0 was right to point out this problem.

[alexandrud]

Quote:

Originally Posted by Spiedbot

Svchost.exe is the most difficult to configure, even he does connect not (never seen as "parent" process), except in the local network, these are processes "child" that do, Bitdefender not less than 10 to 15 rules in the firewall... Ring0 was right to point out this problem.

I agree that svchost.exe is used by some services to connect to the internet. In this case, when Learning Mode is enabled and notification level is set to High, all connections that are blocked and don't have a rule defined are notified to the user. Including for svchost.exe. In this way the user can allow them, if they are needed.

If you enable outbound filtering in Windows Firewall from cmd line, anyway you will not see any notification and svchost.exe will be entirely blocked.

1. Windows Firewall blocks connections. WFC does not block anything.
2. WFC can inform the user about these events by providing notifications.
3. Again, I don't see the problem here with WFC regarding svchost.exe.

[SSri09]

Quote:

Originally Posted by wat0114

No need to block it. Rather, control it:

Code:

Rule Name:                            svchost - service: wuauserv.exe to ports 80 & 443
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Public
Grouping:                             
LocalIP:                              Any
RemoteIP:                             4.27.3.0/24,65.54.51.0/24,65.54.95.0/24,65.55.0.0/16,204.160.125.0/24,206.108.207.0/24,207.46.0.0/16,209.84.24.0/24
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           80,443
Edge traversal:                       No
Action:                               Allow

This an older rule controling it for Windows update servers (more remote ip addresses are required). Note the service "wuauserv.exe" tied to svchost.

Thanks for the remote IP. Do you have an updated remote IP addresses for windows update please? If not, do you encounter any problems (like failed updates) as Microsoft may have a complete set of different remote IPs for windows update?

Do you bind all svchost.exe to remote IPs?

The microsoft advise against defining the IP address for windows update. They state that their IPs constantly change for reasons of security.

http://social.technet.microsoft.com/...9-dcfc5c5bf22d