Wilders Security Forums  

  #551  
Old November 13th, 2011, 12:01 AM
Greg S Greg S is offline
Very Frequent Poster
 
Join Date: Mar 2009
Location: A l a b a m a
Posts: 1,039
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
The rules for the same program have to use different names because the modifying of a rule is made by its name.
I like it this way. After adding back the WFC description, I now have all the rules that I want showing up in Manage Rules dialog. I noticed the above in the process which was great because I did have some different rules with the same file path but were named differently. File Name TCP & File Name UDP

Has the option to sort rules alphabetically been brought up yet?
  #552  
Old November 13th, 2011, 12:36 AM
Macolm Macolm is offline
Infrequent Poster
 
Join Date: Apr 2005
Posts: 22
Default Re: another Windows Firewall Control?

After installing newest version following your instructions, I got a grayed out "Display" combo box in "Manage Rules" window. Is there any simpler way to read/display WFwAS's rules except exporting/importing "from WFwAS"?

Last edited by Macolm : November 13th, 2011 at 12:57 AM.
  #553  
Old November 13th, 2011, 04:53 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by Greg S
Has the option to sort rules alphabetically been brought up yet?
I will add support for sorting them by clicking on the column. It is a little bit difficult to do it because there is no such option for ListView in C#.
Quote:
Originally Posted by Macolm
After installing newest version following your instructions, I got a grayed out "Display" combo box in "Manage Rules" window. Is there any simpler way to read/display WFwAS's rules except exporting/importing "from WFwAS"?
Those combo boxes are available only to registered users, but I was thinking again, and in the final version, these will be available for all users.
__________________
You can visit us at http://binisoft.org
  #554  
Old November 13th, 2011, 05:09 AM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
...
I think "Workstation" has nothing to do with "Network Location Awareness". They are not dependent. You have to create more rules to allow than to block to fully setup svchost.exe. And you must be very careful with svchost.exe because many things are related to it.

svchost->dnscache is activated by default in Windows Firewall. Its name is "Core Networking DNS (UDP-Out)" and it allows port 53 UDP for dnscache.
Yes you are right, they are not dependent. What I wanted to say is:
When WFC pops up, one of the given information is a Process ID.
With this ID you can identify svchost and the underlying services with Sysinternals' "Process Explorer". I defined "Allow svchost->"whatever service" according to this. Afterwards I set svchost to "hidden notifications". Although everything related to this Process ID was allowed now, there were still connections blocked (same Process ID), as I could read from the event manager. How is this possible?
In the end I gave up and allowed svchost "all" except the rules predefined by WFC.
  #555  
Old November 13th, 2011, 05:17 AM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
No, it can't. The rules for the same program have to use different names because the modifying of a rule is made by its name. Otherwise, when you modify a rule, these modifications are made for all rules with the same name. If you have 3 rules named "Internet Explorer" and you choose to edit one of them, when you press Apply, the modifications will be made for all of them. That is why they must have different names. Those random strings are for this purpose. I know they are not looking fine, I don't like them either, but they are necessary.
But you can change the name of the rule via WFAS. In this case you have to make sure that the rule still has (any but) a different name, isn't it?
In another context you explained that if there is as well an "allow" as a "block" rule for the same program the block rule will be stronger.
How is this related to the "name convention"?
  #556  
Old November 13th, 2011, 05:38 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by Broadway
Although everything related to this Process ID was allowed now, there were still connections blocked (same Process ID), as I could read from the event manager. How is this possible?
Go to Task Manager and go under Services. You can see that for ID 1252 or 1480, which are all from svchost.exe, there are multiple instances with the same process ID. It seems that for svchost.exe, the process IDs are not unique. So even if you let dnscache for the ID1480, also LanmanWorkstation has the ID1480, but you did not allow LanmanWorkstation. It is still blocked.

Quote:
Originally Posted by Broadway
But you can change the name of the rule via WFAS. In this case you have to make sure that the rule still has (any but) a different name, isn't it?
In another context you explained that if there is as well an "allow" as a "block" rule for the same program the block rule will be stronger.
How is this related to the "name convention"?
Multiple rules are applied to the same application path. You can have a rule to allow System32\svchost.exe and multiple rules to block different connections of System32\svchost.exe. They do not interfere.
If you have multiple rules with the same name in WFC, when you modify one of them, the command that is executed to apply the changes contains the name of the rule, and the changes are applied to all the rules that have the same name. You can change the names via WFwAS but if you modify a rule in WFC and two rules are named the same, both of them will be modified.
__________________
You can visit us at http://binisoft.org
  #557  
Old November 13th, 2011, 05:57 AM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
Go to Task Manager and go under Services. You can see that for ID 1252 or 1480, which are all from svchost.exe, there are multiple instances with the same process ID. It seems that for svchost.exe, the process IDs are not unique. So even if you let dnscache for the ID1480, also LanmanWorkstation has the ID1480, but you did not allow LanmanWorkstation. It is still blocked.
But I allowed all services related to that ID (CryptSvc, DNSCache, Lanmanworkstation and NLASvc=all instances with the same ID) and still there were blocks listed in the eventmanager with the same ID.

Quote:
Originally Posted by alexandrud
Multiple rules are applied to the same application path. You can have a rule to allow System32\svchost.exe and multiple rules to block different connections of System32\svchost.exe. They do not interfere.
If you have multiple rules with the same name in WFC, when you modify one of them, the command that is executed to apply the changes contains the name of the rule, and the changes are applied to all the rules that have the same name. You can change the names via WFwAS but if you modify a rule in WFC and two rules are named the same, both of them will be modified.
Understood! Thank you :-)
  #558  
Old November 13th, 2011, 10:12 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by Broadway
But I allowed all services related to that ID (CryptSvc, DNSCache, Lanmanworkstation and NLASvc=all instances with the same ID) and still there were blocks listed in the eventmanager with the same ID.
Maybe they have some dependencies and need other components to be allowed along them.
__________________
You can visit us at http://binisoft.org
  #559  
Old November 13th, 2011, 11:33 AM
CGA CGA is offline
Infrequent Poster
 
Join Date: May 2007
Posts: 18
Default Re: another Windows Firewall Control?

I definitely cannot get the preview to work, old version installs just fine, preview crashes as soon as it is installed. Even the uninstaller crashes (same error, "This program has stopped working"). Followed every tip in this thread, even changed my AV software, to no avail. Oh well, guess I'll wait for the stable version and hope for the best.
  #560  
Old November 13th, 2011, 01:49 PM
ibydos ibydos is offline
Infrequent Poster
 
Join Date: Nov 2011
Posts: 5
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by Broadway

I know what the button "[x] Don't alert me again about this program" does.
But my problem is that I add something like Allow 1.1.1.1:111 TCP and it asks me over and over again about Allow 1.1.1.1:111 TCP again. Even if the program is closed for minutes. I still get popups. I had this behavior with mirc and svchost. I think you need to filter out popups for rules that already exist. If I check "[x] Don't alert me again about this program" sure I do not get popups anymore but I want popups, but not popups for something I already blocked or allowed. Got it?

Quote:
Originally Posted by alexandrud
For 2) about the unhandled exception, please give more specifications. I want to recreate the same usage scenario to track the problem. Is your Windows in German? Do you use a standard user account?

I will add these two as optional rules at the installation in the final version, besides Windows Update.
My Windows is English. Just my keyboard is German.
I am using W7_64_ultimate with SP1 and I am in the Administrator Group. UAC is disabled.
  #561  
Old November 13th, 2011, 02:56 PM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by ibydos
I know what the button "[x] Don't alert me again about this program" does.
But my problem is that I add something like Allow 1.1.1.1:111 TCP and it asks me over and over again about Allow 1.1.1.1:111 TCP again. Even if the program is closed for minutes. I still get popups. I had this behavior with mirc and svchost. I think you need to filter out popups for rules that already exist. If I check "[x] Don't alert me again about this program" sure I do not get popups anymore but I want popups, but not popups for something I already blocked or allowed. Got it?
Yes I got it. This is exactly the same that happened to me when trying to define positive rules for svchost and its dependencies. Alex made that clear to me in the resulting posts above.
  #562  
Old November 13th, 2011, 03:00 PM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
For 2) about the unhandled exception, please give more specifications. I want to recreate the same usage scenario to track the problem. Is your Windows in German? ...
Just an information for Alex: My Windows 7 x64 is German, 3.100 works flawlessly on my system.
  #563  
Old November 14th, 2011, 03:00 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Version 3.1.0.0 Preview 2

I have fixed some incompatibilities and added a few new checks at the program execution.

Download Link:
http:/binisoft.org/download/preview2/wfc.exe

If you already installed the first preview version, just overwrite your wfc.exe with this one.

Thank you for your support.
__________________
You can visit us at http://binisoft.org
  #564  
Old November 14th, 2011, 03:59 AM
CGA CGA is offline
Infrequent Poster
 
Join Date: May 2007
Posts: 18
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
Version 3.1.0.0 Preview 2

I have fixed some incompatibilities and added a few new checks at the program execution.

Download Link:
http:/binisoft.org/download/preview2/wfc.exe

If you already installed the first preview version, just overwrite your wfc.exe with this one.

Thank you for your support.

Now I'm getting this, Firewall service is started (and set to automatic) according to services.msc.

http://i.imgur.com/GfDcb.png
  #565  
Old November 14th, 2011, 11:54 AM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
Version 3.1.0.0 Preview 2

I have fixed some incompatibilities and added a few new checks at the program execution.

Download Link:
http:/binisoft.org/download/preview2/wfc.exe

If you already installed the first preview version, just overwrite your wfc.exe with this one.

Thank you for your support.
"The URL specified was not found"
?
EDIT:
I see there is
http://www.wilderssecurity.com/binis...eview2/wfc.exe
behind the above link.

Last edited by Broadway : November 14th, 2011 at 12:05 PM.
  #566  
Old November 14th, 2011, 12:18 PM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
Version 3.1.0.0 Preview 2
...
I have fixed some incompatibilities and added a few new checks at the program execution.
...
As I just overwrote the old wfc.exe with the new one, I could not see the "few new checks" you added. What did you add?

Everything working fine so far...
  #567  
Old November 14th, 2011, 01:57 PM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by Broadway
As I just overwrote the old wfc.exe with the new one, I could not see the "few new checks" you added. What did you add?
Everything working fine so far...
"A few new checks" is referring to the code. There is nothing that you could see. The last preview version helped me to find out what problem CGA had. I hope this week I will finish the website and publish the new version.
__________________
You can visit us at http://binisoft.org
  #568  
Old November 14th, 2011, 02:04 PM
CGA CGA is offline
Infrequent Poster
 
Join Date: May 2007
Posts: 18
Default Re: another Windows Firewall Control?

If only all developers were as responsive as you alexandrud, nice work solving this.
  #569  
Old November 14th, 2011, 02:07 PM
Greg S Greg S is offline
Very Frequent Poster
 
Join Date: Mar 2009
Location: A l a b a m a
Posts: 1,039
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by CGA
If only all developers were as responsive as you alexandrud, nice work solving this.
I agree!
  #570  
Old November 14th, 2011, 10:16 PM
Greg S Greg S is offline
Very Frequent Poster
 
Join Date: Mar 2009
Location: A l a b a m a
Posts: 1,039
Default Re: another Windows Firewall Control?

My only complaint now is that the alert system does not know when a rule has been created for allow or deny. Example: wmplayer.exe wants outbound, create a rule to block specific address and apply. WFC continues to alert for that specific address. Same goes for if you create an allow rule. The buggy part is that the file in question (wmplayer) could have been closed ten minutes or more prior and the WFC alert continues on disregarding whatever rule was made for it. For testing purposes, and using the wmplayer process which I just previously made a block rule for, I blocked it again and get another rule. The rule has wmplayer path but next to it, it will have something like this (qixnvcezoa). <--- that is not an exact match to what is between the ( ) but you get the idea. Ok, that rule has been created but here comes another popup alert, I create another rule for it and the gibberish between the ( ) changes and so on.

As you can see in the picture below, I've already made a rule for blocking in WMP. I open up WMP and get an alert and make another block rule just above the rule that has been made for some time now. Notice the gibberish that goes along with the path. And as you can see from the alert, two rules have already been made but here is another alert for the same thing. That remote address in the alert is now in both created rules and being alerted to again.

[Attached image: Untitled.jpg (ID 230280)]

Last edited by Greg S : November 14th, 2011 at 10:42 PM.
  #571  
Old November 15th, 2011, 05:26 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by Greg S
My only complaint now is that...
Attachment 230280
I will try to find a workaround.
__________________
You can visit us at http://binisoft.org
  #572  
Old November 15th, 2011, 09:09 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by ibydos
But my problem is that I add something like Allow 1.1.1.1:111 TCP and it asks me over and over again about Allow 1.1.1.1:111 TCP again. Even if the program is closed for minutes. I still get popups. I had this behavior with mirc and svchost. I think you need to filter out popups for rules that already exist. If I check "[x] Don't alert me again about this program" sure I do not get popups anymore but I want popups, but not popups for something I already blocked or allowed. Got it?
Quote:
Originally Posted by Greg S
The buggy part is that the file in question (wmplayer) could have been closed ten minutes or more prior and the WFC alert continues on disregarding whatever rule was made for it.
Indeed, if the last entry from the security log is from ten minutes ago it could be possible to show you again a notification for this connection. I already fixed this, and now, if the last entry is older than 3 seconds it will be skipped.

Now, about the other thing. If you have a rule to allow a program and the connection details match that rule's criteria, there will be no event ID 5157 logged into the security log. This means everything is ok, no connection was blocked, no notification to show.

If you do have a rule to block a program, even if it matches a rule's criteria (there is a rule to block it), even if it has no rule defined, Windows Firewall will write into the security log about the fact that a connection was blocked, a new event 5157. WFC reads this and shows a new notification. The check box "Don't alert me again about this program" is for this purpose.

To summarize, there are no problems with rules that allow something, there is a problem with rules that block something. To avoid this, choose not to be alerted again. I'm sorry but this is the only solution right now.
__________________
You can visit us at http://binisoft.org

Last edited by alexandrud : November 15th, 2011 at 09:17 AM.
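
An added sketch (not WFC's code, which is not shown in this thread) of the notification decision discussed in post #572: entries older than 3 seconds are skipped, and, as ibydos suggested, a blocked connection that already matches a block rule raises no new popup. The event fields, the rule model, the rule name and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_AGE = timedelta(seconds=3)  # cut-off described in the post above


@dataclass(frozen=True)
class BlockedEvent:
    """Constructed stand-in for one event ID 5157 (connection blocked)."""
    logged_at: datetime
    app_path: str
    remote_addr: str
    remote_port: int
    protocol: str


@dataclass(frozen=True)
class Rule:
    """Simplified outbound rule (hypothetical model); None means 'any'."""
    name: str
    action: str  # "allow" or "block"
    app_path: str
    remote_addr: Optional[str] = None
    remote_port: Optional[int] = None
    protocol: Optional[str] = None

    def matches(self, ev: BlockedEvent) -> bool:
        # Paths compare case-insensitively, as Windows paths do.
        return (self.app_path.lower() == ev.app_path.lower()
                and self.remote_addr in (None, ev.remote_addr)
                and self.remote_port in (None, ev.remote_port)
                and self.protocol in (None, ev.protocol))


def decide(ev: BlockedEvent, rules: List[Rule], now: datetime) -> str:
    """Return 'notify', 'skip-stale' or 'skip-already-blocked'."""
    if now - ev.logged_at > MAX_AGE:
        return "skip-stale"
    # A block rule still produces a 5157 entry, so check the rules explicitly.
    if any(r.action == "block" and r.matches(ev) for r in rules):
        return "skip-already-blocked"
    return "notify"


# Constructed sample data (documentation-range addresses, made-up rule name).
NOW = datetime(2011, 11, 15, 9, 0, 0)
WMP = r"C:\Program Files\Windows Media Player\wmplayer.exe"
RULES = [Rule("wmplayer.exe (example)", "block", WMP, "192.0.2.10", 80, "TCP")]
EVENTS = [
    BlockedEvent(NOW - timedelta(minutes=10), WMP, "192.0.2.10", 80, "TCP"),
    BlockedEvent(NOW - timedelta(seconds=1), WMP, "192.0.2.10", 80, "TCP"),
    BlockedEvent(NOW - timedelta(seconds=1), WMP, "198.51.100.7", 443, "TCP"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.remote_addr, ev.remote_port, decide(ev, RULES, NOW))
```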
  #573  
Old November 15th, 2011, 10:12 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 603
Default Re: another Windows Firewall Control?

Version 3.1.0.0. available

I have resolved some of the problems, the ones which have a solution. I have uploaded the new website and the final version 3.1.0.0 is available for download. Other problems that could appear will be fixed in a future version.

http://binisoft.org

Please share here your opinions about the new version and about the new interface of the website.

Thank you for your support,
Alexandru

P.S. The version for 125DPI is not ready yet. Maybe tomorrow I will finish it.
__________________
You can visit us at http://binisoft.org
  #574  
Old November 15th, 2011, 11:05 AM
Broadway Broadway is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 165
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
Version 3.1.0.0. available

I have resolved some of the problems, the ones which have a solution. I have uploaded the new website and the final version 3.1.0.0 is available for download. ...
Congratulations, your website looks great!
Any advice for the update from Preview 2 to Final?
Or is it just overwriting wfc.exe again?
  #575  
Old November 15th, 2011, 11:24 AM
majoMo's Avatar
majoMo majoMo is offline
Frequent Poster
 
Join Date: Aug 2007
Posts: 785
Default Re: another Windows Firewall Control?

Quote:
Originally Posted by alexandrud
( ... ) Please share here your opinions ( ... ) about the new interface of the website.
In my Maxthon...
Attached Images
 
 



All times are GMT -4. The time now is 07:32 AM.

