Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. pandorax
    Offline

    pandorax Registered Member

    I am seeing this log regularly from Windows Firewall Notifier console. Should i set outgoing rule for svchost; UDP; 1900? I have seen a post about UDP 1900 in this thread. It was about UPnP. It is not active in my router.

    And please, tell me what rules do you use for utorrent. Can you give me a screenshot your torrent rules?

    My last question; Is there a way to disable firewall logging for particular application in Event Viewer? Let's say i don't want to see any log about svchost in Event Viewer. Or i don't want to see any log about svchost; UDP; 1900 for example.

    Attached Files:

    Last edited: Sep 26, 2011
  2. Romagnolo1973
    Offline

    Romagnolo1973 Registered Member

    Regola Torrent - TCP out Tutti Sì Consenti C:\Program Files (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi TCP 1024-65535 (local port) 1024-65535 (remote port) Qualsiasi
    Regola Torrent - UDP Server Tutti Sì Consenti %ProgramFiles% (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi UDP 1024-65535(local) 80, 443(remote) Qualsiasi
    Regola Torrent - UDP Out Tutti Sì Consenti C:\Program Files (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi UDP 58812 1024-65535 Qualsiasi
    Regola Utorrent - TCP Server Tutti Sì Consenti %ProgramFiles% (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi TCP 1024-65535 80, 443 Qualsiasi

    sorry is in italian but Tutti is all profile; Sì is yes in active; consenti is allow; qualsiasi is any in local ip, remote ip etc..
    you stil receive other several request depending on download files, servers and so on, you must allow just one this new requests or u are unable to dowloas fast. The rules I create are more or less the same I use in Comodo CIS and are the basic for dowload server, update
    Rlules I create are only for outgoing connection due the fact that incoming is allowed in seven FW rules when you install torrent (exception on winFW)
  3. pandorax
    Offline

    pandorax Registered Member

    Thank you @Romagnolo1973.
    Last edited: Sep 26, 2011
  4. Escalader
    Offline

    Escalader Registered Member


    Thanks Wat! I've downloaded yout ICMP rules.... why recreate the wheel!:cool:
  5. Athletic
    Offline

    Athletic Registered Member

    Lot of people said that the W7 firewall outbound rules are difficult to set. O.K. it could be more simplified like in other firewalls...but, you must only once setup rules for browser, torrent client, chat client,(3-5 programs) and you are without problem ? I think thats true.

    Problem can be for only users who set and want all programs to autoupdate.

    There are no popups on outbound blocked programs in W7 firewall but does it have some sort of log or window where can i see what was blocked ?
  6. EboO
    Offline

    EboO Registered Member

    Which rule do you create for bits service ? I can't upload files on emsisoft forum with chrome (tcp 80 and 443 allow)
    Thanks.
  7. EboO
    Offline

    EboO Registered Member

    After some researchs it seems i need a rule for rundll32.exe
    Is it normal ? Can i create it without security risk ?
  8. m00nbl00d
    Offline

    m00nbl00d Registered Member

    Excepting Windows itself, do you have any software that makes use of BITS? For example, Adobe Reader (at least version 10) makes use of it. So, for instance, if you'd want to update Adobe Reader using its own updating mechanism, then you should create a rule that would allow the Reader's process handling updates to use BITS.

    Other than that, if you got no application that updates itself using it, I don't think you would have to create a rule for it?

    -edit-

    I see that you mentioned you can't upload files to Emsisoft forum? Why would it need BITS? o_O :doubt:
  9. EboO
    Offline

    EboO Registered Member

    I made a mistake : i need to allow rundll32.exe for uploading files on emsisoft forum. Does bits is necessary for flash updates ?
    Thanks.
  10. kilves76
    Offline

    kilves76 Registered Member

    Is there a way to filter out broadcast packets in Event wiever custom view? It's hard to find important packet drops when most of it is broadcast traffic, source:224.0.0.252,255.255.255.255,ff02::1:3.

    For example the xml says
    <Data Name="SourceAddress">224.0.0.252</Data>
    but i don't know how to incorporate that to the filter as a NOT rule.
  11. Greg S
    Offline

    Greg S Registered Member

    Is this what you are looking for?
    http://www.wilderssecurity.com/showpost.php?p=1785367&postcount=321
  12. kilves76
    Offline

    kilves76 Registered Member

    I managed to realize the proper syntax for the custom view xml filter

    Tweaking that it's possible to have a view that only includes whatever one considers important, cleaned of noise. Now if only i knew how to output the event data into the attached task popup box... Sparviero, could i persuade you to share your code how you do it?

    Edit: seems there's a builtin limitation for 8 evaluations, so it's eventid=5157 + 7 addresses to suppress. Doesn't give room for extensive filtering but at least good for filtering out 224.0.0.22, 224.0.0.252, 255.255.255.255 + 4 more. Good if you're running ipv4 only but add ipv6 and there's too much junk to be filtered.
    Last edited: Feb 13, 2012
  13. sparviero
    Offline

    sparviero Registered Member

    Certainly possible, but do not know if you need for simple desktop. If you have a bit of experience with C# code and reading through MSDN Library like; http://msdn.microsoft.com/en-us/library/ff824007(v=vs.85).aspx, you can apply what you think most need.

    This one: http://wokhan.online.fr/progs.php?sec=WFN , I think it's the best Windows 7 Firewall Notifier available, just use it.

    have fun ...
    Last edited: Feb 17, 2012
  14. kilves76
    Offline

    kilves76 Registered Member

    Is it possible to find out which firewall rule actually made the block, from the filter information?

    Filter Information:
    Filter Run-Time ID: 68839
    Layer Name: Connect
    Layer Run-Time ID: 48

    Tried googling this but without any success.
  15. EboO
    Offline

    EboO Registered Member

    Is it necessary to create a rule for localhost ? Which application use it ?

    Thanks.
  16. sparviero
    Offline

    sparviero Registered Member

    - not bad to create a rule for localhost.

    - example: protocol; any / port: all/all / IP: 127.0.0.1 > 127.0.0.1

    Have a nice day...
  17. EboO
    Offline

    EboO Registered Member

  18. EboO
    Offline

    EboO Registered Member

    I've got another problem with windows firewall : can someone post his rules for norton antivirus please ?

    Updates blocks since norton update, if i allow outbound it works well. I don't understand why.

    Thanks.
  19. jitte
    Offline

    jitte Registered Member

    Windows Firewall with Advanced Security

    Nevermind.
    Last edited: May 9, 2012
  20. adrenaline7
    Offline

    adrenaline7 Registered Member

    Thanks for this great thread I used this to help me configure my Windows 7 firewall. I really only had to set a rule for Firefox and the rest has been easy. I liked windows firewall control but found this just as easy and the fewer apps I have on my system the better for me. I still have a few of the default things on windows allowed that I plan on researching and I've closed several windows services so I also like to investigate closing ports in windows 7.
  21. alexandrud
    Offline

    alexandrud Developer

    You don't have to disable Windows services. Neither to close ports. Many of these are myths from Windows XP era. Closing the Windows services will not give you any benefit. They may be dependencies between them, and instead of giving you a faster start-up time you will end with a longer start-up time because some of them did not started when they should. By default all ports are closed for inbound connections.
  22. adrenaline7
    Offline

    adrenaline7 Registered Member

    point taken about ports and I probably am outdated, I've just always thought the slimmer your list of exceptions is and less ports open inherently the more secure. I don't go crazy disabling services but for instance, homegroup is enabled by default and uses 2 services which I disable as I see no reason good reason to keep it enabled since its something I would never use, or something like remote registry another thing I'd never need and you would think things like remote access would be a detriment to security.
  23. alexandrud
    Offline

    alexandrud Developer

    As I know, HomeGroup is set to manual, until you really create one. Remote Registry is used by Remote Desktop Connection. In my opinion, if your system's security is compromised and an attacker has acces to your computer by using any kind of malware, it doesn't matter anymore if you have Remote Registry set to disabled or manual. Anyway, malware does not rely on Remote Registry. You better don't spend to much time on tweaking Windows services, because it won't give you any real benefit.
  24. Escalader
    Offline

    Escalader Registered Member


    There are difference twxt xp and W7 services. The best reliable source IMHO for what services can be disabled, set to manual etc are found at

    http://www.blackviper.com/category/faq/services-faq/

    Certain windows services I disable. One is windows update since I don't need M$ to hear from my computer daily asking got any updates. I turn the service on the day after patch tuesday, the other one is windows time, same rationale I know what time it is and so does my PC and my isp.

    Of course check the dependancies if there aren't any set to manual and windows will turn it on when/if needed.

    If you don't know what you are doing do nothing in this area.:thumb:
  25. adrenaline7
    Offline

    adrenaline7 Registered Member

    The 2 homegroup services were running despite being set to manual and without having ever configured homegroup. It was just an example anyways, same for remote registry, I could find other examples but its clear that we will just agree to disagree about disabling services, its a legit practice if you know what your doing IMO.
Thread Status:
Not open for further replies.