Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Unity

    Unity Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    112
    Location:
    Toulouse ~ France
    Thank you for this very nice guide.
    I've been using the Windows 7 firewall for the past 3 months.

    What I miss, though, is being able to see which program requests an outbound connection.

    The pfirewall log only shows the blocked packets, but not the program which actually asked for the outbound connection.
     
  2. Unity

    Unity Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    112
    Location:
    Toulouse ~ France
    Anyone know how to use avast 5 with the Windows firewall?
    I've been able to create rules for the shields, but the updater doesn't work.

    I've tried to add all the exe files (to find the culprit) in the directory, but it still doesn't work...
     
  3. johncage

    johncage Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    70
    [attached image: avast.png]
    You should add one outbound rule for "%ProgramFiles%\Alwil Software\Avast5\Setup\avast.setup".
    Do not browse to the path, because it doesn't work; just type the path %ProgramFiles%\Alwil Software\Avast5\Setup\avast.setup, and allow it outbound to remote port 80. Then the Avast5 update should work.


    Regards
     
    Last edited: Feb 10, 2010
  4. Unity

    Unity Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    112
    Location:
    Toulouse ~ France
    Awesome ! thanks a lot johncage :)

    I should have looked better in the process tab of my task manager, I guess :D

    Thx again :)
     
  5. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    thanks a lot for this tut ... great help :)
     
  6. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    Cheers Stem.
    If the overall interface functionality of Windows Firewall was not so shabby, I'd def use it (if only for service-specific firewalling...)

    However, you can't add addresses by hostname; there's no way of reviewing the blocked packets in conjunction with the processes they came from (I achieve that using SysInternals procmon to view associations between packets and executables, and the firewall log to try to link those to ones that are getting blocked).
    The windows firewall is almost great. If there was a hook so you could display prompts when a packet was blocked then someone could advance the functionality in windows firewall without having to rewrite it all (as Sphinx has essentially had to do; putting a whole new interface on WPF).

    Still, not bad first steps eh?
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi QKhI2,

    I have no doubt that, with the resources Microsoft have available, they could very easily change the interface, add popups for application outbound, etc. Probably many more would then use the firewall; however, then you would get all the 3rd party firewall vendors complaining of unfair competition.


    - Stem
     
  8. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    Stem:
    I've no doubt you're right. It is just a shame that the log files output by Windows Firewall do not include the process/service that triggered what was blocked (or allowed). That, or that the Windows Firewall API does not include any way to call external functionality when a block event occurs - at least, I haven't been able to find one.
    It means that adding features to the currently existing firewall is somewhat difficult (because such external code could, for example, perform reverse name resolution, etc., to enable name-based rules; or could produce a pop-up, etc.).
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When Wilders Forum had more general public audience, all 3rd party vendors would complain about Stem, making it so easy to use MS FW :D
     
  10. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    You can do that: enable IPsec and Windows Firewall Audit Events

    http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx

    After you do that, go Start ==> Run, type in eventvwr, the Event Viewer applet will load.

    Open Windows Logs ==> Security, double click on Keywords ==> Audit Success or Audit Failure, and you'll see a popup, something like this.

    Audit Success

    Audit Failure
    You can create a custom fine-tuned event log view (by source), and an alert popup for a permitted or blocked connection, if you wish or need it, something like this!

    http://i25.tinypic.com/214n0k.png http://i28.tinypic.com/2vsj0c6.jpg ;)


    Have a nice day....
     
    Last edited: Jul 25, 2010
  11. wat0114

    wat0114 Guest

    Last edited by a moderator: Jul 25, 2010
  12. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    sparviero - cheers =)
    I don't know how I missed that.
     
  13. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    On another note, since the details of blocked/allowed packets can be written to the event log, it would be possible to write an 'event log handler' to prompt users about blocked packets and update rule-sets...
    see http://www.codeguru.com/vb/vbnet30/article.php/c13315 for some details about event log handlers.
     
  14. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Yes you can, and how. But for the average user it can be complicated to write/compile long code for the details.

    Instead, you can create a simple, just-informative basic blocked/allowed event popup.

    Open Event Viewer, click on Keywords: Audit Success/Failure, then under (Event.., Microsoft Windows security auditing.) click on Attach Task To This Event...
    Follow Basic Task Wizard.

    To delete this event task , open Task Scheduler ==> Task Scheduler Library ==> Event Viewer Task, find and delete it.

    Have a nice day....
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sparviero,

    Thanks for the insight. Could you help a little more by explaining what task categories to filter? My goal is to set a Failure-only pop-up notification when an application is denied outbound access by the Firewall.
     
  16. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    Sparviero may have a better way of doing this (as clearly he knows this stuff better than me, given his previous response ;)
    But...
    I used the following XML filter to see only outbound connection attempts:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5157)] and EventData[Data[@Name='Direction']='%%14593']]</Select>
      </Query>
    </QueryList>

    Then you can save this as a custom view, and attach a task to the custom view.

    I also only have it set up to include blocked stuff in the event log. i.e.
    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:enable
     
    Last edited: Jul 26, 2010
  17. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Open Event Viewer, open Windows Logs ==> Security, click on Create Custom View.., set like this.

    [attached image: 1.gif]

    Event ID: message

    5152 The Windows Filtering Platform blocked a packet.

    5157 The Windows Filtering Platform has blocked a connection.

    Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked.

    To create alert popup open Attach Task To This Custom View.., and follow Basic Task Wizard.

    To check the details to identify the blocked connection, go Event Viewer ==> Custom Views ==> <your new custom rule>

    PS:
    If you need more custom views, to better customize system log events, configure auditing based on categories of security events such as changes to user account and resource permissions, failed attempts for user logon, failed attempts to access resources, attempts to modify system files, and network activities.

    Download list of Security Audit Events for Windows 7 and Windows Server 2008 R2

    http://www.microsoft.com/downloads/...FamilyID=3a15b562-4650-4298-9745-d9b261f35814

    I wish you a beautiful day...
     
    Last edited: Jul 27, 2010
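    As an added example (not code from sparviero's or QKhI2's posts), here is a PowerShell script that reads the 5157 events through the same XML filter QKhI2 posted and prints the process path behind each blocked outbound connection, which is the information Unity asked about at the start of the thread. It assumes an elevated prompt, that failure auditing for "Filtering Platform Connection" has been enabled with the auditpol command shown above, and the function name, the column names and the protocol-number table are my own.

```powershell
# Added example, not code from the thread. Lists outbound connections that the
# Windows Filtering Platform blocked (event 5157) together with the process that
# attempted them. Run from an elevated PowerShell prompt: the Security log is
# readable only by administrators.
#
# Prerequisite (run once, elevated) so that 5157 is actually written, as shown
# earlier in the thread:
#   auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

# The XPath is the one posted above: event 5157 whose Direction field is
# %%14593 (outbound). %%14592 is the inbound value.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5157)] and EventData[Data[@Name='Direction']='%%14593']]</Select>
  </Query>
</QueryList>
"@

# IP protocol numbers as they appear in the event (assumed table of the common ones).
$ProtocolNames = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }

function Get-BlockedOutbound {
    param([int]$MaxEvents = 50)

    $events = Get-WinEvent -FilterXml $FilterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        # The event payload is a list of named <Data> elements; read it as XML
        # and turn it into a name -> value table.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $proto = $data['Protocol']
        if ($proto -and $ProtocolNames.ContainsKey($proto)) { $proto = $ProtocolNames[$proto] }

        # Application is recorded as a kernel device path
        # (\device\harddiskvolumeN\...), not as a drive-letter path.
        New-Object PSObject -Property @{
            Time        = $evt.TimeCreated
            ProcessId   = $data['ProcessID']
            Application = $data['Application']
            Protocol    = $proto
            Destination = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
        }
    }
}

# Usage: the newest blocked outbound attempts, grouped by process.
Get-BlockedOutbound -MaxEvents 100 |
    Sort-Object Application, Time |
    Format-Table Time, ProcessId, Application, Protocol, Destination -AutoSize
```

    If the output is empty, the usual causes are that the auditpol subcategory is not enabled, the prompt is not elevated, or no outbound connection has been blocked yet since auditing was switched on. Event 5152 (packet dropped) carries the same Application and Direction fields, so the same function works for it by changing the EventID in the filter.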
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    thanks a lot, really helpful
     
  19. paolo

    paolo Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    6
    Hello, I'm a new member, congratulations for the guide.
    I use 64-bit Windows 7 Professional, and I have a problem creating a rule to update the definitions of the standalone tool Emsisoft Emergency Kit.
    Although the permissions are set for the two processes:
    start.exe
    a2emergencykit.exe
    the software cannot download updates.
    The update is only possible by turning off the firewall.
    Does anyone know what the correct rule to set is?
    Sorry for my English, I'm Italian. :oops:
     
    Last edited: Aug 14, 2010
  20. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    I have one question: do these settings filter outgoing data? e.g. a malware calling home?
    It seems the svchost setting in the tutorial blocks Teredo from working...
     
    Last edited: Aug 14, 2010
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello paolo, Welcome to Wilders

    I have just checked and can update.

    If you start:- a2emergencykit.exe then update, does that not work?

    I have only one rule, to allow "a2emergencykit.exe" outbound. It makes updates via remote port 80


    - Stem
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    With outbound set to block, only those programs with specific allow rules will be allowed, so direct outbound will be blocked for all else. The firewall itself will not stop indirect outbound (such as the leaktests); you would need to rely on UAC or another form of HIPS.


    In which tutorial? If you refer to the guide at the beginning of this thread, then that was only intended as a basic guide, not for a full setup of all rules needed.


    - Stem
     
  23. Unity

    Unity Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    112
    Location:
    Toulouse ~ France
    Something weird has been happening for a few days (a Microsoft update?)
    Even if IExplore (or any web browser) is blocked in my config (like it used to be), it still has access to the internet.

    The blocking works as usual for the other applications , but it looks like i cannot block any browser at all ?!

    I've even reinstalled my system.
    Import my rules , the blocking is working again.
    I fully update and *bam* , IE is not blocked anymore...

    For info, I'm running Windows 7 Home Premium 32-bit.
     
  24. paolo

    paolo Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    6
    Thank you Stem, but here it doesn't work; I do not know what it is. Now I use the installer version, and with it, it works.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In Window 7 64 bit, does Microsoft Windows Management Instrumentation really require a HTTP and DNS connection rule?

    Thanks.
     