Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    I already disabled it, but as I understand that feature, it integrates with the antivirus and in no way will it be replaced by WFC or any firewall.
     
  2. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Speak for yourself. Its purpose is for installing/updating software, however, the implementation is not intuitive. If it's called a mode, it should have an option for toggling that specific mode. In order to avoid context-menu clutter, simply renaming and redescribing it would make the current implementation more intuitive for new users.

    Then what is your simpler method of implementing this "High Filter (External Only)" profile? Ignore it 'cause you have no use for it?
     
  3. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Presuming your system can handle it, MalwareBytes Anti-Malware's web filtering is your alternative to KAV's port monitoring; for preventing drive-by malware attacks.
     
  4. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    Yes, I think MBAM has something to do with that. BTW, I have a license for MBAM and I will try it; hope there is no conflict between MBAM and SBIE.
     
  5. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    Yes, I am pretty sure it is me posting and not an imposter. ;)

    I think we agree. The install "mode" feature is baked, but the UI / presentation of it is not yet. :cool:

    I haven't grokked this new profile "High Filter (External Only)". Can you explain it as a scenario or a requirement rather than an implementation?
     
  6. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Exactly! Glad we sorted that out :thumb:

    There are some of us (not me) who want certain computers to remain disconnected from the Internet, however, still be able to talk to other computers on the local network.

    For example, if I have a backup server, I don't need nor want it accessing the internet just for backup/restore purposes, those can all be done through the local network. So, with this profile enabled, all connections to external IPs (i.e. ones not linked to the local network) will be blocked, leaving just the local IPs (i.e. the LocalSubnet) accessible. Thus, I can perform those backup/restore functions without worrying about my server being hacked, and as a bonus no need for any AV software to be consuming resources (not that I notice Windows Defender consuming any), presuming it'll get caught by your other computer's AV before it propagates to the backup server.
     
    Last edited: May 12, 2014
  7. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    Got it! :thumb: Isn't this handled with the Domain, Public and Private locations rules?
     
  8. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Not that I'm aware of at the moment. From my current understanding, those are referring to the type of network you're connected to:

    Domain - Applies the selected rules only when connected to a domain
    Public - Applies the selected rules only when connected to a public network
    Private - Applies the selected rules only when connected to a private network
    In either of the above scenarios, there could still be a connection to the internet. For example, my home network is of course a private network, however, my computers can still access the internet.

    With this "High Filtering (External Only)" profile though, regardless of which type of network you're connected to, the computer on which it's enabled won't be able to access the internet.
     
  9. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    Yep. I anticipated that response. i.e. In your scenario, one would allow communication on the private IP address range (assuming your LAN is set up as 192.168.*.*), and deny access to all other IP addresses outside of that range. Correct?
     
  10. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Precisely :thumb:
     
  11. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    Hi,

    I face a problem with WFC connections log: sometimes it just can't be loaded (after pressing refresh list), and I remember that it occurred in the past and I just exited, opened WFC and I think it was solved.

    I tried that way today when the connections log looked empty after refreshing it, but I didn't see the tray icon and I didn't see the application main window. I tried to kill wfc.exe in the task manager and reopened WFC without success, so I just restarted my PC, and after clearing logs the connections log works again.

    Maybe if we can define a custom log interval to view (e.g. minimize it to 1 hour ago) or filter the connections log by application, it will solve the problem partially?

    Anyone here face this problem?
     
    Last edited: May 13, 2014
  12. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    65
    I like the idea of install mode, but I agree with Sm3K3R that it'd be nice if it was more easily accessible. Just some possible suggestions for thought:

    -"Install-mode" entry available on primary right-click menu of taskbar icon (i.e. not nested)
    -Rather than IM being an automatic resetting of the current profile, perhaps IM could be a separate "profile" where all current firewall rules are kept in place, but for the next X minutes, any new programs are granted their outbound connections (temporarily). This would keep the rest of the system's rules in operation.
    -Install-mode activate-able via keyboard shortcut (not a huge need, as it probably won't be used too often -- taskbar icon would be more useful)


    And I know I'm beating a dead horse with this issue, but regarding the suppression of consecutive program notifications, what about:

    -Allowing consecutive notifications based per different remote ports? For example, a notification pops for test.exe outbounding over port 80; when it tries outbounding over 443, a new notification shows.
    -Allowing option of allowing consecutive non-suppressed notifications, for users who want to see all remote ports a program attempts without having to check connection log
    -Showing the # of connection attempts/ports on a program's notification window (so if program conns over port 80, then tries 5 more remote ports, the notification shows these additional remote ports in the same window)
    -A link on notification popups to jump straight into WFC's connection log window
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I found another trick to prevent Steam and AppGuard from creating new rules at boot. The next version will fix this. It works right now on my computer, but I have to do some more tests.
    I will modify the Install Mode to be more intuitive.
    Regarding the profiles update, your proposal implies a lot of failure scenarios. One of them that comes to my mind: Let's say WFC makes a backup of your policy, then restores the default policy and adds the rules that allow network only access ("High Filtering (External Only)"). When you switch again the profile, the backup is restored and everything should be fine. What if you forgot about this profile and you created some new rules? When WFC restores the backup (profile changed) the newly added rules will be lost.

    For the computers that you have in your network that you want to connect only to the local network, there is this option:
    A) Restore the default set of rules on these computers
    B) Switch to Medium Filtering profile
    C) Enable File and Printer Sharing to make sure that you can access your network and these computers can be reached from the network
    D) Don't switch to High Filtering profile on these machines while you are connected with remote desktop connection
    If the Connections Log is empty, try to clear it. Sometimes, there are corrupted entries in the Security Log which make it impossible for WFC to load them. Clearing the log will also clear the corrupted entries and the Connections Log will work again. A custom interval is not possible. At least one day can be used as the minimum time. When the entries are loaded you can press on the header of any column to sort that column and this will help to easily identify the connections of interest.
    I will see what can be done from these suggestions.
     
  14. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    Hi alexandrud,

    I know, but as it occurs frequently, many logs will be missed if I should clear it every time it occurs.
     
    Last edited: May 15, 2014
  15. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I have a general question about what I am seeing in the manage rules window. What exactly is the connection between the enabled and action entries for each rule? Specifically, if a rule is blocked (action) but not enabled, what does this mean? I am asking this because in looking at my rules in the latest version a rule that is blocked but not enabled shows as a white entry, where in earlier versions it seems to me that these showed as a red entry. If I look at my rules and see a red line I feel secure that that rule is blocked, but I am not sure what the white line entry signifies. Any help on this would be appreciated.
     
  16. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Active (=enabled) rules are either highlighted green (allow-rules) or red (block-rules). Disabled rules (either "allow" or "block") have a light grey background.
    Rules that are not enabled do not have any effect on filtering. Consider them as a note or reminder.
    So if a program that has a disabled rule tries to connect to the internet WFC will prompt you again.
     
  17. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Hi all,

    I have the following suggestions for a better understanding of the profiles:

    1. Change the menu entry "Profiles" to ...

    "Profiles Outgoing" or "Profiles Out-Traffic" or "Profiles traffic Out" or something like that.

    2. Changing the Profile Name ...

    Variant 1)
    Max: Block All
    Med: Block All except Allow rules (recomm. for normal use)
    Low: Allow All except Block rules (recomm. for Installations)
    Off: Allow All (no filtering)

    Variant 2)
    High: Block All
    Normal: Block All except Allow rules
    Install: Allow All except Block rules
    Disabled: Allow All (no filtering)

    Or something like that.

    It would be important simply that we have a brief description. So it would be easier for (new) users without enough experience.

    Greetings,
    Alpengreis
     
  18. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I will be waiting for the Steam fix, Alexandru.

    I don't understand, though, why Windows Firewall, even when your front end is not used, does not ask for inbound connectivity, even if it's specified to ask for it.
    CS GO, on the other hand, seems to have stopped creating tens of inbound rules with the latest versions of your software. 4.0.8.6 and 4.0.9 were for me the best releases until now.

    Sneaky and risky app, this Steam. :)
     
  19. 2muchtime

    2muchtime Registered Member

    Joined:
    Apr 8, 2014
    Posts:
    23

    Yes, never had these problems until recently, that is, programs creating rules at start-up.
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I don't have any control over this. Once you have created your rules, the log doesn't have such a big importance. If you don't want to clear the log, you can also use Event Viewer to check the Security log of your system, but the presentation of the data is not very intuitive there.
    There are brief descriptions for each profile in Main Panel. Using large strings in the context menu of the system tray icon will create large ugly menus.
    Windows Firewall displays its own notifications for inbound access only for digitally signed programs. These notifications work independently from WFC notifications.
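
The Security log mentioned in the post above can be queried directly for the narrower view asked for earlier in the thread (a shorter time window, a single application). The PowerShell below is an added example, not part of the original posts and not WFC code. It assumes that the Windows Filtering Platform connection events 5157 (blocked) and 5156 (permitted) are being audited; the function name and the program name are hypothetical.

```powershell
# Added example, not WFC code. Run from an elevated PowerShell prompt.
# Assumes "Filtering Platform Connection" auditing is on, so the Security log
# holds event 5157 (connection blocked) and 5156 (connection permitted).
function Get-WfpConnectionEvent {
    param(
        [int]    $Hours       = 1,        # look-back window
        [string] $Application = '*',      # wildcard matched against the program path
        [int[]]  $EventId     = @(5157),  # add 5156 to include permitted connections
        [switch] $OutboundOnly
    )
    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no rows".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the fields by name from the event XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Action      = if ($_.Id -eq 5157) { 'Block' } else { 'Allow' }
                # The log stores direction as a message id: %%14593 is outbound.
                Direction   = if ($data['Direction'] -eq '%%14593') { 'Out' } else { 'In' }
                Application = $data['Application']   # \device\harddiskvolumeN\... form
                Source      = '{0}:{1}' -f $data['SourceAddress'], $data['SourcePort']
                Destination = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
            }
        } |
        Where-Object {
            $_.Application -like $Application -and
            (-not $OutboundOnly -or $_.Direction -eq 'Out')
        }
}

# Blocked outbound connections of one program in the last hour.
# 'example.exe' is a placeholder program name.
Get-WfpConnectionEvent -Hours 1 -Application '*\example.exe' -OutboundOnly |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the query reads events one at a time and filters by time on the log side, it does not require clearing the Security log first.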
     
  21. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    Hi alexandrud,

    The main problem now is in the outbound connections log; I have no problem with the inbound connections log.
     
    Last edited: May 15, 2014
  22. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Excellent info, thanks Broadway.
     
  23. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Okay, that's true, and should be enough.
     
  24. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    New user here, and I like it so far. :thumb:

    Regarding the protection WFC offers to prevent other programs adding/changing firewall rules, I would like to suggest it might be faster/lighter to

    (a) When the user clicks the "Disable the ability of other programs ..." checkbox, change the firewall to read-only using the keys at:

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy]
    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

    (b) Of course malware with admin rights could change these keys, so you check every 3 minutes these are still read only.
    (c) If they are read only do nothing. Restart countdown timer for next 3 minutes.
    (d) If the above registry keys have been changed, make them read only again and check the hash of the rules in Windows Firewall against WFC copy.
    (e) If the hashes are different delete the keys/repair the rules (as now).
    (f) When the user unchecks the "Disable the ability of other programs ..." restore the registry keys to allow changes to the firewall rules.

    This way the hashes only need to be made occasionally. Only the registry keys need to be read. You can probably do the checks much more often (reduced from 3 minutes).
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    This will not work. The Permissions will have to be defined for multiple users and WFC does not know all the users that may have access to these keys. Windows Firewall API should be used. This problem is already solved. Check the post below.
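
The hash comparison proposed in post 24, done through the firewall cmdlets rather than registry permissions, can be used as a stand-alone check for rules added or changed by other programs. This is an added example, not WFC's implementation and not code from the thread; the baseline path and function names are hypothetical, and it only reports differences without repairing anything.

```powershell
# Added example, not WFC code. Needs the NetSecurity module (Windows 8 /
# Server 2012 or later) and an elevated prompt. The baseline path is a placeholder.
$BaselinePath = Join-Path $env:ProgramData 'fw-rules-baseline.txt'

function Get-FirewallRuleLine {
    # One compact JSON line per locally stored rule, in a stable order.
    # Three filter lookups per rule make this slow on large rule sets.
    Get-NetFirewallRule -PolicyStore PersistentStore | Sort-Object Name | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Enabled       = "$($_.Enabled)"
            Direction     = "$($_.Direction)"
            Action        = "$($_.Action)"
            Profile       = "$($_.Profile)"
            Program       = "$($app.Program)"
            Protocol      = "$($port.Protocol)"
            RemotePort    = "$($port.RemotePort)"
            RemoteAddress = "$($addr.RemoteAddress)"
        } | ConvertTo-Json -Compress
    }
}

function Get-LineHash([string[]] $Lines) {
    # SHA-256 over the joined lines, returned as lowercase hex.
    $bytes = [Text.Encoding]::UTF8.GetBytes($Lines -join "`n")
    $sha   = [Security.Cryptography.SHA256]::Create()
    -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
}

$current = @(Get-FirewallRuleLine)
if (-not (Test-Path $BaselinePath)) {
    # First run: record the rule set that is considered known-good.
    Set-Content -Path $BaselinePath -Value $current -Encoding UTF8
    "Baseline written, SHA-256 $(Get-LineHash $current)"
} else {
    $baseline = @(Get-Content -Path $BaselinePath -Encoding UTF8)
    if ((Get-LineHash $baseline) -eq (Get-LineHash $current)) {
        'Rules match the baseline.'
    } else {
        # '-' = in the baseline only (removed or changed), '+' = present now only.
        $baseline | Where-Object { $_ -notin $current }  | ForEach-Object { "- $_" }
        $current  | Where-Object { $_ -notin $baseline } | ForEach-Object { "+ $_" }
    }
}
```

A changed rule shows up as one `-` line and one `+` line with the same `Name`; delete the baseline file to accept the current rule set as the new reference.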
     