Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    lol, sorry, should have said updating from Version 3 to Version 4, I am currently struggling with the MBAM update to version 2 from 1.75 and it is on my mind. Thanks for the note, I will edit my prior post.
     
  2. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    @alexandrud

    First, thank you very much for the update to 4.0.9.4!

    Unfortunately a serious bug is now in the IP-Address field!

    Steps to reproduce it:

    1. Create a duplicate of an existing rule and change it to the following values ...

    Protocol = UDP
    Remote IP-Address-Range =
    Code:
    ff02::1,ff02::2,ff02::3,ff02::4,ff02::5,ff02::6,ff02::7,ff02::8,ff02::9,ff02::a,ff02::b,ff02::c,ff02::d,ff02::e,ff02::f,ff02::10,ff02::12,ff02::16,ff02::1a,ff02::6a,ff02::6b,ff02::6c,ff02::6d,ff02::6e,ff02::6f,ff02::fb,ff02::fc-ff02::fd,ff02::100-ff02::14f,ff02::181-ff02::184,ff02::18c,ff02::201-ff02::201,ff02::204-ff02::206,ff02::300,ff02::bac0,ff02::1:1,ff02::1:2,ff02::1:3,ff02::1:4,ff02::1:5,ff02::1:6,ff02::1:1000/118,ff02::2:0-ff02::2:ffff,ff02::1:ff00:0/104,ff02::2:ff00:0/104,ff02::db8:0:0/96
    -> This is the Link-Local Scope Multicast Address-Range for IPv6, I must use this in my firewall!
    -> For more info see the picture ...
    MCtestrule1.jpg

    2. Open the Windows Firewall (Outbound) and make a refresh.

    3. Make also a refresh in the WFC Rule Manager.

    4. Open this rule with WFC.

    5. Copy and paste the IP-Field and compare the string with the string in this posting above.

    Result: The addresses around position 200 are NO LONGER CORRECT!

    Also it's impossible to duplicate or import this rule, because it's invalid or corrupted ...
    MCtestrule2.jpg

    Please make a fix for this, thank you!

    Edit ...
    It could be a problem with CIDR-formatted addresses in long fields ...

    Additional 1:

    The behaviour described in posting ...

    https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-26#post-2353178

    is not yet fixed.

    Additional 2:

    After the update of WFC, the option "Play sound when a new notification is generated" was no longer active ... (we had this behaviour already in at least one of the older versions) ...

    Have a nice week!
    Alpengreis
     
    Last edited: May 25, 2014
  3. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    About the problem with undesired automatically created rules ...

    I find the process with the WFC timer for investigating unwanted rules problematic anyway.

    Because the short period in which the rule exists before WFC deletes it (the check is every 30 seconds, right?) is already enough to send plenty of data. Please correct me if I'm wrong ...

    The "Disable the ability of other programs to add firewall rules" option should prohibit the ACCESS, so that rules can not be created at all!

    Alexandrud says it's not doable with the Registry. But perhaps a kind of "read-only mode" would be possible?

    Greetings,
    Alpengreis
     
  4. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Regarding the already reported thing with ...

    [DNSBL fails for IPv6]
    DNSBL check fails for IPv6 addresses. More and more sites, services and other things (including e.g. Google) use IPv6 and we should really have support for it.

    You said at the time that you needed a suggestion.

    Now I have the following suggestion ...

    http://multirbl.valli.org/

    ... perhaps that would be something?

    Alpengreis
     
  5. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    Nice update,

    But I think the program hangs a little when trying to open its main menu screen or manage rules screen, also when selecting a rule and right-clicking on it ... the problem occurs once every reboot and then everything works well

    I don't know but I feel this was not the situation with the previous version
     
  6. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia

    Maybe this has already been posted, but the creation of the AppGuard FW rules is an AppGuard bug.

    Read here: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-41#post-2355591

     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    When you have such exotic rules to define, try to define them in WFwAS and check them in WFC. Use the following format. Note the /128 which is added after each item. In WFwAS you are allowed to define ff02::1 but the Windows Firewall API returns ff02::1/128 to WFC. From WFC, this format should be used. This is why when you have such complicated rules, use WFwAS and see the result in WFC. The validation for IPv6 is a long story.
    Code:
    ff02::1/128,ff02::2/128,ff02::3/128,ff02::4/128,ff02::5/128,ff02::6/128,ff02::7/128,ff02::8/128,ff02::9/128,ff02::a/128,ff02::b/128,ff02::c/128,ff02::d/128,ff02::e/128,ff02::f/128,ff02::10/128,ff02::12/128,ff02::16/128,ff02::1a/128,ff02::6a/128,ff02::6b/128,ff02::6c/128,ff02::6d/128,ff02::6e/128,ff02::6f/128,ff02::fb/128,ff02::fc/128,ff02::fd/128,ff02::18c/128,ff02::300/128,ff02::bac0/128,ff02::1:1/128,ff02::1:2/128,ff02::1:3/128
    However, in your input you have some ranges defined like this ff02::204-f02::206. Unfortunately, this can't be added with WFwAS either. Do you have a special reason for defining such verbose rules? It seems that a lot of time is spent on this and in my opinion there is no need to define rules like this. This does not improve the security.
    This is already fixed and tested. Anyone else having this problem? When switching between tabs in Main Panel, the scroll bar position should reset to always show the top of the content.
    Was it an update or an uninstall and install? In case of an update, that flag remains unchanged in the Windows Registry, but if you uninstall the program and choose not to keep the current state, then that flag is deleted.
    The timer with 30 seconds is something else. This was used to prevent consecutive notifications from being allowed for the same program. This was removed in version 4.0.9.2.
    The problem here is that Windows Firewall does not have a flag to make it read-only. So, the implementation is: WFC keeps a snapshot of the current rules. Every 3 seconds a new snapshot is made. If a new rule is added (and not through WFC) in the past 3 seconds, it is deleted because WFC can identify which rules are new since the last snapshot. I can't make this timer take a new snapshot each second because it will use a lot of CPU time. The problem with the rules created by Windows services (that have enough privileges) is that they are created before the WFC service is started. This means that they will be included in the first snapshot and they will not be removed. I have changed the service name to _wfcs so that the WFC service will load before any other services. On my test computers (I7 quad core, SSD drives) this works and the WFC service loads first and then the snapshot trick works. It seems that this solution is not working for everyone, this is why this is still under observation. Remember that this can't be done from Windows Firewall, you can't prohibit a process which runs with administrative privileges from adding a new rule. This applies to any software firewall. Once you execute something with administrative privileges, it can stop/modify any software firewall, not only Windows Firewall.

    The "Disable the ability of other programs to add firewall rules" feature works for normal scenarios when new software is installed or executed and tries to add new firewall rules. But, there is also this scenario with Windows services that try to register themselves into Windows Firewall at boot time. Apparently, the implemented solution does not work for all of us.
    This is not a hang. The recently fixed bug was related to a deadlock in code which blocked the user interface for 1 minute. From your description, this is a .NET Framework problem, especially when the .NET cache is not updated. This makes .NET applications work slower.
    Thank you for posting this.
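
The snapshot mechanism described in this post, modelled as an added example (not WFC's code and not part of the original post). Event times and rule names are constructed, and the model assumes snapshots are taken at exact multiples of the interval after service start. It shows how long a rule added outside WFC stays live before the next snapshot, and why a rule created before the service starts ends up in the baseline and is never removed.

```python
import math


def audit_by_snapshot(rule_events, service_start, interval=3.0):
    """Simulate snapshot polling over constructed rule-creation events.

    rule_events: list of (time_created, rule_name, via_wfc) tuples, times in
    seconds since boot. Returns {rule_name: (verdict, exposure_seconds)} for
    every rule that was NOT created through the rule manager itself.
    """
    results = {}
    for created, name, via_wfc in rule_events:
        if via_wfc:
            continue  # rules the user creates through the manager are kept
        if created <= service_start:
            # Present in the very first snapshot, so it looks like any other
            # pre-existing rule and is never flagged as new.
            results[name] = ("kept_in_baseline", None)
            continue
        # Snapshots happen at service_start + k * interval. The rule is seen
        # as new at the first snapshot taken at or after its creation.
        k = math.ceil((created - service_start) / interval)
        detected_at = service_start + k * interval
        results[name] = ("deleted", round(detected_at - created, 3))
    return results


# Constructed timeline: the monitoring service starts 5 s after boot.
SAMPLE_EVENTS = [
    (2.0, "boot-time service rule", False),   # before the first snapshot
    (10.5, "installer inbound rule", False),  # 0.5 s before a snapshot
    (11.1, "user rule added in manager", True),
    (14.1, "client inbound rule", False),     # just after a snapshot
]

if __name__ == "__main__":
    for rule, outcome in audit_by_snapshot(SAMPLE_EVENTS, 5.0).items():
        print(rule, outcome)
```

The exposure of a deleted rule is always less than one interval, and shortening the interval only shrinks that window; it does nothing for rules that are already in the baseline.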
     
  8. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    1. Steam is not a Windows service, even though it runs with elevated privilege.
    Steam creates its rules instantly on its own initialization. Once you click on the shortcut and the login interface shows up, the inbound rules are there.
    Somehow the ruleset with the rules made by Steam is not compared to the situation 3 seconds back when there are no rules, so I would say that the way the rule-creation "muter" works is wrong or bugged. The instance of WFC that exists before Steam launches is not taken into consideration by the option.
    Checking the ruleset every second is totally insane as it would create too much hw usage.
    I am using the firewall installed on a machine with an SSD as well as on a machine with a normal HDD. In fact there are 2 machines, on one being an SSD and a cloned Windows instance on an HDD for testing purposes and as back-up (I don't trust the SS :) ).

    2. Now another issue, I have discovered something similar to what I've seen with Outpost somehow.

    With WFC installed on an HDD I am seeing some LLMNR traffic (machine name is published) being generated at Windows start-up, just before the desktop shows up. There are rules intended to block 5355 for this in the firewall, and they work on the SSD install.
    This stuff usually shows when the DNS client is ON. If I turn DNS Client OFF on the HDD install there is no LLMNR traffic.
    On the other hand, and this is interesting, on the SSD install such LLMNR traffic is not happening even with DNS Client ON.
    Wireshark on my openSUSE router is used to sniff the traffic.

    I also have to say that with the DNS client OFF there are no Windows updates possible; DNS calls fail for Windows updates, time and antivirus.

    This LLMNR output happens even with WFC set to High Filtering on the HDD install (being an HDD the Windows load time is bigger). So blocking all traffic is not working at a specific time when Windows boots (like with Outpost :) ).
    So the SSD installation of WFC works somehow differently from the HDD install. The HDD install is practically a clone of the SSD one, so software-wise they are identical.
    The machine/s are AMD based, I am not paying for Intel corporatist stuff :)

    3. Now I also ask, if some badware gets into the machines, does it have all the abilities to make inbound rules? This is scary somehow. For example the battlelog plug-in I've mentioned in the upper post, which is a web browser plug-in. This happens with or without your front end so it can be blamed on Microsoft, it's not your fault, it's the Microsoft style of doing things.
    With Outpost, Steam could NOT make its own rules, so it can be blocked from making its own.

    4. Someone should report these issues to Microsoft so they do some patch or something, the built-in firewall looks vulnerable to me. Or maybe NSA-like services enforced this, who knows.
     
    Last edited: May 26, 2014
  9. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    I will investigate this. Maybe I can reduce the complicated rules to easy/easier ones.

    However: the first step for me is then: I will always make such (complex) rules in WFwAS, as you said.

    The reason is, to allow only multicast addresses for some programs. (I have sent you a special mail about this).

    Thanks for your help!

    Ahh, I mean another thing, sorry. I mean the view changes within Rule Manager Window. If I change for ex. from Outbound rules to Inbound rules. Then the Scrollbar should be on top after change.

    It was an update with 4.0.9.4 over 4.0.9.2. 4.0.9.2 was a fresh install and I had sound with 4.0.9.2.

    That's all very interesting, thanks for explaining!

    Thank you VERY MUCH, Alexandrud, for your immediate and detailed answer and help!

    Alpengreis
     
  10. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Thanks, this explains 'why' the rules are being created and, along with alexandrud's explanation, 'how' the rules are being created. This statement "Once you execute something with administrative privileges, it can stop/modify any software firewall, not only Windows Firewall" should not surprise me, but it did.
     
  11. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Sorry, but this is not correct: My range is ff02::204-ff02::206 (for ex.) and this is no problem, neither in WFwAS nor in WFC!

    Edit:
    But I have discovered in my string: It has the invalid range ff02::201-ff02::201 - it should be ff02::201-ff02::202 ...
     
    Last edited: May 26, 2014
  12. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    But it's not always /128 ...

    For CIDR /128 this is right, yes. But for ex. with ff02::db8:0:0/96 it is not possible to enter ff02::db8:0:0 only - because it's a range!

    The right thing then should be:

    ff02::db8:0:0-ff02:0000:0000:0000:0000:0db8:ffff:ffff (without CIDR) or really ff02::db8:0:0/96.

    However: it seems to be really necessary to enter such rules in WFwAS only, to ensure that the addresses are always correct!

    Greetings,
    Alpengreis
     
    Last edited: May 26, 2014
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Ok, this was never fixed. I will fix this too.
    I was able to reproduce it. It will be fixed in the next version.
     
  14. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    That's good.

    Also not yet fixed is the thing with the unwanted rule-opening after partial export.

    I have this every time after export of ONE rule. I really confirm the save dialog only ONCE with Enter, nevertheless the rule is then opened.
    When exporting multiple rules at once, it's ok.

    Alpengreis
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Hi again. I need some help with testing the new approach that is used to determine the unauthorized rules. I replaced the old thing with the snapshots every 3 seconds with a new implementation that can detect when a new rule is added. I have compiled a new beta version (stable) which I want to ask you to test (especially the ones with problems with AppGuard and Steam) to see whether this works for you or whether it still needs to be tweaked.

    After installation, if you have the "Disable other...." check box checked, just untick it and then tick it again to apply the new option.

    These are the fixes until now:
    - Fixed: A new approach is used to determine if an unauthorized rule is added. This should fix the problem with AppGuard and Steam.
    - Fixed: The scroll position does not scroll to top when the user filters the rules displayed in Manage Rules data grid from the Display and Filter combo boxes.
    - Fixed: The active state of the notification sound is not preserved in case of an update to a newer version.

    Download location: http://binisoft.org/download/beta/wfc4setup.exe
    SHA1: 6ce720ce0fcd32a40ec3a5e63eea17b56a3ca333

    Looking forward to your feedback.
    Thank you,
    Alexandru
     
    Last edited: May 27, 2014
  16. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I have tested it a little. On 2 machines I have discovered that the option to mute applications in generating rules works for Steam.
    So Steam is finally muted when that option is ticked. Seen this on 2 machines, but ... :)

    Tested on one machine.
    Another bug showed up. When the High Filtering policy is set there are DNS leaks happening.
    So I've set High Filtering and watched Wireshark.
    1. Applied the High Filtering policy (from Medium) and then restarted. At start-up there were DNS connections to Microsoft.
    2. Keeping the High Filtering I have started Firefox, which made DNS calls but was not able to connect to Google.
    3. Closed Firefox and attempted another try and this time no DNS occurred, nothing was sniffed/seen by Wireshark.
    4. Switched back to Medium, it remained stuck in not connecting at all.

    So when rules are applied there is some kind of lag from the time you set them until they work.
    Install Mode was not used, no minutes were ticked for the option.

    So the install mode may be generating a bug.

    Last observation is that the package has a detection by some antivirus on VirusTotal.

    So Steam is blocked from creating rules, but policies are applied when they want.
    Microsoft antivirus is used.
     
  17. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Check whether the policies work normally, select between Medium and High Filtering from right click and see if the option reacts without lag when it's set.
     
  18. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    When the High Filtering policy is set there should be no connectivity at all, as it was with the previous version of the front end.
    The problem is that High Filtering is not working as before even when it's left for minutes and you test browser connectivity.
    That suggestion is nice though for other scenarios.
    So it's more than that.

    LE: Firefox definitely connects some time after the High Filtering is applied via right click, even though everything should be blocked.
     
    Last edited: May 27, 2014
  19. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Testing on W7x64 - initial check after install found the two appguard rules there, but I can't be sure they were not there before, I imaged and rebooted prior to WFC update so... There is some problem with high filtering as Sm3K3R noted. I set it and everything still connects, open rules panel while set to high and no blocking rules, look at profile panel and it is dropped to medium? If I set high while rules panel is open I can see blocking rules being set and all is good for high. Not checking with Wireshark though.
     
  20. 2muchtime

    2muchtime Registered Member

    Joined:
    Apr 8, 2014
    Posts:
    23
    Problem: Set to "High Filtering"; after rebooting it sets itself to "Medium Filtering".
     
  21. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Uninstalled version 4.0.9.5, reinstalled 4.0.9.4. High profile settings are unreliable in latest, even when I could see the 'core networking' blocking rules, I was still wide open to internet. I will say that I did not see any appguard rules created in 4.0.9.5 after several reboots and did find two immediately after reinstalling 4.0.9.4 and rebooting.
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Thank you for your feedback. Indeed, there is a problem in the beta version with the High Filtering profile because those "Core rules" are not created properly to be seen by WFC and they get deleted if "Disable other..." is active. Even if they appear in Rules Panel, if you refresh the view, they are gone. Thank you for reporting this. It is already fixed. I am glad that the other problem is resolved. That was a tough one. I will make a new release very soon that will include these fixes. Thank you again.
     
  23. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Anytime.
    Just take your time and release a good version. :)


    When did I ever say ZA is not broken?! :)
    A ZA discussion should not be made in this thread and i will not do it here.
     
  24. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I've decided to drop the Web filtering of Avast (I'm not happy about it though:D)...But I'm using Adguard and its web filtering....Will it work happily with WFC?
     
  25. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Alexandrud,

    of course, only with ticking the checkbox to override the validation, it is possible to enter (such) complex IPv6 rules, as I have described above.
    Code:
    ff01::1,ff01::2,ff01::c,ff01::fb,ff01::fc-ff01::fd,ff01::100-ff01::13e,ff01::140-ff01::14f,ff01::181-ff01::184,ff01::18c,ff01::201-ff01::202,ff01::204-ff01::206,ff01::300,ff01::bac0,ff01::1:1000-ff01::1:13ff,ff01::2:0-ff01::2:ffff,ff01::db8:0:0-ff01::db8:ffff:ffff
    Nevertheless, it should be clear, that then WFwAS can change such rules to an invalid state for WFC - even if all addresses in the input string are WFwAS-valid!

    Here, the user should be warned about this (at least in the hover text), when he ticks this checkbox!

    Greeting,
    Alpengreis

    PS: Also an important thing is, as I had tested in v4.0.9.2 (? I believe), if I split the string into shorter pieces, the rules were correct and valid (even with some CIDR)!

    PPS: I have made a test with input in WFwAS itself (with CIDR). It was no problem to enter and apply it all. Then at first it was OK in WFC too ((some) single IPs with CIDR /128, but this is OK). BUT THEN (maybe after reboot), the rule was invalid and had corrupted IPs! This is definitely a problem with WFC, or not?
    And once again: in an older test: until char 200 or 201 (can not exactly say), the IPs were correct - after that position no longer!
    Now, I really have a problem: I can enter such rules in WFC, the rule becomes invalid - and I can enter such rules in WFwAS, the rule becomes invalid too (in WFC)! Maybe it would go without CIDR, but then the rules are even longer ...

    Edit:

    This is the newest problem example:

    Original String ...
    Code:
    ff01::1,ff01::2,ff01::c,ff01::fb,ff01::fc-ff01::fd,ff01::100-ff01::13e,ff01::140-ff01::14f,ff01::181-ff01::184,ff01::18c,ff01::201-ff01::202,ff01::204-ff01::206,ff01::300,ff01::bac0,ff01::1:1000-ff01::1:13ff,ff01::2:0-ff01::2:ffff,ff01::db8:0:0-ff01::db8:ffff:ffff
    After refresh with WFwAS ...
    Code:
    ff01::1,ff01::2,ff01::c,ff01::fb,ff01::fc-ff01::fd,ff01::1003e,ff01::1404f,ff01::18184,ff01::18c8c,ff01::20102,ff01::20406,ff01::300,ff01::bac0,ff01::1:1000:13ff,ff01::2:0:ffff,ff01::db8:0:0-ff01::db8:ffff:ffff
    As you can see, until position 60 it's okay, then the following IPs are wrong:

    "3e,ff01::1404f,ff01::18184,ff01::18c8c,ff01::20102,ff01::20406"

    after that it's right again!

    In WFwAS it seems to be correct, but in WFC it's now an invalid rule!

    Edit 2:

    I don't know, if it's related to internally fully uncompressed addresses - these would be:

    Code:
    ff01:0000:0000:0000:0000:0000:0000:0001,ff01:0000:0000:0000:0000:0000:0000:0002,ff01:0000:0000:0000:0000:0000:0000:000c,ff01:0000:0000:0000:0000:0000:0000:00fb,ff01:0000:0000:0000:0000:0000:0000:00fc-ff01:0000:0000:0000:0000:0000:0000:00fd,ff01:0000:0000:0000:0000:0000:0000:0100-ff01:0000:0000:0000:0000:0000:0000:013e,ff01:0000:0000:0000:0000:0000:0000:0140-ff01:0000:0000:0000:0000:0000:0000:014f,ff01:0000:0000:0000:0000:0000:0000:0181-ff01:0000:0000:0000:0000:0000:0000:0184,ff01:0000:0000:0000:0000:0000:0000:018c,ff01:0000:0000:0000:0000:0000:0000:0201-ff01:0000:0000:0000:0000:0000:0000:0202,ff01:0000:0000:0000:0000:0000:0000:0204-ff01:0000:0000:0000:0000:0000:0000:0206,ff01:0000:0000:0000:0000:0000:0000:0300,ff01:0000:0000:0000:0000:0000:0000:bac0,ff01:0000:0000:0000:0000:0000:0000:1000-ff01:0000:0000:0000:0000:0000:0000:03ff,ff01:0000:0000:0000:0000:0000:0002:0000-ff01:0000:0000:0000:0000:0000:0002:ffff,ff01:0000:0000:0000:0000:0db8:0000:0000-ff01:0000:0000:0000:0000:0db8:ffff:ffff
    Edit 3:
    IMPORTANT NOTE: If I split the string into pieces of not over 60 chars, then I can enter all (with CIDR) without an invalid state afterwards! I don't know where the exact border is, but that way it was not a problem. Alexandrud, it seems to be really a problem with the length ...
     
    Last edited: May 28, 2014
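
A way to check a rule's remote-address list for the kind of corruption reported in this post, as an added example (not WFC's code and not part of the original post). It assumes the list is comma-separated single addresses, `start-end` ranges, or CIDR subnets, and compares entries by the address span they cover, so `ff02::1` and the `ff02::1/128` form the API returns count as equal. The two sample strings are the ones quoted in the post; the function names are made up for this example.

```python
import ipaddress


def parse_token(token):
    """Return (first, last) as integers for one address-list entry.

    Accepts a single IPv6 address, a 'start-end' range or a CIDR subnet.
    Raises ValueError for anything that is not valid.
    """
    token = token.strip()
    if "-" in token:
        start, end = token.split("-", 1)
        lo = int(ipaddress.IPv6Address(start))
        hi = int(ipaddress.IPv6Address(end))
        if lo > hi:
            raise ValueError(f"range start is after range end: {token}")
        return lo, hi
    if "/" in token:
        net = ipaddress.IPv6Network(token, strict=True)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv6Address(token))
    return addr, addr


def compare_lists(expected, actual):
    """Compare two address lists entry by entry (1-based positions).

    Returns a list of (position, expected_token, actual_token, status) where
    status is 'invalid' (does not parse), 'changed' (parses but covers other
    addresses), 'missing' or 'extra'. An empty list means equivalent.
    """
    exp = [t.strip() for t in expected.split(",")]
    act = [t.strip() for t in actual.split(",")]
    findings = []
    for i in range(max(len(exp), len(act))):
        e = exp[i] if i < len(exp) else None
        a = act[i] if i < len(act) else None
        if a is None:
            findings.append((i + 1, e, None, "missing"))
        elif e is None:
            findings.append((i + 1, None, a, "extra"))
        else:
            want = parse_token(e)  # the reference list must itself be valid
            try:
                got = parse_token(a)
            except ValueError:
                findings.append((i + 1, e, a, "invalid"))
                continue
            if got != want:
                findings.append((i + 1, e, a, "changed"))
    return findings


# The two strings quoted in the post: as entered, and as read back.
ORIGINAL = ("ff01::1,ff01::2,ff01::c,ff01::fb,ff01::fc-ff01::fd,"
            "ff01::100-ff01::13e,ff01::140-ff01::14f,ff01::181-ff01::184,"
            "ff01::18c,ff01::201-ff01::202,ff01::204-ff01::206,ff01::300,"
            "ff01::bac0,ff01::1:1000-ff01::1:13ff,ff01::2:0-ff01::2:ffff,"
            "ff01::db8:0:0-ff01::db8:ffff:ffff")
AFTER_REFRESH = ("ff01::1,ff01::2,ff01::c,ff01::fb,ff01::fc-ff01::fd,"
                 "ff01::1003e,ff01::1404f,ff01::18184,ff01::18c8c,"
                 "ff01::20102,ff01::20406,ff01::300,ff01::bac0,"
                 "ff01::1:1000:13ff,ff01::2:0:ffff,"
                 "ff01::db8:0:0-ff01::db8:ffff:ffff")

if __name__ == "__main__":
    for finding in compare_lists(ORIGINAL, AFTER_REFRESH):
        print(finding)
```

Entries 14 and 15 are the ones to watch: they still parse as valid single addresses, so a syntax-only validation would accept them even though they no longer cover the intended ranges.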