Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. hjlbx

    hjlbx Guest

    Hello Alexandru,

    I am not sure if the issue reported below is by design or is a bug:

    NOTE: Using Settings Sync Host as example here; issue occurs with other applications.

    Settings Sync Host attempts connection and WFC notifies.

    Create custom rule from within notification that includes local port.

    All future connection attempts by Settings Sync Host using a different local port/remote address are blocked and WFC does not generate any outbound connection notification.

    BUGS:

    Also, when you double-click on the vertical scroll bar in the Rules pane, it opens the firewall rules customization window.

    When typing into the search field there is a long hang/delay.
     
    Last edited by a moderator: Mar 3, 2015
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Only the path, remote ports, remote addresses and protocol are used to determine if a new notification is displayed or not. Local ports are not used for comparison. Try to remove the local port from your rule and a new notification will appear. Is there any reason why you define local ports for your rules ?

    I couldn't reproduce the double click behavior on the scroll bar. I tried on several machines with different Windows versions and double click does nothing on the scrollbar.

    Depending on the CPU, the search works faster or slower. I will check if I can improve this.
     
  3. hjlbx

    hjlbx Guest

    "Is there any reason why you define local ports for your rules ?"

    No reason. I know it is not necessary...simply in process of learning to use software.

    With WFC installed certain outbound connections for System and svchost.exe are showing up in recently blocked connections log. If WFC is not installed these connections are made.

    I do not have advanced knowledge of IP addresses, but they seem odd to me (ff02.., 224.0.0.X - LocalSubnet??) ...and they always show up in System Monitor as "Listening" when my system is in use. If I recall correctly one IP address was for "mult-tasking/video" according to WHOIS. In another case, the source and destination ports were the same (loop-back). Others are to Akamai (security/privacy risk?).

    No alerts are generated for NT Kernel System, Host Process for Windows Services (svchost.exe); I only became aware of them by viewing the recently blocked connections log.

    In any case, I am not too sure whether or not it is necessary to allow the above connections. However, I created rules just in case which are shown below. No big deal as they can easily be deleted if not required.

    Name | Group | Program | Profile | Enabled | Action | Direction | Local port | Remote address | Remote port | Protocol
    Host Process for Windows Services (svchost.exe) | Windows Firewall Control | C:\windows\system32\svchost.exe | All | Yes | Allow | Out | | 239.255.255.250 | 1900 | UDP
    Host Process for Windows Services (svchost.exe) | Windows Firewall Control | C:\windows\system32\svchost.exe | All | Yes | Allow | Out | | ff02::1:3 | 5355 | UDP
    Host Process for Windows Services (svchost.exe) | Windows Firewall Control | C:\windows\system32\svchost.exe | All | Yes | Allow | Out | | 224.0.0.252 | 5355 | UDP

    NT Kernel & System (System) | Windows Firewall Control | System | All | Yes | Allow | Out | | ff02::16 | | ICMPv6   (IPv6 not supported?)
    NT Kernel & System (System) | Windows Firewall Control | System | All | Yes | Allow | Out | | ff02::16 | | ICMPv6
    NT Kernel & System (System) | Windows Firewall Control | System | All | Yes | Allow | Out | | ff02::16 | | ICMPv6
    NT Kernel & System (System) | Windows Firewall Control | System | All | Yes | Allow | Out | 137 | 192.168.1.255 | 137 | UDP


    "I couldn't reproduce the double click behavior on the scroll bar."

    It seems I cannot duplicate this issue on my machine. If it happens again I will make small AVI video that can be viewed using common video player.

    By the way, thank you for a really nice product.

    SUGGESTION: It would be ideal to be able to save rules and logs in text format...but I know integrating this functionality is not as simple as it seems.
     
    Last edited by a moderator: Mar 3, 2015
  4. hjlbx

    hjlbx Guest

    Hello Alexandru,

    On my system if I allow a connection for a specific IP address, all future connection attempts to different IP addresses are simply blocked by Windows Firewall without WFC notification.

    The only difference is the IP address; file path, remote port and protocol are identical (local address and port set to "Any").

    Should there not be a notification for same path, remote port, and protocol to new IP address connects?

    More importantly, it is curious that Windows Firewall is automatically blocking identical path, protocol, remote port but new connection attempt to different IP address with WFC installed.


    Also, when an application attempts to connect to multiple IP addresses at the same time only one alert is being generated. I select create custom rule, the 1st IP address is allowed, but all additional IP addresses are blocked without notification.

    My system is W8.1 AMD and I do not use proxy or web filtering software. Using WFC Medium settings - obviously. Not using Secure Boot setting. Using "All" locations - Domain, Public, Private for rules.
     
    Last edited by a moderator: Mar 3, 2015
  5. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    994
    I can't update or clean install WFC 4.4.0.1.

    I get the following error message:

    "This file is not intended to be executed directly. It must be launched by the original installer."

    Please advise. I have tried updating, uninstalling and installing all with the same message.

    EDIT: I just tried a new install running as administrator and it installed. I have never had to do this in the past.
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    @hjlbx

    "No alerts are generated for NT Kernel System, Host Process for Windows Services (svchost.exe)" - I think the alerts are generated when you switch to HIGH notifications.

    "I do not have advanced knowledge of IP addresses, but they seem odd to me (ff02.., 224.0.0.X - LocalSubnet??)" - the ff02 is IPv6 related, and the 224.x.x.x is multicast IGMP.

    "Others are to Akamai (security/privacy risk?)." - Content Delivery Networks are the spawn of true internet evil. However, they cannot be avoided. Akamai seems to be the only one that people bitch and moan about, I reckon they all can choke on a grenade. Seriously, put convenience higher than security? In this day and age? Ahhhh I don't think so!

    I've disabled them all, but it isn't recommended...

    "Also, when an application attempts to connect to multiple IP addresses at the same time only one alert is being generated. I select create custom rule, the 1st IP address is allowed, but all additional IP addresses are blocked without notification." - This is by design. Instead of receiving 20 popups for 20 IP connections for the ONE application... it dishes out 1 popup for 1 application but the IPs in the list change. Remember, there is a 30 second timer before default choice is executed (block). No use trying to filter through 20 popups, you won't get to the end before 30 seconds is reached. To cover your ass, just go through the Connections Log and copy the IPs one by one over to Manage Rules.
     
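    The rules hjlbx posted earlier and marzametal's explanation above concern the same handful of multicast and broadcast destinations. The following Python is an added example, not code from this thread or from WFC: it classifies such destinations with the standard library so that a reader looking at a blocked-connections log can tell link-local discovery traffic from a real Internet connection. The log lines are constructed in the shape "program remote_address remote_port protocol"; the subnet 192.168.1.0/24 is assumed from the 192.168.1.255 entry in the rules, and 203.0.113.10 is a documentation address standing in for an Internet host.

```python
"""Triage of the "odd" remote addresses in a blocked-connections log.

Added example; not code from the forum thread or from WFC. It classifies each
destination with the standard library `ipaddress` module.
"""
import ipaddress

# Port/protocol pairs of the LAN discovery services seen in the thread
# (constructed lookup; extend as needed).
DISCOVERY_SERVICES = {
    (1900, "UDP"): "SSDP (UPnP device discovery)",
    (5355, "UDP"): "LLMNR (link-local name resolution)",
    (137, "UDP"): "NetBIOS name service",
}

# IPv6 multicast scope is the low nibble of the second address byte (RFC 4291).
IPV6_MCAST_SCOPES = {1: "interface-local", 2: "link-local", 5: "site-local",
                     8: "organization-local", 14: "global"}

# Unicast ranges that stay on the LAN: RFC 1918, IPv6 ULA and link-local.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "fc00::/7", "fe80::/10")]


def multicast_scope(ip):
    """Describe how far a packet sent to the multicast address `ip` can travel."""
    if ip.version == 6:
        return IPV6_MCAST_SCOPES.get(ip.packed[1] & 0x0F, "unknown scope")
    if ip in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local"          # local network control block, never routed
    if ip in ipaddress.ip_network("239.0.0.0/8"):
        return "organization-local"  # administratively scoped block
    return "global"


def classify_destination(remote_addr, remote_port, protocol, local_subnet):
    """Return (scope, service) for one blocked outbound destination.

    `local_subnet` is the machine's own IPv4 subnet; it is needed to recognise
    a directed broadcast such as 192.168.1.255.
    """
    ip = ipaddress.ip_address(remote_addr)
    subnet = ipaddress.ip_network(local_subnet, strict=False)
    if ip.is_loopback:
        scope = "loopback"
    elif ip.is_multicast:
        scope = "multicast, " + multicast_scope(ip)
    elif ip.version == 4 and ip == subnet.broadcast_address:
        scope = "subnet broadcast"
    elif any(ip in net for net in LAN_RANGES):
        scope = "LAN unicast"
    else:
        scope = "Internet unicast"
    if protocol == "ICMPv6" and remote_addr == "ff02::16":
        # ff02::16 is the all-MLDv2-capable-routers group; hosts report
        # their multicast memberships there.
        service = "MLDv2 listener report (IPv6 multicast group management)"
    else:
        service = DISCOVERY_SERVICES.get((remote_port, protocol),
                                         "not a known discovery service")
    return scope, service


# Constructed log lines: "program remote_address remote_port protocol".
SAMPLE_LOG = [
    "svchost.exe 239.255.255.250 1900 UDP",
    "svchost.exe ff02::1:3 5355 UDP",
    "svchost.exe 224.0.0.252 5355 UDP",
    "System ff02::16 - ICMPv6",
    "System 192.168.1.255 137 UDP",
    "example.exe 203.0.113.10 443 TCP",   # documentation address, stands in for an Internet host
]


def triage_log(lines, local_subnet="192.168.1.0/24"):
    """Parse the constructed log lines and classify every destination."""
    rows = []
    for line in lines:
        program, addr, port, proto = line.split()
        port = None if port == "-" else int(port)
        scope, service = classify_destination(addr, port, proto, local_subnet)
        rows.append({"program": program, "remote": addr,
                     "scope": scope, "service": service})
    return rows


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print("{program:12} {remote:18} {scope:30} {service}".format(**row))
```

    Everything the classifier labels link-local, organization-local or subnet broadcast stays on the local network by construction, so a "blocked" entry for SSDP, LLMNR, NetBIOS or MLD is not a sign of data leaving the machine; blocking them on a public profile only costs local device and name discovery. Only the rows that come out as "Internet unicast" deserve the WHOIS lookup hjlbx describes.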
  7. hjlbx

    hjlbx Guest

    Thank you marzametal.

    I do not use High filtering; I use all Medium settings.

    However, once a rule is created no further notifications are generated on my system for the identical path, protocol and remote port and all subsequent connection attempts to different remote address are blocked.

    Consequently, I am having to create vast majority of rules manually...which I did not expect.

    I have changed the default timer to 300 seconds ... which gives me more than enough time to respond to alerts.

    Furthermore, when an app attempts to connect to multiple IP addresses concurrently there is only one notification. Once I respond to that notification the window closes and there is no additional window to create rules for the additional IP addresses. The additional IP address connections are simply blocked.

    See my previous post.

    Is there no support/notifications for same path, protocol and remote port - but different specific IP addresses?
     
  8. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Damn, looks like you gotta' take this up with the Dev, mate.

    Have you tried to work with the Merge feature yet? Also, I just noticed if you click on more than one entry in the Connections Log, right click and select Customize and Create... it will append IPs together into one rule box. BUT, the remote ports have to match. Maybe this could be something that the Dev expands on, making ports combine too.
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Thanks for the reply. 2013 is way back in time but I think the last statement is very important to be highlighted to users of WFC; especially for those who may have installed the older version and still have the self-signed cert installed without realizing it. Maybe put a note on your site??
     
  10. hjlbx

    hjlbx Guest

     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Usually, when WFC is not installed, outbound filtering in Windows Firewall is disabled. When you install WFC and switch to Medium Filtering profile in WFC, you enable the outbound filtering. The notifications for System and svchost.exe are displayed only if you use High notifications level in the Notifications tab.
    In Manage Rules window, select one or more rules and press on your keyboard CTRL + C. This will copy to clipboard all the details of the selected rules.
    In Connections Log window, select one or more entries and use the right click context menu. There is a menu item named Copy... which does the same thing.
    This is how it works. Let's assume that you don't have any rule for iexplore.exe. On the first blocked attempt you receive a notification. You create a new rule for a specific IP address. Then you try to use the same program but it will try to use a different remote IP address. WFC should display a new notification. The same applies if you create the first time a rule for remote port 80 and then the program wants to use port 443. A new notification is displayed.

    If you create a generic rule to allow all connections for a program, can it connect ?
    Do you have UAC disabled ? I couldn't reproduce this. If it happens again, please try to give some more details.
    The timer gets disabled when the mouse pointer is moved over the notification dialog.

    There is support for the same path and it should work.
    - Do you have this problem with all programs or with just a few ?
    - Do you use any encryption software for the drives or the folders for which you have this problem ?
    - Do you use PeerBlock, MBAM, etc ?
    - If you check the Connection Log, do you see all the blocked attempts for a program ?

    I will update the next version installer to check and automatically remove this obsolete self signed certificate.
     
  12. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Is there anything I need to do when I update to ensure that I get all the recommended firewall rules?

    I was thinking for the next update I would export the rules I have setup myself, delete all the others, let the installer create new recommended ones, then import all my own rules again? Or is this a waste of time?
     
  13. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Toss a coin, could be a waste of time, could be worth executing...
    When an update is released, I just make a backup of current ruleset as a precaution, then install the new version over the top of current version (unless Dev explicitly mentions to do an uninstall).

    Why not backup your current rule set, then navigate to the Rules tab and click on "Restore WFC recommended rules", then search for duplicates and remove... that way you have your set plus your set with recommended rules. Some of these custom rules are worth keeping, each to their own I suppose.
     
  14. hjlbx

    hjlbx Guest

    Once an allow rule is created that specifies a remote address, WFC generates no notification for subsequent outbound connection attempts to a different IP address - the connections are simply blocked and logged. Consequently, I have to create rules containing remote addresses manually from the recently blocked log list. Alternatively, see next item.

    Apps are able to connect if I create a generic Allow rule. Yes.

    If I specify a remote address in the original rule, then WFC generates no notifications for any subsequent connections; all connects are blocked and logged.
    No encryption software.
    Do not use PeerBlock, MBAM, no web/content filtering other than IE Smart Screen, no proxy, no VPN, etc ...only Windows Defender at this very moment.
    All blocked connections are logged.

    Notifications are not working properly on my system. For example, I attempted to scan using HitmanPro. The HitmanPro scanner downloads without an install and normally makes connections to about 10 or so IP addresses.

    WFC notified that HitmanPro was attempting an outbound connection - but it only alerted to one remote address and displayed <1\1>. I used the create custom option to include IP addresses. Once I created the rule all other concurrent connection attempts were blocked and logged...and there were no additional notifications.

    The above issue occurs for all applications.

    Like I previously stated, the only way I can allow outbound connections:

    1. From within the notification allow only the protocol and remote port without a remote address
    2. Manually create rules that include a remote address from within the Recently Blocked Connections Log
     
    Last edited by a moderator: Mar 5, 2015
  15. hjlbx

    hjlbx Guest

    BUG:

    When Connection Log and New Rules Wizard contain a large number of entries, if you quickly click on the vertical scroll bar then the Customize and Create window opens.

    OneDrive download link to short video of bug in Flash Player format: https://skydrive.live.com/redir?resid=2C645D108A1E40C7!3365

    OneDrive download link of same in AVI (Intel Indeo/IYUC) format: https://skydrive.live.com/redir?resid=2C645D108A1E40C7!3366

    NOTE:

    On my system the AVI format video is viewable using Windows Media Player. Alternatively VLC or Classic Media Player can be used. If you cannot play the video within your browser it is generally viewable after downloading. It depends upon which browser video plugin is enabled, if any.
     
    Last edited by a moderator: Mar 5, 2015
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Install the update, then delete manually the WFC recommended rules and then recreate only the recommended rules from the right click context menu. But the recommended rules don't change very often. You should do this only if the changes log contains something related to the recommended rules, otherwise there is no need to do this.
    I was able to reproduce this. If you select an item from the data grid and you double click on the scroll bar (which is also part of the data grid) it executes the double click event on the selected item, which opens the Properties dialog. I will fix this in the next version. Thank you for your help with this.

    Regarding the missing subsequent notifications I am investigating this. I was able to reproduce it when also the remote port is specified. I'm working on it.
     
    Last edited: Mar 5, 2015
  17. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Just an FYI, I found several binisoft certificates in my certificate storage.
     
  18. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Me too, I've got 10 Binisoft certificates in certmgr.msc !
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I will remove them all in the next installer/updater. Different WFC versions were using different certificates. This explains the presence of several items.
     
  20. hjlbx

    hjlbx Guest

    Thank You.
     
  21. hjlbx

    hjlbx Guest

    This question pertains to the suggested WFC rule for Windows Explorer while using a Public network.

    WFC recommends blocking all connections for Windows Explorer when on a Public network. WHOIS indicates all the remote addresses belong to Akamai or Microsoft.

    Would allowing these connections pose a security or privacy risk - or both?

    I assume the concern is not so much the remote address, but rather that it is unencrypted traffic over a Public network.
     
  22. hjlbx

    hjlbx Guest

    Hello Alexandru,

    Beta 4.4.0.2

    With some apps, like OneDrive (SkyDrive), they shoot through local ports in rapid succession to make an outbound connection...so quickly that it seems that WFC cannot detect them fast enough. WFC does eventually notify, but it misses the first two or three local ports due to the detection/notification delay. This is really not an issue.

    I do not see any real value in specifying local ports from either a security or privacy perspective. Besides, specifying local ports requires knowledge that is way above and beyond that of the typical WFC user. For the most part, setting local ports in a rule is more apt to cause problems.

    While it is nice to have the capability to specify a local port, I think it is best to keep it limited to the built-in recommended WFC rules.

    I am not suggesting that the ability to set a local port in a rule be removed...I am just making an observation.

    Just food for thought...
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Actually, WFC doesn't miss the first items. If an existing notification for a software is already displayed, and a new connection gets blocked for the same path, the details of the notification which is already displayed is automatically updated with the latest values. If the software switches quickly between several ports to find an available port, then, the displayed notification is also quickly updated.
     
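    The developer's replies in posts 2, 11 and 23 together describe one decision: which fields of an existing rule are compared against a blocked connection before a new notification is shown, and what happens when a dialog for the same program is already open. The following Python is an added example, not WFC's code, that models that decision. It assumes rules carry path, protocol, remote addresses, remote ports and local ports, that an empty set means "any", and that notifications are kept per program path; whether local ports take part in the comparison is a parameter, because that is the behaviour post 2 describes and the 4.4.1.0 changelog later lists as fixed. Program paths and the 203.0.113.x addresses are placeholders.

```python
"""Model of "should a new notification be displayed?" for a blocked connection.

Added example; not code from the forum thread or from WFC. Rules and
connections are simplified to the fields the thread talks about.
"""
from dataclasses import dataclass

ANY = frozenset()  # an empty set in a rule field means "any value"


@dataclass(frozen=True)
class Rule:
    path: str
    protocol: str
    remote_addresses: frozenset = ANY
    remote_ports: frozenset = ANY
    local_ports: frozenset = ANY


@dataclass(frozen=True)
class Connection:
    path: str
    protocol: str
    remote_address: str
    remote_port: int
    local_port: int


def rule_covers(rule, conn, compare_local_ports):
    """Does `rule` already decide `conn`, so that no new notification is needed?

    Path, protocol, remote addresses and remote ports are always compared, as
    post 2 describes. Local ports are compared only when asked; a rule that
    pins a local port while the comparison ignores it is exactly the case
    reported in post 1.
    """
    if rule.path.lower() != conn.path.lower():
        return False
    if rule.protocol != conn.protocol:
        return False
    if rule.remote_addresses and conn.remote_address not in rule.remote_addresses:
        return False
    if rule.remote_ports and conn.remote_port not in rule.remote_ports:
        return False
    if compare_local_ports and rule.local_ports and conn.local_port not in rule.local_ports:
        return False
    return True


class NotificationSystem:
    """Decides what happens each time Windows Firewall blocks an outbound connection."""

    def __init__(self, rules, compare_local_ports=True):
        self.rules = list(rules)
        self.compare_local_ports = compare_local_ports
        self.pending = {}  # program path -> details currently shown in its dialog

    def on_blocked(self, conn):
        """Return 'suppressed', 'new' or 'updated' for one blocked connection."""
        if any(rule_covers(r, conn, self.compare_local_ports) for r in self.rules):
            return "suppressed"       # a rule already decided; only the log records it
        key = conn.path.lower()
        if key in self.pending:
            self.pending[key] = conn  # one dialog per program; refresh its details (post 23)
            return "updated"
        self.pending[key] = conn
        return "new"

    def answer(self, path):
        """The user answered the dialog for `path`; it closes."""
        return self.pending.pop(path.lower(), None)


def scenario_local_port_rule(compare_local_ports):
    """Post 1: a rule that pins the local port, then the same program connects
    to the same destination from a different local port."""
    path = "C:\\Windows\\System32\\placeholder_sync_host.exe"  # placeholder path
    rule = Rule(path, "TCP", remote_addresses=frozenset({"203.0.113.10"}),
                remote_ports=frozenset({443}), local_ports=frozenset({50000}))
    ns = NotificationSystem([rule], compare_local_ports)
    return ns.on_blocked(Connection(path, "TCP", "203.0.113.10", 443, 50001))


def scenario_remote_address_rule():
    """Post 11: a rule for one remote address on port 80; the program then tries
    another address, then port 443 while the first dialog is still open, and a
    third address after the user has answered."""
    path = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
    rule = Rule(path, "TCP", remote_addresses=frozenset({"203.0.113.10"}),
                remote_ports=frozenset({80}))
    ns = NotificationSystem([rule])
    outcomes = [ns.on_blocked(Connection(path, "TCP", "203.0.113.20", 80, 49152)),
                ns.on_blocked(Connection(path, "TCP", "203.0.113.10", 443, 49153))]
    ns.answer(path)
    outcomes.append(ns.on_blocked(Connection(path, "TCP", "203.0.113.30", 80, 49154)))
    return outcomes


if __name__ == "__main__":
    print("local port ignored (post 2):", scenario_local_port_rule(False))
    print("local port compared (4.4.1.0):", scenario_local_port_rule(True))
    print("remote address rule (post 11):", scenario_remote_address_rule())
```

    With `compare_local_ports=False` the pinned local port makes every later attempt from another port "suppressed", which is why hjlbx saw silent blocks after adding a local port; with `True` the same attempt produces a new dialog. The second scenario shows the intended design from post 11 (a different remote address or port yields a notification) and the coalescing from post 23 (while the dialog is open, further blocks for the same program update it instead of stacking up).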
  24. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    No, please let it for all!
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Windows Firewall Control v.4.4.1.0

    What's new:
    - Improved: The notification dialog was modified to accept larger language strings. A line splitter was added which can be used to modify the width of the content.
    - Fixed: A new notification is not displayed for a blocked connection if an existing rule has set the remote ports and the remote IP addresses.
    - Fixed: Local ports are not taken into consideration when the Notifications system decides if a new notification should be displayed or not.
    - Fixed: The path displayed in the notification dialog for the files executed from a RAM disk is not resolved. Added support for resolving paths from RAM drives.
    - Fixed: Sometimes, Windows Firewall determines the path for some programs with the old 8.3 file name style. It is impossible to create a new rule from the Notification dialog or from the Connections Log when such paths are received. Added support for short names used in paths.
    - Fixed: Double click on the data grid scroll bar in Connections Log and New Rules Wizard views opens the Properties dialog when an entry is selected.
    - Fixed: When an entry is selected in New Rules Wizard, Enter key moves the selection on the next row instead of opening the Properties dialog.
    - Fixed: Toolbox buttons from Rules Panel have truncated labels even if the toolbox area is enlarged.
    - Fixed: The installer/updater gives an unhandled exception if .NET Framework 4.5 is not installed on the machine.
    - Fixed: The unlock button from the Notification dialog is disabled when the program is locked and a new notification is displayed. The user must open Main Panel to unlock the program.
    - Fixed: Old self signed certificates used until WFC 4.0.2.2 are not removed from the computer even if they are not used anymore. Please answer YES if at the end of the installation/update you are asked: "Do you want to DELETE the following certificate from the Root Store?" with the subject "BiniSoft.org".

    Installation notes: Use the new installer to update to this new version or use the auto check for updates feature.

    Download location: http://binisoft.org/download/wfc4setup.exe
    SHA1: ffa7062b47d5e534355bb417ffbc3172ab0e233c

    Please let me know if the reported bugs are fixed.

    Have a great weekend,
    Alexandru

    P.S.: The list of improvements and fixes is still open. If I forgot something, please let me know.
     