Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud (Developer) | Joined: Apr 14, 2011 | Posts: 2,411 | Location: Romania

    This post explains the differences between the two modes:
    https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-59#post-2475181

    Generic rules are the rules which apply to all programs, the rules with Program = ANY.
     
  2. itman (Registered Member) | Joined: Jun 22, 2010 | Posts: 8,592 | Location: U.S.A.

    A couple of issues after WFC installation.

    1. Emsisoft behavior blocker warned me of hidden downloader, i.e. Trojan, activity from WFC today at first cold boot time after WFC install. Why is WFC doing hidden Internet activity when it has defined its own outbound rule for updating?

    2. I thought WFC gives 30 secs to make a block or allow connection and during that time the connection is blocked? I have had multiple instances of a connection being allowed while the WFC alert screen has been displayed and 30 secs. have not elapsed. For example, Adobe Reader update connection was allowed prior to me indicating a decision on the WFC block/allow screen. Very dangerous if that dial-out was malware.
     
  3. alexandrud (Developer) | Joined: Apr 14, 2011 | Posts: 2,411 | Location: Romania

    1. This is a false positive. There is no hidden Internet activity in WFC. The recommended rule which allows WFC to connect to our website is allowing WFC to check the file http://www.binisoft.org/update.xml if a new version is available. This check is made automatically after one minute when WFC is started in case the auto check for updates is enabled or on request by the user when he manually checks for updates. That's the only Internet activity that WFC is making.

    2. WFC doesn't block or allow anything. WFC notifies the user when a connection was already blocked by Windows Firewall or by another software which uses Windows Filtering Platform and logs the activity in the Security log of the system. If you have programs that can still connect while using Medium Filtering, even if they don't have an allow rule, then Windows Firewall does not work correctly. This usually happens when a software proxy, web filtering module, etc., is installed and the network traffic is not redirected back to Windows Firewall. In this case Windows Firewall rules are not applying. What other security products do you use?
     
  4. Alpengreis (Registered Member) | Joined: Oct 7, 2013 | Posts: 670 | Location: Switzerland

    Or even a better variant:

    Enhanced notification mode: Generic rules (rule for any programs) are recognized. Eliminates undesired notifications but in certain cases, possibly desired notifications are not generated.

    Eventually it would be even better to replace "Enhanced" with "Optimized" to make it clearer which mode generates more notifications?!

    Alpengreis
     
  5. alexandrud (Developer) | Joined: Apr 14, 2011 | Posts: 2,411 | Location: Romania

    I will keep this in mind for the next version.
     
  6. clubhouse1 (Registered Member) | Joined: Sep 26, 2013 | Posts: 1,124 | Location: UK

    Generic rule to me is a bit vague... If, say, I wanted to prevent iTunes from calling out and I have "enhanced" selected, what generic rules would apply?
     
  7. Alpengreis (Registered Member) | Joined: Oct 7, 2013 | Posts: 670 | Location: Switzerland

    I wrote generic rules because the developer named them so. However: generic rules are rules with "Program = Any" in their preferences (meaning for all programs).
    So for example: if you have a generic rule which blocks your iTunes too, you do not receive a notification if you try to make an outbound connection with your iTunes.

    Unfortunately, it's even more complex if the enhanced mode is activated: then, WFC checks for existing allow rules for the related thing too. If an allow rule exists, you should also not receive a notification. Alexandru has implemented this for compatibility reasons, because there exist other external programs (NOT Win Firewall) which block connections and use the Windows Firewall protocol to generate the entries for blocked connections.

    I have suggested a workaround to Alexandru (not detailed here in the forum). But probably he will not use it and I can understand him (it has arguments pro and con, in technical view only pro *g* but not for the usability/(new)user questions).
     
    Last edited: Apr 1, 2015
  8. Alpengreis (Registered Member) | Joined: Oct 7, 2013 | Posts: 670 | Location: Switzerland

    It seems it's not easy for the "normal" user to understand the new enhanced mode. My personal opinion is: we should NOT have two modes.

    If a user chooses notification level high, he should receive all notifications, even if it's from an external (non Win Firewall) program, regardless of which filtering mode is selected (except high of course).

    WFC should NOT check for allow rules (as is now the case in enhanced mode), but should check if a related block rule exists in the Windows Firewall. If this is not the case (blocked externally through entry in Windows Firewall log), WFC should display a notification but WITHOUT the possibility to create a new rule (would be senseless, because not Win Firewall has blocked) - instead show the notification, for example: "Blocked connection not through Windows Firewall", create new rule is not possible, or something like that. So even if a user then manually creates a rule (senseless), WFC would re-display this notification - and the user should see WHY it's blocked (through external program).

    Then to prevent undesired notifications, if generic rules exist (Program = Any, meaning for all programs): WFC should make a re-check for generic rules as follows: is the IP included in the generic rule, is the protocol included in the generic rule, and so forth.

    With this solution, we would have ONE mode, ONE logic - maybe user questions too, but not technical difficulties, and the whole thing would be more understandable ...

    However: the most important thing should be: the complicated things should be integrated in the program (code) and should be automatized - as much as possible. The user should be prevented from such things - as much as possible. The firewall things are complex enough ...

    It's just my opinion ...

    Alpengreis
     
    Last edited: Apr 1, 2015
  9. jwcca (Registered Member) | Joined: Dec 6, 2003 | Posts: 772 | Location: Toronto

    This app is a UI for Microsoft's Windows Firewall, not for any other program that has firewall powers.
     
  10. clubhouse1 (Registered Member) | Joined: Sep 26, 2013 | Posts: 1,124 | Location: UK

    Thanks Alpengreis, I think I'll stick with this enhancement disabled. I simply want to be told an app (exe) is trying to call out with an allow or disallow option.
     
  11. itman (Registered Member) | Joined: Jun 22, 2010 | Posts: 8,592 | Location: U.S.A.

    I don't think it's a false positive. I get that alert when something is trying to install crapware on my PC. No problem, I have EAM blocking WFC from that type of activity.

    Looked at this in a bit more detail. Adobearm and Acrord32.exe are indeed blocked. So guess what Reader will use in this instance? Svchost.exe with a connection to Akamai. Why am I not surprised ...
     
  12. alexandrud (Developer) | Joined: Apr 14, 2011 | Posts: 2,411 | Location: Romania

    Windows Firewall Control has been out since 2010. I never included any toolbars, advertisements, offers or other programs in my installer, which is also developed by me. I had many offers for making money from this kind of stuff, but, like everyone here, I hate such installers bundled with useless and annoying things. Also, if you take a look at my website it is simple and clean, no ads, no pop-ups, no offers from your last search on Google, ~ Snipped as per TOS ~. What makes you think that WFC wants to install something on your computer?
     
    Last edited by a moderator: Apr 1, 2015
  13. alexandrud (Developer) | Joined: Apr 14, 2011 | Posts: 2,411 | Location: Romania

    Hello all. Indeed, a lot of questions appeared related to the new enhanced mode. I am thinking to remove it and change the behavior to the following:

    1. High level - WFC will display all blocked connections for all programs. The search for matching rules (to see if a new notification should be displayed) when a new connection is blocked will be made in this order: all block rules defined for the same path, all block rules that apply to all programs, all allow rules that apply to the same path (for compatibility purposes).

    Before adding this infamous "enhanced mode", the match through all block rules that apply to all programs was not done. Because of this, some notifications may appear extra. This is new and will be kept in the new search for matching rules.

    After further testing I came up with the conclusion that the search through all existing allow rules that apply to all programs may skip a lot of notifications and the gain is less than the loss. As a result, this search will be removed.

    2. Medium level - Currently WFC skips notifications for svchost.exe and System. The search for matching rules will be the same as for the High level. The new thing here will be that WFC will skip all notifications that contain C:\Windows in their paths and, of course, System. Here are included explorer.exe, rundll32.exe, etc. The notifications for these will be available only on High level. The reason for this change is that many users want to define only custom rules for their own software and they don't care about system related blocked connections.

    What do you think about the proposed change?
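
The search order proposed in the post above, modelled as an added Python example (not WFC's code and not written by anyone in the thread). The rule fields, paths and sample rules are constructed assumptions, and protocol/port matching stands in for the full rule scope; the point it shows is that a generic allow rule no longer suppresses a notification.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                        # "block" or "allow"
    program: Optional[str] = None      # None models Program = ANY (a generic rule)
    protocol: Optional[str] = None     # None = any protocol
    remote_port: Optional[int] = None  # None = any remote port

@dataclass(frozen=True)
class BlockedConn:                     # one blocked-connection log entry (constructed model)
    program: str
    protocol: str
    remote_port: int

def _scope_matches(rule, conn):
    return (rule.protocol in (None, conn.protocol)
            and rule.remote_port in (None, conn.remote_port))

def _same_path(rule, conn):
    # Windows paths compare case-insensitively.
    return rule.program is not None and rule.program.lower() == conn.program.lower()

def _any_program(rule, conn):
    return rule.program is None

# Order taken from the post. Generic ALLOW rules are deliberately not searched.
SEARCH_ORDER = (
    ("block rule for the same path", "block", _same_path),
    ("block rule for all programs", "block", _any_program),
    ("allow rule for the same path", "allow", _same_path),
)

def find_matching_rule(conn, rules):
    """Return (tier label, rule) for the first match in the proposed order, else None."""
    for label, action, program_test in SEARCH_ORDER:
        for rule in rules:
            if (rule.action == action and program_test(rule, conn)
                    and _scope_matches(rule, conn)):
                return label, rule
    return None

def should_notify(conn, rules, level):
    """level is 'high' or 'medium' (notification level, not filtering level)."""
    if level == "medium":
        path = conn.program.lower()
        if path == "system" or "c:\\windows" in path:
            return False               # system-related entries only appear on High
    return find_matching_rule(conn, rules) is None

# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("block", r"C:\Program Files\iTunes\iTunes.exe"),
    Rule("block", None, "UDP", 1900),                 # generic block
    Rule("allow", r"C:\Apps\reader.exe", "TCP", 443),
    Rule("allow", None, "TCP", 80),                   # generic allow: ignored
]
```
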
     
  14. Broadway (Registered Member) | Joined: Aug 16, 2011 | Posts: 211

    What I don't get is why should one use a "generic rule"? Does anyone create "generic rules" for what purpose?
    When I scroll through my ruleset in WFC I see some "generic rules" (I notice them because there is no path to a program related to those),
    and what I find are some rules "File and Printer Sharing: ICMPv4, ICMPv6, RPC-Epmap" (inbound) as well as
    some rules "File and Printer Sharing: ICMPv4, ICMPv6", and "Core Networking: 11 different ICMPv6 rules" (outbound).
    I never created those rules, so I assume they were created by Windows 7 itself.

    Alexandru wrote: "You should consider removing such rules and replace them with specific rules for specific programs. If you are forced to define an allow rule for all programs, make sure you customize it for specific ports, IP addresses, etc. Do not create generic allow all rules for all programs, because in this scenario, any phone home software will be able to connect to the Internet."

    So what do I have to do with my "generic rules"? And what are the recommendations for the checkbox "Use enhanced mode..."

    I've been using WFC from very early times on - but this is the first time I'm really struggling with an "enhancement".

    Any help will be very appreciated. Thank you :)
     
  15. petok (Registered Member) | Joined: Jan 11, 2015 | Posts: 35

    Windows Firewall Control is a good and simple piece of software. I have used it for 2.5 years and it works perfectly, though on my other PC it is not fast; for testing and analyzing software it is good.
     
    Last edited by a moderator: Apr 1, 2015
  16. Broadway (Registered Member) | Joined: Aug 16, 2011 | Posts: 211

    But in Medium Level I do get a notification when explorer.exe or rundll.exe try an outbound connection for the very first time?
    And after that any time, the connection does not match a rule defined prior to it?
     
  17. Alpengreis (Registered Member) | Joined: Oct 7, 2013 | Posts: 670 | Location: Switzerland

    1) This is true of course, but I meant of course only external programs that also use the WINDOWS FIREWALL LOG (programs without their own filtering drivers).
    2) Note also: even in the current state, WFC uses the check for allow rules for compatibility with other EXTERNAL programs, as I described above.
    3) Even *I* would avoid this! Because of this, it should not make this check. But if a connection is blocked in the WINDOWS FIREWALL LOG, then it could be sensible to display this (with no possibility to react further). So the user would know there is a blocked connection in the WINDOWS FIREWALL LOG. However, this point is not the most important.

    That was the idea. This would even prevent WFC from also looking at allow rules for compatibility purposes with EXTERNAL (see above) programs.

    Also I know: it's a difficult thing and could lead to other questions/problems.

    Okay, after more thinking about this and reading the last post of Alexandru: we should probably not implement this. The newest suggestion from Alexandru would be a "mix", which should be enough and easy enough to handle!

    Thanks for your response and opinion!
     
  18. Alpengreis (Registered Member) | Joined: Oct 7, 2013 | Posts: 670 | Location: Switzerland

    Yes, that would be a "mix" and more important would prevent the enhanced mode!

    So we would have for the notification levels:

    Medium = The old enhanced mode (v4.4.2.4)
    High = Without old enhanced mode (v4.4.2.4)

    After thinking further: at least after THIS solution, it would not be necessary to implement my other idea (show notification for blocked connection from non-Win-Firewall but through Windows Firewall log entry). Because the "High shows all" concept (without regard to allow rules) would be enough and good.

    So we would have an "easy" (for the user) and good solution, even for (more) complicated firewall settings too.

    If I am right with the above, then definitely +1 from me!

    Thanks, Alexandru
     
    Last edited: Apr 1, 2015
  19. itman (Registered Member) | Joined: Jun 22, 2010 | Posts: 8,592 | Location: U.S.A.

    I think this is a good move.

    Take rundll32.exe for example. It needs to run to clear IE temp settings, cookies, etc. A better way to control it is to take a close look at scheduled tasks set up that use it.

    Consent.exe is used by UAC and dials out for cert. validations.

    I don't know about allowing everything under C:\Windows though. What would be great would be an editable whitelist of all processes there that require internet access, but that would be a lot of work.
     
  20. marzametal (Registered Member) | Joined: Mar 19, 2014 | Posts: 766

    Looks like I will be using the High setting from now on... I don't see why some Windows files require internet access, but scream for it...
     
  21. Alpengreis (Registered Member) | Joined: Oct 7, 2013 | Posts: 670 | Location: Switzerland

    It has nothing to do with consent.exe or rundll32.exe. They are related to the OS, that's right.

    But we are talking here about the following - see in the Rule Manager:

    rules with Program = SYSTEM
    ... Some of "File and Printer Sharing" rules for example have this (here on Win 7)

    rules with Program = svchost.exe

    ... The default "Home Group" rules for example have this (here on Win 7)
    ... Some of default "Windows Media Player" rules for example have this (here on Win 7)

    rules with Program =

    ... (no entry = blank), means = ANY, means = for ALL programs
    ... these are generic rules
    ... Some of default "Core Networking" rules for example can have this (here on Win 7)

    About the whitelist: If you reset your Windows Firewall rules, you should have a default whitelist (the default allow rules) - this should be enough. The rest should be the decision of the individual user. If you have the filtering level = Low, all outgoing is allowed anyway except what is explicitly blocked.

    Then with WFC YOU CREATE your own whitelist: set the filtering level = Medium and you receive a notification if the outgoing connection is blocked through Windows Firewall - if you want to allow it, create the rule!

    I want no default whitelist from WFC ...

    Alpengreis

    EDIT: For Low note also (if this has not changed): "If a program is digitally signed and you use Low notification level, it will create a generic allow rule on the first attempt of connection of that program."

    EDIT 2: In medium: you receive the notification: if there is no related allow rule already and/or no related block rule (block rules have higher priority than allow rules).

    EDIT 3: Ok, for the NOTIFICATION (LEVEL MEDIUM & HIGH), probably things in "C:\Windows" are meant (too) but NOT for FILTERING LEVEL(S)
     
    Last edited: Apr 2, 2015
  22. clubhouse1 (Registered Member) | Joined: Sep 26, 2013 | Posts: 1,124 | Location: UK

    Is there a repository for older versions?.....I'd prefer WFC as was rather than be plunged into becoming an expert on firewall configurations.
     
  23. Alpengreis (Registered Member) | Joined: Oct 7, 2013 | Posts: 670 | Location: Switzerland

    Have patience until the coming update. If Alexandru makes this with the High and Medium Filter Level for Notifications, then it should be enough for you to set it to High and you should receive all the notifications which are related directly to the Windows Firewall program (the program itself, not the complete Windows Firewall Log) ...

    Even because of overwhelmed users (sorry!), I have complained about the new enhanced mode!

    But I would not use older version(s), because they all have more or less other problems or even bugs ...

    I'm VERY sure Alexandru will make a really easier new update!

    BTW: I had to ask some things too about the enhanced mode AND other things ...
     
    Last edited: Apr 2, 2015
  24. smith2006 (Registered Member) | Joined: Mar 28, 2006 | Posts: 808

    Agreed.

    Webroot SecureAnywhere also detected the installer for v4.4.2.1 as Win32.Gen previously.

    I reported it as false positive & it had been rectified.
     
    Last edited: Apr 1, 2015
  25. MikeMT (Registered Member) | Joined: Feb 7, 2015 | Posts: 63 | Location: Malta

    Hi @clubhouse1.. I have 4.3.0.1 & 4.4.0.1 versions that are working perfectly on my Win 7 & 8.1 endpoints that I will upload to one of my clouds if you require?

    Regards

    Mike
     