Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    You should not struggle with this enhancement. The new "enhanced mode" is disabled by default when you update to the latest version. This means WFC will work the same as it worked in the past. Just because we are brainstorming, it doesn't mean that you have to do any extra work in configuring your rules. When I say to avoid generic rules, I refer to the ones created by users by mistake. I receive a lot of full policies by email to check and I've seen a lot of these kinds of rules. Windows Firewall has its own generic rules but they are targeted to specific services, protocols, ports. I didn't refer to them. Those should be left untouched.
    The point of these discussions is to improve WFC. Thanks to this forum, WFC got a lot more features and many bugs were fixed. WFC works the same way it did in the past, even if the last posts are more technical. I wouldn't recommend using an older version. For this reason, there is no repository with previous versions.


    I will make the proposed changes and I will publish a new version soon. The enhanced mode will be removed and partially integrated into the existing modes.
    Thank you all, for your valuable feedback.
     
  2. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Thank you, Alexandru, I think this will help a lot. :)
     
  3. buffering

    buffering Registered Member

    Joined:
    Jan 16, 2015
    Posts:
    7
    WFC means a lot to me, which is why I happily donated. Antivirus is a thing of the millennium. Today a firewall is more important than antivirus in my opinion. The Notification system (I use medium), Manage Rules, and Connections log are just perfect. (I remember using Sunbelt Kerio FW with notifications in Windows XP days). Hope to use WFC when Windows 10 comes : )
    Once again, thank you for your creation, sir.
     
  4. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    About Windows 10: happily, this should not be a problem, see ...
    www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-57#post-2467620
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Does this mean you're going to allow outbound everything in C:\Windows directory for the Medium profile?
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Emsisoft verified this is a FP and whitelisted wfc.exe.
     
  7. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Sorry I meant this reply for Alexandrud since he was the one proposing allowing everything outbound from C:\Windows directory.

    2. Medium level - Currently WFC skips notifications for svchost.exe and System. The search for matching rules will be the same as for the High level. The new thing here will be that WFC will skip all notifications that contain C:\Windows in their paths and, of course, System. Here are included explorer.exe, rundll32.exe, etc. The notifications for these will be available only on High level. The reason for this change is that many users want to define only custom rules for their own software and they don't care about system related blocked connections.
     
  9. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Thanks for the kind offer, I found I had a copy of 4.4.0.1 on a USB...I'll use that until the cloud of confusion over this new option is cleared...Thanks again.
     
  10. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Ahh, ok, I see, sorry!

    He means you would not receive notifications for such things at NOTIFICATION LEVEL MEDIUM, only at NOTIFICATION LEVEL HIGH.

    He does NOT mean the filtering levels.

    Alpengreis
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yeah, I finally figured out he meant notification level. I switched mine to high.

    I also have a question about the WFC default Windows Updating rule. Actually, that rule is for allowing all outbound svchost.exe on ports 80, 443. So the naming of the rule is a bit misleading.

    Also, does %windir%\system32\wuauclt.exe not need to be allowed outbound access for auto Win updating to work correctly, at least in Win 7?
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    This does not modify the filtering mode of Windows Firewall. This applies only to the connections that the user sees through the notifications. The connections are still blocked.
    Because Windows Update servers are switching and because they are different depending on the location of a Windows machine, it is hard to define a more restrictive rule based on remote IP ranges which is supposed to work for everyone. The user can define a more restrictive rule if he wants. Wuauclt.exe is not required for Windows Update to work, at least not on my Windows 7 x64 test machine.
     
  13. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Where are these certificates located?
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Execute certmgr.msc and you will see all certificates installed under certain locations on your computer.
     
  15. Jack8

    Jack8 Registered Member

    Joined:
    Jan 5, 2015
    Posts:
    17
    wfc.exe is flooding the registry with queries not found.
    Hi, from time to time I do a procmon (Sysinternals Process Monitor) run on my Win 8.1 64bit machine.
    The results for Windows Firewall Control are strange: wfc.exe is flooding my machine with queries not found. The registry keys involved are:

    HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\
    HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
    HKLM\System\CurrentControlSet\Services\TCPIP6\Parameters\Interfaces\
    HKLM\System\CurrentControlSet\Services\NetBT\Parameters\

    There are thousands of queries over a short time period, where NONE of the DWORDs wfc.exe is searching for exist in my registry and I guess on almost no machine. These endless queries go on and on in a loop and never stop, maybe because they are never resolved.

    So, what is the reason for this CPU-intensive behaviour and can you maybe change that?
    Best regards
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    WFC uses Windows Registry to store user settings. But the calls are very few for this purpose. Also, WFC uses Windows Firewall API and a lot of .NET Framework assemblies. All of these assemblies generate read events in Windows Registry for specific functions. When you make a filter on wfc.exe you see the activity of all references that wfc.exe uses. Process Monitor results are not relevant regarding the CPU usage of an application. In other words, what you see there means nothing much. I just filtered the results to see winamp.exe activity. Guess what? Thousands of queries in a short period of time. The same for explorer.exe, just launch My Computer and at least 12000 new queries to Windows Registry will appear instantly.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I have had the toolbar icon shutdown at least 3 times this morning for no reason with the latest release. The last time it shutdown, I could not restart it using the desktop shortcut. Had to reboot to get the toolbar icon back.
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    1. When this happens, do you see the process wfc.exe in Task Manager?
    2. If you manually kill it and then you restart wfc.exe, does it appear? A reboot is not required.
    3. Do you have any antivirus that may flag wfc.exe as malware? False positive, of course.
    4. Please go to Event Viewer (eventvwr.msc). Under "Applications and Service logs" category, there is a subcategory named WFC. Here are logged all errors from WFC. When you are there, on the right panel is a button named "Save all events as...". Use this button to export an *.evtx file and send it to support@binisoft.org to check the log.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Just sent you the log. In regards to:

    1. Yes, wfc.exe was running in Task Manager.
    3. Again, I received a hidden download Trojan warning from Emsisoft Antimalware at boot time about wfc.exe. This occurred after they whitelisted it and one plus WFC update connections have occurred successfully.
     
    Last edited: Apr 3, 2015
  20. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    @itman
    FYI
    I use a combo of WFC and EAM on one of our machines and have experienced no such issue/s.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Are you using the paid version with real time and behavior blocking protection? The alert is coming from the behavior blocker.
     
  22. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Yes I am and have been for some years.
    If it helps this is on a Win 7 64 bit machine.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Same here; WIN 7 x64 SP1.
     
  24. Jack8

    Jack8 Registered Member

    Joined:
    Jan 5, 2015
    Posts:
    17
    Thank you for your quick reply! Well, as it turns out, I did the recent wfc update without rebooting afterwards. Seems to me that was the reason for the problem I described above. Now, after rebooting the computer, wfc.exe is actually not showing up in procmon when filtered by 'name not found', even after some minutes. To sum up, I recommend a reboot after each update of wfc. Problem solved.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I am starting to believe I picked up a bad download in the WFC update yesterday?

    I just saw 6 blocked outbound connections in my WIN 7 event log from wfc.exe this afternoon. None of these exist in the WFC log. Further, the IPs involved, 72.21.91.29 and 205.234.175.175, are a bit dodgy rep-wise per Robtex. The 205. IP is cachefly.net in Amsterdam. I reside in the U.S. They certainly are not listed in the built-in WFC update rule that shows IP 50.87.146.202.

    The question is how did these get blocked if WFC is filtering my outbound web traffic? Of course, I received no alerts from WFC about these connections.

    Note: These wfc.exe dial-outs occurred immediately after I had allowed a Mozilla maintenance outbound connection for Thunderbird e-mail.

    Also, the IP 205.234.175.175 is associated with Digicert, which digitally signed the Mozilla maintenanceservice.exe. Perhaps this was some type of certificate check by WFC? Why is WFC doing that?

    -EDIT- I now suspect this was explorer.exe dialing out for a Thunderbird digital cert. update. I noticed I had a block all explorer.exe rule created in WFC. Only problem with this is there is zip log history anywhere when WFC blocks a rule of what the source program was? You have to be aware enough of what new rule was created to determine the source?
    Determining what is a valid explorer.exe dial-out is difficult since many processes use it; i.e. cert. updating for example. The program is not allowed for Public profile in WFC which I use.
     
    Last edited: Apr 4, 2015
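
Added example (not WFC code and not written by any poster in this thread): the Medium and High notification levels, as described in the text quoted in post 8, applied to a constructed list of blocked outbound connections to show which blocks produce no notification at Medium while still being blocked, as post 12 explains. The record layout, the function names and the whole-directory match on C:\Windows are assumptions made for this illustration.

```python
from collections import Counter

# Constructed sample of blocked outbound connections (not taken from the thread).
BLOCKED = [
    {"app": r"C:\Windows\explorer.exe", "remote": "203.0.113.10", "port": 80},
    {"app": r"C:\Windows\explorer.exe", "remote": "203.0.113.10", "port": 443},
    {"app": r"C:\Windows\System32\rundll32.exe", "remote": "203.0.113.11", "port": 443},
    {"app": r"C:\Windows\System32\svchost.exe", "remote": "203.0.113.12", "port": 80},
    {"app": "System", "remote": "203.0.113.13", "port": 445},
    {"app": r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe",
     "remote": "203.0.113.14", "port": 443},
    {"app": r"C:\Windows.old\Windows\explorer.exe", "remote": "203.0.113.15", "port": 80},
]


def under_windir(app, windir=r"C:\Windows"):
    """True only if app lies inside windir (whole directory name, any case)."""
    path = app.replace("/", "\\").lower()
    root = windir.rstrip("\\").lower()
    return path.startswith(root + "\\")


def notifies(app, level):
    """Would a blocked connection from app raise a notification at this level?"""
    if level == "high":
        return True
    if level == "medium":
        # Medium: skip System and everything under C:\Windows (assumed matching).
        return not (app.lower() == "system" or under_windir(app))
    raise ValueError(f"unknown notification level: {level}")


def silent_blocks(records, level):
    """Count blocked connections per program that produce no notification."""
    return dict(Counter(r["app"] for r in records if not notifies(r["app"], level)))


if __name__ == "__main__":
    for app, count in sorted(silent_blocks(BLOCKED, "medium").items()):
        print(f"{count:3d}  {app}")
```
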