Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    A reboot after WFC install or update is not required.
    The only IP where WFC should be allowed to connect is 50.87.146.202, and only when it checks for updates. An xml file on binisoft.org website. Other connection attempts should be blocked, as they are generated by the operating system, not by WFC code. However, in the notification dialog context (when a new notification is displayed), WFC checks if the program has a digital signature. On other cases, the operating system checks if there is a valid certificate for WFC, or even referenced assemblies may check for a valid digital certificate. All these are made in the name of wfc.exe even if I don't trigger such verifications from WFC code. One thing is sure, WFC doesn't do any hidden activity on your system.
     
  2. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
Alex, would it be possible to allow a "paste" of multiple IPs in the blank rule "create new rule" option... Would be useful if you wish to add a string of IPs.
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
Already possible, but they must be on the same line, separated by commas and without spaces. That text box doesn't allow multiple lines, so you have to format your input string before pasting it in that textbox.

    OK: 92.122.212.10,92.123.96.0-92.123.111.255,95.100.0.0-95.100.15.255,23.32.0.0-23.67.255.255

    Not OK:
    92.122.212.10
    92.123.96.0-92.123.111.255
    95.100.0.0-95.100.15.255
    23.32.0.0-23.67.255.255
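For anyone who keeps such lists one address per line, here is an added helper (example code, not part of WFC) that turns the "Not OK" form above into the single-line, comma-separated, space-free form the post says the text box accepts. It validates each entry and rejects reversed ranges, which would paste fine but match nothing. It also accepts CIDR notation and expands it to an a-b range; that is an addition of this example, the post only says ranges and single addresses work. The input below is constructed from the post's own four entries.

```python
from __future__ import annotations

import ipaddress
import re

# Entries may arrive separated by commas, spaces or newlines; a dash with
# spaces around it ("a - b") is tightened first so the range stays one token.
_SPLIT = re.compile(r"[\s,]+")
_LOOSE_DASH = re.compile(r"\s*-\s*")


def parse_entry(entry: str) -> tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse one entry into an inclusive (first, last) address pair.

    Accepts a single IPv4 address, an 'a-b' range, or (added here, beyond
    what the post describes) CIDR notation. Raises ValueError on garbage
    or on a reversed range, which would otherwise silently match nothing.
    """
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        return net[0], net[-1]
    first, sep, last = entry.partition("-")
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last) if sep else lo
    if hi < lo:
        raise ValueError(f"reversed range: {entry}")
    return lo, hi


def normalize_ip_list(raw: str) -> str:
    """Return the list in the form WFC's rule text box accepts:
    one line, entries separated by commas, no spaces.

    Exact duplicates are dropped; the original order is kept.
    """
    seen: dict[str, None] = {}
    for token in _SPLIT.split(_LOOSE_DASH.sub("-", raw).strip()):
        if not token:
            continue
        lo, hi = parse_entry(token)
        seen.setdefault(str(lo) if lo == hi else f"{lo}-{hi}", None)
    return ",".join(seen)


if __name__ == "__main__":
    # Constructed input: the multi-line "Not OK" form from the post above.
    pasted = """92.122.212.10
92.123.96.0-92.123.111.255
95.100.0.0-95.100.15.255
23.32.0.0-23.67.255.255
"""
    print(normalize_ip_list(pasted))
```

The output of the sample run is exactly the "OK" line from the post, ready to paste into the text box.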
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Windows Firewall Control v.4.4.3.0 - New version

    What's new:
    - New: Enhanced Mode for notification system, which was introduced in the previous version, is now integrated in the existing old modes.
- New: Medium notification mode was updated to display notifications but without the connection attempts of programs located in C:\Windows and its subfolders.
    - New: High notification mode was updated to display notifications for all programs, including system ones located in Windows folder and its subfolders.
    - Update: The light gray color of read only rules was changed to dark grey to improve the readability.

    Updated translation strings
    203 = Display notifications for all blocked outbound connections, including the connection attempts of programs located in Windows folder or its subfolders.
    205 = Display notifications for all blocked outbound connections, but do not display them for programs located in Windows folder or its subfolders.

    Removed translation strings
    213 = Use enhanced mode when deciding to display a new notification

    Download location: http://binisoft.org/download/wfc4setup.exe
    SHA1: 091ef801387dfa976c25fa39033081ad00ac6fb7

    Thank you for your feedback and for your contribution to this project.
    Have a great Sunday,
    Alexandru
     
  5. Daniel Fortes

    Daniel Fortes Registered Member

    Joined:
    Jan 23, 2015
    Posts:
    12
When I turn on my PC, this occurs (Catch)
    High mode and Medium
    I sent a zip file with technical data to your email
    Windows 7 x64

    thank you very much

    Edit:
    I created a rule for ICMPv6 Output (block) and no problem starting the PC

    http://i.imgur.com/3JVkDYl.jpg
     
    Last edited: Apr 5, 2015
  6. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    First, thanks for the new version ...

Does NOT work again! No notification in filtering = medium and notification = High for "Ping v4 AND v6"!

    I meant notification level = high is the old version without the enhanced mode activated and notification level = medium the old version with the enhanced mode activated - this is definitely not the case ...

    This means for me, I can no longer use filtering level = medium ...

    EDIT: If I deactivate ALL outgoing block rules, it works ... I know this effect from a "pre-pre ..." version/beta, but this is not good! Even most of the block rules are NOT related to the test scenario with location private - instead most are related to Domain & Public, which should NOT be involved.

    EDIT2: For ICMPv4 I have analysed it and have found the reason: it's a generic rule which blocks ECHO for Location = Public, but during the test I was in Location = Private! This was NOT a problem in 4.4.2.4 (without active enhanced mode), but as said in the "pre-pre ..." release or beta!

    Alexandru, please test with my whole policy (which I have already sent)!


    Readability was not the problem, this was okay before. The DIFFERENCE between deactivated rules ("black on white") and read-only rules ("grey on white") is the problem; now with dark grey it looks almost identical and worse than before.

    Alpengreis
     
    Last edited: Apr 5, 2015
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The default outbound ICMPv4 rule WFC created on my PC is/was for all locations and all ICMP types. I disabled it and created my own only allowing echo request.
     
  8. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
This is possible. Nevertheless I must have this block rule active to prevent possibly auto-created allow rules for Location Public (I cannot activate the secure rules in my network, because it's undesired). Unless an installation removes this block rule (this is possible, I have such a case with a program, but it has nothing to do with this case, so then I make a rule with GPEdit.msc), it adds more security in Public Locations for my Laptop (in public WLANs for ex.).

    However, Alexandru knows this behaviour/problem, because it was already a problem - as I described in my posting (it was already a problem in the "pre-pre ..." release/beta).

    The problem seems to be (again) with the Locations, which are no longer recognized by WFC.

    This means it must be resolved within WFC, not through a user workaround.

    So, your workaround is NOT a principal solution.

    Alpengreis

    PS: And the existing IPv6 problem is also back again. I have not (yet) analysed it, but Alexandru probably knows the reason here too (it is probably also the location thing).

    PPS: Also, you probably describe a "default" allow rule - and I mean a non-default block rule. Or do you have DEFAULT (after installation) outbound block rule(s) on your system? Probably NOT.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I don't know if this has been reported before.

    My WIN 7 event log is full of warnings from WFC about SysInternals procexp64.exe. Perhaps because this is a spawned process from procexp.exe?

    WFC Process Explorer.png
     
  10. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Last edited: Apr 5, 2015
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
Please check my email. I have used the policy you sent me earlier. After I disabled two rules that you had that allowed ICMPv4 requests on Private location, a new notification was displayed when I tried to ping another computer from my local network. I was also connected to the Private location. To me, it seems it works correctly.

    Regarding the color, please make a screenshot and highlight the problem, because I do not understand which color on which color is hard to distinguish.
    I tried the same scenario and on my machines I don't get this warning. What happens if you move this file and execute it from a different partition? Are these warnings still generated? Do you see this warning only for this program?
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Sorry, I should have elaborated a bit more. Originally, procexp64.exe requested outbound access, so I allowed it. As a result, WFC created an allow rule for it. I am still unsure why this program needs outbound Internet access.

On the other hand, I was having a lot of issues with WFC yesterday after this last update on Saturday afternoon. For the first time ever, EMET failed to start up after yesterday's first cold boot. This was the first cold boot after the last WFC update. After some finagling I finally got EMET to start and it has been fine since. Also yesterday, WFC was slow to start up after re-boot; sitting there with an exclamation point for around 10 secs. This was confirmed by accessing WIN 7 Action Center and observing nothing was running, and it took a while to show Emsisoft AM was protecting everything.

    Today everything seems OK except for a slightly slower than normal startup after first cold boot.

    I will retest the Process Explorer issue and post back my findings.
     
  13. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Process Explorer [procexp64.exe] needs internet access only for VirusTotal lookups.
     
  14. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    No, it does not work correctly.

Also, I can't deactivate this "first" rule, because it's a generic rule FROM the OS, which is activated automatically after reboot again (I believe). AND - last but not least - it's a rule which is necessary and present on MANY MANY systems, because, if you activate file sharing, then this first rule is generated by the OS.

    AND - important - if I had deactivated some BLOCK RULES (not all, but I do not remember right now) WITHOUT deactivating your reported rules, it works with ICMPv4!

    Also, why are now allow rules involved in the new notification level HIGH?

    AND: why did it work before the current version (without enhanced mode) and now no more?

    Normal rules look "equal" to read-only rules. Here are screenshots ...

    This is an example of a NORMAL deactivated rule:
    NotEnabeldNormal.JPG

    And here a READ ONLY deactivated rule:
    NotEnabeldReadOnly.JPG

    This is an example of a NORMAL activated rule:
    EnabeldNormal.JPG

    And here a READ ONLY activated rule:
    EnabeldReadOnly.JPG

    Here as "single lines" and with a compressed picture it's easier to see, but uncompressed (original) in a whole policy, you cannot see the difference easily ...

    However, they should not look similar, because

    Alpengreis

    PS: Alexandru, WHY is it necessary to be compatible with other external programs (which recognize allow rules)? WFC should not look at other programs; if another external program blocks outgoing connections (through an entry in the Windows Firewall log), THESE PROGRAMS should be responsible for showing a notification, so the user would know why WFC displays a notification and so it's not possible to make this connection functional by creating an allow rule within WFC.
    At least in notification level HIGH, WFC should NOT recognise allow rules ...

    Oh man, in the German language I could explain such things much better ...


    PPS: This is even now gradually too much for me with the complicated notification module. My opinion is: WFC should have a notification level to SHOW ALL, REGARDLESS OF OTHER EXTERNAL PROGRAMS (COMPATIBILITY)! Now it's MUCH MUCH TOO COMPLICATED. How should a user know which rules to deactivate, even allow rules? Better to answer other questions if a problem exists with an external program on a user's PC than such complex WFC things ...

    EDIT:

    After a new test: if I deactivate THIS block rule below, it works:
    ToDeactivate.JPG

    WITHOUT deactivating a further allow rule!

    WHY is this rule involved in a private location (again)?

    Unfortunately: in real life, I cannot deactivate this rule! The only alternative would be to integrate this with GPEdit.msc ...
     
    Last edited: Apr 6, 2015
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
You had in your rule set an allow rule for ICMPv4 protocol for Private location. Indeed, it is a rule created for File and Printer sharing by the operating system. Your complaint was that you didn't receive a new notification for ICMPv4 when you were in Private location. You also said that you had a block rule created for protocol ICMPv4 and Public location. The reason why you did not receive a new notification was one of your rules which allowed the connection. The one which I had to disable in order to see if the notification system works. And it works like it is supposed to work.

    The notification system was created to display notifications for blocked outbound connections which don't match an existing rule. Not to see live all outbound connection attempts.
    A) So, if you have an allow rule that matches a specific connection, then a new notification will not be displayed. The connection is allowed by a rule, why should a new notification be displayed? To annoy the user? No.
    B) Also, if you have a block rule that matches the blocked connection, a new notification should not be displayed because the user already decided about it. He already created a rule. How many times should the user see the same thing again and again? He already blocked it.

    Allow rules were always used when searching for a matching rule. Why? Because the notification system works based on the events generated in the Security log by Windows Filtering Platform. When the user uses a program like PeerBlock or MBAM to avoid visiting malicious websites, these programs may block several connections. When a connection is blocked, it gets logged in the Security log of the system. As you already know, WFC is subscribed to these events.

    For example, you use Firefox to connect to a malicious website which gets blocked by PeerBlock. So, a new event is generated for a dropped packet in the Security log. WFC reads it and tries to see if there is a block rule that matches this connection. Should I display a new notification or not? There is no block rule, so display it, why not? But wait... this is wrong. What, why? I already created an allow rule for my firefox.exe. Then the question comes: "If I (the user) already created an allow rule for firefox.exe, why does WFC still ask me what to do? I already created an allow rule! Why is it not working?". Now, WFC has to check also the allow rules to see if there is a matching rule. If there is an allow rule that matches the connection, a new notification will not be displayed. Why? For compatibility purposes. Because all dropped packets go through the same filtering driver from Windows.

    What does not make sense in what I have explained above?
    There is nothing complicated. WFC works the same way. However, the user has to pay more attention to the rules that he maintains in his set of rules. But this applies to all firewalls, not only to Windows Firewall + WFC.

    ------------
    I have to apologize for expressing here so many technical details. I saw that this created confusion among the users of WFC. I will try to keep the technical details out of future discussions so as not to discourage the users from using WFC because of all of this. For more technical details/internal stuff, please use support@binisoft.org and not this topic. Thank you.
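The decision rule described in the post above (a dropped-packet event from the Security log only produces a notification when no existing rule, allow or block, matches it), together with the Medium/High distinction from the v4.4.3.0 changelog earlier in the thread (Medium hides programs under the Windows folder), written out as an added Python model. This is example code, not WFC's own implementation: the rule and event fields are a simplified stand-in for what a Windows Filtering Platform "packet dropped" audit event carries, the rule set and events are constructed, and the remote-address comparison is an assumption about how a matching rule is found. The last event mirrors the later report in this thread of an allow rule restricted to selected IPs: a connection to an address outside that set matches nothing, so at High level it notifies on every attempt.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

WINDOWS_DIR = r"c:\windows"   # simplification: %SystemRoot% assumed to be C:\Windows


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    direction: str = "out"
    program: str | None = None       # full path; None = any program
    protocol: str | None = None      # "TCP", "UDP", "ICMPv4", ...; None = any
    profiles: frozenset[str] = frozenset({"Domain", "Private", "Public"})
    remote: tuple[str, ...] = ()     # remote addresses/CIDRs; empty = any
    enabled: bool = True


@dataclass(frozen=True)
class DropEvent:
    """Constructed stand-in for the fields read from a Windows Filtering
    Platform 'packet dropped' audit event in the Security log."""
    program: str
    protocol: str
    profile: str        # network location the event happened on
    remote_ip: str
    direction: str = "out"


def _remote_matches(rule: Rule, ip: str) -> bool:
    if not rule.remote:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in rule.remote)


def rule_matches(rule: Rule, ev: DropEvent) -> bool:
    return (
        rule.enabled
        and rule.direction == ev.direction
        and (rule.program is None or rule.program.lower() == ev.program.lower())
        and (rule.protocol is None or rule.protocol == ev.protocol)
        and ev.profile in rule.profiles
        and _remote_matches(rule, ev.remote_ip)
    )


def should_notify(ev: DropEvent, rules: list[Rule], level: str) -> tuple[bool, str]:
    """Decide whether a dropped-packet event produces a notification.

    level is "high" or "medium"; anything else never notifies. Returns
    (notify, reason) so the reason can be shown when debugging a rule set.
    """
    if level not in ("medium", "high"):
        return False, f"notification level {level}"
    for rule in rules:
        if rule_matches(rule, ev):
            # A matching rule, allow OR block, means the user already decided.
            # A matching *allow* rule on a *dropped* packet points at another
            # filter (PeerBlock, MBAM, ...) having dropped it, not this rule set.
            return False, f"matched {rule.action} rule '{rule.name}'"
    if level == "medium" and ev.program.lower().startswith(WINDOWS_DIR):
        return False, "medium level hides programs under the Windows folder"
    return True, "no matching rule"


# Constructed rule set mirroring the cases discussed in the thread.
RULES = [
    Rule("File and Printer Sharing (Echo Request - ICMPv4-Out)", "allow",
         protocol="ICMPv4", profiles=frozenset({"Private"})),
    Rule("Block ICMPv4 on public networks", "block",
         protocol="ICMPv4", profiles=frozenset({"Public"})),
    Rule("Firefox", "allow", program=r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Rule("svchost, selected servers only", "allow",
         program=r"C:\Windows\System32\svchost.exe", protocol="TCP",
         remote=("203.0.113.0/24",)),
]

# Constructed events (documentation-range IPs).
PING = DropEvent(r"C:\Windows\System32\PING.EXE", "ICMPv4", "Private", "192.168.1.20")
FIREFOX_DROPPED_ELSEWHERE = DropEvent(
    r"C:\Program Files\Mozilla Firefox\firefox.exe", "TCP", "Private", "198.51.100.7")
SVCHOST_TO_OTHER_IP = DropEvent(
    r"C:\Windows\System32\svchost.exe", "TCP", "Private", "198.51.100.9")
NEW_TOOL = DropEvent(r"C:\Tools\newtool.exe", "TCP", "Private", "198.51.100.9")

if __name__ == "__main__":
    for ev in (PING, FIREFOX_DROPPED_ELSEWHERE, SVCHOST_TO_OTHER_IP, NEW_TOOL):
        for level in ("medium", "high"):
            print(f"{level:6} {ev.program}: {should_notify(ev, RULES, level)}")
```

Running it shows the thread's cases side by side: the ping on a Private network is swallowed by the OS-created allow rule (drop the first rule from RULES and it notifies at High but not at Medium, because ping.exe lives under C:\Windows); the Firefox drop is silent because the allow rule matches; the svchost connection outside its allowed subnet notifies at High on every attempt.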
     
  16. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
Alexandru, the block rule has location = public NOT private and should not be involved - the rest via mail ...
     
  17. hjlbx

    hjlbx Guest

    Hello Alexandru, (SUGGESTION).

    In the course of testing various malicious files, I have come across more and more that surreptitiously deactivate Windows Firewall.

    The white X in the red button warning for Action Center is very easy to miss... and sometimes the malwares even disable the AC tray pop-up warning or Action\Security Center altogether.

    Not sure if this is within the realm of WFC's code (reg key monitoring), but any possibility that WFC can display a prominent "Windows Firewall has been disabled." pop-up warning if it is turned off?

    I use the term disabled in the warning language, as opposed to turned off... as whether the user or malware turn WFW off it is in a disabled state either way.

    In any case, just food for thought...

    Best Regards,

    HJLBX
     
    Last edited by a moderator: Apr 7, 2015
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
The revert mechanism to a specific profile after X minutes, available in the Profiles tab, gets activated if the profile is switched by the user from WFC. I could extend this behavior to all scenarios where Windows Firewall filtering level is turned off by an external application and also make sure that the Windows Firewall service is restarted if it was disabled. I will think about it. Anyway, to disable Windows Firewall, the malware needs administrative privileges. If the user gives these privileges, then the malware can do a lot of harm. The best protection is to pay attention to the programs that the user executes.
     
  19. hjlbx

    hjlbx Guest

    Yes, I am aware of those facts.

    Unfortunately, there are three problems that I see in malware testing:

    1. Usually UAC is disabled along with WFw; and
    2. Typically the user is signed-in with Administrative privileges*; and
    3. Even using UAC and paying really close attention, some malware disables Action\Security Center in such a way that it will continue to report WFw filtering is still active.

    * Although, I have seen malware disable UAC and WFw while using a limited Guest Account as well, but that is more sophisticated and rare.

    The malware writers are getting ever better at disabling Windows' built-in security measures and hiding it from the user.


    That WFw can be disabled remains its most serious flaw.

    Your propositions would mitigate this in the vast majority of typical cases.

    In any case, I appreciate you at least considering it.

    Best Regards,

    HJLBX
     
  20. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    How frequently would WFC be required to check if WF had been turned OFF?

    I ask because:
- if the time between checks is too great, for example 10 minutes, then malware would have a 'good' window of opportunity to accomplish its objectives.
    - if the time between checks is very small, for example 1 second, then 'thrashing' could occur, i.e. the malware turns WF OFF and begins its evil tasks, WFC turns WF back ON, the malware turns WF OFF and continues its evil tasks, WFC turns WF back ON, the malware turns WF OFF............, ad infinitum...............until the malware succeeds.

    In the latter case, WFC would need to recognize the 'thrashing' and pop up a big window to warn the user to disconnect from the internet immediately by physically pulling out the ethernet cable or turning the wireless router OFF. The user would still be left with a compromised PC needing to be cleaned because the malware might have the ability to resume once the internet connection was restored. If the user had software that allowed going back to a previous state in which the malware did not exist, then that would be the best solution, but that depends on how old that previous state is.
    J
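The polling trade-off and the thrash detection sketched in the post above (and the revert-when-disabled idea from the two posts before it), as an added Python model that is not WFC's code. The firewall state query and the enable call are injected stand-ins; on a real machine they would wrap whatever the platform offers (on Windows 7 that would be, for instance, the netsh advfirewall commands, assumed here, not taken from the thread). The clock is faked so the simulation runs offline, and the "malware" is a constructed loop that switches the firewall off again between polls.

```python
from __future__ import annotations

import time
from collections import deque
from typing import Callable


class FirewallWatchdog:
    """Re-enable the firewall when a poll finds it off, and escalate when
    that keeps happening inside a sliding time window ('thrashing').

    get_state() -> True if filtering is on; set_state(True) turns it on.
    Both are injected: in production they would wrap the real query and
    enable commands; here they are driven by a simulation.
    """

    def __init__(
        self,
        get_state: Callable[[], bool],
        set_state: Callable[[bool], None],
        window_s: float = 60.0,
        max_reenables: int = 3,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._get = get_state
        self._set = set_state
        self._window = window_s
        self._max = max_reenables
        self._clock = clock
        self._reenables: deque[float] = deque()   # timestamps of re-enables
        self.alarms: list[str] = []

    def check(self) -> str:
        """One poll. Returns 'ok', 'reenabled' or 'thrashing'."""
        now = self._clock()
        # Forget re-enables that fell out of the window.
        while self._reenables and now - self._reenables[0] > self._window:
            self._reenables.popleft()
        if self._get():
            return "ok"
        self._set(True)
        self._reenables.append(now)
        if len(self._reenables) >= self._max:
            self.alarms.append(
                f"firewall switched off {len(self._reenables)} times within "
                f"{self._window:.0f}s; something is fighting the watchdog"
            )
            return "thrashing"
        return "reenabled"


def simulate(ticks: int, interval_s: float, attacker: bool) -> list[str]:
    """Drive the watchdog with a fake clock. With attacker=True, a simulated
    malware switches the firewall off again between every two polls, so
    each poll interval is the attacker's window of unfiltered traffic."""
    state = {"on": True, "t": 0.0}
    wd = FirewallWatchdog(
        get_state=lambda: state["on"],
        set_state=lambda on: state.__setitem__("on", on),
        window_s=60.0,
        max_reenables=3,
        clock=lambda: state["t"],
    )
    results = []
    for _ in range(ticks):
        if attacker:
            state["on"] = False
        results.append(wd.check())
        state["t"] += interval_s
    return results


if __name__ == "__main__":
    print(simulate(5, 1.0, attacker=True))     # escalates on the third re-enable
    print(simulate(4, 600.0, attacker=True))   # never escalates: polls too sparse
    print(simulate(3, 1.0, attacker=False))
```

The second run is the point of the post: with a 10-minute poll, each re-enable has already aged out of the 60-second window by the next poll, so the watchdog keeps quietly re-enabling and never raises the alarm that should tell the user to pull the cable. Polling frequently enough that repeated switch-offs land in one window is what makes the pattern visible; the alarm text, not the re-enable, is the part the user needs.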
     
  21. Aleks111

    Aleks111 Registered Member

    Joined:
    Apr 13, 2015
    Posts:
    3
    Hello everybody.
I found this topic in Google and registered here just to let the developer of WFC know that the new notification system is absolute ~ Snipped as per TOS ~. No more, no less.
    Before the update I didn't have any problems. As an experienced user I set the notification level to high, because I want to know if any programs from the system directory try to connect, to allow or deny it. Some programs were blocked manually by me and everything worked fine but then I updated and then it started.... When some of the blocked programs from the system directory tried to connect to the internet I saw a popup notification every single time. One after another... popups... popups... popups... Because there are some programs that try to connect until they succeed, but I don't want them to do it. I thought well... I'll try to set the notification level to medium. And did it. Problem solved, but another appeared. Now when some programs from the system directory try to connect to the internet I just don't know about it. And every time when something is working wrong I start guessing, looking for different solutions and then... an insight... maybe the firewall is the problem? Look at it. Yes it is.
    Isn't it logical that if a user sets a blocking rule for some system programs he doesn't want to see a popup every time the program is blocked? On the other hand if some programs from the system directory (maybe new) don't have a rule yet, the firewall should request the user to create a new rule when these programs try to connect for the first time, but not just block them without any "noise".
    That's it. Sorry for any mistakes in my English.

    P.S. I read this post again and decided to clarify something because maybe it's not obvious. By blocking rule I meant not a "block all" rule, but an "allow only selected IPs" rule. In this case these popups blow the mind.
     
    Last edited by a moderator: Apr 13, 2015
  22. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Connecting to OneDrive worked until installing WFC4. Spent some time trying to find OneDrive executable when I should have been searching for SkyDrive.exe. Microsoft left the name of the executable the same. I added a new rule and now am connected.

    A couple questions:
    1. Why didn't I receive notification that OneDrive was trying to connect?
    2. Why doesn't WFC4 create a default rule for OneDrive (skydrive.exe)?

    I have all settings in WFC set to recommended.

    edit: Windows error reporting also would not connect. Again, no notification. I changed the notification level to high instead of recommended. There really needs to be default rules added if you are going to recommend medium notifications.

    The attached are the two rules that were blocking onedrive and error reporting.
     


    Last edited: Apr 15, 2015
  23. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
I'm also not sure about the altered notifications, and agree with aleks111 because I had a similar experience. I installed WFC on default settings... activated my licence and set notifications to medium, which I've always done in the past, and my Epson printer status monitor and updater wouldn't work, and no notification on medium (recommended), which is what I always used in the past. To be honest I don't always read the change logs and it took me nearly an hour to realise that I now needed notification settings on high to see the blocked Epson driver (C:\windows\system32\spool\drivers\w32x86\3\e_tarnh3e.exe), which is in system32. I don't think I like the idea that on "recommended settings" common programmes now don't show outbound notification.
     
  24. skull66

    skull66 Registered Member

    Joined:
    Apr 16, 2015
    Posts:
    3
I am running WFC in Medium Filtering and have a wireless HP printer (Photosmart 7510). I cannot get it to print no matter what I have tried; if I switch down to Low Filtering it can print no problem. Has anyone got a fix for this? If I wasn't already bald it would be driving me hairless!
     
  25. skull66

    skull66 Registered Member

    Joined:
    Apr 16, 2015
    Posts:
    3