Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    Windows Firewall can't be configured to skip the logging for those connections. It logs all or it logs nothing. The filters from Connections Log are just for viewing purposes in that window only. What is logged in Security log of the system is beyond configuration from WFC or Windows Firewall.
    No. To avoid switching the profiles by mistake, I didn't add this functionality. It can be done but I do not like it.
     
  2. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    To all,

    Where is the "New Rules Wizard"?
    I just updated from 4.4 to the latest.
    I cannot find the wizard in any menu.

    Has the feature been removed? I think that's crazy.
    I use it regularly. And it is very annoying to have to open up Windows Explorer, travel the path, filter for executables, and then whitelist them.
    It was much more convenient doing this through the WFC GUI...with the added benefit that it could dig through layers of subfolders with virtually no input on my part.

    Are there any plans to bring this feature back? If not, please let me know so I can look for an alternative solution. I know many others are not bothered by the loss of such a feature, but I used it regularly and can't stand the current method.
     
  3. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    283
  4. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Is it expected to have apps with outbound 'allow' rules to be blocked during system boot? There are often a few Svchost or System blocks, but sometimes other apps as well - updaters etc... If I clear the log once the boot is complete I usually don't have any unexpected blocks.

    What is the rationale for 'medium' notification level vs 'high' - assuming svchost & system have outbound allow rules there shouldn't be any blocks - correct? Or is it just because of what I mention above - blocks during boot?
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    New Rules Wizard was removed in version 4.7.0.0. As an alternative you can use My Computer to navigate to a specific folder and search for *.exe files. The result will show all executable files from all sub folders. By using the context menu and the Shell Integration from WFC you can do the same allow/block rules from Windows Explorer instead of New Rules Wizard. I never thought that New Rules Wizard is actually used. Currently, there is no plan to add it back because it wasn't an important feature that is used often.

    During the system boot there can be blocked connections if the network is not initialized yet. Windows Firewall logs packet drops in the Security event log. So, if a packet does not reach the destination, it is logged as a dropped packet. What we call a "blocked connection" in WFC is a "packet drop" in the Security log.
    1. Are these blocked connections inbound or outbound?
    2. Do you have allow rules that allow all connections for svchost.exe and System? Not a good idea.

    The difference between Medium and High notification level is the amount of notifications that are displayed to the user. As a user I don't care about svchost.exe and System which do a ton of connections (from my side, they can be all blocked) but I am interested to see if other programs are blocked. In this case I will use Medium notification level because I am not interested to see notifications for svchost.exe or System. I'm fine to have them all blocked.
     

    Last edited: Apr 25, 2016
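
The boot-time "packet drop" entries described in the post above can be read straight from the Security log. The following is an added example, not part of the thread and not WFC's own code: it assumes PowerShell 3.0 or later, an elevated prompt, and that the "Filtering Platform Packet Drop" audit subcategory is enabled so that event 5152 is written; the five-minute boot window is an arbitrary choice.

```powershell
# Added example: summarise Windows Filtering Platform packet drops since the last boot.
# Read-only. Run elevated; the Security log is not readable by standard users.
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$window = New-TimeSpan -Minutes 5      # assumption: "during boot" = first 5 minutes of uptime

# Event 5152 stores the direction as a message-table reference, not as text.
$directionMap = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5152                   # WFP blocked a packet
    StartTime = $boot
} -ErrorAction SilentlyContinue

$drops = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        DuringBoot  = ($e.TimeCreated - $boot) -le $window
        Direction   = $directionMap[$data['Direction']]
        Application = $data['Application']   # NT device path of the process image
        DestAddress = $data['DestAddress']
        DestPort    = $data['DestPort']
        Protocol    = $data['Protocol']      # IANA protocol number (6 = TCP, 17 = UDP)
    }
}

# Drops that only ever occur inside the boot window point at the
# "network not initialized yet" case; drops that continue afterwards
# mean a rule is missing or does not match.
$drops |
    Group-Object DuringBoot, Direction, Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```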
  6. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    1) outbound - I managed to delete all my inbound rules setting up WFC, but it seems I didn't need any of them anyway - no issues so far
    2) what is recommended? I've just been looking around and see mixed opinions. I have not set any restrictions for svchost.exe or System yet - in the past I've left it up to Emsisoft to do this :)
     
  7. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    62
    Location:
    Earth
    Thanks Broadway and Shamshi Adad for the tip. Didn't realize that I could do that :)
     
  8. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    You're quite welcome, Rafales. Isn't it always some little thing that brings a little smile?

    Peace. Alan
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    After updating to version 4.7.2.0 my anti-executable is alerting this command line:
    I think it's triggered by wfcs.exe due to this new feature right?
     
    Last edited: Apr 25, 2016
  10. SmoothFlyer

    SmoothFlyer Registered Member

    Joined:
    Apr 25, 2016
    Posts:
    2
    I've been using WFC for years with no problems and now this:

    I was on Version 4.7.0.0 I believe and noticed one of my other machines' WFC got an update notice and I updated to 4.7.2.0 with no problem.

    My workstation never received an update notice even though it has the same settings. I clicked "Check now if a new version is available" and it gave me:

    "Unable to connect to the update server. Make sure you have the required rule to allow connections for this program and a correct proxy configuration, if required.

    System.Net.WebException

    Unable to connect to the remote server
    An attempt was made to access a socket in a way forbidden by its access permissions [ip address here]"


    I changed the profile from Medium to Low and the update checker worked. I updated to 4.7.2.0 with no problem, then checked the updater again and it has the same problem.

    I checked the firewall rules and found only one specifying WFC and it was set to Allow. I checked all the Blocked rules and found none that seemed relevant to WFC.

    I deleted the rule specifying WFC with no effect. I can't think of anything I've done recently to the software to cause this.

    Just to be clear, with the profile set to Medium the update checker fails. With the profile set to Low the update checker works.

    System:
    Windows 7 Ultimate 64 bit

    I'll gladly relate further specifics if it is needed to troubleshoot this problem.

    Thanks guys,
     
  11. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Important Announcement

    Make sure the rule for WFC is changed,
    @alexandrud maybe this topic should be a sticky?
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    Yes. That command enables Windows Firewall if it is disabled and also forces it to refresh the firewall rules. You should add an exception in your anti-executable software to allow this one.
     
  13. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    675
    Location:
    Switzerland
    1) I like this new feature principally!

    2) And if the previous level was Low, it allows all outgoing traffic nevertheless per default (except user had created related outgoing block rules already EVEN RELATED TO THIS NEW DRIVE PROGRAMs (non-default of course) which are active)?

    3) And if the User has set the Filtering Level Low anyway? here has the new feature no effect, so it allows all outgoing traffic nevertheless per default (except user had created related outgoing block rules already EVEN RELATED TO THIS NEW DRIVE PROGRAMs (non-default of course) which are active)?

    4) So, based on 2) and 3) (IF I AM RIGHT): a better way could be to switch always to Filtering Level Medium - even from Filtering Level Low, not to the Previous (maybe with a little Notification Box "You have inserted a new removable drive. WFC has changed the Filtering Level for safety reasons to Medium!" or something like that).

    5) Is a removable drive (after disconnect) the next time "new" again? Or is it possible to make it known (trustable)?

    Thanks!

    Why? I meant only the difference from greyed out to normal text was not good. But to show the special groups is sensible IMHO. Why don't you just change the font color or the background?

    EDIT: Uhh, I forgot: THANK YOU for the new update!
     
    Last edited: Apr 26, 2016
  14. SmoothFlyer

    SmoothFlyer Registered Member

    Joined:
    Apr 25, 2016
    Posts:
    2
    Thanks for that, but the specified IP is the correct one, and it's the IP specified in the error message I get: 66.198.240.5:80

    Also, I deleted the rule for WFC - Windows Firewall Control Updater, same behavior.

    OK, as I was typing this I realized that WFC rule probably needs to be there, so I restored the default WFC recommended rules and VOILA!

    IT WORKS!

    Thanks for the help!
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    If the previous profile was Low Filtering maybe the user had a reason to have it enabled instead of Medium Filtering. As a result, if the previous profile was Low Filtering WFC will revert to Low Filtering. If it was Medium Filtering, WFC will revert to this profile. If the user uses Low Filtering profile he assumes that any program without a block rule can connect anytime to the Internet.

    Each connection of a drive is detected as a new connection. WFC does not keep a list of connected drives (trusted). A USB drive can become infected in the meantime so having a removable drive as "trusted" is not a good idea, especially if you use it a lot on other machines too.
     
  16. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    675
    Location:
    Switzerland
    Thanks for the detailed explanation! And yes, a trusted drive which is used on untrusted devices would be really dangerous!

    Okay, all right then, cool new feature!
     
  17. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    To all,

    When I install the latest version and enable "Secure Rules" (and reboot)...my internet & network places don't work anymore.

    In Windows 8.1 Pro, I go to "Advanced Sharing Settings" in Control Panel, and it shows that "Turn OFF Network Discovery" & "Turn OFF File & Folder Sharing" have been checked. When I try to switch them to the respective "ON" settings, it just automatically reverts to "OFF".

    Am I doing something wrong? Or is this some sort of bug?

    Note: This is installation on "fresh" OS that only has drivers installed. So I don't think program conflict is issue.
     
  18. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    Maybe in the future, could there be "Allow/Block" context menu item for folders?
    For example: User could right click folder, choose "Allow/Block", and all exe's in folder/subfolders would be sent to WFC for processing.

    In my situation, Windows search is slow because I have "File names AND contents" enabled. This is good for my research work because I constantly search documents. But it makes tasks like gathering all exe's from folder slow, because it also includes files that have text containing letters "exe".
     
  19. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    675
    Location:
    Switzerland
    Have you created the necessary Authorized Groups in the Security Tab?
     
  20. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    675
    Location:
    Switzerland
    Not possible. Windows Firewall cannot handle wildcards. And a conversion from WFC to Windows Firewall was discussed a long time ago with the result: it will not be implemented.
     
  21. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    No. I saw a similar warning when I enabled the feature...but I have no idea what that means.

    I liked the idea of the "Secure Rules" feature.
    But I don't know what must be done to make it function properly.

    In the end, I want Windows system things to function properly...but software should not be able to sneak in Firewall rules without notification.
     
  22. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    675
    Location:
    Switzerland
    See the Security tab/page of WFC. If you ACTIVATE the Secure Rules (this has nothing to do with "sneak-in" because YOU made this decision), all Rules without a defined Authorized Group become deactivated or deleted (depending on your choice).

    This means: if you have the following ...

    Rule 1 with group name "Test A".
    Rule 2 with group name "Test B".
    Rule 3 with group name "Test B".

    And Authorized Groups = "Test B", your Rule no 1 becomes deactivated or deleted.

    So, if YOU activate this non default WFC option, you have to deal with it.

    The sense behind this Secure Rules function is to disable the ability of other programs to add Windows Firewall rules. Secure Rules should work now with most/all? such programs (don't know the last stand about this exactly).
     
    Last edited: Apr 30, 2016
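
A read-only dry run of the behaviour described in the post above, showing which existing rules would fall outside a set of authorized groups before Secure Rules is switched on. This is an added example, not part of the thread and not WFC's own code: it uses the `Get-NetFirewallRule` cmdlet (Windows 8 / Server 2012 and later), the authorized list is a constructed value taken from the post's example, and matching on the rule's displayed group name is an assumption about how WFC compares groups.

```powershell
# Added example: list firewall rules whose group is not in an authorized list.
# Read-only; nothing is disabled or deleted.
$authorizedGroups = @('Test B')        # constructed value from the example in the post

# Reads the local persistent store (the cmdlet's default policy store).
$rules = Get-NetFirewallRule

$report = foreach ($r in $rules) {
    # Built-in rules keep a resource reference in Group and the readable name in
    # DisplayGroup; user-created rules usually have the same text in both.
    # Assumption: the readable name is what the authorized list is compared against.
    $group = if ($r.DisplayGroup) { $r.DisplayGroup }
             elseif ($r.Group)    { $r.Group }
             else                 { '' }

    [pscustomobject]@{
        DisplayName = $r.DisplayName
        Group       = if ($group) { $group } else { '(no group)' }
        Direction   = $r.Direction
        Action      = $r.Action
        Enabled     = $r.Enabled
        Authorized  = $authorizedGroups -contains $group
    }
}

# Per-group summary: how many rules each group holds and how many are enabled.
$report |
    Group-Object Group |
    Select-Object Name,
        @{ n = 'Rules';      e = { $_.Count } },
        @{ n = 'Enabled';    e = { @($_.Group | Where-Object { $_.Enabled -eq 'True' }).Count } },
        @{ n = 'Authorized'; e = { $_.Group[0].Authorized } } |
    Sort-Object Authorized, Name |
    Format-Table -AutoSize

# The enabled rules that are outside the authorized groups, i.e. the ones whose
# loss would be noticed (network discovery, file sharing, core networking, ...).
$report |
    Where-Object { -not $_.Authorized -and $_.Enabled -eq 'True' } |
    Sort-Object Group, DisplayName |
    Format-Table Group, DisplayName, Direction, Action -AutoSize
```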
  23. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    a few more questions... mostly on topic :)

    1) when a 'non-windows' executable is blocked outbound - then in the WFC log it is followed by several attempts by wfc.exe on port 80. What is wfc.exe up to - does it need a generic outbound rule on port 80? I just have the default rule for the update check.

    2) I have the default Windows Firewall rules for 'core networking' and 'network discovery' inbound & outbound, but a few of the rules don't seem to be working - for example - there is a default outbound 'System' rule on port 137, but it was still being blocked so in WFC I made a new identical rule (just in a different group) and it works fine... anyone have any ideas why this would be?

    3) @alexandrud if I'm understanding your advice on setting rules (i've read posts back a few months) - it's to use generic rules for apps and lock down Windows with port/address/service restrictions. The generic rules are obviously easy enough, but how are rules for Windows most efficiently created with WFC - for example 'Low' level notification can't be used, and options like 'LocalSubnet' don't seem to be in the remote address list when customizing a rule during a block notification. So far I've been using a combination of the WFC notifications and referring back to the rules in my Online Armor firewall. Does MS have a reference you use listing executables with ports/address/service used? Also, is this advice based on blocking malware or blocking privacy leaks to MS.

    4) Online Armor only has 1 entry option for ports - I'm assuming this is equivalent in Windows Firewall to the 'remote port' for outbound rules and the 'local port' for inbound rules.
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    1. When the notifications are enabled, WFC checks if a program that was blocked is digitally signed. It is not wfc.exe itself that wants to connect to the Internet but some parts of the .NET code that is used for this purpose. The source of the connection appears to be wfc.exe but it isn't directly.

    2. Check the location of these rules and the actual location that is seen by Windows Firewall. If these default rules are set for Private location and you are in Public location, then this might be the reason.

    3. For Windows rules take the existing default rules and keep enabled only the ones that you actually need. For example, do you need the rules from the group "Remote Assistance"? If not, disable them or even remove them if you want a rule set without many unused rules. Easier to follow and to manage. "LocalSubnet" is a keyword which can be set manually in the notification dialog. The advice is for blocking malware and for privacy purposes regarding the encrypted data sent to Microsoft servers. Nobody knows actually what info is collected and how it is used because it is encrypted.

    4. Probably, it makes sense to define local ports for inbound rules and remote ports for outbound rules.
     
  25. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Great - thanks for the reply
    1) so a generic outbound rule for WFC on port 80 is needed then - maybe could be default?
    2) nope - same rule - i'll keep scratching my head...
    3) ok - this is essentially what i've done - i've just made some of the default rules less restrictive. there's a ton of outbound blocks & I'm assuming some of these might be needed - I guess the best thing is to shut down the services i don't need and see what outbound blocks are left.
     