Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Here

     
  2. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    To imuade
    Let's wait for explanations from alexandrud.
     
  3. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    OK :)

    So, just to complete my overview, when I set rules No. 1 and 2 I kept "all programs and services" under Services --> settings

    Like that svchost can connect only to ports 53 (UDP) and 80, 443 (TCP) unless it's running the wuauserv service (and in this case it gets full outbound connectivity)
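The three rules described in this post, expressed with the built-in NetSecurity cmdlets so the service binding can be inspected. This is an added example, not code from the thread or from WFC; it assumes an elevated PowerShell, an outbound-blocking profile, and that the rule names below are unused.

```powershell
# Added example: the svchost.exe rule set described in the post above.
# Assumes elevated PowerShell and a profile that blocks outbound by default.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# Rule 1: any service hosted by svchost.exe may reach DNS (UDP 53).
New-NetFirewallRule -DisplayName 'svchost - DNS out' -Direction Outbound `
    -Action Allow -Program $svchost -Protocol UDP -RemotePort 53 -Profile Any

# Rule 2: any service hosted by svchost.exe may reach HTTP/HTTPS (TCP 80, 443).
New-NetFirewallRule -DisplayName 'svchost - HTTP(S) out' -Direction Outbound `
    -Action Allow -Program $svchost -Protocol TCP -RemotePort 80,443 -Profile Any

# Rule 3: only while svchost.exe hosts wuauserv (Windows Update) is any remote
# port allowed; the -Service parameter is what binds the rule to that service.
New-NetFirewallRule -DisplayName 'svchost - wuauserv any out' -Direction Outbound `
    -Action Allow -Program $svchost -Service wuauserv -Profile Any

# Verify: show the service binding and port filter of each rule just created.
Get-NetFirewallRule -DisplayName 'svchost - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Service = ($_ | Get-NetFirewallServiceFilter).Service   # 'Any' or 'wuauserv'
        Proto   = $port.Protocol
        Port    = ($port.RemotePort -join ',')
    }
} | Format-Table -AutoSize
```

The verification table shows rules 1 and 2 with Service 'Any' and rule 3 with Service 'wuauserv' and Port 'Any', which is the distinction the post draws.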

     
  4. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Maybe @guest can shed some light :)
     
  5. guest

    guest Guest

    I don't use the 3rd one, and WU works fine.
     
  6. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Sir, the point is this:

    What one must arrive to understand is that the Microsoft Windows 10 service-hardening rules govern the Microsoft Windows Defender Firewall for both Outbound and Inbound connections regardless of any firewall rules that may exist. Microsoft owns Ring 0 of the firewall. Ring 0 is governed by the service-hardening rules. Any firewall rule created or modified by the end user service client that violates the "service-hardening rules" will be warned with a firewall alert message within the firewall rule. Heed that warning, unless one knows exactly and precisely what they are doing.

    As an example: Allowing svchost.exe Full Unrestricted Outbound. That rule violates the Microsoft Windows 10 service-hardening rules. Now of course the rule is going to work, however, because of the service-hardening rule violation the security of the Microsoft Windows 10 Operating "Service" (System) has now been configured to a possible security breach state. Any source from within calling svchost.exe for outbound access exists unrestricted access Out. That's BAD. [please read the entire sentence in #1 of quote]


    The default setting for the Microsoft Windows Defender Firewall Control Panel is to ALLOW ALL OUTBOUND and BLOCK ALL INBOUND.
    The default setting for the Microsoft Windows Defender Firewall Rule Base exists NO OUTBOUND BLOCK RULES.
    The default setting for the Microsoft Windows Defender Firewall Rule Base exists a select list of Microsoft Predefined Rules that are set to ALLOW OUTBOUND.
    [for the above three, please read the last sentence in #2 of quote]

    Now did you notice, that when you set the Windows Defender Firewall to allow all outbound, and you create an outbound allow rule, the created outbound allow rule does not show in the Windows Defender Firewall Monitoring Tab. Why? Because the firewall is allowing all outbound and Ring 0 is going to ignore that rule, and will continue to ignore that rule unless the firewall is set to block all outbound, or the rule itself is set to block if the firewall is set to allow all outbound.

    Now did you notice, that when you set the Windows Defender Firewall to allow all outbound, all of the Microsoft predefined outbound allow rules show in the Windows Defender Firewall Monitoring Tab. Why? Because Ring 0 is monitoring those Microsoft predefined rules, and will continue monitoring those Microsoft predefined rules regardless if the firewall is set to allow all outbound or block all outbound, or the rule itself is set to allow or block. The same also applies to the Microsoft predefined inbound rules.

    Now, among all of those Microsoft predefined outbound and inbound rules, each and every one of those Microsoft predefined outbound and inbound rules can be programmed by the end user service client to become "orphaned" by enabling or disabling the respective security settings within the Windows Settings and/or by disabling the respective service that is bound to the rule located in the Microsoft Management Console and/or Group Policy Editor and/or by removing the application package that is bound to the rule by utilizing PowerShell commands (get-appxpackage | remove-appxpackage) and/or by modifying a registry key/s and/or by clicking on 'disable rule'. Thus resulting in that the Microsoft predefined outbound and inbound rule/s are now "orphaned" and will be ignored by Ring 0 and the service-hardening rules because the source for the predefined rule is no longer available.

    With that, why do that? It defeats the purpose of built-in security!


    So, what is left to allow or block when the Microsoft Windows Defender Firewall Control Panel is set to allow all outbound and block all inbound?.....The answer is NOTHING.

    We are not going to block CCleaner, we are not going to block Windows Updates, we are not going to block Browsers, we are not going to block.....etc.


    Listen, the Microsoft developers, especially the top level developers that control groups of developers, are not your every day ordinary people. These people are highly intelligent and skilled developers. I express to you now.....use the Default Settings in the Microsoft Windows Defender Firewall, and study Post #3611.

    Please continue using the Binisoft Windows Firewall Control, it is a great front end for the Microsoft Windows Defender Firewall and the logging is superb.


    EDIT: clarity/simplicity



    -HKEY1952
     
    Last edited: Nov 14, 2017
  7. guest

    guest Guest

    No way for me to let Windows Firewall on "Allow All Outbound" if I don't use a 3rd party firewall or something blocking maliciously created rules...
     
  8. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    So, the rules I set should be fine, since they ALLOW OUTBOUND to TCP 80 and 443 for ANY Application or ANY Service that calls svchost.exe.
    Plus, when svchost.exe is bound to wuauserv service, then ANY OUTBOUND to ANY port (thus including TCP 80 and 443) is allowed.

    I noticed that you get the same warning about svchost.exe on Windows 7 too, so I don't think it's related to Windows 10
     
  9. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Thanks guest, I'll try that too and check if WU is working :thumb:
     
  10. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    [1] Norton SafeConnect Policy number 3 (199.85.126.30/199.85.127.30)
    [2] Firewall Router
    [3] Windows Defender Firewall set at Default settings
    [4] Windows Defender Virus and Threat Protection set at Default settings
    [5] Binisoft Windows Firewall Control set at Low Filtering

    What maliciously created rules?
    Oh! you must be referring to the locally created rule by the end user for svchost.exe that allows all outbound without any service or application package being bound to the rule that violates the Windows 10 service-hardening rules!

    The end user is the only security threat to security breaches in Windows 10.


    -HKEY1952
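The kind of rule this post singles out (svchost.exe, or any program, allowed to any remote port with no service binding) can be enumerated rather than hunted for by hand. This is an added example, not from the thread or from WFC; it is read-only and assumes only the built-in NetSecurity module.

```powershell
# Added example: list enabled outbound Allow rules that grant svchost.exe,
# or any program at all, access to any remote port without a service binding.
# Such rules are what the posts above describe; the output is a review list,
# not something to delete blindly (predefined Microsoft rules may appear).
function Get-BroadOutboundAllowRule {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $svc  = $_ | Get-NetFirewallServiceFilter
            $port = $_ | Get-NetFirewallPortFilter
            $isSvchost = $app.Program -match '\\svchost\.exe$'
            # 'Any' is what the filters report when nothing is specified.
            if (($isSvchost -or $app.Program -eq 'Any') -and
                $svc.Service -eq 'Any' -and $port.RemotePort -eq 'Any') {
                [pscustomobject]@{
                    Name    = $_.DisplayName
                    Group   = $_.DisplayGroup
                    Profile = $_.Profile
                    Program = $app.Program
                    Service = $svc.Service
                }
            }
        }
}

Get-BroadOutboundAllowRule | Sort-Object Program | Format-Table -AutoSize
```

Three filter queries per rule make this slow on a large rule base; run it once and keep the output as a baseline to diff against later.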
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I think you mean Norton ConnectSafe. ;)
     
  12. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    I did.....Thanks Krusty

    -HKEY1952
     
  13. guest

    guest Guest

    No, I meant a malware (say keylogger) undetected by Windows Defender (or whatever AV) creating outbound rules to connect to the attacker machine. I saw it plenty of times.
    It is why at Emsisoft we created a Windows Firewall Fortification module on our software, to prevent those attempts.
     
  14. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    We are both off topic now, so if the moderators will allow.

    Microsoft Windows Defender Virus and Threat Protection can detect SOME software keyloggers, but not all software keyloggers.

    Microsoft Windows Defender Virus and Threat Protection can not detect HARDWARE keyloggers.

    The likelihood of a hardware keylogger getting installed on a home user's device without the user's consent is well below nil.

    The likelihood of a software keylogger getting installed on a home user's device without the user's consent is next to nil.

    [1] Secure the DNS [posts #3628 & #3627] This is the most important first layer of defense. (please follow the link and read)
    [2] User Account Control set at Default settings
    [3] Automatic Windows Update and Security Enabled
    [4] Use Binisoft Windows Firewall Control's superb Logging to lookup programs using network connections and instantly Block or create an outbound/inbound Block rule.

    Aside from keyloggers
    [5] Today 11/14/2017 Microsoft Automatic Updates updated the Microsoft Windows Malicious Software Removal Tool and Windows Defender Antivirus to detect and remove the Ransom:Win32/WannaCrypt (WannaCry).
    https://www.microsoft.com/en-us/wds...edia-description?Name=Ransom:Win32/WannaCrypt

    Besides automatically running monthly through Automatic Windows Updates, one can run the malicious software removal tool any ole time their little ole hearts desire by navigating to:
    C:\Windows\System32\MRT.exe


    Can not believe the marketing BS thrown at consumers for monetary gain.

    All third party security vendors try to portray Microsoft as completely incompetent in regards to security.

    Get real people, with the advent of Windows 10 third party security software is now on the threshold of next to nil.



    -HKEY1952
     
    Last edited: Nov 14, 2017
  15. guest

    guest Guest

    First I wonder why you get so aggressive, did I touch a nerve?

    Yes sure... tell that to the people who were infected by banking trojans and other ransomware like WannaCry, you will find plenty asking for help to remove them...
    Sure, they shouldn't download or click on unknown executables or files, but will you blame them for their ignorance?

    MS let obsolete features like SMBv1 active until millions got infected, they let PowerShell installed on Home versions (when no one uses it except ITs or Sysadmins) which is the n°1 interpreter used for exploits, they let people use an Admin account as default account? Come on... That is the real BS, not security vendors that deploy counter-measures that try to prevent those security holes from being exploited.
    Luckily now, MS understood that they need to build stronger security mechanisms in their latest OS, I approve of them since they started in Win8, but a bit late isn't it...?

    People in forums believe that all users have their knowledge and have safe habits... This isn't true.
    You gave some advice (DNS, etc...), most average Joes won't even understand what you are saying, only those with some decent computing knowledge will...
    I was a repair guy a long time ago, and I can tell you most of my ex-customers didn't know more than just pushing the power button and clicking on their software's icon to launch it...
    People in computing/security forums live in another world.

    Anyway I gave my opinion, you are free to disagree, I won't go further.
     
    Last edited by a moderator: Nov 14, 2017
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I confirm this and agree with @alexandrud 100%. It works exactly as I would expect it to in Win 7 but it definitely does not work on Win 10 (I can't confirm Win 8 but I expect the same issue as well).

    In fact there was one svchost with PID 3180 where the Event Viewer Security logs reported it blocked to remote MS IP address, port 443, and even after I allowed the service under it to any remote address and remote port it was still showing blocked, and of course the update check still failed. In spite of some very long posts extolling the virtues of Microsoft's technical brilliance, they have, imho, failed miserably on the firewall w/advanced security since Win 7.
     
    Last edited: Nov 14, 2017
  17. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    What is beyond my understanding is why different people with the same OS have different answers for the same question... maybe there's a difference among Windows 10 versions? I'm using the Home edition

     
  18. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Firewall in all editions of Windows 10 is the same. To get updates for Windows only rule #2 is enough, it works for me. But I still install updates only offline, having previously studied what good or what portion of telemetry they will add to my system.
     
  19. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    OK, thanks :)
     
  20. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    My questions on this screenshot
    Please help me, how do I have a screenshot in my message, and not a link to it?
     
    Last edited: Nov 15, 2017
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    The first group name is empty. It means it will clear the group name and set it to None. I will add a tooltip for that empty entry.
     
  22. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
    aldist, if you are talking about attaching an image to a post, see Basic Image Attachment Uploading (on XenForo), and then use the Test Forum to test attach images.

    Keep in mind that as Policy, you need to own your image, not use third party images which may run afoul of copyright laws. Enjoy testing!
     
  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
    aldist, you're welcome! Take care.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Totally forgot to ask this question, and I'm still using an older version of WFC, but is it possible to assign names to an app in the connections log? For example, with SpeedFan you don't get to see anything in the name column.

    http://www.almico.com/sfscreenshots.php
     