Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I am exploring this possibility. While playing with this, I managed to lock myself out of accessing that registry key (from regedit.exe); I even made WFC unable to start again. Replacing the owner is not a good idea from my point of view. Indeed, by updating the permissions, WFC could entirely disable access for other programs to add firewall rules (WF.msc, netsh, WF API) right from the start. Then the current implementation of Secure Rules could be simplified a lot.

    The new Secure Rules will be just a check box that will change the permissions so that no application other than the WFC service will be able to change the permissions back.

    With the same approach, I could add a Secure Profile check box which, with the same mechanism, will prevent other applications (netsh, WF API) from modifying the filtering mode of Windows Firewall, so that the profile can't be changed externally.

    With this solution, WFC will be the only application allowed to add new rules or change the profile if these check boxes are checked.
     
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    If I understand everything correctly, either of the ways will do, as long as the rights are restored when WFC is uninstalled.
    But the first way seems more correct to me; the GUI would not even have to be changed.
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    The uninstallation will revert the permissions to their default values.
    The GUI will change a little bit since the concepts of Authorized Groups and Unauthorized Rules will become obsolete. Secure Rules will be just a check box. If checked, only WFC will have the permissions to add/modify/delete rules. If unchecked, any program that has administrative privileges will be able to add new rules.
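    An added check (example code of my own, not WFC's) to see which principals can currently add or change rules before such a permissions-based Secure Rules mode is turned on, and to list each profile's filtering state, which is what the proposed Secure Profile would protect. It assumes the key discussed above is the FirewallRules key under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy, where Windows Firewall persists its rules.

```powershell
# Added example, not WFC's own code. Assumption: the "registry key" discussed above is
# the FirewallRules key, where Windows Firewall persists its rules.
$rulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Rights that let a principal add, change or delete rules, or re-grant those rights.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

$acl = Get-Acl -Path $rulesKey
"Owner of FirewallRules key: $($acl.Owner)"

# Every Allow ACE on the key, flagged when it carries any of the write rights above.
# With Secure Rules as described, only the WFC service account should be flagged.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, IsInherited,
        @{ Name = 'CanModifyRules'; Expression = { [bool]($_.RegistryRights -band $writeRights) } },
        RegistryRights |
    Format-Table -AutoSize

# Filtering state per profile: the settings a Secure Profile would have to keep others from changing.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell before and after enabling the option to confirm that only the intended service identity keeps write rights.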
     
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    alexandrud
    OK, very well! We are waiting :thumb:
     
  6. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    26
    Location:
    Greece
    It seems that a Windows Reboot fixed the (real) problem.
     
  7. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    That can happen and has nothing to do with WFC (it seems a Windows "thing"). I had this too and the developer knows it. It CAN help to de- and reinstall WFC. Also a possible workaround can be (sometimes): if you have a partition backup, restore to a state before the latest Win Update and install the Win Update again.

    EDIT: OR - as you said - a reboot is even sometimes enough, yes!
     
    Last edited: Feb 16, 2018
  8. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    I use WFC with secure rules on and notifications disabled. The problem with this is all the programs that install under a directory with a version number. They appear to update at random and then stop working. I need notifications off as I share the computer and other users would not know what to allow. The most worrying thing is that Windows Defender now installs under a version number directory and it could update and stop working properly at any time. Microsoft have really messed up here.

    Would it be possible for WFC to have a list of programs with wildcards for a single directory name, for which it automatically creates a new rule when just the version number changes? Could this use the notification mechanism but without a notification? There are not many programs like this that I use, but it is annoying to have to add new rules all the time for something that is already installed.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    When a new version of a Windows Store application that you have installed is receiving an update, the path of the executable file changes. Because Windows Firewall rules are applied on a per-path basis, after such an update a new rule is required. This can become very annoying, especially if an application is updated very often. This is how Windows Firewall works and this is not something that Windows Firewall Control can change.

    As a workaround, instead of creating a firewall rule for a specific executable file:
    • Create a rule that applies to all programs and set an empty group name for this rule. Setting an empty group name is important for the next step.
    • Launch Windows Firewall with Advanced Security (wf.msc) and edit your newly created rule.
    • In the Programs and Services tab, press the Settings button under the Application Packages group box, select your specific application package and save the rule. Now you will have a working firewall rule, even if the program gets updated and the path changes. Now, you can add this firewall rule to any Group you want.
    Note: The rules with a group name set can't be modified from Windows Firewall with Advanced Security. Also, the application package can't be set from Windows Firewall Control, yet. I am still working on this.
     
  10. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    Thanks. This does work for application packages. I don't think it will work for Windows Defender which is the most important one for me. When it first changed to be in a numbered directory under ProgramData I think I had to add my own firewall rule.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    On my Windows 10 machine, Windows Defender stays in C:\Program Files\Windows Defender only. In C:\ProgramData\Microsoft\Windows Defender it keeps the definition files and the quarantined items. I never saw any notification for Windows Defender from ProgramData folder.
     
  12. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    New monthly updates now go to a directory like C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18011-0. The newer programs for Windows Defender run from ProgramData and older ones from C:\Program Files\Windows Defender.

    See:

    https://support.microsoft.com/en-gb/help/4052623/update-for-windows-defender-antimalware-platform

    I don't know which programs require network access for the protection to work but I have firewall rules for both the old and new locations.
     
  13. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    I just tried deleting all the firewall rules for Windows Defender and it still can access the internet. It looks like it is not a problem.
     
  14. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    It is a problem. My attempt at a rule for an application package had let all programs out. No wonder it worked. I need a rule for C:\programdata\microsoft\windows defender\platform\4.12.17007.18011-0\msmpeng.exe for Windows Defender to work and possibly other rules as well.
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I am using the latest version of Windows 10 (official MSDN ISO from December 2017), I have the latest updates, and that folder is empty on my computer. I will keep an eye on this.

    [attached screenshot: upload_2018-2-18_0-44-46.png]
     
  16. guest

    guest Guest

    It is empty because you have the "old" client version (4.12.16299.15) which is still installed into C:\Program Files\...
    This has been changed with newer versions.
    Old location: %ProgramFiles%\Windows Defender
    New location: %ProgramData%\Microsoft\Windows Defender\Platform\<Version>
     
  17. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    What tcarrbrion says is correct, the new location is in the ProgramData folder for whatever reason; you can open Task Manager > Open file location to see where the process that runs resides.
     
  18. nin7qpzm6

    nin7qpzm6 Registered Member

    Joined:
    Aug 21, 2016
    Posts:
    2
    Location:
    Earth, somewhere
    Indeed. OS version 1607. MsMpEng.exe new path.

    [attached screenshot: MsMpEng.exe new path.png]
     
  19. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    I have notifications set for 1 second to combat this problem.
     
  20. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Or set a password and lock WFC?
     
    Last edited: Feb 20, 2018
  21. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    205
    Rules Panel suggestion: in the context-menu, above or below the "Add to group >" entry, add a direct "Add to WFC group" entry. It is commonly used (I assume) and sometimes having to scroll down and find the WFC group through the many available default groups can be cumbersome.
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Not very commonly used since rules created through WFC are already in the group named "Windows Firewall Control". Anyway, you can select multiple rules at once and add them all together to the same group, so there is no need to do this multiple times for each rule separately.
     
  23. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    "When you use Medium Filtering profile, you already have enabled inbound filtering protection and outbound filtering protection. This means only the programs that have an allow rule will be able to connect to the Internet. I don't see the point here for a new profile that will do the same thing as Medium Filtering. What else should happen when this "sleep mode" gets enabled ?"

    Multiple customizable profiles is a great idea. A simple switch to a profile that only allows one program (or two or whatever). Because now, if I only wish to allow one or two programs (this means only one or two possible security holes) for the night or for vacation or something else, I have two options: 1. Don't change anything, or 2. Selectively disable every single firewall rule except for "only this program." Then I must do this each time, and undo each one each time when I wish to switch back.

    "The first option is not very nice because WFC might disable several network cards and they also must be re enabled automatically when the user uses again the computer (mouse movement, keys pressed on the keyboard, etc)."

    That's great, disabling all adapters sounds great. Best would be an option to disable selectively. Hardware-level exploitation may bypass Windows' high filters; disabling the network card could prevent this and save electricity. I think both options would be great, then the user has the choice to do whatever they want.

    "The second approach would be easier to handle. Anyway, until I will think about this, you could use Task Scheduler to create a task that would disable your network cards when the computer is idle for a configurable amount of time."

    "Regarding the MAC address, I can change it from code, but I don't see where to put this kind of action in the user interface. Changing the MAC address is not something that you do very often. Actually, I never changed the MAC address of any of my devices because I had no reason to do it. If you change your MAC address often, you could create a batch file that can be used for this purpose. I really don't see where this feature would fit in WFC."

    Under "security" would be a great place. Spoofing MAC addresses upon every new connection mitigates against a variety of local network level & VPN exploits; exploits and hackers often use the MAC address to identify a given target, AND to identify exploitable firmware / hardware routers and network cards like the one I just posted on over here. Randomizing the MAC makes the job of identifying the victim much more difficult; attackers will always attempt to initiate an exploit that is designed for the specific hardware; if this is spoofed, the exploit will fail. Here is an example of how they do it. https://www.youtube.com/watch?v=IxgLVk4ozs4 They (NSA and other nasty groups) use this same technique and have a database of every single vulnerability ever made public (or not made public) for every Windows OS, Linux OS, Android, Mac, iPhone, router, hardware, browser, everything. MAC randomization is one of the best defenses!

    A similar example of this: spoofing the User-Agent in a web browser mitigates against nearly every kind of exploit that exists for web browsers, done by automated botnets, hackers, and exploits on the web! Especially in the Akamai cloud, they ALWAYS try to target known exploits for the browser & operating system you SEEM to be using. If you are on Windows using Firefox, but all the internet sees is "Debian Chrome", the hackers will always try to use known exploits for Chrome/Debian. So you are amazingly protected. Make sense?
     
    Last edited by a moderator: Feb 26, 2018
  24. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    I confirm my network card, which has an exploitable Intel Management chip enabled, is disabled when the adapter is shut off; the light on my switch goes off and it appears I am safe from hardware-level exploitation. Though Intel ME is said to be accessible even while the computer is turned off completely. This may vary from version to version. On my machine (Intel Management 5.0) Intel ME will allow my NIC to remain enabled even during reboot / POST in certain circumstances, including BSOD (probably to enable remote assistance for repairs), after disabling my network card in the BIOS, and after running certain Linux distributions; the quickest way to disable this is to unplug the computer and remove the CMOS battery; no longer does the NIC boot at POST via Minix, the Linux distro inside ME mounting on-board LAN out of band. At any time during its running operation, Intel Management is vulnerable to simple Metasploit attacks leveraged against the LAN card; certain exploit databases will certainly flag the MAC address as vulnerable. Randomize the MAC and the attack surface is greatly diminished. Here is the list of exploits on Metasploit's homepage. https://rapid7.com/db/search?utf8=✓&q=amt&t=a
     
    Last edited: Feb 26, 2018
  25. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    It has just updated and I now need a rule for C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18022-0\msmpeng.exe.
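    An added example (my own code, not WFC's or Microsoft's) of the per-version rule refresh tcarrbrion asks for in posts 8, 12, 14 and 25: it finds the newest Windows Defender platform folder, checks whether any rule already points at its MsMpEng.exe, and if not replaces the previous rule of the same name with one for the current path. The display name, the use of WFC's "Windows Firewall Control" group, and running it as a scheduled task are my assumptions.

```powershell
# Added example, not WFC's own code. Keeps an outbound allow rule pointed at the current
# Windows Defender platform build, whose folder name changes with each monthly platform
# update (e.g. 4.12.17007.18011-0 -> 4.12.17007.18022-0). Run from an elevated PowerShell.
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
$displayName  = 'Windows Defender (MsMpEng, current platform)'   # assumed name
$group        = 'Windows Firewall Control'                        # WFC's own rule group

# Folder names are <version>-<n>; strip the suffix and sort as [version], not as text,
# so 4.12.17007.18022-0 correctly sorts above 4.12.17007.18011-0 and 4.12.9999.1-0.
$latest = Get-ChildItem -Path $platformRoot -Directory |
    Sort-Object -Property { [version]($_.Name -replace '-\d+$', '') } -Descending |
    Select-Object -First 1
if (-not $latest) { throw "No platform folders found under $platformRoot" }
$exe = Join-Path $latest.FullName 'MsMpEng.exe'

# Rules are matched per path, so a rule for an older platform folder does not cover the new one.
$existing = Get-NetFirewallApplicationFilter -Program $exe -ErrorAction SilentlyContinue |
    Get-NetFirewallRule
if ($existing) {
    "Rule(s) already cover ${exe}: $($existing.DisplayName -join ', ')"
} else {
    # Retire the previous rule of the same name so stale versioned paths do not pile up.
    Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $displayName -Group $group -Direction Outbound `
        -Action Allow -Program $exe -Profile Any | Out-Null
    "Created outbound allow rule for $exe"
}
```

Scheduling this to run shortly after Windows Update completes keeps Defender's rule current without re-enabling notifications; the same pattern works for any other program that installs under a versioned directory.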
     