Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    I don't expect an official answer at all. I'm simply wondering how you formed your opinion as you seem pretty adamant that "you cannot block windows telemetry using a windows firewall". I've not seen a single post or article on the internet from someone who has actually tested and found Microsoft executables bypass windows firewall. I'm happy to be corrected if evidence exists.

    If windows processes don't bypass the firewall then I wonder (thinking logically):
    If someone uses the Microsoft update catalog server to download and install updates offline, and blocks all Microsoft executables from accessing the internet via windows firewall, how does Microsoft send telemetry to its servers?

    Thinking logically, maybe you can block windows telemetry using windows firewall?
     
  2. rolws

    rolws Registered Member

    Joined:
    Jan 12, 2020
    Posts:
    1
    Location:
    France
    Hello,

    Let's assume the following WFC settings:
    • Medium Filtering is On
    • Log Connections is On
    • Display Notifications is On
    • Secure Rules is On
    • Secure Profile is On
    What if I now stop the WFC service (wfcs.exe)?
    I assume that:
    • Filtering will still work with current rules
    • Logging will still occur
    • Notifications (outbound) won't be displayed anymore
    • Protection related to Secure Rules won't be active anymore
    Am I right?

    And what about the protection related to Secure Profile?
    Will it still be performed?
    How is this thing working?
     
  3. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    219
    Happy New Year to all and many thanks to Malw... Alexandru Dicu for the nice new version!

    About Connections Log/Log Allowed Connections: this seems to be the only setting that is not retained when updating WFC - it always gets reset to 'enabled'. I searched and re-read your older reply (quoted below, Feb 27, 2019).

    I've noticed this though: when I import my exported settings from the .wfs file, this setting is indeed imported properly (= it gets disabled after import).

    Couldn't somehow the import/export system be used automatically/internally to maintain this setting as well during an update? Not a problem, just a minor annoyance and I promise not to ask again. :)

     
  4. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    219
    Btw, I understand that Log Blocked Connections is critical to the operation of WFC and would make much more sense to reset it back to "enabled" every time. But if I get it correctly, Log Allowed Connections isn't really that important.
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    Yes, you are correct.
    Secure Profile will still be enabled even if wfcs.exe is stopped. Secure Profile is achieved by removing some access rights from certain Windows Registry keys. They are applied even if WFC is stopped.
    WFC has no property or variable from where it could read the status of the logging of allowed/blocked connections. This is the reason why WFC always enables both so that it can have a starting value. Can't improve/fix this.
     
  6. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    svchost.exe is completely blocked in WFC. Windows 10 was monitored for three hours under WireShark and SmartSniff, and not a single attempt to access Microsoft servers.
     
  7. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    How is your system going to check for time synchronization and Windows updates?


    "Windows Update? Install offline, or use non-system solutions, or use a temporary resolution. After the updates, check the firewall rules and delete the ones added by Windows itself.
    Today, the fight against Windows telemetry is 90% successful."


    Who has time to do all this? Windows update on Win 10 is done daily "behind the scenes" and yet, the OP claims "fight against Windows telemetry is 90% successful".

    In telemetry, either you block it 100% or you allow it 100%. There is nothing like "spying a little bit".
     
  8. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    219
    Ok then, thank you. I can confirm though that importing the *.wfs file does restore the previously exported "Log Allowed Connections" status correctly, whether it was enabled or disabled. Tried it many times in previous versions, and even right now with both enabled/disabled status, and it always imports the exported status. :confused:
     
  9. PMac

    PMac Registered Member

    Joined:
    Jan 13, 2020
    Posts:
    3
    Location:
    Texas
    Question from a rookie WFC user: the WFC connections log shows inbound Chrome connections despite the fact that I've disabled all Chrome inbound rules (there were three) AND added a rule to block all inbound Chrome connections. How can it still be getting through? Thanks!
     
  10. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    I only have 'out' rules and connections for Chrome itself. Can you post screenshots of your Chrome rules and connections logs? Have you customised the rules at all? Check your invalid rules, and your other rules that may allow all incoming apps to override the Chrome rules. The svchost app can be a leaky app that can be used by some programs or browser addons to bypass the main app's rule.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    Please post a screenshot of your Chrome rules and the entries from the Connections Log. Make sure to include all columns.
     
  12. PMac

    PMac Registered Member

    Joined:
    Jan 13, 2020
    Posts:
    3
    Location:
    Texas
    (PDF with screenshots attached) I took screenshots of the chrome rules, the properties of each rule, and the most recent entries from the connections log. To assure a clean picture, I restarted my PC and waited for WFC to load. As expected, there were no chrome connections since the reboot. I then started chrome, refreshed the connections log, and found inbound connections. Those connections are in the final screenshot in the doc. Again, thanks for your help.
     

  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    Chrome is listening for mDNS on port 5353 for device discovery or something. Windows Firewall allows query/response on mDNS, but blocks all announcements. The source of the communication is your local IP, then multicast is sent to all devices from your local subnet and it gets back to your local IP too, where it is allowed. I think it is related to the fact that Windows Firewall doesn't block loopback communications. I have the same behavior on my machine when I use Chrome. My main browser is Firefox which does not create such entries.
     
  14. PMac

    PMac Registered Member

    Joined:
    Jan 13, 2020
    Posts:
    3
    Location:
    Texas
    Excellent, thank you! A little more research points to LAN device or web server discovery using multicast (as you suggest). There appears to be no way to configure chrome to stop it. What you describe is pretty innocuous, so I think I'll just live with it ... or switch to Firefox. Thanks again.
     
  15. al3xwild

    al3xwild Registered Member

    Joined:
    Dec 7, 2019
    Posts:
    12
    Location:
    where the streets have no name
    Hi,

    I noticed that Windows Update didn't automatically check daily for new updates, so I checked the firewall rules.
    Should I open port 80 for Windows Update?

    https://postimg.cc/hX0nKy69
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    For svchost.exe open outbound TCP, remote ports 80,443.
     
  17. al3xwild

    al3xwild Registered Member

    Joined:
    Dec 7, 2019
    Posts:
    12
    Location:
    where the streets have no name
    @aldist
    Thanks.

    I restored the Windows Firewall rules + WFC recommended rules.

    I have another issue. From the log I found: Dnscache service, blocked UDP port 5355.
    Should I open this port?
    https://postimg.cc/mPgpt8YF
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It's for Network discovery for Multicast name resolution. If you are not on a local area network you can block it. Better yet, if your firewall is set up as default deny, you don't need a block rule, as it will be automatically blocked without a specific allow rule in place.
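
The two explanations above (Chrome's mDNS traffic on UDP 5353 returning to the local IP, and LLMNR on UDP 5355) can be checked against a log. This is an added example, not part of the thread or of WFC: it assumes Windows Firewall's own text log format (pfirewall.log) rather than WFC's Connections Log, and the sample entries and the local address 192.168.1.20 are constructed.

```python
import ipaddress

# Link-local name-resolution protocols named in the thread: UDP port -> (name, multicast groups)
DISCOVERY = {
    5353: ("mDNS", {"224.0.0.251", "ff02::fb"}),
    5355: ("LLMNR", {"224.0.0.252", "ff02::1:3"}),
}

# Constructed sample in the pfirewall.log text format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-01-13 10:15:02 ALLOW UDP 192.168.1.20 224.0.0.251 5353 5353 0 - - - - - - - RECEIVE
2020-01-13 10:15:03 DROP UDP 192.168.1.20 224.0.0.252 51234 5355 0 - - - - - - - SEND
2020-01-13 10:15:04 ALLOW UDP 192.168.1.31 224.0.0.251 5353 5353 0 - - - - - - - RECEIVE
2020-01-13 10:15:09 DROP UDP 198.51.100.9 192.168.1.20 40000 5353 0 - - - - - - - RECEIVE
"""

def parse_log(text):
    """Yield one dict per entry, using the log's own #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def _norm(addr):
    """Canonical text form of an IP address, or None if the field is not an address."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None

def classify(entry, local_ips):
    """Label an entry 'mDNS:self', 'LLMNR:lan-peer', ... or 'review' if it is not multicast discovery."""
    port = entry.get("dst-port", "")
    service = DISCOVERY.get(int(port)) if port.isdigit() else None
    if entry.get("protocol") != "UDP" or service is None:
        return "review"
    name, groups = service
    if _norm(entry.get("dst-ip", "")) not in groups:
        return "review"  # unicast traffic to these ports is not ordinary discovery
    origin = "self" if _norm(entry.get("src-ip", "")) in local_ips else "lan-peer"
    return f"{name}:{origin}"

def triage(text, local_ips):
    """Return (action, path, label) for every entry in the log text."""
    local = {_norm(ip) for ip in local_ips}
    return [(e["action"], e["path"], classify(e, local)) for e in parse_log(text)]
```

Calling `triage(SAMPLE_LOG, ["192.168.1.20"])` labels the first sample entry `mDNS:self`, which is the pattern described for Chrome above; entries labelled `review` are the ones that are not plain multicast discovery.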
     
  19. al3xwild

    al3xwild Registered Member

    Joined:
    Dec 7, 2019
    Posts:
    12
    Location:
    where the streets have no name
    Hi,

    I'm connected to the router via Ethernet. If this port is blocked, can it cause DNS server issues?
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    If you are able to surf the Internet without sites breaking, then it's fine. Try it out. I feel 99% sure it can be disallowed.
     
  21. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    If you run Win 10, it is almost impossible to determine which component to block and which to allow; with any update, Windows can change IPs, functionalities, domains.
    It is a futile exercise to try to block things in Win 10.
    Since I decided not to use any firewall, I have a very smooth experience with my PC and Win 10.
     
  22. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    Are you sure? :) The first contradicts the second
     
  23. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    100% sure. Win 10 is doing what it is supposed to do without my interference.
    I decided to stop fighting against "telemetry", I am not equipped with the necessary skills to fight Microsoft. I am 100% convinced that one way or another Microsoft will get the needed info from you, regardless of which firewall you use.

    So, what's the point of trying, and in the process blocking some other Win10 functionalities? o_O
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    A firewall can be used to allow/block other processes too, which are not related to the operating system. A software firewall, like Windows Firewall is, has its utility in many use cases. The users decide the level of interaction that they are willing to put into this. Some users may find the process of allowing/blocking different components of the operating system difficult, but this does not mean a firewall is not good or useful.
     
  25. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    Can you give me an example of telemetry Microsoft can collect through any firewall? o_O

    Preventing data exfiltration in the event of a compromised system (external firewall).
    Preventing telemetry uploads.
    Because it's interesting to see and have control over all outgoing connections on your system. If you're into that type of thing :argh:

    Just because you've given up doesn't mean everyone has.
     