Windows Firewall Control (WFC) by BiniSoft.org

As I said before, if a developer wants his application to communicate over the internet can easily bypass Windows Firewall to do it. Windows Firewall doesn't add an additional layer of security; it is just the satisfaction that you did something, you blocked something.
Any application which is determined to communicate with the outside world can and will bypass the Windows Firewall.

 

I think @popescu is right that MS telemetry can't be stopped - at least not completely - but I think it can be tamed to considerable degree. When Windows updates are downloaded and installed there is probably some telemetry taking place. There are processes used such as svchost.exe, BITS, clicktorun if you use Office, onedrive if you use that, App Installer, Windows Security, Smart Screen, Windows Device Management Enrollment Service, Windows Device Management Certificate Installer, Windows Device Management Sync Client....and on and on it seems to go, so it's hard to believe there isn't some forms of data collection going on with all these MS processes.

Many of these can be blocked or controlled (think specific protocols and ports) with a firewall without crippling Windows. It is a challenge, though.

It is one reason why I'm migrating away from Windows.

 

I do not agree with this statement which I consider to be incomplete. A software must have administrative rights to be able to add Windows Firewall rules. And for this scenario WFC has implemented Secure Rules feature which can disable/delete such rules when this happens. If you have UAC enabled and use known software, Windows Firewall can be effective. Indeed, if a user accepts and grants elevated privileges to anything that UAC blocks, then Windows Firewall should be their last concern. An unknown piece of software that gains elevated privileges, because the user allows it in the UAC prompt, can do a lot of damage to our Windows operating systems. But in this case, it is not a Windows Firewall problem, since Windows Firewall is not a HIPS antivirus.

 

It is not about that. Is about parent-child application.

Let's say that you allowed in WFC an application good.exe to connect to the internet and blocked bad.exe.

Now , bad.exe can be designed in such a way to act as a parent application and launch good.exe and connect to internet through good.exe. WFC will not blink, because good.exe is allowed to connect to the internet.

PC Tools Firewall Plus was the first firewall to implement this way of preventing firewall bypass and I was able to see this mechanism of bypassing on Malwarebytes Antimalware.

 

Windows Firewall is a packet-filtering firewall. WFC is an alternative user interface for Windows Firewall. What you describe is called process injection and this should be detected and stopped by your antivirus, not by your packet-filtering firewall. I agree that there are security products that contain an all in one solution, but Windows Firewall is not such product.

 

No , an antivirus will detect and stop a "process injection" only if deemed malicious. For example graphics driver’s like NVIDIA’s inject DLLs to accomplish a variety of graphics-related tasks.
The example I provide above (Malwarebytes) it is not malicious , yet for telemetry purpose Malwarebytes will bypass a regular firewall like Windows Firewall.
Please understand, I have nothing against WFC; is a beautiful interface of a totally useless application (Windows Firewall)

Windows Firewall was not designed to be used as a layer of protection in our security suites and using it through various interfaces ( WFC, TinyWall) will just create an illusion of added security.

 

NVIDIA is a known process. NVIDIA is required to comply with many items to be certified by Microsoft since they are using system drivers. The discussion was about normal processes which can't inject themselves to other processes that easy like you suggest here.

WFC and other Malwarebytes products are blocked if they do not have an allow rule in Windows Firewall and outbound filtering is enabled. Your assumption that they bypass Windows Firewall with some behind the scenes hidden connections is wrong. I use both on my computers and if I enable outbound filtering in Windows Firewall, telemetry is fully blocked. Also, the download of new updates.

 

I believe, popescu meant the following scenario (at least similar):

You install Software from company A, because you need it.

1) Program A1 is good and program A2 is NOT malicious.
2) You generate an allow rule for program A1, because you need this outbound traffic.
3) Program A2 is NOT malicious - however: program A2 make a process injection in program A1 and send output traffic through program A1, which is NOT desired.

How can you avoid that program A2 sends outbound traffic? Related antivirus will not block it, because it's not malicious.

 

That's why you need to use tools like SpyShelter and HMPA in order to block code injection and process hollowing. You can't blame WFC or Win Firewall for not stopping this, it was never designed to block advanced malware. If you block code injection, then WFC will easily block most malware from making outbound connections.

 

Have you ever looked into the problem that I described months ago? Sometimes when I want to give apps outbound access via "click on a prgram window to allow connecting", the rule does show up, but in red and it won't get access. It happens mostly when I run apps sandboxed via Sandboxie. To be honest, I can't find the old post that I made about this. Because of this bug, I wanted to make the switch to the new TinyWall, eventhough I'm quite happy with WFC, except for this annoying bug.

 

WFC is not a HIPS, if you want to stop what your example are suggesting then setup some kind of HIPS solution.

 

This is EXACTLY what i wanted to say, and the example is the same Malawarebytes.

Malwarebytes has "Program1" used for updates, which I want to allow.
Malwarebytes has also "Program2" used for telemetry , however "Program2" tries to connect to the internet in two ways: directly , and I can block it and by launching "Program1" as child application , which I cannot block it because "Program1" is already allowed by a rule.

If I wouldn't have used PC Tools Firewall prior to Win10 , I wouldn't have known about this.

Presently there is no firewall which would employ this protection of being bypassed; also you cannot create a HIPS rule for code injection specifically for applications which try to connect to internet.

 

You cannot create a HIPS rule for code injection, specifically for applications which try to connect to internet.

 

Have you ever actually used HIPS? You don't have to create rules beforehand, it simply alerts you when some app wants to modify memory of another process in order to bypass the firewall. And I have no clue what you mean, even child processes should be blocked from making outbound connections.

Thanks, I couldn't find it, how did you do this, it's almost like magic.

 

Even without a HIPS, you just have to do the following:

1. create an allow rule for program A1 to connect to a specific port, a specific protocol and a specific ip address(es) that only program A1 requires.

That's it. So even if program A2 injects itself into program A1 and attempts to connect to the specific ip address(es) it requires, it can't. Of course not all firewalls offer this kind of rules granularity, but many do, so there's no reason why one can't utilize it to restrict how a program connects outbound.

 

Not exactly, but close.
HIPS will alert you when an app wants to modify memory of another process, that it. HIPS cannot figure out if this modification is intended to bypass the firewall or for other purpose.

If you have a HIPS set up like that, you will get hundreds of alerts, some of them may be related to firewall bypass but will be impractical.

The HIPS in PC Tools was specifically designed to alert you ONLY for injection intended to bypass the firewall.

 

@wat0114

And what if program A2 uses the same IP, Protocol, Port (etc.) as program A1?

 

The only issue is , most programs use dynamic addressing, so is impossible to figure out "specific IP addresses" , this info may not even be available.

 

This information will be in the firewall's logs. Most firewalls will allow rules using subnet masking or CIDR notation, so that's one way.

@Alpengreis

if you're okay with program A1 connecting to a specific remote host, then what's the issue with program A2 connecting to the same?

 

@wat0114

Could be - for example - that program A2 phones home with data about your system or something like that - not malware, however you don't want share it with the program company ...

I know, we discuss here over a case which is (hopefully) not a usually one - but it's interesting anyway ...

 

Yes, it is in the logs, but are you suggesting for an user to verify the logs several times a day to see which IP is now current?

 

If there's that much concern about a non-malicious program phoning home then it's probably best to remove it.

I've been down that path many times before, using a firewall with built-in HIPS or a firewall/HIPS combo, and in the end I found it's just too much wasted time and effort, with little to gain in terms of privacy or security. An anti-executable for Windows is enough for me.

 

There's no reason for a legitimate program to be connecting to vastly different remote hosts on a daily or even weekly basis. That's why I mention the use of subnet masks or CIDR ranges, so if the network portion is 178.220.100.xxx, then a subnet mask of 255.255.255.0 could be used for handling 254 different hosts. Admittedly it does get more cumbersome with Windows updates as there are numerous updates servers utilized by Microsoft, so restricting a process like svchost.exe gets a lot more involved.

As I alluded to just above, using a HIPS to control process injection and and all other ways a process tries to manipulate itself on the O/S is mostly a waste of time and effort, imho.

 

I bet you never used PC Tools Firewall Plus.

With any firewall I tried , after this, I reached the same conclusion: too much wasted time and effort, with little to gain in terms of privacy or security.