Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    This is on purpose. The Program property must be the same for the Merge feature and must have a value. Merging rules for all programs can be dangerous as the user may create allow all rules that will allow anything.
    A new version is not ready because I can't yet fix the problem with the Properties dialog that some of you have.
     
  2. don_dolarson

    don_dolarson Registered Member

    Joined:
    Apr 24, 2019
    Posts:
    9
    Location:
    Machu Picchu
    Sometimes, I get Chrome internet connection problems caused by WFC. I can simply recognize it's caused by WFC because no new webpages would load, and those which had already been opened and loaded before the "connection has been lost" can be refreshed like normal, but they work more like refreshing a cached version of the webpage. For example: new images can't be zoomed anymore (I'm using the Chrome extension Imagus for it), hotlinks on that page aren't loading, the opened YouTube Music tab keeps playing music and loading new songs continuously, I get Windows 10 Action Center Chrome notifications from different webpages but when I hit any of the notifications, they load forever in a new Chrome tab, and when I hit a shortcut key for my WFC rules list, the interface opens but all I can see is "loading" and it loads them forever. It happens once or twice a month or so, and the only way I've found to fix it is to restart the PC, sometimes once, twice, three or more times... and sometimes I need to shut down the PC and start it again to get it to work again. Killing the wfc.exe process and wfcs.exe service isn't helping, only a restart/shutdown. When killing them, the interface wouldn't come back and I can only see the task icon and information about the service not running, though it's running. I've tried to reinstall this software but it hasn't helped. Any help?
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    WFC? Are you sure? WFC is just an alternative GUI for Windows Firewall, it doesn't even inspect your network traffic, therefore it does not block or allow any connection. To me, it seems like your network adapter is disconnected or your Internet is down from your router or from your ISP. I have a similar problem every few weeks: I can't browse half of the webpages that I usually visit while YouTube works. In my case, I have to reset the router from my ISP. Unfortunately, I can't change it because the optical fiber goes directly into it and is pre-configured by them. Anyway, unplugging it for a few seconds and reconnecting it fixes the problem for another few weeks.
     
  4. don_dolarson

    don_dolarson Registered Member

    Joined:
    Apr 24, 2019
    Posts:
    9
    Location:
    Machu Picchu
    I'm completely sure it's caused by WFC. It happened for the first time 4 months ago, and I've checked it properly within this time, before I decided to write about this issue today. I've tried to figure this out and find what was causing it. Started with simply restarting the PC back then, and some days needed to restart/shut it down a couple of times in a row, until it got fixed. Then I killed processes one after another, until I found the WFC interface is somehow broken, loading forever, so I killed wfc.exe and wfcs.exe, cleaned NETcache, ran /ipconfig release and /renew commands in cmd, and after a couple of minutes it started to work again. It happened more often in February and March, much less in April, 0 times in the whole of May and I've just experienced it today, again. The Internet connection isn't down and I can use it like normal on any other device connected to the same WiFi network, nor is the network adapter disconnected. I guess I'd see all that and not post stupid things here, if there wasn't a problem caused by WFC. I've never tried to turn the router off since all other devices can use the internet at the same time like normal.
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    I doubt it is WFC's fault. Network connectivity problems are not caused by WFC in any circumstances. Please check the Troubleshooting section of the user manual if WFC does not work as expected. If the Rules Panel does not load Windows Firewall rules, then something may be wrong and the WFC log can provide more info about this. For network connectivity problems, try the Low Filtering profile in WFC. This is the default operation mode of Windows Firewall. If you still have the same problem, then WFC is out of discussion.
     
  6. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    I also think that the problem is not in the WFC, but in the OS. Disable startup for wfc.exe and wfcs.exe, and even better, uninstall it completely, leaving its rules. Work like this for a couple of weeks, watch. The system at this time will be protected by the Windows Firewall, without WFC.
     
  7. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    The symptoms you describe - existing web pages working (up to a point) and new ones not - suggest a DNS problem, especially if the browser applications are caching DNS results (so not having to ask the OS again for a new DNS lookup, or - if they bypass OS-provided DNS services - they're not directly asking your ISP or other DNS servers for DNS lookups). That is, internet traffic to known IP addresses works but DNS doesn't. It's likely that DNS results might be being cached by your browser (some do as it's more efficient), certainly by your OS's DNS service, almost certainly by your router... and after that if you don't explicitly define DNS servers (eg from Google or OpenDNS or wherever), you're at the mercy of your ISP's DNS servers. Often ISPs' DNS servers are poor.

    Restarting the PC might solve this as it forces your machine to reconnect to your router (and via DHCP etc it reacquires dynamic DNS configuration details). Also using ipconfig /flushdns and/or /registerdns might help.

    When you have a problem, what happens when you issue a ping or traceroute command to some external site that you have not visited recently (ie to one whose DNS lookup result will not be in the OS's cache)? I'd expect the initial DNS lookup to fail.
     
    Last edited: Jun 12, 2020
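Added example, not part of any post in this thread and not WFC code: a read-only PowerShell check that separates the two explanations argued above, a DNS failure versus traffic actually being blocked. The host name, the address literal and the function name are assumptions chosen for illustration; pick a host the PC has not looked up recently, as the post suggests.

```powershell
# Added example (not from the thread). Read-only: changes no settings.
param(
    [string]$HostName = 'example.org',  # assumption: a name not looked up recently
    [string]$KnownIp  = '1.1.1.1',      # assumption: a reachable address that needs no lookup
    [int]   $Port     = 443
)

function Test-DnsVersusConnectivity {   # hypothetical helper name
    param([string]$HostName, [string]$KnownIp, [int]$Port)

    # 1. Name resolution over the DNS protocol only (no LLMNR/NetBIOS fallback).
    $dnsOk = $true
    $dnsError = $null
    try {
        $null = Resolve-DnsName -Name $HostName -Type A -DnsOnly -ErrorAction Stop
    } catch {
        $dnsOk = $false
        $dnsError = $_.Exception.Message
    }

    # 2. TCP connect to an address literal, so no lookup is involved.
    $tcp = Test-NetConnection -ComputerName $KnownIp -Port $Port -WarningAction SilentlyContinue

    # 3. What Windows Firewall does with outbound traffic that matches no rule.
    $outbound = Get-NetFirewallProfile |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.DefaultOutboundAction }

    $verdict = if (-not $dnsOk -and $tcp.TcpTestSucceeded) {
        'DNS lookups fail while traffic to a known address works'
    } elseif (-not $tcp.TcpTestSucceeded) {
        'No TCP connectivity even without a DNS lookup'
    } else {
        'DNS and TCP both work right now'
    }

    [pscustomobject]@{
        Verdict         = $verdict
        DnsResolved     = $dnsOk
        DnsError        = $dnsError
        TcpToKnownIp    = $tcp.TcpTestSucceeded
        DefaultOutbound = $outbound -join ', '
    }
}

Test-DnsVersusConnectivity -HostName $HostName -KnownIp $KnownIp -Port $Port | Format-List
```

Run it while the problem is occurring and again when browsing works, then compare the two results.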
  8. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Feature Request for "M_A_L_W_A_R_E_B_Y_T_E_S" firewall: Directory and Process name executable wildcard auto block/allow rules, in-house WFC rules accessed from a button in the WFC rules menu. This would be great for avoiding malware, and so many other uses; such as auto blocking installers and *tmp* files and folders, allowing program updates, commonly known names for malware, developers whose software changes regularly, and just saving a good amount of time over the months and years.

    https://i.postimg.cc/W3q9rf13/example.png
     
    Last edited: Jun 12, 2020
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    Windows Firewall does not support wildcards (*).
     
  10. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Exactly, that is why Malwarebytes Firewall should add it.
     
  11. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    If Windows Firewall does not support wildcards, then WFC cannot add this.
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    Just that, there is no such product Malwarebytes Firewall. If it will exist at some point in the future, it will probably have the features that you mentioned. This will also mean that WFC will be retired. Anyway, I don't think it will not happen any time soon.
     
  13. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Oh please, Windows Firewall does not support secure boot, or shell integration, or automatically removing rules not created by Binisoft's WFC... but WFC makes this possible. HOW is THAT? WFC pops up with a window when a new connection is made, this window includes data associated with the name of the executable, WFC can therefore add its own in-house rules for wildcard detection, then apply simple default auto allow/block rules to Windows Firewall for automation.
     
    Last edited: Jun 12, 2020
  14. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    https://i.postimg.cc/Kj9KMzZ6/Malwarebytes.png


    I'm just wondering if Binisoft Malwarebytes Firewall Control should include wildcard for "allow", it is dangerous and could potentially be exploited. Auto block is safe
     
    Last edited: Jun 13, 2020
  15. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    You seem not to understand which parts of the system do what. The traffic filtering firewall code that Windows has built-in does not offer the facility.

    WFC is a replacement for the very basic, hard to use MS-supplied way of configuring what their OS firewall code does. So eg WFC makes it easier for you to manipulate sets of rules. But the rules are used by the OS-supplied firewall code. MS would have to change the actual filtering code to support wildcards before WFC could make it easier to define a rule that told the OS-supplied firewall to do that.

    Windows also generates information about what the firewall has just done, and WFC makes that easier to see and understand.

    If I understand correctly, you suggest that WFC could act on notification that some traffic has just been blocked, and set up some sort of rule to allow that traffic. I expect you're right... after all YOU could look at the notification and then set up a precise rule for that. But such a rule will not stop the next failure unless the next attempted traffic has the exact same executable name, port, traffic type etc as the one that was just blocked. In the situations where wildcards would be useful, the next attempted traffic doesn't have the exact same parameters as the just-failed one.
     
  16. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Exactly, that is why I suggest that WFC should add it. WFC does not require Windows Firewall to use wildcards. WFC already has the file path and name passed on to it in the display window popup that appears, that's all it needs.

    Exactly. That's why WFC automatically generates rules that work with OS-supplied firewall code and not ones that don't work.
     
    Last edited: Jun 13, 2020
  17. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    You're missing the point. Suppose WFC did generate a rule automatically from that notification. The new rule does not allow the just-tried-and-rejected traffic magically to work. The application that attempted to send it will have to try again. How do you think WFC is going to arrange that?

    The new attempt will only work if it uses exactly the same criteria as the originally rejected one. Suppose the application (running from the same-named .exe) randomly picks a port to use (and maybe a destination IP address too)? The just-created rule won't match the port / address used on the next attempt; of course the automatically created rule could allow "all ports / all addresses" but it's not providing much security then, is it?

    And suppose (as is often the case) the application was one of those that when run creates a temporary .exe with a random name, then runs that. The notification from which the rule was automatically generated might be for, say "\temp\xpq67r\942.exe" but next time, a completely differently named .exe. So unless your automatically created rule allows traffic for (say) any .exe inside \temp or its subdirectories, it's not going to work in all future cases. And if it does allow all of those, it's opened a huge security hole.
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    So, this would be an advanced learning mode in which you can define some wildcards so that WFC will auto create allow rules based on the defined wildcards. You will be able to define C:\ProgramData\*\mysoftware.exe or C:\Program Files\MySoftware\*.exe. This has some drawbacks:
    1. For a wildcard defined in WFC, it will create multiple allow rules. If this was at Windows Firewall level then you would have 1 firewall rule defined with a wildcard. Having this in WFC, you may end up with 10 different rules (more or less) depending on how many programs match the wildcard.
    2. This will not delete old obsolete rules. For example, if you use this feature to auto allow a program that has a new path after each update, then the previous rules will still remain and you still have to clean up your rules set once in a while.
     
  19. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Wildcard blocks could block files on all ports/ip's globally without any issues... this is good for security and importantly, suppressing unwanted recurring notifications.
     
    Last edited: Jun 15, 2020
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    There is no need for auto creating outbound block rules. If you are using Medium Filtering profile, these connections are already blocked, therefore a block rule for each already blocked connection will just clutter the rules set. If you use Low Filtering profile, then the entire feature is useless since anything without an explicit block rule is allowed by default.
     
  21. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    It will clutter your screen with popups, but if you automatically apply to all ports, all incoming and outgoing addresses, then there will be no clutter in the rule sets... one to rule them all. You can also offer two options, block with temporary rules or permanent.
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    One to rule them all until a block rule blocks all allowed rules and then my inbox will become full of support tickets. I am involved in other projects and this has really low priority.
     
  23. yoweho8574

    yoweho8574 Registered Member

    Joined:
    Mar 11, 2020
    Posts:
    19
    Location:
    UK
    Hello, there is a small problem when an app is located in another user profile or in a folder for which the WFC UI user does not have read rights: the rule is in red text in the WFC rules panel and so you can't edit it (the Apply button is greyed out). I guess running the UI as admin would fix it for apps located in other users' profiles, but it's not ideal to need to run things as admin, and I also think it would not work when the admin does not have the NTFS rights to read the folder where the app is located. I guess the best would be to allow editing a rule even if the rule is in red text, maybe with a warning before applying. Thanks for this awesome software.


    Edit: also, sometimes I see errors in the event viewer - WFC log, not sure if I should report them or not.
    This one appears every 24 hours, at around the same time:
    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
    <Provider Name="WFC" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-06-18T00:49:55.132576100Z" />
    <EventRecordID>4682</EventRecordID>
    <Channel>WFC</Channel>
    <Computer>PC</Computer>
    <Security />
    </System>
    - <EventData>
    <Data>System.Threading.Tasks.UnobservedTaskExceptionEventArgs was caught.</Data>
    <Data>Exception: System.AggregateException: A Task's exception(s) were not observed either by Waiting on the Task or accessing its Exception property. As a result, the unobserved exception was rethrown by the finalizer thread. ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:443 at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult) at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult) at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- End of inner exception stack trace --- --- End of inner exception stack trace --- at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) at WindowsFirewallControl.Manager.SendUpdates() at System.Threading.Tasks.Task.Execute() --- End of inner exception stack trace --- ---> (Inner Exception #0) System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. 
---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:443 at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult) at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult) at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- End of inner exception stack trace --- --- End of inner exception stack trace --- at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) at WindowsFirewallControl.Manager.SendUpdates() at System.Threading.Tasks.Task.Execute() ---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:443 at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult) at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult) at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- End of inner exception stack trace ---<--- <---</Data>
    </EventData>
    </Event>
    Any idea how I can find what is causing that and what's the problem?
     
    Last edited: Jun 18, 2020
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    wfc.exe does not need administrative privileges. The firewall rules that are red are invalid because the file for which they are created is not found on disk. Apply button is disabled on purpose so that the user will not create a rule that does nothing. Once you select a file that exists the Apply button will become active. Or you can select the rule to apply to all programs.

    Regarding the exception that you see every 24 hours it is already fixed and will be included in the next WFC release. It does not do any harm and no functionality is affected. I still have to fix one strange bug (Properties dialog not showing in some circumstances) and then a new WFC release will be published.
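Added example, not WFC's code and not part of any post: a read-only PowerShell audit for the two situations discussed in this thread, the leftover rules from the second drawback of the wildcard learning mode and the red rules whose file is not found on disk. It uses the built-in NetSecurity cmdlets; the default `$Pattern` is the wildcard quoted earlier in the thread and the function name is hypothetical.

```powershell
# Added example (not from the thread). Reads Windows Firewall rules only;
# it creates, changes and deletes nothing.
param(
    # Wildcard taken from the discussion above; '*' audits every program rule.
    [string]$Pattern = 'C:\Program Files\MySoftware\*.exe'
)

function Get-ProgramRuleAudit {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Pattern)

    Get-NetFirewallRule | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter

        # 'Any' means the rule applies to all programs; 'System' is the kernel.
        # Neither has a file on disk to check.
        if ($app.Program -in 'Any', 'System') { return }

        # Stored paths may contain variables such as %SystemRoot%.
        $path = [Environment]::ExpandEnvironmentVariables($app.Program)
        if ($path -notlike $Pattern) { return }

        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Direction   = $rule.Direction
            Action      = $rule.Action
            Enabled     = $rule.Enabled
            Program     = $path
            FileExists  = Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue
        }
    }
}

$rules = @(Get-ProgramRuleAudit -Pattern $Pattern)
$stale = @($rules | Where-Object { -not $_.FileExists })

# One wildcard, many concrete rules: the first drawback listed in the thread.
'{0} rule(s) match {1}' -f $rules.Count, $Pattern
$rules | Sort-Object Program | Format-Table -AutoSize

# Rules left behind after the program moved or was removed: the second drawback.
'{0} of them point at a file that was not found:' -f $stale.Count
$stale | Select-Object DisplayName, Direction, Action, Program | Format-List
```

A file the current user cannot read may also be reported as not found, so review the list before cleaning anything up.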
     
  25. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    Error ID911 appears if mbcut.dll, mbcut32.dll, Newtonsoft.Json.dll are deleted from the WFC folder.
     