Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    No issues with WFC, but looks like windows firewall in win10 is buggy.

    I have a LAN rule I carried across it basically allows traffic to/from lan subnets which saves me making rules for services/apps that only get used for lan traffic.

    On win8 no issues, on win10 it works but occasionally a packet gets blocked randomly in the firewall, I notice as of course it triggers a notification, it happened just now with me sat at PC, winNUT lost connection to my router when was blocked, but then the windows firewall a minute later allowed it to connection again.

    --

    After looking at the event log, I can see "An account was successfully logged on" entry, and also can see the windows firewall momentarily switching to public profile and then back again to private, that is why the rule didnt do anything as its on private profile only, but the mystery left as to why the mode got changed. The logon type was 5, A service starting up.

    Then same again very shortly after for back to private.

    This was logged in system log at same time, getting closer. "The access history in hive \??\C:\ProgramData\Microsoft\Provisioning\Microsoft-Desktop-Provisioning-Sequence.dat was cleared updating 0 keys and creating 0 modified pages"
     
    Last edited: Feb 6, 2021
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes but that's the thing, is it really useless? To me it may indicate that such an app might be a bit shady. But what I was trying to say is that when you already block incoming connections like the Win Firewall does and you allow such an app to accept incoming connections, are you then at risk? What can such an app achieve what it couldn't already do with permission to make outbound connections? So basically it's a technical question.
     
  3. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Sorry if asked before. Let's say 1 rule has 'Allowed- Microsoft Edge- Local Port Blank-Remote address xxx.xxx.xx.x- 443-UDP. Then a later rule, everything the same, except blank Remote address and Block. Does rule 1 take precedent because it was created first/lower on the rules chain?

    Edge has so many prompts! Firefox, I have to 2 rules (1 TCP and 1 UDP). Never bothered again.

    Do not just want to give Edge global access for both TCP and UDP.

    Thanks,
    Robert
     
    Last edited: Feb 6, 2021
  4. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Don't know if I understood your question correctly. In Windows Firewall, a Deny rule takes precedence, regardless of the location of the rules above or below and the time of creation earlier or later.
     
  5. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Thanks, that's what I need to know.

    Robert
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    One question I have, svchost rules are restricted by specific service in my ruleset. I've had svchost connection attempts for the following:

    Connected users experience and telemetry (DiagTrack)
    Windows Push Notifications Systems Service (WpnService)

    I've refused both so far, although I'm thinking the WpnService connection might be okay and possibly required to allow, as long as I restrict it to my set of Microsoft update server IP ranges. Has anyone encountered problems blocking these? Thanks.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    If it is only web browsing on basic sites, give it outbound ports 80,443 tcp/udp (quic), port 53 also unless you disable the internal dns resolver.

    Then set a block rule to match other ports to avoid getting more alerts, you may need to turn on a option under notifications that silences alerts if a block rule captures it.
     
  8. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Thanks. That is what I have done. Damn M$, wants to connect to everywhere!

    Same old story...

    Robert
     
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Disable this services forever, disable access to the network.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    In group policy I've disabled Customer experience Improvement, Telemetry, Error reporting, Cortana, etc., but ofc it doesn't completely disable it all. I may look into disabling services, or at the very least either block comms or restrict to a pool of MS update IP address ranges.

    Thanks for your suggestion!
     
  11. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I have tasks and services disabled for ceip etc. and WFC got prompts anyway :p
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    According to somehow old German's BSI analysis DiagTrack is key component of Windows 10 telemetry and you may disable this service to stop most of Windows 10 telemetry data collection.
    Related Wilders thread https://www.wilderssecurity.com/thr...fice-bsi-publishes-telemetry-analysis.410559/
     
    Last edited: Feb 8, 2021
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I debugged the profile flipping further after it flipped 3 times in 30 minutes.

    I checked task manager for any tasks that ran at the same time the firewall flipped to public, and was two tasks.

    Office 365 updater
    Windows management provisioning logon.

    I ran the office 365 on demand and it didnt flip, I cannot run the latter on demand, but did read it is problematic and supposedly no adverse effects to disabling it, so I have disabled it (at least for now), just to see if the behaviour stops.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Noticed an issue when using the WFC recommended rules whilst "also" deleting the microsoft built in rules.

    It seems if the microsoft file sharing rules dont exist, windows will auto deactivate file sharing, I noticed as it worked on the PC where I set it to disable unauthorised groups, but on the PC where I told it to "delete" unauthorised rules it just wouldnt turn on, I then exported the file sharing rules, and imported them to other PC and it works again, they dont need to be enabled, but just to exist.
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    No risk if you allow a known application to accept incoming connections. For example MS SQL or MySQL. They are both legitimate products and if you want to query their databases, you have to allow inbound connections to them. The risk would be an unknown software that is listening for inbound connections, waiting for a remote attacker to connect to your machine to execute some "cool" scripts.
    This is happening because when you enable/disable File and Printer Sharing checkbox, the OS is trying to enable/disable the firewall rules from that group. If the rules are not found, then it doesn't recreate them. This is an old bug since Windows Vista.
     
  17. Tiamati

    Tiamati Registered Member

    Joined:
    Feb 1, 2021
    Posts:
    12
    Location:
    Canada
    Hello guys!

    Anyone knows why WFC block its own outbound connections?

    upload_2021-2-10_1-35-15.png

    And, @alexandrud are you still in the development of WFC right?
    Any idea why there is no option similar to Learning Mode, but that blocks unnsigned requests instead of asking for it? It would be a step between disabled and learning mode. I believe it could be a great option to use with WFC after learning mode was used for a while.

    upload_2021-2-10_1-41-25.png
    ----------------------------------------------------------------my paint model hahaha


    Cya
     

    Attached Files:

  18. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Previously, the WFC checked for updates to 66.198.240.5 (binisoft.org) and this was a predefined rule. Perhaps, after the rebranding, the address changed to 151.13 ..., but the author forgot to change the predefined rule. Or you do not have predefined rules.
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    I know. Because this is how it should be. No allow rule, no connections out. And this must apply to WFC too :)
    Yes, I am still the developer of WFC. This mode does not exist because it wasn't requested until now. The idea behind the notifications is that users want to know what is going on. The mode you propose will allow signed programs and block unsigned ones. There will be no more notifications. Since this tab is called Notifications, when they are not Disabled, users are expecting to see some notifications.
    The predefined rule does not include any IP address anymore since many years ago.
     
  20. Tiamati

    Tiamati Registered Member

    Joined:
    Feb 1, 2021
    Posts:
    12
    Location:
    Canada
    I believe this new mode would be useful for some users. For example, I'm currently using a shared PC with the learning mode active. I'm barely seeing any notifications, so i would activate the disabled notifications soon. However, I'm not always with this PC, so if it could allow signed files connections, it would reduce the chance to "break" something someone could install. Basically, it would be a locked mode with less maintenance. As you already have those 3 modes, i guess it would not be so difficult to implement the idea. ;)

    Ty. However, it's interesting that WFC control panel have a predefined allow rule for WFC checking updates through port 443 but not for the port 80. Furthermore, WFC.exe is a signed file, so learning mode should have allowed and created a new rule for it right? But i checked, and WFC didn't created it.
     
    Last edited: Feb 10, 2021
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Yes, because I prevented in code any auto creation of an allow rule for wfc.exe. I didn't want to see here rumors about shady behavior from WFC.

    Regarding the proposed mode, I will think about it.
     
  22. Tiamati

    Tiamati Registered Member

    Joined:
    Feb 1, 2021
    Posts:
    12
    Location:
    Canada
    Thanks for answering! I hope to see new WFC updates soo too :thumb:. Any idea when are you going to release new versions?
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    So I have discovered, to my dismay, that svchost -> "Connected users experience and telemetry (DiagTrack)" needs to be allowed out, otherwise Windows updates will simply not download :(
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    When I will have some free time. I am working on too many projects right now and WFC has currently lower priority than the others.
     
  25. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    If it is true, You can enable this temporarily and periodically, for example, once a month or once every two months. Or install updates offline.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.