Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    No, all programs and tools are located on C:

    Is this the normal way, or more of a workaround?

    Is there a way I can make this switch automatically?
     
  2. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    Hi @alexandrud
    I will try it,
    but often I cannot even get the icon in the system tray after a cold boot; I have to reboot to get the icon.
    In the past I have never seen such issues, maybe it was the (g) Kaspersky update.
    Can I change the boot key? Maybe it can fix it?
    Now WFC has this key:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    I tried to clean and reset the system tray icons with Reset_Notification_Area_Icons_Cache.bat for W7 but it did not fix it.

    In the log under WFC I get these errors (W7 SP1 64-bit):
    Error: Service start failed. It seems that Windows Firewall service is not available.
    and
    System.Windows.Threading.DispatcherUnhandledExceptionEventArgs was caught.
    and I can't get the icon; I get this error:
    System.Windows.Threading.DispatcherUnhandledExceptionEventArgs was caught.
    thanks
     
    Last edited: Nov 21, 2021
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Try to add wfc.exe and wfcs.exe to the Kaspersky exceptions.
    Is SHA-2 support added to your Win7? (KB4490628 and KB4474419)
     
    Last edited: Nov 21, 2021
  4. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    Trying out the Windows Server 2022 Eval and the log shows a lot of dropped outbound packets, for which I have allow rules in place. WFC is set to Medium Filtering. There are no Block rules at all. Tracing with netevents.xml and wfpstate.xml comes to a puzzling conclusion: they're dropped by a default outbound filter, filterid 69980?

    Example: Svchost wuauserv dir: out allow localaddr:any localport:any remoteaddr:any remoteport:80,443 proto:TCP
    Very similar drop: Svchost Cryptsvc dir: out allow localaddr:any localport:any remoteaddr:any remoteport:80,443 proto:TCP
    Note: There are no generic rules regarding svchost.exe; every svchost rule is for a defined service. There are no other rules referring to wuauserv or cryptsvc. There are no rules matching all programs which could apply.
    The data below is for the wuauserv drop:

    Code:
    Netevents.xml:
        <item>
            <header>
                <timeStamp>2021-11-21T07:45:27.283Z</timeStamp>
                <flags numItems="9">
                    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
                    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
                </flags>
                <ipVersion>FWP_IP_VERSION_V4</ipVersion>
                <ipProtocol>6</ipProtocol>
                <localAddrV4>192.168.2.2</localAddrV4>
                <remoteAddrV4>13.107.4.50</remoteAddrV4>
                <localPort>50151</localPort>
                <remotePort>80</remotePort>
                <scopeId>0</scopeId>
                <appId><data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650033005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
                    <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.3.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
                </appId>
                <userId>S-1-5-21-...-500</userId>
                <addressFamily>FWP_AF_INET</addressFamily>
                <packageSid>S-1-0-0</packageSid>
                <enterpriseId/>
                <policyFlags>0</policyFlags>
                <effectiveName/>
            </header>
            <type>FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_DROP</type>
            <classifyDrop>
                <filterId>69980</filterId>
                <layerId>48</layerId>
                <reauthReason>0</reauthReason>
                <originalProfile>2</originalProfile>
                <currentProfile>2</currentProfile>
                <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
                <isLoopback>false</isLoopback>
                <vSwitchId/>
                <vSwitchSourcePort>0</vSwitchSourcePort>
                <vSwitchDestinationPort>0</vSwitchDestinationPort>
            </classifyDrop>
            <internalFields>
                <internalFlags numItems="1">
                    <item>FWPM_NET_EVENT_INTERNAL_FLAG_FILTER_ORIGIN_SET</item>
                </internalFlags>
                <capabilities/>
                <fqbnVersion>0</fqbnVersion>
                <fqbnName/>
                <terminatingFiltersInfo numItems="1">
                    <item>
                        <filterId>69980</filterId>
                        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
                        <actionType>FWP_ACTION_BLOCK</actionType>
                    </item>
                </terminatingFiltersInfo>
                <filterOrigin>Default Outbound</filterOrigin>
            </internalFields>
        </item>
    
    
    Wfpstate.xml:
                    <item>
                        <filterKey>{cf19603d-67c0-4dfb-ad77-6e818c7ce45c}</filterKey>
                        <displayData>
                            <name>Default Outbound</name>
                            <description>This is the default outbound filter which blocks or permits traffic based on user configured default settings</description>
                        </displayData>
                        <flags numItems="2">
                            <item>FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT</item>
                            <item>FWPM_FILTER_FLAG_HAS_FILTER_ORIGIN</item>
                        </flags>
                        <providerKey>FWPM_PROVIDER_MPSSVC_WF</providerKey>
                        <providerData>
                            <data>e702000000000000</data>
                            <asString>........</asString>
                        </providerData>
                        <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
                        <subLayerKey>FWPM_SUBLAYER_MPSSVC_WF</subLayerKey>
                        <weight>
                            <type>FWP_UINT8</type>
                            <uint8>8</uint8>
                        </weight>
                        <filterCondition numItems="1">
                            <item>
                                <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
                                <matchType>FWP_MATCH_EQUAL</matchType>
                                <conditionValue>
                                    <type>FWP_UINT32</type>
                                    <uint32>2</uint32>
                                </conditionValue>
                            </item>
                        </filterCondition>
                        <action>
                            <type>FWP_ACTION_BLOCK</type>
                            <filterType/>
                        </action>
                        <providerContextKey>{2bea78de-a8db-4f30-bc98-4557ee4c985c}</providerContextKey>
                        <reserved/>
                        <filterId>69980</filterId>
                        <effectiveWeight>
                            <type>FWP_UINT64</type>
                            <uint64>9223372036854777728</uint64>
                        </effectiveWeight>
                    </item>
    Any ideas? I've no idea what the Default Outbound filter is, nor where to configure defaults for it like the description says. Fairly sure I correlated netevents with wfpstate properly based on the timestamp, because at that moment there were no other drops, but 8 dropped wuauserv packets in a row.
     
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    A general allow rule for svchost on any outgoing connections is required for Windows Update to work properly.
     
  6. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    And another problem I have is that no games from the Microsoft Game Store will work online when I have the firewall on. Only when I switch to Low Filtering does it work. Requests for rules are incoming, but after this there is no online function in the game.
     
  7. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    Hi
    I have added the exceptions in Kaspersky but nothing changed.
    I don't think so.
    Does WFC need SHA-2? For what? VirusTotal?
    thanks
     
    Last edited: Nov 21, 2021
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    For checking updates only, but once they start downloading, you need way more, like BITS, Delivery Optimization; it adds up if you use the MS Store. Selective svchost never worked for me, but I will give it another go.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    The normal way is that WFC works without any issues when returning from sleep mode. This is a workaround for your specific scenario so that you don't have to re-create already existing rules since that is not the problem. You must set again the profile so that Windows Firewall will refresh its internal state. If you don't like the manual switching the profile, you could create a scheduled task (not sure about the trigger that you need) that will execute the following command which is an alternative way of setting Medium Filtering profile: netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    If you use Secure Rules, make sure that Windows Store apps are allowed to create their required rules during installation. By default, a new Windows Store app/game will automatically add the required outbound rule when it is installed. However, this works for regular small games. If you want to play Forza Horizon, Microsoft Flight Simulator, it is not possible to allow them while outbound filtering is enabled in Windows Firewall because these games use mounted images that are loaded on each startup of the games. These paths can't be allowed in Windows Firewall. Please ask the developers of those games how to allow their games in Windows Firewall while outbound filtering is enabled.
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    There is no need to reboot. Just open Task Manager, kill the process wfc.exe and then manually launch again WFC. I am not sure I understand what "change the boot key" means. But, based on the exceptions that you posted, it seems that WFC service can't access Windows Firewall through Windows Firewall API. Are you able to access Windows Firewall by opening WF.MSC ? If the answer is yes, then Windows Firewall service is up and running. Try to export your rules from there and reset the default policy. See below:

    [screenshot attachment: upload_2021-11-21_23-29-58.png]

    I know this next suggestion is very Microsoft style, but please run this command in an elevated CMD window: sfc /scannow. Maybe some system files are corrupted.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Default Outbound filter in this case means: if outbound filtering is enabled and there is no matching allow rule, then the default action is BLOCK IT.
    You can read here more about Windows Update and svchost.exe. While in Windows 7 service-based rules worked just fine, in newer operating systems not all of these service-based rules work anymore. I guess things got more complex and dependent on each other, and this thing with service-based rules remained some obsolete feature that was not taken into consideration by many teams from Microsoft. Just because you create a service-based rule, wuauserv in this example, it does not mean this rule is enough. I personally don't bother with svchost.exe anymore. I allow it to connect on remote ports 80,443 and I do better things with my time. If telemetry is your concern, then forget about it. Microsoft can take this data with or without our consent anyway. I use an offline local account on my laptop. I activated my Office 365 and now when I open Microsoft Edge, I see "Welcome Alexandru". How does Edge know my name if I am using an offline user account? It is from Office activation. Shall I not use Office anymore? Ok, let's say I use some free open source alternative. Then I activate my Visual Studio license, they know again who I am. Let's quit using Visual Studio too.

    This is not related to Windows Server 2022. The same happens starting with Windows 8. Don't waste your time with svchost.exe connections. This is a legitimate process from Microsoft, let it connect, especially on a Windows Server where you don't want unexpected network interruptions because of svchost.exe. Too bad they designed it this way so that any Microsoft Windows service will use the same service host, making it impossible to create proper rules. Or maybe they did this on purpose, who knows.

    For me neither. This does not work in operating systems newer than Windows 7.
     
  12. peter_brown_usa

    peter_brown_usa Registered Member

    Joined:
    Aug 20, 2014
    Posts:
    26
    Hi,

    I keep getting a certain application being blocked in WFC despite there being rules to allow it.
    The application is acrylicservice.exe.
    You can see from the included image that it is being blocked and you can see that there are rules to allow it (one of the rules even shows its properties).
    I have just started to make rules up with different ports to try to see if it can be unblocked but nothing seems to work.
    Any ideas?

    https://ibb.co/K04gtcJ
     
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    If there is no problem with your Internet access rule, add acrylicservice.exe to the notifications exceptions. If there are blocking entries only for 8.8.8.8 and 1.1.1.2, create an individual allow rule for these addresses.
     
  14. peter_brown_usa

    peter_brown_usa Registered Member

    Joined:
    Aug 20, 2014
    Posts:
    26
    First, thanks aldist for replying. I have added the rules for the IP address. I shall see a bit later if they have worked as I need to pop out for an hour.

    Here is a bit more info from the events and state logs
    Section from netevents.xml showing a block.
    Code:
    <item>
           <header>
               <timeStamp>2021-11-22T09:41:13.097Z</timeStamp>
               <flags numItems="9">
                   <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
                   <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
               </flags>
               <ipVersion>FWP_IP_VERSION_V4</ipVersion>
               <ipProtocol>17</ipProtocol>
               <localAddrV4>10.15.221.161</localAddrV4>
               <remoteAddrV4>1.1.1.2</remoteAddrV4>
               <localPort>58980</localPort>
               <remotePort>53</remotePort>
               <scopeId>0</scopeId>
               <appId>
                   <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650033005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c0061006300720079006c0069006300200064006e0073002000700072006f00780079005c0061006300720079006c006900630073006500720076006900630065002e006500780065000000</data>
                   <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.3.\.p.r.o.g.r.a.m. .f.i.l.e.s. .(.x.8.6.).\.a.c.r.y.l.i.c. .d.n.s. .p.r.o.x.y.\.a.c.r.y.l.i.c.s.e.r.v.i.c.e...e.x.e...</asString>
               </appId>
               <userId>S-1-5-18</userId>
               <addressFamily>FWP_AF_INET</addressFamily>
               <packageSid>S-1-0-0</packageSid>
               <enterpriseId/>
               <policyFlags>0</policyFlags>
               <effectiveName/>
           </header>
           <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
           <classifyDrop>
               <filterId>143924</filterId>
               <layerId>48</layerId>
               <reauthReason>0</reauthReason>
               <originalProfile>1</originalProfile>
               <currentProfile>1</currentProfile>
               <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
               <isLoopback>false</isLoopback>
               <vSwitchId/>
               <vSwitchSourcePort>0</vSwitchSourcePort>
               <vSwitchDestinationPort>0</vSwitchDestinationPort>
           </classifyDrop>
           <internalFields>
               <internalFlags/>
               <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
               <capabilities/>
               <fqbnVersion>0</fqbnVersion>
               <fqbnName/>
               <terminatingFiltersInfo numItems="3">
                   <item>
                       <filterId>140231</filterId>
                       <subLayer>65535</subLayer>
                       <actionType>FWP_ACTION_PERMIT</actionType>
                   </item>
                   <item>
                       <filterId>143924</filterId>
                       <subLayer>9000</subLayer>
                       <actionType>FWP_ACTION_BLOCK</actionType>
                   </item>
                   <item>
                       <filterId>145378</filterId>
                       <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
                       <actionType>FWP_ACTION_PERMIT</actionType>
                   </item>
               </terminatingFiltersInfo>
           </internalFields>
       </item>
    
    And here is the corresponding section from wfpstate.xml
    <item>
                       <filterKey>{b991e2d2-bb66-4d59-992f-213e414c8dd2}</filterKey>
                       <displayData>
                           <name>Private Internet Access Firewall</name>
                           <description>Implements privacy filtering features of Private Internet Access.</description>
                       </displayData>
                       <flags numItems="1">
                           <item>FWPM_FILTER_FLAG_PERSISTENT</item>
                       </flags>
                       <providerKey>{08de3850-a416-4c47-b3ad-657c5ef140fb}</providerKey>
                       <providerData/>
                       <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
                       <subLayerKey>{f31e288d-de5a-4522-9458-de14ebd0a3f8}</subLayerKey>
                       <weight>
                           <type>FWP_UINT8</type>
                           <uint8>10</uint8>
                       </weight>
                       <filterCondition numItems="1">
                           <item>
                               <fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey>
                               <matchType>FWP_MATCH_EQUAL</matchType>
                               <conditionValue>
                                   <type>FWP_UINT16</type>
                                   <uint16>53</uint16>
                               </conditionValue>
                           </item>
                       </filterCondition>
                       <action>
                           <type>FWP_ACTION_BLOCK</type>
                           <filterType/>
                       </action>
                       <rawContext>0</rawContext>
                       <reserved/>
                       <filterId>143924</filterId>
                       <effectiveWeight>
                           <type>FWP_UINT64</type>
                           <uint64>11529218894359166976</uint64>
                       </effectiveWeight>
                   </item>
    
    You can see from above that it was a rule for my VPN that blocked the DNS request on port 53, however I only have 2 rules for the VPN and both are ALLOW
    pia-service.exe
    Location Domain,Private and Public
    Protocols - ANY
    Local and Remote IP - ANY and ANY
    Direction - OUTBOUND
    Action - ALLOW
    Interface Types - ALL
    
    pia-wgservice.exe
    Location Domain,Private and Public
    Protocols - ANY
    Local and Remote IP - ANY and ANY
    Direction - OUTBOUND
    Action - ALLOW
    Interface Types - ALL
     
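    The two drop events quoted in this post and in kilves76's post above are both resolved the same way: take classifyDrop/filterId from the netevents export (netsh wfp show netevents) and look it up in the filter list of the state export (netsh wfp show state); the providerKey of the winning filter then tells you whether the block came from Windows Firewall (FWPM_PROVIDER_MPSSVC_WF, which is where WFC's rules and the Default Outbound action live) or from a third-party WFP provider such as the VPN filter above. The script below is an added example, not code from the thread or from WFC. It parses trimmed copies of the two events and the two terminating filters quoted above (the <netEvents> and <wfpstate> wrapper elements and the trimming are assumptions about the export layout) and decodes the appId hex blob, which is the NT device path as UTF-16LE, so the process shows up as a readable path instead of the dotted asString form.

```python
import xml.etree.ElementTree as ET

# Provider key Windows Firewall (mpssvc) stamps on its own WFP filters.
MS_FIREWALL_PROVIDER = "FWPM_PROVIDER_MPSSVC_WF"

# Constructed sample: trimmed copies of the two drop events quoted in the thread.
NETEVENTS_XML = """<netEvents>
<item>
  <header>
    <timeStamp>2021-11-21T07:45:27.283Z</timeStamp>
    <ipProtocol>6</ipProtocol>
    <localAddrV4>192.168.2.2</localAddrV4>
    <remoteAddrV4>13.107.4.50</remoteAddrV4>
    <remotePort>80</remotePort>
    <appId><data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650033005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data></appId>
    <userId>S-1-5-21-...-500</userId>
  </header>
  <type>FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_DROP</type>
  <classifyDrop><filterId>69980</filterId><msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection></classifyDrop>
  <internalFields>
    <terminatingFiltersInfo numItems="1">
      <item><filterId>69980</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer><actionType>FWP_ACTION_BLOCK</actionType></item>
    </terminatingFiltersInfo>
  </internalFields>
</item>
<item>
  <header>
    <timeStamp>2021-11-22T09:41:13.097Z</timeStamp>
    <ipProtocol>17</ipProtocol>
    <localAddrV4>10.15.221.161</localAddrV4>
    <remoteAddrV4>1.1.1.2</remoteAddrV4>
    <remotePort>53</remotePort>
    <appId><data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650033005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c0061006300720079006c0069006300200064006e0073002000700072006f00780079005c0061006300720079006c006900630073006500720076006900630065002e006500780065000000</data></appId>
    <userId>S-1-5-18</userId>
  </header>
  <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
  <classifyDrop><filterId>143924</filterId><msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection></classifyDrop>
  <internalFields>
    <terminatingFiltersInfo numItems="3">
      <item><filterId>140231</filterId><subLayer>65535</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>
      <item><filterId>143924</filterId><subLayer>9000</subLayer><actionType>FWP_ACTION_BLOCK</actionType></item>
      <item><filterId>145378</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>
    </terminatingFiltersInfo>
  </internalFields>
</item>
</netEvents>"""

# Constructed sample: the two filters quoted from wfpstate.xml, trimmed.
WFPSTATE_XML = """<wfpstate><filters>
<item>
  <filterKey>{cf19603d-67c0-4dfb-ad77-6e818c7ce45c}</filterKey>
  <displayData><name>Default Outbound</name></displayData>
  <providerKey>FWPM_PROVIDER_MPSSVC_WF</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <subLayerKey>FWPM_SUBLAYER_MPSSVC_WF</subLayerKey>
  <filterCondition numItems="1"><item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue><type>FWP_UINT32</type><uint32>2</uint32></conditionValue>
  </item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterId>69980</filterId>
</item>
<item>
  <filterKey>{b991e2d2-bb66-4d59-992f-213e414c8dd2}</filterKey>
  <displayData><name>Private Internet Access Firewall</name></displayData>
  <providerKey>{08de3850-a416-4c47-b3ad-657c5ef140fb}</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <subLayerKey>{f31e288d-de5a-4522-9458-de14ebd0a3f8}</subLayerKey>
  <filterCondition numItems="1"><item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue><type>FWP_UINT16</type><uint16>53</uint16></conditionValue>
  </item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterId>143924</filterId>
</item>
</filters></wfpstate>"""


def decode_app_id(header):
    """appId/data is the NT path as UTF-16LE hex with a trailing NUL."""
    hexdata = header.findtext("appId/data")
    if hexdata:
        return bytes.fromhex(hexdata.strip()).decode("utf-16-le").rstrip("\x00")
    return header.findtext("appId/asString", "")


def load_drops(xml_text):
    """Collect classify-drop events; nested <item>s without a header are skipped."""
    drops = []
    for item in ET.fromstring(xml_text).iter("item"):
        hdr, cd = item.find("header"), item.find("classifyDrop")
        if hdr is None or cd is None:
            continue
        drops.append({
            "time": hdr.findtext("timeStamp"),
            "app": decode_app_id(hdr),
            "proto": int(hdr.findtext("ipProtocol")),
            "remote": hdr.findtext("remoteAddrV4") or hdr.findtext("remoteAddrV6"),
            "rport": int(hdr.findtext("remotePort")),
            "direction": cd.findtext("msFwpDirection"),
            "filter_id": int(cd.findtext("filterId")),
            # Per-sublayer verdicts; WFP's arbitration lets any block beat a soft permit.
            "chain": [(int(t.findtext("filterId")), t.findtext("subLayer"), t.findtext("actionType"))
                      for t in item.findall("internalFields/terminatingFiltersInfo/item")],
        })
    return drops


def load_filters(xml_text):
    """Index wfpstate filters by filterId (only <item>s that carry a filterKey)."""
    filters = {}
    for item in ET.fromstring(xml_text).iter("item"):
        if item.find("filterKey") is None or item.find("filterId") is None:
            continue
        conds = []
        for c in item.findall("filterCondition/item"):
            values = [ch.text for ch in c.find("conditionValue") if ch.tag != "type"]
            conds.append((c.findtext("fieldKey"), c.findtext("matchType"), values[0] if values else None))
        filters[int(item.findtext("filterId"))] = {
            "name": item.findtext("displayData/name", ""),
            "provider": item.findtext("providerKey", ""),
            "layer": item.findtext("layerKey", ""),
            "sublayer": item.findtext("subLayerKey", ""),
            "action": item.findtext("action/type", ""),
            "conditions": conds,
        }
    return filters


def attribute(drop, filters):
    """Who owns the filter that terminated the connection."""
    f = filters.get(drop["filter_id"])
    if f is None:
        return "unknown"   # state export taken after the filter changed; re-export and retry
    return "windows-firewall" if f["provider"] == MS_FIREWALL_PROVIDER else "third-party"


def report(drops, filters):
    lines = []
    for d in drops:
        f = filters.get(d["filter_id"], {})
        lines.append(f"{d['time']} {d['direction']} proto={d['proto']} {d['app']} -> {d['remote']}:{d['rport']} "
                     f"dropped by filter {d['filter_id']} [{attribute(d, filters)}] {f.get('name', '?')} "
                     f"conditions={f.get('conditions')}")
        for fid, sublayer, action in d["chain"]:
            lines.append(f"    sublayer {sublayer}: filter {fid} -> {action}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(load_drops(NETEVENTS_XML), load_filters(WFPSTATE_XML))))
```

    The second event's terminating chain is the part worth reading: the Windows Firewall sublayer returned a permit (filter 145378, the user's allow rule) and the 65535 sublayer returned a permit, yet the connection was dropped, because WFP arbitration lets a block from any sublayer override a soft permit from another. That is why adding more allow rules in WFC cannot fix a drop whose winning filter belongs to a different provider. In the first event the winning filter is Windows Firewall's own Default Outbound for originalProfile 2 (the Private profile in the NET_FW_PROFILE_TYPE2 numbering), which only fires when no allow rule matched that connection in that profile.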
  15. peter_brown_usa

    peter_brown_usa Registered Member

    Joined:
    Aug 20, 2014
    Posts:
    26
    No, that did not work; adding those rules for these IP addresses did nothing, so they are still being blocked.

    I have tried deleting all the acrylicservice rules and then adding them in as new. Nope, this did not work as they still keep on getting blocked.

    I deleted the 2 VPN rules and re-added them but still the IP addresses get blocked.
     
  16. peter_brown_usa

    peter_brown_usa Registered Member

    Joined:
    Aug 20, 2014
    Posts:
    26
    After a bit more digging around it appears that Private Internet Access VPN is to blame. It looks like the PIA VPN app is blocking the DNS as part of its kill switch settings even though I don't have the kill switch operating.
    The kill switch is designed to block all internet traffic if the connection goes down. Now I don't have that set up, but it appears that for some reason it's blocking DNS regardless of whether the VPN is active or not.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    I wanted to suggest that PIA may be the culprit here after seeing this in your previous post:

    <displayData>
    <name>Private Internet Access Firewall</name>
    <description>Implements privacy filtering features of Private Internet Access.</description>
    </displayData>

    At least you found out the source of the problem. WFC displays what Windows Filtering Platform is logging in the Security event log. These days, all security programs are using Windows Filtering Platform for packet filtering purposes. Other vendors use it too, so that they don't have to install their own drivers for this. Unfortunately, all these events do not contain a source, so a connection may be blocked by different filters, some of them created by Windows Firewall, some of them created by 3rd party vendors.
     
    Last edited: Nov 23, 2021
  18. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    The curious part was that despite the svchost wuauserv service having an allow rule, they were still getting blocked. Something not working quite right there, not taking the service into account, but matching some other svchost rule and blocking it? Very strange.

    But now exploring into tighter firewall rules territory, there's something even more curious, which is why I kept that second sentence of yours:
    All svchost is restricted to Local Subnet, only dnscache is allowed out, to specified DNS servers (not MS). IPv6 tunnels (teredo, 6to4 and isatap) are disabled and IPHTTPS service disabled.
    Oversight: IPHTTPS was not expressly disabled by setting Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\IPHTTPS_ClientState to 3, so in theory it could have been that, despite there not being a permit rule for such.

    Yet there has been communications activity from svchost.exe to MS servers, uploading 100+ kB of data... I cannot find a rule which would permit this. There are no generic allow rules at all. Yet it happened, as witnessed by the network sniffer which was left on overnight (and which will stay on until a cause is found, plus some extra parole time).

    Are there any other firewall rules active in the system than the user rules which WFC edits, which could cause this? For example, are the rules under
    Code:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices
    actually active? Plenty of allow rules there, in addition to all the blocks.

    Or did Windows Firewall (NOT wfc!) finally start getting leaky? Maybe just homesick, sending love letter to Papa Bill.
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    WFC displays the firewall rules stored here:
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

    Windows Firewall also has some rules stored in these keys:
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System


    They are not available through Windows Firewall API and therefore they are not displayed in WFC. These are some internal rules. Why wouldn't they apply ?
     
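    The rules under those RestrictedServices keys (and under FirewallRules) are stored as REG_SZ values in one string format: a version tag such as v2.30, then pipe-separated Key=Value fields where keys like Profile, RPort and RA4 may repeat. Since WFC cannot show them, reviewing them means exporting the keys (reg export, or Get-ItemProperty in PowerShell) and reading the strings. The parser below is an added example, not code from WFC or from the thread; the sample values are constructed to illustrate the format and are not copies of Microsoft's real entries, and the review it performs (active, outbound, Allow, with or without a remote-address scope) is the check a practitioner would run over a dump of those keys.

```python
# Constructed sample values in the FirewallRules string format. Value names are
# arbitrary here; on a real system they are GUIDs or rule names.
SAMPLE_VALUES = {
    "{11111111-0000-0000-0000-000000000001}":
        "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443"
        "|App=%SystemRoot%\\system32\\svchost.exe|Svc=wuauserv|Name=Sample Update Out|",
    "{11111111-0000-0000-0000-000000000002}":
        "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=3544|RA4=192.0.2.10"
        "|App=%SystemRoot%\\system32\\svchost.exe|Svc=iphlpsvc|Name=Sample Tunnel Out|",
    "{11111111-0000-0000-0000-000000000003}":
        "v2.30|Action=Block|Active=TRUE|Dir=Out|App=%SystemRoot%\\system32\\svchost.exe|Name=Sample Block|",
    "{11111111-0000-0000-0000-000000000004}":
        "v2.30|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=445|App=System|Name=Sample Disabled|",
}


def parse_rule(value):
    """Split 'v2.xx|Key=Val|Key=Val|' into {'version': ..., Key: [Val, ...]}."""
    version, _, rest = value.strip("|").partition("|")
    rule = {"version": version}
    for field in rest.split("|"):
        if not field:
            continue
        key, _, val = field.partition("=")
        rule.setdefault(key, []).append(val)   # repeated keys (RPort, Profile, RA4) accumulate
    return rule


def first(rule, key, default=""):
    return rule.get(key, [default])[0]


def review(values):
    """Active outbound Allow rules, flagging any with no RA4/RA6 remote-address scope."""
    findings = []
    for value_name, raw in values.items():
        r = parse_rule(raw)
        if (first(r, "Active") != "TRUE" or first(r, "Action") != "Allow"
                or first(r, "Dir") != "Out"):
            continue
        findings.append({
            "value": value_name,
            "name": first(r, "Name"),
            "app": first(r, "App"),
            "svc": first(r, "Svc", "(any service)"),
            "rports": r.get("RPort", ["any"]),
            "remote": r.get("RA4", []) + r.get("RA6", []),
            "unscoped": "RA4" not in r and "RA6" not in r,   # can reach any remote host
        })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_VALUES):
        flag = "ANY-HOST" if f["unscoped"] else ",".join(f["remote"])
        print(f"{f['name']}: {f['app']} svc={f['svc']} rports={','.join(f['rports'])} remote={flag}")
```

    A rule whose only scoping is Svc= still runs inside a shared svchost.exe, so the process identity the firewall sees is the host, not the service; treat unscoped outbound Allow rules for svchost.exe as the ones worth looking at first.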
  20. Blue Sec

    Blue Sec Registered Member

    Joined:
    Jul 15, 2014
    Posts:
    3
    What version of Windows Firewall Control do you use?
    Are the upgrades better than version 5?
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    For whom are these questions?
    The changelog is located here https://binisoft.org/changelog.txt and users can decide for themselves.
    Using the latest version is always a better idea since WFC is now digitally signed, has more bug fixes and also some new features.
     
  22. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    I have never seen them mentioned anywhere. But I think they are the answer to the strange case, where data gets sent out by svchost despite there not being a single user created allow rule to permit that: these default rules ARE active at all times and there are plenty of allow rules for various executables. Need to try deleting them and see if Windows still stays functional.

    They do not override anything though, by creating encompassing Block rules for svchost no more breaches have been observed. It's just a bit difficult because the Block rule must except all DNS servers, LAN ranges, localhost, broadcast and multicast addresses, and such. And there are Allow rules for much else than just svchost.

    To save others the trouble, here's an example of a svchost Block rule that still permits communication with the DNS of Cloudflare (the whole 1.0.0.0/24 and 1.1.1.1/24 provide DNS, with .3 in each for family safe), Google, Quad9, OpenDNS (family .123 and normal); LAN ranges of 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16; and necessary local broadcast/multicast addresses used by fdphost/fdrespub, LLMNR, ssdpsrv, upnphost (hope I didn't forget any):
    Code:
    1.0.1.0-1.1.0.255,1.1.2.0-8.8.4.3,8.8.4.5-8.8.8.7,8.8.8.9-9.9.9.8,9.9.9.10-169.253.255.255,169.255.0.0-172.15.255.255,172.32.0.0-192.167.255.255,192.169.0.0-208.67.220.122,208.67.220.124-208.67.220.219,208.67.220.221-208.67.222.122,208.67.222.124-208.67.222.221,208.67.222.223-224.0.0.250,224.0.0.253-239.255.255.249,239.255.255.251-255.255.255.254
    If you use 10.0.0.0/8 for yourself then add it, if you use a VPN service which uses any of the above LAN ranges then remove it.

    Note that this is only for svchost; if you choose not to remove the default rules under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices then you need to review all of them for unwanted communications potential... didn't count them but it looks like there are 100+ rules there. Quite a hidden gem by MS to make them invisible to the user unless one goes poking around the registry. There's a fine line between a feature and a backdoor and this is really dancing very precariously between them.
     
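    A block rule whose remote-address list is "everything except my resolvers, my LAN and the local multicast/broadcast addresses" is the complement of an allowlist, and building it by hand is exactly where an address gets forgotten. The script below is an added example, not code from WFC or from the post: it takes an allowlist of networks and hosts, merges overlapping and adjacent entries, and emits the remaining gaps in the form a Windows Firewall remote-address field accepts (comma-separated single addresses and first-last ranges). The ALLOWED list is an assumption for the example, covering the resolvers and ranges the post names plus loopback; it is not a copy of the post's hand-built list and the output will differ from it. The sanity check at the end re-tests every allowlisted address against the generated ranges, which is the check the post's "hope I didn't forget any" is asking for.

```python
import ipaddress

# Assumed allowlist for this example: adjust resolvers and LAN ranges to your own.
ALLOWED = [
    "1.0.0.0/24", "1.1.1.0/24",            # Cloudflare, including the .2/.3 family variants
    "8.8.8.8", "8.8.4.4",                   # Google
    "9.9.9.9",                              # Quad9
    "208.67.222.222", "208.67.220.220",     # OpenDNS
    "208.67.222.123", "208.67.220.123",     # OpenDNS FamilyShield
    "127.0.0.0/8",                          # loopback
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",   # link-local and RFC 1918 LAN ranges
    "224.0.0.251", "224.0.0.252",           # mDNS, LLMNR
    "239.255.255.250",                      # SSDP/UPnP
    "255.255.255.255",                      # limited broadcast
]


def _merge(spans):
    """Merge sorted (first, last) integer spans that overlap or touch."""
    merged = []
    for start, end in sorted(spans):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def allowlist_to_block_ranges(allowed, universe="0.0.0.0/0"):
    """Complement of `allowed` inside `universe`, as (first, last) integer pairs."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    spans = _merge((int(n.network_address), int(n.broadcast_address)) for n in nets)
    u = ipaddress.ip_network(universe)
    cursor, last = int(u.network_address), int(u.broadcast_address)
    gaps = []
    for start, end in spans:
        if end < cursor:
            continue                                   # allowed span lies below the universe
        if start > cursor:
            gaps.append((cursor, min(start, last + 1) - 1))
        cursor = max(cursor, end + 1)
        if cursor > last:
            break
    if cursor <= last:
        gaps.append((cursor, last))
    return gaps


def format_ranges(gaps):
    """Render as the address/range list a rule's remote-address field takes."""
    parts = []
    for start, end in gaps:
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        parts.append(str(a) if start == end else f"{a}-{b}")
    return ",".join(parts)


def covers(gaps, ip):
    """True if `ip` falls inside one of the block ranges."""
    n = int(ipaddress.ip_address(ip))
    return any(start <= n <= end for start, end in gaps)


def allowed_caught_by_block(allowed, gaps):
    """Sanity check: allowlist entries whose first or last address the block list still covers."""
    caught = []
    for a in allowed:
        n = ipaddress.ip_network(a, strict=False)
        if covers(gaps, str(n.network_address)) or covers(gaps, str(n.broadcast_address)):
            caught.append(a)
    return caught


if __name__ == "__main__":
    gaps = allowlist_to_block_ranges(ALLOWED)
    print(format_ranges(gaps))
    print("allowlisted entries caught by the block list:", allowed_caught_by_block(ALLOWED, gaps))
```

    If you use 10.0.0.0/8 locally, add it to ALLOWED; if your VPN hands out addresses from one of the listed LAN ranges, remove that range. The generated string goes into the block rule's remote address field (the Remote IP field in WFC, or remoteip= with netsh advfirewall firewall add rule).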
  23. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    After deleting the key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices it recreates itself but only with Configurable subkey, all of which are empty, so good riddance to this hidden little...door.

    One should Export the key's default values into a backup file before deleting just in case, right click on the RestrictedServices key and choose Export, then delete.
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Thank you for sharing this info.
     
  25. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    Some more questionable behavior by MS apps: download MSERT.EXE the Microsoft Support Emergency Response Tool, which does offline virus scanning. Nowhere does it say though that its behavior is anything but offline...

    Put WFC on Medium filtering, Secure Profile, Secure Rules.
    Create a Block rule for MSERT.EXE where you have it, for example C:\tmp\MSERT.EXE , both in and out block.

    Let it scan a large volume with virus/backdoor/PUP/EICAR test-string programs and watch on your network monitoring application how MSERT.EXE effortlessly makes it through the firewall to Microsoft's servers.
    Now the real question is, how likely is it that this is the only MS app that treats Windows Firewall as a joke - and how many malware authors have reversed the code and are using its tricks to also bypass the Windows Firewall.

    Something about Swiss cheese.
     