Windows Firewall Control (WFC) by BiniSoft.org

Next WFC version will be able to create new rules based on the UPPERCACE notifications exceptions. Unfortunately, standard user accounts will not be allowed to create new firewall rules anymore.

 

Sounds good to me...

 

Thank you very much. And would you please consider adding auto-rules for non-admins? It doesn't have to be the default setting. Only after enabling this feature.
Many of my users do not have admin rights. As a result, various applications do not work for them.
I would be very happy to pay you for this feature.
Thank you very much!

 

Ok, so if you are not an admin, you can't define new notification exceptions, but the ones created when the process was elevated by an admin should apply even if you are a standard user. Sounds reasonable. I will give it a try.

 

Windows Firewall Control v.6.20

Change log:
- Fixed: Uppercase notifications exceptions do not work if notifications are disabled.
- Fixed: Secure Rules does not work correctly if any of the authorized group names contain the apostrophe character.
- Improved: Added extra locks in Secure Profile logic.

Download location: https://binisoft.org/download/wfc6setup.exe
SHA256: 8e0cb63ef045a16710f32c4e501219d6cae17c53a3cc346cca6571d69cf97c20
SHA512: 283e4775b85d7ccc3af4bd04c6ecad6ab9fe88e3a696369f08b78c1360a589a621dc846fa64c1a48582309c10b55f6f292161b6b38b48abd6b668bd7ad849cfa

Thank you for your feedback and your support,
Alexandru Dicu

 

@alexandrud
Hi, when I uninstall WFC but want to keep the rules created with it and manage them with the internal Windows Firewall, how do I make them "editable"? They seem to be locked.

 

@human_centric

Removing the GROUP NAME (Windows Firewall Control) should be enough.

 

@Alpengreis
Hi, I reinstalled WFC and yes, removing my rules from the Windows Firewall Control group makes them editable after uninstalling again, thank you. My 2 cents: it should do so by default when uninstalling WFC, or at least give the option if one desires.
My use case for WFC on a particular laptop is using it to basically clean the Windows Firewall, add the rules for my programs and then uninstall it and enable / disable my rules via wf.msc.

 

Back to the "context-aware offline manual" issue:

https://www.wilderssecurity.com/thr...-by-binisoft-org.347370/page-288#post-3181681

This should be possible by replacing the PDF with HTML Documentation. This is obviously just a thought for your consideration, and low-priority.

 

@AmigaBoy

It would be possible with other mechanism like eWriter or something like that. But that would mean, another components are required and the project would be bigger.

And please no .chm - this is unsecure and CHM is EOL (end of life).

You don't need Acrobar Reader, there are other Readers. I also haven't Acrobat, I use PDF-XChange Editor (FREE) for example. Or use it in a Browser (if this is acceptable for you).

 

I mean simple html files, to be opened by any web browser. Can be done even with a single, self-contained HTML file.

They should be more flexible than PDF. KeePassXC for example, includes a few html documentation files for offline use.

 

@AmigaBoy

Ah, okay, that wouldn't be a problem at all of course!

Perhaps it could even be added without much effort.

 

Windows Firewall Control v.6.21

Change log:
- Improved: Added extra checks to avoid malicious DLL injection.

Download location: https://binisoft.org/download/wfc6setup.exe
SHA256: fb3c41fad9d9ead29b9c9d22fe2a1c0c76801a2aa6feaf24289deb4b59ae0654
SHA512: 855d7c136c3219bfdec64fda71fbf347abe77bc099c092c86aa12f2556203b8404816baa59223b186bc430a5b30373c920e5abec47ad961df9a88f27d2291203

Thank you for your feedback and your support,
Alexandru Dicu

This is just a maintenance version where some attack vectors were patched.

 

Could you elaborate on that to understand a bit more please?
Describe some scenarios as examples?
Thanks in advance.

 

Hello,
I'm trying to autoupdate, also I've checked manually but it says that 6.20.00 is the latest version and that no new version is currently available.

 

Auto update worked fine for me here.

 

Check for updates is fixed now.

Regarding the new security feature, if WFC service detects unexpected injected modules (in wfcUI.exe or wfcs.exe) which are not supposed to be there, you will see the blue tray icon.
The reason will be displayed in WFC event log, something like this:



It is also important to mention that the new feature requires WFC to be installed under %ProgramFiles% folder, otherwise, the same blue tray icon will be displayed. Installing WFC under a custom folder like C:\MyApps\WFC will break the new validation. The protection against malicious injected modules can't be performed if WFC is installed in a folder where any user account has write access. Thank you for your understanding.

 

I just managed to successfully autoupdate to version 6.21.0.0. Thank you for the quick fix.

 

It would be so nice if you add such info in the User Guide, for future reference, I guess. Thanks.

 

Same here. Worked fine.

 

Windows Firewall Control v.6.22

There is always something unexpected

Change log:
- Improved: Extended the list of locations which are considered safe in version 6.21 to avoid conflicts with Windows Defender.

Download location: https://binisoft.org/download/wfc6setup.exe
SHA256: 289d4c4ab02d27ecfb420370896ead733899a7d7a79b0c1088d8e098e4a996fb
SHA512: 158b31667fe0ba2220c304363c3614ba03b099c84367d4a6a7003b34e268e39f86533339d1a25b50b125fbf0e0f42066bf7cba0f5d85237f9519a2a9866eea4e

I also updated the user guide. There is a new paragraph Important security information under System requirements section.

Thank you for your feedback and your support,
Alexandru Dicu

 

Hello Alexandru,
by opening the main WFC panel on 6.21 I now got a blank window. I managed to successfully update to 6.22 by exiting from WFC with right-click then exit and in an elevated CMD window, I ran: wfc6setup.exe -update.
You gave me that hint in the past when I had some trouble in autoupdating WFC and it worked then too.

https://www.wilderssecurity.com/thr...-by-binisoft-org.347370/page-308#post-3233049

 

WFC is installed in "C:\Program Files\Malwarebytes\Windows Firewall Control" but I only see the blue exclamation mark.
The event log shows these two errors:
Could not validate peer!
Error while subscribing client.

Edit: If this takes longer to fix, where do I find v6.20 to revert to?
Edit2: Found v6.20, works again. What is needed to get v6.22 to run?

 

Hello,
it should be at https://binisoft.org/download/old/62000/wfc6setup.exe

 

Here is the URL to version 6.20: https://binisoft.org/download/old/62000/wfc6setup.exe

The new security patch from WFC does not allow anymore injected DLLs from sources other than programs located under C:\Program Files\ or C:\Windows\. These are considered safe folders where a malicious software will need first to gain administrative privileges until they could do any harm. The reason why WFC behaves like this is because I got an important security report where an attacker could exploit WFC by injecting a DLL into WFC processes and create a new firewall rule or disable Windows Firewall. All of these actions, from a standard user account. Now, to take advantage of the same exploit, the malicious software will need first administrative privileges to be first copied into those protected system folders. But, if a malware software already has such administrative privileges to plant itself into C:\Program Files\ or C:\Windows\, WFC is your last concern since with such privileges, the malicious software can do a lot of harm already.

To summarize, as long as the programs which tend to inject DLLs into other processes are in safe folders like C:\Program Files\* or C:\Windows\*, WFC will accept them. If there is a software running from a custom location (C:\MyApps, or X:\Portable, etc) and injects its modules into WFC processes, WFC will not like it.

Please open WFC event log (eventvwr.msc) and navigate to Applications and Services Logs -> WFC, identify the error event and check the Details tab of the error event. It should contain the name and the path of the module which WFC does not like anymore to be injected into its own processes. Something similar to this one:

System.Exception: Suspicious module detected. ProcessID=1784 ProcessName=wfcUI ProcessFile=C:\Program Files\Malwarebytes\Windows Firewall Control\wfcUI.exe ModuleName='Dock64.dll' ModuleFile='C:\MyApps\ObjectDock Plus\Dock64.dll'

There are two possible options:
1. Create an exception in the offending software to skip WFC processes/folder so that WFC is left alone.
2. Use WFC 6.20 and do not upgrade to a newer WFC version.
or:
3. Make sure you install your programs in their designed folders and everything should work the same in WFC as in the previous versions.

P.S.: Since Malwarebytes acquired Binisoft, a lot of security researchers want to make some money by finding bugs and filling security reports. I know that such changes are not popular among WFC users, but I have no solution. I have to patch these vulnerabilities.