another Windows Firewall Control?

Discussion in 'other firewalls' started by moontan, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I see similar memory usage on Vista Home Premium x64 with the most current .NET. I have been using WFC for a while now through several different versions and memory usage has always been close to the following numbers.

    Code:
    Name      PID   CPU  Total CPU Time  Private Bytes  Virtual Size  Working Set  User Name            Command Line
    wfcs.exe  2184       00:00:19.671    53.72 MB       593.41 MB     9.79 MB      NT AUTHORITY\SYSTEM  "C:\Program Files\Windows Firewall Control\wfcs.exe"
    wfc.exe   2368       00:00:21.356    116.86 MB      789 MB        4.76 MB      KENT-HP-PC\Kent      "C:\Program Files\Windows Firewall Control\wfc.exe"
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    I have a bug involving the manage rules window on Vista Home Premium x64. If I am in the manage rules window and it is maximized, if I try to close it will minimize to the task bar. However if the manage rules window is not maximized, it will indeed close as expected. The minimizing when closing only happens when the manage rules window is maximized, other times works as expected.

    Also, I do not know if the manage rule window is supposed to remember its position or not, but if it is then on my machine it is not remembering the window position.
     
  3. hornet77e

    hornet77e Registered Member

    Joined:
    Jun 19, 2012
    Posts:
    5

    same in Win8RTM
    Maximized Rules just minimized
     
  4. PabUK

    PabUK Registered Member

    Joined:
    Sep 11, 2012
    Posts:
    18
    It was actually something of an exaggeration. I like Aero a lot, though I also think Metro is nice (not convinced about Windows 8 itself though). My real point was that I think a program can still look nice enough and not use WPF, thus maybe avoiding these memory issues (if it is really the cause).
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    I just saw this bug, it will be fixed soon. Until then, please close the Manage Rules from normal state.

    Also, I want to ask you if you have encountered problems with the fade in and fade out effects of the windows from WFC? Especially with Manage Rules, because it takes a lot more space and the transparency and the fade is applied to an extended area. I am thinking of removing these fade in / fade out effects because it seems that they affect the responsiveness of the program. What do you think?
     
    Last edited: Sep 12, 2012
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    The fade ins and fade outs are a nice visual effect but they are not necessary IMHO. I can do without that feature (especially if it causes the process to use more memory). For the most part once you have your policy set up, the frequency of which you enter into and exit from WFC's windows becomes limited and as with me, I really do not notice it or pay that much attention to the fades.
     
  7. hornet77e

    hornet77e Registered Member

    Joined:
    Jun 19, 2012
    Posts:
    5
    yes from time to time.
    +2 for remove :) :thumb:
     
  8. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262

    Unfortunately, the use of all the extra memory to make WFC look better makes it less useful for light setups and for netbooks..... I bought a license because WFC was light on resources and to have decent outbound control, not for nice visuals which eat up quite a bit of memory......
    No offence meant, but for a computer with a lot of RAM, I rather prefer a full featured security suite for 20-30 MB of extra used memory....
    My personal opinion is that WFC is losing its focus, and although it's a great program, if people can choose without having to worry about RAM usage restrictions, it simply can't compete with the big league due to its lack of extra protection......
     
  9. PabUK

    PabUK Registered Member

    Joined:
    Sep 11, 2012
    Posts:
    18
    I updated my nVidia drivers to a newer beta (306.02) in case it helped, but it made no difference to RAM usage. I did however discover another memory issue...

    After opening both the main and rules windows, wfc.exe uses 100 MB of my dedicated GPU memory! Like with the RAM, this memory use remains even after closing the windows.

    Is this also because of WPF? Seems crazy, as I have checked other programs, even some that are graphic-heavy, and they don't use any of my GPU memory at all.

    Sorry to keep finding new concerns, but I'm only doing it because I like the program and hope to see these things resolved so I can continue using it.
     
  10. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Same on my Vista Ultimate x64-Bit machine.

    It didn't remember the position after the update, but after re-sizing it again, it actually did remember it even after exiting the program.


    Not sure if this is intentional (perhaps a 'feature' and not a bug :)), but something strange I've also been noticing is that the program randomly tends to stick in my quick switch menu (alt+tab) even though none of its windows are open:

    http://i814.photobucket.com/albums/zz63/MrElectrifyer/Random%20Stuff/WFCInQuickSwitchMenu.png

    Exiting and reopening the program appears to make it go away temporarily. Not sure what the cause is.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    I will investigate this too and I will provide a fix. Thank you for reporting this.
     
  12. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    Hello,

    I hope someone can clarify the following:

    I use win7 64 ultimate. A native firewall customized outgoing rules. MSE and MBAM Pro real time complement the firewall.

    I heard about the Windows Firewall Control by Binisoft. I gave it a try to explore the options. The user interface is very good. I already had a nicely working win7 native firewall. The WFC picked up all of them and added a few on the win7 firewall. Until then, my browsers (chrome and firefox) were set on the win7 firewall for a TCP protocol on ports 80 and 443.

    No sooner had I installed the WFC than the problem surfaced. The browsers stopped working. I examined the native firewall rules. The browser rules disappeared. I added to get the Firefox straight away. But Chrome stopped working unless I let the WFC implement the rules to work on any protocol and ports. If I disable the chrome rule in the WFC and set it in native firewall it won't work.

    The WFC also sets a Remote Connection with single IP address on a remote port 80. What is it for? I did not set any. Could anyone explain please?

    It also blocked a range of ports with 3 rules; one each for WFC - Akamai Technologies, WFC Microsoft Limited and WFC - Microsoft Internet Data Centre. I have not noted down the port ranges. The MBAM Pro also won't update.

    I uninstalled WFC and everything went back to normal. I can browse, while I uninstalled to the pre-installation settings.

    I wonder if someone can throw some light on this strange behaviour please?
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    WFC uses the same rules as Windows Firewall.
    Q1: The rules that you have created before for Chrome and Firefox were created from WFwAS interface?
    Q2: After you have created these rules did you set Windows Firewall to block outbound connections for the programs that do not match a rule? If not, your rules were not really enabled because all connections are allowed by default by Windows Firewall until you set it to block all the programs that don't have a rule.

    The browsers stop working in the following situations: High Filtering is enabled on WFC or Medium Filtering is enabled but the rules for Chrome and Firefox don't exist. At installation, WFC does not delete any rules and does not modify any Windows Firewall settings. Usually, after you install WFC for the first time you have it set to Low Filtering profile. No rules are deleted in the process. Try to remember if you did not restore Windows Firewall settings to the default policy. This is the only situation that comes to my mind. Chrome browser can connect normally if you create a rule for it to allow TCP port 80, 443. Please check if the connection that you tried to initialize wasn't on another port or protocol. It does not matter where you set Chrome, because WFC uses the same rules as Windows Firewall. Also, please make sure that your connection to the internet is active. On my system, sometimes the broadband connection closes itself and I must connect again manually.

    This is not a remote connection. The rule name is "WFC - Windows Firewall Control Updater" and this rule is used by WFC to connect to our server to check if a new version is available. This is done always at user request, if he presses on the button named "Check if a new version is available" from the About tab of WFC. This check is never done automatically. If this rule doesn't exist, Windows Firewall will block WFC and the check is not possible. This rule is part of the Recommended rules that was checked on the installation window when you have installed WFC. All recommended rules names start with "WFC - name". These rules can be easily deleted by the user anytime. These rules are not installed if the user unchecks the corresponding checkbox at installation. They are recommended, not mandatory.

    To allow MBAM to connect you must create a rule for its executable. Then it will connect. For registered users, there is available Learning Mode which makes things easier. For non registered users, all configurations must be done manually. After you have uninstalled WFC, everything went back to normal, but this is because the default profile of Windows Firewall was restored. This means that any program can connect to the internet.

    I hope this was helpful for you and for others too. If you have other questions, please post them here.

    Have a nice day.
     
  14. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    Indeed. I created the rule from WFwAS. The firewall property is set to block all incoming and outgoing connections unless defined by a rule. The chrome and FF firewall rules were created weeks ago with TCP protocol for ports 80 and 443.
    Strange it disappeared after the installation of WFC.

    No.

    Please brief us why you have recommended blocking them? Thanks

    Normally, the browsers need TCP for ports 80, 443. Is there a reason why WFC creates a browser rule, say for Chrome, for all protocols and any ports.

    I would be happy to give it another try as a registered user before donating if I am happy.

    Thanks
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    In this situation, the profile was set on Medium Filtering, and because there were not found any rules for Chrome or Firefox, they were blocked. In this case you must create the rules manually. The rules can be created automatically for signed applications, but this is available only for registered users. Indeed, it is strange that your rules were not there, but again, WFC does not delete any rule.

    I chose to create those rules, as recommended rules, to block svchost.exe to connect to those IP ranges because Microsoft collects information about their products without our approval. We don't know actually what information they send back to them. This is the reason. Also, many users of Wilders Security Forums have requested this. I personally don't like to see svchost.exe connecting to various internet locations, because I did not request those connections. I don't know their reasons for executing such connections, but they should not connect.

    Anyway, these rules can be easily deleted after installation if they were created at installation on user's request.

    For example, to connect to my html email version I must access a website on port 2082. To change the website I must login to port 2095 to see the CPanel. And the examples can continue. After all, it does not matter if you allow iexplore.exe or chrome.exe to connect on all ports or you set them only to 80 and 443. Let's assume that your system gets infected, and some malware tries to impersonate the process chrome.exe and tries to connect. Also, this attempt is not detected by your antivirus. It will use port 80 to look legitimate. So, in the end, if you are already in this scenario, it does not matter anymore the ports that you set in your rule. This is why, a generic rule for all ports is as good as one fully customized.

    Give it another try even if you are not a registered user. There is plenty of functionality that you can use and which will help you to easily manage Windows Firewall.

    Have a nice week-end.
     
  16. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    Hi,

    I am always skeptical of unrequested svchost.exe connections. Furthermore, the questions posted to you are for understanding. I have not deleted those recommended blocks. I am keeping them as it does not impact my browser experience.

    It is strange that the rules created disappeared for no reasons. It is bizarre.

    I did download and tried. I wanted to understand the type of alert that your WFC creates. You had requested $10 as a donation; it is no big deal and I happily donated this morning. :)

    I have a number of questions:

    (1) Is it not better not to specify any local port than specifying a particular local port for a connection? I know it is better to tie a local port a connection as it improves security. For example: Flash player update service is identified with local port 52305, while MBAM scheduler and MBAM.EXE are tied to I think local port 52677. Firefox UDP out is linked to local port 58337.

    (2) Some applications that I use need to have a set of sub-nets. Your WFC alerts, when that application is launched, with a remote IP and a port. I tried editing that rule (after allowing it in the WFC) to include a range of IPs and ports. After a while, the WFC reverts to its originally identified IP address and the port number. I find it a little strange that the modified rule in the WFC disappears. Does it mean the modification needs to be done before allowing the rules please?

    Nevertheless, if I modify the subnets and port ranges before allowing/blocking, that stays intact!

    (3) Is there a way where I can (i) modify the time limit for "ask later"? (ii) access the blocked/ask later rules, and (iii) globally reset the Windows Firewall Control group name to groups of my choice?

    (4) I was expecting the wfc to be light in resources. It does not appear to be like that. My process shows (i) wfc.exe at 160K, and (ii) wfcs.exe to 30k (this is fine).

    (5) Manage Rules: Reaction time to dragging the up and the down arrows is too long compared to the dragging the up and the down arrows on the WFwAS. My desktop is a xeon workstation with a 28GB DDR2 RAM.

    (6) Is it not possible to hold the running of the application until a rule is allowed. Do we need to relaunch them please?

    (7) For some reason, I am unable to connect to Chrome. The WFC has not produced an alert for Google Chrome despite several launch attempts.

    Thanks and have a nice week end.

    Thanks,
    SSri09
     
  17. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    Hi Alexandrud,

    Although Notification is set to High for all blocked outgoing connections, it is once again not showing alerts. The Skype is trying to connect but there is no alert. Any ideas?

    Regards - SSri09
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    It is better to allow all local ports. Specifying a few ports does not improve the security. Usually, if a program tries to connect from a local port and it is denied it will try plenty of other ports until it will find one available. To test this, when you are notified about Firefox.exe create a rule to allow only that local port from the notification. Next time when you will start Firefox.exe you will see that it will use another port, so the rule is useless. In my opinion, don't spend too much time with local ports.

    The modifications should be applied after you press on the Apply button. To double check if a rule was successfully modified press on the Refresh button from Manage Rules (or press F5 on your keyboard). If the rule appears modified after a refresh of the entire list of rules it is ok, if not, there may be a problem with the communication with the Windows service.

    1. No, that limit is fixed to 30 seconds. If the user does not hover the mouse over the notification in 30 seconds it will be closed automatically. The notification can show again later. If the user moves the cursor on the notification, it stays opened until the user chooses what to do. A dismissed notification can be displayed again only after 1 minute. Pressing on "Ask me later" button will close only the notification window. Nothing is happening in this case.

    2. No. A logging feature is planned from long time ago, but it is only in beta phase and very buggy and resources consuming. For now, such a feature is postponed.

    3. No, the default group is "Windows Firewall Control". In Manage Rules window you can change the group name for every rule that you want, including for the default Windows Firewall rules. This can't be achieved from WFwAS. The group name is not mandatory and can be left blank.
    (4) I was expecting the wfc to be light in resources. It does not appear to be like that. My process shows (i) wfc.exe at 160K, and (ii) wfcs.exe to 30k (this is fine).

    This is happening because of the DataGrid control from WPF which, even with the virtualization set to on, it fails to perform smooth scrolling. I will try to find an alternative for this control in the future. This is on the TO DO list. In WFwAS the scrolling is faster because they don't use WPF.

    Relaunching of the application is not necessary. Just press on the Refresh button from your browser to refresh the page and it will connect without problems after you have created the rule. Also, this applies to all programs. Just press on Reconnect, Refresh, Update, etc, and they will connect. Restarting an application is not required.

    On the majority of systems the notification for chrome.exe appears instantly, but on others, the notification appears after 2-10 seconds. I can't reproduce this behavior programmatically to see what is the reason for this. This is also under observation.

    Is this happening only with Skype and Chrome or do you have this problem with all programs? If you choose "Ask me later" on a notification, a new notification will be displayed again only after minimum 1 minute. For Skype, you never got a notification? Which profile of WFC do you use? Notifications are available only for Medium Filtering profile.
     
  19. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    I did not get the notification for both of them. I then deleted the downloaded Chrome Setup and downloaded again to complete the installation. But it neither alerted me nor created it. I then manually added a rule in the WFwAS.

    There was no alert for Skype either. When I launched Skype, WFwAS showed me an alert. It created two inbound rules. I could not connect. I manually created an outbound rule for any protocol and ports in vain. I then deleted the rules from the WFwAS. I am unable to sign in until now.

    I use a High notification (it is expected to show notifications for all blocked outgoing connections).

    You missed replying to this from the previous post :)

     
  20. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    A few questions:

    I am consistently getting a dropped UDP

    DROP UDP 8.8.8.8 65010 53 0 - - - - - - - SEND..that IP is the Google DNS...I can connect to google fine.

    DROP UDP x.x.x.x fe80::3d7a:b408:dd04:b07c 1900 62050....no cert..blocked..

    One suggestion:

    I can see from your site that the user logs-in on an unsecured site. Please do not take this personally. Please do not get offended. I'm sorry for bringing this....It is all about web security. It is interesting that your site does not have https:// for log-in. We know an unprotected site is pretty easy to crack, which can compromise your registered users' personal details ;)

    I am aware it costs money to buy an SSL. But, it is an investment you make to show not only the seriousness of your good venture (however part-time it may be) but also probably increase the site traffic. I think if you increase your donation by a few $ to fund the SSL certificate, I'm sure the users won't mind paying for their security. All you need is a basic SSL from a known SSL provider.
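
The dropped-UDP entries quoted in the post above have the column layout of the Windows Firewall log (pfirewall.log), minus the leading date, time and source address. As an added example that is not part of the original post or of WFC, the Python sketch below parses that format and groups the drops; the log lines, addresses and function names are constructed for illustration.

```python
"""Summarise DROP records in a Windows Firewall log (pfirewall.log format)."""
from collections import Counter

# Column order of the stock "#Fields:" header; used if the header is missing.
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
                  "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample. 8.8.8.8 is the resolver named in the post; every other
# address is a private, link-local or documentation address made up here.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2012-09-15 10:01:02 DROP UDP 192.168.1.20 8.8.8.8 65010 53 0 - - - - - - - SEND
2012-09-15 10:01:02 ALLOW UDP 192.168.1.20 8.8.8.8 51515 53 0 - - - - - - - SEND
2012-09-15 10:01:07 DROP UDP 192.168.1.20 8.8.8.8 65011 53 0 - - - - - - - SEND
2012-09-15 10:01:09 DROP UDP fe80::1 fe80::20 1900 62050 0 - - - - - - - RECEIVE
2012-09-15 10:01:11 ALLOW TCP 192.168.1.20 203.0.113.10 49200 443 0 - 0 0 0 - - - SEND
2012-09-15 10:01:12 DROP TCP 192.168.1.20 203.0.113.10
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = DEFAULT_FIELDS, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line, e.g. cut off mid-write
        records.append(dict(zip(fields, parts)))
    return records


def label(rec):
    """Rough service label derived from protocol and port numbers only."""
    if rec["dst-port"] == "53":
        return "dns"
    if rec["protocol"] == "UDP" and "1900" in (rec["src-port"], rec["dst-port"]):
        return "ssdp"
    if rec["protocol"] == "TCP" and rec["dst-port"] in ("80", "443"):
        return "web"
    return "other"


def summarise_drops(records):
    """Count DROP records by (path, label, protocol, dst-ip, dst-port)."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "DROP":
            counts[(rec["path"], label(rec), rec["protocol"],
                    rec["dst-ip"], rec["dst-port"])] += 1
    return counts


def mixed_verdicts(records):
    """Destinations that were both allowed and dropped.

    The log has no program column, so a mixed verdict for one destination
    usually means one program has an allow rule and another does not.
    """
    seen = {}
    for rec in records:
        key = (rec["protocol"], rec["dst-ip"], rec["dst-port"])
        seen.setdefault(key, set()).add(rec["action"])
    return sorted(k for k, acts in seen.items() if {"ALLOW", "DROP"} <= acts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarise_drops(recs).most_common():
        print(n, *key)
    print("allowed and dropped:", mixed_verdicts(recs))
```

A destination that shows up in `mixed_verdicts` matches what the post describes: browsing works while some other process's DNS queries to the same resolver are dropped.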
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Use WFC to create rules for your applications instead of WFwAS. It is easier. There are several ways to create rules easier with WFC than with WFwAS.

    See the screenshot below. In Figure 1 are the profiles. What Profile from Figure 1 do you have enabled? Notifications are available only for Medium Filtering. On High Filtering, all notifications are disabled and all outbound connections are denied.

    In the Figure 2 are the notification levels. Here, you have set High. If you set it to Medium, do you see any notifications? Also, if you set it to Low, it should create automatically rules for digitally signed applications. These work for you?

    If you go in Manage Rules, is there a rule named "Core Networking - Block all outbound connections"? If so, try to set the profile (Figure 1) to another level and it will be deleted automatically. This rule is created when High Filtering profile is enabled and deleted when another profile is set.

    Image2.png

    The versions until 3.2.0.0 were developed with Win Forms technology and .NET Framework 2.0. The memory consumption was max 10-15MB in full load but there were many limitations which had no solutions.

    Since version 3.2.0.0 I switched to WPF (Windows Presentation Foundation) technology which resolves a lot of the problems of the old versions and offers new possibilities. It uses a lot more memory indeed, but offers a lot more in exchange for the memory consumption. These days, the memory is very cheap. Important is for a software not to use a lot of CPU cycles. This really affects the performance. Unfortunately, there is a problem with the usage of CPU when scrolling the rules in Manage Rules and this will be fixed in a future version. About memory consumption, there is nothing much that I can do because of the WPF and .NET. They like to use a lot of memory even if they don't use it, they reserve it. An empty project with an empty window in WPF uses about 20MB. So, 50MB for WFC is not that much considering the visuals and the data needed to be displayed on the screen.

    I already modified the structure of Manage Rules and the singleton pattern was replaced. From now on, Manage Rules window is recreated every time. In this way, it can be Garbage Collected and can release the memory after it is closed. In this way, the memory consumption will decrease. This fix and others will be part of the next version. The new version is in testing and will be available very soon. The next version will use less memory.
     
  22. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    Profile is Medium as I wanted to know the type of alerts, IPs and remote ports the WFC would suggest. On a medium profile, setting notifications to High or Medium do not make a difference to Chrome and Skype.

    BTW, "Core Networking - Block all outbound connections" rule is not there as the profile, as you wrote, is Medium.
     
  23. SSri09

    SSri09 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    36
    On a Medium Filtering and Medium or High Notification, I launched the Internet Explorer. Once again, the WFC is unable to give me an alert. I had to manually add it; I wonder why the WFC has stopped giving alerts. It is a good feature to have an alert on the medium or the high notifications.
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Your question is absolutely normal. Regarding this topic, why would someone bother to crack our website? We accept 10USD donations, we are not selling software that is worth thousands of dollars. On the login database only the usernames and one way encrypted passwords are stored. There are no personal details stored anywhere on our website or on the server. For simple and fast login to have access to an online activation code generator, I think this does not require an encrypted session. After you login to your account, you will get access to a key generator. That's all. No emails, passwords, personal data. So, why would someone bother to crack this? Cracking the website will cost more than the 10USD donation. :)

    In this case, please make sure that Windows Firewall Control Service (wfcs.exe) is set to Automatic and running. If both of them wfc.exe and wfcs.exe are running and you still do not get notifications, please go to Event Viewer. Under "Applications and Services Logs" you will see a subcategory named "WFC". If you have logged errors please save that log and send it to: support@binisoft.org. To save the log press on "Save All Events As..." from the right panel. This will create an *.evtx file.
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Version 3.6.0.1 available
    Thank you for your support and your quick feedback.

    What's new:
    - Improved: Memory consumption was reduced by removing singleton pattern from "Manage Rules" window. In this way the resources that are used by this view are released on window close. This view is recreated every time but it is also disposed every time.
    - Improved: Memory consumption was reduced due to programmatic calls to Garbage Collector in some critical points of the program's logic. This allows a better memory management.
    - New: The windows that support resizing can now be resized from the right and bottom borders. In the previous versions the only way to resize these windows was the bottom-right corner.
    - New: Minimize buttons were added to "Manage Rules" and "Create new rules from..." windows.
    - Fixed: "Manage Rules" does not close and does not disappear from taskbar if it is maximized.
    - Fixed: The position and size of "Manage Rules" window are not saved properly on some systems.
    - Fixed: Windows of WFC appear without names in Task Manager.
    - Removed: The dependency to Workstation service was removed. The notifications system works from now on without needing of this service to be enabled. "DNS Client" and "TCP/IP NetBIOS Helper" are still required to resolve the IP and ports.
    - Removed: The fade in and fade out effects were removed from "Manage Rules" to improve the loading time.

    Download location:
    http://binisoft.org/download/wfc.exe

    Your feedback is welcome. Please let me know if with this version you see a memory consumption improvement.

    Have a nice week-end,
    Alexandru
     