another Windows Firewall Control?

Discussion in 'other firewalls' started by moontan, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I had previously enabled notification sounds with a timeout of five minutes but was still not getting any notifications on blocked actions. After researching further, I found out I also had to change notifications to high from medium in order to get alerts. In high notification mode, the only alerts that I received were for svchost.exe, but these were not tied to any particular service. After trial and error, I have found two of these services that are being blocked to be WWAHost and SystemSettings (both are being launched by svchost.exe). Neither of these services is in the drop-down list for services under manage/edit rules in WFC, so I had to go to the Windows Firewall with Advanced Security UI to create two rules for these services. The rules I created were outbound rules as follows:
    • New Rule..... > Custom
    • This program path: > %SystemRoot%\System32\svchost.exe
    • Services > Customize > Apply to service with this service short name > WWAHost (first rule) and SystemSettings (second rule)
    • Protocol type: > TCP
    • Local port: > Specific Ports > 49152-65535
    • Remote port: > Specific Ports > 80,443
    • Scope > Any IP address
    • Action > Allow the connection
    • Profile > Check all
    • Name > WWAHost (for first rule) and SystemSettings (for second rule)
    So far this has worked for me, however I have not had any Metro style apps that have needed upgrading. It has solved my problems concerning entering my password to sync my Windows account and connectivity issues within the Windows Store app. I will keep monitoring and see if any other rules need to be added, but at present all is working fine. My only concern will be for updating apps in the Metro UI but I will have to wait until an update is needed.
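
The same two outbound rules, scripted with the built-in NetSecurity cmdlets and then read back so the service and port filters can be checked. This is an added example, not part of the original post or of WFC; it assumes an elevated PowerShell prompt on Windows 8 or later.

```powershell
# Added example: scripted form of the two outbound rules described in the post.
# Assumes an elevated prompt and the NetSecurity module (Windows 8 or later).
$ruleServices = 'WWAHost', 'SystemSettings'   # service short names from the post

foreach ($svc in $ruleServices) {
    # Do not create a second rule with the same display name on a rerun.
    if (Get-NetFirewallRule -DisplayName $svc -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$svc' already exists; leaving it untouched."
        continue
    }

    New-NetFirewallRule `
        -DisplayName $svc `
        -Direction Outbound `
        -Program '%SystemRoot%\System32\svchost.exe' `
        -Service $svc `
        -Protocol TCP `
        -LocalPort '49152-65535' `
        -RemotePort 80, 443 `
        -RemoteAddress Any `
        -Profile Any `
        -Action Allow | Out-Null
}

# Read each rule back with the filters actually bound to it. A rule that
# shows Service = Any would open svchost.exe for every hosted service.
foreach ($svc in $ruleServices) {
    $rule       = Get-NetFirewallRule -DisplayName $svc
    $svcFilter  = $rule | Get-NetFirewallServiceFilter
    $portFilter = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $rule.DisplayName
        Enabled    = $rule.Enabled
        Direction  = $rule.Direction
        Service    = $svcFilter.Service
        Protocol   = $portFilter.Protocol
        LocalPort  = $portFilter.LocalPort -join ','
        RemotePort = $portFilter.RemotePort -join ','
    }
}
```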
     
  2. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    157
    Location:
    Belgium
    Take your time....Windows 8 is a sinking ship....
     
  3. makinjr

    makinjr Registered Member

    Joined:
    Jul 13, 2012
    Posts:
    2
    Location:
    Finland
    Why not create a small, separate "metro" application that will communicate with wfc (some method Windows will provide)?

    If there is a popup notification available on wfc, this small application will notify user in the "metro" environment. When user clicks app notification window, it will switch to desktop, where user can see wfc notification window. After wfc closes notification window, app will switch back to "metro" interface.

    There are quite many ways Windows applications can communicate with each other. I do not know which are available in "metro" environment (if all), I have not yet studied that. This just came to my mind as one option.

    I agree that it makes no sense to switch to .NET 4.5 in wfc code. Wfc is a pretty piece of software and does an excellent job as is.
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Version 3.8.0.0 available

    What's new:
    - New: Added support to display icons in the Manage Rules datagrid. This option can be toggled by using the new checkbox from the column name.
    - New: Added support to display icons in "Create new rules from..." window, to improve the readability.
    - New: Added new action on the tooltip for the remote IP address in the notification window. Now, the user can check the IP through ipvoid.com with one click.
    - New: The tooltips have a mouse image with the possible mouse gestures available.
    - Fixed: The user can change the profile from the notify icon context menu even if the program is locked with a password.
    - Improved: The responsiveness of the notifications was improved by refactoring the code.
    - Improved: A lot of code was changed to improve the speed of the program, so this is a major update regarding the logic of the program.

    Download location: http://binisoft.org/download/wfc.exe
    MD5: accbe8b12f8394888e08b68ec6e59508

    The grouping (tree view) by application path is not present in this version because it breaks the virtualization of the datagrid and the performance is very poor. The logging feature is not ready yet because the filtering of the events takes ages and the performance is also very poor.

    Your feedback is welcome. The list of new features is still open.

    Thank you for your support and your feedback,
    Alexandru

     
  5. guest

    guest Guest

    @alexandrud
    Excellent work, I can easily notice that the interface is more fluid and faster than before.

    Thanks for the addition of the icons, now it is more visual and less reading effort.
    I just miss the tree view for exe's with several rules, and the VT integration (just a link in popups and manage rules list) like spyshelter does :D
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I can't integrate VirusTotal API in WFC.
    But they have this application, which you can use: VirusTotal Uploader: VirusTotal Windows Desktop Application

    About the treeview, I will try to find a way to implement it. Until then, you can filter the datagrid pretty well with the existing options to find some specific rules. There are 3 comboboxes, one search function, and the columns can be sorted. It is not a treeview, but you can filter the rules.
     
  7. guest

    guest Guest

    You don't need to use the API; you create your own. To check if a file has already been analyzed (and usually they are), you just need a link composed like this:

    http://www.virustotal.com/file/"SHA256"/analysis/

    for example: http://www.virustotal.com/file/04c9...d0d3bddd22659b23d3b88295677bab6e2cd/analysis/

    So it's quite simple: you just need to make WFC able to get the SHA256 of a file.

    If the file is not found, it means that it has not been analyzed, so it gets uploaded and the website is opened (without using the API).

    Take a look, because this is what spyshelter does and it's totally legal.

    Regarding the VT API
    The free version of WFC is free, or you can always make WFC free :p
    And technically it is a donation...
     
    Last edited by a moderator: Dec 13, 2012
  8. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Check with VirusTotal before you do this. Technically the 'donation' is a 'purchase' of the extra features not found in the 'free' version and could therefore be considered 'commercial' software.
    (if it walks like a duck and talks like a duck and looks like a duck, it's a duck, not a horse or a donation. :))
     
  9. guest

    guest Guest

    Anyway, this is for using the API, and he doesn't need to use it, as I explained before.
     
  10. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Bug or ??

    Using version 3.8.0.0 on Win 7 x64

    Steps to reproduce: go to Manage Rules, click a rule you want to change and press Enter.

    Expected behavior would be that the rule opens, but observed behavior is that it switches to the rule below and opens that one.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Small bug. I will fix this. Thank you.
     
  12. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    As always 2:thumb:'s up
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Version 3.8.0.1 available

    What's new:
    - New: Added support to check the program file on VirusTotal from the notification dialog. This will not upload the file. It will check the results for the same file based on the SHA256 hash of the file.
    - Fixed: The current selection moves to the next row in Manage Rules if the user presses the Enter key.
    - Fixed: PageUp and PageDown don't work in Manage Rules in some scenarios.
    - Fixed: Validation fails and the save of a rule doesn't work when a rule is edited and the user has empty spaces in the input text boxes.

    Download location: http://binisoft.org/download/wfc.exe
    MD5: d38eaf1499baedff0e4732dcb2aaee2c

    The list of new features is still open.

    Thank you for your support and your feedback.
    Alexandru
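
A hash-only lookup of the kind discussed above, applied to every program that an enabled outbound allow rule points at. This is an added example, not WFC's code and not from any poster; the URL layout is the one quoted earlier in the thread, and the function names are hypothetical.

```powershell
# Added example. Only the SHA256 is computed locally; nothing is uploaded.
function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Path)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        # Stream the file through the hash and render it as lowercase hex.
        -join ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') })
    } finally {
        $stream.Dispose()
        $sha256.Dispose()
    }
}

function Get-VirusTotalLookupUrl {
    param([Parameter(Mandatory)][string]$Path)
    # URL layout as quoted in the thread: /file/<SHA256>/analysis/
    'http://www.virustotal.com/file/{0}/analysis/' -f (Get-Sha256Hex -Path $Path)
}

# Programs referenced by enabled outbound allow rules, de-duplicated.
$programs = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program -Unique |
    Where-Object { $_ -notin 'Any', 'System' }   # keywords, not file paths

foreach ($program in $programs) {
    # Rules may store paths such as %SystemRoot%\System32\svchost.exe.
    $path = [Environment]::ExpandEnvironmentVariables($program)
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        [pscustomobject]@{
            Program = $path
            Lookup  = Get-VirusTotalLookupUrl -Path $path
        }
    } else {
        # An allow rule for a file that no longer exists is worth reviewing.
        Write-Warning "Rule points at a missing file: $path"
    }
}
```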
     
  14. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia

    I can confirm that with version 3.8.0.1 this "bug" has been crushed ;) !

    Thanks
     
  15. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Bug Report!
    The Option "Disable the ability of other programs to add firewall rules" is no longer working.
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Works here. How do you test this feature? If you have the Manage Rules window opened and you use a cmd window to add a new rule by using the netsh utility, you must not press the Refresh button immediately. Leave it one second or two to have time to commit the changes. If you press the Refresh button too soon, the new rule is recognized as a legitimate rule. In a real use case this will not happen, because the user does not stay with the Manage Rules window open and press F5 all the time.
     
  17. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Hmm, odd, now it's working properly. I'll try to reproduce it if I can.
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Version 3.8.0.2 quick improvements

    What's new:
    - New: High Filtering profile was updated to cut off all the inbound connections too. Now, when switching to High Filtering profile, all inbound and outbound connections will be blocked, no matter what rules are defined. All connections are blocked.
    - Fixed: The rules created automatically by High Filtering profile can be duplicated or modified if the user uses the Enter key.
    - Fixed: Cleaned up some obsolete code.

    Download location: http://binisoft.org/download/wfc.exe
    MD5: 56243a81a0b033d567694deff6670d54

    I know that the last version was yesterday. :) If you like the new things, please update, if not, you can wait until the next version.

    Thank you for your support and your feedback.
    Alexandru
     
  19. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    Where is the "system working set" of rules stored? I use virtualization and need to exclude that file from reverting back to a previous version on reboot...
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I'm afraid that I don't understand your question. Windows Firewall rules are stored in the Windows Registry. "System" is not a physical file, it is a keyword accepted by Windows Firewall. It is a naming convention. What do you want to achieve? Please be more specific. Thank you.
     
  21. Rubert

    Rubert Registered Member

    Joined:
    Dec 19, 2012
    Posts:
    6
    Location:
    France
    I am using Windows 7 and have Kaspersky Antivirus installed. It seems that Kaspersky acts like a proxy server and it ignores any rules set in the Windows Firewall. This means that all programs are allowed to make outbound connections even when WFC is set to medium filtering. Netgate and ZoneAlarm firewalls (and probably others) avoid the problem and their rules are followed by Kaspersky. Is there some way to enable this with the Windows Firewall?
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I don't know what the modules of Kaspersky are (I use MSE). Windows Firewall is incompatible with software proxies because they intercept network traffic and then they don't redirect it further to the firewall. This is why your rules don't apply even if they are enabled. Many firewalls have this kind of problem. You can read on this topic more about this subject. Try to disable any software proxies on your computer and then see if the problem is gone. The incompatibility is with Windows Firewall, not with WFC.
     
  23. Rubert

    Rubert Registered Member

    Joined:
    Dec 19, 2012
    Posts:
    6
    Location:
    France

    OK Thanks. I appreciate that the problem is with Windows Firewall and not with WFC. Sorry if I seemed to be blaming WFC. It was not what I intended.

    I cannot see any possibility of disabling the offending proxy server other than by disabling Kaspersky Antivirus. I don’t want to do that. For the moment I think that I must use a different firewall. Perhaps I am making an incorrect judgement, but it does make me feel nervous about the Windows Firewall when I see that a piece of software can so easily punch a hole through it.
     
  24. gregd

    gregd Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    75
    Version 3.8.0.2

    Major bug:

    WFC becomes completely disabled when I RDP into my Windows 8 laptop and I click on the wfc icon in the system tray.

    Everything on wfc becomes completely grayed out, says product is not activated, even though it was when I remoted in and if I exit and restart wfc.exe from the laptop itself, everything returns to normal.

    It's reproducible every time I remote desktop in and click the wfc icon in the system tray.
     
    Last edited: Dec 19, 2012
  25. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I get a similar error on my system. Say I go into manage rules and find invalid rules. It finds five rules and I tell it to delete those five rules. I get the same thing then with the tray icon going gray and the GUI telling me WFC is not activated. I exit WFC and restart it. All is good again and I go back to manage rules and find invalid rules. I find one rule has been deleted and am told I now have four invalid rules. I tell it to delete these four rules and the process repeats itself with the tray icon graying out and GUI telling me I am not registered again. By the way my OS is Windows 8 Pro x64.

    On my previous question you did not understand, I had assumed since I did not see any specific files that rules were stored to, that they must be stored in the registry. My question then is basically what are the keys they are stored in so I can exempt them from my virtualization program. I know that I could probably do a registry search and find those keys by trial and error but thought it would be easier to just ask you. Thanks for your help as I know sometimes the language differences can make a question come across unclear.
     