Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    I can't reproduce the problems reported with Sandboxie. I installed it on my computer a few weeks ago and I have executed several programs this way, and the notifications worked correctly and so did the rules that were created.
    Check your email for this.
    So, if you create a rule to allow local port 59100 and remote port 80, and then you try to reconnect with the same program which now uses local port 59101 and the same remote port 80, a new notification will be displayed because the connection is blocked. From your description, it works correctly. A rule is a combination of all of its properties. All the details of a blocked connection must match the existing rules. In the previous versions of WFC the notification for this scenario was not displayed.
     
  2. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Yes, exactly!

    So, hjlbx, if you want to have defined local port(s), you must create a rule which covers all the possible local ports for your program. For example: if your prog uses local port 59100, with the next connection 59101 and the one after that 59109, then 59107, 59102, 59104, and so on (but never below 59000 or above 59109), then you should create a local port range 59000-59109.

    So, I have understood your problem, hjlbx, even without your last post. But if you nevertheless have troubles with your rule/connection (after the last post from Alexandru/me), then please post your rule details here, else I cannot support you further. And also the connection logs (not just the latest) from the related blocked connections. Then I could assist you to create a relevant rule.

    Alpengreis
     
  3. hjlbx

    hjlbx Guest

    If I create an allow rule for OneDrive (SkyDrive),

    local port 59100
    local address 192.168.1.2
    remote port 443
    remote address 137.168.110

    then OneDrive does not connect to the network/remote address. It will remain in a loop "Checking for Changes" for a few minutes, then attempt a new connection - which correctly generates a new notification.

    When I specify a local port OneDrive never establishes a connection and in the tray the icon continually shows the arrow loop - which means it is trying/in the process of syncing.

    If I specify the local port, OneDrive will continue to make new connections without end since it is unable to sync. If I create a file, upload it to OneDrive via the browser, then attempt to sync with my laptop, then it cannot be accomplished if I specify local port.

    The issue is that when I specify a local port, an app cannot connect to the network/remote address ... I'm not sure which is occurring.

    I am using OneDrive as an example as it is easy to test since it dependably makes enough connections over time.

    If I eliminate any rules with a local port, then the app can make the connections.

    This issue is not limited to OneDrive, but occurs with any app if the local port is specified.

    It's really no big deal to me as I have no need to specify local ports in rules...I am just reporting my findings while testing WFC.

    I use rules that are either generic allow or those that specify only protocol, remote port and remote address.
     
    Last edited by a moderator: Mar 8, 2015
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Good news. I have tried WFC on Windows 10 Technical Preview x64 on a VHD and it works flawlessly. The Main Panel opens instantly and so does the Rules Panel. It seems that .NET Framework is better integrated with the upcoming operating system from Microsoft and .NET programs work faster. Also, a lot of other programs start a lot faster than they do on Windows 8.1 x64. If you are gonna give it a try, pay attention to the App Store rules which allow all connections for all programs. If you delete all these generic rules which apply to all programs, then the Medium Filtering profile will work the same.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Weird that you can't reproduce it, but I will ask for a fix/workaround on the Sandboxie forum. I don't think it's something you can fix, because it's SBIE that is triggering this behavior.
     
  6. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Ahem, my port was an EXAMPLE, probably not to use in your rule, but good - you can test the notification that way too ...

    Then, where are the logs from the blocked connections? I cannot know what is eventually wrong "on your side" without them. Please post this, as I described above ...

    I will help, but you don't make it easy ...

    So, if you want me to assist you, please post at least the following things (as copy and paste or as screenshot):

    1) The FULL related allow rule: ALL details (not "if I make this or that", the REAL rule that you have in action)
    2) The - let me say - last FIVE FULL related details of blocked connections (see the WFC connection log (you can copy and paste there))

    ... and now additionally ...
    3) Post your local PC IP and describe whether it's fixed or dynamic (if dynamic: in which range can it be)?

    Then I will see if I can help you. Else, this is my last posting about this ...

    Greetings
    Alpengreis
     
  7. hjlbx

    hjlbx Guest

    Hello Alpengreis,

    I appreciate your assistance.

    On my system if you specify a local port - for any application - then it cannot connect to the internet. The issue is not new notifications, but rather that specifying a local port breaks the network connection - for any and all applications.

    For example, I set a rule with local port for an application update - but when specifying the local port in the connection rule the app does not update because the connection is immediately broken. So after a few minutes a new WFC notification appears (as it should) since the app continues to update using new connection resources.

    I do not understand what is so difficult to understand regarding the issue...specifying local port breaks the network connection (Kb in/out = 0).

    Posting rules cannot possibly fix such an issue.

    This issue was fixed in beta 4.4.0.2, but resurfaced with build 4.4.1.0 ...

    I am not trying to include local ports in any of my permanent firewall rules...as local ports add nothing to security. But others desire this functionality.

    I use only firewall rules that specify protocol, remote address and remote port...or a generic rule that specifies only protocol/remote port for those apps that connect to many different remote addresses...

    I am simply reporting that, in beta testing if a local port is specified, the app cannot connect to the network/remote address.
     
  8. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Because here (and probably on other systems too), this is not the case. I can make a rule with a local port without any problem (v4.4.1.0) (not tested with SkyDrive, which I don't use).

    But it could make it clear(er), at least (the technical things), what could be responsible for this behaviour (EVENTUALLY).

    Here it's no problem with v4.4.1.1 ...

    See also that it is even possible that standard rules with a defined local port exist (for example the core rule for DHCP). So it's not useless in this sense. And I desire this functionality too.

    However, I do not want to annoy you (really not), but if it's running on other systems, it would be good to have all the technical details, so it would be easier to analyze the cause ... even if it's a problem that only Alexandru can solve ...

    Greetings
    Alpengreis
     
  9. hjlbx

    hjlbx Guest

    OneDrive recently blocked connection log:

    3/8/2015 7:37:46 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51330 | 134.170.108.72 | 443 | 6
    3/8/2015 7:37:46 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51329 | 134.170.108.72 | 443 | 6
    3/8/2015 7:37:46 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51328 | 134.170.108.72 | 443 | 6
    3/8/2015 7:39:00 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51332 | 207.46.101.29 | 80 | 6
    3/8/2015 7:40:02 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51336 | 134.170.108.72 | 443 | 6
    3/8/2015 7:40:02 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51335 | 134.170.108.72 | 443 | 6
    3/8/2015 7:42:18 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51338 | 134.170.108.72 | 443 | 6
    3/8/2015 7:42:18 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51337 | 134.170.108.72 | 443 | 6
    3/8/2015 7:44:34 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51353 | 134.170.108.72 | 443 | 6
    3/8/2015 7:44:35 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51354 | 134.170.108.72 | 443 | 6
    3/8/2015 7:46:51 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51359 | 134.170.108.96 | 443 | 6
    3/8/2015 7:46:51 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51358 | 134.170.108.72 | 443 | 6

    OneDrive rules:

    OneDrive Sync Engine (TCP-Out) Windows Firewall Control C:\windows\system32\skydrive.exe All Yes Allow Out 51363 134.170.108.48 443 TCP
    OneDrive Sync Engine (TCP-Out) Windows Firewall Control C:\windows\system32\skydrive.exe All Yes Allow Out 51359 134.170.108.96 443 TCP
    OneDrive Sync Engine (TCP-Out) Windows Firewall Control C:\windows\system32\skydrive.exe All Yes Allow Out 51354 134.170.108.72 443 TCP
    OneDrive Sync Engine (TCP-Out) Windows Firewall Control C:\windows\system32\skydrive.exe All Yes Allow Out 51335 134.170.108.72 443 TCP
    OneDrive Sync Engine (TCP-Out) Windows Firewall Control C:\windows\system32\skydrive.exe All Yes Allow Out 51332 207.46.101.29 80 TCP
    OneDrive Sync Engine (TCP-Out) Windows Firewall Control C:\windows\system32\skydrive.exe All Yes Allow Out 51330 134.170.108.72 443 TCP

    If I specify a local port, then OneDrive does not function properly...it will not sync. Kb in/out = 0 until I create an allow rule without a local port.

    All the WFC alerts are because OneDrive is not able to connect and so OneDrive continually tries to make a new connection. This cycle will continue indefinitely.

    PeaZip recently blocked connection log:

    3/8/2015 7:53:28 PM 10568 PeaZip, file and archive manager C:\program files\peazip\peazip.exe Out 51391 216.34.181.96 80 TCP
    3/8/2015 7:53:19 PM 10568 PeaZip, file and archive manager C:\program files\peazip\peazip.exe Out 51390 216.34.181.96 80 TCP
    3/8/2015 7:53:08 PM 10568 PeaZip, file and archive manager C:\program files\peazip\peazip.exe Out 51389 216.34.181.96 80 TCP
    3/8/2015 7:52:53 PM 10568 PeaZip, file and archive manager C:\program files\peazip\peazip.exe Out 51380 216.34.181.96 80 TCP
    3/8/2015 7:52:27 PM 10568 PeaZip, file and archive manager C:\program files\peazip\peazip.exe Out 51370 216.34.181.96 80 TCP

    PeaZip rules:

    PeaZip, file and archive manager (TCP-Out) Windows Firewall Control C:\program files\peazip\peazip.exe All Yes Allow Out 51391 216.34.181.96 80 TCP
    PeaZip, file and archive manager (TCP-Out) Windows Firewall Control C:\program files\peazip\peazip.exe All Yes Allow Out 51390 216.34.181.96 80 TCP
    PeaZip, file and archive manager (TCP-Out) Windows Firewall Control C:\program files\peazip\peazip.exe All Yes Allow Out 51389 216.34.181.96 80 TCP
    PeaZip, file and archive manager (TCP-Out) Windows Firewall Control C:\program files\peazip\peazip.exe All Yes Allow Out 51380 216.34.181.96 80 TCP
    PeaZip, file and archive manager (TCP-Out) Windows Firewall Control C:\program files\peazip\peazip.exe All Yes Allow Out 51370 216.34.181.96 80 TCP

    With PeaZip it only uses a single remote address so there is no issue.

    Specifying a local port with any app that uses many different remote addresses breaks the connections... for example, KingSoft's WPS 2014.
     
    Last edited by a moderator: Mar 8, 2015
  10. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    @hjlbx

    Why not put all these in one?
    local port = any
    remote port = 80,443
    remote ip = 134.170.108.48,134.170.108.96,134.170.108.72,207.46.101.29
    local ip = bind it to yours

    Merge the 4 x 443 rules together, then add port 80 and 207.46.101.29 to the merged ruleset. You might even cover yourself against future dramas by adding 134.170.108.0-134.170.108.255 to the rules. OneDrive is treating local ports in the same manner as a browser would; it uses as many as it wants. Try attaching one local port to a browser rule and things will blow up in your face, similar to what's going on at the moment...
     
  11. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Okay, that's good, thank you, NOW I can help you, hopefully *g*

    As you can see, skydrive.exe changes the port again and again ...

    So it's necessary that you create a rule which has a local port RANGE. It means you must be prepared for further port changes.

    Here I show you a rule which could be good enough for your problem. Note: you have to CREATE A NEW RULE (blank rule) (other ways exist too, but take this one for now). You can delete the other skydrive rules, keep just the following NEW one ...

    Program = C:\windows\system32\skydrive.exe
    Name = OneDrive Sync Engine (TCP-Out)
    Group = Windows Firewall Control (you could also change it to another desired name)
    Description = Make one, if desired
    Location = Private (or if you use in Public areas too, set also for Public; the same for Domain)
    Protocol = TCP
    Local Ports = 51300-51399 (it can be enough, but if you see further notifications, for lower or higher
    ports, you must enlarge the range! If you see (in future) that a smaller range is enough, you could even reduce the range.)
    Remote Ports = 80,443
    Local addresses = Your PC IP. If it's a dynamic IP (DHCP), you must define a range here too,
    for example 192.168.1.2-192.168.1.99 (it's an example only: it must be YOUR range in your local
    network). So, the easiest way is to set it to ANY.
    Remote addresses = Here you should cover ALL the possible IPs for your remote destination, also with a range; multiple ranges are necessary here. It could be something
    like this: 134.170.0.0-134.170.255.255,207.46.64.0-207.46.127.255 (you can check such things with a WHOIS service). Maybe other IP ranges should also be allowed (not known yet). Important: IPs are not forever - IPs can change, even within a company, new subnets are possible - it means it's very difficult to have defined remote IPs for such things. So the easiest way here also: set it to ANY.
    Service = Any
    Direction = Outbound
    Action = Allow
    Interface types = All interface types (or change it to your purposes)

    Now it should be no more a problem, I hope.

    Greetings,
    Alpengreis

    Edit: Added port 80
     
    Last edited: Mar 9, 2015
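    As an added illustration (not code from any of the posts or from WFC itself) of the matching rule stated in post 1 and the range rule proposed in post 11: a connection is allowed only when every property of some rule matches it, so a rule pinned to one ephemeral local port does not cover the next connection, while a range rule does. The log lines and rules are constructed from the ones quoted above, plus one extra line with a local port outside the range to show the caveat about enlarging it.

```python
"""Model of the rule matching described in this thread: a connection is allowed
only if EVERY property of some allow rule matches it. The log lines and rules
below are constructed from the ones quoted in the posts above."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed WFC blocked-connection lines; the last one uses a local port outside
# 51300-51399 to show why even a range rule may need enlarging later.
# time | PID | name | program | dir | local port | remote addr | remote port | proto
BLOCKED_LOG = [
    r"3/8/2015 7:37:46 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51330 | 134.170.108.72 | 443 | 6",
    r"3/8/2015 7:37:46 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51329 | 134.170.108.72 | 443 | 6",
    r"3/8/2015 7:39:00 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51332 | 207.46.101.29 | 80 | 6",
    r"3/8/2015 7:46:51 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51359 | 134.170.108.96 | 443 | 6",
    r"3/9/2015 8:01:10 PM | 3544 | OneDrive Sync Engine | C:\windows\system32\skydrive.exe | Out | 51402 | 134.170.108.72 | 443 | 6",
]
PROTO = {"6": "TCP", "17": "UDP"}  # protocol numbers as WFC logs them

def parse_ranges(spec, conv=int):
    """'80,443', '51300-51399', '10.0.0.1-10.0.0.9' or 'Any' -> [(lo, hi), ...]; None = Any."""
    if spec.strip().lower() == "any":
        return None
    out = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.append((conv(lo), conv(hi or lo)))
    return out

def in_ranges(value, ranges):
    return ranges is None or any(lo <= value <= hi for lo, hi in ranges)

Connection = namedtuple("Connection", "program direction protocol local_port remote_addr remote_port")

def parse_log_line(line):
    f = [x.strip() for x in line.split("|")]
    return Connection(f[3].lower(), f[4], PROTO.get(f[8], f[8]), int(f[5]),
                      IPv4Address(f[6]), int(f[7]))

@dataclass
class Rule:
    name: str
    program: str
    local_ports: object   # each a parse_ranges() result
    remote_addrs: object
    remote_ports: object
    protocol: str = "TCP"
    direction: str = "Out"

    def matches(self, c):
        # Every property must match; a single mismatch means the connection is blocked.
        return (self.program == c.program and self.direction == c.direction
                and self.protocol == c.protocol
                and in_ranges(c.local_port, self.local_ports)
                and in_ranges(c.remote_port, self.remote_ports)
                and in_ranges(c.remote_addr, self.remote_addrs))

def onedrive_rule(name, local_ports, remote_addrs, remote_ports):
    return Rule(name, r"c:\windows\system32\skydrive.exe", parse_ranges(local_ports),
                parse_ranges(remote_addrs, IPv4Address), parse_ranges(remote_ports))

# One rule per notification, each pinned to the ephemeral local port it was seen on:
PER_CONNECTION_RULES = [onedrive_rule("pinned 51330", "51330", "134.170.108.72", "443"),
                        onedrive_rule("pinned 51332", "51332", "207.46.101.29", "80"),
                        onedrive_rule("pinned 51359", "51359", "134.170.108.96", "443")]
# The single range rule suggested in post 11:
RANGE_RULE = onedrive_rule("OneDrive Sync Engine (TCP-Out)", "51300-51399",
                           "134.170.0.0-134.170.255.255,207.46.64.0-207.46.127.255", "80,443")

def evaluate(log_lines, rules):
    """Name of the first allow rule matching each line, or None (blocked, new notification)."""
    conns = [parse_log_line(l) for l in log_lines]
    return [next((r.name for r in rules if r.matches(c)), None) for c in conns]
```

    Running `evaluate(BLOCKED_LOG, PER_CONNECTION_RULES)` leaves the 51329 and 51402 lines unmatched, while the range rule matches everything except the 51402 line, which is the case where the range would have to be enlarged.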
  12. hjlbx

    hjlbx Guest

    Hello Alpengreis and marzametal,

    I certainly appreciate all your assistance.

    As a policy I do not specify local ports or port ranges in rules as they add nothing to overall security. My reports regarding local ports were only in regards to my observations while beta testing.

    I know about port and IP address ranges... and IP range calculators.

    To me it is not worth all the extra time to create individual rules for each remote address, since some apps may connect to upwards of 50 individual addresses over time. Antivirus, for example, is notorious for this sort of thing. Creating individual IP rules serves no purpose other than to clutter the rules list...and...

    the time required to respond to all the notifications, create the individual remote IP rules, then sort and merge them doesn't justify the incremental increase in security.

    As I said, generally I will set the remote address to "Any" and only specify protocol and remote port.

    Only if an app uses one or two remote addresses will I include a remote address in the rule.

    I will merge rules after a while...for example, TCP 80 & 443 for the same app.
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Actually there is no problem at all. Of course the program will not connect if you create a rule which specifies a local port, because we don't have control over the local port that the application will try to use next time. Next time it will probably use a different local port, and so on, making your previous rules with local ports not apply. After the connection times out a new notification will pop up. Based on your description, everything works as it should from my point of view. This is normal behavior for this scenario.
     
  14. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Then it's clear that you cannot connect (sometimes)!

    For this there are ranges, so you can have just ONE rule, for example!

    One rule with ranges could be enough; you don't have further notifications then!

    So, where is your problem then? The other scenario with notifications is normal with your rules! It's not a bug.

    IPs can nevertheless change on remote side (or new are added or whatever). Then you receive a new notification.

    Alpengreis

    PS: As Alexandru said, there is no problem/bug with WFC!
     
  15. hjlbx

    hjlbx Guest

    BUG (Potentially, but I am not sure if the issue reported below is by design or not):

    Build 4.4.1.1

    On a W8.1 system, if you sign out of Windows and then sign in to a different User Account (e.g. Administrator) for the very first time, then duplicate Metro Apps rules will be added to WFC.

    I think this is due to the way that W8.1 adds/configures Metro Apps for each individual User Account.

    * * * * *

    Also, when the WFC icon is pinned to the taskbar, selecting it does not open WFC.
     
    Last edited by a moderator: Mar 10, 2015
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Rules are created and applied for all users. There are no rules specific to a user account. This can't be a bug of WFC if the operating system automatically creates required rules for some applications. If you enable Secure Rules, then these automated rules will be deleted by WFC.

    WFC is a tray application. When you start WFC from its shortcut, a new system tray icon will appear. This will not open any window. If you pin WFC to the taskbar, when you launch it again, it will appear in the system tray. It will not open any window. To me, it looks like it works as designed.
     
  17. gggirlgeek

    gggirlgeek Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    13
    Location:
    USA
    Hi,

    False positive here most likely. ~Virus Total results removed per Policy~ found in %Current User%\App Data\Local\BiniSoft.org

    Question: The file and the folder are dated 12/03/13. Pretty sure I haven't had WFC that long. Is this your file? Is it old? If it's old can I delete it?
     
    Last edited by a moderator: Mar 14, 2015
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    I am curious what is the content of that cmd file. That folder was used in the past for storing user preferences but now WFC uses Windows Registry for this purpose. You can delete that folder and all the content it has.
     
    Last edited by a moderator: Mar 14, 2015
  19. gggirlgeek

    gggirlgeek Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    13
    Location:
    USA
    Hello,

    Still loving WFC. Thank you so much!

    Suggestion: I'd like to be able to change the theme of the Rules Panel, particularly the background colors and/or text. When using a dark Windows theme it's very difficult to find a light text color that can be read on the yellow and pink backgrounds. I see it currently uses the color from 3D Objects. This is the exact text that needs to be very bright (white\yellow\pink) in a dark theme. An easy fix would be for you to use the Hyperlink color instead. This does not affect so many other programs and is normally blue or dark blue. I use bright blue or hot pink so it would be perfect.

    I know this is nit picking so no big hurry. I understand if it's not something you want to prioritize or bother with.

    Best Regards!
     
  20. gggirlgeek

    gggirlgeek Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    13
    Location:
    USA
    Here it is. It seems to be related to "Usb Flash Drives Control"o_O Which I have installed before but don't really use now.

    Code:
    @echo off
    taskkill /f /im usbc.exe
    ping 1.1.1.1 -n 1 -w 300 >nul
    if exist "C:\Program Files\USB Flash Drives Control\usbc.exe" del /s /q "C:\Program Files\USB Flash Drives Control\usbc.exe"
    move /y "S:\@Downloads\System\@Security\usbc.exe" "C:\Program Files\USB Flash Drives Control\usbc.exe"
    if exist "C:\Users\Me\AppData\Local\BiniSoft.org\bbe18401.cer" del /s /q "C:\Users\Me\AppData\Local\BiniSoft.org\bbe18401.cer"
    "C:\Program Files\USB Flash Drives Control\usbc.exe"
    del %0
    
    Update: OK it's from your old version of USBC. I'll email you about this since it's off topic. Sorry.
     
    Last edited: Mar 14, 2015
  21. atguardlover

    atguardlover Registered Member

    Joined:
    Jun 25, 2014
    Posts:
    4
    Question or Bug Report:

    I've got a few programs running from a TrueCrypt container.
    This container always gets a fixed drive letter when mounted.
    But those programs (Skype, FTP) won't connect until I create a new rule from the blocked connections log.
    The rules still exist but are ignored or something the next time the container is mounted.
    Any ideas?
    thanks & greets
     
  22. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    It seems that it's necessary to "reactivate" such rules. So it should be enough to open the rule in the WFC rule manager (Enter) and press the Apply button.

    It could also be possible with the OS Command Prompt (command line) - here is an example (Win 7):

    netsh advfirewall firewall set rule name="HERE YOUR RULE NAME" new enable=yes

    You could integrate this in a batch file, and it probably needs administrator rights to execute successfully.

    Greetings,
    Alpengreis
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Even if you see the same drive letter for your encrypted drive when it is mounted, Windows assigns a different GUID for it and Windows uses these GUIDs to identify the drives, not the drive letters. To make these rules apply again you must open Manage Rules window, select these rules and then disable and enable them again. In this way, Windows Firewall will refresh these rules internally with the new GUID of the mounted drive.

    I will think about a workaround in WFC to see how much time it takes to disable and enable all custom rules at program start-up to ensure that this is done automatically. Until then, the solution is above. Or you could try to use a normal drive for your programs. What is the purpose of having Skype on an encrypted drive?
     
  24. hjlbx

    hjlbx Guest

    Your Skype profile contains a lot of confidential data like contact list, IM-history, calls history etc. This data is not encrypted by default. It means anyone who uses your PC can use this information easily. Roho website.
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    You are right. This means that you have to redirect the folder that Skype uses to store local data from %appdata% to a custom folder from the encrypted disk. But again, if you are afraid that someone may steal your sensitive data from your Skype conversations (stored locally in main.db), you might better consider other communication channels instead of Skype.
     