Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    I agree. But even better would be a solution which would be related to the OS. This means function(s) for Win 10 should only be possible on Win versions > 7, for example (instead of compromising Win 7).

    The disadvantage would be: we would have different functionality to "discuss".

    The BIG advantage would be: avoiding problem(s) on Win 10 (which a user can't avoid - for example, a normal export with later import is enough to destroy some standard Win 10 rules on my Win 10 system here).

    But if a solution would be even "dirty" on Win 10 too, then we should wait for a reliable solution (perhaps another workaround from Alexandru OR, even better, an MS fix).
     
  2. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Long time no issues... but lately I noted two issues that puzzled me and that I had not experienced before. I'm using 4.8.8.0 on Win7 64-bit.

    1. I wondered why all of a sudden the activation status got lost. After a reboot the activation info was back.
    2. After a boot WFC started as expected. After some minutes the WFC service stopped. I had to manually restart the service via services.msc.

    Both incidents happened only once... and everything has been running flawlessly since then again.

    Just to let you know.
     
  3. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    92
    Any incompatibility with Kaspersky AV on Windows 10?

    Thanks
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    I have updated the WFC code to detect correctly the group name of these rules and the local port.
    The problem on export/import exists only on partial policy (.wpw, which is something created by WFC).
    If you export and import a full policy (.wfw format), then these keywords are preserved.

    I just checked on the latest Windows 10 Insider Preview build 14971, and the problem still exists in Windows Firewall API.

    I added a mention of this in the Known Limitations section of the user manual.
    If this happens again, let me know and we will try to find a pattern. I also experience software failures with many programs. Every few days, Skype closes out of nowhere, SQL Server does not always start at Windows start-up, etc. If this happens again, please check the Troubleshooting section of the user manual and check the WFC log.
    I don't know if any, but if you try, please share your feedback.
     
    Last edited: Nov 24, 2016
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    Windows Firewall Control v.4.8.9.0

    Change log:
    - Improved: When enabling Secure Rules, if there are rules with no group names, WFC offers the user the possibility to add them to the WFC default group name.
    - Improved: Added better support for handling inbound rules with EdgeTraversal set to "Defer to user". This affects the editing of these rules, group renaming and the relation with Secure Rules which could not add these rules in the Unauthorized Rules group.
    - Fixed: The rules from "mDNS" group are not recognized correctly on Windows 10.
    - Fixed: The updater does not work if the previous service executable file (wfcs.exe) does not exist on disk anymore.
    - Fixed: Exception message is displayed if the service is closed and immediately the user presses the Exit button from the tray icon.
    - Updated: The user manual topics were extended.

    New translation strings:
    466 = Rules with no group defined were detected. To preserve them, do you want to add these rules to Windows Firewall Control group before enabling Secure rules ?

    Updated translation strings:
    045 = Inbound rules with EdgeTraversal set to 'Defer to user' support only limited customization, therefore some properties will be disabled. Do you want to continue?
    460 = Warning. All firewall rules, including Windows Firewall default firewall rules, which have the group name different than the authorized groups defined will be deleted or disabled. Creating a backup copy of your current rules is recommended. Are you sure you want to continue?


    Download location:
    http://binisoft.org/download/wfc4setup.exe
    SHA1: e3b621972058ffc4e9be72b4052ce903f362a5c5
    SHA256: b95772ab93b87fca748498738455e93ed335cc779282cb9a79fb264b6954f276

    Best regards,
    Alexandru

    If I forgot something, please remind me and I will do my best.
     
  6. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    Thank you for new version, Alexandru. mDNS is fixed now.

    PS: For the German language users: the translation is done and already sent to binisoft.org
     
  7. mi3mi2

    mi3mi2 Registered Member

    Joined:
    Mar 18, 2016
    Posts:
    19
    Steam when run creates rules in a nameless group if they don't exist.

    Those rules are acceptable and to be enabled, but here's an issue managing the group.

    If Secured rules are enabled, Steam's nameless group would automatically be named Unauthorised Rules.

    Steam isn't happy being in a group with a name and during every next run would recreate its rules afresh in a nameless group.

    So, if Secured rules are set to 'disabled', Steam's creations would repeatedly spam the Rules Panel's disabled rules.

    Otherwise, if Secured rules are set to 'deleted', Steam would turn to spamming Event ID #1 complaints in Event Viewer.

    An authorised group can't be nameless, right? Even if it could, one most likely wouldn't want to have a nameless group authorised anyway.

    With Secured rules enabled, how can Steam's group be taken care of properly so it wouldn't spam here and there?

    It's certain that a most simple config is around somewhere yet this idiot is just too stupid.

    Please help. Thanks!
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    My thoughts on this. If a piece of software can't connect to the Internet, it should inform the user about this, it being the responsibility of the user to create the appropriate firewall rules in his firewall. Steam should not create firewall rules and mess with your firewall. However, Steam's approach is very aggressive, because they could check if an allow rule for their executable exists. Instead, they enforce a strict rule which can't be modified in any way. Since Steam has used this bad practice for years now, I doubt they will change this; either you don't use Steam, or you don't use the Secure Rules feature. It is up to you. Secure Rules was created exactly for programs like Steam, so a working solution for Steam and Secure Rules should come from Steam developers.
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I've got no issue with Steam; the answer is to have a manually created rule already in place, and then Steam won't try to create one.
     
  10. 75945842

    75945842 Registered Member

    Joined:
    Nov 10, 2016
    Posts:
    1
    Location:
    Mars
    Hello Mr Binisoft,

    Apologies in advance if this has been asked before, if I need to RTFM please tell me to do so.

    With quite a few of the applications I run, I want to allow local traffic only and get alerted for non-local access. In order to do this I have been doing the following:

    When alerted about a blocked outbound connection

    Click Customise rule
    Remove Remote ports, local ports, set protocol to any
    Enter the following into remote IP 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
    Click Allow this program.

    This works great, but the blocking of outbound connections to non-local addresses can get a bit tedious: if I decide to block the addresses to stop being hassled, I must do it per IP as the notifications come up. I do know that I can set it once and permanently per IP, but my preference would be to routinely be prompted, as I might end up wanting it to connect to global addresses, e.g. when using specific functionality in the application or updating.

    Suggestions from this:
    1. A button to allow all traffic to local subnets
    Case - Saves me from manually doing the above haha... but I think that others might just want to simply block applications from calling home and are less concerned about local access. This makes it easy to use it locally and as external IP requests come through I can approve them or block for now per connection.

    2. Option, when you click "block for now and ask me later", to ignore all blocked outbound connections for that application, not just the specific connection, and to specify a period of time
    Case - Application is allowed to have local access, it constantly attempts to submit bug reports and check for updates. I do not wish to block this permanently but I do not want to be notified about each access attempt for the day.

    3. Additional time period for allowing and the above suggested feature (e.g. 4 hours, 1 day)

    I understand that you use the windows firewall/event logs and an API so I can appreciate if any of these suggestions either have significant drawbacks or are not possible. Let me know if you want me to further anything I have suggested or consider something else.

    Thanks
     
  11. mi3mi2

    mi3mi2 Registered Member

    Joined:
    Mar 18, 2016
    Posts:
    19
    @alexandrud

    Thanks for explaining.

    I guess the compromise would be to have Secured rules enabled and set to 'deleted', then let Steam spam the event log as much as it wants to.

    @chrcol

    What is your scenario?

    Have Secured rules disabled, and Steam won't try to create entries in a nameless group?

    Or, have Secured rules enabled and set to 'disabled', and Steam won't create entries only to be disabled by WFC and put into the Unauthorised Rules group?

    Or, have Secured rules enabled and set to 'deleted', and Steam won't log event id 1 error?

    In my case, though having as you stated 'a manually created rule already in place', all of the above are negative.

    If you would care to explain your issue-free WFC config of the Steam entries, I could follow suit.

     
  12. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    @alexandrud

    I have a similar request with the above. Is it possible to have an ignore option?
    e.g. "Ignore this program" permanently or temporarily?

    Panagiotis
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I have secure rules enabled.

    I do see steam keeps adding rules for games when they get installed or updated. But not making rules for itself.

    I agree steam should not be doing this without at the very least prompting the user to what it is doing. This is not a WFC problem and WFC does its job by deleting those unauthorised rules.
     
  14. meidle

    meidle Registered Member

    Joined:
    Sep 30, 2016
    Posts:
    8
    Location:
    USA
    I finally found a workaround. Windows 10 updates mess with svchost thread pooling, because WFC keeps popping up "connection blocked"
    even if I allow svchost for wuauserv and BITS.
    For those who may be interested, there are some instructions in this thread
    https://social.technet.microsoft.co...ndows-10-firewall-with-windows-update-service
    and
    https://blogs.technet.microsoft.com...ing-started-with-svchost-exe-troubleshooting/


    This is done on an LTSB machine with strict traffic policies, where we allow updates maybe once
    per year. It is not for a mainstream OS (you should do registry backups if you will try this).
     
    Last edited: Dec 1, 2016
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    I don't know where to put such an option in the notifications dialog. Creating rules for local traffic only is not very common. I am open for suggestions. Instead of setting remote IP property to 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, you could use the LocalSubnet keyword with the same result.
    This should be done through existing firewall rules, not through a different mechanism. For example, I do not want to create another window where the user can define or delete paths to be ignored by the notifications system.
    - To stop temporarily notifications for a program you can create a temporary block rule which will be deleted automatically on the next WFC restart, usually after a reboot. This approach will dismiss all notifications for a certain program, but will also overwrite any allow rule since block rules have higher precedence than allow rules.
    - To stop permanently notifications for a certain software, create an allow rule for your desired connections. Then create a generic block rule for the same program and disable the rule. From the Notifications tab, check the last checkbox "Use disabled rules....".
    The current behavior of the Block for now and ask me later button is just to close the notification without doing anything else.
    I am open to suggestions on how to do this without having a new list of ignored processes.
    Thank you for sharing this.
     
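The two rule-based approaches from the post above (an allow rule limited to local addresses, and a disabled generic block rule that WFC's "Use disabled rules..." option turns into a notification suppressor), written out as an added PowerShell example that is not WFC's own code; it also serves the manual procedure from post 10. The program path is a hypothetical placeholder, and the rules are created in the "Windows Firewall Control" group so that Secure Rules treats them as authorized.

```powershell
# Added example (not WFC's own code). Creates the rule pair described in the
# post for a hypothetical program; run from an elevated PowerShell.
$Program = 'C:\Program Files\ExampleApp\ExampleApp.exe'   # placeholder path

# 1. Allow rule restricted to local addresses. The post's CIDR list and the
#    LocalSubnet keyword are the two options. They are close but not identical:
#    LocalSubnet means the subnets attached to the local interfaces, while the
#    CIDR list covers all private ranges, including subnets behind a router.
$lanOnly = @('192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8')   # or 'LocalSubnet'
New-NetFirewallRule -DisplayName 'ExampleApp - allow LAN only' `
    -Group 'Windows Firewall Control' `
    -Direction Outbound -Program $Program -Protocol Any `
    -RemoteAddress $lanOnly -Action Allow -Profile Any -Enabled True

# 2. Generic block rule for the same program, created DISABLED. Windows
#    Firewall ignores a disabled rule, so the allow rule above keeps working;
#    WFC (with "Use disabled rules..." checked in the Notifications tab) uses
#    the rule's existence to stop notifying about this program's other connections.
New-NetFirewallRule -DisplayName 'ExampleApp - block (disabled, suppresses notifications)' `
    -Group 'Windows Firewall Control' `
    -Direction Outbound -Program $Program -Protocol Any `
    -Action Block -Profile Any -Enabled False

# Check: both rules, their state, and the remote-address scope of each.
Get-NetFirewallRule -DisplayName 'ExampleApp - *' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Action        = $_.Action
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

An enabled block rule for the same program would take precedence over the allow rule, as the post notes; the block rule must stay disabled for the LAN-only allow to work.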
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Some apps make it impossible to implement it this way.
    e.g. Action! by Mirillis: if there is a block or an allow rule (enabled or disabled) for "C:\windows\system32\dwm.exe", the program will refuse to load...

    Panagiotis
     
  17. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    And you are SURE that not another security program on your system has influence?
     
  18. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    No security program is installed on my systems (except sandboxie).
    https://mirillis.com/en/products/tutorials/action-recorder-error-message-101.html
    I guess it is a stupid way to prevent piracy... Stupid, because it nags even if there is only an allow rule in place....

    Panagiotis
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    I had in the past one similar report for an image converter software. The behavior was the same. On each run, it checked if there is a firewall rule for its own executable. It didn't matter that it was an allow rule. If a rule existed, then the program would not run. This is really poor programming. Please send an email to their support and ask them how you can use their software in conjunction with your firewall. Disabling your firewall to be able to run a screen capture software is just stupid. I am really curious about their answer.
     
  20. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    I don't think that contacting them will make a difference. If you google action critical error 101, you'll see that there are reports from 2013...
    About poor programming: since they decided to check the firewall rules to fight piracy, I don't think that they can do it in another way (it would involve too much effort),
    e.g. for correctly implementing it they should:
    - check if there is an active block rule (should give error)
    - check if there is an active allow rule
    - check that the active rule is enabled for public and private profiles (if not should give error)
    - check the protocol of the rule, is it any or tcp? (if not should give error)
    - check the remote ports of the rule, are they any or 80,443 (if not should give error)
    - check the local ip addresses of the rule, is it any or does an address exist and does it match the address of the system? (if not should give error)
    - check the remote ip addresses of the rule, is it any or are the addresses of their servers included? (if not should give error)

    ps. The other option would be to either check if the connection is established with their servers and then start, or to use online/offline activation bound to hardware with periodic online verifications... methods that I hate because if/when a company closes you can no longer use your paid software...

    Panagiotis
     
  21. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Alexandru,
    the only way that I can think of is to use a txt file, manually edited by the user with exclusions.
    e.g. in WFC add an option "ignore notifications from the list" (point to or select the txt file) and then the user could type the ignored directories

    C:\windows\system32\dwm.exe
    C:\Program Files (x86)\Mirillis\Action!\*
    ....

    Panagiotis
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    Well, what if you use a different firewall than Windows Firewall? They can't check the rules of every installed firewall; this is why their approach is bad from the beginning.

    If you have no rule defined, WFC will show you a new notification, which is correct. If you create a rule (obviously, an allow rule), then the program would not start. But in this case, the process is blocked since outbound filtering (Medium Filtering profile) is enabled in Windows Firewall. Then, my questions are:

    1. How will this software connect with their servers for license verification?
    2. Does this program work if outbound filtering is enabled?
    3. Or does it require outbound filtering to be disabled so that it can connect freely to their servers? In this case, any mechanism implemented in WFC where the user could define some exceptions that will automatically dismiss the notifications for certain strings defined by the user will not work.
    I am not a fan of text files for this. I would implement in the Notifications tab a new list where the user could add some exceptions, similar to the authorized groups list. But see my questions from above, because this might not work with your scenario.

    Now, if I do this implementation, then I would have to:
    A) Remove the High notification level since the dismiss of notifications of svchost.exe and System can be done through this new exclusions list. What happens if I exclude svchost.exe and I have High notification level selected ?
    B) This involves a new redesign on the notifications system.

    As you can see, to support this badly written software, I also have a lot of work to do. :) I can do it, but I want to know if this really would solve the problem described by your scenario.
     
    Last edited: Dec 4, 2016
  23. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    True. Actually, there is no need to use a different firewall. With medium filtering and no rules, the connection will be blocked and the software won't nag.

    1. I don't think that it is used for license verification. More likely it is used to ban widely used activation keys.
    2. Yes, it just "hates" to see any rule for "dwm.exe".
    3. No, it does not need an outbound connection; if it cannot connect to their servers it'll still work...

    For me, you should not change anything.
    A) I don't know how you can combine the two; that is why I mentioned the txt file.
    B) I know, and a txt file seemed the only option for minimal modifications.
    Personally, I'm not a fan of notifications.
    I just use them to set the rules that I want and then I disable them. Then I export the rules, activate the firewall policies and import them there.
    Heck, even though I donated when you initially accepted donations I continued to use only V1 until last month.:D

    Panagiotis
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    Only a real fan would do that :thumb:

    I will do some changes to see how it looks.

    - An exclusions list in the Notifications tab which can be used by the user to exclude folders, exe files, basically a list of strings. This list can be used to add also the "svchost.exe" and "System" in the list of excluded items.
    - The notifications system will check the path of the blocked connection and the exclusions list before displaying a new notification. If a defined exclusion string is contained, then the notification will not be displayed.
    - The High notification level will be removed.
    - Medium notification level becomes "Display notifications for all programs"
    - Low notification level becomes "Display notifications for unsigned programs only"
    - A new button is added in the notification dialog which will add the exe name to the exclusions list. Where to put this option?

    Anyone, if you have more ideas about this one, you are welcomed to share them here. Note that the exclusions will be made based on strings. This is not a complex mechanism with exclusions based on time, date, etc. If you want to see again new notifications for an excluded string, you will have to remove it from the list.
     
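A model of the string-based exclusion check sketched above, as an added PowerShell example that is not WFC's code: entries are matched as case-insensitive substrings of the blocked process path, as described, and the trailing `\*` folder form from pandlouk's list in post 21 is treated as a folder prefix. The exclusion entries and the blocked-connection paths are constructed samples; the run shows why a full path is a safer entry than a bare file name.

```powershell
# Added example (not WFC's own code): models the exclusion check described
# above and runs it over constructed sample paths.
function Test-NotificationExcluded {
    param(
        [Parameter(Mandatory)] [string]   $BlockedPath,   # path of the blocked process
        [Parameter(Mandatory)] [string[]] $Exclusions     # entries of the exclusions list
    )
    foreach ($entry in $Exclusions) {
        # Folder entry (trailing \*): everything under that folder is excluded.
        if ($entry.EndsWith('\*')) {
            $folder = $entry.Substring(0, $entry.Length - 1)   # keeps the trailing backslash
            if ($BlockedPath.StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)) { return $entry }
            continue
        }
        # Any other entry: case-insensitive substring match, as the post describes.
        if ($BlockedPath.IndexOf($entry, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $entry }
    }
    return $null   # not excluded: a notification would be shown
}

# Constructed exclusion list: a bare file name, a full path, and a folder.
$exclusions = @(
    'svchost.exe',
    'C:\Windows\System32\dwm.exe',
    'C:\Program Files (x86)\Mirillis\Action!\*'
)

# Constructed sample paths of blocked outbound connections.
$samples = @(
    'C:\Windows\System32\svchost.exe',                     # the intended target of 'svchost.exe'
    'C:\Users\demo\Downloads\svchost.exe',                 # same file name elsewhere: also silenced by the bare name
    'C:\WINDOWS\system32\DWM.EXE',                         # full-path entry still matches despite the case difference
    'C:\Program Files (x86)\Mirillis\Action!\action.exe',  # covered by the folder entry
    'C:\Program Files\OtherApp\other.exe'                  # no entry: notification shown
)

foreach ($p in $samples) {
    $hit = Test-NotificationExcluded -BlockedPath $p -Exclusions $exclusions
    if ($hit) { "suppressed  $p   (matched '$hit')" } else { "notify      $p" }
}
```

The second sample is the caveat: a bare name such as `svchost.exe` silences every file with that name anywhere on disk, so the full path `C:\Windows\System32\svchost.exe` is the entry to prefer.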
  25. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    Yes, ATTENTION with those points. Both are very important, and I am very sure, not only for me! The function to have notifications for ALL (really all) outgoing connections is an essential point of WFC IMHO.
     