Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. oaruhyo

    oaruhyo Registered Member

    Joined:
    Jan 23, 2017
    Posts:
    9
    Location:
    USA
    Thank you for responding. Yes, I'm using 4.9.2 downloaded from binisoft.org and the hash matches. It does appear that the old message you linked describes what I'm seeing since the blocked wfc.exe connections do show up in the log when I get a notification popup for another application.

    From that message -
    However, in the notification dialog context (when a new notification is displayed), WFC checks if the program has a digital signature. On other cases, the operating system checks if there is a valid certificate for WFC, or even referenced assemblies may check for a valid digital certificate. All these are made in the name of wfc.exe even if I don't trigger such verifications from WFC code. One thing is sure, WFC doesn't do any hidden activity on your system.

    It's good to know that WFC itself isn't trying to connect to the internet for some unknown reason. However, if during a popup notification, WFC checks if the program has a digital signature which causes the operating system to attempt some communication in the name of wfc.exe, should those be allowed? Are they even necessary? They show up in the log as blocked and I'm not sure if that is a good thing or not. Does everyone else just ignore the blocked connection attempts in the log or do you set up a rule to allow wfc.exe to connect to port 80 for all addresses?


    I get popup notifications, but I've never received a notification for spoolsv.exe. I just see the blocked connections in the log. I currently have no block rules at all.
     
  2. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    681
    Location:
    Switzerland
    As far as I know it has no negative effect if you block those other connection attempts from wfc.exe. As Alexandru said, WFC really needs only the one predefined outbound connection rule to check for updates. If you have the auto-check disabled you could even deactivate this predefined rule too.
    On the other side it should be also okay to create allow rules for those connections.

    So IMHO, that is an individual user decision.

    Are you in PUBLIC location?

    If not, further investigation seems necessary.

    As a first step it would be good to make SCREENSHOTS of:

    - Filter Level setting
    - Notifications setting
    - ALL related Outbound rules with spoolsv.exe
    - An example of the blocked Outbound connection from WFC-Log

    Additionally: have you other software in use which could affect those connections?

    EDIT: If Alexandru can analyze your policy, this is an even easier and better way than mine here (please see his posting below)!

    Greetings

    Alpengreis
    Maintainer of WFC DE-Translation file
     
    Last edited: Jan 26, 2017
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    Unfortunately, this is not possible in WFC because WFC is not aware of network packets, it doesn't inspect any traffic.
    For the first part, wfc.exe should connect only to the specified IP from the rule named "WFC - Windows Firewall Control Updater". You should ignore other connection attempts of wfc.exe. I tried many times to stop them, but the behavior is not controllable from WFC code, but from the operating system itself. Just ignore them.

    For the second part, please export your full policy and send it to support@binisoft.org and also a screenshot with Connections Log where I can see all details of the blocked connection. I will try to reproduce this from code to see if WFC handles this correctly or if the problem is generated by some conflicting rules.
     
  4. oaruhyo

    oaruhyo Registered Member

    Joined:
    Jan 23, 2017
    Posts:
    9
    Location:
    USA
    Thank you. I just wanted to make sure it was safe to ignore the blocked wfc.exe connection attempts. It has been 2 days since I had the spoolsv.exe blocked connection in the log and I've been printing to my network printer but can't reproduce it today. If I see it again, I will email your support email address. Otherwise, maybe it was just an error on my part.

    Thanks also to Alpengreis for responding.
     
  5. oaruhyo

    oaruhyo Registered Member

    Joined:
    Jan 23, 2017
    Posts:
    9
    Location:
    USA
    Just wanted to tell everyone that the problem I was having with spoolsv.exe showing up in the blocked connection log even though there is a default rule set up to allow it, has nothing to do with WFC. The reason I hadn't seen the log entries in a few days was because I hadn't shut down my computer. Once I did, the entries reappeared.

    This appears to just be some type of timing issue with the Windows Firewall itself (not WFC) and only while it is booting.

    First it shows up in the blocked connection log -

    spoolsv1.jpg

    And then a few seconds later, it shows up as allowed

    spoolsv2.jpg

    I'm not sure why it happens, but obviously WFC has no control over this and I didn't want my message to concern anyone over using WFC, which is an excellent program.
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    On Windows start-up there can be connection attempts before the actual initialization of the network. This is the reason why you see those connections.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    Windows Firewall Control v.4.9.3.0

    Change log:
    - Updated: 'Start automatically at user logon' is made now through Windows Registry instead of the shortcut in 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup' folder.
    - Fixed: Importing policies from network shares does not work. The same applies when exporting a partial or a full policy is made on a network location.
    - Fixed: In Connections Log, 'Local' has the meaning of 'Source' and the 'Remote' has the meaning of 'Destination'. In Connections Log, Local Ports/Addresses were renamed to Source Port/Address and Remote Ports/Addresses were renamed to Destination Port/Address.
    - Updated: The user manual was updated to reflect the new changes.

    New translation strings (which I forgot to mention in the previous version):
    024 = Failed to import the policy file
    025 = Failed to export the policy file
    850 = Source address
    851 = Source port
    852 = Destination address
    853 = Destination port


    Download location: http://binisoft.org/download/wfc4setup.exe
    SHA1: e4af240d037e5baf7ad20b64d245bc45407e6be3
    SHA256: ea8471a54cfa9f55499409753e0c8ca22c83ca34f11acde9886d17b17755d0a9

    Best regards,
    Alexandru
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    In view of this change would an uninstall be necessary?
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    No. The updater will remove the shortcut (if it exists) and will create the entry in Windows Registry.
     
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Wonderful, thanks :)
     
  11. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    681
    Location:
    Switzerland
    For the German language users:

    The translation file is already sent to the developer and should be ready on binisoft.org very soon!

    Greetings.

    Alpengreis
    Maintainer of WFC DE-Translation file
     
  12. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    @alexandrud Little suggestion on improving WFC. Been really liking the way Secure Rules is keeping my Firewall Rules free of unauthorized rules, while still keeping the rules for future reference. Would it be possible to add a shortcut in the context menu of Rules Panel to "Authorize This Group" Authorized Groups"? That will really speed up the process of authorizing the firewall rule groups coming from trusted Windows Store apps, so that whenever they're updated via the store, their automatically created rules aren't disabled...
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @alexandrud

    What is the intended behavior for setting the password ?

    When I define the password and then select "Lock" nothing happens.

    I have to set the password, select Lock, exit the GUI and then re-launch the GUI for the GUI indicator to change from unlocked to locked.

    Then when I want to unlock WFC, I have to enter the password, select Unlock, exit the GUI and then re-launch the GUI to unlock WFC.
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    I can add an entry for this, but my question is, how will you be able to add a new group in the Authorized Groups list while Secure Rules is enabled ? To prevent disabling/deleting Windows Store apps rules, in the Authorized Groups list add an entry named "@" (without the quotes).
    upload_2017-2-12_0-11-35.png
    Something does not work correctly on your side. When you lock the program, the lock dialog should close and the user interface should become disabled. Then you can unlock it from the same dialog. In neither of these scenarios is a restart of the GUI required.

    1. Please check the WFC log in Event Viewer to see if an error was logged regarding this behavior.
    2. Please disable your antivirus while you lock it next time, or try to add wfcs.exe in the exceptions list of your antivirus. During the lock, some system files are modified to achieve the locking of the Windows Firewall CPL and WFwAS (wf.msc). If your antivirus blocks WFC service from doing its job, then this might be the reason why the locking feature does not work as expected.
     
  15. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Secure rules allows adding new authorized groups while it's enabled, which is good. I go to the secure rules section in the main panel and simply add it. This shortcut in the Rules Panel will drastically simplify the following process:

    Open Disabled Rule's Property Dialog > Copy Group Name > Close Dialog > Switch to Main Panel > Navigate to Secure Rules Section > Paste Group Name > Add to Authorized Group List > Switch Back to Rules Panel > Enable the Disabled Rule

    Down to:

    Right-click on Disabled Rule > Select "Authorize This Group" > Right-click on Disabled Rule > Select "Enable"

    Better yet, to further simplify the process, as you'd only be authorizing a group if you don't mind the application creating rules behind your back, you'd automatically want to re-enable the selected firewall rule(s) from that app. Thus, the shortcut could practically be "Authorize This Group and Enable Rule(s)", further simplifying the process down to:

    Right-click on Disabled Rule > Select "Authorize This Group and Enable Rule(s)"

    Notice the Rule(s), this could be used on multiple rules simultaneously to even further save time when you install several new trustworthy apps from the Windows Store, whose automatically created rules were disabled.

    The problem with that is, I don't want every app from the Windows Store having access to the internet. I block some apps from using internet connection as they serve their purpose to me offline...

    While you're at it, would it be possible to add support for horizontal trackpad/mouse scrolling? For some reason, vertical scrolling with my Surface Pro's precision touchpad or Logitech MX Master works in both the rules/connection logs panels, but neither of them can do horizontal scrolling in those same panels. Pressing left/right keyboard buttons work for that, but I think mouse/trackpad horizontal scrolling should also be supported...
     
    Last edited: Feb 11, 2017
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The only AV installed is Windows Defender.

    In the Events Log there is an error - "WFC was not locked."
     
  17. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    What? No AppGuard?
     
  18. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    I just installed the latest WFC 4.9.3.0 and ticked the option to populate the rules from the Windows Firewall but upon checking the rules in WFC, I see every program/rule listed twice. see this image please:

    2017-02-12_203540.png
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    Good point. I will add a simplified way of adding a new authorized group right from the Rules Panel.
    I will investigate this to see if it can be improved.
    In the Details tab the EventData should contain the exception that was encountered. Can you post that one ?
    upload_2017-2-13_11-38-10.png
    Those rules that seem to be duplicated have no Group set. This means they were created from outside WFC. I see that some of them are for Domain location and some of them for Private,Domain. It does not appear in your screenshot, but these rules aren't they created for different protocols ? Those duplicates, is one of them created for the UDP protocol and one of them for TCP protocol ? If the answer is yes, then there are no duplicates.
     
    Last edited: Feb 13, 2017
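The check described in the post above (same-named rules that differ by protocol or location are not duplicates) can be run directly against Windows Firewall. This is an added example, not part of the original thread and not WFC's own code; it uses the built-in NetSecurity cmdlets, and the output column names (RuleGroup, DistinctSets, TrueDuplicate and so on) are chosen here for illustration.

```powershell
# Added example: list firewall rules that share a name, program and direction,
# and report whether the copies differ by protocol, ports, profile or action.
# Run in an elevated PowerShell session; reads the local persistent rule store.

# Flatten each rule together with its application and port filters.
$rules = Get-NetFirewallRule | ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        RuleGroup   = $_.DisplayGroup      # empty for rules created without a group
        Direction   = $_.Direction
        Action      = $_.Action
        Profile     = $_.Profile           # Domain / Private / Public flags
        Program     = $app.Program
        Protocol    = $port.Protocol
        LocalPort   = ($port.LocalPort  -join ',')
        RemotePort  = ($port.RemotePort -join ',')
    }
}

# Rules that look identical in a name/program view.
$rules |
    Group-Object DisplayName, Program, Direction |
    Where-Object Count -gt 1 |
    ForEach-Object {
        # Combinations of the fields that make two same-named rules distinct.
        $distinct = @($_.Group |
            Select-Object Protocol, LocalPort, RemotePort, Profile, Action -Unique)

        [pscustomobject]@{
            Rule          = $_.Name
            Copies        = $_.Count
            DistinctSets  = $distinct.Count
            # True only when at least two copies match on every compared field.
            TrueDuplicate = ($distinct.Count -lt $_.Count)
            Protocols     = ($_.Group.Protocol | Sort-Object -Unique) -join '/'
            Profiles      = ($_.Group.Profile  | Sort-Object -Unique) -join ' | '
            HasGroup      = [bool]($_.Group.RuleGroup | Where-Object { $_ })
        }
    } |
    Format-Table -AutoSize
```

A row with Protocols `TCP/UDP` and TrueDuplicate `False` is the case described in the post: two separate rules for one program, one per protocol.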
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    AppGuard + Windows Defender + Windows Firewall + Windows Firewall Control

    LastPass and Adguard or uBlock Origin

    That's it.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @alexandrud

    Setting the password uses cmd. Unlocking uses cmd.

    I had cmd set with limited privileges on the system - so the restrictions were the cause of the malfunction.

    I sent video. Please disregard.
     
    Last edited: Feb 13, 2017
  22. defconoi

    defconoi Registered Member

    Joined:
    Mar 1, 2015
    Posts:
    7
    I'd like to notify you of a bug regarding the alerts on Windows 10. It appears that sometimes blocked apps and connections are not detected until the connections list is refreshed. Also can you add a custom refresh interval for the connections tab? Also I'd love to see a feature that shows all active connections with the apps to allow to block them on demand.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    I will update the code to make sure that the password is not set if something does not work correctly. Thank you for your video and your feedback.
    Unfortunately I can't reproduce this scenario. Please give some more details.

    1. What operating system do you use ?
    2. What other security products do you use on this machine ?
    3. Did you modify the default size of the Security event log ?
    4. For which programs do you encounter this behavior ? Do you have any rules for these programs ? Give some examples.
    5. How many rules do you have in your rules list ?

    Pressing the refresh in Connections Log has nothing to do with the notifications. Please check the user manual how the notifications system works. Just press F1 in any WFC window and read the following topic: User interface > Main Panel > Notifications > How does the notifications system work?

    There is no auto refresh in Connections Log because loading the entries can take much longer than the specified interval. Just press F5 to refresh the entries.

    Regarding the active connections, WFC will not include this feature. Resource Monitor (resmon.exe) already contains this info and is available in any Windows version.
     
  24. flipswitchingmonkey

    flipswitchingmonkey Registered Member

    Joined:
    Feb 18, 2017
    Posts:
    1
    Location:
    Germany
    Is anyone using WFC with the Windows Linux Subsystem? Anything running inside the subsystem does not seem to show up as file paths within the firewall, so rules are never triggered :(
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania