Windows Firewall Control (WFC) by BiniSoft.org

I had a feeling someone would bring up telemetry. As has been mentioned plenty of times in these forums, telemetry is not necessarily spying. I've used O&O ShutUp 10 to lessen Windows phoning home and I have to trust the programs I install. If I can't trust a program it doesn't get installed.

I guess I probably don't need WFC after all.

Thanks all.

 

Maybe this has been answered before, but why isn't WFC signed?

 

WFC doesn't always write the correct outbound allowed rule for a program. I had to write one within Windows Firewall.

I had network connections dropping on Windows 10 so I had to permanently allow outbound connections for my wireless device via the WF interface itself.

Now all works well.

 

Please give more details. How did you create the rule from WFC ? Did you browse for the file, from the notification ? What is different between the WFC rule and the rule created from WFwAS ?

 

For instance, with Yahoo Messenger, I allowed -C:\Users\UserName\AppData\Local\yahoomessenger\Update.exe --processStart "Yahoo Messenger.exe" - with WFC. I still couldn't connect to the Internet.

I had to resort to Windows Firewall Advanced Settings, New Rule - and under Programs set allowed the following address - C:\Users\UserName\AppData\Local\yahoomessenger\app-0.8.288 - now I could connect to the Internet.

As for the Network Connection - under Windows Firewall Advanced Settings, New Rule - Predefined - I created an allowed rule for Wireless Display. Now I have a solid Internet connection on my wireless device.

 

Speaking of the above, is it normal to get new alerts for hxmail (Windows Mail) every few days? I keep setting it to allow all tcp out, but a few days later I have to do the same again. Does it change path or something? Happens with calendar and store as well.

 

From your description an additional rule was required for Yahoo Messenger. This does not mean WFC is not creating correct rules.

The program path is the same or does it have a different path after an update ? If the path is different, then the behavior is correct.

 

Just found how to look at the rules, and indeed they are in different directories. Is it possible to create rules with wildcards in the path? E.g. C:\Example\*\Example\example.exe

Edit: From what I can find, Windows Firewall doesn't support wildcards. =(

 

Regarding wildcards:

 

How does WFC associate a rule to a program?
Is the deciding factor only a program name and path? or program hash?

What if a known executible with an "allow" rule loads a new, unknown DLL - is it still "allowed"?

 

I've decided I'll give WFC a try. I finally jumped through enough hoops and have successfully donated AU$14.15.

I'm just running Disk Clean-up after updating Windows and will image my machine before installing WFC. Wish me luck!

 

Why was WFC using 25% of my CPU resources??

 

My problem is much less important than Krusty's, but on a new laptop I installed WFC and I believe it is somehow breaking the network file sharing features of windows. It is a fresh installation of 1703 Win 10, with the latest WFC, and I've run Blackbird ( http://getblackbird.net/ ) on the computer, as well as the lan fix for blackbird (blackbird -l) .

The problem is that if I go to "Network" with WFC on and set to Medium Filtering, it says that "Network Discovery is turned off. ...". Attempting to enable network discovery makes no difference. If I set WFC to "No Filtering", Network Discovery works perfectly without problems. To try to fix it, I deleted ALL explicit firewall block rules, but it still somehow blocks the filesharing. I don't receive any notification. I can provide logs as necessary, etc.

It's possible something else has broken the network discovery, but because it works when WFC is disabled, it seems to me that WFC is involved. I can provide rule exports or logs as necessary. It might be some 1703 nonsense.

Anyway, I still love the product and have used it on several computers without problems. It's such an elegant firewall solution.

And good luck with your CPU problem, Krusty! Don't give up on WFC

 

Nar, I'm not giving up just yet. After a restart the CPU usage dropped off so I'm monitoring while trying to learn how to use WFC to unblock some programs.

I have Notifications set to Learning mode for now. Does that mean as it sounds, that WFC is 'learning' which programs to allow and is creating rules automatically?

 

I am on Windows 7 and can't test this right now, but, create a new allow rule from WFwAS which applies to all programs. After the wizard finishes open up the rule and set the application package to your Windows Store app. Maybe this will work because you have a rule for a specific application package. Now, if after an update the path changes, the rule will be still good. Please let me know if this works.

WFC does not associate nothing. Windows Firewall are applied per path basis, so if an updated version of a program uses the same path then the existing firewall rule is OK, if the path changes, a new rule is required for the new path. Since Windows Firewall does not have any logic which contain the program hash, any allow rule is an allow rule. Even if an "unknown DLL" is loaded, the call is made by the executable, so if there is an allow rule for that executable file, then that executable is allowed.

It depends on what the WFC service is doing at that time. When you open the Connections Log to see connections, the service loads the entire Security log and parses it. This takes time and CPU.

If you enable File and printer sharing a new set of Windows Firewall rules are created by the operating system. They include outbound and inbound rules which are created in a group named File and printer sharing. By default, these rules are disabled in Windows Firewall. If this does not work, try to enable manually the rules from the File and printer sharing group.

Also, if the advanced sharing settings not staying active, try to:

1. Make a backup of your rules. Export a full policy or just export your custom rules to a partial policy file.
2. Reset Windows Firewall default set of rules. Set now the sharing check boxes. They should remain now active.

The behavior that you have mentioned happens when the default rules from the File and Printer Sharing group are missing. It seems that when you check those check boxes, it just toggles the enabled/disable property of these rules. But, if these rules are missing, checking those check boxes will fail to recreate them.

3. Reimport just your rules from step 1.

If you are using Secure Rules, make sure that File and Printer Sharing is in the authorized groups list.

No, that means that when a blocked connection event is generated, if the program is digitally signed with a valid signature, WFC will automatically create an allow rule for it if a matching rule is not found. WFC is not a firewall by itself and for this reason it doesn't learn anything. WFC is not aware of active network connections or currently running processes. It works in a passive way by reading the events generated in Security log by Windows Firewall.

 

I've got a fast growing and rather large list of NT Kernel & System block events. Should I allow these?

 

Creating the rules worked and it seems they're doing what they're supposed to do and only for the applications they're supposed to be active on. Haven't had any update yet though so can't test that, not that it tells me the app has been updated, but I assume it'll work even after they're updated. I also set the group to Windows Firewall Control so that I can have the "Secure" setting in WFC enabled.

 

That was exactly it, and the problem is fixed now, thanks for the quick help!

Personally, I like to allow these to LocalSubnet, although I don't know the full purpose of the connection attempts.

 

Update: It works for "Allow" but not for "Block", when I make it "Block" WFC will alert, I assume this is expected but how do I make a block rule that doesn't mean notify? I mean, what does WFC do differently when I choose block in comparison to me making it in Advanced Settings?

 

Also, I just checked my incoming blocked connections. Should all these really be blocked?

 

How does your block rule looks like ? And which are the blocked connection details from the new notification ? Do they match ?

Please read the following user manual topic User interface > Main Panel > Notifications > How to stop the notifications for a program? Just press F1 in any WFC window to open the user manual. You can add a notification exception also from the notification dialog.

 

anyone knows , which process/exe Cortana uses for its outgoing connection when checking a request made by the user?

 

I've gotta say that so far the support has been superb!

I'm sorry I'm no firewall rules expert but until I donated to WFC dev I haven't needed to be.

 

i'm trying to find what process makes cortana to connect internet when vocal command are ordered... it isn't searchUI.exe , must be something else.

edit: found out , it is C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe