Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    If you, like me, are not interested in automatically checking for Windows Updates, which has become evil in Windows 10, there is only one thing for svchost - allow outgoing DNS connections over UDP to remote port 53. All other svchost connections will be blocked. To stop being bothered by svchost notifications, add svchost.exe to the notifications exceptions.
     
  2. StealthyTrojan

    StealthyTrojan Registered Member

    Joined:
    May 18, 2020
    Posts:
    24
    Location:
    Portugal
    But I don't want to prevent Windows Update from automatically checking for updates. I've asked at the TinyWall thread, is it better over there? Or is the only way to get rid of the svchost problem to use a paid firewall like the one in Avast or AVG? They decide everything automatically for you.
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    They will decide to allow a lot of svchost.exe connections anyway :) What really is the svchost problem that you have? Is something not working, or is the problem what you see in Connections Log? Would it be better if WFC would skip and not display those in Connections Log? Would it then be a better product?

    The reason why you see svchost.exe connections blocked, despite your allow rules, is that the operating system contains some restricted rules related to certain Windows services. For example, some Windows services are allowed to connect only in certain circumstances. If you create a rule that allows more than those restricted rules, then you will see dropped connections for svchost.exe. This doesn't mean anything for your user experience. If Windows features that you use are working as expected, then just add svchost.exe in the notifications exceptions list and forget about it.

    Check this Windows Registry key: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices to see some restricted rules which are not available in Windows Firewall API, therefore WFC can't display these.
     
  4. StealthyTrojan

    StealthyTrojan Registered Member

    Joined:
    May 18, 2020
    Posts:
    24
    Location:
    Portugal
    I didn't know about that, that's strange. Why does Windows have rules to block its own connection attempts?
     
    Last edited: Apr 26, 2021
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
  6. Yin Cognyto

    Yin Cognyto Registered Member

    Joined:
    Jun 15, 2014
    Posts:
    12
    After I recently considered migrating to a free AV+Firewall environment (still undecided on the AV, have to probably choose between Avast and Avira), I discovered WFC while I was trying to stop WF from creating allow rules behind my back, and I share Leeju27's appreciation and concerns regarding WFC, even more so with Alex being quite close geographically to me.

    In other words, 1) and 2) happened to me as well, but I don't think WFC is the culprit, since I had an instance when I lost the WiFi connection even before installing it, with only bare WF and "Core Networking - DNS (UDP-Out)" rule active. I imagine there could be other (hopefully, few) rules that can be added to the minimum recommended ones in order to stabilize svchost and the connection (I couldn't even connect directly to https://www.binisoft.org/wfc with all the recommended WFC rules - bar the Windows Update one - active and enabled, though it worked by first getting to https://www.binisoft.org and then choosing the WFC section on the page, so a similar side of the problem persisted after installing WFC on top of the bare WF).

    Regarding 5), when you have time to update WFC, maybe you'll consider having an option somewhere to present a "mini" version of notifications instead of the big one as it is now. Having such informative notifications is brilliant and frankly I didn't think it would be possible for a WF based solution, but on my 1366x768 px screen the notifications take half of the screen vertically and about a quarter horizontally, preventing me from seeing other stuff on the screen. I'm guessing a notification the size of the allow / block buttons (or even both) as illustrated below, where only the program / name along with the source / remote and maybe the protocol could be shown, with the rest of the "non-essential" available as "tooltips" on some nearby mini icon hovering could work too. For example, this:

    WFC Notification.jpg

    could alternatively look like this (excuse my photoshopping skills):

    WFC Mini Notification.jpg

    P.S. The garbled text is the Source and Remote, while the green arrow and the red X are the same Direction (Out, so arrow should have been upwards, but anyway) and Action (Block) as in the big "version". Stuff like Signed or Process ID could be presented as tooltips for this case.

    EDIT: On a second look, I realized that one would typically disable the notifications and only enable them when he wants to find out (and configure right away) which connections to allow for something that needs online access, so having a bigger notification window makes sense.
     
    Last edited: May 9, 2021
  7. Yin Cognyto

    Yin Cognyto Registered Member

    Joined:
    Jun 15, 2014
    Posts:
    12
    One more thing I noticed today after last night installing Avast Antivirus Free (though I don't think it's part of the problem). I started the computer in the morning and left it on for a couple of hours (time in which the screen went black, as usual when idle for a while, i.e. the "sleep" process). When I returned, I had WFC with an exclamation mark and the message "Can't connect to windows firewall control service" in the system tray. I saw that people experienced such issues since 2014 (!) and although the solution to restart (i.e. Stop, then Start) the Malwarebytes Windows Firewall Control service in the Service Manager (services.msc) solved the problem, there must be a better way to automatically avoid such things, right?

    Unfortunately, I didn't check if all was OK with WFC in the system tray right after starting the computer and only noticed the issue when I returned to it, but just speculating, is it possible that the issue is related to the note from the Start Automatically At User Logon checkbox? I didn't log out from my user account, but who knows, maybe system sleep produces a similar effect... I'm on Medium Filtering, Secure Profile and Secure Rules (no Secure Boot), if that matters.
     
  8. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    145
    Location:
    Brighton, Colorado
    Something I wonder about: If I do not allow a program to connect, is it allowed or denied?

    Or a program pops up and I do nothing?
     
  9. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    If you do not allow a program to connect then it is denied.
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    A mini version of the notification will require some (a lot of) work and will probably not be done.
    I can't reproduce this and I do not think it is related to Sleep mode. I also use Sleep mode on my laptops and the tray icon does not display the exclamation mark when resuming. I will keep an eye on this.
     
  11. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    251
    Location:
    Poland
    The firewall always denies the connection during the popup.
    The connection goes on only after it is allowed. If the message is idle, the connection is supposed to still not be allowed until you accept.
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    The answer is here: https://binisoft.org/pdf/guides/Malwarebytes-WFC-User-Guide.pdf#page=17

    "Windows Firewall Control doesn't do any packet filtering to inspect the network traffic. This is done by Windows Filtering Platform. Each time a network packet is dropped, Windows Firewall generates a new event in the Security event log of the system. Windows Firewall Control is subscribed to these events and based on the existing firewall rules it decides if a new notification should be displayed or not. This is done by searching through the existing firewall rules to see if there is a rule that matches the blocked connection that was recorded in the Security event log. The events about a blocked outbound connection are raised after the connection is blocked. This means that a notification dialog is displayed for an already blocked connection, not for a paused connection, therefore the notification dialog can't have an Allow for now and ask me later option. After creating an allow rule, the program that was blocked must retry the connection in order to connect based on the newly created allow rule."
     
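The event-log mechanism quoted above can be observed directly. This is an added example, not part of the thread and not WFC's own code: it reads the blocked-connection audit events from the Security log and keeps the outbound ones for one process. Event ID 5157, the `%%14593` direction token and the field names are standard Windows audit-event details that the thread does not mention, and whether WFC subscribes to exactly this event ID is an assumption.

```powershell
# Added example (not WFC code). Run from an elevated prompt: reading the
# Security log requires administrator rights.
# Assumption: blocked connections are logged as Security event ID 5157
# ("The Windows Filtering Platform has blocked a connection"). Nothing is
# returned unless failure auditing for the "Filtering Platform Connection"
# subcategory is enabled.
function Get-BlockedOutbound {
    param(
        [int]$Hours = 1,
        [string]$ProcessName = 'svchost.exe'
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 5157
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_

            # Turn the <EventData><Data Name="..."> elements into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            # %%14593 is the message-table token Windows logs for "Outbound".
            if ($data['Direction'] -ne '%%14593') { return }
            if ($data['Application'] -notlike "*\$ProcessName") { return }

            [pscustomobject]@{
                Time        = $evt.TimeCreated
                Application = $data['Application']
                ProcessId   = $data['ProcessID']
                Remote      = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
                Protocol    = $data['Protocol']   # IANA number: 6 = TCP, 17 = UDP
            }
        }
}

# Blocked attempts per remote endpoint over the last day, most frequent first.
Get-BlockedOutbound -Hours 24 |
    Group-Object Remote, Protocol |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Every row describes a connection that had already been dropped when the event was written, which is why a notification built on these events cannot pause a connection.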
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    @alexandrud
    I guess I'm very confused. It is necessary to deny the program connecting to one specific IP, 69.135.0.15 (for example), and allow it to connect to all other IPs.
    Create rule 1 - block outbound to 69.135.0.15, the rule works and blocks connections.
    Create rule 2 - allow outbound to all addresses, and rule 1 stops working. But after all, blocking rules take priority over allowing rules, so why is this happening?
    Delete rule 2 and create rule 3 - allow outbound on 1.1.1.1-69.135.0.14,69.135.0.16-255.255.255.255. Now the program cannot connect to 69.135.0.15, but connects to all other IPs as required. It seems that now rule 1 is not needed either, but if you delete it, then you will receive notifications about a blocked connection at 69.135.0.15.
    So rule 1 + rule 3 is the correct option, or am I wrong?
     
  14. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Block rules have higher priority than allow rules, yes.

    It's related to your profile too. For MEDIUM, rule 3 resp. rule 1 + 3 (rule 1 isn't necessary, as Alexandru describes below) would be okay. If you switch to LOW, you should have the explicit block rule for 69.135.0.15 and the allow rule would no longer be necessary.

    To have rules which are okay for ALL profiles, you should have rules 1 and 3.

    PS: 1.1.1.1 should be 0.0.0.0
    PPS: Also do not forget to handle IPv6 (if you have it on your system and if it's necessary for your purpose): there should be a rule which allows all, meaning: ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
     
    Last edited: May 16, 2021
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    If you are on Low Filtering profile and you want to block only 69.135.0.15, then you would create Rule 1. That's all.
    If you are on Medium Filtering profile and you want to allow any other IP but not 69.135.0.15, you create Rule 3. Rule 1 is not needed. To stop notifications for 69.135.0.15 then add a notification exception or keep Rule 1.

    In your example, Rule 2 should not break Rule 1.
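The rule combinations discussed in posts 13 to 15 can be checked with a small model. This is an added example, not part of the thread and not how Windows Firewall is implemented: it encodes only the two statements made above (a matching block rule wins over a matching allow rule, and unmatched outbound traffic is allowed on Low Filtering and blocked on Medium Filtering). All function names are hypothetical, and Rule 3 starts at 0.0.0.0 as suggested in post 14.

```powershell
# Added example: a toy model of outbound rule evaluation, not Windows code.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)               # network order -> little-endian host order
    [BitConverter]::ToUInt32($bytes, 0)
}

# True when $Ip falls inside any "a-b" range or single address of the rule.
function Test-RuleMatch ($Rule, [string]$Ip) {
    $n = ConvertTo-UInt32 $Ip
    foreach ($range in $Rule.Remote.Split(',')) {
        $lo, $hi = $range.Split('-')
        if (-not $hi) { $hi = $lo }        # single address, not a range
        if ($n -ge (ConvertTo-UInt32 $lo) -and $n -le (ConvertTo-UInt32 $hi)) {
            return $true
        }
    }
    $false
}

# Block beats allow; with no matching rule the profile default decides.
function Get-Verdict ($Rules, [string]$Ip, [string]$DefaultOutbound) {
    $hits = @($Rules | Where-Object { Test-RuleMatch $_ $Ip })
    if ($hits.Action -contains 'Block') { return 'Block' }
    if ($hits.Action -contains 'Allow') { return 'Allow' }
    $DefaultOutbound
}

$rule1 = [pscustomobject]@{ Action = 'Block'; Remote = '69.135.0.15' }
$rule2 = [pscustomobject]@{ Action = 'Allow'; Remote = '0.0.0.0-255.255.255.255' }
$rule3 = [pscustomobject]@{ Action = 'Allow'
                            Remote = '0.0.0.0-69.135.0.14,69.135.0.16-255.255.255.255' }

$sets     = [ordered]@{ 'R1' = @($rule1); 'R1+R2' = @($rule1, $rule2)
                        'R3' = @($rule3); 'R1+R3' = @($rule1, $rule3) }
$profiles = [ordered]@{ 'Low' = 'Allow'; 'Medium' = 'Block' }

foreach ($p in $profiles.Keys) {
    foreach ($s in $sets.Keys) {
        [pscustomobject]@{
            Profile       = $p
            Rules         = $s
            '69.135.0.15' = Get-Verdict $sets[$s] '69.135.0.15' $profiles[$p]
            '69.135.0.16' = Get-Verdict $sets[$s] '69.135.0.16' $profiles[$p]
        }
    }
}
```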
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Windows Firewall Control v.6.5.0.0

    Change log:
    - New: The notification dialog displays now the count of blocked attempts for each program that is notified.
    - Improved: The keyboard shortcuts to switch between notifications were changed in notification dialog to Ctrl+Left and Ctrl+Right.
    - Fixed: Privilege escalation vulnerability was fixed in WFC service.
    - Fixed: Some group names are not displayed correctly in Rules Panel.

    Download location: https://www.binisoft.org/download/wfc6setup.exe
    SHA1: 5c09432413a69404acd0b801a8ae08e2adf52ef8
    SHA256: 4ccc620495122c206c33ca76986d7388685fa6786ead0aa2d2837989782d9305

    Sorry for not being able to provide more features and fixes to WFC at this time.

    Thank you for your support,
    Alexandru Dicu

     
  17. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    26
    Location:
    Greece
    binisoft.org = Server not found !!!!
     
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,423
    Location:
    U.S.A.
  19. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    WFM - just d/l'd new version 6.5.0.0
     
  20. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    26
    Location:
    Greece
  21. yoweho8574

    yoweho8574 Registered Member

    Joined:
    Mar 11, 2020
    Posts:
    19
    Location:
    UK
    Hello there, I wrote a while ago about that, but there is really a problem with automatic rules deletion and updating Windows Store apps: often (but not always) it doesn't delete the rules fast enough after Windows created rules when updating apps, and so the apps send/receive traffic when I launch them.

    Also, the "secure profile" feature often disables itself (checkbox unchecked), and there is another problem with the log, which still disables itself sometimes, and you need to uncheck and recheck the boxes under "log connections" in the log window to re-enable it.

    I have been having those 3 issues since I started using up-to-date WFC on multiple PCs, from Windows 17xx through 20H2.

    Thanks for your work.


    Edit: I've also read the previous messages and I was wondering if there is some other software with a GUI to edit Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedService rules? It's a pain to read and edit them in the registry.
     
    Last edited: May 20, 2021
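The restricted rules that post 3 points to, and that post 21 finds hard to read in the registry, can be listed as a table. This is an added example, not part of the thread and not a WFC feature: a read-only script that walks the RestrictedServices key named in post 3. It assumes the values are stored in the same pipe-delimited `Key=Value` format as ordinary Windows Firewall rules in the registry, and the function name is hypothetical.

```powershell
# Added example: read-only listing, nothing is written to the registry.
# The key path is the one given in post 3.
$root = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices'

# Assumption: each value looks like
#   v2.0|Action=Block|Active=TRUE|Dir=Out|App=...|Svc=...|Name=...|
function ConvertFrom-RuleString {
    param([string]$Id, [string]$Text, [string]$Store)

    $rule = [ordered]@{ Store = $Store; Id = $Id }
    foreach ($field in $Text.Split('|')) {
        $k, $v = $field.Split('=', 2)
        if ($null -eq $v) { continue }     # version token or empty trailing field
        if ($rule.Contains($k)) {
            $rule[$k] = "$($rule[$k]),$v"  # repeated keys, e.g. several ports
        } else {
            $rule[$k] = $v
        }
    }
    [pscustomobject]$rule
}

# Walk the key and every subkey without assuming the subkey names.
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)

$rules = foreach ($key in $keys) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = $key.GetValue($valueName)
        if ($data -is [string] -and $data -like '*|*') {
            ConvertFrom-RuleString -Id $valueName -Text $data -Store $key.PSChildName
        }
    }
}

# Show the restrictions that apply to services hosted in svchost.exe.
$rules |
    Where-Object { $_.App -like '*svchost.exe' } |
    Sort-Object Svc |
    Select-Object Store, Svc, Action, Dir, Protocol, LPort, RPort, Name |
    Format-Table -AutoSize
```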
  22. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
  23. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    26
    Location:
    Greece
    Well, Cloudflare DNS (1.1.1.1 & 1.0.0.1) reports that. Server not found.

    Don't you think something is wrong with the dns record?
     


  24. yoweho8574

    yoweho8574 Registered Member

    Joined:
    Mar 11, 2020
    Posts:
    19
    Location:
    UK
    Which browser are you using? I'm using DoH Cloudflare on Firefox and the site loads because it uses standard DNS as fallback. Edit: it's the network.trr.mode 2 option, but this behavior is the default unless you have modified it.
     
    Last edited: May 20, 2021
  25. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    26
    Location:
    Greece
    Well, apparently they fixed the issue, because (after 2 days off) it works right. I was using FF, Chrome, whatever. The issue was not mine but something with their hosting. Pls read my posts. Not related to me.
     