another Windows Firewall Control?

Discussion in 'other firewalls' started by moontan, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. CGA

    CGA Registered Member

    Joined:
    May 11, 2007
    Posts:
    18
    This is what I get. Removed the old version before installing.
     
  2. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    I had overlooked this when I installed 3.100.

    Now, with learning mode enabled, I experience popups for programs that I already have defined rules for. For example, I allowed svchost for UDP port 53 (that is DNS), router address. After having the rules, WFC permanently asks me to do exactly the same. That happens for allowed programs as well as for denied programs. See the Microsoft_IP-Range example in my posting before.

    Maybe I did not understand the concept?
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,455
    Location:
    Romania
    If you don't want to see again notifications for a program, you must use the checkbox "Do not alert me again about this program" in the notification. You can see these programs listed in Manage Rules, under Hidden Notifications. If you don't check that checkbox, you will see future notifications even for programs that have defined rules.

    For example, you define a rule to block svchost.exe from accessing an IP address. In the future, when it tries to connect to this IP address, it will show a new notification because, from the point of view of WFC, notifications for svchost.exe are not restricted. Svchost.exe does a lot of traffic, so I recommend disabling notifications for svchost.exe.
    Multiple allow/block firewall rules can coexist. For example, let's say you have a rule for opera.exe to allow all connections to ports 80 and 443 to all remote addresses. Also, you can have a rule for opera.exe to block access to X.X.X.X IP address. Both rules are active, because they don't exclude each other. But if you have a rule to allow all connections for opera.exe and also a rule to block all connections for opera.exe, the block rule is more powerful and will take effect.

    When do you get that error ?
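The coexistence and block-over-allow behaviour described in the post above, as an added Python model (not WFC or Windows Firewall code). The `Rule` class, `decide` function, the documentation-range address `203.0.113.7` standing in for X.X.X.X, and the default of blocking unmatched outbound traffic are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    program: str
    action: str                      # "allow" or "block"
    remote_ports: frozenset = frozenset()   # empty means any port
    remote_nets: tuple = ()                 # empty means any remote address

    def matches(self, program, remote_ip, remote_port):
        if self.program.lower() != program.lower():
            return False
        if self.remote_ports and remote_port not in self.remote_ports:
            return False
        if self.remote_nets and not any(
            ip_address(remote_ip) in ip_network(net) for net in self.remote_nets
        ):
            return False
        return True


def decide(rules, program, remote_ip, remote_port, default="block"):
    """Return the action for one outbound connection attempt.

    Every matching rule is considered; a matching block rule wins over any
    matching allow rule. `default` (assumed here) applies when nothing matches.
    """
    matching = [r for r in rules if r.matches(program, remote_ip, remote_port)]
    if any(r.action == "block" for r in matching):
        return "block"
    if any(r.action == "allow" for r in matching):
        return "allow"
    return default


# Constructed rule set mirroring the opera.exe example in the post.
COEXISTING = [
    Rule("Opera web", "opera.exe", "allow", frozenset({80, 443})),
    Rule("Opera bad host", "opera.exe", "block", remote_nets=("203.0.113.7",)),
]

# Constructed rule set for the conflicting case: allow all plus block all.
CONFLICTING = [
    Rule("Opera allow all", "opera.exe", "allow"),
    Rule("Opera block all", "opera.exe", "block"),
]

if __name__ == "__main__":
    print(decide(COEXISTING, "opera.exe", "198.51.100.10", 443))   # allow
    print(decide(COEXISTING, "opera.exe", "203.0.113.7", 443))     # block
    print(decide(COEXISTING, "opera.exe", "198.51.100.10", 8080))  # block (default)
    print(decide(CONFLICTING, "opera.exe", "198.51.100.10", 80))   # block
```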
     
  4. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    No combination will work. I still get core networking, network discovery etc.


    Ok about the feature. I just find it odd that under Profile column Any is used when all are selected but it's not used in the other columns mentioned.
     
  5. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    OK, so if I use the next popup of svchost that informs me about the connecting attempt to one of MS Ltd IP, I can use it to mark the checkbox "Don't alert me again". Is this "Don't alert me again" bound to the specific rule or to the svchost.exe?
     
  6. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    I don't get those when choosing "Created by WFC".
     
  7. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I always get this on install. My workaround: if the downloaded WFC was moved during the installation to the final destination, go to the final destination, right click and select Run as Administrator and it will complete the installation. If the install did not move it to the final destination, right click the downloaded file - cut, go to the intended final destination and paste, right click the pasted file and select Run as Administrator and it will install. Don't know why I always get this but I have attempted to track it down. I think it has to do with two things: 1) even though the installation is initially run as Admin, it somehow loses the ability to rewrite the task event for startup which is always left behind in Task Scheduler after uninstall. If it isn't left behind, then it has problems writing the new task. 2) Way back yonder when I installed the very first version of WFC, which at the time would not work for reasons we finally figured out, I attempted to launch the installer in Compatibility mode to get it to work and, as we know now, even that wasn't going to make it work. After bugs were worked out on WFC and even though I cleaned the registry of all traces of WFC, Windows still thinks that the app needs to be installed in this Compatibility mode. When it isn't, Windows halts the final install process with this popup warning.
     
  8. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Personally I did no longer have those issues since I terminated WFC.exe before uninstalling.
     
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    If I had this version of WFC way back yonder, then all my rules would have been created by WFC. But up to this point, not having enough flexibility to add multiple addresses etc. when creating WFC rules, I've had to use WFAS for rule creation. I guess I could disable my WFAS rules, get the popup and rewrite all my rules using info from my disabled WFAS created rules and I may just do that now that we have this new version.
     
  10. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Yes, I see...
    ...although I think that there still are certain aspects you need WFAS for.
    For example in case you want to create rules for svchost that are bound to a certain service...such as svchost-> wuauserv or svchost->dnscache.
     
  11. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    New version is working fine :doubt:. The popups are slow. I like the old version better.
     
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I see Service Name listed in one of the columns of Manage Rules. Is that for informational purposes or is it configurable? If it is, this would take care of your example.
     
  13. ibydos

    ibydos Registered Member

    Joined:
    Nov 1, 2011
    Posts:
    5
    hi,

    nice update!

    I have some things to report:

    1st: Multiple popups for exactly the same (where only one popup should appear):
    http://www.abload.de/img/multiple_rulesbldie.jpg
    I guess you have to check before a popup appears if a rule already exists with this Program + Profile + Direction + Port + Address + Protocol and so on...

    2nd: Some Window I got when I click on the remote address on a popup
    http://www.abload.de/image.php?img=wfc_error0f0chb.jpg
    http://www.abload.de/img/wfc_error592ow.jpg
    The browser opens with networktools.nl as expected; just the popup about the unhandled exception should not appear. If you click Continue all goes well; if you click Quit, WFC closes.

    Complete Detailbox info:
    Code:
    See the end of this message for details on invoking 
    just-in-time (JIT) debugging instead of this dialog box.
    
    ************** Exception Text **************
    System.ComponentModel.Win32Exception: An error occurred in sending the command to the application
       at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
       at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
       at af.a(Object A_0, LinkLabelLinkClickedEventArgs A_1)
       at System.Windows.Forms.LinkLabel.OnMouseUp(MouseEventArgs e)
       at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
       at System.Windows.Forms.Control.WndProc(Message& m)
       at System.Windows.Forms.Label.WndProc(Message& m)
       at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
       at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
    
    
    ************** Loaded Assemblies **************
    mscorlib
        Assembly Version: 2.0.0.0
        Win32 Version: 2.0.50727.5448 (Win7SP1GDR.050727-5400)
        CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v2.0.50727/mscorlib.dll
    ----------------------------------------
    wfc
        Assembly Version: 3.1.0.0
        Win32 Version: 3.1.0.0
        CodeBase: file:///C:/Windows/System32/wfc.exe
    ----------------------------------------
    System.Windows.Forms
        Assembly Version: 2.0.0.0
        Win32 Version: 2.0.50727.5446 (Win7SP1GDR.050727-5400)
        CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
    ----------------------------------------
    System
        Assembly Version: 2.0.0.0
        Win32 Version: 2.0.50727.5447 (Win7SP1GDR.050727-5400)
        CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
    ----------------------------------------
    System.Drawing
        Assembly Version: 2.0.0.0
        Win32 Version: 2.0.50727.5420 (Win7SP1.050727-5400)
        CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
    ----------------------------------------
    System.Management
        Assembly Version: 2.0.0.0
        Win32 Version: 2.0.50727.5420 (Win7SP1.050727-5400)
        CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Management/2.0.0.0__b03f5f7f11d50a3a/System.Management.dll
    ----------------------------------------
    CustomMarshalers
        Assembly Version: 2.0.0.0
        Win32 Version: 2.0.50727.5420 (Win7SP1.050727-5400)
        CodeBase: file:///C:/Windows/assembly/GAC_64/CustomMarshalers/2.0.0.0__b03f5f7f11d50a3a/CustomMarshalers.dll
    ----------------------------------------
    
    ************** JIT Debugging **************
    To enable just-in-time (JIT) debugging, the .config file for this
    application or computer (machine.config) must have the
    jitDebugging value set in the system.windows.forms section.
    The application must also be compiled with debugging
    enabled.
    
    For example:
    
    <configuration>
        <system.windows.forms jitDebugging="true" />
    </configuration>
    
    When JIT debugging is enabled, any unhandled exception
    will be sent to the JIT debugger registered on the computer
    rather than be handled by this dialog box.
    
    Best
    ibydos
     
  14. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    This is configurable, but - as I think - only via WFAS. At least I did not find a way to configure this via WFC. I'm sure Alex can tell us what's behind this.
     
  15. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,455
    Location:
    Romania
    When choosing to show rules "Created by WFC", all rules that have "Windows Firewall Control" as description will be listed. Did you modify your rules in WFwAS and delete the description? All rules created by WFC have this as a description.
    The method used to get the firewall rules using the Firewall API returns, instead of "Any", a blank space or *. Converting all of them to the "Any" string will insert a 4-5 second delay when loading Manage Rules if there is a large number of rules. That is why I made the decision to leave them blank. For the profile column, the API returns "Any", so I used it.
    "Don't alert me again..." is related to the application name. In this example it is svchost.exe.
    Always install the program with administrative privileges. Problems could arise on standard user accounts because they don't have enough privileges.
    Indeed, the new version adds support to define multiple IP addresses. Use "," to separate them. Also, multiple port ranges are supported.
    This option would be applicable mostly for svchost.exe. Maybe in a future version I will add support to modify the service name. Service names displayed in Manage Rules are for informative purposes. Right now it is not a priority to add support to set the service name. You can use WFwAS for this for now.
     
  17. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Yes, that is what I did. I created the rule for svchost via WFC and modified it in WFAS.
    svchost->wuauserv is by default done by WFC
    svchost->dnscache and
    svchost->NlaSvc I did as described above.
    Does anyone know any other services linked to svchost.exe?
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,455
    Location:
    Romania
    For 1) when you create a rule, you have to check "Don't alert me again...." from the notification. Also, you can select this check box and press "Ask me later". This will not create a new rule, but there will be no other later. :)

    For 2) about the unhandled exception, please give more specifications. I want to recreate the same usage scenario to track the problem. Is your Windows in German? Do you use a standard user account?

    I will add these two as optional rules at the installation in the final version, besides Windows Update.
     
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes I did. I also thought that in a previous reply I had enquired as to what differentiates WFC rules from WFAS rules. In other words, I asked how WFC knew the difference between the two. At any rate, I don't remember seeing a reply to that question until now. Thanks.

    Is the description "Windows Firewall Control" ?

    Very well explained, I can go along with that.


    Makes no difference for me since I am an Admin user and still have the issues each and every time I install WFC. Even though I am an Admin user, I still right click Run as Administrator and supply credentials. Maybe it's an UAC issue.

    Here you go, I just now uninstalled WFC, cleaned the registry and HD from all traces. Downloaded the file, right clicked, Unblock, right click again, Run as Administrator and the install crashes. It moved the wfc.exe to the final destination. I went there and as always had to right click it in system32 to Run as Administrator from there and it gave me the Installation Successful tooltip. Below the image is what was in the error message box.

    Untitled.jpg

    Code:
    Description:
      Stopped working
    
    Problem signature:
      Problem Event Name:	CLR20r3
      Problem Signature 01:	wfc.exe
      Problem Signature 02:	0.0.0.0
      Problem Signature 03:	4ebc7ba3
      Problem Signature 04:	wfc
      Problem Signature 05:	3.1.0.0
      Problem Signature 06:	4ebc7ba3
      Problem Signature 07:	108
      Problem Signature 08:	1f
      Problem Signature 09:	System.NullReferenceException
      OS Version:	6.1.7601.2.1.0.256.48
      Locale ID:	1033
     
    Last edited: Nov 12, 2011
  20. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Alex, although I allowed svchost.exe->dnscache and svchost->NlaSvc, outgoing connections related to these processes are still blocked (verified with Sysinternals' Process Explorer). I can see this in the event manager because svchost notifications are hidden now.

    Or do we have to enable svchost->lanmanworkstation, too?

    It seems that editing svchost-rules becomes more and more difficult ;-)

    ---EDIT---
    Some tests later - and even after adding an allow-rule for svchost->lanmanstation - connections that I thought to have allowed are blocked.
    I had to define a rule svchost-allow any so that no more connections are blocked except those that were predefined by WFC.
    So my conclusion regarding svchost and underlying services is: It is easier (better?) to define only "block" rules than to define "allow" rules.
     
    Last edited: Nov 12, 2011
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,455
    Location:
    Romania
    Until this version, storing and reading of WFC rules was done using Windows Registry. From this version, they are not stored anymore in Registry because now I can read them all using the firewall API right from its core. From this version, it looks at the description of the rules to know if they were created by WFC or not.
    I can't recreate your scenario. I also use an admin account with UAC set to maximum. At installation, to move wfc.exe that is executing to a new location, it uses a temporary batch file which is saved in the Temp folder. This cmd file is used to close, move, and execute wfc.exe again from the new location. When it runs again, WFC does some routines and shows that message about "Successfully installation !". This temporary wfc.cmd which is executing is launched with administrative privileges, so it can relaunch wfc.exe with the same administrative privileges.

    Do you have any antivirus, antispyware, antiwhatever that can block executing files from the Temp folder? You said something about that you did a step to Unblock. What is this?

    I think "Workstation" has nothing to do with "Network Location Awareness". They are not dependent. You have to create more rules to allow than to block to fully set up svchost.exe. And you must be very careful with svchost.exe because many things are related to it.

    svchost->dnscache is activated by default in Windows Firewall. Its name is "Core Networking DNS (UDP-Out)" and it allows port 53 UDP for dnscache.
     
    Last edited: Nov 12, 2011
  22. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    Can this (btw quotes) be avoided?
     

    Attached Files: w.PNG
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,455
    Location:
    Romania
    No, it can't. The rules for the same program have to use different names because the modifying of a rule is made by its name. Otherwise, when you modify a rule, these modifications are made for all rules with the same name. If you have 3 rules named "Internet Explorer" and you choose to edit one of them, when you press Apply, the modifications will be made for all of them. That is why they must have different names. Those random strings are for this purpose. I know they are not looking fine, I don't like them either, but they are necessary.
     
    Last edited: Nov 12, 2011
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,455
    Location:
    Romania
    IMPORTANT

    How are the notifications created and why are they sometimes so slow or missing?

    "Learning Mode" uses the Security Event log. It checks every 0.3 seconds the last entry from this log. If the recorded event has the ID 5157, it means it found a blocked connection, and it continues to analyze the message. It reads the content of the message recorded in the log file, analyzes the message and extracts the info needed to show in the notification. If the direction is "Outbound" and the message is not older than three seconds, it displays the notification to the user.

    All the things above are done 3 times a second. When you start your web browser and it attempts to make a connection, Windows Firewall writes a new entry in the security event log, with info about your web browser connection. Here WFC steps in to show you the notification. Usually, the last entry is generated by the last program you used to connect to the internet.

    Things should be easy, but sometimes svchost.exe receives 30-40 inbound connection attempts in one second, also with the ID 5157, but with direction "Inbound". These connections are also appended to the security event log, so if you start your web browser and then you receive 20 attempts of inbound connections to svchost.exe, the last entry would be for svchost.exe instead of your browser. WFC reads the last entry 3 times a second, but the last entry is from the svchost.exe inbound connection.

    The result is that you are not notified about your browser. In this case you must press the refresh button to make the web browser attempt a new connection, so it can be caught by WFC properly.

    When svchost.exe stays quiet, the notifications are shown very promptly. When it starts with a blast of inbound connections it affects the performance of Learning Mode. Unfortunately there is no way to make the system not log the inbound blocked connections, and this pollutes the security event log with thousands of garbage entries. And all these are read by WFC in dozens of steps, for every entry.

    I hope this helps you to get an idea. :)
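The polling behaviour described in the post above, as an added Python simulation (not WFC's code). It replays a constructed Security log through a reader that looks only at the newest entry every 0.3 seconds, and, for comparison, through a reader that keeps a record-ID cursor and processes every entry written since its last poll; the cursor variant, the `Event` class and the application names are assumptions made for the illustration.

```python
from dataclasses import dataclass

BLOCKED_CONNECTION = 5157   # event ID named in the post
POLL_MS = 300               # "every 0.3 seconds"
MAX_AGE_MS = 3000           # "not older than three seconds"


@dataclass(frozen=True)
class Event:
    record_id: int
    time_ms: int
    event_id: int
    application: str
    direction: str          # "Inbound" or "Outbound"


def build_log():
    """Constructed sample: a browser block, then a 30-event inbound burst."""
    log = [Event(1, 100, 5157, "svchost.exe", "Inbound"),
           Event(2, 1000, 5157, "browser.exe", "Outbound")]
    for i in range(30):
        log.append(Event(3 + i, 1010 + 30 * i, 5157, "svchost.exe", "Inbound"))
    log.append(Event(33, 2500, 5157, "updater.exe", "Outbound"))
    return log


def wanted(event, now_ms):
    """Filter from the post: blocked, outbound, and recent enough."""
    return (event.event_id == BLOCKED_CONNECTION
            and event.direction == "Outbound"
            and now_ms - event.time_ms <= MAX_AGE_MS)


def poll_last_entry(log, end_ms):
    """Inspect only the newest log entry at each poll."""
    notified, seen = [], set()
    for now in range(0, end_ms + 1, POLL_MS):
        written = [e for e in log if e.time_ms <= now]
        if not written:
            continue
        last = written[-1]
        if wanted(last, now) and last.record_id not in seen:
            seen.add(last.record_id)
            notified.append(last.application)
    return notified


def poll_with_cursor(log, end_ms):
    """Process every entry newer than the last record ID already handled."""
    notified, cursor = [], 0
    for now in range(0, end_ms + 1, POLL_MS):
        for event in log:
            if event.time_ms > now or event.record_id <= cursor:
                continue
            cursor = event.record_id
            if wanted(event, now):
                notified.append(event.application)
    return notified


if __name__ == "__main__":
    log = build_log()
    print("last entry only:", poll_last_entry(log, 3000))   # browser.exe is missed
    print("record cursor:  ", poll_with_cursor(log, 3000))
```

In the constructed log the browser's blocked connection is written at 1.00 s and buried by the inbound burst before the 1.2 s poll, so the last-entry reader never reports it.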
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    No antivirus, no antispyware. I do have Malware Defender and AppGuard. I disable both before installing or else I wouldn't even be able to execute the downloaded file.

    The Unblock button is built in Windows and IE security for downloaded files from other sources.

    Untitled.jpg
     