another Windows Firewall Control?

Discussion in 'other firewalls' started by moontan, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    If the performance will not decrease too much, I can do this.
    Grouping the rules by the path can be a good addition. I will try this.
    This would require including an external API from VirusTotal. It can be done, but I don't like it.
    Showing the hostname requires connecting to the Internet. There was an attempt to show the hostname instead of the IP, but it can take up to 5 seconds to resolve the hostname. For performance reasons, this was left out. You can always click on the remote IP to start a WHOIS query.
    You can customize the rule before creating it from the notification window or you can customize it after, from Manage Rules.
    Because in this way you will get tons of rules for the same program. For example, your browser connects from a different local port to a different remote IP with every connection. This means a new rule for every connection. The rules can't be connection based.
    Even if you create a rule to allow TCP port 80 instead of full access for your browser, if it is hijacked it will also try to use the regular port 80 to not look suspicious. So, it does not matter if the rule is a generic one or a customized one for specific ports. If you are in such a scenario, you already have bigger problems. I don't know if there is any firewall that will block a connection just because the site is from China.
    :)
    The Low notification level will auto create rules for digitally signed applications with a valid signature, without user interaction. However, the connection attempts of unsigned programs will display notifications.
    This is not a good idea. At least 100 rules are for svchost.exe, another 100 are for SYSTEM. It is up to the user to manage his own rules. This is why you can set port ranges, IP ranges, etc. A merge function is not feasible.
    Low notification level.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    The rules must be read all at once because they are unique by an internal hash. This hash changes on every read of the rules. The rules are not identified by their name, because several rules can have the same name. Regarding the speed, it does not matter if you load 30 rules or 500 rules. This is under 1 second.
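    The two points above (rules are identified by a content hash rather than by their display name, and the wish to group them by program path) can be reproduced against the live Windows Firewall store. The following is an added example written for this page, not WFC's own code; it assumes the NetSecurity module (Windows 8 / Server 2012 and later) and derives its own SHA-256 fingerprint over the fields a rule actually matches on, so two rules with the same display name but different content are kept apart, and two rules with identical content under different names are surfaced as candidates for manual clean-up.

```powershell
# Added example (not part of WFC). Assumes the NetSecurity module, i.e.
# Windows 8 / Server 2012 or later. Read-only: it never modifies rules.

function Get-RuleFingerprint {
    param([Parameter(Mandatory)] $Rule)
    # Each filter is a separate CIM object attached to the rule.
    $app  = $Rule | Get-NetFirewallApplicationFilter
    $port = $Rule | Get-NetFirewallPortFilter
    $addr = $Rule | Get-NetFirewallAddressFilter
    # Normalised description of what the rule matches; the display name is
    # deliberately NOT part of it, because display names are not unique.
    $canon = @(
        $Rule.Direction, $Rule.Action, $Rule.Profile, $Rule.Enabled,
        ([string]$app.Program).ToLowerInvariant(),
        $port.Protocol, ($port.LocalPort -join ','), ($port.RemotePort -join ','),
        ($addr.LocalAddress -join ','), ($addr.RemoteAddress -join ',')
    ) -join '|'
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($canon))
    [pscustomobject]@{
        Id          = $Rule.Name          # the store's own unique identifier (often a GUID)
        DisplayName = $Rule.DisplayName   # what Manage Rules shows; may repeat
        Program     = [string]$app.Program
        Fingerprint = ([System.BitConverter]::ToString($hash) -replace '-').Substring(0, 16)
    }
}

function Get-FingerprintedRules {
    Get-NetFirewallRule | ForEach-Object { Get-RuleFingerprint -Rule $_ }
}

$rules = Get-FingerprintedRules

# 1. Grouped by program path, e.g. the ~100 svchost.exe rules mentioned above.
$rules | Group-Object Program | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Same display name, different content: distinct rules that must not be
#    merged or deleted "by name".
$rules | Group-Object DisplayName |
    Where-Object { @($_.Group.Fingerprint | Select-Object -Unique).Count -gt 1 } |
    Select-Object Name, Count

# 3. Identical content under different names: true duplicates.
$rules | Group-Object Fingerprint | Where-Object Count -gt 1 |
    Select-Object Count, @{ n = 'Names'; e = { $_.Group.DisplayName -join '; ' } }
```

    Note that every rule costs three extra CIM queries here, so a few hundred rules take noticeably longer than the "under 1 second" an application can achieve by keeping its own in-memory hash; the point of the example is the identity model, not the speed.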
     
  3. guest

    guest Guest

    Well, this could be optional and be changed in the settings. At the beginning it can show the IP and, as soon as the whois is resolved, show that in the popup.
    Well, I would remove the remote IP and maybe the remote port from the equation, and just make this auto-custom mode a hypothetical "Very High" notification mode. This is why I ask for the merge feature, because you will get 5 rules for a program with 5 different local ports, so it could be merged into only 1 rule or line.
    Well maybe this would not help that much with security but if I remember well Outpost has detailed and predefined rules for the most common software, so it should help a little.
    So what is the difference between low and medium?
    I don't understand why it is not a good idea to merge rules, but anyway, if the tree view is implemented this is not a priority.

    Regarding the self security of the program how good it is?
    I guess it can be killed easily but the rules will remain in Windows Firewall; but how can I protect Windows Firewall from being deactivated by malware? UAC? I have it activated at the low level but I don't get any warning if I disable Windows Firewall using the WFC interface, and I think I should get a UAC popup.
     
    Last edited by a moderator: Dec 4, 2012
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    I've tried again, and the hostname that is resolved by the .NET DNS class does not offer better information about the connection. Look in the picture below at the address that I wanted to navigate to and the resolved host name. This isn't better than the IP address. This feature will stay as it is now. The user can click on the remote IP to launch a WHOIS query.

    Merging rules is not feasible because it requires a complex algorithm with tens of constraints for hundreds of rules, which can cause ineffective merged rules. It is the user's job to manage and adjust his rules based on his needs. For example, in the last 2 years, I always created generic rules to allow all connections for my programs and I never had any security problems because of this. It is a matter of personal sense of security. The best way to protect yourself from malware is to watch what you're clicking and what files you are executing. There is no bulletproof firewall or antivirus software.

    Predefined rules for Office, Winamp, etc, will not be included. There are several and easy ways to create new rules with WFC. Even more rules with one click. It is very simple to add new rules, so, predefined rules are not on the wishlist.

    On Low notification level, digitally signed applications are automatically allowed without user interaction. On Medium notification level, it does not matter if a file is digitally signed or not; you will receive a notification for it if there is no rule for it to allow it or block it.

    WFC can be closed from Task Manager and this is absolutely normal. WFC is not a worm. If the user wants to close the program, it can be closed. The rules are active even if WFC is not running because they are in Windows Firewall. To protect from malware, please make sure that you don't run strange exe files from untrusted sources. If you run a malware application with Administrative privileges, it can disable Windows Firewall or any other firewall that you use. So, pay attention to which files you execute. :)
    The GUI of WFC (wfc.exe) can be executed under standard user accounts. It gives tasks to the service (wfcs.exe) which runs under the LocalSystem account. The LocalSystem account has unlimited privileges and is not monitored by UAC. This is why you did not receive any UAC prompt.

    The icons for the applications are already implemented and will be available in the next version. The grouping needs a few more improvements because right now it takes to much resources. I think this will be also included in the next release.

    [attached image: 33.png, showing the address navigated to and the hostname resolved for it]
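    The Low notification level described above (auto-allow anything with a valid digital signature, prompt for everything else) can be reproduced in a few lines against Windows Firewall itself. This is an added example for this page, not WFC's code; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated session, and a made-up rule group name. It also shows the check a practitioner would add on top: only `Status -eq 'Valid'` counts, and an optional publisher allow-list, because a signature proves who published the file, not what the process will do with its network access.

```powershell
# Added example (not part of WFC). Requires NetSecurity (Windows 8+/Server 2012+)
# and an elevated PowerShell session.

function Test-TrustedSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Optional allow-list of publisher CNs; empty means "any validly signed file".
        [string[]] $TrustedPublishers = @()
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Only 'Valid' is acceptable. 'NotSigned', 'HashMismatch' (tampered),
    # 'UnknownError'/'NotTrusted' (chain not trusted on this machine) all mean
    # the file should fall through to a user notification instead.
    if ($sig.Status -ne 'Valid') { return $false }
    if ($TrustedPublishers.Count -eq 0) { return $true }
    $subject = $sig.SignerCertificate.Subject
    foreach ($cn in $TrustedPublishers) {
        if ($subject -like "*CN=$cn*") { return $true }
    }
    return $false
}

function New-AutoAllowRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedPublishers = @(),
        [string]   $Group = 'Auto-allowed (signed)'   # assumed group name
    )
    if (-not (Test-TrustedSignature -Path $Path -TrustedPublishers $TrustedPublishers)) {
        Write-Warning "$Path has no valid signature; leave it to a notification."
        return $null
    }
    # Program-scoped outbound allow, i.e. the same shape of generic rule the
    # Low level would create automatically.
    New-NetFirewallRule -DisplayName ("Auto: " + (Split-Path -Leaf $Path)) `
        -Group $Group -Direction Outbound -Action Allow -Program $Path `
        -Profile Any -Enabled True
}

# Usage (path and publisher are examples):
New-AutoAllowRule -Path "$env:ProgramFiles\Mozilla Firefox\firefox.exe" `
    -TrustedPublishers 'Mozilla Corporation'
```

    The resulting rule is still a per-program allow, so the hijacked-browser case from the post applies unchanged: once the process is allowed, the firewall passes whatever that process sends, signed or not. Restricting the rule to ports or addresses narrows what a compromised process can reach, but does not distinguish its traffic from legitimate traffic on the same ports.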
     
  5. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Well said :thumb:

    Looks awesome, sure can't wait for this neat feature :D
     
  6. guest

    guest Guest

    In this case it is not useful because you are accessing a website using it, so the remote IP can be whatever.
    But imagine that suddenly svchost asks for access to a remote PC in .ru, .cn... I have nothing against Russians or Chinese people :D but since I don't live or speak there, for me it would be suspicious. In the whois there is more information that can be added to the popup.
    Also you can add this http://www.ipvoid.com/ to scan the ip (on demand or automatically for each popup :) ) like with VT (on demand). It's quite simple in case is on demand, I mean only a link like this is needed
    http://www.ipvoid.com/scan/"IP ADDRESS"/
    In an automatic mode this info can be shown in the popup "Detections: 0/36 (0.00%) || Status: CLEAN || IP Country:"

    Regarding the filter and display system, it would be nice to have, in a checkbox way (so it can be used with any combination of display and filters), some other options like hide signed files, hide MS signed files...
    Or maybe rework all the filter (filter and display) options into checkboxes so the user can select any combination.

    Also be able to check a file in VirusTotal via right click in the "manage rules" window, like it is possible to do with any file on the desktop or in Windows Explorer using "VT uploader".
    Or maybe you can integrate your firewall with X-ray http://www.raymond.cc/blog/xray/ to scan everything with one click automatically.
    And remember to add VT (on demand) in the popups xD

    Is it possible to add attack detection technology to Windows Firewall like Agnitum Outpost has?
    https://www.wilderssecurity.com/showpost.php?p=1469905&postcount=1
     
    Last edited by a moderator: Dec 5, 2012
  7. 60Watt

    60Watt Registered Member

    Joined:
    Dec 5, 2011
    Posts:
    4
    Hi,

    I found this old reference to "Allow once" feature. Is it still impossible to implement it? Maybe with a temp rule that deletes itself immediately thereafter.

    Thanks!
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    There will be a new combobox which can group rules by different items. The signature of a file is checked only in the notification, not in Manage Rules.
    About the VirusTotal check, this is not a thing to be handled by WFC. There are other tools for this and the purpose of a firewall is not to be able to check files for viruses. There is antivirus software that does this.
    Windows Firewall doesn't have attack detection technology and can't be added.

    From the notification dialog you can create a temporary rule which will be deleted automatically on the next startup of WFC. This is the closest thing to what you want. Connection based rules are not possible because WFC does not monitor connections, so it can't know if a connection was closed to remove the corresponding rule.
     
  9. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    That "Allow Once" feature doesn't sound like it can be efficiently implemented in Windows Firewall (to my understanding), because Windows Firewall can't (and it's not the job of a firewall to) determine what exactly the application needs the Internet connection for, thus it wouldn't know how long a single connection attempt by some random program is.

    If the firewall was set to count a certain period as 1 connection attempt for all programs, there'll be several conflicts from one user to another; in some cases, the firewall will close the connection too early, resulting in application error, and in other cases the firewall will leave the connection open for too long, acting like it's a permanent allow rule.

    Though, if it's implementable (if Windows Firewall itself does have some signal indicating when a connection starts and stops), this could really really come in handy for certain apps I have installed, that keep making automatic calls to home. Once in a while, I'll like to allow them connect.

    --EDIT--

    Come to think about it, if I understood this Microsoft description of WF correctly, this feature could be implemented using the "INetFwOpenPorts" API. At the moment, WFC is able to detect which port an application wants to connect on (it's always displayed in the pop-up). What could be done is as follows, at the cost of the users system resources (consider making this an option in the main Window with a disclaimer):
    - User chooses the "Allow Once" option in a pop-up notification
    - WFC creates an allow rule with the group name "Allow Once" then the WFC service keeps track of the "Allow Once" port that was shown in the pop-up
    - WFC service keeps repeatedly using the "INetFwOpenPorts" API to determine which ports are currently open (this is where the system resources come into play)
    - Once WFC service detects the port is no longer in the list, it removes it from its tracking and deletes the rule

    Though, this again wouldn't work in the case where there are several programs connecting to the same port simultaneously. Does this ever happen :doubt:
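    The temporary rule from the developer's reply and the port-polling "Allow Once" sketch above can be combined into one working procedure. The following is an added example for this page, not WFC's code. It assumes the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 and later), an elevated session, a made-up rule group name, and that the caller already knows the program path, the owning PID and the remote endpoint (the information a notification shows). Instead of a global open-ports list it polls the TCP table filtered by owning process as well as remote endpoint, which is what resolves the "several programs on the same port" problem raised in the last line; the rule is removed when the connection disappears or a timeout elapses, whichever comes first.

```powershell
# Added example (not part of WFC). Requires NetSecurity + NetTCPIP modules
# (Windows 8+/Server 2012+) and an elevated session. TCP only.

$TempGroup = 'WFC temporary (example)'   # assumed group name

function Remove-TemporaryRules {
    # The "deleted on next startup" behaviour: drop the whole group at once.
    Get-NetFirewallRule -Group $TempGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Allow-Once {
    param(
        [Parameter(Mandatory)] [string] $Program,        # full path from the notification
        [Parameter(Mandatory)] [uint32] $OwningPid,      # PID of the connecting process
        [Parameter(Mandatory)] [string] $RemoteAddress,
        [Parameter(Mandatory)] [uint16] $RemotePort,
        [int] $TimeoutSeconds   = 120,
        [int] $PollMilliseconds = 500
    )
    # Narrow rule: this program, this remote endpoint, TCP only.
    $rule = New-NetFirewallRule `
        -DisplayName "Once: $(Split-Path -Leaf $Program) -> ${RemoteAddress}:$RemotePort" `
        -Group $TempGroup -Direction Outbound -Action Allow -Program $Program `
        -Protocol TCP -RemoteAddress $RemoteAddress -RemotePort $RemotePort

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $seen = $false
    try {
        while ((Get-Date) -lt $deadline) {
            # Filter by PID *and* endpoint: two programs talking to the same
            # port are distinguishable, unlike a global "open ports" list.
            $conn = Get-NetTCPConnection -OwningProcess $OwningPid `
                        -RemoteAddress $RemoteAddress -RemotePort $RemotePort `
                        -ErrorAction SilentlyContinue
            if ($conn) { $seen = $true }
            elseif ($seen) { break }     # it existed and has now gone away
            Start-Sleep -Milliseconds $PollMilliseconds
        }
    }
    finally {
        # Remove in every case: connection ended, never appeared, or timed out.
        Remove-NetFirewallRule -Name $rule.Name -ErrorAction SilentlyContinue
    }
}

# Usage (values are examples): clean up leftovers first, then allow one
# connection from PID 4242's program to 203.0.113.10:443.
Remove-TemporaryRules
Allow-Once -Program 'C:\Program Files\Example\updater.exe' -OwningPid 4242 `
    -RemoteAddress '203.0.113.10' -RemotePort 443
```

    Two limits remain, and they are the ones the thread predicts. A connection that opens and closes within one poll interval is never seen, so the rule lives until the timeout; and UDP has no connection table to poll, so for UDP the timeout is the only lifetime. The rule is also created after the blocked attempt, so the program has to retry on its own.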
     
  10. guest

    guest Guest

    Of course it is not something that a firewall must do, but it's a nice feature, easy to implement (maybe not the X-ray thing), security related and resource free.

    With this you mean that you will add the link to check on VT in the popups?

    Maybe you can add this http://www.ipvoid.com/ to scan the ip (on demand or automatically for each popup ) like with VT (on demand). It's quite simple in case is on demand, I mean only a link like this is needed
    http://www.ipvoid.com/scan/"IP ADDRESS"/
    In an automatic mode this info can be shown in the popup "Detections: 0/36 (0.00%) || Status: CLEAN || IP Country:"
     
  11. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Hahaha, it's been stated several times, this is a firewall control-only application. All what you're requesting for virus protection purposes is offered by both MalwareBytes Anti-Malware Pro and Microsoft Security Essentials. Simply install those software packs, if so desperate for the security. In the end, if you just rely on software for protection, there will always be pebcak vulnerabilities.
     
  12. guest

    guest Guest

    Specifically what I request is not offered by any AV anyway:

    And just because it is a firewall control-only application you need to know and understand what you are allowing, and where you are allowing it to go. Right now you just "know" that an app (that you may know or not) is requesting access to go on the internet...

    If you have an AV installed you may think your computer is clean, ergo you will allow all the popups from the firewall (anyway you don't understand the popups, or you don't necessarily need to understand what each app is and does and where it is requesting access); obviously you can then disable the firewall because it is not giving you any additional protection, it is useless and it is consuming resources and your time clicking on popups.

    If I don't have this information, what the hell do I need a firewall for? To block cracked apps? Come on...

    The firewall (hw and sw) was born as an industry need: the admin knew perfectly what each app does and where the app needed access, so he manually created detailed rules for each app and blocked anything else, since no new apps were expected on a server. That made sense.
    But in a normal user computer that is not practical so there is a need to find alternatives, if you want to make a useful use of a firewall. Sadly nowadays only a few fw products provides detailed information in the popup.

    Some vendors are already going in the right direction like outpost "New! SmartDecision technology for fast decision-making in security issues"
     
    Last edited by a moderator: Dec 5, 2012
  13. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Here's a shortcut for you to get the same thing (offline, takes only 1 click): simply click on the program link, it would show you the location of the executable; most programs name their directories on Windows the same as their actual name, so you can find that detail right there. If need be, with VT uploader installed and configured, you just right click the application > Send To > VirusTotal and get the full description there (online, takes only 2 more clicks).

    If a user is desperate for such security measures, such user should have the patience to go through either of those simple steps, with at-most 3 clicks.
     
  14. guest

    guest Guest

    Since it is a basic option my request is to do it in 1, not 3; anyway, I see you didn't get my point, never mind, maybe you didn't read the whole post after I edited it.
    It seems that it is not important at all to understand which app you are giving access to, and where, so probably we don't need a fw at all.
     
    Last edited by a moderator: Dec 5, 2012
  15. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Would it be possible to add the possibility to turn this function off via a Setting? As I am quite sure that this enhancement will be increasing Memory Usage, or ... ??

    Regards
     
  16. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    I would second this. Icons do not improve the functionality.
    They are completely needless.
    Let's keep WFC simple and let us not bloat it.
     
  17. guest

    guest Guest

    It improves the usability.
    I don't think that 100kb of icons (1kb per icon) are going to affect the performance at all.
     
  18. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    It would be a good idea to make it optional; it could be one of the user's configurations during setup and it could be an option provided in the Manage Rules window :thumb:
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    From my tests, the icons are loading under 1 second for 300 rules and the memory is not increasing. 300-400KB of icons from 30-40MB of the WPF window doesn't count.
     
  20. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    OK, thanks for that, but I also have to agree with this poster ...

    And as always Alexandru you are doing a great job :thumb:
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I am still having this same problem but have been investigating it a bit further. The same silent blocks occur when I am in the Metro Store trying to either update an app or download a new one. I am also having silent blocks/lost connections when I run a metro app that needs internet connectivity. I never get an alert from WFC but if I change profiles from medium filtering to low filtering, then the problem disappears and all works fine. It seems the metro interface is somehow blocking alerts to WFC. I am running Win 8 Pro x64 with WFC set to medium filtering with medium notifications. Does anyone else running Win 8 see this same problem or does anyone have any ideas?
     
  22. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    I think you answered your own question. In the Windows Ei8ht metro UI, last time I checked, an application has to be built using the metro API in order for it to show alerts in that UI; don't think WFC has that functionality just yet, never seen a picture of it in the mobile-on-desktop (a.k.a. metro) UI.

    @alexandrud
    This could be an expansion point for WFC :) If the metro UI works just like I think (like a mobile/tablet OS), pop-ups could be shown as alerts (though I think they'll be very limited in terms of customizability) and the main window and manage rules window could be shown in a metro app.
    Looking forward to using this software on my upcoming Surface Pro (the only hardware I'll ever be using Windows 8 on) :D
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    WFC is a desktop application and is incompatible with metro applications, which run in fullscreen and prevent desktop applications from showing on top of them. The notifications appear even for metro applications, but you can't be aware of them because they are beneath the metro interface. To be notified when a metro application is blocked you can enable notification sounds in WFC and you can also increase the notification timeout. In this way, you will hear a sound and you will know that something got blocked, so you can switch to your desktop and see the notification.

    I have implemented two months ago the pop-ups alerts for WFC to show on the top-left in the metro style fashion. BUT:
    1. To support this, WFC must use NET Framework 4.5. Very few users use Windows 8, and on Windows 7, I don't think that many people will upgrade to it.
    2. I must switch permanently to Visual Studio 2012 for the development, which is very, very, very slow compared to Visual Studio 2010.
    3. The pop-up is very limited, so the user still must switch to desktop to see what is all about. I can't display a whole notification in the metro interface, because two metro applications can't work one on top of the other.

    The end: I abandoned this and I never put it in a final build, but instead, I have implemented the notification sound, which is more adequate.


    And now about the development of the new version. Grouping in a tree the rules by application name will break the virtualization of the datagrid. This means increased memory usage and slow loading performance. I must cancel this. But, new features will come very soon. Stay close. ;)
     
  24. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Since you have it implemented, just a suggestion, could you release two separate versions? One that is compatible with all Windows versions, and a second that is enhanced to take advantage of Windows Ei8ht (just adds a metro function to WFC).

    How slow is slow o_O is it less than 10 seconds on your computers? If so, mind making it a user option (with a disclaimer) in the main window?

    Looking forward to the new version :thumb:
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,441
    Location:
    Romania
    No, this is too hard to maintain. I will end up in the same situation in which I was before switching to WPF, working double time for two versions of the program for different DPI settings. Maybe, in the future, when more people have switched to Windows 8, I will switch to .NET Framework 4.5 and this will be included. But, again, these pop-ups do not help too much. You still have to manually switch to the desktop.
    Enough slow. I will try a different approach these days to see if I can come up with something that is really working.
     