another Windows Firewall Control?

Discussion in 'other firewalls' started by moontan, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Right, it will not start or run under a Win7 Standard account, but I was able to at least run it (won't start with Windows, though) using SuRun as described in my post #61...

    https://www.wilderssecurity.com/showpost.php?p=1865421&postcount=61

     
  2. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Actually, I was able to run it, I just run it as administrator. I thought I could find a way to run it when Windows starts.
     
  3. wat0114

    wat0114 Guest

    You mean the right-click -> Run as... context menu from your Standard account? I'm just curious because that didn't work for me.
     
  4. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    I disabled wfc task in task scheduler, created a shortcut on desktop with the line below as target:

    Changed its icon to wfc, then went to start menu, right click on Startup > Explore all users, drag & dropped the shortcut there, now wfc works in Standard account. :)

    At first log on, SuRun shows this (attachment 226886). Tick both check boxes and it won't ask again for that user.

    btw, the first time I installed wfc, the installer crashed (attachments 226887 and 226888); no problem after reinstall though.

    Nice little app. :)
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    Standard users on Windows 7 don't have privileges to initiate scheduled tasks, especially tasks that use administrative privileges. This is a limitation of the operating system for standard users.


    The program must be named wfc.exe when it is running; you encountered that problem because wfc.exe was actually named wfc(1).exe. I thought that it would be pointless to check every time the program starts whether its name is wfc.exe or not, because there are already hundreds of tests before the program actually initiates the graphical interface.


    P.S. I have found some new situations, and I'm currently working to fix them. It seems that on Vista the 5157 events are triggered only for system programs, so no notifications are shown for blocked connections of programs other than system ones. Windows Vista only triggers 5152 events for other programs. Also, on Windows 7 it seems that event 5157 is used not only for outbound, but also for inbound. That's why it keeps saying that a rule exists for svchost.exe: the rule is for outbound, and the notification is for inbound. I'll fix them in a few days. Thank you for your support.
     
    Last edited: May 6, 2011
  6. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Hi alex, I'm holding steady with 2.8 version at the moment. I'm ready to try 2.9.1 version again, or should I wait? Last attempt, which was a few days ago, Learning mode generated an exception error. It states that it can't find Internet Exploder on D:/Program Files/etc.. I can understand why it can't locate IE at that path, it's on E:/Program Files/etc...


    Untitled.png

    The screenshot above is for RainMeter but I get this for all apps wanting outbound when in learning mode. It just references the wrong partition for some reason.
     
    Last edited: May 7, 2011
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    I'm still debugging this. I also encountered this kind of error on Windows Vista in a domain environment. Yesterday I installed VS on Vista and I will try to debug the program from there, as on Vista there are more incompatibilities.
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    I have found the problem that you have. Well, Windows 7, even if it is installed on E:\, when it starts up it actually acts like it is installed on C:\. If you go to your Program Files and find Internet Explorer, in its properties, location shows C:\Program Files\Internet Explorer. So the rule must be created for C:\Program Files\Internet Explorer\iexplore.exe, even if in reality, when you start another operating system, it is located in its real location, I mean in E:\Program Files\Internet Explorer. Further, it seems that Windows Filtering Platform detects in Event Viewer a new event 5157 as coming from harddiskdevice3 (E:\) instead of harddiskdevice1 (C:\). I mean, Windows Explorer recognizes this change, which is made by the operating system to offer more compatibility to the existing programs that are programmed to work from C:\, but Windows Filtering Platform did not recognize that change and still recognizes the real location of a file. And the problem is that when WFC reads from that security event 5157, it is actually getting the path to harddiskdevice3. Windows Filtering Platform shows notifications for E:\Program Files\Internet Explorer\iexplore.exe, but from the point of view of the operating system, the call is coming from C:\Program Files\Internet Explorer\iexplore.exe. I will try to find a solution for this problem. It was tricky to find that out. :rolleyes:
     
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes, I've noticed this as well. There has to be something in the registry for me which has flagged wfc.exe with compatibility issues. When uninstalling 2.6, it pops up with suggestions, all of which will crash the uninstaller. Something is being left behind in the registry that has flagged wfc.exe past, present and future installations for needing some type of compatibility for install/uninstall. There should be something written in the registry that I need to manually remove to clear this.
     
  10. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Here is the first time that I have ever seen SmartScreen do anything:

    Untitled.jpg
     
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,197
    Is there a way to have the firewall pop up every time a program tries to connect to the net?

    Often the built-in firewall doesn't pop up for some software.

    Thanks
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    This behaviour was encountered because Windows Filtering Platform uses (I don't know why) the same event 5157 for outbound and also for inbound. This is fixed in the new beta 2.9.2. From now on, it will not show notifications for those 5157 events that are triggered for inbound alerts.

    I saw that too, two days ago. I already submitted a ticket to Microsoft, and below is their response until now.

    You can see here that our website is clean:
    http://www.google.com/safebrowsing/diagnostic?site=binisoft.org
    http://www.urlvoid.com/scan/binisoft.org

    This problem occurred because Windows Vista triggers 5157 (connection blocked) events only for system applications, like svchost.exe. Other programs can be traced only by events 5152. This is also fixed in version 2.9.2.


    WFC 2.9.2 can be downloaded only from here: http://binisoft.org/download/wfc292.zip
    because it is still in development.

    What is new until now:
    * Windows Vista notifications will now show, for any program, not only for system ones.
    * Fixed unhandled exception when a program path is incorrect and cannot retrieve the program's name. (Windows installed on different partition than C:\ and virtual machines)
    * Updated to use .NET Framework 3.5 libraries, because these are newer and more reliable.

    P.S. Any feedback for the new version is welcome. Thank you. :)
     
    Last edited: May 10, 2011
  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,197
    I will test under W7 32-bit and Windows 7 64-bit.
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Version 2.9.2 installed perfectly. So far no exception errors but I still have issues.
    Learning mode is enabled and works but it is still the wrong path.

    View attachment 226921

    I went into Advanced security and edited the path manually, tightened up the security a little and this allows the connection to be made. But see below

    Untitled2.jpg

    After editing the path in Advanced security, your Show Allowed's path is not updated but the apps are still able to connect since I've edited the correct path in Advanced security. Any ideas on a fix for the wrong path?

    Don't know if it helps any but when selecting the proper path in Advanced Security, the path shows as
    Code:
    %ProgramFiles%\Internet Explorer\iexplore.exe
    Maybe your program code could be altered to generate the same which might keep it local to the booted system partition.
     
    Last edited: May 8, 2011
  15. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Update: now it has defaulted back to D:/ path with two of the options in learning mode grayed out.

    Well, I can't post a screenshot of it for some reason. Clicking the paper clip just carries over to the upload page.
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    OK. Please try this build http://binisoft.org/download/wfc292beta2.zip

    On my test system, I have Vista Ultimate installed on C:\, Windows 7 Home installed on D:\ and Windows 7 Ultimate installed on E:\. I have tested this build on all installations and it recognizes the proper path. Please try this build and let me know if it works for you. I also added a message with "Access Denied" when a user tries to create a rule for executable files that are stored on removable devices. :)

    All the troubles come from the fact that when an operating system installed on D:\ or E:\ is booted, it takes the place of drive C:\, and even though Windows Explorer can deal with this change, Windows Filtering Platform does not. So, if you boot your Windows installed on E:\, it is recognized as the new C:\ by Windows Explorer, but recognized as E:\ (the real path on disk) in Windows Filtering Platform, and vice versa. This is the behaviour of Windows Filtering Platform that created so many problems for me. Finally I figured it out.
     
    Last edited: May 9, 2011
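Added example (not part of the thread and not WFC's code): the two fixes discussed above, ignoring inbound 5157 events and turning the device-style path that Windows Filtering Platform logs into the drive-letter path the booted system uses, sketched in Python. The event records, the volume map and the function names are constructed for illustration; on a live system the map would be built with the Win32 `QueryDosDevice` call.

```python
from typing import Optional

# Direction placeholders Windows writes into Filtering Platform audit events.
INBOUND, OUTBOUND = "%%14592", "%%14593"
# 5157 = blocked connection, 5152 = blocked packet (per the thread, the only
# one Vista logs for non-system programs).
BLOCK_EVENT_IDS = {5152, 5157}

# Constructed volume map: Windows sits on the third volume but is booted as C:.
VOLUME_MAP = {
    r"\Device\HarddiskVolume1": "D:",
    r"\Device\HarddiskVolume3": "C:",
}

# Constructed sample events (fields already extracted from the Security log).
SAMPLE_EVENTS = [
    {"id": 5157, "direction": OUTBOUND,
     "application": r"\device\harddiskvolume3\program files\internet explorer\iexplore.exe"},
    {"id": 5157, "direction": INBOUND,   # inbound block: no outbound prompt
     "application": r"\device\harddiskvolume3\windows\system32\svchost.exe"},
    {"id": 5152, "direction": OUTBOUND,
     "application": r"\device\harddiskvolume3\program files\rainmeter\rainmeter.exe"},
    {"id": 5156, "direction": OUTBOUND,  # permitted connection, not a block
     "application": r"\device\harddiskvolume3\windows\system32\svchost.exe"},
    {"id": 5157, "direction": OUTBOUND,  # volume without a drive letter
     "application": r"\device\harddiskvolume7\tools\app.exe"},
]


def to_drive_path(app_path: str, volume_map: dict) -> Optional[str]:
    """Map '\\device\\harddiskvolumeN\\...' to 'X:\\...'; None if unmapped."""
    lowered = app_path.lower()
    for device, drive in volume_map.items():
        # The trailing backslash keeps volume1 from matching volume10.
        prefix = device.lower().rstrip("\\") + "\\"
        if lowered.startswith(prefix):
            return drive.rstrip("\\") + "\\" + app_path[len(prefix):]
    return None


def outbound_blocks(events, volume_map):
    """Return (event id, path) for outbound block events only."""
    results = []
    for event in events:
        if event["id"] not in BLOCK_EVENT_IDS or event["direction"] != OUTBOUND:
            continue
        path = to_drive_path(event["application"], volume_map)
        # Keep the raw device path when no drive letter is known.
        results.append((event["id"], path or event["application"]))
    return results


if __name__ == "__main__":
    for event_id, path in outbound_blocks(SAMPLE_EVENTS, VOLUME_MAP):
        print(event_id, path)
```
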
  17. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    We have a Winner! Thank you alex for your hard work on this. I do have a question. If I import my old Advanced Security rules and delete the Windows Firewall Control Group which gets imported by Advanced Security, will I be OK? I want to import my custom Advanced Security rules but I've noticed that it also imports the Windows Firewall Control Group with it. I want to keep my Custom AS rules, delete WFC Group rules and re-make WFC's rules through the Learning Mode. Can this be done?

    Suggestion for the future, lol. In the Show Allowed dialog, right click the rule and open it in Advanced Security or just open Advanced Security. Since we now have the ability to edit WFC's rules, this might be a plus. It may not be something that can be done and I realize we have the option from the tray context menu but when a new rule is made through Learning Mode, I seem to be looking in the Show Allowed dialog to see if it was made. While in that dialog, it might be helpful to be able to right click a rule to bring up Advanced Security to tweak the rule. Just a thought.
     
    Last edited: May 9, 2011
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    Yes you can easily delete WFC rules, but please do that from WFC. And then you can add new ones.

    Working on that. The new version 2.9.2 (final), will include this functionality. :)
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    Version 2.9.2 is out:

    What's new in version 2.9.2

    √ Fixed for Learning Mode, the wrong path detection of executable files when using an operating system installed on different drive than C:\
    √ Learning Mode will not activate if the following, dependent, Windows services "TCP/IP NetBIOS Helper" and "Workstation" are not set to Automatic.
    √ New context menu for rule items, with the possibility to move a rule from "Programs Allowed" to "Programs Blocked" and vice versa.
    √ From this version, 'Import Policy' and 'Export Policy' are available for all users.

    The program can be downloaded from: http://binisoft.org/wfc.php

    I want to thank you all for your support, suggestions, feedback and for your patience until I have fixed all the errors that occurred for some of you. If you have new features in mind, and they can be done, I will be glad to improve Windows Firewall Control and make a better program. Thank you.
     
  20. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    So how is the logging feature?!

    Does it log blocked & allowed properly?!
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    I don't understand your question. What logging feature? Windows Firewall Control uses system events that are already logged by the operating system in the Security Events. It reads blocked outbound connections and when Learning Mode is enabled, it shows user notifications. No internal logging.
     
  22. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    The W7 firewall has a logging feature, you can see connections in a txt file if you enable it, but not all of them.
    I thought you had added a logging feature or you had integrated it into your control firewall.
    I consider a log important so you can see what is blocked, what is allowed, as well as what has been asked.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,456
    Location:
    Romania
    Well, I misunderstood you. I thought you referred to WFC, as if a logging feature had been used in it in the past. WFC does not use the integrated logging feature of Windows Firewall (the one that you can access from WFwAS), it uses system events. A logging feature is not present in WFC, that is why I created a Learning Mode, that is why there exist firewall rules. The logging feature for outgoing connections is really the Learning Mode. As for incoming connections that were blocked, who wants to see hundreds (per hour) of incoming connections blocked by Windows Firewall? How does a list full of IPs help the user? What to do with it?

    And that is why there exist profiles. On Medium Filtering, all connections are blocked, with the exception of the ones defined in the created rules, so there exists a control of what is allowed to use the bandwidth; on Low Filtering, all connections are allowed, with the exception of the ones blocked especially. For most of the users it is not needed. Such things can be viewed anyway, in Event Viewer, there is no need to implement them.
     
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,197
    Can it detect every program that tries to connect to the net?
    Because I run many programs that connect to the net, no pop up, I could not block them,
    and when I uninstall it, it always deletes my personal (made by me before install) firewall ruleset.
    W7 32-bit
    Thanks
     
    Last edited: May 10, 2011
  25. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    The blocked and allowed connections log is mainly for debugging purposes, at least for me.
    I don't care about the inbounds as most of us use routers; it's about the possibility of some programs not popping up when they need to connect. I'm referring to legitimate programs. A logging feature would help in these situations.
    I don't know how your program works, but Windows 7 firewall by itself tends to not tell about some connections. I've had the surprise of having connectivity issues without knowing why, struggling in the advanced settings to tweak different settings that I previously did for some application.

    As Mantra seems to confirm my "fear", I consider that some logging is useful to avoid possible issues, though I don't know how you could make that, if the soft is based on the Windows firewall itself.

    I hope you understood what I mean :)
    Good logging also gives awareness and trust.

    Anyway, keep up the good work as your soft seems to be appreciated :)
    Success!
     