TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    Thank you for the quick fix. It appears to be OK now.
     
  2. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    I have just noticed another problem. I have "Windows Defender" ticked on the Special Exceptions page but I am finding MsMpEng.exe is logged as blocked. This is currently in:

    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\

    and has not recently updated. If I run:

    MpCmdRun.exe -ValidateMapsConnection

    it says it cannot communicate. httpcode=451.
     
  3. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
    Then you seem to be having a different problem. Windows Defender updates, both engine and signatures, are distributed over Windows Update. And I can verify and confirm that I am getting constant Defender updates on all machines where TinyWall is installed, even though the Windows Defender special exception is disabled (because the Windows Update exception is enabled). The special exception for Defender is only to enable cloud-based scanning and automatic file submission to Microsoft.
    Also, I now tried MpCmdRun.exe -ValidateMapsConnection on my computer, and this truly fails, but it fails even if I disable TinyWall.
    In other words, these things don't suggest to me that something would be wrong with TinyWall.
     
  4. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    I am concerned that I get MsMpEng.exe blocked on port 443 in the TinyWall log. I believe this is the Windows Defender scanner engine.
     
  5. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
    Please send me both of the following two things in PM so that I can check:
    1) Hover over the filename of MsMpEng.exe in the log, TinyWall will show the full path. What is the full path?
    2) Open an administrative command prompt and issue "netsh wfp show filters". This will create an XML file, please send that to me.
     
  6. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    I notice in the exported firewall rules the Windows Defender entries are unique in having a double backslash:

    <asString>\device\harddiskvolume4\programdata\microsoft\windows defender\platform\4.18.2109.6-0\\msmpeng.exe</asString>

    Could this be causing a problem?

    The whole filters.xml file is very big and I don't know how to attach it to a message in this forum.

    The path in the rule is correct otherwise and so is the path in the blocked log entry.
     
  7. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
    Could be, needs to be tested. If you remove the trailing backslash of the InstallLocation value in the HKLM\SOFTWARE\Microsoft\Windows Defender regkey and after that select TinyWall's Normal mode (even if it was already in Normal mode), does it work then?

    After the experiment you should re-add the backslash 'coz I don't know if removing it causes problems elsewhere.
     
  8. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    It won't let me edit the InstallLocation even as administrator. I don't want to be messing with permissions in case I mess it up. It does have a back slash on the end, but the BackupLocation does not. This might have changed.
     
  9. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    196
    @ultim I think I got the same problem as tcarrbrion. Zip with pathname and .xml sent to your pados.hu email.
    Seemed to happen after a Defender engine update since I haven't had blocks listed before.

    Paths of the old ones and the new ones. The newer ones were listed as blocked in the connection log.
    WdNisSvc (C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\NisSrv.exe)
    WdNisSvc (C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\NisSrv.exe)

    WinDefend (C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MsMpEng.exe)
    WinDefend (C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\MsMpEng.exe)
     
    Last edited: Oct 29, 2021
  10. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
    Hi @tcarrbrion,
    Hi @Freki123,

    I'll send you a test build in the next couple of days to try, to see if it solves the problem.
     
  11. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
  12. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    Thank you, that does appear to have solved the problem of logged entries. Also, it allows MpCmdRun.exe -ValidateMapsConnection to work.
     
  13. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    196
    @ultim Sent you two e-mails since I find no option to attach a zip here.
     
  14. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
    It seems the reason was the double-backslash in the path. Microsoft seems to have added a trailing backslash in newer Defender versions to the registry entry, which caused this problem recently. TinyWall in the test build handles this more robustly by correctly forming the path both with and without the trailing directory separator. For now this is only implemented for Defender; in the public release this will be generalized for all built-in rules to make it future-proof for other programs too in case they make similar changes.

    I also found out why MpCmdRun.exe -ValidateMapsConnection failed for me even with TinyWall disabled. It seems you cannot run this test if the corresponding features in Defender's settings are disabled. As soon as I enabled the features, the test succeeded for me. So now I can confirm that at least on my system and with the latest test build, there are no problems regarding Defender.

    A public release with the fix will come somewhat later. We are still checking something with Freki123, but I'm also waiting for some other things.
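
    Added example, not part of the thread and not TinyWall's own code: a Python sketch of the two checks discussed above, joining a directory and file name so the result is the same with or without a trailing separator, and scanning a filter export for `<asString>` paths that contain a doubled backslash. The sample XML is constructed from the line quoted earlier in the thread; its wrapper elements and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <asString> line quoted in the thread;
# the wrapper elements are placeholders, not the real export schema.
SAMPLE_XML = r"""<filters>
  <item><asString>\device\harddiskvolume4\programdata\microsoft\windows defender\platform\4.18.2109.6-0\\msmpeng.exe</asString></item>
  <item><asString>\device\harddiskvolume4\windows\system32\svchost.exe</asString></item>
</filters>"""


def join_dir_file(directory: str, filename: str) -> str:
    """Join so the result is identical with or without a trailing separator."""
    return directory.rstrip("\\/") + "\\" + filename.lstrip("\\/")


def collapse_separators(path: str) -> str:
    """Collapse repeated backslashes, keeping a leading UNC-style prefix."""
    prefix = "\\\\" if path.startswith("\\\\") else ""
    return prefix + re.sub(r"\\{2,}", r"\\", path[len(prefix):])


def find_doubled_paths(xml_text: str):
    """Return (original, normalized) for each asString with a doubled separator."""
    hits = []
    for elem in ET.fromstring(xml_text).iter("asString"):
        value = (elem.text or "").strip()
        fixed = collapse_separators(value)
        if fixed != value:
            hits.append((value, fixed))
    return hits


if __name__ == "__main__":
    for original, fixed in find_doubled_paths(SAMPLE_XML):
        print("doubled separator:", original, "->", fixed)
```

    A path flagged by the scan points at a rule that may never match the running executable, which shows up in the log as the exempted program being blocked.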
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    My bad, forgot about this feature. But I assume it will then override TinyWall's own protection of the hosts file?
     
  16. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
    Well, it can be misleading to say "override". The hosts file is still protected against modifications by other programs, but TinyWall will not prevent itself from installing the blocklists, yes.
     
  17. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    196
    @ultim I did the reload rules with TinyWall a few times.
    For MsMpEng.exe it seems fixed for me. No blocks in the log.
    For NisSrv.exe it is still listed as blocked in the log. But if I understood your Wilders post right, that was to be expected.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    OK I see. I simply wondered if TW would perhaps block itself from modifying the hosts file, which wouldn't be logical, I agree.
     
  19. Radish

    Radish Registered Member

    Joined:
    Jun 16, 2020
    Posts:
    7
    Location:
    Scotland
    To anyone following this forum thread that has the issue with TinyWall starting in Unknown Mode, I think you should read this new thread: TinyWall Starts in Unknown Mode

    You might manage to get a fix from there.
     
  20. netarchitech

    netarchitech Registered Member

    Joined:
    Jun 19, 2021
    Posts:
    4
    Location:
    NY
    Hi @ultim,

    Upon upgrading to TinyWall 3.2.3, I received the following 3 warnings:

    https://postimg.cc/gallery/x8ZD1qt

    I think the update went OK, but I thought I would post the warnings just in case...

    Any thoughts? Thanks in advance...
     
  21. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    685
    Location:
    Hungary
    It's alright, these messages are harmless and you can ignore them.
     
  22. netarchitech

    netarchitech Registered Member

    Joined:
    Jun 19, 2021
    Posts:
    4
    Location:
    NY
    Thanks for the confirmation, @ultim...Much appreciated :)
     