WFC questions.

Discussion in 'other firewalls' started by Graphite85, Sep 20, 2020.

  1. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    Can anybody tell me how WFC is able to modify the Windows control panel firewall rules from a standard user account without admin rights? Windows firewall needs admin access into advanced settings to modify the firewall rules so how does this work? Am I only controlling user based firewall rules?



    My second question is about secure rules. From what I've read this can be used to prevent Windows from resetting the firewall. Just exactly when and what does Windows reset in the firewall? When I try to enable secure rules it says every rule that is not in an authorized group will be deleted. This would delete all of the core networking rules and Microsoft store app rules. Am I supposed to add core networking and other groups to the authorized groups? Could anybody explain this further?
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,066
    Location:
    Romania
    1. WFC has 2 parts, a GUI app (wfc.exe) which requires only standard privileges and a Windows service (wfcs.exe). The service is the one that works with the Windows Firewall rules, not the GUI part. In Rules Panel you see all rules, not just user based rules.
    2. Secure Rules detects when a new firewall rule is added and can disable/delete it. Read more about how it works here: https://binisoft.org/pdf/guides/Malwarebytes-WFC-User-Guide.pdf#page=25
    Yes, if you want to preserve the default rules, you should first add their group names in the Authorized groups list, otherwise Secure Rules will disable/delete them.
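
Added example, not part of the reply above and not WFC's own code: two read-only PowerShell checks that show which account runs the service behind wfcs.exe and how many existing rules sit in groups outside an authorized list. The group names in `$authorizedGroups` are sample values, and comparing them against each rule's displayed group name is an assumption about how the Authorized groups list is matched.

```powershell
# Added example: read-only checks, no firewall rule or service is changed.

# Sample list (assumption): replace with the group names you intend to
# enter in the Authorized groups list before enabling Secure Rules.
$authorizedGroups = @(
    'Windows Firewall Control',   # assumed name of WFC's own rule group
    'Core Networking'
)

# 1. Which account does the service behind wfcs.exe run as?
#    StartName is the logon account the Service Control Manager uses.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*wfcs.exe*' } |
    Select-Object Name, State, StartName, PathName |
    Format-List

# 2. Count rules per group and mark groups that are not in the list.
#    Rules with no group are collected under '(no group)'.
Get-NetFirewallRule |
    Group-Object -Property {
        if ($_.DisplayGroup) { $_.DisplayGroup } else { '(no group)' }
    } |
    ForEach-Object {
        [pscustomobject]@{
            Group      = $_.Name
            Rules      = $_.Count
            Enabled    = @($_.Group | Where-Object { $_.Enabled -eq 'True' }).Count
            Authorized = $authorizedGroups -contains $_.Name
        }
    } |
    Sort-Object Authorized, Group |
    Format-Table -AutoSize
```

Groups listed with `Authorized = False` are the ones to review before turning Secure Rules on.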
     
  3. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    Hi,

    Thanks for your reply. So how is it that the wfcs.exe service can modify rules in the Windows control panel firewall (which requires admin privileges to open) from a standard user account without any admin privileges? Is the wfcs.exe already running with administrator privileges?
     
  4. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    161
    It runs with TrustedInstaller privileges, which is a step higher than administrator privileges.
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,066
    Location:
    Romania
    Actually, the wfcs.exe service runs under the SYSTEM account, which has all possible privileges in the Windows world. The SYSTEM account is on top of any administrator account.
     
  6. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    Thanks for clarifying, this makes sense now. :thumb:
     
  7. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    Is this also how Windows Update can install updates from a standard local user account?
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,066
    Location:
    Romania
    Yes. The updates are not installed for a specific user account but for the whole system. Just because a standard user account is logged in, it does not mean the updates are installed under that user account.
     
  9. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    So is secure rules basically a way to prevent malicious tampering of the firewall? Are there other types of rules I might want to prevent? How can I prevent certain Windows store app rules from being created? These seem to get re-created regularly.
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,066
    Location:
    Romania
    Please take a look in the user manual. It answers a lot of questions about WFC and Windows Firewall, it also explains how Secure Rules works:
    https://binisoft.org/pdf/guides/Malwarebytes-WFC-User-Guide.pdf
     