Windows 10 Firewall Control (Sphinx-Soft) Discussion Thread

Discussion in 'other firewalls' started by Brummelchen, Feb 14, 2015.

  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    The only place I've seen ICMP is in the built in Local System zone, which includes DNS.
    (And there are no ICMP types dropdown like in old Outpost or Kerio.)
    I once tried making my own ICMP rule for ping.exe and got nowhere because SYSTEM rules seem to take precedence. At least in Windows 10. It wasn't till in the Programs tab I set System to log events that I saw it.
    I'm not fighting it. I suspect Windows filtering platform handles it, though I haven't gone into Windows event log > security to see.
     
  2. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    342
    Location:
    Boston
    It’s been a while since I’ve used this.....
    Does it still block everything after the initial install? Also, is there an option for a ‘learning mode’?
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Block everything? Yes, unknown blocked by default, but
    1. It depends what your definition of "everything" is.
    2. It depends what you ask the installer to set up rules for (win updates, system applications, file sharing).
    3. It depends what you set in the Settings, what domains you use or add ...
    Learning?
    4. If you mean is there a learning setting in the tray icon (like Outpost has) - then no.
    5. Packet filter "learns" from your responses to alerts about an initially blocked application. On alert, or later, you select a zone (set of rules) which you can use as provided, edit the list, or make your own useful zone.
     
  4. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    342
    Location:
    Boston
    Thank you
     
  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    One big bug I found with beta 8.4.0.59 is Mbae connects saying update available, thought every connection was blocked?
    I had WFC10 locked down, so I thought.
    Tried to join the forum, but will not play the Google captcha game.


    The new VPN rule is still useless, at least for Windscribe!
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    ah, there it is, thank you :)

    recaptcha v2 is a matter of your browser (or HOSTS file)
    too much locked down, your fault.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Describe how you locked it down. And what zones did you assign to mbae64.exe and mba-svc.exe.
     
  8. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Did not lock down mbae64 just harden such as Svchost.exe no updates, Services set to LAN.

    The thing that was surprising no pop-up about mbae connecting, did not have a rule for it yet.
    All of a sudden, mbae says new version available , without a mention of any connection leaving my computer.
    Thought all connections were blocked until I set a rule?
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    What did you see in the event log? Or reviewed access.log in the installation directory.
    Best thing would be for you to join their forum and ask there providing as much detail as you can. If captcha is bugging you, then it's your choice if you want help or not. (I don't recall having to use captcha, but it's been long ago).
     
  10. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Will sit on the shelf for now, someone might figure it out.
    Did not look at the event log. If mbae managed to get through piggy-backing another program nothing would be shown.
    Google captcha is a big no (spending a half hour playing with photos like a pre-schooler). That is why I am asking here.
    Thanks for the suggestions. :thumb:
     
    Last edited: Aug 11, 2018
  11. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    The stable version was fine. Beta had the problem.
    I disconnected the cable of life, installed over the stable version, computer froze of course; after the suggestion of shutting down explorer I rebooted, then the message from mbae came up.
    Tried a different way the next time: uninstalled first, then reinstalled beta. Same message, "New version of Mbae available".

    Too bad he/she or them don't monitor this site.
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    When I install over the previous version I also get the explorer shutdown thing and need restart. The best solution to this part is to always install in the administrator account not limited user. Then there is no issue with Windows10 messing up restarting explorer. Why you get mbae update notice I don't know. Perhaps as your old rules come in, mbae is permitted since installing over a previous version retains previous rules.
    Probably unrelated: Are you running both Sphinx and Windows Firewall? (I don't, Windows FW is turned off, just Windows filtering platform does its job). It all should work ok with both on because so long as one of them has a block rule, mbae would be blocked.

    This is what it looked like on first restart after installing (perhaps it'll help you a bit to debug). The 4 denied connections "UpdateGuard" happen during restart when Sphinx isn't yet ready, so they block everything. Then Mbae64 was allowed at 23:42 which I see in the access log.
    If I had a rule to block, MBAE would have been blocked.

    [Attached image: AfterInstalling-.jpg]
    Agree 100%.
     
  13. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Windows 7 64 here. Windows firewall was off. Must have been switching between the two versions.
    I will try that rule set next time.
    Thanks for your input!
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    your way to deal with it - it works here. as i wrote it's a matter of your browser and/or HOSTS file which blocks gstatic.com and google.com in several ways. and ofc cookie matters. btw recaptcha usage is growing. but this is sphinx so we should end it here.

    btw dashost is windows 10, windows 7/8 don't own that.
    "system" is bound to "localsystem" (default) and the rest to "webbrowserzone" as i don't have doubt on my system.
     
  15. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Anything Google I try not to touch.
    That captcha thing is a big failure.

    "btw recaptcha usage is growing"
    Good luck.:thumbd: Hope it works for you.
    Of course pictures work better, for simpletons Baa, Baa's.
     
    Last edited: Aug 12, 2018
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Me too. But I also use LANonly for several programs such as WinMediaPlayer, VLC, spoolsv, excel, word ...
    Just don't want'm on the web. Did you ever see/use their newer MSOnline & MSOffline zones? Just curious.

    Good note about dashost. Circuit never told us with what Windows we're playing (or I missed it), besides complaining about captcha.
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    just installed .59 today and did not have a closer look. it's an http filter IMO bound to MSO files.
    the problem here i need to check zones and its "prev" remnants to make changes in my own zones.
    "lanonly" is used a lot here, some programs need a loop back (eg O&O Defrag or Zortam MP3) - or just lan ^^ (running a network here).

    the "vpn" zone looks like a reduced "localsystem" zone.
    funny to mention -> 127.0.0.1/32
    localhost is bound to 0.0.0.0 instead 127... recommended from microsoft
    (see also HOSTS file)
     
  18. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    The difference I see between MSOnline and WebBrowser zones is MSOnline has no DNS rule. Other than telemetry and those experimental rules.
    My GUESS is that Sphinx developers saw a bunch of system32 programs and didn't see the need for DNS rules, perhaps because M$ often uses hard coded IPs or internally they call on svchost.
    At one point, few versions back, when I was making rules from scratch Sphinx zone suggestions on detected were for MSOnline or MSOffline zones.

    Local host 127.0.0.1 or zeros. Yes, I know HOSTS now uses zeros. Yet, something like SeaMonkey browser uses loopback, in and out on two adjacent ports of 127.0.0.1.
    Windows doesn't seem to mind. Windows firewall is off here, but FilteringPlatform logs the stuff in windows event log, and the connections there are 127.0.0.1. (See elevated events viewer > security).
    It's beyond my skills to understand, but I think I read someplace that zeros in HOSTS is quicker or something like that.

    (prev) rules. On .59 I just see 8 of them this time, and only one used by me. So I think I'll just delete (prev) ones.
     
  19. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Beta 8.4.0.60 solves the problem, working nice.
    Great support (via e-mail).
     
  20. Smile

    Smile Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    9
    Why do I see this in the log?

    2018:08:23|11:31:42|Blocked|1|IPv4 UDP api.coinmarketcap.com/104.17.139.178:137(137)|System|LocalSystem Outgoing|System

    I do not have anything related to crypto running.
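
Added example, not part of the original post and not Sphinx's own code: a parser for the log entry quoted above that classifies it by port and address scope rather than by the hostname label. The field meanings are inferred from that one line, `LAN_SAMPLE` is constructed, and the only outside fact used is that UDP 137 is the NetBIOS name service port.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Line quoted in the post above; field meanings are inferred from it (assumption).
SAMPLE = ("2018:08:23|11:31:42|Blocked|1|IPv4 UDP api.coinmarketcap.com/"
          "104.17.139.178:137(137)|System|LocalSystem Outgoing|System")
# Constructed line in the same shape, for contrast (not from a real log).
LAN_SAMPLE = ("2018:08:23|11:32:05|Blocked|1|IPv4 UDP 192.168.1.255:137(137)"
              "|System|LocalSystem Outgoing|System")

# "<family> <proto> [<host>/]<ip>:<port>(<n>)"; the bracketed value is ignored
# because the page does not say what it means.
ENDPOINT = re.compile(
    r"^(IPv4) (\S+) (?:(\S+)/)?(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\(\d+\)$")
NETBIOS = {137: "NetBIOS name service", 138: "NetBIOS datagram",
           139: "NetBIOS session"}

class Event(NamedTuple):
    when: str
    action: str
    proto: str
    host: Optional[str]
    ip: str
    port: int
    program: str
    rule: str

def parse_line(line: str) -> Optional[Event]:
    """Split one pipe-delimited entry; return None if it does not fit."""
    f = line.strip().split("|")
    if len(f) != 8:
        return None
    m = ENDPOINT.match(f[4])
    if m is None:
        return None
    _, proto, host, ip, port = m.groups()
    return Event(f"{f[0]} {f[1]}", f[2], proto, host, ip, int(port), f[5], f[6])

def triage(ev: Event) -> str:
    """Classify by port and address scope, ignoring the hostname label."""
    service = NETBIOS.get(ev.port)
    if service is None:
        return "other"
    scope = "lan" if ipaddress.ip_address(ev.ip).is_private else "public"
    return f"{service} to {scope} address"

if __name__ == "__main__":
    for raw in (SAMPLE, LAN_SAMPLE):
        ev = parse_line(raw)
        print(ev.action, ev.program, ev.host or "-", ev.ip, "->", triage(ev))
```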
     
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    Browser and malicious script in page? Don't you use an adblocker?

    Run Adwcleaner?
     
  22. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Problem of MBAE no alert?
    Sort of hard to understand why, since the only change from 8.4.0.59 to .60 was an additional UI command to add a site to domains really easily. Alertings, settings, packet rules haven't changed.
     
  23. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    on win10 i run both but i never had any issues between both. maybe he has matter because he has "hardened" his system. no one knows until one is eliminated.
     
  25. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Ditch Mbae (google like), problem solved , phoning home (telemetry). No problem now.
    Not worth the privacy impact.
     