Windows Firewall Application checksums?

Discussion in 'other firewalls' started by noway, Jun 29, 2022.

  1. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Just trying out Windows Firewall on Windows 10 along with Malwarebytes WFC. Is it true that Windows firewall just uses the application name to authenticate an application permitted to connect to the internet?

    I tried renaming leaktest.exe to eraser.exe and put it into the same directory as eraser where I have a permit rule for eraser.exe in WFC. The renamed eraser.exe connected out to GRC without a prompt. I would think that a firewall should check the MD5 or SHA of the executable and prompt me to create a new rule if the checksum has changed, like some other firewalls I've used in the past.

    I've only been using Windows Firewall for a week or so. Am I missing a setting somewhere to force this (I have Smartscreen enabled) or is this just a security hole?
     
    Last edited: Jun 29, 2022
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    Windows Firewall rules are applied per path basis not per checksum basis. There is no check for SHA256 of the file. You usually allow programs from Program Files or System32 folders. To replace the files in such folders you need administrative privileges. If there is a rule for a specific file and that file is updated/replaced, the allow rule still works. This is how Windows Firewall works.

    I had in plan a feature for WFC to check the SHA256 of the file and to remove the rule if the SHA256 is different, but Malwarebytes acquired Binisoft in 2018 and I had to slow down WFC development because I work now on too many other projects. It is still in the WFC backlog.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Magnificent that it's seriously considered. WFC is a stellar project IMHO and such an addition would fill a gap.
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Thanks for the info. Appreciate it.
     
  5. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    229
    Location:
    etc
What about imported DLLs? And DLLs loaded via LoadLibrary()?
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    Too much. WFC was never intended to be a HIPS security software.
     
  7. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    229
    Location:
    etc
Sure, so I'm wondering about your plans for "a feature for WFC to check the SHA256 of the file".
    Does it make sense at all without checking dependent DLLs?
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,428
    Location:
    Romania
    Checking the loaded dependencies of a specific software is not something that a firewall should check. A software may have tens/hundreds of dependencies. The software itself should check if the loaded dependencies are the expected ones. Anyway, those dependent DLL files are loaded into a process (executable file) which connects to the network. The improvement in WFC can be that if the SHA256 changes, then the rule may be deleted/disabled, in a similar way Secure Rules does it already.
     
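Added example (my own sketch, not code from WFC or from any post in this thread) of the path-versus-hash point in posts 2 and 8: Windows Firewall itself binds a rule to a program path, so the script below snapshots the SHA256 of every executable referenced by an enabled allow rule and, on a later run, reports rules whose binary has changed and optionally disables them, the way the proposed WFC feature would. It assumes an elevated PowerShell session on Windows 10 with the built-in NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallApplicationFilter, Disable-NetFirewallRule); the baseline file location is a constructed placeholder.

```powershell
# Added example, not part of WFC. Baseline of SHA256 hashes for programs referenced by
# Windows Firewall allow rules; re-run to detect rules whose executable changed on disk.
# Assumes an elevated session with the NetSecurity module (Windows 8+/Server 2012+).
$BaselinePath = "$env:ProgramData\fw-program-hashes.json"   # constructed placeholder path

function Get-FirewallProgramHashes {
    # Map rule Name (the unique id) -> program path and current SHA256, for enabled allow rules
    # that are bound to a concrete executable. Rules scoped to "Any" program are skipped.
    $result = @{}
    $rules = Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction Stop
    foreach ($rule in $rules) {
        $filter  = $rule | Get-NetFirewallApplicationFilter
        $program = $filter.Program
        if ([string]::IsNullOrEmpty($program) -or $program -eq 'Any') { continue }
        # Rule paths often use %SystemRoot%, %ProgramFiles% etc.; expand before hashing
        $path = [Environment]::ExpandEnvironmentVariables($program)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $result[$rule.Name] = @{ Program = $path; SHA256 = $hash; DisplayName = $rule.DisplayName }
    }
    return $result
}

function Save-Baseline {
    param([Parameter(Mandatory)][hashtable]$Hashes)
    $Hashes | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Saved $($Hashes.Count) rule hashes to $BaselinePath"
}

function Compare-WithBaseline {
    # Report NEW rules (not in baseline) and CHANGED rules (same rule, different file hash).
    # With -DisableChanged the changed rules are disabled until someone re-approves them.
    param([switch]$DisableChanged)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        throw "No baseline at $BaselinePath; run: Save-Baseline (Get-FirewallProgramHashes)"
    }
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-FirewallProgramHashes
    $changed  = @()
    foreach ($name in $current.Keys) {
        $old = $baseline.$name
        if ($null -eq $old) {
            Write-Output ("NEW     {0} -> {1}" -f $current[$name].DisplayName, $current[$name].Program)
            continue
        }
        if ($old.SHA256 -ne $current[$name].SHA256) {
            Write-Output ("CHANGED {0} -> {1}" -f $current[$name].DisplayName, $current[$name].Program)
            $changed += $name
            if ($DisableChanged) {
                Disable-NetFirewallRule -Name $name
                Write-Output ("        disabled rule '{0}'; re-enable after verifying the new binary" -f $name)
            }
        }
    }
    return $changed
}

# Usage (elevated PowerShell):
#   Save-Baseline (Get-FirewallProgramHashes)   # first run: record current hashes
#   Compare-WithBaseline -DisableChanged        # later runs, e.g. from a scheduled task
```

Two caveats match the thread. First, exactly as tnodir notes, this only covers the executable named in the rule, not the DLLs it loads; that is where the firewall's responsibility ends and a HIPS or code-integrity control takes over. Second, a legitimate update changes the hash too, so a changed rule is disabled until the user re-approves it, which is the same "prompt me again" behaviour noway asked for in the first post.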
  9. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,618
    Location:
    USA
    Yes! - that would be a meaningful improvement. :thumb:
     