Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. hjlbx

    hjlbx Guest

    @alexandrud

    Some malwares disable WFwAS and Action Center surreptitiously... so user does not notice. They go about their business unaware that the firewall has been incapacitated.

    I had posted about this on the thread about 3 months ago. You posted that you would think about it - if I recall correctly...

    Best Regards,

    HJLBX
     
  2. hjlbx

    hjlbx Guest

    @alexandrud

    I will forward infos to VS developer...

    HJLBX
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    1. For the case when Windows Firewall is turned off from WFC by setting the No Filtering profile, a warning and a confirmation dialog was added in WFC.
    2. For the case when Windows Firewall is turned off from outside of WFC, the red X icon will be displayed in the system tray. Also, the logic of revert profile gets activated in this scenario and the profile will be reverted back after x minutes.
    3. For the case when Windows Firewall service gets disabled, WFC service will fail to start and the WFC icon will be the black one with the exclamation mark indicating that it can't connect to the service. I guess, here I could improve this scenario to make the WFC service to start Windows Firewall service if it is disabled. And check from time to time if it is running. But this is not bulletproof. Even if WFC will monitor Windows Firewall service and launch it back when it gets disabled, an attacker could also try to stop Windows Firewall Control service. I have developed at some point a mechanism with 2 processes that watch each other (every 2 milliseconds) and which will launch the other one if it is stopped. This mechanism is also used by some malware to ensure that you don't stop them. Anyway, if you write a short batch file which kills all these processes and execute it (with admin privileges), it will kill all the processes before them being able to relaunch themselves again.

    Anyway, for all scenarios, if the user launches wfc.exe with admin privileges, this will start Windows Firewall and Windows Firewall Control services again if they are stopped.
     
  4. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Uupss, my fault! Must be the heat ;-)

    Technical question: but without any info for the user, a such rules appears: ALL is allowed (even inbound with edge = allowed) for ALL programs! Is this really better as info? Would it be not better to have a column or whatever (at least a Tooltip), to inform the users about other values? Maybe an hint "Special Win 10 rule, show in Original WFwAS or in exported rule (plain text)" or something like that?
     
  5. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    The web page for WFC says the DNS Client service needs to be enabled for the notifications to work properly. What issues arise if it is disabled ?
     
  6. Distman

    Distman Registered Member

    Joined:
    May 7, 2013
    Posts:
    12
    yesterday I update my Windows 8.1 Pro to Windows 10 Pro 64Bit. Since then I can not open the context menu of Windows Firewall Controll. Also I can not run it as a normal window anymore. It is running in the try and when I move the mouse over the icon, the hint is also displayed. But right cklick, left click, double click will do nothing. Other programs work normal, like Dropbox, Skype, USB, ...
    Installed is the latest version. All Windowsupdates are done and the latest graphic card driver is installed.
    Any idea?
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    ALL is allowed for ALL programs ? Even if the new columns are not displayed, this does not mean that the rules apply for all programs. I could add a new column named Application Package which will display "something" or maybe a checkbox. Then in WFC the user will know that these are Windows 10 rules because they apply for specific application packages. But I think it is pretty obvious in Manage Rules which rules are different than the others. What bothers me is that if we choose to reset Windows Firewall default rules, all these specific rules are not recreated back.
    If the DNS service is disabled, then in notification dialog (Connections Log also), instead of the real remote IP addresses that are blocked/allowed you will see your router IP address. If DNS service is disabled, then Windows Firewall logs the connections before resolving the domain names. And the first IP address that is contained is your router IP.
    Have you tried to uninstall WFC and reinstall it again ? Does this change anything ?

    Please go to Event Viewer (eventvwr.msc). Under "Windows Logs" category, there is a subcategory named Application. Here are logged all errors from all programs. When you are there, on the right panel is a button named "Save all events as...". Use this button to export an *.evtx file and send it to support@binisoft.org to check it. Maybe we can find here a .NET problem that is causing this.
     
  8. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    I know that. I meant, it SEEMS so for the user within WFC. How should a 0815 user know, there are hidden values, if he does not see that within WFC? That's my point. He should be somehow informed about that (must not be the real (not understandable) values) IMHO.

    I would say, better than nothing. How I said above, must not be the real values. A hint would be enough, ala "Open Win FW to see all values!" or something like that.

    That's indeed not good, hmm ... I hope you can find a solution for this! BTW: This was even the case in WFwAS in a test on (another) Windows 10 installation here (upgraded from Win 7 Ultimate x64) (not checked again on the clean Win 10 installation). After reset to default, all these rules were deleted. The only workaround (till now with my actual knowledge) is to create a new win account (if I remember correctly). Not tested (till now): Import the ruleset within WFwAS and/or WFC.
     
  9. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    DE-language file for WFC 4.5.2.0:
    translation is sent to the developer (binisoft.org), sorry for the delay (Win 10 clean-installation was the reason) ...

    DE-Sprachdatei für WFC 4.5.2.0:
    Übersetzung wurde an den Entwickler gesandt (binisoft.org), Entschuldigung für die Verzögerung (Win 10 Neu-Installation war der Grund) ...
     
  10. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    For Windows 10 users, does it come shipped with .NET Framework 4.6?
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
  12. Distman

    Distman Registered Member

    Joined:
    May 7, 2013
    Posts:
    12
    This solved the problem. I checked the application log, but there was no error recorded. Not from .NET or any other program. But looks like everything is working again.
     
  13. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Alexandru, would you consider making the following changes to minimize column widths?
    The current excessive widths waste screen space and result in screwing up the display when many columns are shown and the window is moved partly "off screen".

    Minimum widths could be much smaller when both headings and options are short.

    For column descriptions with two words, use two lines:
    Local addresses
    would be:
    Local
    Addresses



    Heading / Option descriptions could be shortened, at least in English, to:
    Loc'n: "Dom|Pri|Pub|All" (Short heading, at most only two short options)
    Enable: "Yes|No"
    A/B: "Allow|Block" (Short heading)
    I/O: "In|Out" (Short heading)
    Inter
    -face: "LAN/RA/WiFi" (two line heading, short descriptions)
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    I can reduce the minimum size of the columns. The columns headers will use trimmed text if the text is larger than the current column width and will display a tooltip if the text is trimmed.

    Regarding the shortened texts, you can download the language file and modify it as you wish. Then just put the modified .lng file into the same folder with wfc.exe and restart the program. It will use your custom strings. I am not a fan of abbreviations.

    You can also hide uninteresting columns or you can even reorder them and put the most interesting ones on the left.
     
  15. Aleks111

    Aleks111 Registered Member

    Joined:
    Apr 13, 2015
    Posts:
    3
    Dear, alexandrud, please read my message carefully, because on current point program doesn't work correctly.
    I'll illustrate it on two situations:
    Situation 1.
    I have a program myprogram.exe. I want to BLOCK this program access to specified ip diapason. I create a block rule, where specify ip range. What firewall behavior I expect in this situation? I expect this:
    1) I want firewall to know that I DECIDED what I want to do with this file (myprogram.exe) - this means no more notifications about this file. 2) I want firewall to BLOCK access to specified range AND ALLOW access to any other ip adresses.
    What firewall does in this situation? When myprogram.exe tries to connect to any other ip (not in blocked range) firewall blocks it (it's wrong behavior according to logic!) and throws notifications (which impossible to turn off, only turn off notifications at all). Then even more... If I click allow on notification - allow rule will be created and we will have 2 rules about one program. First - allow all. Second - deny ip range. But cause the block rule has higher priority firewall will do the job correctly from this point.

    Situation 2.
    I have a program anotherprogram.exe. I want to ALLOW this program access to specified ip diapason. I create allow rule, where specify ip range. What firewall behavior I expect in this situation? I expect this:
    1) I want firewall to know that I DECIDED what I want to do with this file (anotherprogram.exe) - this means no more notifications about this file. 2) I want firewall to ALLOW access to spedified range AND BLOCK access to any other ip adresses.
    What firewall does in this situation? When anotherprogram.exe tries to connect to any other ip (not in allowed range) firewall blocks it and throws notifications (which impossible to turn off). Then if I click BLOCK in notification popup - block rule will be created and we will have 2 rules about one program. First - allow selected range. Second - deny all. In this situation firewall will BLOCK ALL (program will not be possible to connect to allowed range) cause block rule has higher priority (it's also wrong behavior according to logic!). The only solution I found in this situation is to create block all rule to anotherprogram.exe, turn it off and then specify in notifications not to popup when rule exists but turned off.

    So, if say shortly, normal firewall behavior looks like this:
    0. Notifications appear about every program that doesn't have firewall rule (in high notification level)
    1. If block rule added, where diapason specified - block connections to specified diapson, allow others. No more notifications about this file.
    2. If allow rule added, where diapason specified - allow connections to specified diapson, block others. No more notifications about this file.
     
  16. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Thank you! :thumb:

    I did that and am happy! :thumb:

    I've done that but sometimes I like to see everything, without having to use the scroll bar at the bottom.

    Overall - :)
     
  17. sfws

    sfws Registered Member

    Joined:
    Aug 4, 2015
    Posts:
    3
    Maybe not directly WFC related question, but:

    I was updating my Windows Time service configuration and it would not update. The W32Time svchost.exe has the normal outbound udp port 123 enabled and allowed, but this (below) rule is preventing access:

    Code:
    <Rule Name="AllJoyn Router (UDP-Out)" Group="AllJoyn Router" Program="C:\Windows\system32\svchost.exe" Description="Outbound rule for AllJoyn Router traffic [UDP]" Location="3" Enabled="Yes" Action="Block" Direction="Out" LocalAddresses="" LocalPorts="" RemoteAddresses="" RemotePorts="" Protocol="17" ServiceName="AJRouter" EdgeTraversal="" Icmp="" InterfaceTypes="All" ApplicationPackage="" AuthorizedComputers="" AuthorizedUsers="" LocalUserOwner="" SecureFlags="0" />
    That should, I believe, only block the AjRouter service from all UDP, but it is also affecting the W32Time service. Is that how it should work, or is there something else going on / wrong?
     
  18. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    What if you make an allow rule for W32Time service, does it help?

    It is working as expected. You have created an allow rule and a block rule that restricts IP range outbound. That means each rule is now a custom rule, which means you need to create another rule to accomodate for anything that fits outside your custom IP ranges.

    1. If block rule added - now create an allow rule for the remaining IP ranges...
    2. If allow rule added - now create a block rule for the remaining IP ranges...

    Example for one program:
    Your allowed IPs will look like this - 69.16.175.10,69.16.175.42,93.184.221.133
    Your blocked IPs will look like this (example, can be restricted further, just showing you what the opposite of allow IP looks like for ranges) - 1.1.1.1-69.16.175.9,69.16.175.11-69.16.175.41,69.16.175.43-93.184.221.132,93.184.221.134-255.255.255.255

    0. Notifications appear - not sure what you mean by notifications in HF mode... your internet access is unavailable until you modify Remote IP outbound and inbound rules.
     
    Last edited: Aug 15, 2015
  19. Blaspie

    Blaspie Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    15
    Hi,

    how do I allow LAN folder sharing with this firewall? When I set the firewall to anything other than "no filtering" and then go to "Network" folder, it is empty and there is this message instead: "Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change..." However clicking it does nothing, the message just reappears immediately. Connections log doesnt show anything either.
     
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I don't share anything, so can't help you...

    But one way to figure it out before someone on here who does share helps is to have a look at the rules list with "no filtering" on, and then check the rules list with "low filtering" on and match 'em up for missing rules. Shouldn't take too long to track down which rules are nerfed...
     
  21. Aleks111

    Aleks111 Registered Member

    Joined:
    Apr 13, 2015
    Posts:
    3
    If I have 100+ diapasones, should I manually substract them from whole ip range? This is against any program logic. If user add "block diapasone" rule this means that other ips should be allowed. Otherwise he should just add "block all" rule.

    HF - you mean high filtration mode? I haven't said anything about high filtration mode in my post.
     
  22. Blaspie

    Blaspie Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    15
    High filtering adds two rules to block inbound and outbound traffic. Other than that, there doesnt seem to be any change in rules at all, no matter what filtering mode is enabled.

    I also use LAN messenger, a program to chat and send files over LAN. Chat works, but sending files does not work with WFC enabled. I tried to create rules to allow all LAN traffic, it didnt help.
     
  23. sfws

    sfws Registered Member

    Joined:
    Aug 4, 2015
    Posts:
    3
    No, that is why I brought it up. This rule is active, but not allowing the W32Time through unless I disable that AJRouter udp block rule:
    Code:
    <Rule Name="WFC - Windows Time Service" Group="Windows Firewall Control" Program="C:\Windows\system32\svchost.exe" Description="Allow Windows to synchronize the system clock with an Internet time server." Location="2147483647" Enabled="Yes" Action="Allow" Direction="Out" LocalAddresses="" LocalPorts="" RemoteAddresses="" RemotePorts="123" Protocol="17" ServiceName="W32Time" EdgeTraversal="" Icmp="" InterfaceTypes="All" ApplicationPackage="" AuthorizedComputers="" AuthorizedUsers="" LocalUserOwner="" SecureFlags="0" />
    I believe it should work like:
    • A service rule specific to AJRouter should not affect W32Time service, even without an explicit allow rule.
    • An explicit allow rule should override a block rule.
    or am I incorrect? Neither of those seems to be working / true.
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    You will not receive a new notification if a future connection which gets blocked matches this IP range.
    This works if you use Low Filtering profile because connections that do not match a rule are allowed. When Medium Filtering profile is activated, all connections that do not match a rule are blocked by default. Until this point, you did not create an allow rule for myprogram.exe, so it gets blocked.
    This behavior is correct if you use Medium Filtering profile.
    This is also the correct behavior. The allow rule specifies which connections are allowed, in your case, all. The block rule specifies which are blocked, your specific IP range. Because block rules have higher priority over the allow rules, Windows Firewall will mix these both rules. Everything seems fine to me.
    You will not get any new notification for the specified IP range. If a new connection tries to connect on a different IP and gets blocked, then a new notification will be displayed.
    This seems correct to me. Your rule does allow an IP range and now you have a new connection which is not allowed by a rule, so it gets blocked when using Medium Filtering profile. You will receive a new notification.
    0 - This happens already
    1 - You have to define an allow all rule and then a custom block rule for specific IP ranges that you want to be blocked.
    2 - I can't change the default behavior from Windows Firewall. A block all rule will override any allow rule. For this scenario, you have to make the block rule, the opposite of the allow rule to make it work.
    I think this should be reported to Microsoft. Indeed, the rule that you have posted, should not affect the allow rule that you have defined for W32Time service.
    Did you enable File and Printer sharing like explained below ?

    http://windows.microsoft.com/en-us/windows-vista/enable-file-and-printer-sharing

    This will create a new set of Windows Firewall rules that will allow network sharing. Make sure that you don't have Secure Rules feature enabled in WFC when you enable file and printer sharing. Otherwise, these rules will be automatically deleted by WFC because they are created from outside of WFC.
     
    Last edited: Aug 15, 2015
  25. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    Is anyone here using Glasswire on top of WFC? Would they conflict?

    It's similar to WFC in that it uses windows firewall. It's not as good, in my opinion, at blocking and allowing programs, but it's better at giving you information about the processes that are using the web, and has several other nice features. I'd like to use both...
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.