Windows Firewall Control (WFC) by BiniSoft.org

Alex I been looking into the internal hardening firewall rules, and have discovered they can be controlled via a program API. Is it possible to add this functionality to WFC?

Some info here

http://windowsitpro.com/systems-management/understanding-windows-service-hardening
https://msdn.microsoft.com/en-us/library/aa365489.aspx
http://sourcedaddy.com/windows-7/windows-firewall-and-wsh.html

The reason I want to overide these rules is that some services on windows wont allow direct DNS queries because WSH blocks them, it seems anything running in a appcontainer (modern apps) and some services will fail to do dns lookups unless dnsclient service is enabled and these internal wsh rules are the reason.

 

I will check all the tips and report then - thank you so far!

PS: I think 20480 (20 MB) is too low (I had not checked this right). So this value is reached too quick and then the oldest entries are overwritten too fast (I have MUCH allow entries). I test now with higher value as first measure ...

EDIT: The test is sucessfull till now - it SEEMS it's solved. Thanks again, Alexandru! My main mistake was that I thought with splitted logs, especially because I have created individual logs! Of course the real security log is ONE log with one defined size! My second mistake was that I took 20480 KB for 200 MB, uhhhh, that was bad ;-) In reality I had only 20 MB which was really too low.

BTW: could you not set this value higher while install? For example with a registry check "if the value is < 204800 set it to 204800" or at least "if the value is default 20480 set it to 204800" or you could make an option in WFC to set the size? Just an idea, but could be sensfully, because 20 MB default is really not enough.

 

thanks for your reply.

my condition is in the task bar the ico is green and in the log there is no error, only three logs for last several days says"Resolving the path of the program has failed."

and in my computer environment there is no hips software to effect the wfc.exe and wfcs.exe start. only have the windows defend and even this software i have add it to the white list.

so is there any other ways to find the reason? thanks very much.

 

It is possible to add support to view and modify these rules through Windows Firewall API but I will not implement it. There is a reason why these are not easily accessible to the users and my opinion is that the users should not change the default rules that are applied to Windows services.

I will see if I can add support in Connections Log to set the log size. I do not want to increase the log size automatically at installation because this is not always required. Note that increasing the log size will also increase the waiting time when processing the Security event log.

When the Start automatically at user logon option is checked in the Options tab a new shortcut is created for wfc.exe in the following location:

C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\Windows Firewall Control.lnk

This shortcut is available to all Windows user accounts and will launch the program for all user accounts.

1. This shortcut should be executed with standard privileges and the user must never check the following check box from the Compatibility tab. If this check box is checked, it must be unchecked.



2. Try to remove this shortcut and create a scheduled task to execute the file wfc.exe. https://technet.microsoft.com/en-us/library/cc748993(v=ws.11).aspx

3. If you have installed a major update through Windows Update (e.g.: Windows 10 Build 14393.5) please uninstall and reinstall WFC.

 

Alex sorry to hear your stance in not allowing the end user to control their machine, the developer does not always know best.

I even gave you a specific reason why I want to overide the rules.

 

thanks again - changing location=All seems to end the false notifications & not just at startup

 

Here’s a compatibility issue that looked like it was involving WFC, but really wasn’t so I thought it would be good to share here in case it comes up…

I went to download EMET 5.51 today – it would not download. I eventually had a look at WFC connection log & my browsers were being blocked outbound when I clicked on the download. So I put WFC in ‘Low Filtering’ to allow all outbound traffic, but all browsers were still blocked when I clicked on the download (and still showing up in the WFC log). I had to exit WFC & stop the service to get the download to work.

But, I was replacing MBAE-free with EMET & had not uninstalled MBAE yet. Once I uninstalled MBAE I tested the download again & there were no issues – no blocked browsers. So it was just MBAE causing the problem, but it sure looked like it was WFC – all good now

 

The Security log (Connections Log) contains all connections blocked by Windows Firewall or by other security products. Since WFC does not block or allow anything, the source of blocking is always someone else, but not WFC.

 

ahh - i thought only Windows Firewall was logged

right, but why would disabling WFC clear the block - this is why i thought i might be WFC & another app having a compatibility issue. I'm still not sure why this worked since it seems like it was all caused by MBAE

 

It was just a coincidence. The block was not made by WFC. Please check the user manual to find out how the notifications system works and how the connections are blocked in Windows Firewall. Best regards.

 

Now I get an error message when I go into Network "Network discovery is turned off". When I click turn on nothing happens. Same with the options in Control Panel>Network and Sharing Center>Advance sharing settings. Only when I turn off WFC does it remain on. As soon as I enable WFC (any Profiles) same problem. Tried restoring Windows Firewall default rules and WFC recommended rules with same results.

Obviously, all necessary Services are running as able to connect when WFC is Off.

Any help appreciated.

Thanks,
Robert

Win 10 Pro (clean install)

Alexandrud replied, "When you enable/disable some features from Windows (like Network Discovery, File and Printer Sharing), the operating system enables/disables some group names from the default set of rules. If you have removed these rules, then the operating system can't actually enable these functionalities because the rules from their corresponding groups are not there anymore. In this case, my recommendation is to reset your rules to the default set and start over with the removing carefully of the default rules."

Alexandrud, I have never disabled or removed any of WFC's or Windows default rules. Do you mean reset Windows Firewall with Advance Security to Default Rules and set WFC to just it's/your default rules and start all over again?

Robert

P.S. Why was I in Windows (10) Firewall topic? I deleted my posts.

 

If you use Secure Rules, make sure that you add these default group names into the authorized groups list before enabling them from Advanced sharing settings.

On my system, pressing on the 1 does nothing, pressing on the 2 will create the green rules above. But, if I close the Advanced sharing settings window and reopen it, the 1 check box is again set to OFF. The same happens even if I disable Windows Firewall. It is probably a bug in Windows?

 

Windows Firewall Control v.4.8.4.0

Change log:
- New: Added support to find duplicate rules in Rules Panel.
- Fixed: The application always uses the Calibri font family which for some users may not be the best font. If the user changes the default font from the Advanced Appearance Settings... dialog, WFC is still displayed with Calibri font. Now the WFC user interface reflects the system font.
- Fixed: Pressing multiple times on F1 key will open multiple times the user manual.
- Updated: Pressing the F1 key in the focused window will open the user manual to the corresponding topic instead of the main page.
- Updated: The user manual topics were extended.

Note that the installer size was increased because the .chm file is also packed into the installer.

New translation string:
799 = Show duplicate rules

Download location: http://binisoft.org/download/wfc4setup.exe
SHA1: f1d43e140e1ee8f6dcf24e4378a2422535a846de
SHA256: ef8f9c9904452db1edf7bb76597be364bd9b27d1275dae084c837bdd8a2efbb4

- The search for duplicate rules is made on the following columns: Program, Location, Action, Direction, Local addresses, Local ports, Remote ports, Remote addresses, Protocol, Service, Edge traversal, ICMP settings, Interface types. The following columns are not taken into consideration during the search: Name, Group, Description, Enabled. The results contain only the rules for which at least two similar rules were found.

- I tried to group the duplicated rules results in a more user friendly way. Unfortunately, even if the user interface looked pretty good, the grouping on the data grid was very very slow and the entire experience was extremely poor. I will look for an alternative way in the future. Currently they are displayed by groups but the grouping has no visual expression.

Best regards,
Alexandru

 

As usual you were right. It was Secure rules that had caused the problem. User error! Uninstalled and reinstalled now everything is as it should be.

Damn, now I have to start from scratch.

Thanks Alexandrud,
Robert

 

Spanish manual user the latest version, does not start with F1 key or icon in WFC.Checked same file in version 4.8.3.0 and works well.

English user manual if it works in both versiones.¿Possible problem file size?

Spanish = 1.51 mb
English = 9.48 kb

regards

 

German language translation for newest WFC update v4.8.4.0 is done, sent to Binisoft.org and should be ready very soon!

 

The user manual is still under development and is still changing. Version 4.8.3.0 just launched an external process with the chm file, while version 4.8.4.0 is able to launch the help file inside WFC on specific topic depending on where the user presses F1 key. These topics have some IDs which were reassigned in the last version of the user manual. Because the user manual part is something new in WFC, these IDs will probably change again in the future until I have a definitive structure.

 

I couldn't turn on network discovery and advanced file sharing options, and luckily the above posts explained it. I have secure rules on; I had to reinstall and select "Import group names from current existing rules". When I uninstalled I selected "Restore to the state before installing this program". This is great.

While doing this, I thought it would be nice to actually see the list of group names from current existing rules. Maybe like the pic below. Thanks again for the wonderful WFC.

 

This approach uses too much space and does not have a way to enter something new. You can add only the existing entries. I guess this will remain as it is now.

Meanwhile I managed to define a visual style to group the duplicate rules and the results looks like this. This works pretty fast and will be included in the next version.

 

Alexandrud, how exactly does this Secure rules work. The help file is not very informative to me. If I select it and highlight WFC only the rules in current WFC group are imported and Secured and all the rest are either deleted or disabled correct? How does one create a Group with ALL the current rules secured? Your not saying that I have to go to All Rules and No Filter and manually Add to Group>WFC? Not sure how Secure rules work.

Thanks,
Robert

 

@alexandrud

Can we have someting like this in WFC?
http://www.nirsoft.net/utils/wireless_network_watcher.html

 

@alexandrud
Liking these new enhancements, thanks so much

 

When you enable the Secure Rules, only the rules (Rules Panel) which have the group name (Group column) set with one of the defined authorized groups names (Security tab) will be considered authorized. All other rules will be deleted or disabled. If you want to have just one group name for all rules, let's say "MyGroup", you have to define "MyGroup" as an authorized group in the Security tab and then add your rules in this group from Rules Panel. In the Add to group list you won't see "MyGroup" unless you have at least one rule in this group. So, modify one rule and set the group to "MyGroup" and then you can add all of your rules to this group. I hope this helps.

No.

 

Off-topic
Also take a look to this nice utility:
https://www.softperfect.com/products/wifiguard/

 

I got it. However, if I make a group called Authorized rules and add 1 rule to it then add the rest of the rules that are automatically created by Windows Firewall, I have to ignore WFC created rules. Otherwise, in the Rules panel>(Display) All rules>(Filtered) User created rules nothing will show as ALL rules will be in the Authorized rules group. I do not want to see all the rules (no filter) but only the rules I have created; the list is to long.

So I guess I have to do this on a per rule basis unless some are bunched together then I can just scroll to highlight then add them to the Authorized rules group.

If WFC pops up, wil that newly created rule be in the WFC group and not the Authorized rules group?

Wait a minute, if I enable Secure rules and put ONLY the default Windows Firewall rules into the Authorized rules group, then the rules created by me (WFC group) will either be deleted or disabled as only the Authorized rules group will be active. Correct?

If this is true, then I am stuck between using Secure rules and having everything (Windows Firewall and WFC rules) in that group and not being able to use the Filter to User defined rules OR not engaging the Secure rules option at all. Am I able to have more than 1 group active at the same time?

Thanks,
Robert