Windows Firewall Control (WFC) by BiniSoft.org

Hi,

Why are you not code-signing your setup executable files? A code signing certificate costs around $150 ... 3-4 customers should easily pay for the certificate costs.

Also... why post a MD5 checksum when there are high-end tools available for generating collisions by padding the file with inverse-algorithm bytes. Could you at least publish the SHA1 or preferably SHA256 hash?

Btw, it's a nice tool. You should consider adding a WinRT / Modern UI version and publish your application into the Windows Store. It would be great to be able to use this on the new "Windows 10 S"

Thanks.
-MessageBoxA

 

Could you name some please?

 

Option A) preferred as it's less messy, Use RunAsTrustedInstaller then issue the commands needed inside the cmd prompt running as SYSTEM
Option B) use regedit to take ownership of the service keys in question then issue the commands (optionally then restore original rights.)

In my quick test on a Win7 VM I found around 20 services to change from none, a bit surprising. Might be more on Win8/10
Here's a .bat I created for this test

Code:

@ECHO OFF
rem svchost
sc sidtype AELookupSvc unrestricted
sc sidtype Appinfo unrestricted
sc sidtype AppMgmt unrestricted
sc sidtype Browser unrestricted
sc sidtype gpsvc unrestricted
sc sidtype ProfSvc unrestricted
sc sidtype seclogon unrestricted
sc sidtype SysMain unrestricted
sc sidtype Themes unrestricted
sc sidtype WbioSrvc unrestricted
rem .NET
sc sidtype aspnet_state unrestricted
sc sidtype clr_optimization_v2.0.50727_32 unrestricted
sc sidtype clr_optimization_v2.0.50727_64 unrestricted
sc sidtype clr_optimization_v4.0.30319_32 unrestricted
sc sidtype clr_optimization_v4.0.30319_64 unrestricted
rem Legacy
sc sidtype RpcLocator unrestricted

UPDATE:
Removed the lsass group changes after I noticing they caused some issues. Still checking into the others but after seeing the lsass event log errors I am now wondering if changing the svchost ones also cause issues unless you've separated instances like I have in that VM. More info on splitting them here
All in all while this method allows you to change them it doesn't appear to be something you'll want to do for everything on a live system all at once. More testing will be required.

 

Good work syrinx! I didn't know there was such a tool as runastrustedinstaller, nice!
Did you have a way to test if a firewall rule made this way is for sure active?

 

I got a weird issue; I don't know what happened but I didn't make any changed to my system and out of the blue I started receiving "the windows firewall control service could not be found" errors. Tried reinstalling and the same issue then I uninstalled from the method given in faq.

 

When do you see this error and where ? Have you checked in your installation folder if both files wfc.exe and wfcs.exe are there ? Maybe your antivirus removes wfcs.exe because it detects it as a false positive ?

 

Windows Firewall Control v.4.9.9.1

Change log:
- New: Nothing changed. I just increased the version from 4.9.9.0 to 4.9.9.1 just to prove how poor are many antivirus detection systems that detect wfcs.exe as a false positive.

Download location: https://binisoft.org/download/wfc4setup.exe
SHA1: d142012f1ed42ab9e7ff3f0be85374357de286ec
SHA256: 93b454aad068257a57b9b779613fd19e278eec833a99120062c2fda83837c010
VirusTotal:

wfc4setup.exe
https://www.virustotal.com/en/file/93b454aad068257a57b9b779613fd19e278eec833a99120062c2fda83837c010/analysis

wfc.exe
https://www.virustotal.com/en/file/0ac26a08968e0e6d97a479645f7ce909c13d04fad649a2687c68d091fe40a27a/analysis

wfcs.exe
https://www.virustotal.com/en/file/26f86bbaef341ceb7e51063a128d97a5fcde9613080a96635ecc0fef2214fa2a/analysis

Below is the VirusTotal report for WFC service from version 4.9.9.0 released a week ago, which is detected as Trojan.Generic... by multiple antivirus vendors:
https://www.virustotal.com/en/file/...52cb59f9dbc00f1d35f072fa2c7a6ab9c8c/analysis/

I just changed the version from 4.9.9.0 to 4.9.9.1 and then recompiled the software. Now the false positive is gone and with the same virus definition versions, WFC service is not detected anymore. This makes me wonder how these antivirus engines work ? The code is the same, so how they decide a program is a threat or not ? It just doesn't make sense. And has nothing to do with the fact that WFC is not digitally signed.

I made this experiment because I have received tens of emails in the past week which describe the same problem. Kaspersky and other antivirus vendors were detecting WFC service as Trojan.Generic and removed wfcs.exe from their machines.

Please report any false positives to your antivirus vendors. Thank you for your support.

Best regards,
Alexandru

P.S.: If you have problems reinstalling WFC, after your antivirus removes wfcs.exe, please read below:
https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-126#post-2674385

 

Zemana allowed it this time with no interruption.

 

I had the same problem after testing Bitdefender. It caused a lot of problems. Bitdefender made thousands of temporary files to Windows/Temp filling my hard drive. Not sure if it was fighting with WFC. Also, it alerted that those temp files were Trojans SMIL.crypt2. and started deleting those.

I removed Bitdefender that was a bit of pain too. After that, I noticed the same error with WFC. I had to use Revo Uninstaller to remove everything from WFC and then reinstall. Now it works again.

 

Most security vendors are using a score to statistically determine the likelihood that your application is malware.

1.) If you purchase a code-signing certificate this should significantly reduce the score.
2.) Avoid using a packer... these always increase the probabilistic score.

For what its worth... https://virusscan.jotti.org/ does not flag your executable.

 

I've switched to defender again. BF really seems to cause more problems than it solves.

 

1) Based on this model, any new software that gets out on the Internet should be flagged as malware since new programs do not have a history and there is no score for them. This means also that new malware will be automatically flagged as a threat. Then how can we explain the that fact that many malware do a lot of harm before they are recognized by antivirus vendors. Do they have a better score than WFC which is on the market since 2010 ?
2) WFC is not packed or obfuscated. It can be easily decompiled and the source can be easily read. This should help antivirus vendors to not detect WFC as a threat since the code is not hidden. However, this helps keygen creators to make their keygens faster.

 

Could someone help, I don't seem to be able to create an inbound rule that works.

I'm wanting to create a rule to allow inbound on one port for my torrent program, Deluge. When I look at the blocked inbound connections I see Deluge has been blocked, so I click on 'Customize and create' It shows as 'remote address' my LAN ip address, which I leave as 'custom, same for the port I want to leave open.The others I set allow 'Any'.

I create the rule, refresh the connections log I see inbound to Deluge is still blocked. If I look in the 'recently allowed' log I do see one or two instances were allowed, but in the 'recently blocked' there are many, many instances.

Thinking I may have got mixed up with local and remote sources, I delete the rule and create a new one as a temporary fix to see where I'm going wrong that allows all ports and all address, for both local and remote, for Deluge. Still I see Deluge inbound blocked. In the rules list there isn't other inbound rule for Deluge, except the ones I'm creating.

I've gone through this so many times trying some different combinations, but whatever rule I create I can't stop Deluge inbound showing as blocked in the connections list. I know I must be missing something fundamental and simple, but I'm stuck.

What am I doing wrong?

 

@srb10
The hardware firewall within the router?
Iirc, there's need to open ports there too, well, one port for the matter.

 

Just had the same problem with Bitdefender.
Well, it actually started two days ago.
I un-installed both WFC and Bitdefender, reinstalled both and was ok.
Until today when I see Bitdefender has deleted wfcs.exe

Bitdefender support said I should white-list the folder wfcs.exe was in.
Didn't help.
Installation of 4.9.9.1 says it could not copy the file(s) to folder.

Aarrgh.

Edit Even switching off On-access scanning and Active Threat control did not help.

 

These AV companies should white list established softwares automatically.

 

It started again. Now, after two days of being quiet, WFC service is now detected as a threat. The same clean code, two different threats.

WFC service 4.9.9.1 is now detected as Gen:Variant.Razy:

WFC service 4.9.9.0 is detected as Trojan.GenericKD:

~virus total results removed as per Wilders policy
https://www.wilderssecurity.com/threads/policy-regarding-the-posting-of-jotti-virus-total-results.180057/
Unfortunately, I can't change WFC code because it really needs access to kernel32.dll, advapi32.dll, etc., and without this access, WFC can't do it's job. Most probably, malware developers call similar methods from Windows assemblies (kernel32.dll) and this is why WFC service is detected as a threat. Anyway, this is a false positive. Actually, WFC service code is mostly the same as it was two years ago.

Please report false positives to your antivirus vendors.

Thank you.

 

I'm referring to windows firewall The port is open in the router, wfc shows windows firewall is blocking inbound connection even though I have created a rule to allow. Using registered wfc 4.9.9.1

 

Totally agree, this was a contributing factor to me migrating to a totally Sig-free security config, far less headaches lol
Loving your red letter sig there Clubhouse +1

 

Most security vendors do something very similar. The score for signed executables is greatly reduced. If this guy would sign his installer the problem would most likely go away.

The code signing process involves purchasing a certificate... you have to give all your personal information over to the certificate authority. They will then do a simple background check on you and if you pass... give you a code signing certificate. If you have criminal convictions or other negative criteria and fail the background check... no code-signing certificate for you.

Code signing protects everyone... the customers are ensured that the installer has not been modified and created by a developer that can be trusted. It also protects the developer... installers that have been signed cannot have malware attached to them.

-MessageBoxA

 

There are some certificate authorities that offer a $69 per year code-signing certificate.

There are several other factors at play here:
Some certificate authorities may be 'more-trusted' than others. This is due to the increased vetting and background check process.
'Country of Origin' of the software publisher also has an impact. From a third-world country? You may have a difficult time obtaining a code-signing certificate.

-MessageBoxA

 

For inbound access, rules with ANY protocol don't work. You must create 2 inbound rules, one for UDP protocol and one for TCP protocol. The same applies to uTorrent.

 

1. Only a few certificate authorities sell code signing certificates for individuals.
2. There is no criminal conviction check since a certificate authority is not the Interpol and they can't check your criminal record in all the countries over the world.
3. Installers that have been signed can contain malware. This is not something common, that a digital signature with a stolen identity, can contain malware.

However, a code certificate from a respectable certificate authority doesn't cost only 69 USD per year. Only Comodo offers such low prices but their system to prove your identity is very stupid and impossible to pass if you are not listed in an online businesses database.

Two months ago I wanted to buy a digital certificate from DigiCert and after I sent them a copy of my identity card, a copy of my telephone bill, a copy with my bank account details, they still needed an International Attestation Letter (which they sent me) legalized at a notary so that they can be sure that I am the one that I said I am. The problem was that this document was in English and notaries that I asked will not legalize any document that is not in Romanian. They are not allowed to legalize documents that are in other languages (and this makes sense). So, I have to translate this document from English to Romanian (pay the translator), then legalize the Romanian document (pay the notary), then translate it again into English (then pay again the translator) and send it back to DigiCert (pay them the certificate). All of these documents cost me 200$ + 223$ the cost of the certificate. I also have the website, so + 15$ the domain name + 170$ the website hosting. As you can see, this is already 620$/year. So, the whole deal is not just 69$.

I will give it a try again, in the next weeks to see how I can get a code signing certificate to sign WFC. If WFC will still receive false positives, I just lost 423$

I know that a digital signature can help, but is not that easy as it sounds.

 

Thank you so much. I was about to post about my ad blocker named Ad Muncher showing stuff blocked inbound on 127.0.0.1 with a rule made with ANY. So now I will make one for TCP and monitor if it asks for UDP.

 

@alexandrud How about something like a tipjar for the signing costs on the homepage ( x dollar reviced from yyy needed). If it matches the needed amount = the users a willing to pay for a certificate. If It doesnt't matches the amout by far the useres are only crying*duck*. Excuse the english but i think the idea is clear