Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Hi,

    Why are you not code-signing your setup executable files? A code signing certificate costs around $150 ... 3-4 customers should easily pay for the certificate costs.

    Also... why post a MD5 checksum when there are high-end tools available for generating collisions by padding the file with inverse-algorithm bytes. Could you at least publish the SHA1 or preferably SHA256 hash?

    Btw, it's a nice tool. You should consider adding a WinRT / Modern UI version and publish your application into the Windows Store. It would be great to be able to use this on the new "Windows 10 S"

    Thanks.
    -MessageBoxA
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Could you name some please?
     
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Option A) preferred as it's less messy, Use RunAsTrustedInstaller then issue the commands needed inside the cmd prompt running as SYSTEM
    Option B) use regedit to take ownership of the service keys in question then issue the commands (optionally then restore original rights.)

    In my quick test on a Win7 VM I found around 20 services to change from none, a bit surprising. Might be more on Win8/10
    Here's a .bat I created for this test
    Code:
    @ECHO OFF
    rem svchost
    sc sidtype AELookupSvc unrestricted
    sc sidtype Appinfo unrestricted
    sc sidtype AppMgmt unrestricted
    sc sidtype Browser unrestricted
    sc sidtype gpsvc unrestricted
    sc sidtype ProfSvc unrestricted
    sc sidtype seclogon unrestricted
    sc sidtype SysMain unrestricted
    sc sidtype Themes unrestricted
    sc sidtype WbioSrvc unrestricted
    rem .NET
    sc sidtype aspnet_state unrestricted
    sc sidtype clr_optimization_v2.0.50727_32 unrestricted
    sc sidtype clr_optimization_v2.0.50727_64 unrestricted
    sc sidtype clr_optimization_v4.0.30319_32 unrestricted
    sc sidtype clr_optimization_v4.0.30319_64 unrestricted
    rem Legacy
    sc sidtype RpcLocator unrestricted
    
    UPDATE:
    Removed the lsass group changes after I noticing they caused some issues. Still checking into the others but after seeing the lsass event log errors I am now wondering if changing the svchost ones also cause issues unless you've separated instances like I have in that VM. More info on splitting them here
    All in all while this method allows you to change them it doesn't appear to be something you'll want to do for everything on a live system all at once. More testing will be required.
     
    Last edited: Jun 28, 2017
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Good work syrinx! I didn't know there was such a tool as runastrustedinstaller, nice!
    Did you have a way to test if a firewall rule made this way is for sure active?
     
  5. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    138
    I got a weird issue; I don't know what happened but I didn't make any changed to my system and out of the blue I started receiving "the windows firewall control service could not be found" errors. Tried reinstalling and the same issue then I uninstalled from the method given in faq.
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,165
    Location:
    Romania
    When do you see this error and where ? Have you checked in your installation folder if both files wfc.exe and wfcs.exe are there ? Maybe your antivirus removes wfcs.exe because it detects it as a false positive ?
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,165
    Location:
    Romania
    Windows Firewall Control v.4.9.9.1

    Change log:
    - New: Nothing changed. I just increased the version from 4.9.9.0 to 4.9.9.1 just to prove how poor are many antivirus detection systems that detect wfcs.exe as a false positive.

    Download location: https://binisoft.org/download/wfc4setup.exe
    SHA1: d142012f1ed42ab9e7ff3f0be85374357de286ec
    SHA256: 93b454aad068257a57b9b779613fd19e278eec833a99120062c2fda83837c010
    VirusTotal:

    wfc4setup.exe

    https://www.virustotal.com/en/file/93b454aad068257a57b9b779613fd19e278eec833a99120062c2fda83837c010/analysis

    wfc.exe
    https://www.virustotal.com/en/file/0ac26a08968e0e6d97a479645f7ce909c13d04fad649a2687c68d091fe40a27a/analysis

    wfcs.exe

    https://www.virustotal.com/en/file/26f86bbaef341ceb7e51063a128d97a5fcde9613080a96635ecc0fef2214fa2a/analysis

    Below is the VirusTotal report for WFC service from version 4.9.9.0 released a week ago, which is detected as Trojan.Generic... by multiple antivirus vendors:
    https://www.virustotal.com/en/file/...52cb59f9dbc00f1d35f072fa2c7a6ab9c8c/analysis/

    I just changed the version from 4.9.9.0 to 4.9.9.1 and then recompiled the software. Now the false positive is gone and with the same virus definition versions, WFC service is not detected anymore. This makes me wonder how these antivirus engines work ? The code is the same, so how they decide a program is a threat or not ? It just doesn't make sense. And has nothing to do with the fact that WFC is not digitally signed.

    I made this experiment because I have received tens of emails in the past week which describe the same problem. Kaspersky and other antivirus vendors were detecting WFC service as Trojan.Generic and removed wfcs.exe from their machines.

    Please report any false positives to your antivirus vendors. Thank you for your support.

    Best regards,
    Alexandru

    P.S.: If you have problems reinstalling WFC, after your antivirus removes wfcs.exe, please read below:
    https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-126#post-2674385
     
    Last edited: Jun 29, 2017
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Zemana allowed it this time with no interruption.
     
  9. Locheed

    Locheed Registered Member

    Joined:
    Aug 6, 2013
    Posts:
    3
    Location:
    Finland
    I had the same problem after testing Bitdefender. It caused a lot of problems. Bitdefender made thousands of temporary files to Windows/Temp filling my hard drive. Not sure if it was fighting with WFC. Also, it alerted that those temp files were Trojans SMIL.crypt2. and started deleting those.

    I removed Bitdefender that was a bit of pain too. After that, I noticed the same error with WFC. I had to use Revo Uninstaller to remove everything from WFC and then reinstall. Now it works again.
     
  10. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Most security vendors are using a score to statistically determine the likelihood that your application is malware.

    1.) If you purchase a code-signing certificate this should significantly reduce the score.
    2.) Avoid using a packer... these always increase the probabilistic score.

    For what its worth... https://virusscan.jotti.org/ does not flag your executable.
     
    Last edited: Jun 29, 2017
  11. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    138
    I've switched to defender again. BF really seems to cause more problems than it solves.
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,165
    Location:
    Romania
    1) Based on this model, any new software that gets out on the Internet should be flagged as malware since new programs do not have a history and there is no score for them. This means also that new malware will be automatically flagged as a threat. Then how can we explain the that fact that many malware do a lot of harm before they are recognized by antivirus vendors. Do they have a better score than WFC which is on the market since 2010 ?
    2) WFC is not packed or obfuscated. It can be easily decompiled and the source can be easily read. This should help antivirus vendors to not detect WFC as a threat since the code is not hidden. However, this helps keygen creators to make their keygens faster. :)
     
  13. srb10

    srb10 Registered Member

    Joined:
    Jun 30, 2017
    Posts:
    3
    Location:
    United Kingdom
    Could someone help, I don't seem to be able to create an inbound rule that works.

    I'm wanting to create a rule to allow inbound on one port for my torrent program, Deluge. When I look at the blocked inbound connections I see Deluge has been blocked, so I click on 'Customize and create' It shows as 'remote address' my LAN ip address, which I leave as 'custom, same for the port I want to leave open.The others I set allow 'Any'.

    I create the rule, refresh the connections log I see inbound to Deluge is still blocked. If I look in the 'recently allowed' log I do see one or two instances were allowed, but in the 'recently blocked' there are many, many instances.

    Thinking I may have got mixed up with local and remote sources, I delete the rule and create a new one as a temporary fix to see where I'm going wrong that allows all ports and all address, for both local and remote, for Deluge. Still I see Deluge inbound blocked. In the rules list there isn't other inbound rule for Deluge, except the ones I'm creating.

    I've gone through this so many times trying some different combinations, but whatever rule I create I can't stop Deluge inbound showing as blocked in the connections list. I know I must be missing something fundamental and simple, but I'm stuck.

    What am I doing wrong?
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    @srb10
    The hardware firewall within the router?
    Iirc, there's need to open ports there too, well, one port for the matter.
     
    Last edited: Jun 30, 2017
  15. blikksem

    blikksem Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    4
    Just had the same problem with Bitdefender.
    Well, it actually started two days ago.
    I un-installed both WFC and Bitdefender, reinstalled both and was ok.
    Until today when I see Bitdefender has deleted wfcs.exe

    Bitdefender support said I should white-list the folder wfcs.exe was in.
    Didn't help.
    Installation of 4.9.9.1 says it could not copy the file(s) to folder.

    Aarrgh.

    Edit Even switching off On-access scanning and Active Threat control did not help.

     
  16. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    These AV companies should white list established softwares automatically.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,165
    Location:
    Romania
    It started again. Now, after two days of being quiet, WFC service is now detected as a threat. The same clean code, two different threats.

    WFC service 4.9.9.1 is now detected as Gen:Variant.Razy:

    WFC service 4.9.9.0 is detected as Trojan.GenericKD:

    ~virus total results removed as per Wilders policy
    https://www.wilderssecurity.com/threads/policy-regarding-the-posting-of-jotti-virus-total-results.180057/

    Unfortunately, I can't change WFC code because it really needs access to kernel32.dll, advapi32.dll, etc., and without this access, WFC can't do it's job. Most probably, malware developers call similar methods from Windows assemblies (kernel32.dll) and this is why WFC service is detected as a threat. Anyway, this is a false positive. Actually, WFC service code is mostly the same as it was two years ago.

    Please report false positives to your antivirus vendors.

    Thank you.
     
    Last edited by a moderator: Jul 1, 2017
  18. srb10

    srb10 Registered Member

    Joined:
    Jun 30, 2017
    Posts:
    3
    Location:
    United Kingdom
    I'm referring to windows firewall The port is open in the router, wfc shows windows firewall is blocking inbound connection even though I have created a rule to allow. Using registered wfc 4.9.9.1

    wfc1.JPG wfc2.JPG wfc3.JPG
     
    Last edited: Jul 1, 2017
  19. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Totally agree, this was a contributing factor to me migrating to a totally Sig-free security config, far less headaches lol
    Loving your red letter sig there Clubhouse +1 :thumb:
     
  20. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Most security vendors do something very similar. The score for signed executables is greatly reduced. If this guy would sign his installer the problem would most likely go away.

    The code signing process involves purchasing a certificate... you have to give all your personal information over to the certificate authority. They will then do a simple background check on you and if you pass... give you a code signing certificate. If you have criminal convictions or other negative criteria and fail the background check... no code-signing certificate for you.

    Code signing protects everyone... the customers are ensured that the installer has not been modified and created by a developer that can be trusted. It also protects the developer... installers that have been signed cannot have malware attached to them.

    -MessageBoxA
     
    Last edited: Jul 1, 2017
  21. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    There are some certificate authorities that offer a $69 per year code-signing certificate.

    There are several other factors at play here:
    Some certificate authorities may be 'more-trusted' than others. This is due to the increased vetting and background check process.
    'Country of Origin' of the software publisher also has an impact. From a third-world country? You may have a difficult time obtaining a code-signing certificate.

    -MessageBoxA
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,165
    Location:
    Romania
    For inbound access, rules with ANY protocol don't work. You must create 2 inbound rules, one for UDP protocol and one for TCP protocol. The same applies to uTorrent.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,165
    Location:
    Romania
    1. Only a few certificate authorities sell code signing certificates for individuals.
    2. There is no criminal conviction check since a certificate authority is not the Interpol and they can't check your criminal record in all the countries over the world.
    3. Installers that have been signed can contain malware. This is not something common, that a digital signature with a stolen identity, can contain malware.

    However, a code certificate from a respectable certificate authority doesn't cost only 69 USD per year. Only Comodo offers such low prices but their system to prove your identity is very stupid and impossible to pass if you are not listed in an online businesses database.

    Two months ago I wanted to buy a digital certificate from DigiCert and after I sent them a copy of my identity card, a copy of my telephone bill, a copy with my bank account details, they still needed an International Attestation Letter (which they sent me) legalized at a notary so that they can be sure that I am the one that I said I am. The problem was that this document was in English and notaries that I asked will not legalize any document that is not in Romanian. They are not allowed to legalize documents that are in other languages (and this makes sense). So, I have to translate this document from English to Romanian (pay the translator), then legalize the Romanian document (pay the notary), then translate it again into English (then pay again the translator) and send it back to DigiCert (pay them the certificate). All of these documents cost me 200$ + 223$ the cost of the certificate. I also have the website, so + 15$ the domain name + 170$ the website hosting. As you can see, this is already 620$/year. So, the whole deal is not just 69$.

    I will give it a try again, in the next weeks to see how I can get a code signing certificate to sign WFC. If WFC will still receive false positives, I just lost 423$ :)

    I know that a digital signature can help, but is not that easy as it sounds.
     
  24. Access Denied

    Access Denied Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    927
    Location:
    Computer Chair
    Thank you so much. I was about to post about my ad blocker named Ad Muncher showing stuff blocked inbound on 127.0.0.1 with a rule made with ANY. So now I will make one for TCP and monitor if it asks for UDP. :thumb:
     
  25. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    228
    @alexandrud How about something like a tipjar for the signing costs on the homepage ( x dollar reviced from yyy needed). If it matches the needed amount = the users a willing to pay for a certificate. If It doesnt't matches the amout by far the useres are only crying*duck*. Excuse the english but i think the idea is clear :D
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.