Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    37
    Location:
    Germany
    Yes, it works, no problem, and when I turn ON the High Filtering profile, I see two new rules in WFwAS.
    Some time ago it also worked from the command line, and then I decided that the Windows updates broke something.
     
  2. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    9
    Location:
    Greece
    I've been using the Comodo standalone firewall for the last decade. On my wife's laptop I use WFC. Love them both (not my wife, Comodo and WFC).

    I have a problem with Comodo and I would like to ask if WFC behaves differently. Lately I get generic OUTGOING alerts about Windows Operating System trying to access the Internet. And I can't tell what exactly happens, if it is really Windows (10) or some other software using Windows to connect. Comodo says that sometimes it is impossible to know what exactly is asking for Internet access.

    Is WFC different? Will I be able to know what software or dll or whatever is trying to get Internet access?

    Thanks
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,425
    Location:
    Romania
    If the operating system tries to connect to the Internet, you will get notified that svchost.exe is trying to connect to the Internet. Since every Microsoft Windows service is using svchost.exe to connect to the network/Internet, you can't be sure which service is requesting the communication. Also, these communications are encrypted, so even if you find out which Windows service wanted network access, you can't really find out why. If you are using Windows 10, taking into consideration the telemetry, connection attempts from the operating system should not be something unseen until now. In your case, probably the operating system wants to connect. If other software (malware) tries this, then your antivirus should say something.
     
  4. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    9
    Location:
    Greece
    @alexandrud

    svchost.exe and telemetry.exe are recognized all right. Windows Operating System is something else, hidden. I'm using Windows 10, 64 bit Pro. I have no malware or anything. Probably some application is trying to hide. To phone home?

     


  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,425
    Location:
    Romania
    I don't know the meaning of "Windows Operating System" in the context of Comodo software. Maybe it is the same as "System" from Windows Firewall?
     
  6. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    9
    Location:
    Greece
    No, because System has a predefined rule set in Comodo. Comodo said that Windows OS is something they can't recognize.

    See my thread:

    https://forums.comodo.com/firewall-...ows-operating-system-t115826.0.html;topicseen
     
  7. bORN2BWILD

    bORN2BWILD Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    9
    Location:
    Greece
    Anyway, I guess I must try WFC myself to see what happens ....
     
  8. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    895
    Location:
    Computer Chair
    Comodo did not block windows update and the windows store for me when I tried it. I did not attempt to block them but did not allow any requests other than my attempts to use my apps/programs. It never once asked me for the things required for win update or store and they worked.

    With WFC, the second I opened the store it asked me for two different requests for access, svchost and runtimebroker. svchost for windows update and both for the win 10 store. This is why I love WFC over all the other firewalls (I have tried 99% of them). It only allows what I want it to allow. Hope this helps.
     
  9. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
    If you have Comodo Firewall in safe mode, it will automatically allow any outgoing request from trusted apps. If you wanna get alerts you have to switch to custom ruleset mode.
    Nevertheless, if you set up a rule to block for example Windows Store, it will block any outgoing connections even in safe mode
     
  10. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    895
    Location:
    Computer Chair
    It has been a while since I tried Comodo. I think it was 3-4 firewalls ago. I was using ZoneAlarm right before WFC. My god what a resource hog... Thank goodness for WFC.
     
  11. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)

    Windows 10 Home x64 v1709 OS Build 16299.19

    Please read the above Quotes word for word first!


    The Windows Firewall Control rule for Windows Update should not be labeled "Windows Update" because svchost.exe is not bound to any of the REQUIRED Windows Update Services or bound to any of the REQUIRED Windows Update program executables at all in this rule. The rule is only bound to svchost.exe, and only binding svchost.exe to TCP:80 and TCP:443 outbound only. ANY call to svchost.exe from ANY source requesting outbound to TCP:80 and/or TCP:443 will not be restricted. This rule violates the Windows 10 service-hardening rules.

    The program svchost.exe in this rule exists free reign OUTBOUND to TCP:80 and/or TCP:443 for ANY Application or ANY Service that calls svchost.exe requesting outbound to TCP:80 and/or TCP:443, leaving TCP:80 and TCP:443 wide open, thus contradicting the built-in Windows service-hardening rules for the "Host Process for Windows Services" (svchost.exe).


    Now, the Windows Firewall Control rule for the Windows Time Service (W32Time) is correct, and restricts svchost.exe to the W32Time Service and restricts communications outbound to only UDP:123 because svchost.exe is BOUND to the W32Time Service and BOUND to UDP:123 outbound only. That of which is the internal Windows default rule in the service-hardening rules for svchost.exe when svchost.exe is conjoined with the W32Time Service. As a result, ALL other requests are dropped within this particular rule that do not match [svchost.exe with W32Time Service with UDP:123 outbound] as one communication process.

    Microsoft Corporation is not going to allow serviced clients the binding of svchost.exe to the Windows Update Service along with the binding of the required related services and programs for Windows Update to work when Windows Defender Firewall is configured to block all outbound connections, because Microsoft PROGRAMMED ALL outbound connections through svchost.exe to conform to the built-in service-hardening rules for (svchost.exe) in order to enforce security and reliability during update communications and to further allow Windows 10 to properly and securely service the said device, now, and over time [1][2].

    The service-hardening rules will open the port/s upon request as needed and drop (block) any unrelated requests that do not satisfy the policy rule, then close the port/s.


    The Microsoft Windows 10 Operating System is slowly but surely evolving into a "cloud service" operating system, as intended by Microsoft. (Microsoft Windows 10 Operating "Service")

    Blocking svchost.exe communications or tampering with svchost.exe communications may breach the Operating Service security and/or impede the Operating Service functionality by conflicting with, thus violating, the Windows 10 service-hardening rules.

    Heed the warning given to the user when modifying or creating firewall rules involving svchost.exe in the Microsoft Windows Defender Firewall.


    Binisoft Windows Firewall Control is great, and a very useful front end for the built-in Microsoft Windows Defender Firewall. However, the Microsoft Windows 10 Operating "Service" (System) and Windows Defender Security run best and secure best at the DEFAULT SETTINGS.


    My personal Microsoft Windows Defender Firewall setup with Binisoft Windows Firewall Control: ALLOW ALL Outbound and BLOCK ALL Inbound (Low Filtering). There exists NO RULES in both Outbound or Inbound and there are no problems with Windows and no errors recorded in the Event Viewer.

    [1] Windows 10 is NOT spying on you (us). Those automated outbound connections, some of which are aggregate and some of which include personally identifiable information, exist and are executed to improve the Windows 10 Operating "Service" and to configure Windows 10 to operate and function harmoniously in regards to each individual's use of, interaction with, and configuration of the said device and the Windows 10 Operating "Service", rendering a more "personal Windows 10 experience". In other words, over time the installed Microsoft Windows 10 Operating "Service" will transition its settings to comply with the user's preferences. It's called "Machine Learning", a learning algorithm called "Artificial Neural Network" (ANN), usually called "neural network" (NN), a branch of "Artificial Intelligence" (AI).

    [2] All that one needs to do is invest a little time and parse through the Windows 10 Settings and disable or enable the desired settings, it's all there for the paranoids, in Settings.....then relax! Enjoy Windows 10! Set it up and give it some time. Windows 10 is your personal "service", learning from and responding to your input. Over time, the installed Microsoft Windows 10 Operating "Service" will transform your device/computer into your very own unique and personal unit.



    -HKEY1952
     
  12. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    37
    Location:
    Germany
    Hm, this is absolutely wrong. I have a lot of rules for outbound connections, and I have no problems with running Windows 10.
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,425
    Location:
    Romania
    I missed the point of your very large post.
    1. In Windows 7 you can add the Windows Update service (wuauserv) in the Service property of a svchost.exe rule and it will work. I agree with you. But, on Windows 8, Windows 10, this does not work anymore. Just try for yourself and you will see that Windows Update will not work with such a "service-hardening rule". For this reason, svchost.exe must be entirely allowed when Windows Update checks/downloads new updates.
    2. If you do not enable outbound filtering in Windows Firewall, then all programs can connect at their will. What is the purpose of a software firewall if any connection would be allowed? Your recommendation is just BAD. Indeed, with outbound filtering disabled any existing outbound allow rules are not required since the connections are allowed by default.
    Again, I missed the point that you are trying to make.
     
  14. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
    I'm on Windows 10 FCU and I set WF to block both IN and OUT connections.
    Then I set up exclusions as mentioned here: http://hardenwindows10forsecurity.com/
    So, basically, I enabled:
    • Program svchost.exe UDP OUT on port 53
    • Program svchost.exe TCP OUT on ports 80 and 443
    • Program svchost.exe and service wuauserv any protocol OUT on any port
    Everything is working fine, including Windows Update
     
  15. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    37
    Location:
    Germany
    In your case, the third rule makes rules 1 and 2 unnecessary, since they completely overlap. The third rule needs to be removed.
     
  16. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
    From what I understand, the third rule applies only to svchost when related with the wuauserv service, while the 1st and 2nd rules apply to svchost, no matter what service is using it (thus including wuauserv).
    The 3rd rule overlaps the 1st and 2nd only when wuauserv is involved.
    So:
    • svchost + wuauserv: any OUT is allowed
    • svchost + any: only UDP OUT on 53 and TCP OUT on 80 and 443 are allowed
     
  17. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    37
    Location:
    Germany
    Please show a screenshot of editing this rule.

    At a minimum, if the update does not work without rule #3, then it should be ON for the update check period only.
     
    Last edited: Nov 13, 2017
  18. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
    Here

    Immagine.jpg
     
  19. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    37
    Location:
    Germany
    To imuade
    Let's wait for explanations from alexandrud.
     
  20. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
    OK :)

    So, just to complete my overview, when I set rules No. 1 and 2 I kept "all programs and services" under Services --> settings

    Like that svchost can connect only to ports 53 (UDP) and 80, 443 (TCP) unless it's running the wuauserv service (and in this case it gets full outbound connectivity)
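
To check on a given machine how svchost.exe rules like the three discussed above are actually scoped, the following added example (not part of any post in this thread) lists every enabled outbound allow rule for svchost.exe with its service, protocol and remote port. It uses only the built-in NetSecurity cmdlets; the variable and column names are this example's own.

```powershell
# Added example: audit enabled outbound allow rules that target svchost.exe
# and show whether each one is scoped to a single service.
# Run from an elevated PowerShell session.

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

$report = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter

        # Program paths are often stored with environment variables
        # (%SystemRoot%\...), so expand them before comparing.
        $program = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
        if ($program -ine $svchost) { return }   # skip rules for other programs

        $svc  = $rule | Get-NetFirewallServiceFilter
        $port = $rule | Get-NetFirewallPortFilter

        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Service       = $svc.Service              # short service name, or 'Any'
            Protocol      = $port.Protocol
            RemotePort    = ($port.RemotePort -join ',')
            # 'Any' means the rule matches every service hosted in svchost.exe
            ServiceScoped = ($svc.Service -ne 'Any')
        }
    }

# Rules that are not scoped to a service are listed first.
$report | Sort-Object ServiceScoped, DisplayName | Format-Table -AutoSize
```

A rule that shows `Service = Any` applies to every service hosted in svchost.exe, which is the case for rules left at "all programs and services"; a rule that shows a service name such as `wuauserv` is bound to that service only.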

     
  21. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
    Maybe @Umbra can shed some light :)
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    I don't use the 3rd one, and WU works fine.
     
  23. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Sir, the point is this:

    What one must arrive to understand is that the Microsoft Windows 10 service-hardening rules govern the Microsoft Windows Defender Firewall for both Outbound and Inbound connections regardless of any firewall rules that may exist. Microsoft owns Ring 0 of the firewall. Ring 0 is governed by the service-hardening rules. Any firewall rule created or modified by the end user service client that violates the "service-hardening rules" will be warned with a firewall alert message within the firewall rule. Heed that warning, unless one knows exactly and precisely what they are doing.

    As an example: Allowing svchost.exe Full Unrestricted Outbound. That rule violates the Microsoft Windows 10 service-hardening rules. Now of course the rule is going to work, however, because of the service-hardening rule violation the security of the Microsoft Windows 10 Operating "Service" (System) has now been configured to a possible security breach state. Any source from within calling svchost.exe for outbound access exists unrestricted access Out. That's BAD. [please read the entire sentence in #1 of quote]


    The default setting for the Microsoft Windows Defender Firewall Control Panel is to ALLOW ALL OUTBOUND and BLOCK ALL INBOUND.
    The default setting for the Microsoft Windows Defender Firewall Rule Base exists NO OUTBOUND BLOCK RULES.
    The default setting for the Microsoft Windows Defender Firewall Rule Base exists a select list of Microsoft Predefined Rules that are set to ALLOW OUTBOUND.
    [for the above three, please read the last sentence in #2 of quote]

    Now did you notice, that when you set the Windows Defender Firewall to allow all outbound, and you create an outbound allow rule, the created outbound allow rule does not show in the Windows Defender Firewall Monitoring Tab. Why? Because the firewall is allowing all outbound and Ring 0 is going to ignore that rule, and will continue to ignore that rule unless the firewall is set to block all outbound, or the rule itself is set to block if the firewall is set to allow all outbound.

    Now did you notice, that when you set the Windows Defender Firewall to allow all outbound, all of the Microsoft predefined outbound allow rules show in the Windows Defender Firewall Monitoring Tab. Why? Because Ring 0 is monitoring those Microsoft predefined rules, and will continue monitoring those Microsoft predefined rules regardless if the firewall is set to allow all outbound or block all outbound, or the rule itself is set to allow or block. The same also applies to the Microsoft predefined inbound rules.

    Now, among all of those Microsoft predefined outbound and inbound rules, each and every one of those Microsoft predefined outbound and inbound rules can be programmed by the end user service client to become "orphaned" by enabling or disabling the respective security settings within the Windows Settings and/or by disabling the respective service that is bound to the rule located in the Microsoft Management Console and/or Group Policy Editor and/or by removing the application package that is bound to the rule by utilizing PowerShell commands (get-appxpackage | remove-appxpackage) and/or by modifying a registry key/s and/or by clicking on 'disable rule'. Thus resulting in that the Microsoft predefined outbound and inbound rule/s are now "orphaned" and will be ignored by Ring 0 and the service-hardening rules because the source for the predefined rule is no longer available.

    With that, why do that? It defeats the purpose of built-in security!


    So, what is left to allow or block when the Microsoft Windows Defender Firewall Control Panel is set to allow all outbound and block all inbound?.....The answer is NOTHING.

    We are not going to block CCleaner, we are not going to block Windows Updates, we are not going to block Browsers, we are not going to block.....etc.


    Listen, the Microsoft developers, especially the top level developers that control groups of developers, are not your everyday ordinary people. These people are highly intelligent and skilled developers. I express to you now.....use the Default Settings in the Microsoft Windows Defender Firewall, and study Post #3611.

    Please continue using the Binisoft Windows Firewall Control, it is a great front end for the Microsoft Windows Defender Firewall and the logging is superb.


    EDIT: clarity/simplicity



    -HKEY1952
     
    Last edited: Nov 14, 2017
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    No way for me to let Windows Firewall on "Allow All Outbound" if I don't use a 3rd party firewall or something blocking maliciously created rules...
     
  25. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
    So, the rules I set should be fine, since they ALLOW OUTBOUND to TCP 80 and 443 for ANY Application or ANY Service that calls svchost.exe.
    Plus, when svchost.exe is bound to wuauserv service, then ANY OUTBOUND to ANY port (thus including TCP 80 and 443) is allowed.

    I noticed that you get the same warning about svchost.exe on Windows 7 too, so I don't think it's related with Windows 10
     