Windows Firewall Control (WFC) by BiniSoft.org

Thanks Umbra, I'll try that too and check if WU is working

 

[1] Norton SafeConnect Policy number 3 (199.85.126.30/199.85.127.30)
[2] Firewall Router
[3] Windows Defender Firewall set at Default settings
[4] Windows Defender Virus and Threat Protection set at Default settings
[5] Binisoft Windows Firewall Control set at Low Filtering

What maliciously created rules?
Oh! you must be referring to the locally created rule by the end user for svchost.exe that allows all outbound without any service or application package being bound to the rule that violates the Windows 10 service-hardening rules!

The end user is the only security threat to security breaches in Windows 10.


-HKEY1952

 

I think you mean Norton ConnectSafe.

 

I did.....Thanks Krusty

-HKEY1952

 

No, i meant a malware (say keylogger) undetected by Windows Defender (or whatever AV) creating an outbound rules to connect to the attacker machine. I saw it plenty of times.
It is why at Emsisoft we created a Windows Firewall Fortification module on our software, to prevent those attempts.

 

We are both off topic now, so if the moderators will allow.

Microsoft Windows Defender Virus and Threat Protection can detect SOME software keyloggers, but not all software keyloggers.

Microsoft Windows Defender Virus and Threat Protection can not detect HARDWARE keyloggers.

The likelihood of an hardware keylogger getting installed on an home users device without the users consent is well below nil.

The likelihood of an software keylogger getting installed on an home users device without the users consent is next to nil.

[1] Secure the DNS [posts #3628 & #3627] This is the most important first layer of defense. (please follow the link and read)
[2] User Account Control set at Default settings
[3] Automatic Windows Update and Security Enabled
[4] Use Binisoft Windows Firewall Control's superb Logging to lookup programs using network connections and instantly Block or create an outbound/inbound Block rule.

Aside from keyloggers
[5] Today 11/14/2017 Microsoft Automatic Updates updated the Microsoft Windows Malicious Software Removal Tool and Windows Defender Antivirus to detect and remove the Ransom:Win32/WannaCrypt (WannaCry).
https://www.microsoft.com/en-us/wds...edia-description?Name=Ransom:Win32/WannaCrypt

Besides automatically running monthly through Automatic Windows Updates, one can run the malicious software removal tool any ole time their little ole hearts desire by navigating to:
C:\Windows\System32\MRT.exe


Can not believe the marketing BS thrown at consumers for monetary gain.

All third party security vendors try to portray Microsoft as completely incompetent in regards to security.

Get real people, with the advent of Windows 10 third party security software is now on the threshold of next to nil.



-HKEY1952

 

first i wonder why you get so aggressive, did i touched a nerve?

Yes sure... tell that to the people who were infected by banking trojans and other ransomware like Wanacry, you will find plenty asking for help to remove them...
Sure, they shouldn't download or click on unknown executables or files, but will you blame them for their ignorance?

MS let obsolete features like SMBv1 active until millions get infected, they let Powershell installed on Home versions (when no one use it except ITs or Sysadmins) which is the n°1 interpreter used for exploits, they let people using Admin account as default account? come on...That is the real BS, not security vendors that deploy counter-measures that try to prevent those security holes to be exploited.
Luckily now, MS understood that they need to built stronger security mechanism in their latest OS, i approve them since they started in Win8, but a bit late isn't it...?

People in forums believe that all users have their knowledge and have safe habits...This isn't true.
You gave some advices (DNS, etc...), most average Joe won't even understand what you are saying, only those with some decent computing knowledge will...
I was a repair guy long time ago, and i can tell you most of my ex-customers didn't know more than just push the power button and click only on their software's icon button to launch them...
People in computing/security forums live in another world.

Anyway i gave my opinion, you are free to disagree, i won't go further.

 

I confirm this and agree with @alexandrud 100%. It works exactly as I would it expect it to in Win 7 but it definitely does not work on Win 10 (I can't confirm Win 8 but I expect the same issue as well).

In fact there was one svchost with PID 3180 where the Event Viewer Security logs reported it blocked to remote MS IP address, port 443, and even after I allowed the service under it to any remote address and remote port it was still showing blocked, and of course the update check still failed. In spite of some very long posts extolling the virtues of Microsoft's technical brilliance, they have, imho, failed miserably on the firewall w/advanced security since Win 7.

 

What is beyond my understanding is why different people with the same OS have different answers for the same question... maybe there's a difference among Windows 10 versions? I'm using the Home edition

 

Firewall in all editions of Windows 10 is the same. To get updates for Windows only rule #2 is enough, it works for me. But I still install updates only offline, having previously studied, what good or what portion of telemetry they will add to my system.

 

OK, thanks

 

My questions on this screenshot

Please help me, how do I have a screenshot in my message, and not a link to it?

 

The first group name is empty. It means it will clear the group name and set it to None. I will add a tooltip for that empty entry.

 

Thank you very much for you help! I got it now.

 

Totally forget to ask this question, and I'm still using an older version of WFC, but is it possible to assign names to an app in the connections log? For example, with SpeedFan you don't get to see anything in the name column.

http://www.almico.com/sfscreenshots.php

 

I think, that the application name in the connection logs is taken from the application name in the rules pane. The name can be entered or edited in the Properties (2xLMB)

 

What we have here is an failure to "communicake" as the Boss stated in the movie Cool Hand Luke starring Paul Newman. "cake" what an dude!

Again.....,
What one must arrive to understand is that the Microsoft Windows 10 service-hardening rules govern the Microsoft Windows Defender Firewall for both Outbound and Inbound connections regardless of any firewall rules that may exist.
Microsoft owns Ring 0 of the firewall. Ring 0 is governed by the service-hardening rules.

The NEW firewall rules for Windows Update NOW reside in Ring 0 and are not visible or accessible to/for the End User of the Operating Service, and exist 'explicit ruling'.

Which means that any end user defined rules for windows update require that the properties of the end user defined rules to exactly match the properties of the windows update rules in ring 0 to allow for windows update to work, and that can not be achieved because the properties for the windows update rules in ring 0 are not accessible to the end user. Also take note, that now, when windows defender firewall is set to block all outbound, some of the TCP:443 out are blocked and can not be re-configured to allow because of the explicit ruling.)

Microsoft has removed the PROGRAM 'wuauserv.exe' from %SystemRoot%\System32\ so that the PROGRAM svchost.exe can no longer be BOUND to the Windows Update SERVICE to create an firewall rule for Windows Update.

Setting the Windows Defender Firewall to Block All Outbound will NOW also result in that the service-hardening rules in Ring 0 for Windows Update will automatically BLOCK some TCP:443 Out, and Windows Update will fail.
Check the Binisoft Windows Firewall Control Logs for Blocked TCP:443 Out. (end user will not be able to create valid working rules here because the port/s are blocked in ring 0 with explicit rules)


What does all of this mean? It means that Microsoft is encouraging, some might argue and say forcing, the end user of the Microsoft Windows 10 Operating "Service" (system) to leave the Windows Defender Firewall at the DEFAULT SETTINGS for optimal security. (That's GOOD)

The default settings for Microsoft Windows Defender Firewall are: Allow All Outbound and Block All Inbound.


Note that failure to update Windows through Windows Updates for an prolonged period of time will result in that device being denied future updates from Microsoft.


Look, if one is that paranoid about allowing all outbound do this:
Choose new outbound rule
Choose Predefined
Choose Diag Track (for example)
Choose BLOCK (the default)
Result - "Connected User Experiences and Telemetry" are now blocked outbound for TCP:ALL for All programs and All application packages.

Repeat the above for any Predefined rule your little ole heart desires.
Microsoft has provided the end user with all of the necessary rules to block or allow in "Predefined Rules" for both In/Out for optimal security.

Microsoft Windows 10 is an set-it-and-forget-it Service.



-HKEY1952

 

So what is this connection that's happening

Happens around the same time, every day, for the last maybe 3-4 days it's been happening... This is new, I thought it might have been a glitch with it check for updates, but I don't have that setting checked.

https://i.imgur.com/OkSk2hT.png

 

See my answers from here and here.

 

Thanks for the answer, so it's System related, but using wfc.exe name, seems devious.

 

Running great, can't wait till the next update, have a wonderful holiday weekend.

 

It's been awhile since I have read this thread, can someone tell me which page has the latest beta?

 

There is no beta. Here is the last release post. Anyway, you can go to the website directly to get the latest version.