Discussion in 'other firewalls' started by alexandrud, May 20, 2013.
I thought I used to get notification with, for example:
Might be a bug in the newest version. I would say wait for the Developer to chime in here.
Well, something went wonky for me because I found notifications at Disabled.
And now, with notifications at Display. I'm not getting notification for Block rules.
That sounds familiar.
Yeah, wonky kinda snuck up on me. Finding notifications at Disabled was .
... Except I didn't specifically have block rules, WFC just stops notifying me of blocked connections so maybe a different matter.
Yeah, maybe I'm not remembering whats what.
Finding notifications at Disabled was .
There is no bug. If you create a block rule it means that you want a program to be blocked, therefore a new notification will not be displayed for a blocked connection which has a matching block rule. It was never different. Since a block rule will always generate blocked connections events in System event log, what would be the purpose to display notifications for such programs ? Or let me put it another way, how would you stop the notifications for the programs that you already blocked on purpose ?
The purpose of the notifications system is to display notifications when a matching rule is not found. Since you have a matching block rule, from my point of view, everything works as expected.
WFC may stop giving you new notifications if:
1. You create a matching rule that will dismiss any new notification. You have to check your rules. Pay extra attention to firewall rules that apply to all programs.
2. Audit settings are modified on purpose or by a security policy, that will prevent Windows Firewall from logging new blocked connections. If Connections Log does not contain recently blocked connections, then the auditing of these entries is disabled.
3. The profile is set to Low Filtering which means outbound connections without an explicit block rule will be allowed. In this case there is nothing blocked, so, nothing to notify.
4. Some weird incompatibility with another software that you use and which may interfere with WFC. For example, Rivatuner Statistics Server tries to determine the FPS of WFC because it uses D3D for rendering the user interface. Since WFC is not a game, Rivatuner Statistics will crash WFC with a d3d9.dll exception. The solution is to set Application detection level to None in Rivatuner Statistics so that it won't try to determine FPS for desktop applications.
5. Another security software does packet filtering, a software proxy, which may determine Windows Firewall filtering not working as expected. A software proxy will redirect the traffic to the proxy making the firewall rules useless. Once the software proxy is allowed, then all programs will appear to connect through the proxy. You won't have blocked connections for individual programs, but allowed connections made by the proxy.
Let's say you use Firefox and you don't have any rule for firefox.exe. If you use Medium Filtering profile and Display notifications and you try to use Firefox, do you receive a notification about a blocked connection for firefox.exe ? If the answer is yes, then the notifications work. If you don't receive any notification, check the Connections Log. Does firefox.exe appear in the recently blocked connections ? If the answer is no, then audit settings are not correct. If the answer is yes, then check the WFC and the Application logs to see if there is an exception logged at the time when the notification should have been displayed. If there is an exception, then send me the log. if there is no exception, check the existing firewall rules. One of the existing firewall rules made WFC to dismiss the notification.
Okay. Thanks. My confused remembering was that I have a Block rule so, program does not call home. And then upon my call... for example, "check for updates" I could then temp allow outbound. I understand (remember) that a new notification will not be displayed for a blocked connection which has a matching block rule and It was never different.
I was surprised by finding notifications at Disabled and ruminated myself into confused remembering.
Thanks again. Regards w Respect
This is a great explanation. Thanks!
The notifications system may be disabled if:
1. You disable it on purpose and you forgot about it
2. You reset user settings which will reset any custom set option. This is like you have installed WFC for the first time.
3. You uninstall WFC and reinstall it without keeping the settings intact. The third check box must be checked. By default, the first one is checked.
4. Aliens abducted your PC and disabled them because they didn't want you to see anymore those notifications
Yep, mischievous band of manacle marauding aliens manipulated my machine.
I don't have WFC installed now so better off helping someone else.
Can I propose a feature? In popup alert boxes, can we have the ability to copy/select variable text? I often run traceroutes on IP's, and end up having to manually type an IP from the alert into a command prompt. Not a huge deal, but would be helpful to have.
If selectable text isn't possible, then perhaps some function that can copy per-line variables (much like the mouse-button functions).
Is it possible to not display notifications for allowed entries ?
I would like to not display 127.0.0.1>127.0.0.1 loopbacks which tend to fill the log file.
Have you checked the side bar in the connections log?
That will not solve your problem?
Notifications exceptions + https://www.wilderssecurity.com/thr...-by-binisoft-org.347370/page-150#post-2729543
You can't apply this kind of filter in Connections Log because WFC reads all entries from the Security log of the system and displays them all. If it is logged, it will be displayed. If you are not interested in allowed entries, then uncheck the check box below:
Notifications exceptions only apply to which notifications you see through the notification dialog.
Notifications exceptions only apply to which notifications you see through the notification dialog.[/QUOTE]
I get that - I do want to log allowed entries - but, I would like to hide the loopbacks in the display of allowed entries. This seems to work only for blocked entries ??
When you want to view the allowed, you can click the Source IP address column and sort by IP. that will group all the 127's together for easier viewing. Only other thing I can think of to help.