Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    When a Windows Store application that you have installed receives an update, the path of its executable file changes. Because Windows Firewall rules are applied on a per-path basis, after such an update a new rule is required. This can become very annoying, especially if an application is updated very often. This is how Windows Firewall works and this is not something that Windows Firewall Control can change.

    As a workaround, instead of creating a firewall rule for a specific executable file:
    • Create a rule that applies to all programs and set an empty group name for this rule. Setting an empty group name is important for the next step.
    • Launch Windows Firewall with Advanced Security (wf.msc) and edit your newly created rule.
    • In the Programs and Services tab, press the Settings button under the Application Packages group box, select your specific application package and save the rule. Now you will have a working firewall rule, even if the program gets updated and the path changes. Now you can add this firewall rule to any group you want.
    Note: The rules with a group name set can't be modified from Windows Firewall with Advanced Security. Also, the application package can't be set from Windows Firewall Control, yet. I am still working on this.
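    The same package-scoped rule, built from PowerShell instead of wf.msc. This is an added example, not code from WFC or from the post above; the package family name and rule display name are assumptions, and the group name is WFC's default group as mentioned later in this thread. Run it in an elevated PowerShell on Windows 10 or later.

```powershell
# Added example (not WFC's code): create an outbound allow rule scoped to a
# Windows Store app package instead of to its versioned executable path.
# The package family name and display name below are assumptions; replace them.
param(
    [string]$PackageFamilyName = 'Microsoft.WindowsStore_8wekyb3d8bbwe',  # assumed example
    [string]$DisplayName       = 'Store app (package-scoped) - outbound',  # assumed name
    [string]$Group             = 'Windows Firewall Control'                # WFC's group
)

# 1. Confirm the package is actually installed for this user.
$pkg = Get-AppxPackage | Where-Object PackageFamilyName -eq $PackageFamilyName
if (-not $pkg) { throw "Package '$PackageFamilyName' is not installed for this user." }

# 2. Resolve the package family name to its app container SID. Windows keeps
#    this mapping under AppContainer\Mappings: one subkey per SID, each with a
#    'Moniker' value holding the package family name (-eq is case-insensitive).
$mappings = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'
$sid = Get-ChildItem $mappings | Where-Object {
    (Get-ItemProperty $_.PSPath).Moniker -eq $PackageFamilyName
} | Select-Object -First 1 -ExpandProperty PSChildName
if (-not $sid) { throw "No app container SID found for '$PackageFamilyName'." }

# 3. Create the rule. '-Program Any' plus '-Package <SID>' is the PowerShell
#    equivalent of "All programs" plus an Application Package in wf.msc.
#    Unlike the wf.msc route, the group can be set in the same step.
New-NetFirewallRule -DisplayName $DisplayName -Group $Group `
    -Direction Outbound -Action Allow -Profile Any `
    -Program Any -Package $sid | Out-Null

# 4. Verify: the rule's application filter should carry the SID, not a path.
Get-NetFirewallRule -DisplayName $DisplayName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program, Package
```

    The check in step 4 is the one worth keeping: if `Package` comes back empty, the rule is an ordinary all-programs allow rule and will let every process out, which is exactly the mistake described further down in this thread.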
     
  2. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    75
    Thanks. This does work for application packages. I don't think it will work for Windows Defender which is the most important one for me. When it first changed to be in a numbered directory under ProgramData I think I had to add my own firewall rule.
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    On my Windows 10 machine, Windows Defender stays in C:\Program Files\Windows Defender only. In C:\ProgramData\Microsoft\Windows Defender it keeps the definition files and the quarantined items. I never saw any notification for Windows Defender from ProgramData folder.
     
  4. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    75
    New monthly updates now go to a directory like C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18011-0. The newer programs for Windows Defender run from ProgramData and older ones from C:\Program Files\Windows Defender.

    See:

    https://support.microsoft.com/en-gb/help/4052623/update-for-windows-defender-antimalware-platform

    I don't know which programs require network access for the protection to work but I have firewall rules for both the old and new locations.
     
  5. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    75
    I just tried deleting all the firewall rules for Windows Defender and it still can access the internet. It looks like it is not a problem.
     
  6. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    75
    It is a problem. My attempt at a rule for an application package had let all programs out. No wonder it worked. I need a rule for C:\programdata\microsoft\windows defender\platform\4.12.17007.18011-0\msmpeng.exe for Windows Defender to work and possibly other rules as well.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    I am using the latest version of Windows 10 (official MSDN ISO from December 2017), I have the latest updates, and that folder is empty on my computer. I will keep an eye on this.

    upload_2018-2-18_0-44-46.png
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,457
    It is empty because you have the "old" client version (4.12.16299.15) which is still installed into C:\Program Files\...
    This has been changed with newer versions.
    Old location: %ProgramFiles%\Windows Defender
    New location: %ProgramData%\Microsoft\Windows Defender\Platform\<Version>
     
  9. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    171
    Location:
    Canada
    What tcarrbrion says is correct, the new location is in the ProgramData folder for whatever reason. You can open Task Manager > Open file location to see where the process that runs resides.
     
  10. nin7qpzm6

    nin7qpzm6 Registered Member

    Joined:
    Aug 21, 2016
    Posts:
    2
    Location:
    Earth, Russia
    Indeed. OS version 1607. MsMpEng.exe new path.

    MsMpEng.exe new path.png
     
  11. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    14
    I have notifications set for 1 second to combat this problem.
     
  12. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    457
    Location:
    Switzerland
    Or set a password and lock WFC?
     
    Last edited: Feb 20, 2018
  13. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    97
    Rules Panel suggestion: in the context-menu, above or below the "Add to group >" entry, add a direct "Add to WFC group" entry. It is commonly used (I assume) and sometimes having to scroll down and find the WFC group through the many available default groups can be cumbersome.
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Not very commonly used since rules created through WFC are already in the group named "Windows Firewall Control". Anyway, you can select multiple rules at once and add them all together to the same group, so there is no need to do this multiple times for each rule separately.
     
  15. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    38
    "When you use Medium Filtering profile, you already have enabled inbound filtering protection and outbound filtering protection. This means only the programs that have an allow rule will be able to connect to the Internet. I don't see the point here for a new profile that will do the same thing as Medium Filtering. What else should happen when this "sleep mode" gets enabled ?"

    Multiple customizable profiles is a great idea. A simple switch to a profile that only allows one program (or two or whatever). Because now, if I only wish to allow one or two programs, (this means only one or two possible security holes) for the night or for vacation or something else... I have two options, 1. Don't change anything, or 2. Selectively disable every single firewall rule except for "only this program." Then I must do this each time. Then undo each one each time when I wish to switch back.

    "The first option is not very nice because WFC might disable several network cards and they also must be re enabled automatically when the user uses again the computer (mouse movement, keys pressed on the keyboard, etc)."

    That's great, disable all adapters sounds great. Best would be an option to disable selectively. Hardware level exploitation may bypass Windows high filters; disabling the network card could prevent this and save electricity. I think both options would be great, then the user has the choice to do whatever they want.

    "The second approach would be easier to handle. Anyway, until I will think about this, you could use Task Scheduler to create a task that would disable your network cards when the computer is idle for a configurable amount of time."

    "Regarding the MAC address, I can change it from code, but I don't see where to put this kind of action in the user interface. Changing the MAC address is not something that you do very often. Actually, I never changed the MAC address of any of my devices because I had no reason to do it. If you change your MAC address often, you could create a batch file that can be used for this purpose. I really don't see where this feature would fit in WFC."

    Under "security" would be a great place. Spoofing MAC addresses upon every new connection mitigates against a variety of local-network-level and VPN exploits; exploits and hackers often use the MAC address to identify a given target, AND to identify exploitable firmware/hardware, routers and network cards like the one I just posted on over here. Randomizing the MAC makes the job of identifying the victim much more difficult; attackers will always attempt to initiate an exploit that is designed for the specific hardware; if this is spoofed, the exploit will fail. Here is an example of how they do it: https://www.youtube.com/watch?v=IxgLVk4ozs4 They (NSA and other nasty groups) use this same technique and have a database of every single vulnerability ever made public (or not made public) for every Windows OS, Linux OS, Android, Mac, iPhone, router, hardware, browser, everything. MAC randomization is one of the best defenses!

    A similar example of this is spoofing the User-Agent in a web browser, which mitigates against nearly every kind of exploit that exists for web browsers, whether done by automated botnets, hackers, or exploits on the web! Especially in the Akamai cloud, they ALWAYS try to target known exploits for the browser and operating system you SEEM to be using. If you are on Windows using Firefox, but all the internet sees is "Debian Chrome", the hackers will always try to use known exploits for Chrome/Debian. So you are amazingly protected. Make sense?
     
    Last edited by a moderator: Feb 26, 2018
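    The "only this program for the night" switch described above can be scripted against the rules WFC already creates, without touching the profile machinery. This is an added example, not a WFC feature or the poster's code: it assumes Medium Filtering (outbound blocked unless allowed), that the rules live in WFC's "Windows Firewall Control" group, and the rule display names given as defaults are placeholders. It disables every enabled rule in that group except the ones to keep, records their instance IDs, and restores exactly that set on leave.

```powershell
# Added example (not a WFC feature): a lockdown switch that leaves only the
# named allow rules enabled in the WFC group and records what it disabled so
# the change can be undone. Rule names in -Keep are assumptions; use your own.
param(
    [Parameter(Mandatory)][ValidateSet('Enter', 'Leave')][string]$Mode,
    [string[]]$Keep    = @('Backup client - outbound'),        # assumed rule name(s)
    [string]$Group     = 'Windows Firewall Control',           # WFC's group
    [string]$StateFile = "$env:ProgramData\wfc-lockdown.json"  # assumed location
)

switch ($Mode) {
    'Enter' {
        if (Test-Path $StateFile) { throw "Lockdown already active ($StateFile exists)." }

        # Only rules that are enabled right now need restoring later, so we
        # never re-enable something the user had deliberately switched off.
        $toDisable = @(Get-NetFirewallRule -Group $Group -Enabled True |
                       Where-Object { $_.DisplayName -notin $Keep })

        # Persist instance IDs (Name), not display names: names need not be unique.
        $toDisable.Name | ConvertTo-Json | Set-Content $StateFile

        if ($toDisable.Count -gt 0) { $toDisable | Disable-NetFirewallRule }
        Write-Host ("Lockdown on: disabled {0} rule(s), kept: {1}" -f $toDisable.Count, ($Keep -join ', '))
    }
    'Leave' {
        if (-not (Test-Path $StateFile)) { throw "No lockdown state found at $StateFile." }

        $names = @(Get-Content $StateFile -Raw | ConvertFrom-Json)
        foreach ($n in $names) { Enable-NetFirewallRule -Name $n }
        Remove-Item $StateFile
        Write-Host ("Lockdown off: re-enabled {0} rule(s)" -f $names.Count)
    }
}
```

    Usage: `.\lockdown.ps1 -Mode Enter -Keep 'Backup client - outbound'` before leaving, `.\lockdown.ps1 -Mode Leave` on return. The state file is the safety net: a second Enter is refused rather than overwriting the list, and Leave re-enables only what Enter disabled. Rules outside the WFC group (Windows' own built-in rules) are untouched, which is the intended scope of this switch.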
  16. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    38
    I confirm that my network card, which has an exploitable Intel Management chip enabled, is disabled when the adapter is shut off; the light on my switch goes off and it appears I am safe from hardware-level exploitation. Though Intel ME is said to be accessible even while the computer is turned off completely. This may vary from version to version. On my machine (Intel Management 5.0) Intel ME will allow my NIC to remain enabled even during reboot/POST in certain circumstances, including a BSOD (probably to enable remote assistance for repairs), after disabling my network card in the BIOS, and after running certain Linux distributions; the quickest way to disable this is to unplug the computer and remove the CMOS battery; no longer does the NIC boot at POST via MINIX, the Linux distro inside ME mounting the on-board LAN out of band. At any time during its running operation, Intel Management is vulnerable to simple Metasploit attacks leveraged against the LAN card; certain exploit databases will certainly flag the MAC address as vulnerable. Randomize the MAC, and the attack surface is greatly diminished. Here is the list of exploits on Metasploit's homepage: https://rapid7.com/db/search?utf8=✓&q=amt&t=a
     
    Last edited: Feb 26, 2018
  17. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    75
    It has just updated and I now need a rule for C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18022-0\msmpeng.exe
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    I have to think about a solution for these scenarios. I can create a list with allowed locations which will make WFC to automatically create a new allow rule for exe files under a certain folder when they try to connect. Or make the notification dialog to automatically update an existing rule which ends with the same exe file name, in this way the user at least knows that a rule will be updated. Or... Suggestions are welcomed. I don't have yet a nice solution to this problem.
     
  19. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    171
    Location:
    Canada
    It's fine the way it is, it takes a literal click to make a new rule when a new .exe pops up like this (which is what? once a month for this Defender thing...), or you can edit your existing rule and just change the path to match the new number and press okay, in this case. change "....\Platform\4.12.17007.18011-0" to "\Platform\4.12.17007.18022-0". Big whoop.

    I'd personally hate WFC automating things, making new rules to new .exe files without my knowing. I like how it is now, and the C does stand for Control :p.
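    The manual path edit described above can be checked and applied by a short script, run on demand or from a scheduled task after a platform update. This is an added example, not WFC's code or anything from the posts: it follows the thread's description of the Platform\<version> folder layout, assumes the rule display name given as the default, and puts the rule in WFC's group. It asks the service control manager where WinDefend currently runs from, falls back to the newest Platform folder, and then either creates the rule or rewrites only its program path.

```powershell
# Added example (not WFC's code): keep an outbound allow rule for Windows
# Defender's engine pointed at the current MsMpEng.exe after a platform update
# moves it to a new %ProgramData%\Microsoft\Windows Defender\Platform\<version>
# folder. The rule display name is an assumption.
param(
    [string]$RuleName = 'Windows Defender (MsMpEng.exe) - outbound',  # assumed
    [string]$Group    = 'Windows Firewall Control'                    # WFC's group
)

# 1. Ask the service control manager where WinDefend actually runs from. The
#    platform update rewrites the service's image path, so this follows the move.
$svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
$current = if ($svc -and $svc.PathName -match '^"?([^"]+MsMpEng\.exe)') { $Matches[1] } else { $null }

# 2. Fallback: newest version folder under Platform, ordered as a [version]
#    (so 4.12.17007.18022-0 sorts after 4.12.17007.18011-0, unlike a string sort).
if (-not $current) {
    $platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $current = Get-ChildItem $platform -Directory -ErrorAction SilentlyContinue |
        Sort-Object { [version]($_.Name -replace '-\d+$', '') } -Descending |
        ForEach-Object { Join-Path $_.FullName 'MsMpEng.exe' } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
}
if (-not $current) { throw 'Could not locate MsMpEng.exe.' }

# 3. Create or update the rule. Set-NetFirewallRule -Program rewrites only the
#    application filter; group, profiles and action stay as they were.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    $old = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($old -ne $current) {
        Set-NetFirewallRule -DisplayName $RuleName -Program $current
        Write-Host "Updated rule: $old -> $current"
    } else {
        Write-Host "Rule already points at $current"
    }
} else {
    New-NetFirewallRule -DisplayName $RuleName -Group $Group `
        -Direction Outbound -Action Allow -Program $current | Out-Null
    Write-Host "Created rule for $current"
}
```

    Two caveats. The stale rule for the previous Platform folder is left in place on purpose so the previous engine can still be rolled back to; prune old rules by hand once you are sure. And because this is still a path-based rule, it is only as current as the last run; if you would rather not chase the path at all, New-NetFirewallRule's -Service parameter (e.g. -Service WinDefend with -Program Any) keys the rule on the service identity instead, which is worth testing on your own build before relying on it.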
     
  20. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,570
    Location:
    Location Unknown
    What profile is your VPN connection: public, private, or domain? Change the VPN to private, create allow rules for private and deny rules for public and domain, and set your regular wifi/lan to public. The below rules will only allow the private connections. Create these for every exe you want to be secured. Also, NordVPN's "killswitch" sucks. Get a VPN with a real one; AirVPN, mullvad, etc.

    Allow Rule:

    sshot-2.png

    Deny Rule
    sshot-1.png
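    The two rules shown in the screenshots above, plus the profile assignment that makes them work, as PowerShell. This is an added example and not the poster's code, WFC's code, or anything from a VPN vendor; the interface aliases and the program path are assumptions to be replaced with your own adapters and application.

```powershell
# Added example: bind an application to the VPN by network profile, as
# described in the post above. Interface aliases and program path are assumed.
param(
    [string]$VpnInterface = 'TAP-Windows Adapter V9',                       # assumed alias
    [string]$LanInterface = 'Wi-Fi',                                        # assumed alias
    [string]$Program      = 'C:\Program Files\qBittorrent\qbittorrent.exe', # assumed path
    [string]$Group        = 'Windows Firewall Control'                      # WFC's group
)

# 1. Profiles: VPN tunnel = Private, ordinary LAN/Wi-Fi = Public. A rule's
#    -Profile is matched against the profile of the interface a packet leaves
#    on, so this assignment is what makes the split work. Both adapters must
#    be connected for Set-NetConnectionProfile to succeed.
Set-NetConnectionProfile -InterfaceAlias $VpnInterface -NetworkCategory Private
Set-NetConnectionProfile -InterfaceAlias $LanInterface -NetworkCategory Public

$leaf = [IO.Path]::GetFileName($Program)

# 2. Allow rule, Private profile only (the VPN tunnel).
New-NetFirewallRule -DisplayName "$leaf - allow via VPN (Private)" -Group $Group `
    -Direction Outbound -Action Allow -Program $Program -Profile Private | Out-Null

# 3. Explicit block on Public and Domain. Block rules take precedence over
#    allow rules, so a later, broader allow rule cannot let this program out
#    off-VPN by accident.
New-NetFirewallRule -DisplayName "$leaf - block off VPN (Public,Domain)" -Group $Group `
    -Direction Outbound -Action Block -Program $Program -Profile Public,Domain | Out-Null

# 4. Check: adapter categories and the two rules' profile filters.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallRule -DisplayName "$leaf - *" | Select-Object DisplayName, Action, Profile
```

    The check in step 4 matters more than the rules: tunnel adapters are frequently re-created as Public when the VPN client reconnects, at which point the block rule (correctly) cuts the application off until the profile is set back to Private. Re-run the first two lines after a reconnect, or verify the category before trusting that the split is still in effect.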
     
  21. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    38
    Hopefully that will fix it for you, but if you are using the NordVPN app, that could be a problem: it uses DLL injection into ntoskrnl, ntdll and a few other system files, which could bypass the firewall altogether. I'll post my findings here shortly.
     
    Last edited: Mar 2, 2018
  22. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    38
  23. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,095
    Location:
    South Texas, USA
    Can someone give me some insight on why WFC asked to allow explorer.exe to access internet if I already had it blocked with a rule from NVT SysHardener app? Thanks!
     


  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Please post here the full row (to see all columns) from Connections Log where you see explorer.exe so that I can see all details of the blocked connection. The same, a screenshot from Rules Panel with all details of the rule for explorer.exe. Thank you.
    Did you change the default advanced notifications settings? Did you see this only for explorer.exe or for other files too?
     
  25. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,095
    Location:
    South Texas, USA
    Here you go...

    Been running WFC for a long time now and either I hadn't noticed similar behaviors or it was just this one. Notification is set to Medium.
     

