Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    173
    Location:
    Germany
    Try adding this application to the "Notifications -> Exclude Notifications" list.
    Or, to turn off such notifications, do the following:
    - for the same application, create a common blocking rule for outgoing connections and DISABLE it;
    - in the advanced notifications settings enable this feature: Use disabled rules when searching for matching rules. If a matching disabled rule is found the notifications will not be displayed.
     
  2. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    153
    Location:
    West Oz
    It's entirely possible the {79640f5f-3b68-4d2a-9af2-82e6a5ec5e32} is not fixed, it changes every time. So the file path is not constant, and you can't make a rule.

    What happens if you just let it be blocked?
     
  3. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    113
    What happens is that it asks me again the next time I try to update.

    \device\imdisk0\temp\{b6725ae4-d21d-47f7-b2c5-267490f3a2f5}\mpsigstub.exe
    \device\imdisk0\temp\{cf9ff1db-dc36-4495-9967-9831701c8767}\mpsigstub.exe

    It seems you're right, it keeps changing every update. Is there a way for me to whitelist mpsigstub.exe?
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,529
    Location:
    Estonia
    There is no way unfortunately. Windows Firewall rules are applied per path basis not per process basis. If the path changes, a new rule is required. You can add it to the notifications exceptions list so that you won't be bothered again, or you can temporarily switch to Low Filtering profile and allow it to go online.
     
  5. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    153
    Location:
    West Oz
    Is this path in UserSpace? (eg: C:\Users\... or Program Data ?)

    I really hate security software that behaves like Malware: ZAM Free is on notice, the last time it updated it did exactly what your problem child is doing.

    There is a fix, if it is in UserSpace. Get VoodooShield and set a rule to block everything in whichever Temp folder, like this attached image. If you never want to hear about it again, set the Block action to Silent.

    Note that this file is a M$ installer, so some updates may not work--IMHO sometimes not a bad idea.

    FWIW, VS and WF/WFC is my total realtime protection: what one misses or can't deal with, the other can. It's all about enumerating Goodness :)

    VoodooShield-BlockRule.png
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,413
    Location:
    The Netherlands
    BTW, is it possible to block apps from connecting to a certain domain-name via WFC, like with Little Snitch? And can you tell a bit more about your new job at Malwarebytes, what will you be developing?

    https://www.obdev.at/products/littlesnitch/index.html
     
  7. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,104
    Location:
    UK
    Be interesting to see the mess Malwarebytes make of this.
     
  8. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    173
    Location:
    Germany
    WFC does not support resolving domain names.
     
  9. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    yes, as always....
    Shall I remember Partition magic and Drive Image (of Power Quest); for both tools one floppy was enough....
    or DVDshrink? half a floppy was enough (and still +- running on W10)..
    and some others I do not recall
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,529
    Location:
    Estonia
    In Windows Firewall you can't define firewall rules for domain names, only for IPs or IP ranges. I will start working in one week and I will find out more soon, until then I have no other news.
     
  11. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    449
    Location:
    Switzerland
    I have the ...

    Code:
    Reading Security log failed.
       Exception: System.ArgumentException: Der Index 16510 liegt außerhalb des gültigen Bereichs. bei System.Diagnostics.EventLogInternal.GetEntryAt(Int32 index) bei WindowsFirewallControl.Proxy.ProxyServer.GetLogConnections(Int32 logEntries, Int32 direction, Int32 eventId)
    
    too unfortunately.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,413
    Location:
    The Netherlands
    OK thanks. And keep us posted about your work at Malwarebytes, sounds interesting. :thumb:
     
  13. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    73
    I've noticed that sometimes the Secure Profile option is automatically disabled, by Windows Update for example. I think the most recent Windows cumulative update also did this (KB4284819) - I'm on Win 10 1709 (16299.492).
     
    Last edited: Jun 13, 2018
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,529
    Location:
    Estonia
    Next Monday I will start working again and I will take a look.
     
  15. buffering

    buffering Registered Member

    Joined:
    Jan 16, 2015
    Posts:
    7
    Hello and happy to hear the good news about binisoft.

    Yesterday I couldn't left-click on the taskbar icons (volume, battery, wifi) to see info or settings in Windows 10 (1803). Also right-clicking program icons in the task bar wouldn't work. So long story short, I fixed it by unchecking Secure rules and Secure profile in WFC. More specifically, Secure rules, because first I disabled Secure profile and restarted but no joy. Then I disabled Secure rules and restarted for the taskbar to work.

    Before disabling the options in WFC, I noticed a firewall error followed by a ShellExperienceHost error in Eventviewer. These two errors occurred successively, and repeatedly:
    Code:
    Log Name:      Microsoft-Windows-AppModel-Runtime/Admin
    Source:        Microsoft-Windows-AppModel-Runtime
    Date:          14-Jun-18 7:37:15 AM
    Event ID:      35
    Task Category: None
    Level:         Error
    Keywords:      AppContainer
    User:          DESKTOP-ABCD\USERABCD
    Computer:      DESKTOP-ABCD
    Description:
    CreateAppContainerProfile failed with error 0x80070005 because it was unable to register with the firewall.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-AppModel-Runtime" Guid="{F1EF270A-0D32-4352-BA52-DBAB41E1D859}" />
        <EventID>35</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x2000000000000002</Keywords>
        <TimeCreated SystemTime="2018-06-14T11:37:15.797005300Z" />
        <EventRecordID>912</EventRecordID>
        <Correlation ActivityID="{D768F447-0397-0000-8967-69D79703D401}" />
        <Execution ProcessID="5472" ThreadID="6088" />
        <Channel>Microsoft-Windows-AppModel-Runtime/Admin</Channel>
        <Computer>DESKTOP-ABCD</Computer>
        <Security UserID="S-1-5-21-860367813-1122591061-15154029-1001" />
      </System>
      <EventData>
        <Data Name="ErrorCode">2147942405</Data>
      </EventData>
    </Event>
    
    Log Name:      Microsoft-Windows-AppModel-Runtime/Admin
    Source:        Microsoft-Windows-AppModel-Runtime
    Date:          14-Jun-18 7:37:15 AM
    Event ID:      21
    Task Category: None
    Level:         Error
    Keywords:      (70368744177664),AppContainer
    User:          DESKTOP-ABCD\USERABCD
    Computer:      DESKTOP-ABCD
    Description:
    CreateAppContainerProfile failed for AppContainer onecore\ds\security\gina\profile\profext\appcontainer.cpp Line:1895 microsoft.windows.shellexperiencehost_cw5n1h2txyewy Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy with error 0x80070005.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-AppModel-Runtime" Guid="{F1EF270A-0D32-4352-BA52-DBAB41E1D859}" />
        <EventID>21</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x2000400000000002</Keywords>
        <TimeCreated SystemTime="2018-06-14T11:37:15.797063800Z" />
        <EventRecordID>913</EventRecordID>
        <Correlation ActivityID="{D768F447-0397-0000-8967-69D79703D401}" />
        <Execution ProcessID="5472" ThreadID="6088" />
        <Channel>Microsoft-Windows-AppModel-Runtime/Admin</Channel>
        <Computer>DESKTOP-ABCD</Computer>
        <Security UserID="S-1-5-21-860367813-1122591061-15154029-1001" />
      </System>
      <EventData>
        <Data Name="ErrorCode">2147942405</Data>
        <Data Name="Context">onecore\ds\security\gina\profile\profext\appcontainer.cpp Line:1895 microsoft.windows.shellexperiencehost_cw5n1h2txyewy Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy</Data>
      </EventData>
    </Event>
    More info about taskbar not working because of ShellExperienceHost - Taskbar start, notifications, search, wifi, date, battery and volume icons not working
     
  16. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    73
    Secure Rules in 5.3.x is known to cause problems with Windows 10 -because of the way this OS operates- and that's why you get a warning before enabling it. I would either disable it or use WFC 5.0.2.0 if you want that functionality.

    Search the previous posts for more info.
     
  17. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    134
    Location:
    Canada
    Is something like this possible?

    Okay so let's say I want to block www.example.com, I could do this with a host file with "127.0.0.1 www.example.com"

    But can WFC make just the program block traffic to and from www.example.com while leaving it functional for other connections?
     
  18. buffering

    buffering Registered Member

    Joined:
    Jan 16, 2015
    Posts:
    7
    Thanks @AmigaBoy
    @Special DNS resolution is a different aspect. There's a freeware for that HostsMan · abelhadigital.com. It flushes the dns cache, backup/restores previous host file, doesn't run in the background...everything you'd want. Except it applies to the whole machine - not specific programs.
     
    Last edited: Jun 14, 2018
  19. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    173
    Location:
    Germany
    Yes, WFC can do this. To do this, you need to specify the IP address or range of IP addresses for www.example.com in the blocking rule for your program.
    WFC and Windows Firewall cannot work with domain names (host names), they work only with IP.
     
  20. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    149
    Location:
    Viena
    Since Malwarebytes now bought the developer of WFC and the app is no longer being actively developed, how about making it open source and letting the community continue with the project?
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,970
    Location:
    .
  22. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    134
    Location:
    Canada
    Good to hear, for the record I'm trying to block Blizzard's hot garbage client from constantly downloading new ads, and other streamed advertisement while in the background but not to gimp the rest of my system (like Firefox browser) from having images blocked that would happen if I used a host file to apply this System wide.

    https://www.reddit.com/r/heroesofth...d_update_agent_what_the_hell_are_you/e0mqun3/

    I tried the host file out and it works great, but I'd like to just apply this to Blizzard's client ("Agent.exe") instead with a WFC rule.

    So what's the best way to find the IP or IP range for "bnetcmsus-a.akamaihd.net" and what would my WFC rule panel look like? And what fields do I need to modify?
     
  23. cyb0rg

    cyb0rg Registered Member

    Joined:
    Mar 28, 2018
    Posts:
    1
    Location:
    USA
    I don't know if it's the best way, but here is one way until you find a better one.

    1. Start -> cmd
    2. nslookup bnetcmsus-a.akamaihd.net
    3. Returns: Address: 174.140.87.19
    4. Enter 174.140.87.19 at http://whois.arin.net/ui/ (at the top right of the page)
    5. Result: Net Range 174.140.64.0 - 174.140.95.255
    6. Of course, be cautious when blocking ranges.

    I believe some of this (perhaps all?) can be done within WFC, but I haven't had to do anything like that for so long I don't recall.
    This is one method, anyway.
     
  24. buffering

    buffering Registered Member

    Joined:
    Jan 16, 2015
    Posts:
    7
    WhosIP: Get IP address information from command-line
    FWIW, IP rules are not worth the effort because sooner or later they will be obsolete, because of how CDN and edge servers work.
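
The lookup-then-block procedure from the two posts above, as an added PowerShell example that is not part of the thread: it resolves the host name and creates or refreshes an outbound Windows Firewall block rule limited to one program. The function name, the rule name and the program path are assumptions (the thread does not give the location of Agent.exe).

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
function Sync-HostBlockRule {
    param(
        [Parameter(Mandatory)] [string] $Program,   # full path to the executable
        [Parameter(Mandatory)] [string] $HostName,  # name whose addresses get blocked
        [string] $RuleName = "Block $HostName for $(Split-Path $Program -Leaf)"
    )

    # Resolve current IPv4 and IPv6 addresses. A CDN name usually answers through
    # a CNAME chain, so keep only the records that actually carry an address.
    $addresses = @(
        foreach ($type in 'A', 'AAAA') {
            Resolve-DnsName -Name $HostName -Type $type -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress } |
                ForEach-Object { $_.IPAddress }
        }
    ) | Sort-Object -Unique

    # Never write a rule without addresses: a program rule with no remote
    # address restriction would block all of that program's outbound traffic.
    if (-not $addresses) {
        Write-Warning "No addresses resolved for $HostName; rule left unchanged."
        return
    }

    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        # Rule already exists: replace its address list with the current answer.
        $existing | Set-NetFirewallRule -RemoteAddress $addresses
    } else {
        # The rule matches only this program path, so other programs
        # (a browser, for instance) can still reach the same addresses.
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -Program $Program -RemoteAddress $addresses -Profile Any | Out-Null
    }

    # Return what was written so a scheduled run can log it.
    $addresses
}

# Placeholder path: replace with the real location of Agent.exe on your system.
Sync-HostBlockRule -Program 'C:\PLACEHOLDER\Agent.exe' -HostName 'bnetcmsus-a.akamaihd.net'
```

The rule only covers the addresses returned at the time of the lookup, and a CDN can hand the program a different edge address later, so the function has to be re-run (for example from a scheduled task) and remains best effort.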
     
  25. Mannillo

    Mannillo Registered Member

    Joined:
    Jun 19, 2017
    Posts:
    3
    Location:
    UK
    Hello, I am having an issue with WFC where I can only set no filtering or medium filtering, I can't set high filtering or low filtering. If I set it via profiles in the task bar then nothing changes. If I set it via the main panel I can select the relevant option but nothing changes. I'm running the latest version with Windows 10. Any ideas? Thanks
     