Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. lolnothankyou

    lolnothankyou Registered Member

    Joined:
    Jul 29, 2018
    Posts:
    47
    Location:
    DisableLocation
    @Rainwalker - You can block everything but this:

    Core Networking - DNS (UDP-Out) Core Networking All Yes Allow %SystemRoot%\system32\svchost.exe Any Any UDP Any 53 Any
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    Do not allow the software that can be hijacked that easily? :) Windows Firewall rules are applied on a per-path basis, not a per-process basis, so nothing can be done regarding this matter.
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    That sneaky software :) From my point of view, you should enable outbound filtering and create a few allow rules for the programs that you actually want to be allowed to connect to the Internet. Now, if you trust a piece of software, just allow it, through the main process or through child processes; after all, you trust this software. For the others, just keep them blocked entirely. Nothing is perfect. Regarding Adobe Acrobat, if it has no allow rules, then it won't connect.
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    You know that your complaints are about Windows Firewall, created by Microsoft, not about WFC, which is not a firewall by itself? Of course you know it. You also might have heard that WFC is no longer mine and that it has another owner. Who wouldn't know this? :)

    Anyway, you are presenting a false problem. Let me tell you why. Let's say you have a security software that uses multiple modules to connect to the Internet. You would like to allow its updater to be able to download definition files, but you don't like the same software to send telemetry data from other modules. If I were the developer of it, I would put a method to send telemetry data from the same update module, since my processes can communicate with each other locally anyway. Then, if you allow the updater, you also allow the telemetry. The communication would be encrypted and you wouldn't notice whether the updater module connects to check for updates or to send telemetry. The connecting module is just one, while the requests can be made by any of the modules and the communications will appear only for the updater module. You allow the updater, you allow everything. You block the updater, you block everything.

    The same applies to parent-child processes. The parent process (blocked in the firewall) calls a method from the child process (allowed in the firewall). The child process will trigger a connection and you wouldn't know whether the source of this was the child process or the parent process, but in the firewall, the connection is made by the child process.

    This is how I see this "problem". If I am wrong, then please correct me.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,220
    Location:
    Canada
    Then why don't you simply apply strict rules to those and other child processes by tying them to specific port(s), IP address(es) and protocol? Ensure that Adobe, for example, can only connect to Adobe remote servers and nothing else.
     
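The thread's two concrete pieces of advice are the single DNS rule quoted above (Core Networking - DNS (UDP-Out), svchost.exe, UDP, remote port 53) and wat0114's suggestion to pin each allowed program to specific ports, addresses and protocol. The following PowerShell script is an added example, not code from this thread and not part of WFC or BiniSoft's software; it builds both kinds of rule with the Windows Defender Firewall cmdlets that WFC drives underneath, and finishes with an audit that flags program rules left wide open. The updater path, the vendor address range and the rule display names are constructed placeholders.

```powershell
# Added example (not from this thread, not WFC's own code): strict per-path
# outbound rules via the Windows Defender Firewall PowerShell cmdlets.
# Run from an elevated PowerShell prompt (Windows 8 / Server 2012 or later).
# Program paths, the vendor address range and rule names are placeholders.

# 1. Block outbound traffic by default on every profile. Without this the
#    allow rules below change nothing: Windows Firewall permits all outbound
#    connections out of the box, which is what the thread keeps pointing out.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Recreate the one rule the post above says to keep: svchost.exe, UDP,
#    remote port 53. -Service Dnscache additionally limits the rule to the
#    DNS Client service hosted by that svchost instance; this is a
#    tightening beyond the columns shown in the thread, not part of them.
New-NetFirewallRule -DisplayName 'Core Networking - DNS (UDP-Out)' `
    -Group 'Core Networking' -Direction Outbound -Action Allow -Profile Any `
    -Program '%SystemRoot%\system32\svchost.exe' -Service Dnscache `
    -Protocol UDP -RemotePort 53

# 3. A strict allow rule of the kind wat0114 describes: the updater may talk
#    only to the vendor's address range, and only over TCP 443. Even if a
#    blocked parent process launches updater.exe to proxy its traffic, the
#    child can still reach nothing but that range and port.
$updater   = 'C:\Program Files\ExampleVendor\updater.exe'   # placeholder path
$vendorNet = '203.0.113.0/24'                                # placeholder (TEST-NET-3)
New-NetFirewallRule -DisplayName 'ExampleVendor updater (TCP 443 to vendor net only)' `
    -Direction Outbound -Action Allow -Profile Any `
    -Program $updater -Protocol TCP -RemotePort 443 -RemoteAddress $vendorNet

# 4. Audit: enabled outbound ALLOW rules bound to a program path that leave
#    both remote address and remote port at "Any". These are the rules a
#    blocked parent can ride on simply by launching the allowed child.
function Get-BroadOutboundAllowRule {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            if ($app.Program -ne 'Any' -and
                $port.RemotePort -eq 'Any' -and
                $addr.RemoteAddress -eq 'Any') {
                [pscustomobject]@{
                    DisplayName = $rule.DisplayName
                    Program     = $app.Program
                    Protocol    = $port.Protocol
                }
            }
        }
}

# Review the list and replace each broad rule with one scoped like step 3.
Get-BroadOutboundAllowRule | Format-Table -AutoSize
```

On a stock system the built-in Core Networking DNS rule already exists, so step 2 only matters if you have cleared the default rules; rule display names need not be unique, so running it twice simply creates a duplicate. The audit in step 4 does not distinguish a legitimately broad rule (a browser, for instance) from an updater that should have been pinned; it only surfaces the candidates for the manual review wat0114 is recommending.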
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,220
    Location:
    Canada
    Sure, but now you're asking for a firewall with a built-in HIPS. That's not what WFC is nor was meant to be. If you apply specific restrictions as I mentioned above to common processes used as child processes by other parent processes, then you will successfully limit how the latter can use telemetry connections.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    I think you are comparing apples with tomatoes here. Windows Firewall is not a HIPS firewall. And why is WFC in this discussion anyway?
    PC Tools Firewall just announced that a process launched another process. Nothing fancy here, just typical useless HIPS pop-ups. Again, I think you are presenting a false problem here. Programs use multiple DLLs/executable files for different purposes. Instead of executing one large exe file of 300 MB, the software has the code spread over multiple assemblies with specific functionality. If it needs to update something, it launches a child process for this purpose. If you need a specific functionality, it may launch another child process on request. This is good for the overall performance because you don't have the entire software loaded in memory. The request is "genuine": it is the same software, the same publisher, it just has the code in a different module. How does it make you feel better or more secure to know that an update was triggered from the main exe or from the updater exe? Why should you care? For large projects you just can't have all the code in the main exe. There is really no problem in having a process that launches other child processes on demand.
    In the notifications dialog you can see the process ID, the parent process ID and the name of the parent process, if this is so important. However, this shows only which parent process launched the child process. You can't know how they communicate with each other, as there are several technologies for inter-process communication which are out of the scope of a firewall's filtering.

    [attached screenshot: upload_2018-9-5_8-45-14.png]
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,722
    Location:
    Europe then Asia
    In your example, the command would be "malicious.exe is executing IExplorer.exe to connect to 123.123.123.123".
    IE is not malicious by itself, it is even whitelisted; however, the website IE will connect to may be.
    This can be blocked, but not by WFC. WFC doesn't monitor process hijacking, but a HIPS/BB/anti-exe would.

    WFC only prompts for outgoing connections from unknown processes/programs.
    WFC would prevent a connection made directly by the malware, like "malicious.exe is trying to connect to 123.123.123.123".

    You are confounding the firewall's purpose with a HIPS/BB's purpose.
     
    Last edited: Sep 5, 2018
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,722
    Location:
    Europe then Asia
    WFC isn't a firewall, it is an outgoing connection monitor sitting on top of Windows Firewall. Windows Firewall is the firewall.

    By default Windows Firewall allows all outgoing connections (whatever the program), so WFC was made to notify and give the user a way to allow/block certain programs' access to the Internet on the fly, not to prevent malware from using a legit program to call home.
    Some users like me don't want a 3rd-party firewall eating resources and screwing up my system; I'm fine with Windows Firewall.

    This is a HIPS/BB mechanism.

    This is a HIPS-like mechanism integrated in a firewall, like Comodo Firewall or SpyShelter Firewall.

    You are comparing Windows Firewall with a HIPS firewall.
     
    Last edited: Sep 5, 2018
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    We all know the limitations/features of Windows Firewall. Complaining here about missing features of Windows Firewall has nothing to do with this topic which is about WFC.
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    647
    Location:
    Italy
    PCTools FW (but also Comodo or ZoneAlarm) uses its own driver, WFC doesn't, so you can't ask @alexandrud to implement such a feature.
    If you want more control, just install another FW that better suits your needs :)
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,722
    Location:
    Europe then Asia
    I have anti-exe and SRP to prevent malware from abusing other processes, so no process (legit or malicious) can even execute on my system unless I have personally whitelisted it.
    I have Windows Firewall set to block all outgoing connections that don't have an existing rule (allowed by myself); I use WFC just to create rules faster than if I did it manually.

    So no, nothing goes on behind my back.

    If you wait for your firewall to warn you about malicious actions, it is already too late; you'd better reformat your system...
     
    Last edited: Sep 5, 2018
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    218
    Location:
    Germany
    @popescu
    HIPS is the solution to your problem. Use a firewall that has a HIPS (COMODO, Outpost), or firewall + a separate HIPS (anti-exe).
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    All right, thank you for letting us know. We will pay more attention now that we are aware of how things are going on.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,590
    Location:
    U.S.A. (South)
    No complaints on this end and certainly no issues to toot about either. It's percolating along silent as a mouse until a traveler out triggers the alert box with options. Nothing fancy, just dependable each and every time on this end for what it was intended.
     
  16. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    12
    Location:
    Canada
    Are you sure you did not have any "traveler out" which did not trigger any alert? o_O
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,722
    Location:
    Europe then Asia
    With his security setup? No way (read his signature). If you don't see why, then you need to spend more time here :D
     
  18. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    349
    Location:
    USA
    Agree. I'm still with 5.0.2.0 though, waiting till the install/upgrade problems are solved with the latest version.
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    What install/upgrade problems?
     
  20. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    349
    Location:
    USA
    Posts 4446, 4449, 4469, 4487. That's as far as I looked, but it seems like the update process is not as smooth as it could be.

    BTW, I don't mind the telemetry; it happens in most main security programs like AppGuard, HMPA & Sandboxie paid (they make licensing connections & possibly gather a bit of info on the client, who knows for sure).

    What I really don't like are these persistent cloud connections. ESET recently did something that causes constant connections, even after I have disabled anything that resembles cloud protection. (I keep TCPView running constantly to monitor my connections.) Using Windows Defender now.
     
  21. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    12
    Location:
    Canada
    It is called "Live Grid" and is the cloud component of ESET. Most AVs have something like that.
     
  22. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    349
    Location:
    USA
    LiveGrid was off.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,564
    Location:
    Estonia
    Software incompatibilities exist, nothing is perfect, but those problems mentioned are usually external to WFC. Two users had problems with WFC and probably other software installed on their computer, some Windows services tweaks, a conflict with another security product that considers WFC a false positive, etc. There may be thousands of reasons and scenarios. However, two users out of a few thousand is nothing new. If I recall, after each update there were users that had some sort of problems, but this is an exception, while for 99.9% everything went smoothly as always. Regarding telemetry connections, maybe you noticed my post 4458 related to this. From my point of view, there are no problems with the current version. But if we ask here, there will always be someone that will find problems, related or, even better, unrelated to WFC :)
     
  24. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    92
    It's funny how in that thread (as well), people (even staff) keep talking about WFC in combination with the idea of adding/integrating a firewall.

    In fact, it reminds me of "we were on a break!" https://www.youtube.com/watch?v=F8iKoQE35es IT'S NOT A FIREWALL!
     
  25. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    12
    Location:
    Canada
    What are you blabbering about? o_O
     