Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,857
    Location:
    Romania
    This was back in the Windows XP era. Since Windows Vista came out, Windows Firewall has been a very capable packet-filtering firewall that can filter outbound connections too.
    With your logic, a process could inject into an existing process and listen for incoming connections too. Then Windows Firewall is not good for blocking inbound connections either.

    This will be my last reply to your comments, as I think this discussion is not constructive and mostly, not related to WFC. You have your own ideas which are very different from mine, I do not want to convince you of anything. You are free to believe anything you want.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    But if it's legit, then why would it perform this stuff? And why worry about legit software, when you should be focused on malware? And you're completely right when you say that Win Firewall won't stop code injection, so that's why you can combine it with some HIPS that does monitor this. Or you can simply use a third-party firewall like ZoneAlarm.

    Actually, I think you're wrong about this. There isn't any firewall or HIPS that can tell you when some app is using code injection in order to bypass the firewall. That's up to the user to figure it out. Why do you think that AV's have never implemented this stuff? Because it's not possible.
     
  3. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    see here why: https://www.engadget.com/2020/01/27/avast-jumpshot-selling-user-data/
    "The popular antivirus program Avast has been selling users data to giant companies like Google, Home Depot, Microsoft and Pepsi, a joint investigation by Motherboard and PCMag found"
    now, if you can block this through a firewall, you may explore that option.

    There was one, PC Tools Firewall Plus, which works in Win7.
    Truth be told, nowadays it is impossible to find any decent stand-alone firewall.
     
  4. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    I am not aware of this behaviour and again I do not understand how you got it from my "logic".

    The purpose of a malware is to collect user data and communicate OUT, not to LISTEN for incoming connections.
    You are right though that this has nothing to do with WFC, which is a beautiful interface.

    But , as I said before "You can put lipstick on a pig, but it’s still a pig"
     
    Last edited: Feb 9, 2020
  5. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,685
    Location:
    USA Trump Town
    How do I test this program to get a pop-up that it's blocking it? Thank you.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    What does Avast have to do with this subject? You simply can't stop Avast because it's an AV that needs full access to your system, so it makes no sense to block it from making outbound connections and modifying process memory. If you do this, it will malfunction.

    Also, you're wrong, PC Tools Firewall Plus will simply alert about code injection, but it doesn't know the purpose of it, it can't know whether it will be used to bypass the firewall. I think you misunderstood those alerts.

    But anyway, this all hasn't got anything to do with WFC. I already explained, if you're worried about code injection, simply use a third party firewall or combine WFC with a HIPS, that's what I did.
     
  7. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    Was just an example of how you may want to selectively allow internet access for "parts" of good applications and block access for some other "parts".

    This is to demonstrate that you have a lot to "worry" about, even though it is about legit software.

    I used PC Tools for years, so believe me, I know what I am talking about. I got alerts many times about "the application a.exe is trying to connect to the internet using application b.exe": allow or block.

    But, as you said, this has nothing to do with WFC.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    Exactly, but it's a bad example, because how are you planning to stop Avast from tracking you? It needs the cloud for malware scanning and besides that, it's probably using its driver to inject code, so HIPS won't stop this. So good luck with trying to block it from phoning home.

    I'm sorry but you're wrong. It's simply a fact that there is no way to know for HIPS why some app wants to inject code. What you're talking about isn't related to code injection, it's most likely related to DDE communication and network-enabled process launching. Trust me, back in the days it was my hobby to test firewalls against so called leaktests.
     
  9. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    Here a good example:
    Adobe Acrobat Pro:

    If I check for updates, I get a WFC pop-up about "C:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe" trying to connect to the internet.
    I block it, yet Adobe says "an update is available".

    If I switch WFC to "High filtering", Adobe cannot connect to the update servers.

    So clearly Adobe is using some other program which was previously allowed.

    Now, if WFC cannot block a good program like Adobe, what about a malicious one, designed to have this behaviour?
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,765
    Location:
    Canada
    @popescu check the firewall logs. Hopefully they can shed light on how Adobe could connect to the update server. But remember, wfc acts as a pure firewall, exactly what it's intended for. Nothing else.
     
  11. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    I checked. Adobe is using svchost.exe, which is allowed for Win updates (TCP 80,443 out).

    This is a typical example of Windows Firewall's futility in blocking a program from connecting to the internet.
     
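An added example for the svchost.exe finding in the post above; this is editor-supplied code, not code from the thread or from WFC. svchost.exe is not one program but a host for many services, so an allow rule for it is as wide as the set of services it hosts. The check below attributes an svchost-owned outbound connection to the service(s) in that process, first from the live TCP table and then from the Windows Filtering Platform audit log (event 5156), which keeps short-lived connections such as an update check. It assumes Windows 8 / Server 2012 or later, an elevated session, and the TCP 80,443 port list from the thread's rule.

```powershell
# Added example (not from the thread or WFC): attribute outbound connections
# owned by svchost.exe to the Windows service(s) hosted in that process.
# Assumes Windows 8 / Server 2012 or later and an elevated session.

function Get-SvchostConnectionOwner {
    [CmdletBinding()]
    param(
        # Ports of interest; 80 and 443 match the thread's svchost rule (assumption).
        [int[]]$RemotePort = @(80, 443)
    )

    # Build PID -> service names for every running service hosted by svchost.exe.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' } |
        ForEach-Object {
            $procId = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
            $servicesByPid[$procId] += $_.Name
        }

    # Join the live TCP table against that map; only svchost-owned sockets to the
    # ports of interest are reported.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $RemotePort -contains $_.RemotePort -and $servicesByPid.ContainsKey([int]$_.OwningProcess) } |
        ForEach-Object {
            [pscustomobject]@{
                Pid           = [int]$_.OwningProcess
                Services      = ($servicesByPid[[int]$_.OwningProcess] -join ', ')
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
            }
        }
}

# Short-lived connections are gone before the TCP table is sampled. The WFP
# audit log keeps them: event 5156 records process path, PID and destination of
# every permitted connection once success auditing is enabled with
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
function Get-SvchostOutboundEvent {
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # %%14593 is the resource string for "Outbound" in this event.
            if ($data['Application'] -match 'svchost\.exe$' -and $data['Direction'] -eq '%%14593') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Pid    = [int]$data['ProcessID']
                    Remote = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
                }
            }
        }
}

Get-SvchostConnectionOwner | Format-Table -AutoSize
```

Run it while the Adobe update check is in progress, or pull the 5156 events afterwards and match the PID against `tasklist /svc` output from the same time window (PIDs are reused, so correlate by time). On Windows 10 most services get their own svchost instance, which makes the mapping unambiguous; where several services share one process, the Services column lists all of them and the rule has to be narrowed by service rather than by process. Note what this does and does not settle: it tells you which service identity made the connection, not why, which is the distinction the rest of the thread argues about.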
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,765
    Location:
    Canada
    It would take some time and effort, but then you could assign specific IP addresses to svchost. Better yet, use subnet or CIDR masks.

    The following I used at one time for Microsoft update servers:

    Code:
    <group name="Microsoft Updates Servers" comment="">
                <item value="4.27.0.0/16" />
                <item value="8.12.0.0/16" />
                <item value="8.254.0.0/16" />
                <item value="13.107.0.0/16" />
                <item value="64.18.0.0/16" />
                <item value="64.145.0.0/16" />
                <item value="64.208.0.0/16" />
                <item value="65.54.0.0/16" />
                <item value="65.55.0.0/16" />
                <item value="69.16.0.0/16" />
                <item value="69.22.0.0/16" />
                <item value="72.246.0.0/16" />
                <item value="92.242.0.0/16" />
                <item value="107.14.0.0/16" />
                <item value="128.242.0.0/16" />
                <item value="134.170.0.0/16" />
                <item value="151.139.0.0/16" />
                <item value="157.55.0.0/16" />
                <item value="157.56.0.0/16" />
                <item value="165.254.0.0/16" />
                <item value="172.217.0.0/16" />
                <item value="173.245.0.0/16" />
                <item value="191.232.0.0/16" />
                <item value="191.234.0.0/16" />
                <item value="194.7.0.0/16" />
                <item value="198.78.0.0/16" />
                <item value="199.7.0.0/16" />
                <item value="204.160.0.0/16" />
                <item value="204.191.0.0/16" />
                <item value="204.245.0.0/16" />
                <item value="205.250.0.0/16" />
                <item value="206.108.0.0/16" />
                <item value="207.34.0.0/16" />
                <item value="207.228.0.0/16" />
                <item value="208.38.0.0/16" />
                <item value="b00:2048:1::681c:1138/128" />
                <item value="2606:2800:11f:85d:13e0:11e9:1a6:201d/128" />
                <item value="2a01:111:2003::50/128" />
                <item value="93.184.0.0/16" />
                <item value="64.4.0.0/16" />
                <item value="67.131.0.0/16" />
                <item value="216.58.0.0/16" />
                <item value="23.103.0.0/16" />
                <item value="23.73.0.0/16" />
                <item value="23.54.0.0/16" />
                <item value="104.80.0.0/16" />
                <item value="66.119.0.0/16" />
                <item value="8.253.0.0/16" />
            </group>
    You would probably want DNS, time-update servers, DHCP, and maybe some others I can't remember. Of course the IPs for Adobe servers, maybe? I don't go to this extent anymore, especially running Linux.
     
  13. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    It is absolutely a futile exercise; you may miss an IP or Microsoft may change a server, so where do we stop? And for what? I was able to see that Adobe still connects to the internet, but if there is a malware scenario, you will see absolutely nothing to alert you.
     
  14. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    @popescu I've read your comments here over time and while I've had my own issues with @alexandrud in the past (mostly when he tried to abuse the wrong form of Permissions in the registry prior to being consumed by Malwarebytes) I'm inclined to say that while you are not entirely pointless you do seem to be willingly ignorant of some real solutions and issues, and then tend to refer back to one half-baked product, PC Tools Firewall Plus, as the mold which everything should be based after.

    Sadly I must disagree with you here. IMO mixing things like Windows 10 Exploit Mitigations and then perhaps something like MemProtect (or, and I hate to say it, AppGuard) with some real level of thought beforehand would be enough. While not on the same 'HIPS/alert level' others have argued about to start with in this thread, I do believe that with Windows 10 and a decent understanding of available exploit mitigations they would already be ahead of the curve. Adding other potential solutions with 'appropriate rules' could also prevent the type of attacks you are so vocal about. I refer again to MemProtect (or, and I hate to say it, AppGuard).

    Between DLL Extension rejections and Memory injection protections your argument suddenly becomes weaker. IF someone were to apply them both properly they would actually be closer to immune. I understand Win 10 isn't the default so I'm not saying you have no points even now. Yet I will now say I am ignoring you much like @alexandrud ignored my warnings previously. Unlike him I will not be deaf to truth but I won't be blindly replying to all words in rejection either.
     
    Last edited: Feb 15, 2020
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,765
    Location:
    Canada
    You know those CIDR blocks give you thousands of host addresses for the /16 prefixed network portion?

    Anyway, you don’t seem to accept the way a pure firewall works. You’ll need a HIPS or a firewall with one built in.
     
  16. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    205
    Location:
    Bulgaria
    Hmmm... if I set the rule to blocked in Comodo Firewall for C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe then Adobe Acrobat Reader DC can't check for updates and Windows Updates are allowed.
     
  17. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    Thank you for your answer.

    You lost me after
    which is above my level of understanding and most likely above the level of understanding of common user.

    I am a common user and I need to use a computer, not to "reprogram the OS" in order to
    .

    All I want is a firewall which will tell me if any program on my PC is trying to connect to the internet and let me decide.

    Windows Firewall was not designed to do that, so a fancy interface like WFC will not change that fact.

    So, rather than using something which creates an illusion of a firewall, I prefer not to bother.

    The example mentioned above is fundamental for every potential WFC user: a common program (AdobeARM.exe), even though it is blocked from updating, is using svchost.exe to connect to servers, the same svchost.exe which a common user will allow TCP 80,443 for various tasks.

    You will never know when a malicious application, not visible on the screen, will connect to the internet using an existing "allow" rule somewhere.

    In other words, Windows Firewall cannot offer you another layer of security.
     
  18. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    329
    Location:
    CSA Consulate, Glos., UK
    You seem to think that just because there may be one small gap in the armour that covers you from a much larger range of attacks, this makes it useless. In conjunction with Windows Defender, you have decent coverage with WFC out of the box, and you can harden it as you get more informed. Nothing is perfect. A good carpenter learns how to use their tools. A bad carpenter blames them. You can easily block svchost and cover the gap with a couple of clicks on the connections log in WFC. Might stop some programs that are too lazy to write their own code for comms, but that's your choice. We talk about layered defense; adding layers adds more security, which you hope will never be needed. They all have gaps; hopefully the gaps will not align. My hardware router's internal firewall handles most of the load anyway.

    Svchost is another topic for another thread.

    p.s. - tried Comodo firewall, didn't suit me. It eventually was blocking stuff it shouldn't without asking and I couldn't find how to unblock the item. So it was uninstalled.
     
  19. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    87
    Location:
    Here
    It may be that Comodo firewall blocks applications from creating BITS jobs if they're denied internet access? Testing with Adobe Acrobat Pro DC trial I see:

    Code:
    [16/02/2020] [12:34:33] Denied TCP 13.35.198.26(uds.licenses.adobe.com) adobe_licutil.exe PID:2960 SPort:1165
    [16/02/2020] [12:34:35] Denied TCP 104.85.56.127(www.adobe.com) pdapp.exe PID:5916 SPort:1166
    [16/02/2020] [12:34:38] Denied TCP 23.212.232.250(armmf.adobe.com) acrobat.exe PID:5484 SPort:1167
    [16/02/2020] [12:34:39] Denied TCP 23.212.232.250(armmf.adobe.com) sandboxiebits.exe PID:5696 SPort:1168
    [16/02/2020] [12:34:40] Denied TCP 62.252.170.88(acroipm2.adobe.com) acrobat.exe PID:5484 SPort:1169
    [16/02/2020] [12:34:54] Denied TCP 13.35.198.56(uds.licenses.adobe.com) adobe_licutil.exe PID:2960 SPort:1170
    [16/02/2020] [12:35:01] Denied TCP 62.252.170.35(acroipm2.adobe.com) acrobat.exe PID:5484 SPort:1171
    [16/02/2020] [12:35:15] Denied TCP 13.35.198.82(uds.licenses.adobe.com) adobe_licutil.exe PID:2960 SPort:1172
    [16/02/2020] [12:35:37] Denied TCP 13.35.198.22(uds.licenses.adobe.com) adobe_licutil.exe PID:2960 SPort:1173
    [16/02/2020] [12:35:58] Denied TCP 52.214.151.229(cc-api-data.adobe.io) adobe_licutil.exe PID:2960 SPort:1174
    [16/02/2020] [12:36:19] Denied TCP 52.30.149.178(cc-api-data.adobe.io) adobe_licutil.exe PID:2960 SPort:1175
     
    4th entry down you can see a BITS job has been added/triggered and sandboxiebits.exe is attempting to connect to armmf.adobe.com. I haven't looked at the job details but I assume given the destination that it's update related.

    This is partly why I opt to run a default block everything approach to outgoing internet connections. In an ideal world you could allow all Microsoft services out and wouldn't have to worry about privacy or security related issues. We don't live in an ideal world though.

    https://www.zdnet.com/article/attackers-take-advantage-of-microsoft-windows-bits-to-serve-malware/
    https://www.zdnet.com/article/newly-discovered-cyber-espionage-malware-abuses-windows-bits-service/

    The research team said the Win32/StealthFalcon backdoor didn't communicate with its remote server via classic HTTP or HTTPS requests but hid C&C traffic inside BITS. Researchers believe this was done to bypass firewalls, as companies tend to ignore BITS traffic, knowing it most likely contains software updates, rather than anything malicious.
     
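An added example for the BITS observation in the post above (sandboxiebits.exe reaching armmf.adobe.com) and the two linked articles on BITS being used as a covert channel; this is editor-supplied code, not from the thread. A BITS transfer is carried out by the BITS service inside svchost.exe, so a per-process rule for the application that queued the job never sees the traffic; the job queue itself is where to look. The script lists BITS jobs for all users and flags download sources outside an expected-host allowlist and any upload job. It assumes an elevated session (-AllUsers needs it) and Windows 8 / Server 2012 or later; the allowlist is a placeholder assumption, not a vetted list.

```powershell
# Added example (not from the thread): enumerate BITS jobs for every user and
# flag sources outside an expected-host allowlist, plus any upload job.
# Assumes an elevated session; the default allowlist is an assumption.

Import-Module BitsTransfer

function Get-BitsJobReport {
    param(
        # Hosts (or parent domains) this machine is expected to fetch from. Placeholder.
        [string[]]$AllowedHost = @('microsoft.com', 'windowsupdate.com', 'adobe.com')
    )

    foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction Stop)) {
        $files = @($job.FileList)

        # A job with no files is unusual enough to report on its own line.
        if ($files.Count -eq 0) {
            [pscustomobject]@{
                JobId = $job.JobId; DisplayName = $job.DisplayName; Owner = $job.OwnerAccount
                State = $job.JobState; Type = $job.TransferType
                RemoteName = ''; LocalName = ''; Flag = 'NO-FILES'
            }
            continue
        }

        foreach ($f in $files) {
            # Extract the host from the remote URL; a malformed URL leaves it empty.
            $remoteHost = $null
            $uri = $null
            if ([System.Uri]::TryCreate($f.RemoteName, [System.UriKind]::Absolute, [ref]$uri)) {
                $remoteHost = $uri.Host
            }

            # Exact match or subdomain of an allowed host.
            $allowed = $false
            foreach ($a in $AllowedHost) {
                if ($remoteHost -and ($remoteHost -eq $a -or $remoteHost.EndsWith('.' + $a))) {
                    $allowed = $true
                    break
                }
            }

            $flag = ''
            if (-not $allowed) { $flag = 'REVIEW' }
            # Upload jobs send local data out; rare on a workstation, always worth a look.
            if ($job.TransferType -ne 'Download') { $flag = 'UPLOAD' }

            [pscustomobject]@{
                JobId = $job.JobId; DisplayName = $job.DisplayName; Owner = $job.OwnerAccount
                State = $job.JobState; Type = $job.TransferType
                RemoteName = $f.RemoteName; LocalName = $f.LocalName; Flag = $flag
            }
        }
    }
}

Get-BitsJobReport | Sort-Object Flag -Descending | Format-Table -AutoSize
```

The built-in `bitsadmin /list /allusers /verbose` shows the same queue and additionally the per-job notification command line, which is the field to inspect when a job is suspected of being used for persistence rather than just for transfer. On the firewall side, the BITS service has its own service SID, so it can be given a rule of its own (scoped with the -Service parameter of New-NetFirewallRule) instead of inheriting whatever svchost.exe as a whole is allowed.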
  20. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    On a philosophical level you are right: nothing is perfect, good carpenter, bad carpenter, etc.

    On a practical level though, the answer is simple:

    a good / innocent application will signal its intention to connect to the internet and you can block or allow it with WFC.
    a malicious application which was purposely designed to bypass the firewall will connect to the internet without even a blink from WFC.

    So, what is the purpose of WFC? To allow you to block legit applications from connecting to the internet?
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,765
    Location:
    Canada
    No, to allow you to restrict exactly how a legitimate application connects to the Internet. Think of it as a form of Mandatory Access Control on the Network level.
     
  22. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    I thought the purpose of a firewall, as an additional layer of security , is to prevent an "undetected" malware to send data from your PC to the "mothership"

    Restricting how a legitimate application connects to the internet is a secondary issue, with no implication on your PC security.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,765
    Location:
    Canada
    Are you sure about that?

    I believe you have rule for svchost.exe something like:

    Code:
    Allow out, From any To any Port 80,443
    That simple rule alone restricts it to remote ports 80 & 443. The bad guy's server might be on port 8080, in which case that rule will prevent svchost.exe from connecting to it. There is some measure of security in this rule, although the bad guy's server could be on Port 80, then it's useless.

    An even better rule:

    Code:
    Allow out From any to 64.0.0.0 - 69.254.254.254 Protocol TCP Port 80,443
    This will restrict svchost.exe to what is essentially a Class A IP range owned by Microsoft, using only Protocol TCP, to Ports 80 & 443. This is far more secure than the other rule. Honestly you will need more remote MS IP ranges than this, and probably different depending on your region.

    You could create one for your DNS:

    Code:
    Allow out From any To 192.168.1.254, 8.8.8.8, 8.8.4.4 Protocol UDP Port 53
    then if you want to take this further to cover IPv6:

    Code:
    Allow out From any to 2001:4860:4860::8888, 2001:4860:4860::8844
    Most people are loath to take firewall rule enforcement to this extent, but it can be done with some time and effort. You can't convince me this has no implications for your PC security.
     
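An added example covering the rule sets described in posts 12 and 23 above (the CIDR allow-list for svchost, the TCP 80,443 rule, and the DNS rules); this is editor-supplied code written against the NetSecurity cmdlets, not code from the thread or from WFC, which manages the same Windows Firewall rule store. It departs from the posts in one respect: each svchost.exe rule is scoped to a single service with -Service, so Windows Update, BITS and the DNS client stop sharing one "svchost TCP 80,443" allowance. The addresses are only those the posts mention and are placeholders to replace with your own; in particular, 64.0.0.0-69.254.254.254 covers many operators besides Microsoft. Assumes an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread or WFC): the thread's svchost and DNS
# rules, rewritten so each one is scoped to a single service SID.
# All address lists below are placeholders from the posts, not vetted ranges.

$svchost = "$env:SystemRoot\System32\svchost.exe"

# Weak form from the thread, shown with -WhatIf so it is never created:
# any service hosted in svchost.exe may reach any address on TCP 80 or 443.
New-NetFirewallRule -DisplayName 'svchost out 80,443 (weak)' -Direction Outbound `
    -Program $svchost -Protocol TCP -RemotePort 80, 443 -Action Allow -WhatIf

# Hardened form: only the Windows Update service, only the listed ranges.
$updateRanges = @('64.0.0.0-69.254.254.254', '13.107.0.0/16', '2a01:111:2003::50/128')  # placeholders
New-NetFirewallRule -DisplayName 'svchost wuauserv out 80,443' -Direction Outbound `
    -Program $svchost -Service wuauserv -Protocol TCP -RemotePort 80, 443 `
    -RemoteAddress $updateRanges -Action Allow

# BITS gets its own rule, so its destinations can be reviewed separately.
New-NetFirewallRule -DisplayName 'svchost BITS out 443' -Direction Outbound `
    -Program $svchost -Service BITS -Protocol TCP -RemotePort 443 `
    -RemoteAddress $updateRanges -Action Allow

# DNS client: UDP 53 to the resolvers only (post 23's IPv4 and IPv6 lists).
$resolvers = @('192.168.1.254', '8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844')
New-NetFirewallRule -DisplayName 'svchost Dnscache out 53' -Direction Outbound `
    -Program $svchost -Service Dnscache -Protocol UDP -RemotePort 53 `
    -RemoteAddress $resolvers -Action Allow

# None of the above matters unless unmatched outbound traffic is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Check: enabled outbound allow rules for svchost.exe that are not scoped to a
# service. Anything hosted in (or injected into) svchost.exe can ride on these.
function Get-UnscopedSvchostRule {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            $svc = $_ | Get-NetFirewallServiceFilter
            if ($app.Program -match 'svchost\.exe$' -and $svc.Service -eq 'Any') {
                $addr = $_ | Get-NetFirewallAddressFilter
                $port = $_ | Get-NetFirewallPortFilter
                [pscustomobject]@{
                    Name          = $_.DisplayName
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                    RemotePort    = ($port.RemotePort -join ',')
                }
            }
        }
}

Get-UnscopedSvchostRule | Format-Table -AutoSize
```

Switching the default outbound action to Block breaks everything without an explicit rule (time sync, DHCP renewals, the Store, and the rest of post 12's list), so build the allow rules first and watch the connections log before flipping it. Two caveats that match the thread's argument: -Service matching relies on the service running under its service SID, which the built-in services do; and the firewall still matches identity, not intent, so code that injects into an allowed svchost instance, or queues a BITS job, inherits that service's rule. The check function is the useful part to keep: any svchost rule it lists is a rule every hosted service shares.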
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    This does indeed sound a bit weird, you would think that WFC could block this. Perhaps you might also want to test it with TinyWall. If Comodo blocks it, so should WFC. And I wonder how exactly AdobeARM.exe is using svchost.exe to connect out.

    Interesting, so you believe Adobe Acrobat might be using such a technique? Can you give me a link to this Adobe app, I assume you were able to install it sandboxed. I would also like to test it to see if WFC and TinyWall can block it from connecting out.
     
  25. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    178
    Location:
    Canada
    I do not have "a link", but it is Adobe Acrobat X, version 10.0.0

     