Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. paulderdash

    paulderdash Registered Member

    Also Emsisoft, AdGuard, etc., etc., etc.? :rolleyes::isay:
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Can WFC filter traffic based on account name?
    It would not be a problem if Windows used one binary per service, but unfortunately it does not.

    Can WFC filter traffic based on account name or the group the account belongs to? One may block svchost from SYSTEM and Administrator accounts while working on an account belonging only to the users group. A malware infection would most likely infect this work account, because most things would be done from this account.
     
    Last edited: Feb 19, 2020
  3. alexandrud

    alexandrud Developer

    WFC does not do any packet filtering and is not aware of any active connection.
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Ok. WFC uses Windows Filtering Platform. Does Windows Filtering Platform allow filtering packets based on user account name?
     
  5. alexandrud

    alexandrud Developer

    WFC is just an alternative UI for Windows Firewall. Windows Firewall does the filtering based on the existing firewall rules. Windows Firewall is just an implementation over the Windows Filtering Platform. WFP is very capable but you have to call it by using C++. Maybe the author of Simplewall can answer this question since he took this route and he has more knowledge about this. His product talks with WFP directly from C++.
     
  6. pandlouk

    pandlouk Registered Member

    @popescu if I remember correctly, if a program uses a dll as a service to perform updates and other net activities it will connect under the svchost.exe name.
    The default allow rules (wf) do not have an svchost.exe rule for a reason... and if you create an svchost.exe rule for a specific service, windows firewall will warn you about the risks in doing so...

    @Rainwalker I have uploaded v5.4.0.0 and v5.4.1.0 here in case you still need it.

    Panagiotis

    edit: replaced (wfc) with (wf).
     
    Last edited: Feb 20, 2020
  7. popescu

    popescu Registered Member

    The recommended WFC rules include a svchost.exe, wide open on TCP/80,443

    [Attached screenshot: upload_2020-2-20_16-32-40.png]
     
  8. pandlouk

    pandlouk Registered Member

    Sorry I meant wf instead of wfc. I never used the wfc recommended rules.
     
  9. popescu

    popescu Registered Member

    Both downloads seem to be damaged.
     
  10. yeL

    yeL Registered Member

    those versions are still available via binisoft official website

    5.4.0.0: https://binisoft.org/download/old/5400/wfc5setup.exe
    5.4.1.0: https://binisoft.org/download/old/5410/wfc5setup.exe
     
    Last edited by a moderator: Feb 20, 2020
  11. pandlouk

    pandlouk Registered Member

    Can you post a screenshot? On my end they download and extract correctly.
    After extraction,
    v5.4.0.0 should have a SHA-256 hash
    FE81A44112861276AF83FDBCFE1A86BCD641DF93781D016D9B5978830FD011EF
    and
    v5.4.1.0 should have a SHA-256 hash
    8DD146F054D1667187D11D242E51877B480D69061695991573940BDE7F2D6285
    same hashes as those from the binisoft links @yeL posted.:thumb:
     
  12. Rainwalker

    Rainwalker Registered Member

    Thank you folks. I have the downloads.
     
  13. EASTER

    EASTER Registered Member

    Same. Both in working order on this end as well. Thanks
     
  14. wat0114

    wat0114 Registered Member

    And you should know you can tighten that rule considerably. I've actually tried really hard to help you.
     
  15. tnodir

    tnodir Developer

  16. aldist

    aldist Registered Member

    Individual rules for services, running through svchost.exe, worked in Windows 7, but did not work in Windows 8.1 and Windows 10.
     
  17. popescu

    popescu Registered Member

    [Attached screenshot: upload_2020-2-21_4-19-28.png]

    tried both Firefox and Edge.
     
  18. aldist

    aldist Registered Member

    Update the version of the archiver!
     
  19. popescu

    popescu Registered Member

    yes, this was the problem, thanks!
     
  20. Erastus Seymour Pott

    Erastus Seymour Pott Registered Member

    BITS is often overlooked, but it is a very viable method of circumventing protections - https://attack.mitre.org/techniques/T1197/
     
  21. wat0114

    wat0114 Registered Member

    Solution: tighten firewall rules for C:\Windows\System32\svchost.exe

    Of course it's best not to allow the malware to run in the first place.
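
Added example, not part of the thread and not code from WFC or its author: a read-only PowerShell audit that lists the enabled outbound allow rules applying to svchost.exe and shows how narrowly each one is scoped (service, remote ports, remote addresses). The function name `Get-SvchostRuleAudit` and the wording of the findings are made up for this illustration; the cmdlets are the built-in NetSecurity ones.

```powershell
# Added example, not from the thread. Lists enabled outbound allow rules whose
# program is svchost.exe and reports how each one is scoped.
# Uses the built-in NetSecurity module (Windows 8 / Server 2012 and later).
function Get-SvchostRuleAudit {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            # The path may be stored with %SystemRoot%, so match the file name only.
            if ($app.Program -notmatch '\\svchost\.exe$') { return }

            $svc  = $rule | Get-NetFirewallServiceFilter
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter

            $anyService = $svc.Service -eq 'Any'
            $anyRemote  = @($addr.RemoteAddress) -contains 'Any'

            # Hypothetical labels, chosen for this example.
            $finding = if ($anyService -and $anyRemote) {
                'broad: any service, any remote address'
            } elseif ($anyRemote) {
                'service-bound, any remote address'
            } else {
                'remote address restricted'
            }

            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                Service       = $svc.Service
                Protocol      = $port.Protocol
                RemotePort    = @($port.RemotePort) -join ','
                RemoteAddress = @($addr.RemoteAddress) -join ','
                Finding       = $finding
            }
        }
}

# Broadest rules sort first; nothing is modified.
Get-SvchostRuleAudit | Sort-Object Finding, Rule | Format-Table -AutoSize -Wrap
```

A rule like the one discussed above (svchost.exe allowed to any address on TCP 80,443) shows up with the "broad" finding, which makes it easy to see which rules are candidates for tightening.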
     
  22. popescu

    popescu Registered Member

    Easy to say, impossible to do it.

    There is no way to "tighten" firewall rules for svchost.exe as long as you do not know who or what generated the request and who or what is on the other end of communication (IP)
     
  23. wat0114

    wat0114 Registered Member

    You are wrong! I would suggest you spend some time and effort researching basic networking fundamentals.
     
  24. popescu

    popescu Registered Member

    I may be wrong, but this is what I found:

    This is an "official" answer from Microsoft


    "Hi,

    For security purposes, the IP address for the Windows Update web site constantly changes and it is not a fixed address. Also, there is no official publication of the IP addresses. We normally advise against defining IP addresses on the firewall for this purpose. Instead, we suggest either allowing all outbound connections to http & https ports or defining the DNS addresses as permitted destinations for traffic via the firewall.

    For up-to-date information about the IP's being used by Windows Update, use the DNS system, as this is the only reliable up to date source of information. If you use DNS, make sure the following destination hosts are specified:

    http://windowsupdate.microsoft.com
    http://*.windowsupdate.microsoft.com
    https://*.windowsupdate.microsoft.com
    http://*.update.microsoft.com
    https://*.update.microsoft.com
    http://*.windowsupdate.com
    http://download.windowsupdate.com
    http://download.microsoft.com
    http://*.download.windowsupdate.com
    http://wustat.windows.com
    http://ntservicepack.microsoft.com
    http://stats.microsoft.com
    https://stats.microsoft.com

    Thanks for your understanding.

    Best Regards

    Nina"
     
  25. pandlouk

    pandlouk Registered Member

    @popescu I do not understand this "debate".
    If you do not want dlls that run as services to connect through the "svchost.exe" name -> do not create a rule for "svchost.exe" (not even for specific services).
    If you do not trust a program that wants admin rights to install, you should not install it, in the first place.

    A program that runs with admin rights can modify/create/delete outgoing WF rules at will, and the only way to restrict it is by enabling the group policy (not available in windows home).
    http://woshub.com/windows-firewall-settings-group-policy/
     