Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    200
    I miss the era of XP where there were a lot of quality third-party firewalls. Now we are simply with the universal statement that the Windows Firewall is enough...
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Actually filters in a very consistent manner.

    You left enabled the Windows Update rule in TinyWall, that creates an outbound TCP rule for svchost.exe on ports 80 and 443 for every service, and then you expect the traffic that you explicitly allowed to be blocked? :confused:

    Windows Firewall was designed from the beginning to do exactly that and does not create any holes. The users are those that create the holes by enabling or creating rules without knowing what they are doing...:rolleyes:

    You can:
    1. ask the developers to change that default outbound rule
    or
    2. deactivate that rule. ;)

    It is far more powerful and accurate than most firewalls from the XP era. But... no firewall will protect a user from himself.

    @popescu the default rules of both apps are fine for 99% of the users. Neither program forces you to leave them enabled. It is your choice to do so... so stop complaining about a problem that you intentionally allow/create and just fix it. :ouch:
     
  3. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    I already posted an official answer from Microsoft:

    "For security purposes, the IP address for the Windows Update web site constantly changes and it is not a fixed address. Also, there is no official publication of the IP addresses. We normally advise against defining IP addresses on the firewall for this purpose. Instead, we suggest either allowing all outbound connections to http & https ports or defining the DNS addresses as permitted destinations for traffic via the firewall."


    So, you can clearly see that it is not possible to tighten the rules for svchost.exe in order to allow Windows Updates and block all other requests.

    This is going to be my last opinion about this subject, as the futility of using WF for outbound filtering has been explained and proved several times so far.

    Thank you for having patience and good luck!
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    1st. I never wrote about IP addresses.
    2nd. I told you to disable/remove the default TCP rule of svchost.exe for all services on ports 80, 443 that Windows Firewall Control and TinyWall create.
    3rd. I wrote that creating svchost.exe rules is not a wise thing to do and Windows Firewall will alert you about the risk of doing so, if you want to proceed.
    4th. I gave you exact instructions on how to identify and create specific rules for specific services based on WFC logs.

    You intentionally ignored all the above and just posted an answer from Microsoft support that is unrelated to the "problem/security risk" that you described.
    The only thing explained and proved is that you allowed that traffic by leaving the default rules of both programs active, when instead you should have removed them and created stricter rules.

    Windows firewall can work exactly the way you want it to. You only need to disable/remove/modify the default rules of those apps and create your own more restricted ones.

    You're welcome. Good luck!
     
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    895
    Location:
    Lunar module
    This is just a chivalrous act, thank you very much! Bye! :thumb:
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,507
    Location:
    Canada
    Microsoft public IP Address Blocks:

    https://www.winhelponline.com/blog/microsoft-public-ip-address-range/

    In csv format from the official Download Center:

    https://www.microsoft.com/en-us/download/details.aspx?id=53602&WT.mc_id=rss_alldownloads_all
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    @alexandrud may I ask why the rule "wfc update rule" was created and why it is activated by default with the recommended rules?
    Because @popescu is correct to complain about it...
    Allowing every service to connect to ports 80 and 443 defeats the purpose of a restricted firewall and can potentially be dangerous for people that disable windows defender or their antivirus.
    Penalising all the not advanced users because a lot of naive (I'm being polite) users use registry cleaners and delete sids without understanding the problems they create is a bit extreme.
    At least make it as an additional rule to be activated under an "if you have problems updating windows rule" and give a warning that, that rule allows every process that connects under the name svchost.exe to get access to the net.

    Panagiotis
     
  8. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    895
    Location:
    Lunar module
    The program was paid. The absence of this rule would cause a lot of complaints from legal users - you ruined my Windows updates.
    Now who understands, he himself will do as needed, and who does not understand, he does not need a firewall. Imho.
     
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    I know it was donationware.
    I introduced windows firewall control in wilders forum back in June 2010.
    https://www.wilderssecurity.com/sea...control&o=date&c[title_only]=1&c[node]=31 138
    https://www.wilderssecurity.com/threads/windows-firewall-control-for-windows-7.274073/
    And I am probably one of the first persons that donated (21 April 2011) when Alexandrud introduced donations (even though I never use/d the notifications).

    I guessed, that it would have to do something with people complaining about updates connectivity.
    Still, such a generic rule shouldn't exist or at least should not be activated by default without giving a prior warning.

    Panagiotis
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,124
    Location:
    Romania
    The answer is simple. WFC was and is a "one man show". Have you tried to answer to tens of emails a day with the topic "Windows Update doesn't work anymore after I installed your software", "You broke my Windows", "I can't connect to the Internet anymore", "I had to restore an old image", etc. ? It is not funny, therefore I decided to add this rule as a recommended one to reduce the support emails.
     
  11. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    I do not want to be impolite, but in other words you compromised the whole idea of "Firewall" just for your convenience. A tutorial would have been more appropriate, to explain the risks and benefits, rather than a default rule which opens the firewall to the outside world.

    A common user will see pop-ups here and there, will be happy to allow/deny here and there and will live with the idea that the WFC "is working" when in fact the firewall is wide open.
     
    Last edited: Feb 27, 2020
  12. Distman

    Distman Registered Member

    Joined:
    May 7, 2013
    Posts:
    12
    I'm running Win 10 Pro (1909) but even when I create allow rules for svchost bound to services they are in the log as blocked and I also get notifications about them.

    The most notifications I receive from BITS and DoSvc.

    I don't know if the other service rules work or not, but I do not receive that many notifications.
     
  13. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    :) I feel your pain. Just add somewhere on the site help section or in the program
    a "make it more secure/restricted" info by adding the following images
    Change the default "WFC - Windows Update" rule
    Firewall1.JPG
    to a restricted "WFC - Windows Update" rule
    firewall2.JPG
    Panagiotis
     
    Last edited: Feb 27, 2020
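
    Added example, not part of the original thread and not WFC's own code: one way to audit for the kind of rule debated above (an enabled outbound Allow rule for svchost.exe that applies to every service) and to create a service-scoped replacement with the built-in NetSecurity cmdlets. The function name, the new rule's display name and the choice of `wuauserv` (the Windows Update service) are assumptions made for illustration; run it from an elevated PowerShell session.

```powershell
# Added example: find outbound Allow rules for svchost.exe that are not bound
# to a specific service, then create a rule scoped to one service.
$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-BroadSvchostRule {
    # Hypothetical helper name. Returns one object per enabled outbound Allow
    # rule whose program is svchost.exe and whose service filter is "Any".
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $svc  = $rule | Get-NetFirewallServiceFilter
            $port = $rule | Get-NetFirewallPortFilter
            # Rules often store the path as %SystemRoot%\..., so expand it first.
            $prog = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
            if ($prog -ieq $svchost -and $svc.Service -eq 'Any') {
                [pscustomobject]@{
                    Name        = $rule.Name
                    DisplayName = $rule.DisplayName
                    Protocol    = $port.Protocol
                    RemotePort  = $port.RemotePort -join ','
                    Service     = $svc.Service
                }
            }
        }
}

# 1. Review what is currently allowed for every svchost-hosted service.
$broad = Get-BroadSvchostRule
$broad | Format-Table -AutoSize

# 2. Add a rule limited to one service (assumed here: wuauserv) on TCP 80/443.
New-NetFirewallRule -DisplayName 'Example - Windows Update (wuauserv only)' `
    -Direction Outbound -Action Allow -Program $svchost `
    -Service 'wuauserv' -Protocol TCP -RemotePort 80,443 | Out-Null

# 3. After reviewing the list from step 1, disable the broad rules by their
#    unique Name. Left commented out so nothing changes without a review.
# $broad | ForEach-Object { Disable-NetFirewallRule -Name $_.Name }
```

    Post 12 in this thread reports service-bound svchost rules still being logged as blocked on Windows 10 1909, so check the firewall log after applying a rule like this before relying on it.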
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,124
    Location:
    Romania
    Well, you are impolite since you were not in my position. I developed WFC in my spare time for 8 years, I also have a family and a kid and a real job where I have to work. I did not compromise anything, Windows Firewall has by default the outbound filtering enabled for any software. What did I compromise? How easy it is for you to judge me and have opinions. If you don't like WFC, use another software and stop harassing me with your comments.

    People in general do not read user manuals, they first send a complaining email and they later remember that a user manual was provided.

    I don't know why I spend my time answering to this kind of comments. I have better things to do with my life. Good luck.
     
  15. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    As I understand it, svchost.exe can only run as an installed service. Adobe X can update using it because it has an installed service to do that. If malware were to exploit svchost.exe in this way, it would have to be running with administrator privileges and have installed a service. Surely, if this is the case, you have been exploited already and it is too late.
     
  16. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    Windows Firewall indeed, by default, has the outbound permission enabled. However, your product CHANGED the behavior of WF, blocking by default any outbound connection; this would be fine, except for the fact that you introduced a rule for svchost.exe TCP 80,443 which fundamentally changed the concept of "blocking any outbound connection".

    The common user is not aware of that, he/she will just believe that EVERYTHING is blocked and will get notifications to allow applications.

    While I appreciate your effort and I am sympathetic with your situation, the full version of WFC was essentially a paid version and it is not fair to alter the functionality just not to be bothered by emails.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,124
    Location:
    Romania
    So, this rule bothers you? WFC recommended rules have an optional checkbox during installation. This rule is optional and can be easily deleted. WFC does not enforce any rule, it is up to the user to review his rules. WFC is mainly used by power users, not by grandparents that know how to open Skype and shut down the computer. Your assumptions are incorrect.

    upload_2020-2-28_0-32-45.png

    WFC is trash because it proposes this rule as a convenience for 99% of users. You don't even use WFC, so why do you make such a case from this? It was my decision to introduce this rule so that I was able to improve the software. Instead of spending 3 hours a day answering support emails about Windows updates, I preferred to spend 3+ hours a day to improve WFC. Anyway, this whole discussion has no point. I don't have to justify my decisions to anyone. If you don't like a software, move on. It seems that you are stuck on this.
     
  18. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    What about your paying customers o_O
     
  19. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    73,137
    Location:
    U.S.A.
    OK, Enough! Agree to Disagree and Move On! If the Back and Forth Continues, Posts will be Removed!
     
  20. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    @alexandrud
    I sent you a message with something I need help with. I appreciate you!
     
  21. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,629
    Location:
    USA
    BTW alexandrud I am sure there are many here who appreciate you.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,366
    Location:
    Among the gum trees
    + 1.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    +2, even though I am not even a user of WFC.
     
  24. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    200
    The general characteristic of software developers is their ego, mainly thinking that the software they have created is perfect. You see this a lot in developers but not in everyone.

    Getting angry because non-"qualified" users criticize their software or when a non-"qualified" user says something in their software is wrong and suggests an improvement for the software is totally ignored and even mocked (Ignoring their own ignorance).

    Conclusion, there is no perfect software ergo developers should listen to all suggestions even from non-"qualified" users.

    :)
     
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,469
    Location:
    Member state of European Union
    Developers should listen to all suggestions, but this does not mean implement them all. Often software that tries to do more and cover more use-cases is getting worse. "Perfect is the enemy of good"
     