Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    252
    @alexandrud

    I found a minor issue with WFC on my system, Win10x64 v2004. It won't show invalid rules after selecting show duplicate rules in the rules panel. If I select show invalid rules first in the rules panel then they show, but if I select show duplicate rules first and then select show invalid rules then they won't. I have to select refresh list and then select show invalid rules in order for them to show.

    Like I said it's minor, but I thought I would bring it up here in case you were unaware of it and would like to change the behavior so that it always shows invalid rules whenever invalid rules is selected, assuming you can reproduce it.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,934
    Location:
    Romania
    This is by design. Show invalid rules applies a filter over the existing loaded items. For duplicate items a grouping is applied over loaded items. Any entry that is not part of the subset is removed, so everything is applied to what is displayed. I will see if this can be improved.
     
  3. someone2

    someone2 Registered Member

    Joined:
    Jan 12, 2013
    Posts:
    5
    Sorry if this is a known issue or has been discussed before:

    Freshly installed Windows 10 2004, WFC 6.3.0.0: when medium filtering is selected the outbound allow rules of WFC aren't effective for certain services, such as Windows and Store updates (svchost). According to the log they're being blocked instead. I tried it with and without WFC's recommended rules, via notifications and learning mode. The allow rules are always correctly created - also checked them in the Windows Defender Firewall UI - but in the end the affected services/processes are being blocked. Other freshly created allow rules such as Firefox are working fine. Any idea?

    BTW no other changes have been made to the default settings of WFC, secure rules are disabled. The problems are gone when low filtering profile is selected, so it's not an issue of an overseen block rule or similar.
     
    Last edited: Jul 9, 2020
  4. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    585
    Location:
    Wallachia
    Is "usocoreworker.exe" allowed to connect?
    Did you take a look at the Firewall log to see what's being blocked or allowed?
     
  5. someone2

    someone2 Registered Member

    Joined:
    Jan 12, 2013
    Posts:
    5
    Yes, is allowed.
    For example Windows Update is being blocked several times (never allowed) when an update search is initialized - even though a proper allow rule exists. I also tried it with learning mode so the needed rules were created automatically. Didn't help. As soon as the WFC filtering level is changed to low the Windows updates start. So in medium filtering mode WFC/WDF somehow doesn't seem to find the matching rule (although it definitely exists) and blocks the "unknown" outbound connection.

    I can provide screenshots later if needed.
     
  6. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    535
    Location:
    Switzerland
    @someone2

    The "good" thing is: you have no explicit block rule for "usocoreworker.exe" because that would also work in Low profile mode.

    To find out why that is not working after switching to Medium profile, it would be indeed good to post the related allow rule(s).
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,934
    Location:
    Romania
    If you have allowed a specific service name for a svchost.exe rule and that service is still blocked, you can somehow verify the rule that blocked the connection.
    • Reproduce the issue
    • Run command in a CMD window with administrative privileges: netsh wfp show state (this will create an XML file in the current folder)
    • Open the event viewer: Run (Windows+R) > eventvwr.msc
      • go to "Windows logs" > "Security"
      • in the list, identify the dropping packet log (hint: use the Search feature on the right menu, searching for items (source IP, destination port, etc.) specific to your issue)
      • in the log details, scroll down and note the Filter Run-Time ID used to block the packet

    • Open the generated wfpstate.xml file:
      • search for the noted filter ID, and check out the rule name (element "displayData > name" on the corresponding XML node)

    If the name is Default Outbound then it may be a bug in Windows Firewall. This means the allow rule targeted to that specific service name was ignored. Why it was ignored, I have no clue, the code is in Microsoft assemblies and I do not have access there. In Windows 10, Windows Update uses more services for updating purposes, so to use Windows Update, you mostly need to allow svchost.exe on remote ports 80,443 with no service name set. If you consider that such a rule is very wide, then disable it and manually enable it once a week when you manually check for updates.
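
Added example, not part of the thread and not WFC's own code: the lookup described in the post above (Filter Run-Time ID from the Security log, then the rule name in wfpstate.xml) as a small script. Only `displayData > name` comes from the post; the `filterId` and `action/type` element names, the sample XML and its IDs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of `netsh wfp show state` output.
# Element names other than displayData/name are assumptions; IDs are made up.
SAMPLE_WFPSTATE = """<wfpstate>
  <layers>
    <item>
      <layer><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey></layer>
      <filters numItems="2">
        <item>
          <displayData><name>WFC - Windows Update</name></displayData>
          <action><type>FWP_ACTION_PERMIT</type></action>
          <filterId>70112</filterId>
        </item>
        <item>
          <displayData><name>Default Outbound</name></displayData>
          <action><type>FWP_ACTION_BLOCK</type></action>
          <filterId>70250</filterId>
        </item>
      </filters>
    </item>
  </layers>
</wfpstate>"""


def find_filter(wfpstate_xml, run_time_id):
    """Return details of the filter matching the Filter Run-Time ID noted in
    the Security log entry, or None if it is not present in this capture."""
    root = ET.fromstring(wfpstate_xml)
    wanted = str(int(run_time_id))  # accepts "70250" or 70250
    for item in root.iter("item"):
        # Only filter nodes carry filterId as a direct child; layer and
        # condition <item> nodes fall through here.
        if (item.findtext("filterId") or "").strip() != wanted:
            continue
        name = (item.findtext("displayData/name") or "").strip()
        return {
            "filter_id": int(wanted),
            "name": name,
            "action": (item.findtext("action/type") or "").strip(),
            # True means no allow rule matched and the default policy blocked.
            "default_outbound": name == "Default Outbound",
        }
    return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # wfpstate.xml path, then the Filter Run-Time ID
        with open(sys.argv[1], "rb") as fh:
            print(find_filter(fh.read(), sys.argv[2]))
    else:
        print(find_filter(SAMPLE_WFPSTATE, 70250))
```

A `None` result means the ID was not found in that capture, so the state file should be regenerated right after reproducing the block.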
     
  8. someone2

    someone2 Registered Member

    Joined:
    Jan 12, 2013
    Posts:
    5
    The rule name in the XML file is indeed "Default Outbound".

    After removing the service name (wuauserv) from my existing, ineffective svchost.exe rule and restricting the protocol to TCP remote ports 80, 443 it works flawlessly! I can live with that - thank you, alexandrud!

    Out of curiosity I added WFC's recommended rules again which I had in the beginning: the Windows Update rule only includes port 443. 80 is missing which seemed to be the problem in my earlier tests. Did you change that recently? On my old system from 2016 your Windows Update rule included port 80 - but maybe I edited it, don't really remember.
     
    Last edited: Jul 10, 2020
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,934
    Location:
    Romania
    I have to re-add port 80 in WFC recommended rules. I was expecting it to use only SSL, therefore only port 443. However, it appears that it still uses some non SSL connections on port 80. So, yes, just add 80 too and I will also update this in next WFC version.
     
  10. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    15
    Location:
    withheld
    The WFC recommended rule "WFC - Internet Control Message Protocol (ICMPv4-Out)" is applied to the program "System" (as are a handful of other rules). What is referred to by "System" here? And does it have any associated executable/application package/service?
     
  11. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    254
    Location:
    Canada
    Is it your PC, wide opened to the internet.
     
  12. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    585
    Location:
    Wallachia
    Without that rule some applications/online games may not work properly. Same for the Inbound one.
    The ICMP rules should be made/edited from the Windows Advanced Settings though, as in this way you can access the ICMP types, so you can make proper rules with what is really needed in the ICMP field.
    This forum has some recommendations regarding what ICMP types should be allowed. Use the search function.
     
    Last edited: Jul 12, 2020
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    572
    Location:
    Lunar module
    In Windows Firewall with Advanced Security WFwAS (not in WFC) create a rule that allows outgoing only ICMPv4 Type 8 Code 0 (echo request) and check the invisibility of the computer from the outside https://ping.eu/ Add this rule to the authorized group in WFC.
     
  14. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Feature Request: time based rule editor, example: minutely, hourly, daily, weekly, monthly, yearly, enable or disable "powershell.exe" rule for "this long".
     
  15. AnotherUser

    AnotherUser Registered Member

    Joined:
    Jul 18, 2020
    Posts:
    2
    Location:
    Here
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,934
    Location:
    Romania
    Will probably not happen very soon :( The implementation would use the Description property of the rule which may be extended to include JSON settings instead of a simple string. In this way, the properties may be extended with more properties, including a time frame when a rule is enabled or not, the order in the Rules Panel, etc. This is a little bit complex and I have a lot of work in the following months. But I will add this in the backlog. It will be done at some point.
     
  17. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    572
    Location:
    Lunar module
    In search of a solution, try actualization the source and destination addresses and ports, or vice versa, completely abandon their actualization (allow all).
     
  18. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    124
    Location:
    Belgium
    Do I understand that your last WFC version is built based on the old type 'Secure Rules 5 0 2 0' ?
    thks
     
    Last edited: Jul 18, 2020
  19. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    329
    Location:
    Canada
    5.3.1.0
     
  20. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    535
    Location:
    Switzerland
    @myk1

    It's absolutely NOT recommended to revert back to an old version, especially to SUCH an old version. You can't benefit from all the fixes etc. You should not be surprised if something runs bad ...

    See the changelog here:

    https://binisoft.org/changelog.txt
     
  21. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    124
    Location:
    Belgium
    No, no I don't want to 'revert' ..
     
    Last edited: Jul 18, 2020
  22. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    535
    Location:
    Switzerland
    Ahh, ok, then sorry for the noise!
     
  23. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    329
    Location:
    Canada
    Running latest W10 2004, and 5.3.1.0 with absolutely NO problems, and there's nothing in those change logs that requires one to update, but enjoy the added telemetry, or Event Viewer errors if you remove it I guess.
     
  24. AnotherUser

    AnotherUser Registered Member

    Joined:
    Jul 18, 2020
    Posts:
    2
    Location:
    Here
    I've tried every combination of options, and the only one that seems like it might work is to allow each IP address individually...only 500 so far!
     
  25. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    124
    Location:
    Belgium