Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    629
    Location:
    sweden

    Better but not good. I set high filtering and with Brave browser I could connect to the net without a problem and surf.

    Now I know what's up. It operates on the old rules that are left from the former program and goes further from there.
     
    Last edited: Aug 30, 2020
  2. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    150
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,950
    Location:
    Romania
    Long story short, that is another file named wfc.exe :)

    If you take a look at the list of files, they are Microsoft files.

    <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />

    That wfc.exe is a file that you usually have on your disk if you have Microsoft Visual Studio installed. Below is a screenshot from my development machine.

    More details about that wfc.exe here: https://www.exefiles.com/en/exe/wfc-exe/

    upload_2020-9-4_16-30-42.png
     
  4. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    150

    Thank you very much!
     
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    599
    Location:
    Lunar module
    Colleagues, what do you think about the usefulness or uselessness of such an option?
    Add the menu "temporarily enable the rule for ... 5 ... 10 ... 60 minutes", "temporarily disable the rule for ... 5 ... 10 ... 60 minutes" in the Rules Panel for already existing rules. And at the end of the timer there will be a pop-up message "rule [name] is off", "rule [name] is on", or do without the message.
    It would also be nice if the temporary state of the rule was marked in some way, maybe a column "temporary state" with an analogue of a checkbox.
     
    Last edited: Sep 6, 2020
  6. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    537
    Location:
    Switzerland
    @aldist

    It would be an improvement, that's clear. I just wonder how many people would regularly use it ... I assume not sooooo many. The second thing is: has the developer enough time to make such an improvement ... let us wait for reactions ...

    However: I find your idea generally a good one!
     
  7. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    348
    Location:
    .
    Pointless, bloat. I would never use it, what are even these "use cases" where one would use such an option? When I want a rule disabled, it's for when I'm "doing a thing" and need it disabled for that time, then when I'm done "doing a thing" I enable the rule again right after.
     
  8. Plutox

    Plutox Registered Member

    Joined:
    Dec 28, 2005
    Posts:
    22
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    599
    Location:
    Lunar module
    2. Colleagues, what do you think about the usefulness or uselessness of such an option?
    Add to the Rules Panel the ability to "create temporary rule for ... 5 ... 10 ... 60 minutes" (not from the notification window).
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,950
    Location:
    Romania
    Try to define your rule with the full IP range instead of the netmask. Instead of 192.168.2.0/255.255.255.0 use 192.168.2.1-192.168.2.254 and see if this helps.
    Use the guide from here to find out which rule blocked the connections.
    I added this into the backlog. Currently, I do not have time for implementing new features in WFC, but I will consider it.
     
  11. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    348
    Location:
    .
    Again, what is a use case for this? Unless you are doing something EXACTLY for 5 minutes or EXACTLY 10 minutes on the dot, this is either going to turn back on or be off when you don't want it to, you're either going to leave yourself open to not being protected because you finished early, or it's going to break the thing you were doing because you set it to 5 minutes when it was taking longer and actually took 6 minutes to do.
     
  12. Plutox

    Plutox Registered Member

    Joined:
    Dec 28, 2005
    Posts:
    22
    No change.
    Ran the process and the outcome is a rule not of my making [MWAC ALE Auth Receive Accept IPv4 (TCP)] and not visible within your rules panel. See what you make of this…
    Code:
                    <item>
                        <filterKey>{d0253ed6-f34b-11ea-a92e-3497f62b15f8}</filterKey>
                        <displayData>
                            <name>MWAC ALE Auth Receive Accept IPv4 (TCP)</name>
                            <description>MWAC ALE Auth Receive Accept IPv4 (TCP)</description>
                        </displayData>
                        <flags/>
                        <providerKey>{d0253e90-f34b-11ea-a92e-3497f62b15f8}</providerKey>
                        <providerData/>
                        <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
                        <subLayerKey>{d0253e91-f34b-11ea-a92e-3497f62b15f8}</subLayerKey>
                        <weight>
                            <type>FWP_EMPTY</type>
                        </weight>
                        <filterCondition numItems="1">
                            <item>
                                <fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
                                <matchType>FWP_MATCH_EQUAL</matchType>
                                <conditionValue>
                                    <type>FWP_UINT8</type>
                                    <uint8>6</uint8>
                                </conditionValue>
                            </item>
                        </filterCondition>
                        <action>
                            <type>FWP_ACTION_CALLOUT_TERMINATING</type>
                            <filterType>{d0253ed5-f34b-11ea-a92e-3497f62b15f8}</filterType>
                        </action>
                        <rawContext>0</rawContext>
                        <reserved/>
                        <filterId>76701</filterId>
                        <effectiveWeight>
                            <type>FWP_UINT64</type>
                            <uint64>844424930131968</uint64>
                        </effectiveWeight>
                    </item>
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,950
    Location:
    Romania
    It appears that another security software is blocking the connection by using a block rule defined through Windows Filtering Platform and not by Windows Firewall directly. Windows Firewall is just an implementation over Windows Filtering Platform. Try to disable any web protection module that you may have and try again. Another security software created that rule, which is not visible in Windows Firewall but may be visible in the security software that created it.
     
  14. Plutox

    Plutox Registered Member

    Joined:
    Dec 28, 2005
    Posts:
    22
    Thanks for that. The clue is in the rule name, MWAC – a quick test suggests it's the web protection module within your stable-mate, Malwarebytes. Although why this should choose to block connections from one member of my local subnet to another, is a mystery to me.

    Thanks again.
     
  15. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    I have this rule set (along with all other Windows Firewall Control recommended rules) but am unable to run Windows Update or set the time through Internet Time Settings when the WFC profile is set to Medium Filtering. Everything works, however, if I change the WFC profile to Low Filtering.

    Any ideas, please?

    Windows 10 1607 with 2020-06 updates
    WFC 6.4.0.0

    TIA
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    599
    Location:
    Lunar module
    First, try to allow any connections for svchost.exe. Windows Update and Time should work. Then set these rules for svchost.exe.
    1. For Windows Update.
    Allow TCP outgoing, where:
    local port - any;
    remote port - 80, 443;
    local address - any;
    remote address - any.
    2. For time service.
    Allow UDP outbound, where:
    local port - 123;
    remote port - any;
    local address - any;
    remote address - any.
    (if you specify the remote port 123, then sometimes you need to specifically specify the local and remote addresses).

    Try to synchronize the time via the Internet, and immediately look at the records of blocked connections in the WFC Connection Log and draw a conclusion.
     
    Last edited: Sep 10, 2020
  17. Plutox

    Plutox Registered Member

    Joined:
    Dec 28, 2005
    Posts:
    22
    It occurs to me – many a mystery might be explained if there was a straightforward way of viewing Windows Filtering Platform rules that might have been put in place (or left over) by applications other than WFC? Any way to do this?
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,950
    Location:
    Romania
    I develop and support only WFC while Malwarebytes has many products. But, yes, MWAC is related to the web protection module from Malwarebytes. Try to disable it temporarily.
    I am not aware of any tool that can be used to view nicely all WFP rules.
     
  19. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,688
    In 2016 there was a neat discussion of many secret filtering platform rules. I saved the Sphinx firewall link because I found it interesting. While they don't have a complete list (which we could all use), you might be interested to see the discussion in this thread:
    https://www.tapatalk.com/groups/vistafirewallcontrol/secret-rules-of-windows-firewall-t542.html
     
    Last edited: Sep 10, 2020
  20. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    599
    Location:
    Lunar module
    There are BFE rules HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter
    WFP - Windows Filtering Platform.
    BFE - Base Filtering Engine - this is WFP, modified by user (or system?) rules.
     
  21. Plutox

    Plutox Registered Member

    Joined:
    Dec 28, 2005
    Posts:
    22
    Thanks for that. A utility that showed all the current WFP rules in plain English would be hugely useful. I wonder just how many WFC ‘mysteries’ owe their existence to the presence of non WFC rules hiding within the platform.
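
Added example (not part of any post in this thread, and not WFC code): a short Python reader for WFP filter XML of the shape Plutox posted, such as the `filters.xml` that `netsh wfp show filters` writes, grouping filters by provider so that rules from other products are visible. The `<wfpdiag>`/`<filters>` wrapper, the second sample item with its all-zero GUIDs, and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed wrapper. Item 1 is the filter posted in the thread (trimmed);
# item 2 and its all-zero GUIDs are made up for contrast.
SAMPLE = """<wfpdiag><filters numItems="2">
<item><filterKey>{d0253ed6-f34b-11ea-a92e-3497f62b15f8}</filterKey>
  <displayData><name>MWAC ALE Auth Receive Accept IPv4 (TCP)</name></displayData>
  <providerKey>{d0253e90-f34b-11ea-a92e-3497f62b15f8}</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <filterCondition numItems="1"><item>
    <fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue><type>FWP_UINT8</type><uint8>6</uint8></conditionValue>
  </item></filterCondition>
  <action><type>FWP_ACTION_CALLOUT_TERMINATING</type></action><filterId>76701</filterId>
</item>
<item><filterKey>{00000000-0000-0000-0000-00000000000a}</filterKey>
  <displayData><name>Constructed block rule</name></displayData>
  <providerKey>{00000000-0000-0000-0000-000000000001}</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <action><type>FWP_ACTION_BLOCK</type></action><filterId>1</filterId>
</item></filters></wfpdiag>"""

ACTIONS = {"FWP_ACTION_BLOCK": "block", "FWP_ACTION_PERMIT": "permit",
           "FWP_ACTION_CALLOUT_TERMINATING": "callout driver decides"}
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}

def describe_condition(cond):
    field, value = cond.findtext("fieldKey", "?"), ""
    for child in cond.findall("conditionValue/*"):  # <type> plus one value element
        if child.tag != "type":
            value = (child.text or "").strip()
    if field == "FWPM_CONDITION_IP_PROTOCOL":
        value = PROTOCOLS.get(value, value)
    return f"{field} {cond.findtext('matchType', '?')} {value}"

def filters_by_provider(xml_text):
    """Group filters by providerKey so rules added by other products stand out."""
    groups = defaultdict(list)
    for item in ET.fromstring(xml_text).iter("item"):
        if item.find("filterKey") is None:  # nested condition item, not a filter
            continue
        action = item.findtext("action/type", "?")
        groups[item.findtext("providerKey") or "(no provider)"].append({
            "id": int(item.findtext("filterId", "0")),
            "name": item.findtext("displayData/name", ""),
            "layer": item.findtext("layerKey", ""), "action": ACTIONS.get(action, action),
            "conditions": [describe_condition(c) for c in item.findall("filterCondition/item")]})
    return dict(groups)
```

Conditions whose value is a nested structure (an address range, a byte blob) come back with an empty value here; extend `describe_condition` for the types you need.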
     
  22. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    Tried this and both WU and time sync worked.

    On making change 1., both WU and time sync stop working.

    The interesting thing is that changing "Remote ports" in 1. to "All ports" (for TCP), both WU and time sync again worked.

    Note, all default Windows rules have been deleted and only the WFC recommended rules are in place. (WU and time sync work with these rules if the profile is changed to Low Filtering.)

    WFC block logs are attached for failed time sync.

    Ideas?
     


  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    599
    Location:
    Lunar module
    It looks like Microsoft is tightening its svchost policy in newer versions of Windows 10.
    Judging by your log, try to add remote port 53 to the allowing rule # 1 for svchost or create a new rule "Allow DNS for svchost", UDP, where the local address is 192.168.0.10 (or any), local port - any, remote address 9.9.9.9 (or any), remote port 53.
    To reduce telemetry leaks, consider which rules can be enabled temporarily only when checking for updates or synchronizing time.
    P.S.
    Time synchronization is easy to solve with small third party apps that don't use svchost.
     
  24. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    If I've not misunderstood your post, I already have such a DNS rule; it was created by WFC. The attachments show my existing rules.
     


  25. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    599
    Location:
    Lunar module
    Yes, exactly, there is such a rule.

    @alexandrud
    The user shared an export file from his WFC Connections Log on the forum, but it is very inconvenient to parse it in Notepad due to the lack of clear tabs and column names. It would be very helpful for WFC to export the log in a format compatible with CSVFileView Portable http://www.nirsoft.net


    1. It is quite easy to do, you just need to replace the separators in the generated file from " | " to "," (without quotes).
    Now it is like this:
    13/09/2020 11:11:51 | 3788 | SSDP Discovery | C:\windows\system32\svchost.exe | Block | Out | 127.0.0.1 | 58548 | 239.255.255.250 | 1900 | 17 | SSDPSRV
    13/09/2020 11:11:48 | 3788 | SSDP Discovery | C:\windows\system32\svchost.exe | Block | Out | 127.0.0.1 | 58548 | 239.255.255.250 | 1900 | 17 | SSDPSRV
    13/09/2020 11:11:45 | 3788 | SSDP Discovery | C:\windows\system32\svchost.exe | Block | Out | 127.0.0.1 | 58548 | 239.255.255.250 | 1900 | 17 | SSDPSRV
    And it will be like this:
    13/09/2020 11:11:51,3788,SSDP Discovery,C:\windows\system32\svchost.exe,Block,Out,127.0.0.1,58548,239.255.255.250,1900,17,SSDPSRV
    13/09/2020 11:11:48,3788,SSDP Discovery,C:\windows\system32\svchost.exe,Block,Out,127.0.0.1,58548,239.255.255.250,1900,17,SSDPSRV
    13/09/2020 11:11:45,3788,SSDP Discovery,C:\windows\system32\svchost.exe,Block,Out,127.0.0.1,58548,239.255.255.250,1900,17,SSDPSRV
    2. The first line in the generated file should be a line with the following content:
    "Time generated", "Process ID", "Name", "Program", "Action", "Direction", "Source address", "Source port", "Destination address", "Destination port", "Protocol", "Service"
    3. The result of opening such a file
    ScreenShot_301.png
    4. As a temporary solution, you can independently insert the first line into the sent file and batch replace the separators in it, for example, in NotePad ++.
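
Added example (not part of the post above, and not WFC code): a Python conversion of the " | "-separated log into CSV with the header proposed in step 2, using the `csv` module so that a field containing a comma is quoted instead of being split, plus a count of blocked connections per program and destination. The first two sample lines come from the post; the other two, and the function names, are constructed for this example.

```python
import csv
import io
from collections import Counter

# Column names proposed in the post above.
HEADER = ["Time generated", "Process ID", "Name", "Program", "Action", "Direction",
          "Source address", "Source port", "Destination address", "Destination port",
          "Protocol", "Service"]

# Lines 1-2 are from the post. Lines 3-4 are constructed: a path containing a
# comma (which a plain " | " -> "," replace would split) and a truncated line.
SAMPLE_LOG = r"""13/09/2020 11:11:51 | 3788 | SSDP Discovery | C:\windows\system32\svchost.exe | Block | Out | 127.0.0.1 | 58548 | 239.255.255.250 | 1900 | 17 | SSDPSRV
13/09/2020 11:11:48 | 3788 | SSDP Discovery | C:\windows\system32\svchost.exe | Block | Out | 127.0.0.1 | 58548 | 239.255.255.250 | 1900 | 17 | SSDPSRV
13/09/2020 11:12:03 | 4120 | Example Tool | C:\Program Files\Example, Inc\tool.exe | Block | Out | 192.168.0.10 | 50001 | 9.9.9.9 | 53 | 17 | ExampleSvc
13/09/2020 11:12:04 | 4120 | Example Tool
"""

def wfc_log_to_csv(log_text):
    """Return (csv_text, rejected_lines); lines without 12 fields are rejected."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")  # quotes fields containing commas
    writer.writerow(HEADER)
    rejected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == len(HEADER):
            writer.writerow(fields)
        else:
            rejected.append(line)
    return out.getvalue(), rejected

def blocked_summary(csv_text):
    """Count blocked connections per (program, destination, port, protocol)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return Counter((r["Program"], r["Destination address"], r["Destination port"],
                    r["Protocol"]) for r in rows if r["Action"] == "Block")

if __name__ == "__main__":
    text, bad = wfc_log_to_csv(SAMPLE_LOG)
    print(text, end="")
    print(f"rejected {len(bad)} line(s)")
    for key, count in blocked_summary(text).most_common():
        print(count, *key)
```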
     