Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    Well it turned out to be more complicated than just requiring that svchost->service rule. First of all, both Windows updates and daily Windows Security updates could be detected, but not able to download; they were getting stuck at 0% progress every time, and the frustrating part about it was that WFC was not providing notifications for connection attempts, even though that option is enabled. About a week ago I whittled down my ruleset significantly by deleting the default rules and building my own based both on what I knew I needed, as well as via WFC notifications. It seems I deleted some rule or rules that are required for updates to be downloaded. So I ended up importing a ruleset I saved before paring down my ruleset, and now all is good. There are several Windows apps default rules in that set that might be what's needed, but ofc I can only speculate at this time.

    Still, the most puzzling thing about the ordeal, besides the rule(s) required for the downloading of updates, is why didn't WFC present alerts when the updates were being blocked?
     
  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    I can confirm since I disabled that logon provisioning task, I have not had any more flipping between private and public states.

    Also thanks alexandrud for confirming the behaviour on file sharing.
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,097
    Location:
    Romania
    An existing matching svchost.exe rule? Did you check the Connections Log and your existing rules?
    svchost.exe added in the notifications exceptions list?
    Notifications disabled?
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    Notifications were/are enabled. I didn't add anything to Notifications exceptions list - at least not deliberately, and yes, there were matching svchost rules with regard to protocol, remote IPs, but with each one tied to a different service. Anyway, that rule set is gone and the earlier one I imported is working fine, so I unfortunately can't research any more.

    Thank you for your suggestions, alexandrud :)
     
    Last edited: Feb 12, 2021
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Yes that's true I guess, but if some app already has permission to make outbound connections, doesn't it already have full access to your PC? I always assumed that such an app can simply collect data and then send it back to the hacker's server. I never understood why some apps need permission to listen for inbound connections, what ability do they gain with this permission, know what I mean?
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    They act as a server for remote sources that request connections to them. As @alexandrud mentions in the quote you included in your above post: "... and if you want to query their databases, you have to allow inbound connections to them."
     
  7. Rick2154

    Rick2154 Registered Member

    Joined:
    Feb 17, 2021
    Posts:
    4
    Location:
    USA
    alexandrud

    I am very new to using your WFC program.
    I've been trying different Firewalls for a while now. I do like yours very much.

    I have watched the video "Windows Firewall Control 4" ..nice btw and well-done at that time period.
    http://www.youtube.com/watch?v=Wpsnf_pbGMM
    I have also read the WFC User Guide pdf end to end.
    My question is about where it says:
    A temporary rule can be set to expire when Windows Firewall Control is restarted, after 60, 10 or 5 minutes
    ..right here, next where it says:
    "There is also this Custom Timeout which can be set between 1 and 60 minutes."

    Question 1. Where is this Custom Timeout gui located? ..so I can manually set anything between 1 to 60 minutes myself?

    Question 2. Is there a way to create another entry alongside timeout of xx minutes, to also have another separate choice = an instance of 1 time; iow, let's say Program A prompts for internet access, my choices I see now are 5 min, 10, 60, or Until Restart - but what I'd like along with Minutes, is another setting for: 1 instance. I click to allow Program A ..a one time access, and as long as it's connected online - it has access indefinitely (not timed) until it's closed, but once I close Program A it ends permission. If I start Program A again, then I will have to grant the same 1 instance again (or choose from your other Minutes scale)

    Do you understand and did I ask my question correctly, alexandrud ?

    I would actually pay for this extra feature!

    Thank you
     
    Last edited by a moderator: Feb 18, 2021
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,097
    Location:
    Romania
    upload_2021-2-18_22-26-25.png
    In theory, WFC could keep an internal list of allowed processes and watch the current running processes. Once you press on a new button called "Allow this time/instance", WFC could create an allow rule and watch when that process is not running anymore. When the process exits, WFC could delete the rule. It can be done, it is not hard at all, the problem is that I am working on many projects right now and I do not have enough time to update WFC. I will put this request in the backlog and I will implement it someday.
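
    The create-watch-delete cycle described in the post above, sketched with the built-in NetSecurity cmdlets as an added example (not part of the original post and not WFC code). The function name and the group label are hypothetical, and an elevated PowerShell session is assumed.

```powershell
# Added illustration, not WFC code. Run from an elevated PowerShell session.
$Group = 'Instance-Rules-Demo'   # hypothetical label, used to find leftovers later

function Grant-InstanceRule {
    param([Parameter(Mandatory)] [int] $ProcessId)

    # Resolve the image path of the process that asked for access.
    $exe = (Get-Process -Id $ProcessId -ErrorAction Stop).Path
    if (-not $exe) { throw "Cannot read the image path of PID $ProcessId." }

    # Unique display name, so only the rule created here is ever removed.
    $name = "Instance - $(Split-Path -Leaf $exe) - $([guid]::NewGuid())"
    New-NetFirewallRule -DisplayName $name -Group $Group -Direction Outbound `
        -Action Allow -Program $exe | Out-Null
    try {
        # The rule matches the path, not one PID, so it stays until no process
        # with that image is left (covers multi-process apps such as browsers).
        while (Get-Process | Where-Object { $_.Path -eq $exe }) {
            Start-Sleep -Seconds 2
        }
    }
    finally {
        # Runs on normal exit and on Ctrl+C alike.
        Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    }
}

function Clear-StaleInstanceRules {
    # If the watcher itself was killed, its rules remain; remove them by group.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}
```

    Because the rule is keyed on the executable path, every process started from that path is allowed while the rule exists. Calling `Clear-StaleInstanceRules` at logon removes anything left behind by an interrupted watcher.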
     
  9. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Just realised that I haven't updated WFC for a while (I'm running 6.0.2.0). I've downloaded the latest version and seem to recollect that previously I just installed this on top. Is that still OK to do?

    Alternatively, "Check if a new version is available" tells me that I need a rule to allow the connection. Grateful if someone would kindly explain what rule I need to create.
     
  10. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    879
    Location:
    Lunar module
    Ok, over the top. Before that, create a backup of the rules, just like that, for no reason.

    Create an outbound allow rule for C:\program files\malwarebytes\windows firewall control\wfc.exe
    Without a rule, when checking for updates, the WFC itself will show a message about an outgoing connection request.
     
  11. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Thanks aldist. OTT update went smoothly.
     
  12. Rick2154

    Rick2154 Registered Member

    Joined:
    Feb 17, 2021
    Posts:
    4
    Location:
    USA
    As for your screenshot on Question 1 - Yes I've seen that GUI already and even had set them, but thought it was all about just that = "Notification Options" and how long do I want to leave the alert box open!
    Ahhhh, but as I re-read the second worded option over and over - its wording is slightly different and it's not about how long the alert box is open, but about temporary rule. Shoot, I can see now why I missed that because it's under the "Notification Options", and not where I expected to see it right where 5, 10, 60, until restart is ..and there have that clickable option right there.
    Hmmm, if I set it to let's say 1 minute though that IE, Edge, Firefox, etc whatever program, only will work for just that one minute and stop, whereas if you had a One Instance would work until closed.

    Re: Question 2. I can appreciate your time dilemma more than you know. I also see you have been dedicated to this WFC project for a long long long time, and that you even reply to posts all these years is a credit to you and your tenacity. Also your WFC thread has a higher view count than all others too, and I can see why. Excellent program. Everywhere I look I see more buttons opening other screens of interest. Very nice!
    Thank you for your work. Sincerely.
    fwiw, I personally prefer your branding rather than the new company (sorry) ...HowEver, I can clearly surmise all the many darn good reasons why you had to do what you did. I understand and respect those reasons and decisions. I do.
    If I was a multi-millionaire, I would have given you a million $ to fund your program, I would, I think it's just that worthy! LoL, I would also hand you an extra 100k and say not only to put that custom adjustable timer on the Allow xx time gui, but more importantly ask you to create that "Allow this time/instance" rule immediately and put it on that same gui too. Because I was an investor though I would also have first testing rights on it right away, instead of having to long await for all the time it takes to make it an official release.
    What a dreamer I am :)

    Thank you
     
    Last edited: Feb 19, 2021
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    879
    Location:
    Lunar module
    If I were a developer, maybe I would agree to ... 2000€. Try it, maybe there is still a chance to get the desired option :D
     
  14. Rick2154

    Rick2154 Registered Member

    Joined:
    Feb 17, 2021
    Posts:
    4
    Location:
    USA
    I'm not a millionaire though, so.. it's just how I think and dream - where all things are possible.
    I think my idea is right on though.
    If I was a multi-millionaire, I would fund projects like this, because they are akin to how I think about security. I also can see and understand the incredible time and effort it took him to create a program like this, and tie it into the main Windows Firewall. I think it's thrilling, and a thrilling accomplishment.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    No correct, but what I'm trying to figure out is how would malware use the "act as a server" permission. Is it perhaps to get full control over the PC from remote? Then I'm guessing that tools like TeamViewer also need to listen for incoming connections, perhaps somebody can check this out.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    I guess so, but from my limited understanding, I think malware typically looks to connect outbound to a remote server to download malicious content onto the victim's computer. And since most home users are behind some sort of router, a remote adversary looking to connect to a malicious server process on the victim's device should be blocked by the router anyway.

    You might remember the Blaster worm of XP days, that exploited an unpatched vulnerability in the DCOM RPC. Well if a user was behind a router, or even if Windows firewall was enabled (block incoming by default) the worm was blocked, so the vulnerable DCOM RPC listening for remote connections rendered the Blaster worm looking to exploit it harmless.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I do remember that back in the days you had backdoors/trojans who could control PC's from remote, I'm guessing they could only work if they could accept incoming connections. But like you said, I suppose a firewall should block this anyway. So if a firewall or HIPS alerts about this, this might be a clue that a certain app might be shady, unless it has a valid reason to request this permission.
     
  18. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    413
    Location:
    CSA Consulate, Glos., UK
    Sadly, many firewalls seem to skip telling you which app made the attempt. The 'bad' ones seem to use 'system' or 'svchost' and so use MS's convenient code-saving network access. I recall attending a computer course on clustering in London where the instructor had left the remote access unaltered. I got a bit bored at one point on the last day, everyone was ready to go home, and so I used the shutdown command to occasionally shut down the instructor's server. Took him a while to figure out what was going on, he of course got a bit angry and ordered 'whoever is doing that please stop'. So I did. You can harden those two apps, but then some apps you want may not function as expected.

    (He'd told us earlier that after each class they wiped and reinstalled the server, and wiped the students' PCs so they could install the server OS themselves, so I was not overly sorry.)
     
  19. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    Sorry, I got one more problem, completely unexpected and is a weird one. Hopefully someone already has a workaround for this.

    If I have adaptive sync enabled on my monitor, then the first time either of the following happens.
    (a) bring up WFC UI to change settings etc,
    (b) notification popup for WFC

    The screen goes off then on again briefly, it will only do this the first time after the screen is turned on, the problem is gone again if I disable adaptive sync.

    I already fixed it, nvidia weirdness, I made a new game profile on nvidia settings, and copied over the settings for windows explorer for gsync, and now it's normal. I will do a support request with nvidia to see if they can ship this in their drivers.
     
    Last edited: Feb 23, 2021
  20. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    Last edited: Mar 15, 2021
  21. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    413
    Location:
    CSA Consulate, Glos., UK
    The image is essentially unreadable, too small. I do not have any that begin U-, so I haven't a clue. There is an option to list and then delete invalid and/or duplicate rules. The Security Options 'secure rules' section allows for deletion of 'unauthorized' rules. I am guessing the ones marked U-Steam and U-{whatever the other group is} are 'Unauthorized' and hence possibly malware added by third party games/software, which you could individually highlight and right click to delete (backup rules 1st).
     
  22. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    879
    Location:
    Lunar module
    If the "Secure rules" function is enabled and the "Disable unauthorized rules" option is selected, the prefix "U -" will be added to the name of such disabled rules.
    These will be rules created by the applications themselves without user intervention.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    When svchost.exe is tied to a specified service such as Windows update (wuauserv.exe), the connection fails when attempting to scan for updates and I'm prompted to retry. I've checked my rule carefully for outbound TCP to remote ports 80,443, and it is correct. When I choose "Apply to all programs and services", the update & security checks work fine.
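
    For comparing service-scoped svchost.exe rules like the one described above against the Connections Log, the following added example (not part of the original post and not WFC code) lists every enabled outbound allow rule for svchost.exe with the service, protocol and remote ports it is restricted to. The function name is hypothetical; it only reads the rule store and changes nothing.

```powershell
# Added illustration, not WFC code: read-only listing of svchost.exe allow rules.
function Get-SvchostRuleScope {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            # Program paths may be stored with variables such as %SystemRoot%,
            # so match on the file name only.
            $app = $_ | Get-NetFirewallApplicationFilter
            if ($app.Program -notlike '*\svchost.exe') { return }

            $svc  = $_ | Get-NetFirewallServiceFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Service    = $svc.Service      # 'Any' = not restricted to one service
                Protocol   = $port.Protocol
                RemotePort = $port.RemotePort -join ','
            }
        }
}

Get-SvchostRuleScope | Sort-Object Service, Rule | Format-Table -AutoSize
```

    A rule whose Service column shows a short service name applies only to traffic attributed to that service; a rule showing `Any` applies to every service hosted in svchost.exe.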
     
  24. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    200
    Hi, this is the only thing I don't like about WFC.

    Sin título.jpg
     
  25. Tunerz

    Tunerz Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    110
    Location:
    Philippines
    This was alexandrud's explanation regarding WFC's telemetry.


     