Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    These are legal statistics and can be easily disabled. Delete mbcut.dll, mbcut32.dll, Newtonsoft.Json.dll or rename it to .dll_____. Disable WFC update check.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    WFC update check does not send any telemetry data. It will check the content of https://binisoft.org/update.xml and will compare the current version with the one from the xml file. This is how it checks if a new version is available.
     
  3. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    I'm concerned that I may be blocking some essential Windows rules that are being created with a U prefix because they don't have a group name. An example is HNS Container Networking DNS/ICS. I have 50 or so of these with U prefix and no group name. Should I add these to a custom authorized group?
     
  4. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
  5. Sigals

    Sigals Registered Member

    Joined:
    Mar 24, 2021
    Posts:
    2
    Location:
    EUU
    Hi there,

    I've been using WFC for quite a while; however, I have an issue where I get this notification multiple times per day - even though I click "Allow this program".

    https://i.imgur.com/ncCiLgo.png

    Is it not possible to have a wildcard path such as: C:\ProgramData\Microsoft\Windows Defender\Platform\*\msmpeng.exe

    It's extremely annoying having this like 4-5 times per day.

    Any suggestions would be welcome.
     
  6. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    1\ Add msmpeng.exe to the "Notifications -> Notifications exceptions" list.
    Or 2\
    For the msmpeng.exe, create a general blocking rule for outgoing connections and DISABLE it;
    in the advanced notification settings, SUPPLY the lowest checkbox "Use disabled rules when searching for matching rules. If a matching disabled rule is found the notifications will not be displayed."
    Windows Firewall and Windows Firewall Control do not support wildcards.
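
Added example (not part of the posts above and not WFC code): because rules match a literal program path, this read-only PowerShell script expands the `Platform\*\MsMpEng.exe` pattern from the question and reports which existing rules point at a path that no longer exists and which installed binaries have no rule for their exact path. It assumes Windows 8/Server 2012 or later (NetSecurity module) and an elevated prompt.

```powershell
# Added example: read-only audit, changes no rules.
# Expand the wildcard that the firewall itself cannot interpret.
$pattern = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
$current = @(Get-Item -Path $pattern -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty FullName)

# Collect every rule whose program filter names MsMpEng.exe.
$ruleInfo = @(Get-NetFirewallApplicationFilter -All |
    Where-Object { $_.Program -like '*\MsMpEng.exe' } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        # Rules may store the path with %ProgramData%-style variables.
        $path = [Environment]::ExpandEnvironmentVariables($_.Program)
        [pscustomobject]@{
            Rule       = $rule.DisplayName
            Enabled    = $rule.Enabled
            Action     = $rule.Action
            Direction  = $rule.Direction
            Path       = $path
            PathExists = Test-Path -LiteralPath $path
        }
    })

'Rules naming MsMpEng.exe (PathExists = False: the version directory is gone):'
$ruleInfo | Format-Table -AutoSize -Wrap

'Installed MsMpEng.exe binaries with no rule for their exact path:'
# -notcontains compares strings case-insensitively, as Windows paths require.
$current | Where-Object { $ruleInfo.Path -notcontains $_ }
```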
     
  7. Sigals

    Sigals Registered Member

    Joined:
    Mar 24, 2021
    Posts:
    2
    Location:
    EUU
    Perfect! Thank you very much, the notification exception didn't occur to me.
     
  8. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    65
    Would it be possible to add the ability for allowing/denying connections based on what the parent/calling process is?

    For example, allowing programA when it wants to outbound through python.exe, but blocking python.exe when programB (or any program besides programA) attempts it. Would this be possible? There are "common area" programs like python, node, java, etc. that would be great if we could block connections through those based on what program is doing the calling.
     
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    This is probably a HIPS function, not a firewall, and Windows does not have built-in HIPS. When used in conjunction with WFC, this can be solved by the settings in group policies or in OSArmor, in it you can create a rule like "prevent python.exe from starting for everyone except programA".
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    Not possible because Windows Firewall rules are applied per path basis, not per process basis.
     
  11. Leeju27

    Leeju27 Registered Member

    Joined:
    Apr 10, 2021
    Posts:
    2
    Location:
    Uludag
    Binisoft Firewall by alexandrud was the reason i didn't switch from windows to linux.... and the reason why i'm now a registered member of this forum :)
    Welcome everybody and Alexandru thank you for that and for your fabulous Product!

    By the time i used WFC the problems get more and more:

    1.) svchost is getting blocked sometimes at "medium level"-profile, even if i set a rule to allow everything (in-, outbound in all locations)
    2.) My Wifi-Connection is getting lost sometimes - i'm not sure if this has something to do with WFC or with 1.)
    3.) since version 6.4.0.0: whenever i create a new rule or i click on a WFC-Alert, the program freezes for a few seconds (about 10-20 sec). The reaction with versions before 6.4. were always very fast.
    4.) after click to check update in "About" panel i get this error message:
    https://abload.de/img/fehlerwindowsfirewallrmj3y.png

    5.) Since malwarebytes bought WFC the development seems to be stuck.
    Is there an update planned?
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    1. This happens because Windows Filtering Platform contains some internal rules which are not exposed to the user (the rules you see in WFC or WFwAS). These rules are more restrictive especially for this reason: "even if i set a rule to allow everything (in-, outbound in all locations)". This is a really bad idea.
    2. Not related to WFC at all since there is no packet filtering. WFC does not block or allow anything. However, some Svchost.exe and System are always required for proper network connectivity. See the WFC recommended rules for a minimal set of rules required by svchost.exe and System.
    3. Please check WFC log in Event Log. I had a report about a similar case a few months ago and the problem was a Windows Update which messed up the Windows Firewall. The same freeze, with nothing logged. A Windows reinstallation fixed the problem for that user.
    4. This is because wfc.exe can't access the Internet. Do you have an allow rule for C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe ? If not, then how can it check for updates ?
    5. Development for WFC is slow because I am working on many other projects for Malwarebytes. When some of these projects will come to an end and I will have more free time, I will update WFC. I have many new features in plan for WFC, unfortunately, they have low priority.
     
  13. osmandemi

    osmandemi Registered Member

    Joined:
    May 5, 2010
    Posts:
    113
    Malwarebytes internet security(firewall+ malwarebytes) o_O
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    No, there is no plan for such combination.
     
  15. Paul04

    Paul04 Registered Member

    Joined:
    Mar 4, 2020
    Posts:
    9
    Location:
    Colorado
    WFC rule question

    https://www.4shared.com/img/azZuTWyIea/s25/178d4b08ee0/scvhost_process_blocked

    Hi all

    I ask for clarification on how a WFC Rule works when it includes both a Process (*.exe) and also a Service.

    In my example, please refer to the attached WFC Log above (picture).

    It seems to me that the Log shows that the Windows Service "AudioSrv,Dhcp,eventlog,lmhosts,wscsvc" is using the process "Svchost.exe" to send an outwards msg, but was blocked from doing so.

    My question is: If I now highlight this Log entry and use the "Customize & Create" action to create a WFC Rule to ALLOW this service to send an outwards message, which of the following is correct:

    (a) WFC will only allow Svchost to send a message when it is initiated by the service "AudioSrv,Dhcp,eventlog,lmhosts,wscsvc", or

    (b) WFC will allow Svchost to send messages irrespective of which service asks it to do so (i.e. open slather for all Svchost processes)
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    From your screenshot, it seems that you have Windows 7. This "AudioSrv,Dhcp,eventlog,lmhosts,wscsvc" is not a service, but 5 different services. WFC tries to detect the service name from the Process ID. Unfortunately, 5 different services run under same PID which is 948. In Windows 10, this is not possible anymore. In Windows 7, this means any of those 5 services could be source of the connection.

    (a) Not correct. WFC does not allow/block anything, Windows Firewall does this. If the problem is that you have entries in Connections Log about blocked svchost.exe connections, then you should create 5 different rules for each of these services. If you did not experience any missing functionality, I wouldn't bother with this.

    (b) Not correct. This would happen only if your svchost.exe rule is applied to all services, meaning no service specified. If you specify a service in your rule, only that service will be able to connect.

    Anyway, it seems that you only need to enable this rule, so that your machine can contact your DHCP server:
    upload_2021-4-15_18-48-0.png
     
  17. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    As far as I know, the DHCP Allow Rule is only needed if you get a dynamic IP address from your ISP. Create a blocking DHCP rule, if there are no problems with the Internet, you can leave this blocking rule.
    Also, in the settings of the network adapter, you can disable the IPv6 protocol (TCP\IPv6).
     
  18. Paul04

    Paul04 Registered Member

    Joined:
    Mar 4, 2020
    Posts:
    9
    Location:
    Colorado
    Thanks, clear answer, and I'm relieved it's true.
    Just as an aside - do windows Services have unique ID's, similar to PIDs of Processes, that are knowable by users or are Services only known by name?

    Thanks, I understand your point of creating single-service rules.

    May just need to clarify a bit further - looking at my current Rules listed in WFC, over several months I have accumulated about a handful of SvcHost.exe block rules (different IP ranges and ports) that all show the following in the Service field (which looks exactly the same in the WFW interface):
    "AeLookupSvc,Appinfo,BITS,Browser,gpsvc,iphlpsvc,LanmanServer,MMCSS,ProfSvc,Schedule,SENS,ShellHWDetection,Themes,Winmgmt,wuauserv"

    Do you mean that, as these rules stand, they will be blocking ALL these 15 Services, and ONLY these 15 services, from sending out msgs via SvcHost?
    Or if that is not correct, what Services are they then currently blocking, as they stand?

    Lastly, on the topic of DHCP rules, thanks for your and Aldist's suggestions about how to handle a DHCP rule - at some of the locations I do computing at I do get dynamic IPs so that will be relevant.
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,999
    Location:
    Member state of European Union
    Almost everybody gets a dynamic IPv4 address from ISP or ISP's issued router/gateway.
    Internet connectivity usually works despite blocking incoming DHCP, because OS will do outgoing DHCP requests anyway. These outgoing packets will create entry in firewall's connection table (even though UDP is connectionless protocol) allowing most of incoming DHCP packets to pass despite incoming rule blockade.
    I would advise to allow incoming DHCP, because most incoming packets will bypass this firewall rule anyway, but in rare scenarios they may not thus creating connectivity problems that are hard to troubleshoot. Connectivity may work in one network without any problems, but you go and connect to another Wifi network and get seemingly intermittent network connection problems.
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    This may be a bug since a rule can be created for one service only. Such rule may block the first service that it displays or even all services. Try to remove these block rules for svchost.exe (or at least disable them) and recreate them again. Were they created from Connections Log or from the notification dialog ? If you use Medium Filtering then block rules are not required since everything without an explicit allow rule is blocked by default. Please check WFC recommended rules and use them as a starting point for creating a larger set of firewall rules. You should not need to create too many svchost.exe rules and you can add svchost.exe in the exclusions list and don't bother with it anymore, especially if you don't notice something which does not work as expected.
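
Added example (not from the thread and not WFC code): a read-only PowerShell check of the two things discussed in the posts above, namely which svchost.exe process IDs host more than one service, and what each svchost.exe firewall rule actually holds in its service field. It assumes PowerShell 3.0 or later for `Get-CimInstance` and Windows 8/Server 2012 or later for the NetSecurity cmdlets, so the rule audit in part 2 does not run on Windows 7.

```powershell
# Added example: read-only, changes no rules.

# 1. svchost.exe instances that host several services under one process ID.
#    A log entry that only records the PID cannot tell these services apart.
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    Where-Object { $_.PathName -match 'svchost\.exe' } |
    Group-Object -Property ProcessId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId = $_.Name
            Services  = ($_.Group | Sort-Object Name | ForEach-Object Name) -join ','
        }
    } | Format-Table -AutoSize -Wrap

# 2. Classify the service field of every svchost.exe firewall rule.
Get-NetFirewallApplicationFilter -All |
    Where-Object { $_.Program -like '*\svchost.exe' } |
    ForEach-Object {
        $rule    = $_ | Get-NetFirewallRule
        $service = ($rule | Get-NetFirewallServiceFilter).Service

        if ($service -eq 'Any') {
            # No service specified: the rule covers everything svchost.exe hosts.
            $scope = 'all services'
        } elseif ($service -like '*,*') {
            # Comma-joined names like the ones quoted in this thread.
            $scope = 'multi-name string: review and recreate per service'
        } else {
            $scope = 'single service'
        }

        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Action    = $rule.Action
            Direction = $rule.Direction
            Service   = $service
            Scope     = $scope
        }
    } | Sort-Object Scope, Rule | Format-Table -AutoSize -Wrap
```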
     
  21. Paul04

    Paul04 Registered Member

    Joined:
    Mar 4, 2020
    Posts:
    9
    Location:
    Colorado
    In my case, at two of the four locations I compute at our router gets a static IP that stays the same year in year out. To my considerable frustration, because, from a privacy perspective, that makes it easier for web site owners to track you (unless you're always on a VPN). I've even called up the ISP asking him to flip us to a new IP, but he declined.

    In respect of DHCP, perhaps I'm naive but I currently have no qualms about creating Allow rules for DHCP services to do whatever they want, inwards and outwards.
     
  22. Paul04

    Paul04 Registered Member

    Joined:
    Mar 4, 2020
    Posts:
    9
    Location:
    Colorado
    Just for context, I'm at a win7 location the past few days; at two other locations I occasionally visit, I have win10 (also with WFC installed).

    Alexandrud, I have come to prefer creating from the Log because you get more options than when you use the Notification pop-up. So when I get a pop-up, I have to open the Log so I can create from there. And that's where all these multi-service names get automatically inserted.

    Ok, I will have to do some experimentation to work out what Services get blocked with these multi-service names. May take a few days to fit in that testing and report back here.

    I am obviously not expert at firewall or security tech. My modus operandi has been to only create Allow rules when I get repeatedly bugged by the same Notification. If it seems that the culprit process is benign, I will create the rule and see if the Notifications stop. (I don't want to turn Off notifications - I learn too much from them).

    I recall doing this in a number of instances when my pc was repeatedly wanting to go out to IP ranges owned by Ripe, Netcast or Akamai and the like. Reading up on those, I got info that indicated there was a network performance benefit to be had from allowing those so I created Allow rules for their IP ranges when I thought my response times were a bit slow.

    Another context is LAN file sharing, where I may get a Notification when I try to network with another pc on the Lan. Always seem to involve svchost. So I create Allow rules to see if I can get through.

    Another context is software updates - I am very strict on controlling when my OS or apps update (so my DAW doesn't crash unexpectedly), so I try to block services like BITS until I want to allow them.

    Now you can see why it gets tricky because BITS is included in the same name as a lot of other Services, which may or may not want Allow rules.
    For example, WFC created the following service name:
    "AeLookupSvc,Appinfo,BITS,Browser,gpsvc,iphlpsvc,LanmanServer,MMCSS,ProfSvc,Schedule,SENS,ShellHWDetection,Themes,Winmgmt,wuauserv" in a number of my rules.

    upload_2021-4-17_1-47-20.png

    This example has BITS in with Browser and Lanman and ShellHwDetection. So when the Log rule creation dialogue sets up a rule with this string as the "service", it just looks baffling to me and that's why I came here to post and ask for clarification.
     
    Last edited: Apr 16, 2021
  23. Leeju27

    Leeju27 Registered Member

    Joined:
    Apr 10, 2021
    Posts:
    2
    Location:
    Uludag
    Thank you for your answer.

    I know it is, and i was very happy to see that it is possible to link processes like svchost.exe to explicit services (i think since version 6.0.2.0).

    Ok, thanks. Keep testing everything with LAN and no disconnection problems anymore. Router log was empty but now think it was because of weak signal quality.

    I checked the event log, no errors. Will try to reinstall WFC and report when i find some time.

    yes, i did that of course. I don't know exactly what was the problem. But now the check works again.

    That's a pity but very understandable for the very cheap price of binisoft.
    If it was open source, i would have suggested you at https://opencollective.com so that i could give more "support".
    Maybe your next project ;)


    My main problem with WFC (and probably of many users):
    Updates on Windows 10. (I'm still on Windows 10 v1607 pro for several reasons. Maybe this is important information as well.)

    I know about the standard rules in WFC and i also tried to delete all rules and start with them from the beginning.
    I also activated the original Windows Standard rules again to start from the beginning.

    What i want:
    secure profile = activated
    secure rules = activated, disable unauthorized
    allow windows store rules = NO WAY i don't need them (and hopefully never will)

    1.) Are the standard WFC-Rules a little bit too strict for my environment and for later Windows versions?
    2.) Do you have a changelog of the WFC "recommended rules" maybe somewhere on github or gitlab?
    3.) Do you have a recommended procedure to fix these update problems since windows 10 v1607 (and later).
    and maybe could describe how to start over again and still keep getting updates for defender and Windows security fixes?
    4.) Could you provide another less strict "recommended rules" list that doesn't interfere with standard update procedures in Win 10 v1607 and later (i think BITS is the problem here)?

    Thank you!
     
    Last edited: Apr 17, 2021
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    1) WFC recommended rules, the ones mentioned here https://binisoft.org/pdf/guides/Malwarebytes-WFC-User-Guide.pdf#page=23 are just a suggestion for a minimal set of rules. They will not cover all scenarios and are just a recommendation. "Too strict" is very subjective.
    2) They are almost the same since many years ago. WFC is on GitHub but on a private repository, not available to public. Anyway, there is no changelog for these rules.
    3 & 4) In Windows 10, Windows Update requires full access for svchost.exe on remote ports 80,43 on TCP protocol. A service based rule for Windows Update (wuauserv) does not work anymore as it used to work on Windows 7, 8.1.
     
  25. StealthyTrojan

    StealthyTrojan Registered Member

    Joined:
    May 18, 2020
    Posts:
    24
    Location:
    Portugal
    I've tried Malwarebytes Windows Firewall Control more than once, but I found always the same problem, it keeps blocking svchost.exe even after allowed. And surely it isn't very smart to allow svchost entirely and keep allowing every thing related to it, but even after allowing svchost.exe altogether, I still get some svchost blocked connections in the activity log. How do I know which ones are important and which ones are not?
     