Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    13
    Some more questionable behavior by MS apps: download MSERT.EXE, the Microsoft Support Emergency Response Tool, which does offline virus scanning. Nowhere does it say, though, that its behavior is anything but offline...

    Put WFC on Medium Filtering, Secure Profile, Secure Rules.
    Create a Block rule for MSERT.EXE where you have it, for example C:\tmp\MSERT.EXE, blocking both inbound and outbound.

    Let it scan a large volume containing virus/backdoor/PUP/EICAR test-string programs and watch in your network monitoring application how MSERT.EXE effortlessly makes it through the firewall to Microsoft's servers.
    Now the real question is: how likely is it that this is the only MS app that treats Windows Firewall as a joke, and how many malware authors have reversed the code and are using its tricks to bypass Windows Firewall as well?

    Something about Swiss cheese.
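    The test described in this post, as an added example that is not code from the thread or from BiniSoft. It uses only built-in tooling: explicit Block rules in both directions for the executable, then a query of the Security log for Filtering Platform Connection events (5156 = permitted, 5157 = blocked) that name that executable. The rule names, the Get-/Add-/Enable- function names and the path C:\tmp\MSERT.EXE (taken from the post) are assumptions; adjust them to your setup.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread or from BiniSoft. Reproduces the MSERT.EXE
# test with Windows' own firewall cmdlets and the Security event log.
# Assumed: the executable lives at C:\tmp\MSERT.EXE (path from the post).

$Exe = 'C:\tmp\MSERT.EXE'

function Add-BlockBothWays {
    param([Parameter(Mandatory)][string]$Path)
    # One Block rule per direction. Block rules take precedence over Allow rules
    # in Windows Firewall, so an Allow rule created later would not undo these.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Test block $dir - $(Split-Path -Leaf $Path)"   # assumed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
                -Program $Path -Profile Any -Enabled True | Out-Null
        }
    }
}

function Enable-ConnectionAuditing {
    # Same audit subcategory alexandrud enables later in the thread (Filtering
    # Platform Connection). Success auditing is turned on too, because an
    # allowed connection (event 5156) is exactly what this test looks for.
    auditpol.exe /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null
}

function Get-WfpEventsForProgram {
    param([Parameter(Mandatory)][string]$Path,
          [datetime]$Since = (Get-Date).AddHours(-1))
    # The Application field is logged in NT device form
    # (\device\harddiskvolumeN\tmp\msert.exe), so match on the path without the drive letter.
    $tail = ($Path -replace '^[A-Za-z]:', '').ToLowerInvariant()
    $dirNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }   # raw codes used in 5156/5157
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if (-not $d['Application'].ToLowerInvariant().EndsWith($tail)) { return }
            $verdict = if ($_.Id -eq 5156) { 'PERMITTED' } else { 'BLOCKED' }
            $proto = switch ($d['Protocol']) { '6' { 'TCP' } '17' { 'UDP' } default { $d['Protocol'] } }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Verdict   = $verdict
                Direction = $dirNames[$d['Direction']]
                Remote    = "$($d['DestAddress']):$($d['DestPort'])"
                Protocol  = $proto
                FilterId  = $d['FilterRTID']   # the WFP filter that made the decision
            }
        }
}

Add-BlockBothWays -Path $Exe
Enable-ConnectionAuditing
# Run the scan now, then list every WFP decision that involved the executable:
Get-WfpEventsForProgram -Path $Exe | Sort-Object Time | Format-Table -AutoSize
```

If a PERMITTED row shows up, the FilterId column is the piece of evidence a third-party connection monitor cannot give you: `netsh wfp show filters` dumps every WFP filter with its filterId and provider, so you can see which component (a Windows Firewall rule, a service-hardening filter, or another provider's callout) actually allowed that connection instead of guessing.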
     
  2. DeRodeKater

    DeRodeKater Registered Member

    Joined:
    Sep 21, 2011
    Posts:
    34
    Correct, I've checked my rules: the WU service is needed, and BITS. I have disabled Delivery Optimization as I prefer to download stuff from MS directly.

    Weirdly, I cannot seem to get MS Defender to update with these rules. I checked the connection log and wuauserv gets blocked by the firewall, even though I have it allowed. But downloading updates through Windows Update works.
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    Which network monitoring application are you using? I did the same on my side and I do not see any allowed connection for MSERT.EXE. I didn't create any kind of rule for it: default inbound block, default outbound block. There is no trick; elevated privileges allow unrestricted access to Windows Firewall. If malware gains elevated privileges, this is usually possible because the user launched it and allowed it through the UAC prompt.
     
  4. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    13
    This time using Nirsoft's LiveTcpUdpWatch, since it has a nice flow view for TCP, but it doesn't know how to tie UDP messages into flows (UDP and its replies will be shown as 2 separate items).

    On my Win 10 Pro test box some of the rules under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices have regenerated once (so far), but not on the Server 2022 test box. So one needs to prepare for the worst case of all of them eventually regenerating, probably at the latest by an OS update, and delete them regularly.

    If one has startup and shutdown scripts, one could include this in both: (EDIT: removed /va, which caused it to not work properly; /f is enough)
    Code:
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices" /f
    Or run it from task scheduler at regular intervals.
     
    Last edited: Dec 6, 2021
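    Before running the `reg delete` from the post above, a practitioner will want to know what is actually under that key and keep a way back. The following is an added example, not code from the post or from BiniSoft: it exports the key with reg.exe, then walks the subkeys and parses the pipe-delimited rule strings stored there (`v2.x|Action=...|Dir=...|Svc=...|App=...|Name=...|`) into objects you can filter. The backup directory C:\tmp and the function names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post or from BiniSoft. Inspects and backs up
# the RestrictedServices key named in the post before anything is deleted.
# Assumed: C:\tmp exists and is writable (backup location).

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices'

function ConvertFrom-FirewallRuleString {
    param([Parameter(Mandatory)][string]$ValueName, [Parameter(Mandatory)][string]$Rule)
    # Split on '|', keep "Key=Value" tokens, skip the leading "v2.x" version token.
    # Keys that repeat (e.g. several RPort= entries) are joined with commas.
    $f = @{}
    foreach ($tok in $Rule.Split('|', [StringSplitOptions]::RemoveEmptyEntries)) {
        $i = $tok.IndexOf('=')
        if ($i -le 0) { continue }
        $k = $tok.Substring(0, $i); $v = $tok.Substring($i + 1)
        $f[$k] = if ($f.ContainsKey($k)) { "$($f[$k]),$v" } else { $v }
    }
    [pscustomobject]@{
        Value = $ValueName; Action = $f['Action']; Dir = $f['Dir']; Active = $f['Active']
        Protocol = $f['Protocol']; Svc = $f['Svc']; App = $f['App']; RPort = $f['RPort']; Name = $f['Name']
    }
}

function Get-RestrictedServiceRules {
    param([string]$Path = $Key)
    if (-not (Test-Path $Path)) { Write-Warning "$Path does not exist (already deleted?)"; return }
    # Recurse through Static\System, Configurable\System, ... and parse every string value.
    Get-ChildItem -Path $Path -Recurse | ForEach-Object {
        $sub = $_
        foreach ($name in $sub.GetValueNames()) {
            $raw = $sub.GetValue($name)
            if ($raw -is [string] -and $raw -match '\|') {
                ConvertFrom-FirewallRuleString -ValueName "$($sub.PSChildName)\$name" -Rule $raw
            }
        }
    }
}

function Backup-RestrictedServices {
    param([string]$BackupDir = 'C:\tmp')   # assumed location
    $file = Join-Path $BackupDir ("RestrictedServices-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    $file
}

$backup = Backup-RestrictedServices
"Exported to $backup (restore with: reg import `"$backup`")"
# Outbound Allow rules are the ones relevant to the question raised in the thread:
Get-RestrictedServiceRules |
    Where-Object { $_.Action -eq 'Allow' -and $_.Dir -eq 'Out' } |
    Sort-Object Svc | Format-Table Value, Active, Protocol, Svc, App, Name -AutoSize
```

Running this on each box before the scheduled `reg delete` also gives you a diff target: if the post's observation holds and the key regenerates after an update, comparing a fresh listing against the saved export shows exactly which rules came back.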
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,848
    hi @alexandrud
    I have performed several tests on W7.
    I guess it's the service and/or the W7 boot optimizer; W7, even with the Prefetch service disabled, performs a boot optimization.
    I fix it with a bat file:
    Code:
    NET STOP wfcs
    NET START wfcs
    
    About the framework, I have tested on computers with Microsoft .NET Framework 4.5.1.
    Maybe in the next version a stronger service control could be added.
    thanks
     
  6. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    hi @alexandrud
    I install WFC from the command line via a batch file:
    wfc6700setup.exe -i -r -c

    I set Medium Filtering, again from the command line/batch:
    netsh.exe advfirewall set allprofiles state on
    netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    Is it possible, again from the command line/batch, to set:
    1) Notification: Learning mode
    2) Options: User interface language: Italian
    3) Options: Start automatically at user logon
    4) Rules: Outbound and inbound

    Tnx
     
  7. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    Hello,
    for now I have a problem with the Windows Xbox app. When WFC is on, the app gets no internet connection. When I disable WFC, the Xbox App works. What can I do?

    The other problem is that I have allowed a game but I see that it was blocked. It's a game from the Xbox app.
     

    Last edited: Dec 16, 2021
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    1)
    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "NotificationLevel" /t REG_DWORD /d "1" /f
    auditpol.exe /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable
    2)
    reg add "HKCU\Software\Binisoft.org\Windows Firewall Control" /v "UserLanguage" /d "wfcIT.lng" /f
    3)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Malwarebytes Windows Firewall Control" /d \""C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe\"" /f
    4) I really advise you against using this mode. Inbound rules are not required in 99% of use cases and may open your computer to a lot of threats. It is your decision.
    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "Direction" /t REG_DWORD /d "2" /f

    Add these to your batch file before installation so that, after installation, these keys are automatically used when the WFC service is started.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    What have you tried so far? Did you create any allow rule? Did you enable the notifications? Did you allow svchost.exe on remote ports 80,443 for all connections? Did you check the recent inbound/outbound connections in the Connections Log to see what was blocked at the time this app was blocked? Do you use Secure Rules? Without relevant details, what can we do?
     
  10. Clarensio

    Clarensio Registered Member

    Joined:
    May 4, 2014
    Posts:
    2

    Thank you @alexandrud... mythical, just what I needed.

    PS: it's always me, Claudio R.
     
  11. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    I further take advantage of your... patience (I received your advice, but that setting was conceived for the exclusive case of a PC on LAN/WAN) and I ask you:

    Also for Medium Filtering:
    netsh.exe advfirewall set allprofiles state on
    netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    can I set it "before" via regedit o_O
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    The Medium Filtering profile can't be set through the Windows Registry. You can set the Medium Filtering profile with these netsh calls before installing WFC. When the WFC service starts, the profile will be recognized as Medium Filtering as a result of executing these two netsh.exe calls.

    The order in your batch file would be: reg add, netsh and then wfc6700setup.exe -i -r -c
     
    Last edited: Dec 16, 2021
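    The reg add, netsh and setup sequence from the posts above, as an added example written in PowerShell; it is not BiniSoft's script. It refuses to run unelevated (the silent failure mode behind "the key is not created" further down in this thread), creates the keys idempotently so it can be re-run, applies the same firewall policy the two netsh calls set, and afterwards reads back both the registry values and the live firewall policy. The WFC key paths, value names and the NotificationLevel/Direction numbers are the ones alexandrud posted; the script parameters, the elevation check and the profile-name mapping are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not BiniSoft's script. Pre-configures WFC before an unattended
# install and verifies the result. Assumed: default install path of wfc.exe,
# the setup file name used in the thread, and a Low/Medium name mapping.
param(
    [string]$Setup = '.\wfc6700setup.exe',
    [string]$Language = 'wfcIT.lng',
    [ValidateSet('Low', 'Medium')][string]$Filtering = 'Medium',
    [switch]$Install
)

$WfcKey  = 'HKLM:\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}'   # from the thread
$WfcUser = 'HKCU:\Software\Binisoft.org\Windows Firewall Control'                    # from the thread
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$WfcExe  = 'C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe'

function Test-Elevated {
    # reg add under HKLM from a non-elevated prompt fails; a batch that does not
    # check errors just carries on and leaves the values missing.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-WfcPreInstallSettings {
    param([string]$LanguageFile, [int]$Direction = 0)
    # New-Item -Force creates the key if missing and leaves it alone otherwise.
    foreach ($k in $WfcKey, $WfcUser) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty -Path $WfcKey  -Name NotificationLevel -Value 1 -Type DWord          # 1 = Learning mode (per thread)
    Set-ItemProperty -Path $WfcKey  -Name Direction         -Value $Direction -Type DWord  # 2 = outbound+inbound, advised against
    Set-ItemProperty -Path $WfcUser -Name UserLanguage      -Value $LanguageFile -Type String
    Set-ItemProperty -Path $RunKey  -Name 'Malwarebytes Windows Firewall Control' -Value "`"$WfcExe`"" -Type String
    auditpol.exe /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /failure:enable | Out-Null
}

function Set-FilteringProfile {
    param([ValidateSet('Low', 'Medium')][string]$Level)
    # Same effect as the two netsh calls in the thread; Low leaves outbound open.
    $out = if ($Level -eq 'Medium') { 'Block' } else { 'Allow' }
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction $out
}

function Get-WfcEquivalentProfile {
    # Map the live Windows Firewall policy back to the profile name WFC will show
    # at service start, as alexandrud describes for Medium Filtering.
    $p = Get-NetFirewallProfile
    if ($p | Where-Object { "$($_.Enabled)" -ne 'True' })                 { return 'firewall disabled on at least one profile' }
    if ($p | Where-Object { "$($_.DefaultInboundAction)" -ne 'Block' })   { return 'inbound not blocked on every profile' }
    if ($p | Where-Object { "$($_.DefaultOutboundAction)" -ne 'Block' })  { return 'Low Filtering' }
    'Medium Filtering'
}

if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell session.' }
Set-WfcPreInstallSettings -LanguageFile $Language
Set-FilteringProfile -Level $Filtering
if ($Install) { Start-Process -FilePath $Setup -ArgumentList '-i', '-r', '-c' -Wait }

# Verify what was written instead of assuming it:
Get-ItemProperty -Path $WfcKey | Select-Object NotificationLevel, Direction
"Windows Firewall policy now equivalent to: $(Get-WfcEquivalentProfile)"
```

Direction is left at 0, the value in the batch that eventually worked later in this thread; pass `-Direction 2` only if you really want the inbound-and-outbound mode alexandrud advises against. The last two lines are the check worth keeping: if the registry values or the profile name come back wrong, the problem is in this step and not in WFC.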
  13. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    Tnx
     
  14. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    I do not use Secure Rules, it's not enabled. I have notifications on, and I allowed all connections when the notification comes up when I start the app. When I look at the rules, there is a rule for it with outgoing allowed. Incoming, I see nothing, but it didn't ask for it. I allowed all svchost when a notification came for it.
     
  15. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    hi @alexandrud

    I have set up, as you told me, the attached bat file (no errors reported) but unfortunately Notification is Disabled.
    ===============================
    @Echo off
    CLS
    @Echo.

    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "NotificationLevel" /t REG_DWORD /d "1" /f
    auditpol.exe /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable
    reg add "HKCU\Software\Binisoft.org\Windows Firewall Control" /v "UserLanguage" /d "wfcIT.lng" /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Malwarebytes Windows Firewall Control" /d \""C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe\"" /f
    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "Direction" /t REG_DWORD /d "0" /f

    netsh.exe advfirewall set allprofiles state on
    netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    wfc6700setup.exe -i -r -c

    exit
    ===============================
    Checking the registry (regedit) I found that the key "NotificationLevel" is not created. I tried to divide the creation of the key into several parts (first the folder, then the DWORD32 value) but nothing: Notification remains Disabled.

    I then tried to import the key from a .reg file. In this case the key is created regularly, but until I close wfc.exe and restart it the Notifications do not change.

    I think it is necessary to close wfc.exe and restart it (even if I don't remember how to do it from the command line :) - wfc.exe -mp to start, but to stop o_O

    Do you have any idea o_O?

    Thank you
     

  16. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    With Windows Store or Xbox App programs it is ****, there is no way to let them pass the firewall. All is allowed. I look at the blocked log and create rules for those, with all ports and IPs allowed. But nothing happens. It blocks the same exe again and again. I can do what I want. When I uninstall WFC all works fine, the Windows Firewall lets them pass. I think WFC is only an overlay and a notification for the Windows Firewall and not an extra firewall. But why will it not work?
    Is there a way I can whitelist some .exe files?
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    I executed the same batch file in one of my virtual machines and it works. The batch file must be executed from an elevated CMD window. If it does not work on your side, try with one command at a time and check the results of each of them.

     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    Did you enable the notifications and did you create rules similar to the ones below, and it still does not work? I was notified about these once I started the Windows Store app.

    (screenshot attached)

    The user guide may answer to a lot of questions related to WFC and Windows Firewall: https://binisoft.org/pdf/guides/Malwarebytes-WFC-User-Guide.pdf
     
  19. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    I discovered my problem in my VM: I ran everything through a .bat inside a self-extracting file, and even if I ran it as administrator, the file inside it didn't work well.

    Running the .bat directly as administrator... everything is fine.

    Last question: to stop wfc.exe from the DOS prompt, what command (if possible...) do I have to set o_O
    START = wfc.exe -mp
    STOP = wfc.exe o_O?

    Thanks again
     
  20. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    The store works, I can download or update games from there or download tools. But all the games from there can't go online. I can create rules, but that did not work. I also created rules like the example from the guide but nothing works. Only when I go to lower filtering does it work.
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    Continuing this basic scripting tutorial :) :
    taskkill /f /im wfc.exe
    or more nicely so that the system tray icon goes away, call:
    wfc.exe -exit
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    If these games which you don't name are among Forza Horizon, Microsoft Flight Simulator, etc., they do not work with outbound filtering enabled in Windows Firewall (the equivalent of the Medium Filtering profile). This is not something that WFC could fix; the problem is with Windows Firewall itself. More info here.
     
  23. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    Thanks for tutorial and I swear I'm done with the off-line commands :)
     
  24. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    Yes, for example Forza 5 or AoE IV and so on. But when I uninstall WFC it works fine with the Windows Firewall.
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    When you uninstall WFC you probably revert to the default Windows Firewall settings, which by default allow any outbound connection. There is no need to uninstall WFC to play these games; you can switch the profile to Low Filtering, which will disable outbound filtering in Windows Firewall. Your problems have nothing to do with WFC, but with Windows Firewall itself.
     