Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    Which is the network monitoring application that you are using ? I did the same on my side and I do not see any allowed connection for MSERT.EXE. I didn't create any kind of rule for it. Default inbound block, default outbound block. There is no trick, elevated privileges will allow unrestricted access to Windows Firewall. If a malware gains elevated privileges, this is usually possible because of the user launching and allowing it through the UAC prompt.
     
  2. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    13
    This time using Nirsoft's LiveTcpUdpWatch since it has a nice flow view for tcp, but it doesn't know how to tie UDP messages into flows (udp and its replies will be shown as 2 separate items).

    On my Win 10 Pro test box some of the rules under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices have regenerated once (this far), but not on the Server 2022 test box. So one needs to prepare for the worst case of all them them eventually regenerating, latest probably by an OS update, and delete them regularly.

    If one has startup and shutdown scripts, one could include this to both: (EDIT: removed /va which caused to not work properly, /f is enough)
    Code:
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices" /f
    Or run it from task scheduler at regular intervals.
     
    Last edited: Dec 6, 2021
  3. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,878
    hi @alexandrud
    I have performed several tests on w7
    i guess it's the service or/and the w7 boot optimazer , w7 even with the prefetch service is disabled , it perform a boot optimazer
    i fix it with a bat file
    Code:
    NET STOP wfcs
    NET START wfcs
    
    about framework ,i have tested on computers with .net Microsoft .NET Framework 4.5.1
    maybe in the next version could be added a stronger service control
    thanks
     
  4. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    hi @alexandrud
    I install WFC from the command line via a batch file:
    wfc6700setup.exe -i -r -c

    I set, again from the command line/batch, the Medium Filter:
    netsh.exe advfirewall set allprofiles state on
    netsh.exe advfirewall set allprofiles firewallpolicy blockinbound, blockoutbound

    It is possible, always from the command line/batch, to set:
    1) Notification: Learning mode
    2) Options: User interface language: Italian
    3) Options: Start automatically at user logon
    4) Rules: Outbound and inbound

    Tnx
     
  5. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    Hello,
    for now i have a problem with the windows xbox app. When the WFC is on, the app become no internet connection. When i disable WFC than the Xbox App works. What can i do ?

    The other problem is, that i have allowed a game but i see that it was blocked. Its a game from xbox app
     

    Attached Files:

    Last edited: Dec 16, 2021
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    1)
    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "NotificationLevel" /t REG_DWORD /d "1" /f
    auditpol.exe /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable
    2)
    reg add "HKCU\Software\Binisoft.org\Windows Firewall Control" /v "UserLanguage" /d "wfcIT.lng" /f
    3)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Malwarebytes Windows Firewall Control" /d \""C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe\"" /f
    4) I really advise you against using this mode. Inbound rules are not required in 99% of use cases and may open your computer to a lot of threats. It is your decision.
    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "Direction" /t REG_DWORD /d "2" /f

    Add these to your batch file before installation so that, after installation, these keys are automatically used when WFC service is started.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    What have you tried so far ? Did you create any allow rule ? Did you enable the notifications ? Did you allow svchost.exe on remote ports 80,443 for all connections ? Did you check the recently inbound/outbound connections in Connections Log to see what was blocked at the time when this app was blocked ? Do you use Secure Rules ? Without relevant details, what can we do ?
     
  8. Clarensio

    Clarensio Registered Member

    Joined:
    May 4, 2014
    Posts:
    2

    Thank you @alexandrud... mythical just what I needed

    PS: it's always me Claudio R.
     
  9. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    I further take advantage of your... patience (I received your advice but that setting was cognitive in an exclusive function of PC in LAN/WAN) and I ask you:

    Also for the Medium Filter:
    netsh.exe advfirewall set allprofiles state on
    netsh.exe advfirewall set allprofiles firewallpolicy blockinbound, blockoutbound​

    can I set it "before" via regedito_O
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    Medium Filtering profile can't be set through Windows Registry. You can set Medium Filtering profile by these netsh calls before installing WFC. When WFC service will start, the profile will be recognized as Medium Filtering as a result of executing these two netsh.exe calls.

    The order in your batch file would be: reg add, netsh and then wfc6700setup.exe -i -r -c
     
    Last edited: Dec 16, 2021
  11. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    Tnx
     
  12. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    I do not use Secure Rulse,its not enabled.I have notifications on, and i allowed all connections when the notify comes up when i start the app. When i look at rulse, there is a rule for it with allowed outgoing. Incoming, i see nothing, but he didnt ask for it. I allowed all svhost, when there come a notify for it.
     
  13. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    hi @alexandrud

    I have set, as you told me, the attached bat file (no errors reported) but unfortunately Notification is Disabled.
    ===============================
    @Echo off
    CLS
    @Echo.

    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "NotificationLevel" /t REG_DWORD /d "1" /f
    auditpol.exe /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable
    reg add "HKCU\Software\Binisoft.org\Windows Firewall Control" /v "UserLanguage" /d "wfcIT.lng" /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Malwarebytes Windows Firewall Control" /d \""C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe\"" /f
    reg add "HKLM\Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}" /v "Direction" /t REG_DWORD /d "0" /f

    netsh.exe advfirewall set allprofiles state on
    netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    wfc6700setup.exe -i -r -c

    exit
    ===============================
    Checking the register (regedit) I found that the key "NotificationLevel" is not created I tried to divide the creation of the key into several parts (first the folder then the DWord32 key but nothing: Notification remains Disabled.

    I then tried to import the key from a .reg file In this case the key is created regularly but until I close wfc.exe and restart it the Notifications do not change.

    I think it is necessary to close WFC.exe and restart it (even if I don't remember how to do it from the command line :) - WFC.exe -mp to start but to stop o_O

    Do you have any ideao_O?

    Thank you
     

    Attached Files:

  14. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    With Windows Store or Xbox App programs it its ****, there is no way to let they pass the firewall. All is allowed. I look at the blocked log, and create rulse for those, with all ports and ips are allowed. But nothing happen. He blocked the same exe again and again. I can do what i want. When i uninstall WFC all works fine, the windows firewall let them pass. I tink WFC is only a overlay and a notification for the windows firewall and no extra firewall. But why it will not work ?
    Is there a way i can whitelist some .exe files ?
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    I executed the same batch file in one of my virtual machines and it works. The batch file must be executed from an elevated CMD window. If it does not work on your side, try with one command at a time and check the results of each of them.

    upload_2021-12-17_21-43-41.png
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    Did you enable the notifications and did you create similar rules to the ones below and it still does not work ? I was notified about these once I started Windows Store app.

    upload_2021-12-17_21-56-14.png

    The user guide may answer to a lot of questions related to WFC and Windows Firewall: https://binisoft.org/pdf/guides/Malwarebytes-WFC-User-Guide.pdf
     
  17. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    I discovered my problem in My VM: I ran everything through a .bat inside a self-extracting file and even if I ran it as an administrator the file inside it didn't work well.

    Running the .bat directly as an administrator... everything is fine.

    Last question: to stop from prompt dos wfc.exe that command (if possible ...) I have to set o_O
    START = SFC.EXE -mp
    STOP = SFC: EXE o_O?

    Thanks again
     
  18. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    The store works, i can download or update games from there or download tools. But all the games from there cant go online. I can create rulse, but that did not work. I also create rulse like the example from the guide but nothing works. Only when i go to lower filterintg than it works.
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    Continuing this basic scripting tutorial :) :
    taskkill /f /im wfc.exe
    or more nicely so that the system tray icon goes away, call:
    wfc.exe -exit
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    If these games which you don't name are among Forza Horizon, Microsoft Flight Simulator, etc. they do not work with outbound filtering enabled in Windows Firewall (equivalent of Medium Filtering profile). This is not something that WFC could fix, the problem is with Windows Firewall itself. More info here.
     
  21. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    36
    Location:
    Italy
    Thanks for tutorial and I swear I'm done with the off-line commands :)
     
  22. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    Yes for example Forza 5, or AoE IV and so on. But when i uninstall the WFC it works fine with the windows firewall.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    When you uninstall WFC you probably revert default Windows Firewall settings which by default allows any outbound connection. There is no need to uninstall WFC to play these games, you can switch the profile to Low Filtering, which will disable outbound filtering in Windows Firewall. Your problems have nothing to do with WFC, but with Windows Firewall itself.
     
  24. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    What i cant understand. When WFC ask me if the exe will go out and i allow it, it was in the firewall rulse set as allowed for this app. But its blocked, why windows firewall ignore this rule ?
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,163
    Location:
    Romania
    Windows Firewall is an implementation over Windows Filtering Platform (WFP). The notifications which you see in Windows Firewall Control are for blocked connections logged in WFP. At this point, there is nothing related to Windows Firewall. You create a new Windows Firewall rule with the expectation that this rule will indeed allow future connections of the blocked program. If this does not work, there might be multiple reasons:
    - WFP contains a rule with a higher precedence which overwrites the allow rule that you have created. As a result, the connection is still blocked.
    - The rule created by Windows Firewall does not apply because the path of the file is located on a virtual mounted drive. These paths can't be allowed properly through Windows Firewall. The only solution that I know to make it work, is to disable outbound filtering so that it can connect without a rule.

    I described here a way to find out which filter blocked a connection:
    https://www.wilderssecurity.com/thr...-by-binisoft-org.347370/page-231#post-2929980
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.