Discussion in 'other firewalls' started by alexandrud, May 20, 2013.
I see there is a bug with creating rules:
When updating to a new version - is it recommended to do a FRESH install or can you install over the existing version?
Thank you for reporting this. Indeed, there is a bug there. It will be fixed in the next release.
You can install over the existing version. The updater will know how to update it. However, there is a bug in the current version's installer that hangs the updater if the program is running (wfc.exe) and the updater is executed from a standard account. This is already fixed and will be part of the next release.
Windows Firewall Control v.22.214.171.124 - New Version
- Fixed: The updater hangs if the user executes it from a standard user account and the program is running in the system tray. The workaround was to manually close it first from the system tray icon and then execute the updater. Now the update will complete even if the user does not first close the existing running instance.
- Fixed: The protocol is always set to TCP if the user modifies a rule from the notification dialog and the protocol is set to ANY.
- Fixed: The Manage Rules window remains always on top after creating a new rule from the options available on the right panel named "Create new rule". The same behavior was also identified and fixed for the Main Panel window.
- Fixed: After a clean installation the default notification level is set to Low level instead of Disabled level.
- New: The log of the installation/update can now be viewed if the user presses the F12 key when the installation/update is complete (the EXIT button appears).
Installation notes: Just use the installer to update to the latest version. There are no new translation strings.
Download location: http://binisoft.org/download/wfc4setup.exe
Thank you for your support and your feedback,
I know that it's not a question related to WFC, but maybe someone could know.
I have configured WFC to "Medium filtering", so outbound connections are blocked by default. I'm connected to the private network. I have all default rules enabled with no changes. But I don't see any machines in my local network (Windows sharing). I see only my machine.
But if I create outbound rule for service host ("C:\Windows\system32\svchost.exe") for private network, TCP protocol and remote address "LocalSubnet", it works. I can see all machines in my network. But I don't want to do that. It's too vague to allow all services to my whole network.
Does anyone know what I have to allow to make this work? Which particular service, ports etc.? Or why doesn't it work with default rules? There are rules for a lot of various services allowed for the private network by default (groups "Core networking", "File and printer sharing", "Network discovery" etc.). Most of them are for the UDP protocol, so should I duplicate any rule and change it to TCP? (since if I allow TCP for all services, it works).
I have found a lot of blocked outbound connections (3 connections every 3 seconds) in the connection log. Remote IP is 126.96.36.199, port 1900, protocol UDP, connection is made by service host. It should be "Simple Service Discovery Protocol", but all related rules for this are allowed. Why is it blocked?
Thank you very much for any advice!
Have a nice day.
And one tip for cosmetic improvement:
when I switch WFC's Control Panel tabs, the tab content preserves the scrollbar position of the previous tab. I think that it should reset the scrollbar position to show the top part of the tab on each switch. This is confusing, especially when I use the mouse wheel only, so I don't realize that I have to scroll up. When I first used WFC and didn't know that, I missed a lot of configurations.
Could you please clarify how WFC prevents applications from making changes to the firewall rules? Some apps have a nasty habit of either adding their own rules to the WF on install or even every time they are run. With other firewalls I was able to protect them from changes by setting a password, but with the WF there isn't such a feature, I guess an app that runs with admin rights can simply change the rules. Can WFC prevent some changes? Does it just monitor the rule changes and then replaces them with its own copy if it detects changes or can it truly lock the rules down so they cannot even be changed?
There is a tickable setting in the Options tab called "Disable the ability of other programs to add firewall rules" and the explanation is as follows: Unauthorized rules are deleted automatically. Only the rules created through Windows Firewall Control are accepted.
However, this setting, although just a tick-box, is pretty strong. It also prevents manual rules from being entered via Windows Firewall (with Advanced Security). Therefore, you'd have to un-tick the box I mentioned earlier to manually add a rule, then re-tick it... if that makes sense.
Thanks, I understand how to use it. I guess my question is how strong this protection really is and how easy it is for an app to defeat it.
Thanks for new update!
1) The problem with always create as outbound within Manage rules windows - set to INBOUND - is not resolved. See https://www.wilderssecurity.com/showpost.php?p=2349855&postcount=616 for details.
2) The problem with "After install, the notification-sound is unchecked (I had selected the default sound before)" is still there.
Have a good week!
If I install your program, does it change any of my current firewall settings? Or does it just establish itself with the settings as they are, and then it's up to me to make any further changes I might want?
WFC does not change the rules already created with Windows Firewall as it is "only" a frontend/gui. When installing you can choose to add some (I remember eight) default rules. Later - under "Manage rules" - you can easily distinguish between the rules that were already present before installing and those added later.
You have to enable File and Printer Sharing on your machine. To do this, go to Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings and check the two check boxes named Turn on network discovery and Turn on file and printer sharing for Home or Work network. This action will create a new set of rules in Windows Firewall which will solve the problem you have mentioned. Make sure that you haven't enabled the check box named Disable the ability of other programs to add firewall rules under the Options tab in WFC, otherwise these rules will be automatically deleted.
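The PowerShell equivalent of the Control Panel steps in the reply above, plus a listing that answers the original question of which service and which ports the outbound svchost.exe rules in those groups actually cover. This is an added example, not WFC's code or anything from the thread; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later), an elevated session, and the English DisplayGroup names (localized builds use translated names). The function name is this example's own.

```powershell
# Added example (not WFC's own code). Enables the "Network Discovery" and
# "File and Printer Sharing" rule groups for the Private profile, the same thing
# the Advanced sharing settings dialog does, then lists the outbound rules so you
# can see which service/protocol/port each one allows instead of opening svchost
# wholesale to the whole subnet.
$groups = 'Network Discovery', 'File and Printer Sharing'   # English names assumed

# Enable only rules that apply to the Private profile (or to Any profile).
foreach ($g in $groups) {
    Get-NetFirewallRule -DisplayGroup $g |
        Where-Object { "$($_.Profile)" -match 'Private|Any' } |
        Enable-NetFirewallRule
}

# Resolve each enabled outbound rule to its program, service, protocol and ports.
function Get-OutboundServiceRules {
    param([string[]] $DisplayGroup = $groups)
    foreach ($g in $DisplayGroup) {
        Get-NetFirewallRule -DisplayGroup $g -Direction Outbound -Enabled True | ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Group   = $g
                Rule    = $_.DisplayName
                Profile = "$($_.Profile)"
                Program = ($_ | Get-NetFirewallApplicationFilter).Program
                Service = ($_ | Get-NetFirewallServiceFilter).Service
                Proto   = $port.Protocol
                Local   = ($port.LocalPort -join ',')
                Remote  = ($port.RemotePort -join ',')
                Address = ($addr.RemoteAddress -join ',')
            }
        }
    }
}

Get-OutboundServiceRules | Sort-Object Group, Service | Format-Table -AutoSize
```

The listing is the useful part: a rule scoped to one service name (the Service column) and one protocol/port is far narrower than a rule for svchost.exe as a whole, because svchost hosts many unrelated services under the same image path.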
I will see if I can change this behavior in the next version.
WFC keeps a hash table of all the rules it has at a given time. Every 3 seconds this hash table is checked to see if any new firewall rule was added. If a new rule is found, then it is automatically deleted. This happens every 3 seconds. If the user adds a new rule through WFC, then the hash table is updated and it will also contain the new rule. If the rule is added in any other way, then it will not be contained in the internal hash table used by WFC and this means it will be deleted.
This can be defeated only if the service (Windows Firewall and/or Windows Firewall Control service) is stopped, but to stop a Windows service, the program that will do that will have to be executed with administrative privileges. The best protection is to know what programs you execute with administrative privileges.
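The baseline-and-revert mechanism the reply above describes, written out as an added PowerShell example. This is not WFC's own code; it is a plain illustration of the same idea (snapshot the rule set, poll, delete anything that is not in the snapshot) built on the NetSecurity cmdlets, so it assumes Windows 8 / Server 2012 or later and an elevated session. All function names are this example's own. It goes one step beyond the text in that it fingerprints each rule's content, so a rule that was *modified* in place (for example, a remote address widened from LocalSubnet to Any) is reported too, which a check on rule names alone would miss.

```powershell
# Added example (not WFC's own code): baseline-and-revert enforcement of the
# firewall rule set. Requires an elevated session and the NetSecurity module.

# Fingerprint one rule by the fields that determine what it permits, so that
# an in-place modification changes the hash as well as an added rule.
function Get-RuleFingerprint {
    param([Parameter(Mandatory)] $Rule)
    $app  = ($Rule | Get-NetFirewallApplicationFilter).Program
    $svc  = ($Rule | Get-NetFirewallServiceFilter).Service
    $port = $Rule | Get-NetFirewallPortFilter
    $addr = $Rule | Get-NetFirewallAddressFilter
    $text = @(
        $Rule.Name, $Rule.Direction, $Rule.Action, $Rule.Enabled, "$($Rule.Profile)",
        $app, $svc, $port.Protocol, ($port.LocalPort -join ','), ($port.RemotePort -join ','),
        ($addr.RemoteAddress -join ',')
    ) -join '|'
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($text))
    return ([BitConverter]::ToString($bytes)).Replace('-', '')
}

# Snapshot: rule name -> fingerprint for every rule currently in the store.
# Take this once, after you have finished editing rules through your front end.
function Get-RuleBaseline {
    $table = @{}
    foreach ($r in Get-NetFirewallRule) {
        $table[$r.Name] = Get-RuleFingerprint -Rule $r
    }
    return $table
}

# One pass: delete rules that are not in the baseline, report rules whose
# content changed. With -WhatIf nothing is deleted, only reported.
function Invoke-RuleCheck {
    param([Parameter(Mandatory)] [hashtable] $Baseline, [switch] $WhatIf)
    foreach ($r in Get-NetFirewallRule) {
        if (-not $Baseline.ContainsKey($r.Name)) {
            $prog = ($r | Get-NetFirewallApplicationFilter).Program
            Write-Warning "Unauthorized rule '$($r.DisplayName)' for '$prog'; removing"
            Remove-NetFirewallRule -Name $r.Name -WhatIf:$WhatIf
        }
        elseif ((Get-RuleFingerprint -Rule $r) -ne $Baseline[$r.Name]) {
            Write-Warning "Rule '$($r.DisplayName)' was modified outside the baseline"
        }
    }
}

# Poll at the interval the thread describes. Every pass walks the whole rule
# store and its filter objects, which is why a much shorter interval costs
# noticeably more CPU. -Passes bounds the loop for a demonstration run.
function Start-RuleGuard {
    param([int] $IntervalSeconds = 3, [int] $Passes = 10, [switch] $WhatIf)
    $baseline = Get-RuleBaseline
    for ($i = 0; $i -lt $Passes; $i++) {
        Invoke-RuleCheck -Baseline $baseline -WhatIf:$WhatIf
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Start-RuleGuard -WhatIf   # drop -WhatIf to actually remove unauthorized rules
```

Two caveats follow directly from the design. First, there is a window of up to one interval during which an unauthorized rule is live, so this is a clean-up control, not a preventive one. Second, as the reply says, anything running with administrative rights can stop the guard (or the firewall service) before adding its rule; the loop only raises the bar against software that adds rules and moves on.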
1) This is not a bug. What kind of rules you choose to display in Manage Rules only affects what is displayed not what kind of rules will be created. When you browse for a file from Manage Rules window, the setting regarding the direction of the rule is the one that you see in Main Panel under the Rules tab. This works as intended.
2) Because some internal properties names were changed, that setting is not preserved on purpose when using the updater. The next version of WFC will preserve that setting. This was an intentional "bug" to make the transition between the new naming of the internal properties.
The rules that you already have will remain untouched. If you choose from the installer to install also the recommended rules, it will add a few recommended rules. Anyway, when you uninstall WFC you have the possibility to restore the rules that you had before installing WFC, so you can revert any time to the rule set that you had previously.
Thanks for your reply Alex. Would it be possible to customize the frequency at which WFC checks for modified rules? Does checking every 3 sec. add any load to the system? Ideally an application should be able to register for notification from WF when changes are made, but I assume that's just not possible, right?
Does WFC notify the user if it detects any changed rules or does it just discard the changes silently? It would be interesting to see what changes show up over and over again to find the guilty app.
Then this is definitively cleared now, thanks!
Thank you for prompt answering!
Thanks for the awesome update alexandrud
I don't quite agree with this. When I was creating my printer custom rules, the preservation of scrollbar position really helped in making the process less frustrating as I could glance at what ports were being blocked then go back to the "Manage Rules" tab and add that port to the custom rule, picking up where I last glanced at under the "Connections Log" tab. If this is going to be changed, I think it should be made optional...
Lowering the interval below 3 seconds will increase the CPU usage. Right now it is under 1%. I tried with 3 checks a second but 20% of CPU time was used because a lot of processing is done when that check occurs. Increasing the time will allow the created rules to be active. 3 seconds is tested and provides the optimum balance between resources / security.
I must investigate this to see if an event is generated in Windows Firewall log when a new rule is created.
When an unauthorized rule is deleted by WFC it is logged. To check the WFC log, execute EventViewer (eventvwr.msc) and go to the category named Applications and Services Logs. There is a subcategory named WFC which contains the log of WFC. Look for Event Id 300 and you will see the name and the path of the application that appeared in the rule that was deleted.
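Two added PowerShell queries that go with the reply above. They are not WFC's code. The first summarizes WFC's own Event ID 300 records (Applications and Services Logs\WFC, as the reply describes) per program, so an application that keeps re-adding a rule stands out; it assumes the log is registered under the name "WFC" and that the deleted rule's program path appears in the message text, which the regex extracts (adjust it if the message format on your build differs). The second answers the earlier question about being notified of rule changes: Windows Firewall with Advanced Security writes its own rule-change records (Event IDs 2004 added, 2005 modified, 2006 deleted in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log), and an EventLogWatcher subscription reacts to them as they are written instead of polling. Function names are this example's own.

```powershell
# Added example (not WFC's own code). Requires Windows 7 / Server 2008 R2 or
# later for Get-WinEvent and read access to the logs (run elevated).

# 1) Which programs keep showing up in WFC's "unauthorized rule deleted" events?
function Get-WfcDeletedRuleSummary {
    param([int] $Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'WFC'; Id = 300; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            # Assumption: the message contains the program path; take the first
            # drive-letter path ending in .exe, else fall back to the whole message.
            if ($_.Message -match '([A-Za-z]:\\[^\r\n"]+?\.exe)') { $Matches[1] } else { $_.Message }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 2) Windows Firewall's own record of rule changes, independent of WFC.
$FwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

function Get-FirewallRuleChangeEvents {
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = $FwLog; Id = 2004, 2005, 2006; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Change'; e = { switch ($_.Id) { 2004 { 'added' } 2005 { 'modified' } 2006 { 'deleted' } } } },
            Message
}

# Event-driven alternative to polling: fire a handler the moment a rule-change
# record is written. Returns the watcher; set .Enabled = $false to stop it.
function Start-FirewallRuleChangeWatch {
    $xpath   = '*[System[(EventID=2004 or EventID=2005 or EventID=2006)]]'
    $query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
                   $FwLog, [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
                         -SourceIdentifier FwRuleChange -Action {
        $rec = $Event.SourceEventArgs.EventRecord
        $first = ($rec.FormatDescription() -split "`n")[0]
        Write-Host ("[{0}] firewall rule event {1}: {2}" -f $rec.TimeCreated, $rec.Id, $first)
    } | Out-Null
    $watcher.Enabled = $true
    return $watcher
}

Get-WfcDeletedRuleSummary -Hours 48 | Format-Table -AutoSize
Get-FirewallRuleChangeEvents -Hours 48 | Format-Table -AutoSize
$w = Start-FirewallRuleChangeWatch   # later: $w.Enabled = $false; Unregister-Event FwRuleChange
```

Cross-checking the two logs is worthwhile: a 2004 "added" event with no matching WFC 300 deletion within a few seconds means a rule survived, either because the guard was not running or because the rule was added through the approved path.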
The scrollbar vertical position should reset on Main Panel when you switch the tabs, not in Manage Rules window when you switch between Manage Rules and Connections Log. This was the idea.
So far, not possible to change it. Sounds like it could 'cause system hogging, however, haven't noticed ANY significant load from WFC since I began using it on my ancient 2008 laptop, nothing different on my Surface Pro.
It currently just discards the changes silently. It sure would be yet another extraordinary and very handy feature if that were another notification option (Notify on Rule Delete). When a rule is deleted, WFC could open a Notification window (WITH THE CUSTOMIZE LINK ALREADY SELECTED) showing what the rule credentials were going to be, with options to restore the rule OR let it go.
Oops, misinterpreted it. That is a good idea.
I'm still having issues (on system start-up), where I'm getting a UAC pop-up for "wfc.exe" - and then sometimes the WFC4 tray icon does not even appear and I have to manually launch the program for it to appear.
I've been experiencing this since installing WFC4. Please advise.
I second this. I experienced that only once so far, but it happened.
I had this also - maybe 3, 4 times in a year or so ... It is possible that UAC (after a reboot?) appeared again - I do not remember exactly.
However: after successful logins via UAC it was for a long time again without UAC.
Therefore, apologies for a maybe stupid question: you have logged in successfully via UAC each time, right?
Is it possible to get a real learning mode? I mean the way TinyWall and other third-party firewalls do it.
Use the Medium Filtering profile with the Low notifications level. Digitally signed programs will be allowed silently and you will see notifications only for unsigned programs. A Learning Mode of the kind you want is a bad practice because malware or junk software (toolbars, updaters, etc.) can also be allowed in this way.