Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    What i cant understand. When WFC ask me if the exe will go out and i allow it, it was in the firewall rulse set as allowed for this app. But its blocked, why windows firewall ignore this rule ?
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    Windows Firewall is an implementation over Windows Filtering Platform (WFP). The notifications which you see in Windows Firewall Control are for blocked connections logged in WFP. At this point, there is nothing related to Windows Firewall. You create a new Windows Firewall rule with the expectation that this rule will indeed allow future connections of the blocked program. If this does not work, there might be multiple reasons:
    - WFP contains a rule with a higher precedence which overwrites the allow rule that you have created. As a result, the connection is still blocked.
    - The rule created by Windows Firewall does not apply because the path of the file is located on a virtual mounted drive. These paths can't be allowed properly through Windows Firewall. The only solution that I know to make it work, is to disable outbound filtering so that it can connect without a rule.

    I described here a way to find out which filter blocked a connection:
    https://www.wilderssecurity.com/thr...-by-binisoft-org.347370/page-231#post-2929980
     
  3. D3ltorohd

    D3ltorohd Registered Member

    Joined:
    Nov 20, 2021
    Posts:
    10
    Location:
    Germany
    Is this a good thing to disable outbound filtering ? The bigger danger is after all inbound or ?
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    By default, outbound filtering is disabled in Windows Firewall. Enabling it is optional and requires the user to do the work of creating allow rules for the programs which are acceptable to connect. If there are some programs that do not work with outbound filtering enabled, you can disable it temporarily. Or you can take the other side, keep Low Filtering profile and manually block unwanted programs. The important thing is to not disable inbound filtering because you will expose your computer to the external world.
     
  5. THZ

    THZ Registered Member

    Joined:
    Dec 29, 2021
    Posts:
    2
    Location:
    Basel
    Hello - I have set WFC to Medium Filtering, block any traffic and to display notifications. Whenever I get a notification on a new unknown traffic I confirm either with block or allow, but this takes up to 1 minute when I click on OK. This is on 2 computers that I have, on other computers not. What could be the reason?
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    This was reported a while ago but I could never reproduce it and provide a fix.
    - Please check the Connections Log and see if there is a program that is generating an insane number of connections (in and out) during the same time when you want to create a new rule from the notifications dialog.
    - That 1 minute seems like a timeout to me. After that 1 minute of waiting, is the rule created ?
    - During this waiting time is the notification dialog closed or frozen ?
    - Please check WFC log in Event Viewer and see if there is something logged regarding this.
    - On which operating system do you have this problem ? Net Framework version ?
    - Does this happen only when you create a new rule from the notification dialog, or also when you try to create a new rule from Rules Panel ?
    - Try to identify the differences between the computers where it works and where it doesn't. Do they use the same security software, the same antivirus ?
     
    Last edited: Dec 30, 2021
  7. THZ

    THZ Registered Member

    Joined:
    Dec 29, 2021
    Posts:
    2
    Location:
    Basel
    Many thanks. Actually my log doesn't provide anything unusual, but I will verfiy this the next time I will have this issue.

    I can answer your questions so far:
    -The rule is being created after 1 minute of waiting
    -The notification dialog remains frozen
    -This happened with Windows 10 x64 and happens now with Windows 11 as well. Net Framework 4.8.04161
    -All computers have been setup almost identical, no security software, only Microsoft Defender
     
  8. NAMIKAWA

    NAMIKAWA Registered Member

    Joined:
    Jan 8, 2022
    Posts:
    2
    Location:
    JP
    Hello,

    I use WFC, I wanted to turn off the messages that appear that the program needs permission in the firewall.
    https://i.imgur.com/hhYt6P2.png

    But all the notification settings I've tried are probably used (linked) by the WFC program and can't be turned off.

    how can i turn off these annoying messages?
     
  9. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    563
    Location:
    Switzerland
    This has nothing to do with WFC. It should be the following setting (here Windows 10 Pro x64 ... I don't know which OS you have in use) and it's for INBOUND connections:

    Type "Firewall status" or "Check firewall status" or something like that (don't know exactly, because I have a non-english OS version in use) in the Windows Search Field or in Search Field of the Settings window (you should also find it over the "Control Panel, System and Security" somewhere):

    Open it, then you should have a window like this ...

    Notifications_1-2.PNG

    ... click on the text in red square ("Change notification settings"), then you should have a window like this ...

    Notifications_2-2.PNG

    .. now you should be able to disable it for the desired location(s).
     
    Last edited: Jan 8, 2022
  10. NAMIKAWA

    NAMIKAWA Registered Member

    Joined:
    Jan 8, 2022
    Posts:
    2
    Location:
    JP
    @Alpengreis Yes, I tried exactly this setting before I wrote here!
    The problem is that it always returns to the default values.
     
  11. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    563
    Location:
    Switzerland
    Last edited: Jan 8, 2022
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    Execute wf.msc

    upload_2022-1-9_12-10-43.png

    Then click on this:

    upload_2022-1-9_12-11-54.png

    Then for Private and Public, click on Customize under Settings:

    upload_2022-1-9_12-13-6.png

    And set this setting to No:

    upload_2022-1-9_12-14-55.png

    Now you should not see those WF notifications anymore. If you can still see them let me know.
     
  13. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    563
    Location:
    Switzerland
    Yes, over the Management Console is another way ...
     
  14. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    147
    Location:
    Finland
    How effective this FW is against tampering(disabling) vs Comodo Firewall and Zonealarm that runs in their own kernel level driver (ring 0) ?
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,122
    Location:
    Romania
    There is no tampering protection in WFC because:
    - WFC is not a firewall
    - WFC is just an alternative user interface for Windows Firewall. It also provides some extra nice features, but this does not make it a firewall.
    - Even if WFC is closed, the firewall rules are still applied by Windows Firewall itself. By closing WFC you just don't have access to the alternative user interface, it is not the end of the world.
    - A real anti-tampering mechanism requires an ELAM driver signed by Microsoft which is not that easy to get, it makes debugging almost impossible (because WFC will be a protected process) and comes with the only advantage that you can't close WFC process. If something goes wrong with the software and it hangs, then, good luck restarting it.
    - A real attacker will probably want to disable Windows Firewall itself, not WFC. Disabling WFC will not help a malicious actor to gain nothing. However, this will attract too much attention, so this is unlikely:
    upload_2022-1-12_20-40-46.png
    - If a malicious software gains enough privileges (the user probably allows it in UAC prompt) to disable a service running under SYSTEM account, the last problem that you have is WFC being closed.
     
  16. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    147
    Location:
    Finland
    Yes, WFC is a frontend for Windows Firewall. Many malwares more or less targeting windows firewall, because malware coders does know that many users does not use 3rd party firewall. Its easy to abuse.
    Personally, i never ever rely any FW softwares that's based on windows own firewall. Comodo / Zonealarm uses their own kernel based filterin driver(s). This solution can and will increase security.
    There's a many ways to disable windows firewall during boot stage.
    Nevertheless, you're a great coder and... mov ax,13h? ;)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.