Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,071
    Hi,
    I just read your post about your trouble getting a digital certificate.
    That is atrocious behaviour.
    From personal experience posting on their forum is a complete waste of time.

    If they cannot sort your problem out directly, then how on earth would posting on their forum be of any use?
    Hope you got refunded anyway.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    I got a refund after two weeks of stress, but I never got back my time or any apology. It doesn't matter anymore. It is all in the past.
     
  3. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    @ alexandrud
    Thank you so much for your continuous efforts in making WFC a simple and intuitive GUI for managing Windows Firewall!

    Unfortunately, I personally don't like the new flattish/solid-color/lego/metro design; it's one of the main reasons I think Windows 8 is a downgrade to Windows 7. Though I clearly understand that beauty requires more system resources, however, I'm willing to trade in those little resources which were being consumed by WFC 3.X to gain back the beauty. So, if you wouldn't mind, could you provide an option to restore the non-flat UI?

    Also, I have a suggestion for improved functionality. Not sure if this is just due to a limitation of Windows Firewall, but would it be possible to add support for multiple random remote IP ranges? That is, at the "Advanced" properties tab, I would be able to enter a custom address as follows:

    65.54.165.0-65.54.188.0, 131.253.61.60-131.253.61.89

    (PS. That's the IP range, for the svchost.exe file on any service on port 443, for viewing the details of apps on the Windows Store. Without allowing this connection, Windows Store will keep stating that you need internet connection when you attempt viewing an app's details :p)

    EDIT - NVM the suggestion (as it appears to be already implemented), noticed my error; had a space character after the comma.

    BTW, the Manage Rules window still displays the good-old, non-flat icon in the taskbar ;)
     
  4. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Just noticed a minor bug in the current latest version (4.0.0.3). Amongst the recommended rules, which were created during installation, is the "WFC - Windows Firewall Control Updater" rule. When I attempted checking for update, WFC showed an error stating that it's unable to connect to the update server.

    I checked the recently blocked rules and it listed that WFC was attempting to connect to the IP "50.87.146.202", whereas the recommended rule allows it to connect to only "50.22.79.60", both on TCP protocol.

    Consider fixing this. Updated the recommended rule to allow only that IP and update seems to be working fine now :thumb:

    --EDIT--

    According to what you posted earlier, this should be fixed, but it wasn't; perhaps you only changed the IP address which is configured by the "Restore Windows Firewall Control recommended rules" option and not the IP address which is configured by the installation option to create recommended system rules?
     
    Last edited: May 27, 2013
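
A quick way to confirm this kind of mismatch between a rule's allowed remote addresses and the address being blocked, as an added example that is not part of the original posts or of WFC. The function names are hypothetical, the observed address 131.253.61.75 and the IPv6 values are constructed, and rejecting whitespace inside the list is a choice made in this example; it goes slightly beyond the posts by also handling IPv6 ranges.

```powershell
# Added example, not WFC code. Checks an observed address against a rule's
# "Remote addresses" value: comma-separated single addresses or start-end ranges.

function ConvertTo-AddressKey {
    param([string]$Text)
    $ip = $null
    # Padded entries such as ' 131.253.61.60' are rejected (choice of this example).
    if ($Text -ne $Text.Trim() -or -not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) {
        throw "Not a plain IP address: '$Text'"
    }
    # TryParse accepts short IPv4 forms such as '50.22'; insist on a dotted quad.
    $isV4 = $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
    if ($isV4 -and $ip.ToString() -ne $Text) {
        throw "Not a dotted-quad IPv4 address: '$Text'"
    }
    # Hex of the network-order bytes. Keys of one family have equal length,
    # so ordinal string comparison orders them numerically.
    [pscustomobject]@{
        Family = $ip.AddressFamily
        Key    = [System.BitConverter]::ToString($ip.GetAddressBytes())
    }
}

function Test-RemoteAddressMatch {
    param([string]$RemoteAddresses, [string]$Observed)
    $target = ConvertTo-AddressKey $Observed
    foreach ($entry in $RemoteAddresses.Split(',')) {
        # IP literals without a zone id contain no '-', so splitting on it is safe.
        $bounds = $entry.Split('-')
        if ($bounds.Count -gt 2) { throw "Malformed range: '$entry'" }
        $low  = ConvertTo-AddressKey $bounds[0]
        $high = ConvertTo-AddressKey $bounds[-1]
        if ($low.Family -ne $high.Family -or
            [string]::CompareOrdinal($low.Key, $high.Key) -gt 0) {
            throw "Range bounds reversed or of mixed family: '$entry'"
        }
        if ($target.Family -eq $low.Family -and
            [string]::CompareOrdinal($low.Key, $target.Key) -le 0 -and
            [string]::CompareOrdinal($target.Key, $high.Key) -le 0) {
            return $true
        }
    }
    return $false
}

# Rule values quoted in the posts above; the third list has the space after the
# comma. Observed 131.253.61.75 and the IPv6 case are constructed.
$cases = @(
    @{ Rule = '50.22.79.60'; Observed = '50.87.146.202' }
    @{ Rule = '65.54.165.0-65.54.188.0,131.253.61.60-131.253.61.89'; Observed = '131.253.61.75' }
    @{ Rule = '65.54.165.0-65.54.188.0, 131.253.61.60-131.253.61.89'; Observed = '131.253.61.75' }
    @{ Rule = '2001:db8::10-2001:db8::ff'; Observed = '2001:db8::42' }
)
foreach ($c in $cases) {
    try   { $result = Test-RemoteAddressMatch $c.Rule $c.Observed }
    catch { $result = "rejected: $($_.Exception.Message)" }
    [pscustomobject]@{ Rule = $c.Rule; Observed = $c.Observed; Result = $result }
}
```
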
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    The new version was created to be more extensive. The old version had problems displaying long translation strings because of the limited space and adding a new option in the user interface was almost impossible for the same reason. This is the new visual approach of WFC and I can't add back the old GUI because of its limitations. I do not understand what non-flat UI means. The old GUI was also very flat, but with a few more colored icons. I think the new version looks more professional and cleaner.

    The Manage Rules window has the same icon as the Control Panel window, the black one. The old version had icons from different Internet sources. The new icon set was designed from scratch and has more unity in the program.
    Yes, you are right. I have changed the recommended rules when the rules are restored but I forgot to update the rule that is created at installation. I will fix this in the next version. Thank you for reporting this.
     
  6. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    That's precisely my point. By non-flat UI, I mean instead of just having solid colour icons, use icons like the old ones which appear a bit more 3D like to the eye, despite them being technically only 2D.

    I guess it has something to do with my Windows Cache? As shown in the following image, it's still displaying the good-old windows-shield-like icon in the taskbar:

    Good Old WFC Icon Appearing in Taskbar.png
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    Yes, the icon in the taskbar is from the Windows icon cache on your computer. The icon should be the one that appears in the title bar. The old icons don't integrate very well and look very bad in the new user interface because they have so many colors and they stay on a non-white container.
     
  8. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    I will check the bug to see if I can reproduce it and I will fix it. Copy file name to clipboard will be in the next version, and regarding the domain management, I will see how I can integrate this or something similar because there is a lot more logic to implement. Thank you for reminding me about these.
     
  10. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
    Hi! I just wanted to say big thanks to Alexandrud for this great piece of software. I've made a donation, and I'm a glad user of WFC full version :)
    Nice work!
     
  11. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I love your software and the new look other than the systray icon, it looks more like an e-mail icon to me than firewall, imo it would be cool to have a similar icon to the old zonealarm/pctools type in/out animated icon. :cool:
     
  12. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
    Perhaps it was already discussed before, but it could be difficult to find it. Is it possible to add a "Date of creation" column under Manage Rules, to sort according to the date? It would be easier to find the latest rules added via WFC. Or is it a limitation of the Windows built-in firewall? What do you think about such an improvement in WFC?
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    Yes, it was discussed before. Windows Firewall rules don't keep the creation date info. To add this feature I will have to store this extra info in a different location and make a synchronization on every rule add/delete event which can lead to new failure scenarios. A new rule is always added on top of the list because if I do this in a different way, when the user will add a new rule he will have to browse the entire list and search to see if the rule was added or not. Adding it on top is the best deal. To identify easily your rules, there is column sorting if you press on a column header, there are filters in the combo boxes from the right and also the search function. I think there are many ways to sort and see only what the user wants.
     
  14. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
    I didn't know that. Indeed they are added on the top of the list, and this is a very good solution. I'm satisfied about that :) Thank you and sorry for asking about something that has already been discussed - I'm a new one and just learning WFC ;)

     
  15. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    @ alexandrud

    A little clarification of the duplicate alert on wake bug; it appears that the bug doesn't necessarily need the computer to be put through the sleep-then-wake cycle. That's a longer process that pretty much does the following as a sub-part of it:

    1.) Have an internet enabled metro app running in the background (had this before I put the computer to sleep)
    2.) Disconnect from your wireless network by clicking the notification area "Network" icon, click on your connected wireless network in the list and click the "Disconnect" button (this automatically occurs when the computer sleeps)
    3.) WFC shows a blocked network connection attempt by the app (which I notice the next time I wake my computer)

    Hope that simplifies the debugging process.

    Also, I have a little suggestion for improving WFC; mind adding the following rule to the recommended system rules for Windows 8 systems (both at installation and the "Restore Windows Firewall Control recommended rule" operation):

    Name: WFC - Windows Store (2)
    Program: C:\windows\system32\svchost.exe
    Service: Any
    Location: All
    Protocol: TCP
    Local Ports: All Ports
    Remote Ports: 443
    Remote addresses: 65.54.165.0-65.54.188.0,131.253.61.60-131.253.61.89
    Direction: outbound

    It appears to be needed to view the details of Windows Store apps. Prior to some unknown Windows Update, it was only the "65.54.165.0-65.54.188.0" IP range that was required to view the details (you pointed that out for me here), but after the Windows Update, it now attempts connecting through the IP range "131.253.61.60-131.253.61.89" :|
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    Sorry for the late reply. I was reading this a few days ago but I hadn't time to respond because I was very busy with some exams. I will try to fix the problem with the wireless disconnect. Regarding the recommended rules, I will add this new rule to the default set of recommended rules.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That rule will give svchost.exe more access than it would normally need. Doesn't the Windows Store have some service to bind svchost.exe to?

    -edit-

    If this is related, then you should bind to service Windows Store Service (WSService). Source: search engine
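
The service-binding concern raised here can be checked across a whole rule set. The following is an added example, not part of the thread or of WFC: it flags allow rules whose program is svchost.exe but whose service filter is still "Any", and shows a service-bound form of the rule proposed earlier. The function names and the bound rule's display name are hypothetical, and the sample records are constructed from the values quoted in the thread.

```powershell
# Added example, not WFC code. Finds allow rules for svchost.exe that are not
# scoped to a service, so they apply to every service hosted in svchost.exe.

function Get-RuleScope {
    # Live collection through the NetSecurity module (Windows 8 / Server 2012 or later).
    Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            $svc = $_ | Get-NetFirewallServiceFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Direction = [string]$_.Direction
                Program   = $app.Program
                Service   = $svc.Service
            }
        }
}

function Find-UnboundSvchostRule {
    param([Parameter(ValueFromPipeline)]$Rule)
    process {
        # Matches both literal and %SystemRoot%-style paths; -match ignores case.
        $isSvchost = ([string]$Rule.Program) -match '\\svchost\.exe$'
        # 'Any' is what the service filter reports when no service is set.
        if ($isSvchost -and $Rule.Service -eq 'Any') { $Rule }
    }
}

function New-StoreServiceRule {
    # Service-bound form of the proposed rule. Not invoked here; needs elevation.
    $rule = @{
        DisplayName   = 'Windows Store - svchost (WSService)'   # hypothetical name
        Direction     = 'Outbound'
        Action        = 'Allow'
        Program       = 'C:\windows\system32\svchost.exe'
        Service       = 'WSService'
        Protocol      = 'TCP'
        RemotePort    = '443'
        RemoteAddress = '65.54.165.0-65.54.188.0', '131.253.61.60-131.253.61.89'
    }
    New-NetFirewallRule @rule
}

# Constructed records mirroring the two variants discussed in the thread.
$sample = @(
    [pscustomobject]@{ Name = 'WFC - Windows Store (2)'; Direction = 'Outbound'
                       Program = 'C:\windows\system32\svchost.exe'; Service = 'Any' }
    [pscustomobject]@{ Name = 'Windows Store - svchost (WSService)'; Direction = 'Outbound'
                       Program = 'C:\windows\system32\svchost.exe'; Service = 'WSService' }
)
$sample | Find-UnboundSvchostRule | Format-Table Name, Direction, Service

# Against the live rule set:
# Get-RuleScope | Find-UnboundSvchostRule | Format-Table Name, Direction, Service
```
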
     
  18. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    I just attempted binding the rule to the "Windows Store Service" and attempted viewing the details of a Windows Store app. It showed the same error message stating that my PC isn't connected to the internet. Changed it back to any service and I was able to view Windows Store app details again...

    --EDIT--

    This is strange, it was first showing the error message when it was bound to the Windows Store Service, I switched it back to any service and it allowed me to view the details. Then, I thought why not cycle through the services to see which one is the appropriate one to bind to, switched to the ActiveX installer service (the first in the list) and it strangely allowed me to view the details...closed out the Windows Store app, continued to the next in the list, the Adobe Acrobat Update service (one that is clearly not related to the Windows Store) and it still let me view the details :| Switched back to the Windows Store Service and it still allowed me to view the details...

    So, appears like the Windows Store app only requires that connection once in a certain period of time (which I'm unaware of at the moment) for checking if there's an internet connection...another ridiculous programming by Microsoft in Windows 8 :p
     
    Last edited: Jun 5, 2013
  19. SwissBIT

    SwissBIT Guest

    Hi alexandrud!

    First, thank you very much for this great software!

    Here are a few bugs (behaviour) and a wish (v4.0.0.3):

    - Bugs and behaviour ...

    B1) Policy Export Bug

    An existing file cannot be overwritten. An overwrite warning appears but then the overriding fails.

    B2) Policy Import "Bug" (Behaviour)

    After importing a policy the filter level "Low Filtering" is set - regardless of the level previously set. Of course, the level should remain.

    B3) IPv6 Address-Range Bug

    It's not possible to set an IPv6 Address-RANGE (invalid, red field).


    - Wish ...

    W1) "Non-UAC" AND "UAC" Mode

    It should be possible to switch (or install) a "Non-UAC" Mode, which means:

    > "Non-UAC" Mode:

    The current situation. Standard-Users/Accounts have access to rules, etc.

    > "UAC" Mode:

    A new - safer - variant. Standard-Users/Accounts have access (to rules, etc) only through UAC. So it would be the same as in Windows Firewall Advanced Security (WFwAS). Even the WFC-password would then be no longer necessary. UAC of course would be necessary only AFTER a notification.


    Okay, I look forward to your reply and thank you in advance!

    Kind regards,
    SwissBIT

    PS: Sorry for my bad English!
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    B1) Indeed. This is a bug. I already fixed it. The next version will include this fix.
    B2) This is not a bug. This is the desired behavior. When importing a new set of rules the profile is reset to the default Windows Firewall profile. This is done because a set of rules does not contain any information about WFC level so, in this case it will be reset to the default one. Just tick again Medium Filtering checkbox and you're done. I guess I can change this.
    B3) I will see what I can do about IPv6 range validations. Until then, you can use WFwAS to define IPv6 ranges. This has low priority because I doubt many users will attempt to define IPv6 ranges.
    W1) Will not be implemented. There was a large topic in the first versions (2.9.x.x) about UAC and WFC requiring administrative privileges. This is why I have implemented also a Windows service (wfcs.exe) which runs with System privileges and the GUI (wfc.exe) with standard user privileges. I see your point. On the other hand, the locking feature does more than locking the access to WFC settings and rules. It also blocks access to Windows Firewall from Control Panel (firewall.cpl) and WFwAS (WF.msc). So, the lock mechanism will not be replaced. And then, switching from a UAC mode to a non UAC mode will also require a password protection otherwise it can be changed anytime by any user.
     
  21. SwissBIT

    SwissBIT Guest

    Hi

    Okay.

    Okay ...

    Since my provider and I have NATIVE IPv6 and each day more and more sites/services are also in IPv6, I use these ranges often. But I see, it's not the most important thing right NOW!

    But in my test with WFC, the notifications didn't work if a password was set - and without a password, any malware - even without admin rights - can change rules, have access to registry ... is this right?

    Greetings,
    SwissBIT
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    Yes, the notifications are not displayed when a password is set. This is how it should be. You lock the program with a password because you don't want other users of the same computer to alter your rules. If the notifications would be enabled, then any user can add new rules even if you have prohibited this by setting a password. If you are the only user of your computer there is no need to lock the program.

    Changing Windows Firewall rules requires administrative privileges because the rules are stored in the HKLM branch of the Windows registry. Without administrative privileges you can't modify the rules. This applies also to malware. Just make sure that you don't execute unknown software from untrusted websites and give it administrative rights. If malware gains admin rights (usually after the user clicks OK in the UAC prompt without reading it) and starts messing around with your computer, the firewall rules are your last concern. You already have bigger problems. Malware should be caught by an antivirus. The firewall has a different purpose. Anyway, you can activate "Disable the ability of other programs to add firewall rules" to make sure that other programs, even if they have admin rights, will not add new rules to allow themselves to connect to the Internet.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    I can't reproduce the problem with Netflix. I have created a rule for netflix.exe and then I disconnected the wireless connection, connected it again and no notification. The program is able to connect. However, I have a different path for it. It seems that for every version, the path is different. Windows Firewall rules apply on a per-path basis, so if the path is different (a newer version with a different location) then a new notification will be displayed.

    Regarding the Windows Store, it seems that there need to be 2 rules: one that allows wwahost.exe and one for svchost.exe to allow all connections for the service WSService (Windows Store Service). I have updated the recommended rules to include both rules. Tested and working. This will be included in the next version.

    Also, copy file name to clipboard is already implemented. Yes, in the next version.

    I did not have enough time to work on the website but some improvements were done to WFC. The new version will be out in a few days.

    Have a great weekend.
     
  24. SwissBIT

    SwissBIT Guest

    Hi

    First, thank you for the quick and detailed explanations!

    Okay but see below ...

    Two last questions on this point - if you allow:

    Could a malware take over or intercept the GUI process wfc.exe (in unlocked state) - to create/change/delete firewall rules or execute a command with "administrator console" (cmd) (for example) over the service process wfcs.exe on this indirect way? Or is this not possible or a realistic scenario?

    I must have a solution for the following situation:

    - I use my PC not alone.
    - I am the only admin (for all the admin things, including firewall rules)
    - I will always see the WFC notifications.

    Then - at least at the end of my session - I must always (manually, each time) lock the WFC GUI with a password, otherwise the next user has admin access (even over CMD)! I mean, trust in other users is good and right, but control is better! Then - at the beginning of my next session - I need to unlock the GUI ... and so on and so forth. And so, this part of the software is not user friendly enough, in my opinion ...

    I hope you are not annoyed by my persistence, but this is simply a very important aspect for me.

    Many thanks for your answer in advance and have a nice weekend!

    Greetings,
    SwissBIT
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,164
    Location:
    Romania
    This is not a realistic scenario. Malware will eventually try to disable the Windows Firewall service, not WFC. Machines with Windows Vista, 7, 8, they all have Windows Firewall installed, but maybe only 0,01% have WFC installed.
    The chance of WFC being a target of malware is very low.

    Regarding the lock/unlock steps that you must take, indeed, in your scenario, it is not very intuitive. The majority of WFC users are single PC users and they don't need to lock the program and 99% of the users will not even use the lock feature because they don't need to. The purpose of WFC was to be very easy to use even on standard user accounts, without UAC prompts, because many users use standard user accounts instead of admin accounts for extra protection (the damage that malware can do from a standard user account is lower than what it can do on an admin account). If I introduce UAC prompts for standard user accounts I will affect thousands of users. In the last 3 years this is the first time that someone has complained about the locking feature being so rigid. I will try to find a solution for this scenario.
     