Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. 2muchtime

    2muchtime Registered Member

    Joined:
    Apr 8, 2014
    Posts:
    23
    "Only the last version of WFC (4.0.9.2) can prevent AppGuard from creating those rules. Obviously, not on your machine. I am working on this."

    Thank you!
     
  2. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Discovered another app that creates by itself inbound rules for TCP and UDP :) Wanted to play some BF 3 and discovered these rules.
    It's related to the BF3 EA Battlelog plug-in. It's the stuff that gets into the browser so you can play BF 3 online. It's called Sonar; the executable generating it is SonarHost.exe. The path of the application is usually in Program Files\Battlelog Web Plugins\Sonar\0.70.4\SonarHost.exe
    Another sneaky app, but much more dangerous as it resides in the browser.
    Steam uses the Chromium browser engine so they are somehow related :)

    Thanks for the feedback Alexandru.
     
  3. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    681
    Location:
    Switzerland
    Hi,

    I have now tested a program on a USB stick which needs Internet access, with a related allow rule for the outgoing traffic.

    It is true: after removing and reinserting the stick, the rule does not work anymore.

    Then (as has been said) a double click is necessary, or (as I tested) after a reboot it works again.

    Because this is not satisfactory, I have created a workaround for me:

    1. I have installed the program "AutoRunnerX". This program can be triggered by an existing file on ANY USB drive.

    2. This trigger then executes a firewall command (via batch files and a UAC prompt, within my restricted user account) to re-enable the rule(s). I use "Take Command" (a Windows command prompt program) for this (because I almost always use this program for batch things), but this can probably also be accomplished with onboard tools.

    The Win 7 Firewall command itself is (for me) ...

    netsh advfirewall firewall set rule group="[Portable]" new enable=yes

    ... so all rules in the group [Portable] are re-enabled at once. So I can, for example, connect a complete USB hub with different drives and all the rules then work at once.

    3. Now, I can start the desired Program from USB-Stick and have Internet Access with it!

    Greetings,
    Alpengreis
     
  4. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Regarding the issue with USB drives,

    If windows firewall tags a rule with the path to the application, then the rule should still work when the USB drive is re-inserted because the path does not change!

    The fact that it is possible to "fix up" the rules using netsh suggests that this should also be possible from within WFC.

    As I said, just "applying" the rule again from properties gets it working, so only need to do this in software.
     
  5. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    681
    Location:
    Switzerland
    Because USB drives ...

    The path does not change if the USB drive has a fixed drive letter! Otherwise, the path can change (at least in combination with other USB devices that were temporarily in operation or are)! Therefore, I have assigned fixed drive letters to all my relevant USB drives!

    Then, with this condition, it goes smoothly with your double click variant as well as with my version.

    The downside to the double click variant is that you have to do it manually always. With my version, the re-plugging of USB Drives is enough.

    It's also possible to extend my version so that USB drives without fixed drive names can automatically generate a rule. And then it is, for example, also possible to automatically remove such a rule after the next reboot or after a certain time.

    Whether someone wants to do so, of course, is another question. It should be just a tip for those who wanted to be happy to have everything automatically - like me ;-)

    Greetings,
    Alpengreis
     
  6. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I see no issue with the USB stuff. If the app has the right path in the firewall it works. In this aspect WFC is perfectly fine. You are describing a non-issue :)
    I wouldn't like automatic rule generators for USB stick apps; it's like letting autorunner malware do their stuff by default.
    If the rule made fits the path it simply works.
     
  7. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    681
    Location:
    Switzerland
    No, that's not correct. If you remove the stick and then reinsert it, the rule exists but does not work anymore (tested here on Win 7 (Ultimate)). Then, without other tools, a double click with "apply" within WFC is necessary, or a reboot.

    And my solution with autorule starts only if a special file exists on a stick already known to my system. It also verifies a checksum on the stick. My sticks of this kind are formatted in NTFS with related rights. And last but not least, the execution of the rule auto-re-enable needs my UAC "yes" with my fingerprint (fingerprint reader).

    This is not the same as the (old) really dangerous autorun.inf process, which is not possible on my system. An example: if I insert an unknown stick, then it executes absolutely nothing (except the on-the-fly malware check for the stick). Another example: if I insert one of my sticks, but the portable program has been changed, then nothing is started.

    And note: the batch files are NOT on the stick itself; they are on my PC with no write access for my restricted user account (regulated by NTFS rights). The trigger file and the executable program on the stick also have no write access for my restricted user account (regulated by NTFS rights too).

    Of course, I could even disable the autorule process. Instead of this, I could make a shortcut on the desktop to re-enable only the desired rule (not the whole portable group rules) for the related stick, with more checks, for even higher security. But for the system here with my sticks with "my" portable programs, which do not come into any foreign hands, the current solution is safe enough for me.

    My intention to make this was, to avoid a manual search in the WFC Rule Manager each time, if I insert one of my sticks (and I have maybe 20 sticks or drives) with a portable program.

    And please understand: it's just a workaround for ME PERSONALLY. Written here as an idea. It's not a manual.

    In this sense,
    Alpengreis
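
The checks described in the post above (trigger file present, program checksum unchanged, only then re-enable the rule group), as an added sketch that is not part of the original post and not Alpengreis's own batch files. The drive letter, marker file name, program path and hash are constructed placeholders; it has to run from an elevated prompt for netsh to change rules.

```powershell
# Added example: re-enable a firewall rule group only for a known, unmodified stick.
# Drive letter, file names and hash are constructed placeholders (assumptions).
param(
    [string]$DriveRoot    = 'P:\',                          # assumed fixed drive letter
    [string]$MarkerFile   = 'portable.marker',              # hypothetical trigger file
    [string]$ProgramPath  = 'PortableApp\app.exe',          # hypothetical portable program
    [string]$ExpectedHash = '<SHA-256-OF-KNOWN-GOOD-EXE>',  # placeholder, fill in
    [string]$RuleGroup    = '[Portable]'                    # group name from the post
)

function Get-Sha256Hex([string]$Path) {
    # Plain .NET so it also runs on the PowerShell 2.0 shipped with Windows 7.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Test-TrustedStick {
    param($DriveRoot, $MarkerFile, $ProgramPath, $ExpectedHash)
    $marker = Join-Path $DriveRoot $MarkerFile
    $exe    = Join-Path $DriveRoot $ProgramPath
    # Both the trigger file and the program must exist on the stick.
    if (-not (Test-Path -LiteralPath $marker -PathType Leaf)) { return $false }
    if (-not (Test-Path -LiteralPath $exe    -PathType Leaf)) { return $false }
    # A changed program yields a different hash and fails the check.
    return (Get-Sha256Hex $exe) -eq $ExpectedHash.ToLower()
}

if (Test-TrustedStick $DriveRoot $MarkerFile $ProgramPath $ExpectedHash) {
    # Same netsh command as in the post, with the group name as a parameter.
    & netsh advfirewall firewall set rule "group=$RuleGroup" new enable=yes
    if ($LASTEXITCODE -ne 0) {
        Write-Error "netsh failed with exit code $LASTEXITCODE"
        exit 1
    }
} else {
    Write-Warning "Stick at $DriveRoot failed the marker/hash check; rule group left unchanged."
    exit 2
}
```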
     
  8. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    No it doesn't, that is the point. Apps have the correct path specified by the rule, but the rule doesn't work. There may be some other "hidden" data that changes which stops the rule from working. As I said, a simple "Apply" on the rule makes it work again.
     
  9. ferenczy

    ferenczy Registered Member

    Joined:
    Feb 21, 2014
    Posts:
    13
    Location:
    Czech republic
    Hi Alexandru,

    I have a feature request :) Would it be possible to display the full command with parameters in the notification window instead of the command name and extension only? Because sometimes I have a notification like "rundll32.exe tries to connect somewhere". But that's absolutely useless. The interesting part is the rundll parameter: what it is executing. So if you get that information from the Windows Firewall it would be nice to display it, for example, as a tool tip of the command name.
     
  10. ferenczy

    ferenczy Registered Member

    Joined:
    Feb 21, 2014
    Posts:
    13
    Location:
    Czech republic
    Hi Alexandru!

    Thank you for the clarification.

    Yep, I'm using the second monitor very often and not only one, but more different monitors (one at home, another at the office etc.). Usually the notification window size is fine, but sometimes it changes for no reason. It was the first time on my new laptop, which I have had for 6 months. Once or maybe twice it happened on my old laptop. It usually happens once in several months. I don't know why. But I think that I'm not the only one who experiences that.
     
  11. ferenczy

    ferenczy Registered Member

    Joined:
    Feb 21, 2014
    Posts:
    13
    Location:
    Czech republic
    BTW I have WFC version 4.0.8.6. Now I'm trying to install the latest one (4.0.9.2), but when I have executed the installer I got message "Version 4.0.9.2 can not update a previous version.". Is it known? Just for your information.
     
  12. ferenczy

    ferenczy Registered Member

    Joined:
    Feb 21, 2014
    Posts:
    13
    Location:
    Czech republic
    "Installation notes: This version can not update a previous version. Please first uninstall any WFC version from Programs and Features available in Control Panel and then execute the new installer."

    OK, sorry for that :)
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,453
    Location:
    Romania
    For this, WFC should know when a new USB drive is inserted, and then find all the rules with the path on the same drive letter as the inserted USB drive and then reapply them. This would mean to add 80% of the functionality from USB Flash Drives Control in WFC. Not really a plan.
    No, it is not possible. That info is not logged by Windows Firewall. Check the Connections Log and you will see only rundll32.exe. The same applies for the service name for svchost.exe; this info is not logged and cannot be retrieved so easily.
     
  14. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Alexandru, I cannot add you (binisoft) to AppGuard's 'Publishers' list...wfc.exe is not signed. Sorry if this has been addressed.
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Digital signature costs money.... ;)
     
  16. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
  17. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    681
    Location:
    Switzerland
    Alexandrud,

    you know the location selection in the customize rule dialog was a bit buggy (in two different cases). I hope it always works correctly now.

    Nevertheless, I'm a bit careful with this thing, because it's VERY important here, that this selection is always correct.

    I know, the notification window is not resizable, and I also know, it's not intended to make this globally bigger.

    It would be really nice to have the little missing piece immediately in view.

    My question is now: would it be possible to add a possibility to change the value for the height? Either in the WFC preferences itself or in the related regkey? I had tried to change the value in the "PlacementNotification" key from 306 to a higher value, but it was automatically reset.

    Greetings,
    Alpengreis
     
  18. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I'm using avast, I noted that there is an incompatibility between WFC and avast... Now I followed the link on the WFC homepage and read that Alex said the solution was to set the webguard to scan only; on avast 9 scan only is the only option!... What do I need to do to resolve the conflict?
     
  19. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Sorry for the late response, but that is what this part (the bold parts) of the suggestion was for:

     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,453
    Location:
    Romania
    Just tested this over and over on multiple machines. The uninstall works correctly on standard user accounts without closing the program from the system tray area. Tested with version 4.0.9.0 and 4.0.9.2. Anyone else having this problem?
    Tested this again and checked the template for the text box control. The MaxLength value is 2048. The next version will allow 4096 characters in a text box. Please check that your input does not contain any new line character (Enter) in that string. There is no limitation in WFC that may prevent you from pasting more than 64 characters there. That field does not accept multiple lines and if a new line character is found in your string, then the string will be copied only up to the specific index where an Enter is found.
    Set the PlacementNotification value to the following format: X'Y'Width'Height'Scale'Normal, something like this: 100'100'342'366'120'Normal. The default value of the red text is 306. If you make it 366 then you will have a taller notification dialog. The next time the notification dialog opens, it will have this height. When you close the notification dialog, the value of the height will not change.
    Do you still have a conflict? From what I read, the recent versions of Avast have fixed this problem. To determine if you have a conflict, when a new notification is displayed, do you see the original program that is blocked or the proxy? If you allow a specific program, does the rule apply correctly?


    Regarding the problem with AppGuard and other programs that can still create rules I can't reproduce the problem. These rules are deleted automatically. Check the WFC event log for events with ID 300. This is still under observation.
     
    Last edited: May 25, 2014
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,453
    Location:
    Romania
    Windows Firewall Control v.4.0.9.4 - New Version

    What's new:
    - Fixed: The notification dialog hangs when multiple connection attempts are received for a specific program in a short period of time and the user chooses to create a new rule from the notification dialog.
    - Fixed: The validation for Program field in Properties dialog of a rule does not work.
    - Fixed: If the Rules Panel is open and the user uses the system tray context menu to open a different view, the window is focused but the view is not changed.
    - Fixed: In Windows 8, some group names are not recognized properly in Manage Rules data grid.
    - Fixed: The Properties dialog is opened if the user presses on the Cancel button with Enter key when the dialog to export the selected rules is canceled.
    - Improved: The text boxes available in Properties dialog of a rule support now maximum 4096 characters.

    Installation notes: This version can update only version 4.0.9.2. If you use an older version, please first uninstall WFC from Programs and Features available in Control Panel and then execute the new installer.

    Other notes: I wasn't able to reproduce the problem with AppGuard and Steam. Even if they create the rules, WFC deletes them automatically, at least on my test machines. Anyway, it is strange that AppGuard needs inbound access to our computers. I could understand the need for outbound access to check the license or for updates, but why do they need to connect to our computers? Maybe someone more familiar with this software may have an answer?

    Download location: http://binisoft.org/download/wfc4setup.exe
    SHA1: 7c64ea0df1d35818f14e23010f0ae260a7c8ed3c

    Thank you for your support and your feedback,
    Alexandru
     
  22. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Thanks for this update.
     
  23. 2muchtime

    2muchtime Registered Member

    Joined:
    Apr 8, 2014
    Posts:
    23
    "Other notes: I wasn't able to reproduce the problem with AppGuard and Steam. Even if they create the rules, WFC deletes them automatically, at least on my test machines."


    Just unacceptable for any firewall/controller to allow connections that are blocked.
    WFC is not deleting these rules. They are the inbound rules that are being allowed; the one outbound rule remains blocked (AppGuard GUI).
     
  24. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I am still seeing this happening with AppGuard v2.0.2.1012 and WFC 4.0.9.2. It appears just as 2muchtime documented in post #773. I also see in the WFC events that AppGuard rules have been automatically deleted, yet when I open the rules panel there are two new AppGuard inbound rules, one TCP and one UDP. Another interesting thing is that if I block the two inbound rules, they will change to an allow status at the next reboot or when whatever triggers this occurs. The creation and change of firewall rules is not absolutely predictable, sometimes it happens at morning boot, sometimes on every reboot, sometimes not at all for a day, thus the trigger may be from the AppGuard servers or from some strange internal timing mechanism, I just can't know. In examining the System event log, the AppGuard service is starting after the Windows Firewall service but before the WFC service by about 2 seconds if this means anything. The disturbing thing, to me at least, about this type of activity is not so much with WFC as it is that any program on my computer has the ability to not only create firewall rules, but to change them from a block to an allow condition. This opens many questions about the effectiveness of a software firewall in the intrusive internet environment that exists today.

    Also, to clarify my prior postings, I have only seen this activity with AppGuard version 2, when I reported not seeing this I was using version 1.75.

    edit, last sentence should reflect the AppGuard update from version 3 to 4, not 1.75 to 2.
     
    Last edited: May 25, 2014
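
One way to check for the behaviour reported in the posts above (a program adding inbound rules, or a blocked inbound rule turning into an allow rule after a reboot) is to diff the inbound rules against a saved baseline. This is an added example, not part of any post and not WFC's own code; it reads the rules through the Windows Firewall COM interface `HNetCfg.FwPolicy2`, and the baseline path is an assumption.

```powershell
# Added example: report inbound rules that are new or changed since a saved baseline.
param(
    [string]$BaselinePath = "$env:ProgramData\fw-inbound-baseline.xml",  # assumed location
    [switch]$SaveBaseline
)

function Get-InboundRuleSnapshot {
    # HNetCfg.FwPolicy2 is the Windows Firewall COM API (Vista and later).
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($r in $policy.Rules) {
        if ($r.Direction -ne 1) { continue }              # 1 = inbound, 2 = outbound
        $action = if ($r.Action -eq 1) { 'Allow' } else { 'Block' }
        New-Object PSObject -Property @{
            Key      = "$($r.Name)|$($r.ApplicationName)|$($r.Protocol)"
            Name     = $r.Name
            Program  = $r.ApplicationName
            Protocol = $r.Protocol                        # 6 = TCP, 17 = UDP
            Enabled  = [bool]$r.Enabled
            Action   = $action
        }
    }
}

function Compare-RuleSnapshot($Baseline, $Current) {
    # Index the baseline by key, then walk the current rules.
    $old = @{}
    foreach ($b in $Baseline) { $old[$b.Key] = $b }
    foreach ($c in $Current) {
        $b = $old[$c.Key]
        if ($null -eq $b) {
            "NEW      $($c.Action) enabled=$($c.Enabled) $($c.Name) [$($c.Program)]"
        } elseif ($b.Action -ne $c.Action -or $b.Enabled -ne $c.Enabled) {
            "CHANGED  $($b.Action)/$($b.Enabled) -> $($c.Action)/$($c.Enabled) $($c.Name) [$($c.Program)]"
        }
    }
}

$current = @(Get-InboundRuleSnapshot)
if ($SaveBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    "Baseline with $($current.Count) inbound rules written to $BaselinePath"
} else {
    Compare-RuleSnapshot (Import-Clixml -Path $BaselinePath) $current
}
```

Run it once with `-SaveBaseline` after reviewing the rules, then again after each reboot; a `CHANGED  Block/True -> Allow/True` line is the block-to-allow flip described above.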
  25. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    alexandru, thanks nice update as always :thumb:

    @focus please check as Appguard current Version is now 4 and not 2 :doubt:
     