Discussion in 'other firewalls' started by alexandrud, May 20, 2013.
Also: if the TrueCrypt drive (container) is mounted, the data is not encrypted anyway ...
Thanks for the nice program. For a future version I have a small suggestion. Can you also implement a search/filter field on the connection protocol, like the one on the rules window? I can filter by blocked/allowed, direction, time and all/recent already. I miss an additional field to filter the final result down. On the rules window I can type svch and it shows me only the entries where *svch* is somewhere. This I wish for the connection protocol also. What do you think?
I will give it a try.
Is there a way to see what's inside connections/packets that are on hold by WFC? For example, right now, I have a WFC notification of a program trying to make an outbound connection over port 80. I would love if I could take a peek inside the packet to see what information is going out.
I'm guessing this would involve the likes of a tool like Wireshark or Fiddler, but I'm unsure of the technicalities as for how packets are put "on hold" by WFC. In other words, when a WFC notification has fired, is it possible to still capture the packet in some sort of monitoring software? If so, how would I do this?
Thank you. I'm looking forward.
It will be difficult I reckon...
I've noticed an "x" amount of seconds delay between Wireshark display and WFC Connections log display. I also believe that the amount of security software one has on their PC and how it is set up will also play a factor.
WFC doesn't do any packet filtering, so it is not possible. It works in a passive way based on the events generated by Windows Firewall. When you see the notification from WFC, the packet was already dropped by Windows Firewall; it wasn't paused until user intervention.
This is what you will need to capture/analyze packets.
Windows Firewall Control v.126.96.36.199 - New version
- New: Search function was added to Connections Log similar to the one from Manage Rules.
- New: Introduced the concept of read only rules. They are displayed with grey text and cannot be modified or deleted from WFC.
- Fixed: Modifying inbound rules with edge traversal set to 'Defer to user' generates exceptions in Windows Firewall API. These kinds of rules are read only and can't be modified from WFC.
- Fixed: Unwanted notifications may appear when defining generic rules that should apply to all programs.
- Fixed: Opening the Properties dialog of a rule fails with an exception for rules defined with a custom protocol which does not appear in WFC.
- Fixed: Notifications are displayed for svchost.exe when Medium notification is used if a rule for svchost.exe and remote port IPHTTPS is enabled.
- Fixed: When creating a new rule from the shell integration the direction and the enabled properties of the existing rules are not taken into consideration.
- Updated: The list of recognized Group names was updated to include new groups from Windows 10.
New translation string
044 = Read Only
Download location: http://binisoft.org/download/wfc4setup.exe
Have a great weekend,
P.S. If I forgot something (bug fix, feature request) please remind me and I will take a look again.
Thank you kindly, young sir
Hello, I have a problem with Steam (+ some Steam games) and Secure rules. WFC is unable to automatically delete rules created by Steam. Can someone confirm this?
I'm using Windows 8.1.
Thank you again for the update. But I do not understand the "concept of read only rules". Is this limited to what you wrote under "Fixed: Modifying inbound...",
or are there other cases that lead to the creation of read only rules?
Thank you for new update!
- The notification system is broken now. I no longer receive any notifications for ICMP (v4 or v6), and I have no related block rule there (tested with PING). So the svchost/System notification is broken. Of course, the notification level is set to HIGH.
Even with a reset policy, I do not receive any notifications for ICMP.
- The read only rules: note that this is not the case for "Defer to application" - I don't know if this is correct ... I also do not understand the concept of read-only rules, or rather WHY this is necessary ...
- The read only rules are in grey, but (at least) with small font, it's difficult to see the difference to black. Here should be another colour/mode IMHO.
PS: I will send you the new translation soon ...
Are these rules created at Windows start-up? When you shut down the computer or restart it, do you see these rules?
Because Windows Firewall API can't update the inbound rules defined with edge traversal set to Defer to user, I had to introduce this "read-only" rules concept in WFC. This means you can see these rules in Manage Rules but you can't modify or delete them via WFC because Windows Firewall API will just throw an exception. However, you can use WFwAS to do this, as WFwAS doesn't use Windows Firewall API and has different access. So, to avoid doing something that doesn't work anyway, I made WFC treat these rules as read-only (read-only, just for WFC).
Other rules with this flag set to true are those two rules used by High Filtering profile. Those rules should not be deleted manually from WFC to avoid synchronization problems between the existing rules and the current profile. In Windows Firewall there is no such thing as block all connections, so WFC uses those two block all rules to achieve this result. They are automatically deleted when the profile is switched from High Filtering.
I accidentally moved a parenthesis in code and an OR condition did not apply anymore. I will publish very soon a fixed version. Thank you for your fast feedback.
Windows Firewall Control v.188.8.131.52 - Quick fix
- Fixed: Notifications for System and svchost.exe are not displayed anymore when High notification level is enabled.
Download location: http://binisoft.org/download/wfc4setup.exe
Have a great Sunday,
I just installed the 184.108.40.206 and still have the same problem with no notifications showing up. I even restarted. Anyone else??
They're created at Steam startup (installing or updating multiplayer games will make rules for them) if they are removed. They won't disappear after restart.
There's a partial workaround, though. Importing rules will stop rules creation, but it must be repeated after restart.
Thanks very much for the speedy bugfix
Was also about to report this today.
Yes, does not work yet ...
Okay, I understood.
Thanks for fast update! Unfortunately, does not work yet.
PS: Have a great Sunday too!
This is really odd. I have tried the high notification system with version 220.127.116.11 on Windows 10 x64 and Windows 8.1 x64 and they show up. Try to disable any svchost.exe rules and you will see new notifications for it. Also, for System. Looking forward to your feedback.
First, thanks for that great WFC software. I really love it, so I bought WFC some time ago because of the notification system, which worked very well for me in the past. Since 18.104.22.168 and 22.214.171.124 I have problems with the notification, too. I tested out a freshly installed software on my system, the Samsung Magician Software for SSDs, which will check if my SSD has got a new firmware - but it can't get a connection.
So I looked into the Connections Logs and saw that it is blocked - and no notification popped up, sadly :-(
Also the Steam Software, as mentioned here before by another user in this thread, came up in the connection logs as blocked, but I had allowed it in the past.
My OS is Windows 8.1 Update 1 x64
So the notifications system is still broken in 126.96.36.199 - hope that it will be resolved soon - I'm sure it will ;-)
This is not easy. With a reset policy (state after Windows install), the notification for ICMPv4 appears, for ICMPv6 not! With v188.8.131.52, both were perfect!
I have no related block rule (active). But I have a block for IPv6 for some IPv6 with Protocol ANY - this was NOT a problem in v184.108.40.206! Has the logic changed from changed - because this was a problem in PRE-220.127.116.11, not with 18.104.22.168 but now with POST-22.214.171.124?
If this is so, then it costs me much time to recreate all the single IPv6 rules :-(
PS: I have a block rule for svchost.exe for Teredo (UDP). But I should not deactivate it.
Hmm ... It seems I cannot work without some block rules. At the moment, I can no longer set the WFC filter level to medium; it's not usable for me ...
PPS: It seems it's not the Teredo block rule ...
I HAVE IT: I have to receive ALL such block rules, even such for Location PUBLIC and DOMAIN, which should really not influence this scenario, because I had tested this in PRIVATE location. Then it works with PING-test for IPv4 but not for IPv6.
Sorry, I cannot work like this with WFC and filter level medium, because of course I cannot deactivate such rules - they ARE definitely NECESSARY here for work in public WLAN areas, for example. I have another solution to deactivate IPv6 things in Public, for example, but I'm not sure if this is safe enough, so the Win Firewall is the most important part to block things in Public areas, for example - and only for IPv6 do I have such an alternative solution; for IPv4 I must block such things with Win Firewall.
ONE alternative might be possible: I could possibly make these rules with Group Policy (but not all systems have GPEdit.msc) ... I use GPEdit anyway for one or some important rule/s, because within Win Firewall the related block rule(/s?) was/were automatically deleted with every update of a certain program (without secure rules active, I cannot have this active unfortunately) ...
However, GPEdit.msc should not be the normal case to block THESE rules IMHO ...