Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    554
    Location:
    Switzerland
    Because the AV scanner results ... first: if you have downloaded the file, check the hash-sum (SHA1, see above). If the hash is correct, it should be a false positive.

    However: I'm VERY sure, Alexandru would NEVER EVER integrate malware things in WFC!

    Alpengreis
     
  2. Rubert

    Rubert Registered Member

    Joined:
    Dec 19, 2012
    Posts:
    6
    Location:
    France
    Yes, my very first move was to verify that the file's hash was correct.

    A false positive is very likely to be the case here (and Malwarebytes certainly seems to produce its fair share of these). I thought, nevertheless, that it was worth raising this issue. There's never any harm in being cautious when it comes to security. There is also the possibility that Alexandru might want to draw the attention of Malwarebytes to an error on their part.
     
  3. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    554
    Location:
    Switzerland
    @Rubert

    Of course, to report this issue was - without a doubt - senseful!
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    When I import rules from a file under Profiles, it toggles to Low Filtering even though I have Medium Filtering always marked.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Like I said, I'm not a firewall expert. I thought that all firewalls do packet filtering. But this "low level network access" stuff is about the ability to bypass firewall with a separate network enabled driver. Like I said, it's more of a HIPS job to stop this, and WFC isn't even a third party firewall, so it was a bit of a dumb question.
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    You don't need to be an expert to know WFC is not a firewall.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,097
    Location:
    Romania
    This is on purpose when reimporting a full policy. It follows the behavior that is used when restoring the default Windows Firewall rules.

    Regarding the MBAM false positive, I have reported this on their forums:
    https://forums.malwarebytes.org/ind...ndows-firewall-control-false-positive-report/

    Their response is:
     
    Last edited: Jun 2, 2015
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I already explained, that's not the point. Like I said, I don't believe that "packet filtering" has got anything to do with "low level network access". It's simply a method to bypass the standard Windows Firewall, I believe "raw sockets" can also be used for this.

    This link is also interesting: http://www.pcmag.com/article2/0,2817,2356130,00.asp
     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Time to repeat myself again, since you obviously haven't started another thread to get the answers you want...

    The above link, and your previous one do not apply in this thread, since WFC is not a 3rd party firewall. All WFC does is provide an alternative "interface", along with reading Event Viewer (outputs blocks via Connections Log, something that W7F does not do). Applications such as Comodo, Online Armor, etc... the companies/apps that actually "shut down W7F" and force the user to use "their own firewall"; these are the ones that should crap themselves somewhat.

    WFC cannot shut down W7F "and" act as a firewall on its own. At best, it can shut down W7F, end of story. Which means no firewall whatsoever, nothing to replace it with because WFC is not a replacement. It is just an alternative interface. It even states in Profiles tab under No Filtering... "Windows Firewall is turned off. Avoid using this setting unless you have another firewall running". There are no hooks/injections of any manner performed by WFC.

    If WFC isn't as pimped out or glamorous as you'd like it to be, you could use a free version of Glasswire or fork out some cash and buy it, or even use a VPN, or something else. It sounds to me you are after something that does everything... If that is the case, then even Glasswire is not for you since it uses W7F, rather than replaces it.
     
    Last edited: Jun 2, 2015
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Actually, even though your post was quite informative, it was not time to repeat yourself, because it seems you are completely misunderstanding me. I was well aware of the fact that WFC is not a third party firewall. But for some reason I thought that it was perhaps possible to make some kind of rule to block apps from getting "low level network access". Obviously, that is not possible.

    The link that I posted was just for general info, not especially directed to you. But the way I understand it, is that it's possible to bypass the Windows Firewall (and other firewalls using the Windows Filtering Platform) by installing a special "network driver". But I believe that these drivers are not used to bypass incoming and outgoing connections, but to capture network traffic. Firewalls without HIPS (like Win Firewall) will normally not block this.
     
  11. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    554
    Location:
    Switzerland
    @Rasheed187

    AFAIK:

    On Windows Vista and Windows Server 2008 and later, it should be possible to have packet filter rules over the Windows Filtering Platform "WFP" via the WFP Win32 API. However: the recommendation is, that you enable either static packet filtering or Windows Firewall, but not both. Conflicts between two sets of filter rules can result in desired traffic being unexpectedly blocked.

    Then: "Packet filtering" HAS to do with "low(er) level network access", then follows the Kernel Level (with the NIC-driver, and for example with WinPcap the NPF inside the NDIS stack (NPF is the protocol driver, which allows reasonable independence from the MAC layer as well as complete access to the raw traffic)) and then the User Level (Application).

    And about HIPS (Host-based Intrusion Prevention System): this is another security "system" - in contrast to a network-based intrusion prevention system that specializes in detecting attack patterns in the network traffic.

    BUT: all this is an OS, resp. WFP/Firewall/... "thing" and has nothing to do with WFC, which is the GUI for Windows Firewall only!


    So, please, for further questions about such technical things, ask in a specialized forum, NOT here.

    Greetings
    Alpengreis
     
  12. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    554
    Location:
    Switzerland
    [Feature-Suggestion (re-activated)] Port info for remote port

    Currently we have the possibility to show the port info for the LOCAL port with the left mouse button. Unfortunately, in many/most cases, the local port is not very interesting. On the other side, the remote port is in most cases the interesting port. Many outgoing connections are port 80 and/or 443, I know - nevertheless for other connections, a remote port info would be senseful.

    Would it be possible to integrate this, maybe with the middle click or so (you could also change then to middle click for the local port)?

    Kind regards
    Alpengreis
     
  13. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    just grab PeStudio and link it to your download manager as the virus scanner and it automatically pings VT with the hash. that way you get 57 opinions instead of just one.
     
  14. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    @Alpengreis - In the Connections Log... click and hold onto the REMOTE PORT title bar, and drag it to the left of the screen... the whole column will follow you... drag it to wherever you wish :) That should make pleasant viewing for you...
     
  15. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    554
    Location:
    Switzerland
    @marzametal

    Thanks, but what I meant is this ...

    WFC-port_info.jpg WFC-port_info2.jpg

    Of course - it's possible manually, but why not automatically also for the more interesting remote port ...

    However: it's not a VERY VERY SUPER VERY important thing :)
     
  16. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Ahhhh remote port in the alert box... +1
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,097
    Location:
    Romania
    The middle mouse button closes any window/dialog in WFC. I will add this functionality for the Source item, because there is room for this. Left click (current) -> local port, right click (empty now) -> remote port. Of course with the corresponding tooltip. I think this is the best solution.
     
  18. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    554
    Location:
    Switzerland
    Okay, sounds good!
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Thanks for the feedback, and yes I agree.
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,097
    Location:
    Romania
    Windows Firewall Control v.4.5.0.1

    What's new:
    - New: The notification dialog will display also the parent process to see which process launched the program that was blocked.
    - Improved: The behavior for pressing in the notification dialog on the Source was updated to allow reading more info also for the remote port.
    - Fixed: The program fails to start if the translation file has an invalid format.

    New translation strings
    699 = Parent process

    Download location: http://binisoft.org/download/wfc4setup.exe
    SHA1: 41e95ecfc403e1121be2f395cc5fa304d7f8c7ee

    Have a great day and thank you for your feedback,
    Alexandru

    upload_2015-6-10_17-35-11.png
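
The hash check discussed earlier in the thread, applied to the SHA1 line in this release note, as an added example that is not part of the original posts or of WFC. The function names and the constructed stand-in file are assumptions; a match only shows the file is the one that was published, it says nothing about what an AV engine thinks of it.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Release note lines as posted in the thread (v4.5.0.1).
ANNOUNCEMENT = """\
Download location: http://binisoft.org/download/wfc4setup.exe
SHA1: 41e95ecfc403e1121be2f395cc5fa304d7f8c7ee
"""

HEX_LEN = {"SHA1": 40, "SHA256": 64}


def parse_published_digest(text):
    """Return (algorithm, lowercase hex digest) from a 'SHA1: <hex>' line."""
    m = re.search(r"^\s*(SHA-?1|SHA-?256)\s*:\s*([0-9A-Fa-f]+)\s*$", text, re.M)
    if not m:
        raise ValueError("no digest line found")
    algo = m.group(1).upper().replace("-", "")
    digest = m.group(2).lower()
    # A truncated copy-paste would otherwise be compared as if it were valid.
    if len(digest) != HEX_LEN[algo]:
        raise ValueError(f"{algo} digest has wrong length: {len(digest)}")
    return algo, digest


def file_digest(path, algo):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, announcement):
    """True only if the file's digest equals the published one."""
    algo, expected = parse_published_digest(announcement)
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed stand-in file: it must NOT match the real installer's SHA1."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "wfc4setup.exe"
        fake.write_bytes(b"constructed sample bytes, not the real installer")
        own = f"SHA1: {hashlib.sha1(fake.read_bytes()).hexdigest().upper()}\n"
        return verify_download(fake, ANNOUNCEMENT), verify_download(fake, own)


if __name__ == "__main__":
    print(demo())  # (False, True)
```
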
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I'm still using WFC 4.4.3.0, and once again I noticed that it doesn't remember window size and position, perhaps you can take a look at this. I'm using Win 8.1 64 bit. I do have to say that I still prefer WFC as my firewall controller, but I do miss a quick way to see which apps are allowed or blocked to access the network, sort of like in GlassWire and TinyWall.
     
  22. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Do you use any system cleaners? Even if window size is unticked in these apps, they do have a tendency to "manipulate positioning and x/y coordinates"... to a lesser extent, any cleaning of criteria maintained by Control Panel or Windows Services could also affect screen size. I've seen both CCleaner and PrivaZer muck around with my window sizes before... also Windows critical errors have the same effect, as do forced reboots, just to name a few.

    What is your definition of quick? Right click WFC notification icon, mouse over Rules Panel, click on Manage Rules, then select "Filter by enabled" from the Filters tab... all that takes is 5-7 seconds. Then to prevent repeating the process over and over, pin WFC to the taskbar but keep it open, which will require the above to be done once every Windows load. Small price to pay for bloating up a ripper piece of software.

    It seems TinyWall provides more features that aren't accompanied with W7F, while WFC keeps true to what W7F can do; which keeps it under the "Controller" banner. TW and GW want to do their own thing, along with manage W7F. What is preventing you from jumping ship to TW or GW?

    I had a look at TW's website, and I doubt a comparison can be made between TW and WFC from a GUI standpoint. TW is designed to look and feel like Windows, hence has the ability to provide dialog boxes left right and center, with a crapload of tabs wherever required (i.e.: layered screens); while WFC keeps everything in the one window (details change when mouse clicks and drop downs selected as per norm...).
     
    Last edited: Jun 10, 2015
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,097
    Location:
    Romania
    WFC uses its own mechanism to save and load the window size, position and state. These settings are saved in Windows Registry each time a window is closed. Make sure that you don't have a software which prevents WFC from writing to Windows Registry or even worse, a software that deletes Windows Registry entries based on empirical rules (CCleaner, etc). Also, make sure that when you close a window, it is not outside of the screen. In this case, the default values are loaded on the next time when the window is opened.

    To see the current network connections, use the Tools tab from WFC to launch Resource Monitor. This integrated tool of the operating system has a Network tab which displays live the active network activity.
     
  24. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    554
    Location:
    Switzerland
    [Bug?] The consideration of LOCATION does not work correctly?

    The consideration of location introduced in version 4.4.2.4 possibly does not work correctly.

    Steps to reproduce:

    1. Make sure that you are in PRIVATE Location; set the Filter Profile to Medium and the Notification Level to High and UNSET all advanced Notification options.

    2. Create this outbound allow rule (Location is private only):
    icmpv6-allow.JPG

    3. Create this outbound block rule (Location is Public and Domain):
    icmpv6-block.JPG

    4. Make sure, that NO ICMPv6 ECHO (PING) is not allowed for private location.

    5. In private location, make an outgoing icmpv6 ping connection as follows:
    PING -6 001:1af8:3100:a006:1::
    icmpv6-ping-notok.JPG

    RESULT: NO notification is generated!


    Now, deactivate the block rule (which should NOT influence the notification in
    private location).

    Repeat the steps above except step 3:
    icmpv6-ping-notok.JPG

    icmpv6-ping-notok-msg.JPG

    RESULT: Notification is generated!

    EDIT: If the block rule is created as follows (PROGRAM = ANY) ...
    icmpv6-block-OK.JPG

    then the NOTIFY IS generated!

    I don't know: maybe this behaviour is not really a bug? But ...

    Why does the rule with "Program = SYSTEM" for Location Public & Domain have influence on the Private location rule (of course the test was ALWAYS made in private location only)? Note also: the block rule itself works correctly (does NOT block the connection in private location) - only the notification is the problem!


    Alexandru: I believe I've reported this behaviour already in another context and via mail (you asked me: "Are you sure you were always in private location?" and I said: "Yes, always in private!"). So, this is probably the same behaviour again.

    Thanks!
    Alpengreis

    EDIT2: Added some important details in Step 1 ...
    EDIT3: Not sure, if this REALLY a bug or not ...
     
    Last edited: Jun 12, 2015
  25. Spishak462

    Spishak462 Registered Member

    Joined:
    Jun 13, 2015
    Posts:
    1
    I have had a longstanding issue that I cannot seem to figure out.

    I have a couple programs that no matter how many times I make an "allow/any/all" rule they are randomly blocked.

    The allow rule is there, and the program will be blocked with a notification asking to allow/block. I will hit allow, which creates an exact duplicate of the allow rule, and yet the program is still blocked. I can literally hit allow twenty times which does nothing but create twenty duplicates of the same allow rule, and the program will still be blocked. The only way to get the program to connect is to change the profile on WFC to LOW. Once I do that, the program connects right away. This is all very random. Ten times, the program will connect fine, and then out of the blue it will be blocked again.

    This usually seems to happen more often right after I wake my computer. If the program is blocked, I can just wait fifteen to thirty minutes or so, and then it will connect just fine without any intervention from me. This has happened over multiple versions up to the most current.

    I have tried restarting the service, restarting the program, deleting the rule. A lot of the time rebooting the computer will fix this, but even that isn't 100%

    The program that I have the most trouble with is Mailwasher.

    I can't for the life of me figure it out.

    Any ideas??

    Thanks!
     