Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    693
    Location:
    Switzerland
    @kC_
    COULD be because the "unusual" file name with point in the middle ...

    @alexandrud
    Is it possible that the parser does not recognize such "special" file names?

    Greetings
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    It works on my side with your third entry too:

    upload_2023-12-4_20-31-21.png

    Are you sure that the service made a connection so that it got blocked? Can you confirm in Connections Log that there is an outbound blocked connection for it? No block, no rule.

    The check in WFC is made for the entire path, if it starts or ends with the notification exception value.
     
  3. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    580

    Ah, I just deleted all Proton rules again, added the exception....
    On first connect it failed to connect but I could see the rules were allowed.
    I disconnected/reconnected and all OK.

    thanks sorry was my bad!
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,614
    Location:
    Location Unknown
    Well, I'd like to officially submit my name in the nominations for dumbass of the year! After creating an inbound rule to go along with the already there outbound rule everything seems to be working fine. I didn't think this needed to be done since I'm not filtering inbound. Strange. Also, why wouldn't the log show something was blocked inbound? I had the same issue on low filtering, which I thought had no effect on outbound connections. Oh well. It works now. Thanks!
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    Windows Firewall filters by default all inbound connections and allows just the connections for which there is an allow rule.
    By default Windows Firewall works like this: inbound blocked by default unless allowed by a rule, outbound allowed by default unless blocked by a rule. This corresponds to the Low Filtering profile in WFC.
    When you set Medium Filtering profile in WFC, it works like this: inbound blocked by default unless allowed by a rule, outbound blocked by default unless allowed by a rule.
     
  6. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    242
    May I ask what would be the best way to deal with processes making constant, incessant connection attempts when blocked?

    1. A block rule (the obvious solution)
    2. No rule, but with a Notification exception. Is this somehow different from no.1 above? Of course, it leaves the door open when switching to Low Filtering.
    3. Some other way?

    Can such programs cause a performance hit to WFC? Perhaps related to the constant logging activity?
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    When a connection drop event is triggered, WFC service is evaluating the event in this order:
    - Existing notifications exceptions. It checks if the program path starts or ends with any of the notifications exceptions defined.
    - Existing firewall block rules. It checks if there is a matching block rule based on: path, local port, remote port, remote IP, protocol, location, service.
    - Existing firewall allow rules. It checks if there is a matching block rule based on: path, local port, remote port, remote IP, protocol, location, service.
    At this point, if there is no matching exception or firewall rule, a new notification is displayed.

    A notification exception will stop the evaluation of the existing firewall rules, which is the most resource intensive task that WFC does (comparing the details of a dropped event against all existing firewall rules to find a matching rule). However, if you have a few block rules, you will not notice any performance difference between a notification exception and a block rule. But, if you have hundreds of block rules, then I would suggest using a notification exception instead of a block rule. If you use Low Filtering profile from time to time, then a block rule too.

    Less rules = better performance = less CPU usage. If the notifications are disabled, then there is no performance impact at all since WFC service doesn't perform any processing anymore.
     
  8. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    242
    Thank you for the detailed and very helpful explanation.
    So in this scenario, the process is blocked by the Windows Firewall, with minimal impact on WFC since the evaluation order stops at step 1.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    In all scenarios, Windows Firewall does the block or the allow. When Low Filtering profile is used, there is no processing from WFC side. Just Medium Filtering + Notifications results in processing. The block rule recommendation was for the case when you use Low Filtering profile and you really want to block something. If there is no such case, block rules are not required at all. I personally don't have any block rule.
     
  10. Znevna

    Znevna Registered Member

    Joined:
    Nov 9, 2023
    Posts:
    8
    Location:
    Romania
    Interesting, I did not know that this is how it works. I always used it in Medium Filtering + Notifications + a lot of block rules for stuff that wants to access the internet for no reason. But the Rules Panel with ~300 rules is sluggish even on a Ryzen 7 5800X, if it doesn't hang that is.
    Using the "Notifications exceptions" way to get rid of so many rules would be better I think, but that would require some more options to the notification settings: as in: let the user choose the notification prompt between allow/block or just to add a new exception. Adding an extra button to the existing ones might not fly with some users used to the current notification layout. Just an idea.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    Check the screenshot from page 41 from the user guide. You can add notification exceptions from the existing notification dialog since forever.
     
  12. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    242
    From a security point of view, it would seem a rule would be preferable? With a notification exception, you are excluding a process name no matter where it is located. Sure, it would still be blocked (in Medium) but notifications could be missed, so I'm not sure.

    I haven't really noticed a performance difference or issue (around 300 rules in total), except for one corner case where just using a notification exception doesn't make a difference anyway.
     
  13. Znevna

    Znevna Registered Member

    Joined:
    Nov 9, 2023
    Posts:
    8
    Location:
    Romania
    Ok, I've found three new features, thanks.
    But the one in question is a little lacking as the above user mentions, you can either add the file or the path, not the file from that path. And both existing options are not wanted in most cases, so.. maybe a 3rd option in there would do the trick? Else it requires manual adding.

    From a security point of view, yes, having a block rule would be better as mentioned in previous replies.
    Performance in general no, but scrolling in that window is sluggish and a few times it even required a force close.
     
  14. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    693
    Location:
    Switzerland
    @AmigaBoy

    You can add also a path.
     
  15. Znevna

    Znevna Registered Member

    Joined:
    Nov 9, 2023
    Posts:
    8
    Location:
    Romania
    We were talking about the option to add an exception from the actual notification, and you can only choose File or Path currently, not both.
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    Let's say you get a notification for:
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\MpCmdRun.exe
    and then one for:
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23100.2008-0\MpCmdRun.exe
    and then one for:
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23100.2009-0\MpCmdRun.exe
    Doesn't it make more sense to disable notifications for MpCmdRun.exe instead of C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\MpCmdRun.exe so that you are not bothered again with the other versions? Yes, the notification dialog currently allows you to create a notification exception for MpCmdRun.exe (so that even if the version changes, don't bother me again) or for the folder C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0 (so that if there are other programs from the same folder trying to connect, I don't care). I could add a third option to exclude the full path, but, this is not a priority.
    Sluggish? This might be a driver issue on your machine. Can you make a video of this behavior? Thank you.
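
The evaluation order described earlier in the thread (notification exceptions, then block rules, then allow rules, then a notification) and the file-name versus folder versus full-path trade-off discussed above, modelled as an added example; this is not WFC's code and not from any poster. Rule matching is reduced to the program path, case-insensitive comparison is an assumption, and the sample paths marked "constructed" do not come from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "block" or "allow"
    path: str     # simplified: real rules also match ports, IPs, protocol, location, service

def matching_exception(path, exceptions):
    """First exception the full path starts or ends with, else None.
    Case-insensitive comparison is an assumption of this sketch."""
    p = path.lower()
    return next((e for e in exceptions
                 if p.startswith(e.lower()) or p.endswith(e.lower())), None)

def evaluate_drop(path, exceptions, rules):
    """Order from the thread: exceptions, block rules, allow rules, else notify."""
    if matching_exception(path, exceptions) is not None:
        return "no notification (exception)"
    for action in ("block", "allow"):
        if any(r.action == action and r.path.lower() == path.lower() for r in rules):
            return f"no notification ({action} rule)"
    return "notify"

def silenced(exception, observed):
    """Which observed program paths a single exception would silence."""
    return [p for p in observed if matching_exception(p, [exception])]

DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform"
OBSERVED = [
    DEFENDER + r"\4.18.23110.3-0\MpCmdRun.exe",      # from the thread
    DEFENDER + r"\4.18.23100.2008-0\MpCmdRun.exe",   # from the thread
    DEFENDER + r"\4.18.23110.3-0\Other.exe",         # constructed
    r"C:\Users\Public\Downloads\MpCmdRun.exe",       # constructed: same name, other folder
]

if __name__ == "__main__":
    # Compare the three exception scopes: file name, folder, full path.
    for exc in ("MpCmdRun.exe", DEFENDER + r"\4.18.23110.3-0", OBSERVED[0]):
        print(f"{exc!r} silences:")
        for p in silenced(exc, OBSERVED):
            print("   ", p)
    rules = [Rule("block", OBSERVED[3])]
    print(evaluate_drop(OBSERVED[3], [], rules))                # reaches the block rule
    print(evaluate_drop(OBSERVED[3], ["MpCmdRun.exe"], rules))  # exception checked first
```

The file-name exception silences three of the four sample paths, including the one outside the Defender folder, while the full-path exception silences exactly one.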
     
  17. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    693
    Location:
    Switzerland
    Ok, I thought @AmigaBoy meant it also generally, sorry.

    However: it would be nice to have such an additional option for the full path directly in the notification for certain cases. But I think it's not sooo important because you can edit it manually.
     
    Last edited: Dec 12, 2023
  18. Znevna

    Znevna Registered Member

    Joined:
    Nov 9, 2023
    Posts:
    8
    Location:
    Romania
    I'll try to make a video, but it's pretty easy to reproduce:
    1.) have a bunch of different rules for different programs (~100 of different .exe files should do).
    2.) scroll the Rules Panel window up/down a few times using the scrollbar (indeed it requires a few scrolls before it gets noticeable, probably more than 20) the faster you scroll between lines containing .exe files, the more it hangs and maybe even stop responding altogether requiring a restart of wfcui.exe.
    Watching the behaviour with Process Monitor with filters set only to wfcs.exe and wfcui.exe I can see that it reads something about those .exe files at every new line shown (wfcs.exe reads about the same stuff at every new blocked/allowed connection?). So having it read that info at every scroll about how many files fit in that scroll might be the cause for the sluggishness. As to why it crashes.. I don't know how to debug that, I only caught these in event viewer:
    Event 911, WFC:
    Code:
    System.Windows.Threading.DispatcherUnhandledExceptionEventArgs was caught.
       Exception: System.Runtime.InteropServices.COMException (0x88980406): UCEERR_RENDERTHREADFAILURE (Exception from HRESULT: 0x88980406)
          at System.Windows.Media.Composition.DUCE.Channel.SyncFlush()
          at System.Windows.Interop.HwndTarget.UpdateWindowSettings(Boolean enableRenderTarget, Nullable`1 channelSet)
          at System.Windows.Interop.HwndTarget.UpdateWindowPos(IntPtr lParam)
          at System.Windows.Interop.HwndTarget.HandleMessage(WindowMessage msg, IntPtr wparam, IntPtr lparam)
          at System.Windows.Interop.HwndSource.HwndTargetFilterMessage(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
          at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
          at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
          at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
          at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
    
    Event 911, WFC:
    Code:
    System.UnhandledExceptionEventArgs was caught.
       Exception: System.ArgumentException: Parameter is not valid.
          at System.Drawing.Bitmap..ctor(Int32 width, Int32 height, PixelFormat format)
          at System.Drawing.Icon.BmpFrame()
          at System.Windows.Forms.ThreadExceptionDialog..ctor(Exception t)
          at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
          at System.Windows.Forms.Control.WndProcException(Exception e)
          at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
    
    Event 1026, .Net Runtime:
    Code:
    Application: wfcUI.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.ArgumentException
       at System.Drawing.Bitmap..ctor(Int32, Int32, System.Drawing.Imaging.PixelFormat)
       at System.Drawing.Icon.BmpFrame()
       at System.Windows.Forms.ThreadExceptionDialog..ctor(System.Exception)
       at System.Windows.Forms.Application+ThreadContext.OnThreadException(System.Exception)
       at System.Windows.Forms.Control.WndProcException(System.Exception)
       at System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    I used Browse to allow button from Rules Panel and created new rules for all executable files from C:\Windows\System32 (500+) and then I started scrolling up and down like a madman. After 40-50 of ups and downs I was able to reproduce this. I will try to improve the mechanism that reads the icons so that this will not be a problem anymore.
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    This problem will be fixed in the next release. I added a cache mechanism so that the icons are extracted only once, not on each display (scroll up, scroll down). And also this:

    upload_2023-12-14_9-58-58.png
     
    Last edited: Dec 14, 2023
  21. Znevna

    Znevna Registered Member

    Joined:
    Nov 9, 2023
    Posts:
    8
    Location:
    Romania
    Nice! Thank you!
     
  22. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    693
    Location:
    Switzerland
    That's indeed nice then, thank you @Znevna too :)
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    Windows Firewall Control v.6.9.9.1

    Change log:
    - Improved: The notification dialog was updated to be able to add a notification exception for the full path too.
    - Improved: Loading time was decreased for Rules Panel and Connections Log with a new cache mechanism for program icons.
    - Fixed: Rules Panel may crash if there are hundreds of firewall rules and the rules are scrolled up and down multiple times.

    There is just one new translation string 248 = Exclude full path which I already updated in all included language files.

    Download location: https://binisoft.org/download/wfc6setup.exe
    SHA256: cef52f11a0e28d7eb02012f45ca5947d6fed094cbcf7ed2935ed1be15d3db325
    SHA512: d6024384fa9c1d581fde3c148bdbc37da6608bfe3b4752a63aa43274adce525175bc493f93ef7e37a73294b324db0cb34b6871e6beb186774dda8d25abb5c855

    Thank you for your feedback and your support,
    Alexandru Dicu

    This is the last release for this year. I am running out of version numbers :) The next big change is dark theme support which requires a lot of work. This will be included in version 7 which will come next year. Happy holidays to all of you!

    P.S. In case someone needs the previous version, it can be downloaded from: https://binisoft.org/download/old/6990/wfc6setup.exe
     
  24. Silver_fang

    Silver_fang Registered Member

    Joined:
    Sep 1, 2021
    Posts:
    9
    Location:
    sweden
    WFC is blocking windows updates even after allowing the SVCHOST and the blocked connection, also others.. see picture:
    https://i.imgur.com/HG0L6t7.png

    How can I allow this?
    Note I do use nordvpn at times but even without vpn enabled it still blocks... I have to turn off WFC in order to do windows update.

    Please help
     
  25. Claudio R

    Claudio R Registered Member

    Joined:
    Jan 22, 2018
    Posts:
    60
    Location:
    Italy
    Best wishes to you and thank you
     