Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,497
    Location:
    Romania
    Thank you for sharing this.
     
  2. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    I believe it would, because if the normal rule for High Filtering UDP would be block ports 0-65535, leaving a hole for 123 as in 0-122,124-65535 would permit NTP out as per normal rules then.

    I've done a similar thing but on an IP basis for my chosen DNS servers and it works great. With separate TCP and UDP rules one could combine IP and port address space block/allow for much greater control. It would be great for a permanent fixed-point VPN too, to help block everything except the VPN endpoint, additional security to the usual routing table modifications.
     
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,158
    Location:
    Lunar module
    @alexandrud
    If unauthorized rules that WFC disables (prefix U in the rule description) were marked in a different color, it would make life easier for the user. Either the whole line or just the rule name.
     
  4. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    691
    Location:
    Switzerland
    @kilves76

    I think also, High Filtering profile should stay as it is.

    You could create a special rule set (as you described and of course for blocking all other things too) for your purpose and activate that with cmd commands (batch) as following:

    1) Create the rules and give a special group name - for example "MyHighFiltering"
    2) Enable the rules with the CMD command: netsh advfirewall firewall set rule group="[MyHighFiltering]" new enable=yes
    3) Deactivate the rules with the CMD command: netsh advfirewall firewall set rule group="[MyHighFiltering]" new enable=no

    You could run this from Low or Medium Profile (related to the created rule set also).

    Of course the commands above can be included in a CMD batch file (.CMD) - so, you could make 2 Desktop icons then - one for enabling and one for disabling.
     
    Last edited: Feb 16, 2024
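The rule set described in this post and in kilves76's earlier one (a block-everything group with a hole for NTP and for one chosen endpoint, switched on and off as a group) as an added PowerShell example; this is not code from the thread or from WFC. The group name "MyHighFiltering" comes from the post; the endpoint address is a placeholder to replace with your own.

```powershell
# Added example: a toggleable "MyHighFiltering" rule group. Needs an elevated shell
# and the built-in NetSecurity module. Caveat from the thread: with WFC's Secure Rules
# enabled, rules created outside WFC (WFwAS, netsh, this script) are removed as unauthorized.
$Group = 'MyHighFiltering'
$AllowedRemoteIP = '198.51.100.10'   # placeholder VPN/DNS endpoint, replace with yours

function Get-IPv4Complement {
    # Windows Firewall has no "not this address" operator, so a single allowed host is
    # expressed as the two ranges on either side of it (kilves76's "IP basis" trick).
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    $n = [int64]$b[0]*16777216 + [int64]$b[1]*65536 + [int64]$b[2]*256 + [int64]$b[3]
    $dotted = {
        param([int64]$v)
        '{0}.{1}.{2}.{3}' -f [math]::Floor($v/16777216), ([math]::Floor($v/65536) % 256),
                              ([math]::Floor($v/256) % 256), ($v % 256)
    }
    @("0.0.0.0-$(& $dotted ($n - 1))", "$(& $dotted ($n + 1))-255.255.255.255")
}

function New-HighFilteringGroup {
    # Block rules win over allow rules, so these two rules suppress all other outbound
    # traffic while leaving NTP (UDP remote port 123) and one TCP endpoint reachable.
    # They are created disabled; Enable-HighFiltering switches the whole group on.
    New-NetFirewallRule -DisplayName "$Group - Block UDP except NTP" -Group $Group `
        -Direction Outbound -Action Block -Protocol UDP `
        -RemotePort '0-122','124-65535' -Enabled False | Out-Null
    New-NetFirewallRule -DisplayName "$Group - Block TCP except endpoint" -Group $Group `
        -Direction Outbound -Action Block -Protocol TCP `
        -RemoteAddress (Get-IPv4Complement $AllowedRemoteIP) -Enabled False | Out-Null
}

# The two "desktop icon" actions from the post, done with the cmdlets instead of netsh.
function Enable-HighFiltering  { Enable-NetFirewallRule  -Group $Group }
function Disable-HighFiltering { Disable-NetFirewallRule -Group $Group }

# Show what the group currently contains and whether it is active.
function Show-HighFiltering {
    Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Enabled, Action, Direction
}

# Usage: New-HighFilteringGroup; Enable-HighFiltering; Show-HighFiltering; Disable-HighFiltering
```

Run Get-IPv4Complement alone first to check that the two ranges bracket your endpoint before creating the block rule.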
  5. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    233
    A new, final screenshot on this issue - it's "Teams for work or school" again. Still haven't figured out if this thing is a Store App or not. I think it isn't. It does not create its own outbound rules - only inbound. It keeps triggering the experimental feature.

    Teams again.jpg
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,497
    Location:
    Romania
    I am not familiar with MS Teams. I installed it and I already created 3 rules for it so that I can get over the login page:
    upload_2024-2-18_15-40-53.png
    However, I have 2 shortcuts: one to MS Teams and one to a NEW MS Teams, which is confusing: which is which? Anyway, I could not use either of them.

    Just remove MS-TEAMS.EXE from the list. It seems that the allow rule is not good since it still gets blocked which results in a new rule over and over.
     
  7. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    233
    Teams versions are utterly confusing. My problem is with the "work or school" version which goes inside the "windowsapps" folder, the second rule on your screenshot. I believe it is what Microsoft now calls the "new" one. From the link in my previous message, it is this:

    Teams for work or school.png

    I think a single allow rule works because Teams works fine with it. It won't work if the rule is not there. But it looks like at certain times (update check? something else?) many duplicates are created. I will remove MS-TEAMS.EXE to avoid these duplicates, but it auto-updates quite often changing its folder location (just like a Store App) so I will have to allow it manually every time via the pop-up notification. Both for Teams itself and its updater (ms-teamsupdate.exe).

    The significant difference from a "standard" Store App, is that it does NOT auto-create its own outbound rule at all.
     
  8. homers

    homers Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    8
    I am not very well versed in the ways of firewalls; I'm old and fragile, so please be gentle.

    It seems that MS has added a new feature to their Firewall, and that is to remove rules it doesn't like.
    1. Is there any way around this and continue with the standard firewall?
    2. Is there any simple firewall I can use in addition to the basic one that will only block my new rules?
    Regards and thanks in advance.

    h
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,497
    Location:
    Romania
    Can you give one or more examples of such rules which get deleted by Windows Firewall? I need to be able to reproduce this on my side to see what is going on. Then I could find a solution. Thank you.
     
  10. homers

    homers Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    8
    The rules are simple, just block all in and out communications from a program (1 rule for in, 1 rule for out).

    Thanks
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,497
    Location:
    Romania
    I did this with several programs and there is no deletion on my Windows 11 23H2 machine.

    upload_2024-2-19_20-50-30.png

    How do you create these firewall rules? From WFwAS or from WFC? Are they in a specific group? Do you have Secure Rules feature enabled in WFC?
     
  12. homers

    homers Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    8
    I was afraid this would be the answer. I'm sure this isn't the way it's supposed to work, or even the way it works on most machines, but I am having this problem (I have run several scans with various programs to check for viruses); it is happening to me.

    Running from WFwAS.
     
  13. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    233
    As mentioned before, the duplicates issue (combined with the experimental feature) also occurs with Microsoft Edge WebView2, although with far fewer duplicates than Microsoft Teams. You can see below how connections are still being blocked, while a proper Allow rule is in place. This possibly leads to duplicates.

    Since these are both Microsoft products, I wonder if this could be related to special security folder permissions that are sometimes associated with MS processes. "C:\Program Files\WindowsApps" (the new Teams gets installed there) is certainly more restricted than "C:\Program Files\non-MS stuff".

    Duplicates.png
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,497
    Location:
    Romania
    If you create your rules from WFwAS they will have no group name set.

    If you enable Secure Rules from WFC, the rules that you create in WFwAS will be deleted by WFC. Do you have Secure Rules checked in Security tab?

    upload_2024-2-20_23-3-33.png

    If the answer is yes, then use WFC to create new firewall rules, not WFwAS.

    If the answer is no:
    - Open Event Viewer, by launching eventvwr.msc
    - Navigate to the following log name: Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall With Advanced Security -> Firewall
    - Select the latest events with ID 2006 and check the event data. It contains the software which deleted a firewall rule in Windows Firewall.
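The Event Viewer check from the three steps above, as an added PowerShell example (not from the thread or from WFC): it reads the same Firewall operational log and lists which application deleted (ID 2006) or added (ID 2004) each rule, which also helps when tracing the duplicate-rule reports earlier in this thread. The event data field names (RuleName, ModifyingApplication, ModifyingUser) are assumed from the 2004/2006 event schema.

```powershell
# Added example: who is deleting or adding Windows Firewall rules?
# Reads the log the post points to; run from an elevated PowerShell.
$FirewallLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

function Get-FirewallRuleChanges {
    param([int]$MaxEvents = 200)
    # 2004 = rule added, 2006 = rule deleted (the ID named in the post).
    $events = Get-WinEvent -FilterHashtable @{ LogName = $FirewallLog; Id = 2004, 2006 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # Flatten the <EventData><Data Name="...">value</Data> pairs into a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time                 = $e.TimeCreated
            Change               = if ($e.Id -eq 2006) { 'Deleted' } else { 'Added' }
            RuleName             = $data['RuleName']             # assumed field name
            ModifyingApplication = $data['ModifyingApplication'] # assumed field name
            ModifyingUser        = $data['ModifyingUser']        # assumed field name
        }
    }
}

# Summarise rule churn per application: a process that keeps adding the same rule
# name, or one deleting rules you did not expect, stands out here.
function Get-FirewallRuleChurn {
    Get-FirewallRuleChanges |
        Group-Object ModifyingApplication, Change |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

# Usage:
#   Get-FirewallRuleChanges | Where-Object Change -eq 'Deleted' | Format-Table -AutoSize
#   Get-FirewallRuleChurn
```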
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,497
    Location:
    Romania
    The experimental feature is an experimental feature. Unlike the regular notifications, the experimental feature does not check if an existing allow or block rule matches a new dropped connection. Let's say you have MS-TEAMS.EXE in the notifications exceptions list. Once this software is blocked, it generates an event about a dropped connection. WFC service checks the path and creates an allow rule. All new connection attempts for ms-teams.exe should be allowed by the newly created allow rule.
    However:
    - if there is a block rule for ms-teams.exe, you will end up having multiple duplicates because the experimental feature does not check against the existing firewall rules.
    - if a connection is blocked by a 3rd party security software, not by Windows Firewall, you will end up with duplicate rules.

    A new notification is displayed if a new dropped connection does not match (ports, IP addresses, protocol, location) an existing allow rule. If there is an allow rule defined and your connections are still blocked, it may be a symptom that Windows Firewall filtering does not work correctly. This usually happens when a software proxy from a different security product is used for filtering purposes. Windows Firewall is incompatible with software proxies, web filtering modules, NDIS drivers, any filtering module that intercepts network packets. They redirect the network traffic to the proxy and the problem is that the traffic no longer reaches the Windows Firewall filtering driver. In this case, Windows Firewall rules do not apply correctly because the traffic appears to be made by the proxy, not by the original program. This incompatibility is between software proxies and Windows Firewall, not an incompatibility with Windows Firewall Control, which does not have any control over this behavior. Known problems between Windows Firewall and various filtering modules were reported for: Avast WebShield, Avira WebGuard, Kaspersky Internet Security, 360 Total Security, Symantec.

    Another source that may cause dropped connections even if there is a firewall allow rule defined may be a custom hosts file or a program like PeerBlock that blocks IP addresses based on a blacklist. All blocked connections are logged in the Security event log.

    Are you in any of these scenarios?

    Anyway, I will try to tweak the experimental feature by integrating the logic that searches the existing firewall rules. I will give it a try for the next WFC release.
     
  16. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    691
    Location:
    Switzerland
    THAT would be a great improvement IMHO :thumb:
     
  17. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    233
    No. The only thing that could be blocking teams.exe is Medium Filtering, BUT: the duplicates are created with the Allow rule already present and Teams works fine anyway. Nothing else is blocking it. The allow rule I have is auto-created by the experimental feature. I will now disable the auto-created rule and try with a manually created one, to see if something changes.

    Note that the only way to manually add a rule for Teams is with "Blank Rule" and then paste the path. "Browse to allow" is not possible because access to "C:\Program Files\WindowsApps" is just not allowed by Windows.
     
  18. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    233
    No hosts file/external program but I do have a Windows Firewall block rule in place, which blocks Microsoft-telemetry related IP ranges. It's most probably outdated - I will try disabling that, too.
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,497
    Location:
    Romania
    If you close wfcUI.exe and restart it with Run as administrator then you will be able to browse that folder.
    This kind of rule doesn't stop Microsoft telemetry. When you check for Windows updates, the stream sent is encrypted. Besides the current installed updates, Windows version, etc, it may contain any telemetry data. Blocking Microsoft IP ranges creates more problems than it solves.
     
  20. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    233
    You are correct on both those points. About the duplicate rules issue: after having replaced the experimental feature auto-created Allow rules with manually created ones, I haven't yet seen any duplicates. It's rather unusual since the duplicates usually appear quickly but I'll wait some more. I haven't yet disabled the anti-telemetry rule, in order to focus on those Teams/Edge WebView2 rule changes alone.
     
  21. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    233
    Update: just got a single duplicate. I checked the Connections Log and there are 3 Teams attempts on a single IP address. I verified that IP and it is included in the telemetry block ranges.

    So, it looks quite likely that's the cause... I am deleting the anti-telemetry rule, switching back to the auto-created rules and will only post back if further duplicates appear.

    Thanks for the detailed and helpful answers!
     
    Last edited: Feb 22, 2024
  22. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    691
    Location:
    Switzerland
    @AmigaBoy

    Thanks for sharing with us, it can be very helpful for others too! You are/were certainly not alone with an anti-telemetry rule ...
     
  23. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    Connections Log would benefit from a new Refresh setting - Auto Refresh in seconds. Just following a program's behavior and it's numbing hitting Refresh manually, not getting real time feedback. Would be nicer to just leave it on auto refresh and follow the developments.
     