Clearing up confusion on WFP

Eddie Morra

Thread author
Hiya

I think sometimes there might be some confusion when it comes to third-party software-level Firewall components and the Windows Filtering Platform (WFP). I'm not pointing the finger on anyone or any community, but in the past, I've seen people express dislike to third-party software-level Firewall components over Windows Firewall on the grounds of it being "based on Windows Firewall", or along those lines. Hopefully, this will clear up some confusion for anyone who may have misunderstood how Windows Firewall and third-party Firewall components using WFP are alike.

1. Windows Firewall relies on WFP for filtering network operations.
2. Third-party Firewall components which rely on WFP are not thereby "based" on Windows Firewall.
3. Even if a vendor is using WFP (same as Windows Firewall), it does not mean that it is identical in terms of network protection... the filtering will be a vendor-specific implementation and thus the vendor will have the flexibility of adding/removing features (not to mention the ability for them to apply for their own optimisation).

Windows Firewall has improved a lot and may be more appropriate for many nowadays in comparison to the old days... but this does not mean that any third-party relying on the same underlying technology as Windows Firewall is "useless". You need to remember that the filtering is still a vendor-specific implementation, and that WFP is actually quite robust and secure... it would make no sense for someone to unnecessarily re-invent the wheel when it wouldn't be better than what is already available and offered to them; using what is already available (especially when it is already robust, secure and well-tested) is a no-brainer when it comes to development costs and deadlines, too.

Please check the following documentation.
Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for creating network filtering applications. The WFP API allows developers to write code that interacts with the packet processing that takes place at several layers in the networking stack of the operating system. Network data can be filtered and also modified before it reaches its destination.

By providing a simpler development platform, WFP is designed to replace previous packet filtering technologies such as Transport Driver Interface (TDI) filters, Network Driver Interface Specification (NDIS) filters, and Winsock Layered Service Providers (LSP).

Windows Filtering Platform is a development platform and not a firewall itself. The firewall application that is built into Windows Vista, Windows Server 2008, and later operating systems, Windows Firewall with Advanced Security (WFAS), is implemented using WFP.
Source: Windows Filtering Platform

The above quoted documentation qualifies as evidence for my claim that WFP usage is not equivalent to being "based" on Windows Firewall. My claim is reliant on Microsoft's documentation, which at best is still sketchy though, because we all know what Microsoft is like with documentation.

For anyone who wants a laugh about old Anti-Virus solutions and mistakes: http://www.uninformed.org/?v=4&a=4&t=pdf

TLDR:
Once upon a time, Kaspersky probably thought that building an Anti-Virus was the same as "OS development" and started going nuts with making changes to the Windows kernel, even when they did not really need to make certain changes to support features they were after (unnecessarily reducing system stability, integrity and security). Obviously, they've learnt from those mistakes and turned over a new leaf on how they approach certain features, with more consideration for robustness and security, for a very long time now.

McAfee Internet Security Suite 2006 was vulnerable because they were using a now-obsolete mechanism named Layered Service Provider (LSP) for filtering network operations... if only WFP had been around at the time to save them.

Cya
Eddie Morra

Thread author
As an addition to my original post, it goes without saying that there are utilities out there which revolve around Windows Firewall in one shape or another. Essentially, boosters for Windows Firewall. However, WFP in itself is not based on Windows Firewall. It's the other way around. Windows Firewall is based on WFP.

You can use WFP to filter network operations system-wide for controlling incoming/outgoing packets regardless of whether Windows Firewall is enabled or not.
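One way to see this point on a live machine, as an added example that is not part of the original post: dump the WFP filter store with netsh and group the filters by provider, so Windows Firewall's own filters appear as just one provider among any third-party vendors' filters on the same platform. It assumes an elevated prompt and that the XML written by `netsh wfp show filters` has `<filters><item>` entries carrying `<providerKey>`, `<layerKey>`, `<displayData><name>` and `<action><type>` (element names as observed in that dump, not from the post).

```powershell
# Added example (not the original post's code). Lists WFP filters grouped by
# provider so the Windows Firewall provider shows up beside third-party ones.
# Assumptions: elevated shell; XML layout of 'netsh wfp show filters' as below.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
if (-not (Test-Path $dump)) { throw "netsh did not write $dump (run elevated?)" }

[xml]$doc = Get-Content -Path $dump -Raw
# Assumed structure: <wfpdiag><filters><item>...</item></filters></wfpdiag>
$items = @($doc.wfpdiag.filters.item)
if ($items.Count -eq 0) { throw "no <filters><item> entries found in $dump" }

# One row per installed filter. Filters with no providerKey are usually
# built-in system filters rather than a firewall product's.
$rows = foreach ($f in $items) {
    [pscustomobject]@{
        Provider = if ($f.providerKey) { $f.providerKey } else { '(no provider)' }
        Layer    = $f.layerKey
        Action   = $f.action.type
        Name     = $f.displayData.name
    }
}

# Per-provider summary: total filters and how many of them are block actions.
$summary = $rows | Group-Object Provider | Sort-Object Count -Descending |
    ForEach-Object {
        $blocks = @($_.Group | Where-Object { $_.Action -eq 'FWP_ACTION_BLOCK' }).Count
        [pscustomobject]@{
            Provider     = $_.Name
            Filters      = $_.Count
            BlockFilters = $blocks
            Layers       = ($_.Group.Layer | Sort-Object -Unique).Count
        }
    }
$summary | Format-Table -AutoSize

# Filters that block at the connect layer, regardless of which provider owns
# them: this is where both Windows Firewall and third-party products enforce
# outbound policy on the same WFP layer.
$rows | Where-Object {
    $_.Action -eq 'FWP_ACTION_BLOCK' -and $_.Layer -like 'FWPM_LAYER_ALE_AUTH_CONNECT_V*'
} | Select-Object Provider, Layer, Name | Format-Table -AutoSize

Remove-Item $dump -ErrorAction SilentlyContinue
```

Provider GUIDs can be matched to display names with `netsh wfp show state`, which lists each registered provider; a provider you do not recognise is worth checking against the installed security products.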