Advice Request Looking for alternative to Windows Firewall to block IP Address


Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Hello

I have noticed recently that my computer is connected to shady foreign IP Addresses
I tried blocking said IP addresses with Windows Firewall but to no effect, I am still connected
-I tested this via the ping (IP address) command in cmd

Is there any software that I can use to block IP addresses effectively?
Or will using a VPN fix this?

Note: I am currently using Evorim Free Firewall. I prefer to use it, albeit its block IP function also does not work.
 

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
Have a look at Tinywall 3, it seems to be popular on here.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Are you sure you created the rule properly in Windows Firewall?
I just tested one here and it's working perfectly. Make sure you selected Ports as Any, Remote address as those IP addresses and marked all the profiles.
 

NewbyUser

Level 2
Verified
Well-known
Jul 16, 2021
53
A better idea is to find out what is so persistently connecting and remove that. Perhaps you have some malware or a rogue browser extension or adware. Also, ping doesn't have anything to do with connecting; it merely "finds" the address, it doesn't necessarily mean you're connected to it.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Hello
Yes, I am sure I created the rule properly in Windows Firewall, but it does not work.
In this example I am trying to block this IP address: 202.138.178.80

However, after applying the rule, ping shows the connection still passes through.

If ping is not the command used to test if a firewall rule is working, then what should be used?
 

NewbyUser

Level 2
Verified
Well-known
Jul 16, 2021
53
You may have a rule allowing traffic to that address above the rule you created. It's not typically needed for firewall rules but try restarting your computer.
 

NormanF

Level 9
Verified
Jan 11, 2018
404
Ports are no longer going to be blocked in TinyWall in the future because legitimate applications route traffic through them. Only domains will be blocked.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Yes, I do need a full block on an IP address.
By the way, how can I block a range of IP addresses?

For example, I want to block all the values from 202.138.x.x to 202.138.255.255.
Does the IP range become: 202.138.0.0-202.138.255.255?

From my understanding the first 2 parts of the IP address identify the network (in this case: 202.138).
The 2nd part identifies the node (which is x.x).

I find that the offending IP that is connecting to me uses the same network but a different node.
I am able to see this using TCPEye.
It is using the SearchApp.exe program to connect towards the internet.
I know the program itself is legitimate, but I am suspicious about the IP itself. I have scanned that program with VirusTotal and found no infections whatsoever.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
@Galadrium

You would need an outbound block rule for the program path of SearchApp.exe to remote port any, remote IP 202.138.xxx.xxx-202.138.255.255.

If you want the actual IP range, try using any number of available online Whois services to find them.

I suppose you could also just block any program from connecting to the IP range.

Sorry, but I also wanted to mention it becomes futile trying to block IP ranges with a firewall. Default-deny is easier to manage and more reliable.
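For reference, here is how the outbound block rule described in the question and the replies above can be created and verified with Windows' built-in NetSecurity cmdlets instead of a third-party front end. This is an added example, not code from anyone in the thread; the rule name and the choice of the /16 range (202.138.0.0/16 is the same set of addresses as 202.138.0.0-202.138.255.255) are this example's own, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): outbound block rule for a whole IP range,
# read back for verification, then a TCP connect test (ping only covers ICMP),
# and finally a lookup of which process owns any existing connection into the range.

$RuleName = 'Block 202.138.0.0/16 outbound'   # hypothetical rule name
$Range    = '202.138.0.0/16'                   # equals 202.138.0.0-202.138.255.255
$Suspect  = '202.138.178.80'                   # address quoted in the thread

# 1. Outbound block rule: any program, any protocol/port, all three profiles.
#    Add -Program 'C:\path\to\SearchApp.exe' (hypothetical path) to scope it to one executable.
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
    -RemoteAddress $Range -Protocol Any -Profile Any -Enabled True | Out-Null

# 2. Read the rule back together with its address filter to confirm the scope is right.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 3. Real reachability test: a TCP connect attempt rather than an ICMP echo.
#    TcpTestSucceeded should report False once the block rule is in effect.
Test-NetConnection -ComputerName $Suspect -Port 443 -InformationLevel Detailed |
    Select-Object RemoteAddress, RemotePort, TcpTestSucceeded

# 4. Answer "what is actually connecting?" from the TCP table instead of guessing:
#    list every current connection into the range with its owning process and path.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -like '202.138.*' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            Process       = $proc.ProcessName
            Path          = $proc.Path
        }
    }
```

If a third-party firewall has registered itself with Windows Security Center, Windows Firewall may not be enforcing these rules at all, which matches what later posts in this thread report.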
 

NewbyUser

Level 2
Verified
Well-known
Jul 16, 2021
53
I still suggest finding the cause or source of the communication. But as you are using Windows firewall perhaps a solution to manage that in an easier fashion would work. Windows Firewall Control and Tinywall are both excellent and both are free. Personally I prefer WFC when I don't use another security solution.

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
@NewbyUser

Thank you for the suggestion, I will try WFC.
The reason why I'm sticking to Evorim firewall is because it has notifications whenever a new program connects to the internet. It doesn't leave you in the dark and let any program connect to the internet without notifying you. You decide what the setting will be once it detects a new program connecting to the internet (i.e. Allow/Ignore/Block).

I'll also try Tinywall and see how it works.

I think it is too much work to find the root cause of the communication. I don't have in depth expertise yet in malware analysis and can only see surface level activity such as network activity like this one. If you mean I'm going to try doing static or dynamic malware analysis on the program (i.e. look at its PE header, etc.), I have yet to train myself.

I was thinking of blocking the connection and evaluate if there are any issues. If it does no harm, I will proceed with the block. If it does any harm, then I will reverse it and try to assess from there.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Ok, I tested both out.
Strangely enough, I find that WFC worked while Tinywall didn't. I tested this out after uninstalling Evorim Free Firewall.

Here is my test result with WFC in an attempt to block 202.138.178.80.

You can see that the rule is enabled with MB WFC.

However, if I disable it in WFC and try blocking the same IP address with Simplewall, it does not work.

The rule is enabled in Simplewall and disabled in MB's WFC.

I find it odd that this is the case, or perhaps NormanF's suggestion is true?

Edit: Further tested blocking an IP range in MB's WFC.
Blocking 202.138.178.0-202.138.178.255 works. I tried pinging several IPs within this range and they were all blocked.
Blocking an even greater IP range of 202.138.0.0-202.138.255.255 also works.

I am impressed with MB's WFC. It is just what I need.
I am not really going for a per-program basis block because what if the attacker is relying on a masked IP forwarding service (like No-IP) and uses a range of IPs but masks what program he actually uses? It's like playing whack-a-mole if I would try blocking on a per-program basis. I feel there's more flexibility to block on an IP basis as he would eventually run out of available IPs to use.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
I hit a setback, however, when trying to install WFC in Windows 10.

I have already removed Comodo Firewall in the past with Revo Uninstaller. I don't know why Windows Security Center is still reading it as such. Is there any way to remove this error, or can I proceed to install and use WFC safely?
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,259
That's a problem when uninstalling Comodo Firewall with third-party uninstallers, in the future just use Comodo's own uninstaller.

First look for leftovers of Comodo (and delete them manually) with the Antivirus Removal Tool:
Antivirus Removal Tool - The technician friendly tool to detect and completely remove antivirus software.
Use the search function.
You can remove Comodo Firewall from Windows Security Center with the Farbar Recovery Scan Tool as described here by @SeriousHoax:
Afterwards there should be no warning from WFC anymore.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Ok, I was able to remove the warning with Farbar; it was the only one that picked it up.
Ok, this is driving me nuts.

I forgot to mention that I tested out WFC in a virtual machine, not on my system. I usually test things out in the virtual machine just in case it does not work out well.
It is working as intended on the virtual machine.
It's not working as intended on my actual system.

When I do the ping test on my real system, the first 2 packets result in a failure, while the rest are a success.

When I do a ping again, it results in 4 packets successfully going outbound, despite the outbound rule I created with MB's WFC.

Here are my WFC outbound rules in my actual system.

I am currently trying to find any "firewall rule" that prevents me from blocking an IP. Are there any leads?
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
It seems I have found the issue. The culprit is my current firewall; however, I cannot find any setting to stop this from happening.
Uninstalling it will make the IP block of MB's WFC work.
Installing it does not make it work.
Conclusively, the program is still in a buggy state. Only application-level block and block-all-internet-access features work.

I use Evorim Firewall to do program blocks.
Looks like I need to find another alternative, but excluding Simplewall as that does not work.
I will re-evaluate Tinywall.

In the end I just want to be able to be notified for any new programs that connect to the internet.
I also need a firewall that can do a "block-all-internet-access" mode/option and re-enable it.
And also be able to block IP addresses and entire IP ranges like MB's WFC.

Edit:
Tried Tinywall; it does not have any notifications for when a new program attempts to connect to the internet, unlike Evorim Free Firewall and Simplewall.
It does have some other nice features though, like blocking LAN traffic exclusively and password-protecting your settings in Tinywall.

MB's WFC has a display notification feature, but I have not yet been able to get it triggered to see what it looks like.
It also doesn't have a "Block all internet access" feature for when I need to leave my PC AFK and then just re-enable it when I am back.
 

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
Evorim is a full featured Firewall. Running two firewalls is not a good idea.
WFC is more a front end interface for Windows firewall. Which is basically disabled if you have another FW installed on your system.
 