Advice Request Looking for alternative to Windows Firewall to block IP Adress

Please provide comments and solutions that are helpful to the author of this topic.

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Hello

I have noticed recently that my computer is connected to shady foreign IP Addresses
I tried blocking said IP addresses with Windows Firewall but to no effect, I am still connected
-I tested this via the ping (IP address) command in cmd

Is there any software that I can use to block IP addresses effectively?
Or will using a VPN fix this?

Note: I am currently using Evorim Free Firewall. I prefer to use it, albeit its block IP function also does not work.
 

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
540
Have a look at Tinywall 3 seems to be popular on here.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Are you sure you created the rule properly in Windows Firewall?
I just tested one here and it's working perfectly. Make sure you selected Ports as Any, Remote address as those IP addresses and marked all the profiles.
1.png2.png
 

NewbyUser

Level 2
Verified
Well-known
Jul 16, 2021
53
Hello

I have noticed recently that my computer is connected to shady foreign IP Addresses
I tried blocking said IP addresses with Windows Firewall but to no effect, I am still connected
-I tested this via the ping (IP address) command in cmd

Is there any software that I can use to block IP addresses effectively?
Or will using a VPN fix this?

Note: I am currently using Evorim Free Firewall. I prefer to use it, albeit its block IP function also does not work.
A better idea is to find out what is so persistently connecting and remove that. Perhaps you have some malware or a rogue browser extension or adware. Also Ping doesn't have anything to with connecting, it merely "finds" the address, it doesn't necessarily mean you're connected to it.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Hello
Yes I am sure I created the rule properly in Windows firewall but it does not work
In this example I am trying to block this IP Address: 202.138.178.80

R2.png
However after applying the rule, ping shows the connection still passes through.

If ping is not the command used to test if a firewall rule is working, then what should be used?
 
Last edited by a moderator:
  • Like
Reactions: Nevi

NewbyUser

Level 2
Verified
Well-known
Jul 16, 2021
53
Hello
Yes I am sure I created the rule properly in Windows firewall but it does not work
In this example I am trying to block this IP Address: 202.138.178.80

View attachment 261409
However after applying the rule, ping shows the connection still passes through.

If ping is not the command used to test if a firewall rule is working, then what should be used?
You may have a rule allowing traffic to that address above the rule you created. It's not typically needed for firewall rules but try restarting your computer.
 
  • Like
Reactions: Nevi and oldschool

NormanF

Level 7
Verified
Jan 11, 2018
343
Ports are no longer going to be blocked in TinyWall in the future because legitimate applications route traffic through them. Only domains will be blocked.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Yes, I do need a full block on an IP address.
By the way, how can I block a range of IP addresses?

Example I want to block all the values from 202.138.x.x to 202.138.255.255
Does the IP range become: 202.138.0.0-202.138.255.255?

From my understanding the first 2 part of the IP address identifies the network (in this case: 202.138)
The 2nd part identifies the node (which is x.x)

I find that the offending IP that is connecting me uses the same network but different node
I am able to see this using TCPEye
It is using the SearchApp.exe program to connect towards the internet.
I know the program itself is legitimate but, I am suspicious about the IP itself. I have scanned that program with Virus total and found no infections what so ever.
 

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
539
@Galadrium

you would need an outbound block rule for the program path of search app.exe to remote port any, remote ip 202.138.xxx.xxx-202.138.255.255

If you want the actual ip range, try using any number of available online Whois services to find them.

I suppose you could also just block any program from connecting to the ip range.

Sorry but I also wanted to mention it becomes futile trying to block ip ranges with a firewall. Default-deny is easier to manage and more reliable.
 
Last edited:
  • Like
Reactions: Nevi

NewbyUser

Level 2
Verified
Well-known
Jul 16, 2021
53
I still suggest finding the cause or source of the communication. But as you are using Windows firewall perhaps a solution to manage that in an easier fashion would work. Windows Firewall Control and Tinywall are both excellent and both are free. Personally I prefer WFC when I don't use another security solution.


 
  • Like
Reactions: Galadrium

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
@NewbyUser

Thank you for the suggestion, I will try WFC
The reason why I'm sticking to Evorim firewall is because it has notifications whenever a new program connects to the internet. It doesn't leave you in the dark and let any program connect to the internet without notifying you. You decide what the setting will be once it detects a new program connecting to the internet (i.e. Allow/Ignore/Block).

I'll also try Tinywall and see how it works.

I think it is too much work to find the root cause of the communication. I don't have in depth expertise yet in malware analysis and can only see surface level activity such as network activity like this one. If you mean I'm going to try doing static or dynamic malware analysis on the program (i.e. look at its PE header, etc.), I have yet to train myself.

I was thinking of blocking the connection and evaluate if there are any issues. If it does no harm, I will proceed with the block. If it does any harm, then I will reverse it and try to assess from there.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Ok I tested both out.
Strangely enough, I find that WFC worked while Tiny wall didn't. I tested this out after uninstalling Evorim Free Firewall.

Here is my test result with WFC in an attempt to block 202.138.178.80
R1.png

You can see that the rule is enabled with MB WFC

However, if I disable it in WFC and try blocking the same IP address with Simplewall, it does not work
R2.png

The rule is enabled in Simplewall and disabled in MB's WFC.

I find it odd that is this the case, or perhaps NormanF's suggestion is true?

Edit: Further tested blocking an IP range in MB's WFC
Blocking 202.138.178.0-202.138.178.255 works. I tried pinging several IPs within this range and they were all blocked
Blocking an even greater IP range of 202.138.0.0-202.138.255.255 also works

I am impressed with MB's WFC. It is just what I need
I am not really going for a per-program basis block because what if the attacker is relying on a masked IP forwarding service (like No-ip) and uses a range of IP but masks what program he actually uses. It's like playing whack-a-mole if I would try blocking on a per program basis. I feel there's more flexibility to block on an IP basis as he would eventually run out of available IPs to use.
 
Last edited:

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
I hit a setback however, when trying to install WFC in Windows 10

R1.png


I have already removed Comodo Firewall from the past with Revo Uninstaller. I don't know why Windows Security Center is still reading it as such. Is there any way to remove this error or can I proceed to install & use WFC safely?
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,471
I hit a setback however, when trying to install WFC in Windows 10

View attachment 261478

I have already removed Comodo Firewall from the past with Revo Uninstaller. I don't know why Windows Security Center is still reading it as such. Is there any way to remove this error or can I proceed to install & use WFC safely?
That's a problem when uninstalling Comodo Firewall with third-party uninstallers, in the future just use Comodo's own uninstaller.

First look for leftovers (and delete them manually) of Comodo with the Antivirus Removal Tool:
Antivirus Removal Tool - The technician friendly tool to detect and completely remove antivirus software.
Use the search function:
antivirus_removal_tool_main-1024x642.png
You can remove Comodo Firewall from windows security center with the Farbar Recovery Scan Tool as described here by @SeriousHoax :
Afterwards there should be no warning from WFC anymore.
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
Ok I was able to remove the warning with Farbar, it was the only one that picked it up.
Ok this is driving me nuts.

I forgot to mention that I tested out WFC in a virtual machine, not on my system . I usually test things out in the virtual machine just in case it does not work out well.
It is working as intended on the virtual machine
Its not working intended on my actual system.

R1.png

When I do the ping test on my real system, the first 2 packets result in a failure, while the rest is a success

When I do a ping again, it results in 4 packets successfully going outbound, despite the outbound rule I created with MB's WFC

R1.png

Here is my WFC outbound rules in my actual system.

R1.png


I am currently trying to find any "firewall rule" that circumvents me from blocking an IP. Are there any leads?
 

Galadrium

Level 1
Thread author
Verified
Well-known
Apr 30, 2021
11
It seems I have found the issue. The culprit is my current firewall, however I cannot find any setting to stop this from happening.
Uninstalling it will make the IP block of MB's WFC work
Installing it does not make it work
Conclusively, the program is still in a buggy state. Only application level block and block-all internet access features work.

I use Evorim Fire wall to do program blocks
Looks like I need to find another alternative, but excluding Simplewall as that does not work.
I will re-evaluate Tiny wall.

In the end I just want to be able to be notified for any new programs that connect to the internet
Also need a firewall that can do a "block-all-internet-access" mode/option and re-enable it
And also be able to block IP addresses and entire IP ranges like MB's WFC.

Edit:
Tried Tiny wall, it does not have any notifications for when a new program attempts to connect to the internet, unlike Evorim Free Firewall and simplewall
It does have some other nice features though like block LAN traffic exclusively and password protect your settings in Tiny wall.

MB's WFC has a display notification feature but I have not yet able to get it triggered to see what it looks like
It also doesn't have a "Block all internet access" feature for when I need to leave my PC afk and then just re-enable it when I am back.
 
Last edited:

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
540
Evorim is a full featured Firewall. Running two firewalls is not a good idea.
WFC is more a front end interface for Windows firewall. Which is basically disabled if you have another FW installed on your system.
 
  • Like
Reactions: Nevi

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top