simplewall - A tool to configure Windows Filtering Platform

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
While I really like the firewall, I found that it sends an alarming amount of data to a certain Server starting with 40.x.x.x
Now that I was looking at it with Microsoft Message Analyzer for a while it stopped doing that. Right now it only connects to anything if I request updates.(This time it's only "henrypp.org")
I only have records of it with process monitor. But there's not much information. Not even the IP. (Oops)
It does that many times per second with a payload of about 11300 bits over UDP

Can someone please look at it (Newest version) closer in a VM, with MMA running outside? I suspect it detects package analyzers. :(
That doesn't sound good, Does it send lot of data when you disable check for updates?
 

Yellowing

Level 5
Verified
Jun 7, 2018
221
Checking for updates takes only two packets. And both go to henrypp.org and not some IP. (That IP does not get resolved)
Now I have a recoding (Message Analyzer file) of some of the stuff happening. But it is incoming over UDP this time.

I don't know much about network or Microsoft Message Analyzer or how it links incoming packets with process ID. :(
 
Jun 13, 2018
4
Hey man, there's a weird window in your thot wallpaper gallery app

68747470733a2f2f7777772e68656e727970702e6f72672f696d616765732f73696d706c6577616c6c2e706e673f666978696d67
 
  • Like
Reactions: henrypp

henrypp

Level 1
Verified
Aug 24, 2017
48
@Yellowing, i dont see anything, any proof?

I don't know much about network or Microsoft Message Analyzer or how it links incoming packets with process ID. :(
As i see you do not understand and do not see any request from simplewall itself, but...

Only one request for UDP simplewall makes, it's DNS request for your configured hosts. Only.

ps: you can block simplewall itself (just uncheck it).
ps: simplewall can log blocked and allowed packets (win8+ only) in real time to log file.
 

Yellowing

Level 5
Verified
Jun 7, 2018
221
@Yellowing, i dont see anything, any proof?
Here. It is a log that you open in Microsoft Message Analyzer. You have to change the extension to: ".matp"
These are NOT packets that are incoming because simplewall made an update!
EDIT: Removed due to privacy concerns. PM me if you want it. (I'll send it to Henry right now)


The rest you said does not make sense to me. :cry: Please rephrase it. :giggle:

To be clear: I am only interested in connection coming from or going to simplewall.exe. Not whatever the log file logs.
 
Last edited:

Yellowing

Level 5
Verified
Jun 7, 2018
221
Simplewall is trying to get connection over IPv6. But IPv6 is disabled. So it spams my port multiple times per second. Please help, @henrypp.
Code:
Process ID    Process Name    Protocol    Local Port    Local Address        Remote Port        Remote Port Name    Remote Address                  Received Bytes    Sent Bytes    Received Packets    Sent Packets    Process Path
8136          simplewall.exe  UDP IPv6    54405         #removed#            53                 domain              #removed too, PM me#            -                 38            -                    1              C:\Program Files\simplewall\simplewall.exe
I am trying to find out who that IP is, but I can't. Everyone says it is unassigned.
This is just info for one packet. There are thousands: All with different local ports. Simplewall seems desperate to get a connection.

Just over a few seconds it scanned the ports between 49273 to 65517. (In random increments)
 
Last edited:

Yellowing

Level 5
Verified
Jun 7, 2018
221
To clear some things up about the weird Simplewall connections:
I figured that simplewall scans my network because I have IPv6 disabled and it can't connect over its usual port. The problem is it scans without pause and "spams" my network and SSD because log. (I assume this could only become a problem if twenty more programs start doing the same :D)
It's most likely a bug: Simplewall also throws a silent exception with every packet. (I can see them with a debugger) If this would be a normal port scan you wouldn't program it to throw exceptions because you expect to also scan ports that are closed.
However: This isn't because it wants to check for updates. It can update without problem and did so before. Those are other connections, directly to henrypp.org
It is also most likely a bug because it fills up the log file of dropped packets that simplewall itself makes, with one per second. Thus, negating any use one could get out of it.

"DNS request for your configured hosts": Why does it have to request over 20k ports?


I contacted henrypp per PM and gave him all available log files. :)
Lets wait for what he has to say about them.
 

henrypp

Level 1
Verified
Aug 24, 2017
48
@Yellowing,

Simplewall is trying to get connection over IPv6. But IPv6 is disabled. So it spams my port multiple times per second. Please help, @henrypp.

Variant 1 53 port is a DNS request (convert host address to ip's), i foresee you have configured hosts for simplewall thats why he try to connect 53 port, and your dns resolver it does not matter IPv6 enabled or not, he resolve addresses through all available interfaces by priority.

Code:
‎15-‎Jul-‎18 ‏‎02:01:07,###\###,C:\program files\simplewall\simplewall.exe,1.1.1.1:53 (1dot1dot1dot1.cloudflare-dns.com) (Remote),192.168.178.20:63490 (###) (Local),UDP,OpenVPN,#204137,OUT,BLOCK

Variant 2 you are using Windows 10. This BS~ have DNS leak (and this is not a bug, this is feature), and you are used OpenVPN who blocks DNS requests for all interfaces exclude his own, thats why you are see overloaded by DNS requests. Solution - completely remove Windows 10 here solution.
 
  • Like
Reactions: Sunshine-boy

jackuars

Level 28
Verified
Top Poster
Well-known
Jul 2, 2014
1,722
Hello! Developer of this tool is here, you can post any observations to me.
Can you also make provision to see the download & upload meter in Simplewall to see how much network bandwidth is each process consuming? So that i can disable whichever is taking more bandwidth when I don't need them.
 

fredgo

Level 1
Verified
Jul 11, 2018
22
It basically starts using task scheduler if you select that so you have no uac alert.
Thanks for the reply. I have 'skip uac prompt' ticked, and I installed it on a non-admin account into the system directory via the setup app which required admin password prompt. Should it be asking every time I log on to a non-admin account even with this ticked?
 

henrypp

Level 1
Verified
Aug 24, 2017
48
Thanks for the reply. I have 'skip uac prompt' ticked, and I installed it on a non-admin account into the system directory via the setup app which required admin password prompt. Should it be asking every time I log on to a non-admin account even with this ticked?
It's normal, because task scheduler required username/pass for running admin account under non-admin.
Open taskschd.msc and create new task with highest priveleges under non-admin account.
 

fredgo

Level 1
Verified
Jul 11, 2018
22
It's normal, because task scheduler required username/pass for running admin account under non-admin.
Open taskschd.msc and create new task with highest priveleges under non-admin account.
Thanks for replying.
That is quite odd, no other firewall or av I've ever used has run like this as once it's installed in to the system via admin it doesn't need to ask for admin rights every startup. Is this not possible to have installed like this to run as admin without having to task each user with an elevated sheduled task? Does the 'skip uac promt' not do anything?

I'm looking at using this on a few computers but can't reasonable set it up like this sadly.

Edit: so everyone here running simplewall on non-admin accounts has to enter the admin password at uac prompt every time they log into their computers account?
 
Last edited:

Yellowing

Level 5
Verified
Jun 7, 2018
221
@Yellowing
Code:
‎15-‎Jul-‎18 ‏‎02:01:07,###\###,C:\program files\simplewall\simplewall.exe,1.1.1.1:53 (1dot1dot1dot1.cloudflare-dns.com) (Remote),192.168.178.20:63490 (###) (Local),UDP,OpenVPN,#204137,OUT,BLOCK
Variant 2 you are using Windows 10. This BS~ have DNS leak (and this is not a bug, this is feature), and you are used OpenVPN who blocks DNS requests for all interfaces exclude his own, thats why you are see overloaded by DNS requests. Solution - completely remove Windows 10 here solution.
Hi :)
I haven't configured hosts for anything, so Variant 2 is applicable. :(
Unfortunately I am using ProtonVPN atm, and they use OpenVPN in their program. But they don't use "block-outside-dns" in their automatically created "config.ovpn" file. :mad:
I should probably change to OpenVPN and use preconfigured server files from ProtonVPN instead, so that I can change them with no problem.
I hope WindscribeVPN doesn't have this issue.

Well see if this in a while when I'm finished... :giggle:
 

Yellowing

Level 5
Verified
Jun 7, 2018
221
@henrypp Now I have finally finished configuring OpenVPN with "block-outside-dns". I even got confirmation that it works in log. :)
(I had an issue with tap-driver installation, so it took a little longer...)

Still, Simplewall does the same thing. :( Scanning all upper ports, spamming the dropped packages log-file... Any more ideas, plese? :)
 
Jun 13, 2018
4
Edit: so everyone here running simplewall on non-admin accounts has to enter the admin password at uac prompt every time they log into their computers account?

Yes, there are very unsafe workarounds for this (that keep your password in plaintext on the disk) but if you run a regular user and need to open a program on startup as admin you are screwed.

This doesn't work anymore on Windows 10 at least https://stackoverflow.com/questions...utomatically-as-admin-on-windows-7-at-startup and of course using UAC on anything but max level is stupid.
 

fredgo

Level 1
Verified
Jul 11, 2018
22
Yes, there are very unsafe workarounds for this (that keep your password in plaintext on the disk) but if you run a regular user and need to open a program on startup as admin you are screwed.

This doesn't work anymore on Windows 10 at least How to run a program automatically as admin on Windows 7 at startup? and of course using UAC on anything but max level is stupid.
Thanks for the info. How do all other apps which need root, av, firewalls etc do this but this app can't?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top