Question Windows Firewall Control beginner questions


X195

Level 1
Thread author
Aug 31, 2023
14
Hi,

In the WFC user guide on page 24 it states:
  • This minimal set of rules contain only a few outbound and inbound rules. When only these rules are used, some of the features of the operating system may not work unless other required rules are added. This is a minimal set of firewall rules that can be used as a starting point. On top of these firewall rules, add new firewall rules for your custom programs when they require access. All those hundreds of firewall rules that Windows Firewall has by default are not required.
From the last sentence, I assume I should delete the standard windows firewall rules and just use the WFC recommended ones as a starting point? What are the benefits / consequences of doing this?

========================================================================

Although the user guide is thorough in describing all of the features of the software, it doesn't really explain how a new user should approach getting it configured. Does this sound like a sensible approach for a newcomer to using the software?
  • Start with the WFC recommended rules (?^^)
  • Set the profile to "medium filtering"
  • Set the notification to "learning mode"
  • Use all the functionality and apps that I normally would on a normal basis for a few days
  • Turn notifications to "display notifications"
  • Review and decide manually for anything else
Thank you
X195
 

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,460
Hello X195,

Regarding your first question, the user guide suggests that the minimal set of rules provided by Windows Firewall Control (WFC) should be used as a starting point. This means that you can delete the default firewall rules in Windows Firewall and rely on the WFC rules instead. The benefit of using the WFC recommended rules is that they have been specifically designed to provide adequate protection while allowing your custom programs to access the network. The consequences of deleting the default rules would be that some features of the operating system may not work unless the necessary rules are added manually.

As for your approach as a newcomer to using the software, it seems sensible. Starting with the WFC recommended rules and setting the profile to "medium filtering" and notification to "learning mode" allows the software to learn and adapt to your usage patterns. After using your applications normally for a few days, you can then switch the notifications to "display notifications" and review and decide manually for any other rules that may be necessary. This approach allows you to gradually familiarize yourself with the software's functionality while ensuring adequate protection.

I hope this answers your questions. Let me know if you have any further inquiries.

Best regards,
Windows Firewall Control Bot
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
From the last sentence, I assume I should delete the standard windows firewall rules and just use the WFC recommended ones as a starting point? What are the benefits / consequences of doing this?
I am a long-time WFC user and will try to help you with your questions... In my case, I haven't noticed any issues after deleting all default Windows Firewall rules.
The WFC recommended rules are only basic from my point of view; most users need to add a lot more rules, but it all depends on how much other software you use and, of course, on some important Windows system processes; here it also depends on what you would like to allow to connect out...
I never use Learning Mode and instead prefer "Display Notifications", but that can be annoying on the first day; after a few days you will rarely see notifications again ;)

Although the user guide is thorough in describing all of the features of the software, it doesn't really explain how a new user should approach getting it configured. Does this sound like a sensible approach for a newcomer to using the software?
  • Start with the WFC recommended rules (?^^)
  • Set the profile to "medium filtering"
  • Set the notification to "learning mode"
  • Use all the functionality and apps that I normally would on a normal basis for a few days
  • Turn notifications to "display notifications"
  • Review and decide manually for anything else
Thank you
X195
This looks like the right way; I agree with all steps except using "Learning Mode", but that is the best option for beginners, without a flood of WFC notifications on the first day.
 

X195

Thanks for your help on this. I did initially set the notifications to "display notifications" but as you say was flooded with notifications and wasn't sure how to determine if I should allow them or not (I started looking them up but found it hard to find clear cut answers and it was becoming a bit tiresome!).
I don't want to allow connections to anything that's not necessary, but on the other hand I don't want to block things that will stop required functionality.
How do you (or how did you) go about determining what to allow and what to block, when you were just starting out?
 

silversurfer

How do you (or how did you) go about determining what to allow and what to block, when you were just starting out?
I usually check the specific processes in all displayed WFC notifications and then research them online for information; when it's nothing important for me, I just block it unless something doesn't work anymore. As I said, it all depends mainly on what software someone uses and what needs internet access to work properly.

Here are a few examples of what I allowed manually as outbound rules (in general I have set up the processes for either TCP or UDP and specific ports of WF).
Device Census (devicecensus.exe), which could even be related to access to your webcam, but I'm unsure if that is true ;)
MoUSO Core Worker Process (mousocoreworker.exe): I think this process has something to do with Windows Updates.
Windows Problem Reporting (werfault.exe): when software doesn't work correctly, "CrashDumps"
Windows Problem Reporting (wermgr.exe): when software doesn't work correctly, "CrashDumps"
 

silversurfer

If I block something which stops the functionality of something (that I may or may not want), how will I know / be alerted?
AFAIK there is no ability to alert or inform about all blocked rules. We can only check all blocked connections via WFC; my screenshot below shows how to do it:

[Screenshot: wfc#1.png]
 

X195

Thanks again,

One last question regarding signed programs and learning mode. What are the consequences of allowing all signed programs through the firewall? Is this a risk to my privacy and security?

I'll probably work on the basis that I'll block everything until something I need to use or do is not possible, and allow just the things I need to for those things to work.

Many Thanks,
X195
 

silversurfer

Thanks again,

One last question regarding signed programs and learning mode. What are the consequences of allowing all signed programs through the firewall? Is this a risk to my privacy and security?
Regarding users' privacy, automatically allowing all signed processes/programs through firewalls can be a risk when software does too much "phoning home" about the user's activity while you use it, but it all depends on your trust in any given software ;)
Regarding security, nowadays malware is also signed in widespread attacks, even against home users, so there would for sure be a higher risk in general when we automatically allow signed processes/files, and even popular software could be abused (manipulated) for malicious purposes...
 

X195

I've thought of one more! Do you have any recommendations for any good sites to look up processes, which give a simple/concise overview of what a process does and how many people typically block it / allow it?

You've been very helpful, TYSM.
X195
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,487
What are the consequences of allowing all signed programs through the firewall?
Thus the reason I limited critical apps to the trusted IPs, like icedrive/onedrive are allowed to connect only to their dedicated IPs, like MS IPs:
2.18.32.0-2.18.47.255,2.18.160.0-2.18.175.255,2.23.0.0-2.23.15.255,13.64.0.0-13.107.255.255,20.0.0.0-20.31.255.255,20.33.0.0-20.128.255.255,20.135.0.0-20.136.255.255,20.150.0.0-20.153.255.255,20.180.0.0-20.191.255.255,20.192.0.0-20.255.255.255,23.192.0.0-23.223.255.255,40.74.0.0-40.125.127.255,40.126.0.0-40.126.63.255,51.10.0.0-51.13.255.255,51.132.0.0-51.132.255.255,52.96.0.0-52.115.255.255,52.145.0.0-52.191.255.255,52.224.0.0-52.255.255.255,72.246.0.0-72.247.255.255,104.40.0.0-104.47.255.255,104.64.0.0-104.127.255.255,104.208.0.0-104.215.255.255,184.24.0.0-184.31.255.255,192.229.128.0-192.229.255.255
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
For anyone wanting to restrict Windows updates Windows processes to specific MSFT public IP address blocks, there is a .CSV download available, which gets updated frequently, here:


The latest available was published on 9/12/2023. Notice they are provided in CIDR format.
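
An added example, not part of the original posts: the ranges quoted earlier in the thread use start-end notation, while the CSV mentioned here uses CIDR. This Python code normalises either notation to CIDR and checks whether a destination address seen in a connection log falls inside the allow-list; the function names are hypothetical, and the sample string reuses three ranges from the post above, the last rewritten in CIDR form.

```python
import ipaddress

# Sample input: ranges copied from the post earlier in this thread; the last
# entry is the same range as 40.126.0.0-40.126.63.255, rewritten as CIDR.
SAMPLE = "2.18.32.0-2.18.47.255, 13.64.0.0-13.107.255.255, 40.126.0.0/18"


def to_networks(spec):
    """Parse comma-separated 'start-end' ranges and/or CIDR blocks into a
    sorted list of networks with overlaps and neighbours merged."""
    nets = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {item!r}")
            # One range may need several CIDR blocks to cover it exactly.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # strict=True rejects typos such as 40.126.0.1/18 (host bits set).
            nets.append(ipaddress.ip_network(item, strict=True))
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    return merged


def to_cidr_string(spec):
    """Return the allow-list as one comma-separated CIDR string."""
    return ",".join(str(n) for n in to_networks(spec))


def is_allowed(address, nets):
    """True if the address is covered by any network in the allow-list."""
    addr = ipaddress.ip_address(address)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    allow = to_networks(SAMPLE)
    print(to_cidr_string(SAMPLE))
    for dest in ("13.107.42.14", "8.8.8.8"):  # constructed destinations
        print(dest, "allowed" if is_allowed(dest, allow) else "blocked")
```

A range that does not sit on a power-of-two boundary, such as 13.64.0.0-13.107.255.255, expands to several CIDR blocks, so a converted list is usually longer than the range list it came from.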
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
For anyone wanting to restrict Windows updates Windows processes to specific MSFT public IP address blocks, there is a .CSV download available, which gets updated frequently, here:


The latest available was published on 9/12/2023. Notice they are provided in CIDR format.
Learned something new -- now have better understanding of IP addresses & a minimal understanding of CIDR format... thanks! :geek:
 

AMD1

Level 5
Verified
Aug 21, 2012
210
Can anyone please help with an issue logging into my router IP address? When I try, I get an "unable to connect" message in the Firefox browser page. I have looked at the connection log and there is an outbound block item which I created an allow rule for, but I am still unable to connect. There may also be an outbound block too?

Any help appreciated.

EDIT 23/10/2023 - appears to have been an issue trying to connect to router whilst VPN on. Now resolved.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
You could try to add notification exceptions:
Thanks. It's more for like random notifications after a few days and notifications would only really be off for a few hours or more when watching catch-up telly etc. Obviously, turning notifications back on afterwards will just eventually re-show those notifications if that connection happens again. It's more so I don't have to pause a film to look up the information and allow or deny it.

What I'm getting at, is it better / more secure to just turn off notifications rather than putting it in learning mode, or lowering profile or exiting WFC?
 
