Question Windows Firewall Control beginner questions

Please provide comments and solutions that are helpful to the author of this topic.

X195

Level 1
Thread author
Aug 31, 2023
14
Hi,

In the WFC user guide on page 24 it states:
  • This minimal set of rules contain only a few outbound and inbound rules. When only these rules are used, some of the features of the operating system may not work unless other required rules are added. This is a minimal set of firewall rules that can be used as a starting point. On top of these firewall rules, add new firewall rules for your custom programs when they require access. All those hundreds of firewall rules that Windows Firewall has by default are not required.
From the last sentence, I assume I should delete the standard windows firewall rules and just use the WFC recommended ones as a starting point? What are the benefits / consequences of doing this?

========================================================================

Although the user guide is thorough in describing all of the features of the software, it doesn't really explain how a new user should approach getting it configured. Does this sound like a sensible approach for a newcomer to using the software?
  • Start with the WFC recommended rules (?^^)
  • Set the profile to "medium filtering"
  • Set the notification to "learning mode"
  • Use all the functionality and apps that I normally would on a normal basis for a few days
  • Turn notifications to "display notifications"
  • Review and decide manually for anything else
Thank you
X195
 
Last edited by a moderator:

Bot

AI-powered Bot
Apr 21, 2016
3,550
Hello X195,

Regarding your first question, the user guide suggests that the minimal set of rules provided by Windows Firewall Control (WFC) should be used as a starting point. This means that you can delete the default firewall rules in Windows Firewall and rely on the WFC rules instead. The benefit of using the WFC recommended rules is that they have been specifically designed to provide adequate protection while allowing your custom programs to access the network. The consequences of deleting the default rules would be that some features of the operating system may not work unless the necessary rules are added manually.

As for your approach as a newcomer to using the software, it seems sensible. Starting with the WFC recommended rules and setting the profile to "medium filtering" and notification to "learning mode" allows the software to learn and adapt to your usage patterns. After using your applications normally for a few days, you can then switch the notifications to "display notifications" and review and decide manually for any other rules that may be necessary. This approach allows you to gradually familiarize yourself with the software's functionality while ensuring adequate protection.

I hope this answers your questions. Let me know if you have any further inquiries.

Best regards,
Windows Firewall Control Bot
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,286
From the last sentence, I assume I should delete the standard windows firewall rules and just use the WFC recommended ones as a starting point? What are the benefits / consequences of doing this?
I am a long time WFC user and will try to help you with your questions... Here in my case I haven't noticed any issues after deleting all default Windows Firewall rules.
WFC recommended rules are basic only from my point of view, most users need to add a lot of more rules but all depends how much other software are you use and of course some important Windows system processes, here also depends what do you like to allow connecting out...
I never use Learning Mode and instead rather prefer "Display Notifications" but that can be annoying at first day, after a few days you will rarely see again notifications ;)

Although the user guide is thorough in describing all of the features of the software, it doesn't really explain how a new user should approach getting it configured. Does this sound like a sensible approach for a newcomer to using the software?
  • Start with the WFC recommended rules (?^^)
  • Set the profile to "medium filtering"
  • Set the notification to "learning mode"
  • Use all the functionality and apps that I normally would on a normal basis for a few days
  • Turn notifications to "display notifications"
  • Review and decide manually for anything else
Thank you
X195
This looks like the right way, I agree for all steps, except to use "Learning Mode" but that is the best option for beginners without a flood of WFC notifications at the first day.
 

X195

Level 1
Thread author
Aug 31, 2023
14
Thanks for your help on this. I did initially set the notifications to "display notifications" but as you say was flooded with notifications and wasn't sure how to determine if I should allow them or not (I started looking them up but found it hard to find clear cut answers and it was becoming a bit tiresome!).
I don't want to allow connections to anything that's not necessary, but on the other hand I don't want to block things that will stop required functionality.
How do you (or how did you) go about determining what to allow and what to block, when you were just starting out?
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,286
How do you (or how did you) go about determining what to allow and what to block, when you were just starting out?
I usually check for specific processes on all displayed WFC notifications then online research for information, when it's nothing important for me just block it unless something doesn't work anymore. As I said all depends mainly on software what someone does use and what does need internet access to work properly.

Here are a few examples what I allowed as outbound rule manually (I have setup in general for processes either TCP or UDP and specific ports of WF).
Device Census (devicecensus.exe) that could be related to access even your webcam, but unsure if that is true ;)
MoUSO Core Worker Process (mousocoreworker.exe) I think this process has something to do with Windows Updates.
Windows Problem Reporting (werfault.exe) when software doesn't work correctly "CrashDumps"
Windows Problem Reporting (wermgr.exe) when software doesn't work correctly "CrashDumps"
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,286
If I block something which stops the functionality of something (that I may or may not want), how will I know / be alerted?
AFAIK there is no ability to alert nor inform for all blocked rules. We can only check out all blocked connections via WFC, how to do shows my screenshot below:

wfc#1.png
 

X195

Level 1
Thread author
Aug 31, 2023
14
Thanks again,

One last question regarding signed programs and learning mode. What are the consequences of allowing all signed programs through the firewall? Is this a risk to my privacy and security?

I'll probably work on the basis that I'll block everything until something I need to use or do is not possible, and allow just the things I need to for those things to work.

Many Thanks,
X195
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,286
Thanks again,

One last question regarding signed programs and learning mode. What are the consequences of allowing all signed programs through the firewall? Is this a risk to my privacy and security?
Regarding users privacy, automatically allowing all signed processes/programs via Firewalls can be a risk when software does too much "phone home" about users activity while you use this software, but all depends on your trust for any software ;)
Regarding security, nowadays malware is also signed in widespread attacks even against home users, so that would be for sure a higher risk in general when we automatically allowing signed processes/files and even popular software could be abused(manipulated) for malicious purposes...
 

X195

Level 1
Thread author
Aug 31, 2023
14
I've thought of one more! Do you have any recommendations for any good sites to look up about processes which give a simple/concise overview about what a process does, and how many people typically block it / allow it ?

You've been very helpful, TYSM.
X195
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,511
What are the consequences of allowing all signed programs through the firewall?
Thus the reason I limited critical apps to the trusted IPs, like icedrive/onedrive are allowed to connect only to their dedicated IPs, like MS IPs:
2.18.32.0-2.18.47.255,2.18.160.0-2.18.175.255,2.23.0.0-2.23.15.255,13.64.0.0-13.107.255.255,20.0.0.0-20.31.255.255,20.33.0.0-20.128.255.255,20.135.0.0-20.136.255.255,20.150.0.0-20.153.255.255,20.180.0.0-20.191.255.255,20.192.0.0-20.255.255.255,23.192.0.0-23.223.255.255,40.74.0.0-40.125.127.255,40.126.0.0-40.126.63.255,51.10.0.0-51.13.255.255,51.132.0.0-51.132.255.255,52.96.0.0-52.115.255.255,52.145.0.0-52.191.255.255,52.224.0.0-52.255.255.255,72.246.0.0-72.247.255.255,104.40.0.0-104.47.255.255,104.64.0.0-104.127.255.255,104.208.0.0-104.215.255.255,184.24.0.0-184.31.255.255,192.229.128.0-192.229.255.255
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
565
For anyone wanting to restrict windows updates Windows processes to specific MSFT public IP address blocks, there is an available .CSV download available which gets updated frequently here:


The latest available was published on 9/12/2023. Notice they are provided in CIDR format.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
For anyone wanting to restrict windows updates Windows processes to specific MSFT public IP address blocks, there is an available .CSV download available which gets updated frequently here:


The latest available was published on 9/12/2023. Notice they are provided in CIDR format.
Learned something new -- now have better understanding of IP addresses & a minimal understanding of CIDR format... thanks! :geek:
 
  • Like
Reactions: wat0114 and Nevi

AMD1

Level 5
Verified
Aug 21, 2012
210
Can anyone please help with an in issue logging into my router ip address. When I try, I get an "unable to connect" message in the Firefox browser page. I have looked at the connection log and there is an outbound block item which i created an allow rule for but I am still unable to connect. There may also be an outbound block too ?

Any help appreciated.

EDIT 23/10/2023 - appears to have been an issue trying to connect to router whilst VPN on. Now resolved.
 
Last edited:
  • Like
Reactions: Nevi

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,026
You could try to add notification exceptions:
Thanks. It's more for like random notifications after a few days and notifications would only really be off for a few hours or more when watching catch-up telly etc. Obviously, turning notifications back on afterwards will just eventually re-show those notifications if that connection happens again. It's more so I don't have to pause a film to look up the information and allow or deny it.

What I'm getting at, is it better / more secure to just turn off notifications rather than putting it in learning mode, or lowering profile or exiting WFC?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top