You can do that with Simplewall, at least.
Are you really sure about this? Since this is a WFP bug, and simplewall based on it, how was this fixed? According to the issues, this is still a problem.
I never use those general rules. It’s possible to get it working by approving individual services and components.
I didn’t bother opening the link because it was from 2022.
edit. I remembered incorrectly. I have enabled the general Windows Update Service, but I’ve removed all permissions that are not essential for its operation.
PaintMaster666
I’ll give it another shot when it’s ready!
It should be able to work with only a rule for wuaserv. You don’t need to manually create it, after you try to update, a notification should appear (in dashboard or popup depending on what you set it to in the settings tab). So if another process is also needed to update, it should notify you of that as well.
You don’t have to allow access to all of svchost. It’s just many people do this by making it a wildcard rule, since there are so many subprocesses and they don’t want to deal with all of them.
Minimal Firewall is a true frontend for Windows Firewall, it doesn’t work deeper on the network stack and have to worry about precedence or other issues with filters.
1 Like
Actually, I’m not entirely sure about its ‘full’ functionality anymore. I believe it has been working for a long time, but now I can’t get any response from Windows Update. And yes, I have already restarted the services and the computer itself. I’ll just wait and see if it starts working again tomorrow, especially since the Simplewall logs don’t show anything being blocked except for svchost.
By the way, the updates have been fixed, you need to enable the option Settings -> Rules -> Allow Windows Update.
It creates a copy of svchost with a different name so the firewall can control it, and then edits the registry to redirect update services to this process. Horrible, but kinda works. But, as far as I know, there are other services with the same issue. On VM, I couldn’t get Microsoft Store to work without allowing network access to all svchost processes, even though I checked the logs and allowed access to all services that tried to connect. Someone said the problem was with wlidsvc, seems like it.
Anyway, I don’t care. You shouldn’t use firewalls that don’t have their own driver.
Thanks! I have no idea how it managed to work by sheer luck before this. And the first thing I did was remove the Store…
And I’m absolutely convinced that it should NOT have its own driver, but instead it must get by with the default Windows one.
Do you mean a third-party driver rather than relying on WFP?
1 Like
Yes, you should use a third-party driver instead of relying on Microsoft’s WFP. WFP-based FW cannot work properly with svchost, domain names, can’t pause connections on notification and always cut connections, GUI always require administrator rights. Even worse when it’s just a Windows Firewall configurator. I’ve used those, and Microsoft is always adding its own rules without my permission.
If I have simplewall currently installed and want to try Minimal Firewall I need to uninstall simplewall first, right?
I suppose I can disconnect my ethernet cable as I make the switch.
No, just turn off the filters, and make sure the Windows Firewall is on. It’s basically just a Windows Firewall frontend.
Sorry, I have to respectfully disagree. At that point you are increasing attack surface. Microsoft’s vast team working on testing, fuzzing, signing requirements, etc. to patch any vulnerabilities vs the homebrew of one or a few people.
You always need administrator rights to edit the firewall. That’s more secure than a third-party firewall. A firewall that ships its own driver is injecting code into the kernel. Any bug becomes a privilege-escalation vector. People put too much trust in “open-source,” when big companies have more to lose. And an “audit” is only reliable for that snapshot (in terms of trust if someone is worried about a bad actor creating programs), until a new version is released.
Third party drivers can be better for usability, and perhaps privacy (but probably not, because if Microsoft wants your telemetry, they will get it). But not security. Not unless there is some GrapheneOS-like project that I don’t know about.
2 Likes
You’re telling me about some security and Microsoft team working, etc., but Microsoft still has a huge number of UAC bypasses and still can’t fix a bug where you can’t allow system updates without granting permission to port 443 for all possible svchost processes? Are you sure the real problem is with the custom driver?
For example, NetLimiter doesn’t need UAC rights to use the GUI. It also has custom permission settings to allow control for specific users.
You’re not using WFP and Windows Firewall. These third-party WFP-based firewalls already require administrator privileges to run, which is already increasing the attack surface. Do these firewalls allow monitoring without giving them control over the rules? No. They always require administrator privileges, even on a user account. Have these firewalls undergone any security audits? No, their developers can’t even organize a repository properly, so how can we talk about security?
1 Like
Why would you need to grant permission for all svchost? The WFP COM API allows you to create rules for svchost.exe but tie them to specific service names. You don’t even need a third-party firewall to do that, you can do it in Windows Firewall, such as
Program: C:\windows\system32\svchost.exe
Service: wlidsvc
or
Service: DoSvc
Service: BITS
You can also use third-party firewalls to make them temporary, deleting upon expiry.
The two aren’t mutually exclusive. There can be vulnerabilities in Microsoft, but their update process is generally safe, and they offer $$$ if you can find more. If you are already using an OS where you are concerned about current vulnerabilities, then adding additional kernel-level attack surfaces isn’t going to make it better.
What are the benefits of paused connections? The only benefit I see is a smoother UX for new connections (and I assume if you pause too long, you will get failures anyways). To do this you need to implement something like you must intercept and queue packets, maintain state, and present a consistent TCP stack to both endpoints. You are trading a massive, high-risk kernel attack vector for a minor usability benefit (unless there are more major benefits, I just haven’t personally run across any limitations).
Yes, you increase attack service to have to allow the gui to open as admin mode. This is something I’m working on to separate to push to Windows Store later. Of course, you are not really mitigating vulnerabilities, just shifting them (such as moving to a system service, which can become a persistent vector).
But fortunately, you don’t even have to keep third-party firewalls open if they have persistent rules once it’s set up, unless you are downloading new programs (except wildcards).
Are you suggesting that a elevated GUI compromise (running as administrator and relying on the stable INetFwPolicy2 API) is more dangerous than a kernel driver compromise?
1 Like
You’re not even trying to understand. The problem is with wuauserv and wlidsvc, you can grant them access, but it won’t actually work. You need to allow port 443 for all svchost processes for updates to work. Minimal Firewall doesn’t even prompt for permissions for these services.
You don’t need to restart the installer or any other program when it gives an error if the connection is blocked. And filtering domain names will allow identifying malicious connections, which WFP cannot do.
What I’m saying is that FW with third-party drivers works without problems or questionable solutions, like creating additional processes and changing paths for system services.
But what is easier to exploit: a GUI that’s always running with administrator privileges, or a driver on a system with Secure Boot, HVCI, and tamper protection? What if I have a User account and a firewall like this is the only thing requesting administrator privileges? I think it’s obvious here.
1 Like
I’m still doing research for a Windows Software Firewall AKA a Windows Firewall App because it just seems so easy for an App on a Windows 10/11 PC to have some kind of backdoor trojan that allows a malicious user on the internet to receive data about that particular PC. Despite having a hardware firewall or even just a really good router it seems so easy to circumvent these hardware solutions with just a Windows App that’s running on a Windows 10/11 PC.
Portmaster seems like the best so far:
It also has a comparison with Simplewall which is another popular firewall app: What Makes Portmaster A Great Alternative to Simplewall
1 Like
For the people downvoting me: Please explain why it’s not a good way to go??
The UI alone makes me want to puke.
1 Like
I personally don’t trust people who recommend Portmaster. They come across as little more than ad bots. Portmaster is essentially feature-limited shareware, and I don’t want to see ad messages demanding payment on my computer. Unless they make all features open, like Simplewall or Fort Firewall, I won’t use it.
2 Likes