
The latest Betas/Releases

Re: The latest Betas/Releases

Postby sp4096 » Fri May 19, 2017 4:58 am

I saw two more instances of this so I sent a few log snippets to support.
It all follows domain rules.
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: The latest Betas/Releases

Postby VistaFirewallControl » Fri May 19, 2017 10:03 am

>Interesting thought about memory confusion, but above my skills to debug. Yes, this outbound connection is logged by the WinFilteringPlatform as permitted in the Security log of event viewer.

We have noticed, and have received reports of, enough strange things in WFP.
We have a machine that is hibernated for weeks (without reboot), and the notification balloon (the related events) has a tendency to disappear after several weeks. A reboot always helps.
The only suspicion is memory inconsistency. No problems were found on any of the other machines, at least. The memory was tested successfully, though.


>Please explain entropy and what is ECC?

It's 10 (instead of 8) bitness of DIMMs. Due to the additional 2 bits the system is able to recover single (1 bit) errors and detect double errors in the memory. This must be supported by the motherboard and CPU. Generally, servers and expensive brand desktops have that by default.
https://en.wikipedia.org/wiki/ECC_memory

>If it ever occurs again, I'll try to catch things better.

Please keep us informed; it may be just a false alarm.

There is a set of known problems with the reporting of allowed events.
The events include the allowed process's exe file path as generated by WFP, and the path sometimes arrives broken in the middle: several arbitrary symbols appear in the middle of the path, displayed as "Chinese" characters. As a result, the path can't be recognized as a listed application and the firewall mistakenly prompts for permissions for a "new" application.
The paths arrive broken directly from WFP, and we even had to invent logic to validate paths on the firewall side.
It does not happen often and the path validation logic has already been implemented, so you probably did not even notice it.

Attn sp4096
>I saw two more instances of this so I sent a few log snippets to support.
>It all follows domain rules

Thank you, we will reply to you personally.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: The latest Betas/Releases

Postby VistaFirewallControl » Fri May 19, 2017 10:38 am

Actually sp4096 provided us with a log.
The log helped to make an assumption.

If the IP of the "surprising" LanOnly allowance is mentioned anywhere in the log in an entry marked Added or Updated, the problem can be explained and is not actually a problem.

W10FC (v8) includes so-called domain rules: rules that can be set by domain name, not by IP only. Obviously the IP of a domain can change; W10FC traces the changes and adjusts the per-IP rules accordingly.

So here is what could happen.
You have an allowing domain rule and the related communication was allowed accordingly.
Then the domain's IP changed, but the IP was still cached and still marked as belonging to the (allowed) domain. If an application stored the previous IP for a long time and then used it, the communication will be allowed (that is correct), but the logging system is no longer able to interpret the related event as belonging to a per-domain rule.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
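
Added example (not part of the original posts and not W10FC's own code): one way to run the check described in the post above, flagging which LanOnly "Allowed" events have a remote IP that also appears in an Added/Updated entry. The event field layout follows the log line quoted later in this thread; the layout of the "Updated" entry, the function names and the status labels are assumptions.

```python
import re

# Constructed sample log. The "Allowed" lines use the field layout of the event
# line quoted later in this thread; the "Updated" entry layout is an assumption,
# because the thread never shows one. 203.0.113.7 is a documentation address.
SAMPLE_LOG = "\n".join([
    r"2017:05:27|09:14:02|Updated|example.org 203.0.113.7",
    r"2017:05:28|12:40:00|Allowed|1|IPv4 TCP 203.0.113.7:443(50101)|Example app|LanOnly Outgoing|C:\apps\example.exe",
    r"2017:05:28|12:51:09|Allowed|1|IPv4 TCP 88.191.250.2:80(50358)|VLC media player 2.1.0|LanOnly Outgoing|C:\program files\videolan\vlc\vlc.exe",
])

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def tracked_ips(lines):
    """IPs mentioned in any entry that carries an Added or Updated marker."""
    found = set()
    for line in lines:
        if {"Added", "Updated"} & set(line.split("|")):
            found.update(IPV4.findall(line))
    return found

def triage(log_text, zone="LanOnly"):
    """Classify allowed events logged under `zone` by remote IP.

    Returns (ip, exe_path, status) tuples; status is "domain-ip" when the IP
    also appears in an Added/Updated entry, otherwise "needs-review".
    """
    lines = log_text.splitlines()
    known = tracked_ips(lines)
    out = []
    for line in lines:
        f = line.split("|")
        if len(f) != 8 or f[2] != "Allowed" or not f[6].startswith(zone):
            continue
        m = IPV4.search(f[4])
        if m:
            status = "domain-ip" if m.group(1) in known else "needs-review"
            out.append((m.group(1), f[7], status))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Events that come back as "needs-review" are the ones the stale-domain-IP explanation does not cover.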

Re: The latest Betas/Releases

Postby NoelC » Sat May 20, 2017 7:12 pm

Keep the faith; Windows 10 can actually be quieted down. I've done it. I've just checked my DNS log. My Win 10 test system, sitting doing nothing, has not made an online contact in days.

Of course, you have to be willing to do without Apps entirely, without OneDrive, without Settings Sync, with extra measures taken to kill off telemetry, disable some services and scheduled tasks... When all is said and done it is no more cloud-integrated than the best configurations of earlier versions of Windows.

ECC by the way is nomenclature for "Error Correcting Code". Some high-end professional "workstation class" systems are outfitted with memory that corrects some errors and can halt the system on uncorrectable errors. The path to utter reliability should include a choice of high-reliability hardware.

-Noel
NoelC
 
Posts: 62
Joined: Fri Aug 21, 2015 12:59 am

Re: The latest Betas/Releases

Postby sp4096 » Mon May 22, 2017 2:50 am

@VFC - I sent you a bit more logs regarding that runDLL packet to see if it matches your theory.

@Noel, I know Win10 can be severely trimmed down. I was able to do such things on XP because I had two XP boxes.
Without another Win10 box, it's too risky, especially that I have Windows 7 and Mint on it and want all to function.
I have no problem shutting down services, but scheduled M$ snoopware is just too much to deal with. And when I'll finally get things done, M$ will push another version and we'll have to start researching all over.
And just no skills to know what's essential and what's not. I don't use their square apps, one drive, any synching. But haven't killed them.

ECC sounds great. I'm sure I don't have it on a Thinkpad laptop.

I already violate a rule of "don't ever run beta software on a real computer" by playing with Sphinx versions, but so far they never broke anything here.
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: The latest Betas/Releases

Postby PietO » Mon May 22, 2017 7:59 pm

NoelC wrote: Keep the faith; Windows 10 can actually be quieted down. I've done it. I've just checked my DNS log. My Win 10 test system, sitting doing nothing, has not made an online contact in days.
-Noel

Indeed: can confirm this (except DHCP traffic).
PietO
 
Posts: 192
Joined: Wed Mar 02, 2011 12:09 pm

Re: The latest Betas/Releases

Postby sp4096 » Sun May 28, 2017 8:53 pm

@VFC,
Here's another LanOnly that sneaked out through 8.2.25. It's 64-bit VLC v2.2.4.0.
2017:05:28|12:51:09|Allowed|1|IPv4 TCP 88.191.250.2:80(50358)|VLC media player 2.1.0|LanOnly Outgoing|C:\program files\videolan\vlc\vlc.exe
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: The latest Betas/Releases

Postby VistaFirewallControl » Mon May 29, 2017 10:43 am

>....... It's 64-bit VLC v2.2.4.0.
> .................. |VLC media player 2.1.0 ..............

What is the actual VLC version?
Could it be that VLC v2.2.4.0 is marked in the Explorer's properties as "VLC media player 2.1.0"?
"VLC v2.2.4.0" was probably grabbed from the About window, but WxFC grabs the name from the exe's resources directly, not from the UI.
How could the discrepancy be explained?

Anyway, the hypothesis is a mistake in the WFP audit, which the allowed events are picked out from.
WFP Audit informs WxFC about an allowed event and the reported filterID is just distorted.
After that WxFC uses the filterID to find the filter name/details to show/log and finds LanOnly/ZoneResult.
The latter is a strictly disabling entity and can't produce allowed events.

In order to confirm the hypothesis we need the entire process with internal filterIDs logged.
If you would like to participate in the investigations please contact us for the logging utilities.
As the problem is not reproducible often, the log size can be huge though.
Actually it's the main obstacle.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: The latest Betas/Releases

Postby sp4096 » Mon May 29, 2017 7:22 pm

Re: Version
I saw that version discrepancy. It is running 2.2.4 according to Sphinx detail, explorer properties, VLC about, and in the registry.
How it happened I don't know. All I know is that I downloaded 2.2.4 and installed on top of 2.1.0 installed a day earlier.
It's possible that I inserted 2.1.0 in Application name when installed it first time, knowing that it might be obsolete.

Re: Logging
I see that in VLC check for updates is enabled. Hmmm, perhaps it took priority and went out in spite of LanOnly rule. Perhaps it's a non-issue?
I might be able to reproduce this one, unlike runDLL. Logging version might come in handy - if it's easy to use :)

That update notification setting in VLC, which at this point I'll leave alone, is clear as mud. One place it says it'll check every two weeks, yet next to the setting it's 3 days default.
So I can try on June31 or two weeks from May28.
I suppose I'll somehow install the logging version just before use of VLC, right?

EDIT:
On Programs tab, as I review some rules, I'm confused about Zone result for zone already bound to applications.
Especially when Explorer zone or LanOnly is used where I see a mix of enables and disables. Likely I've messed things up over time or over versions.
Please clarify.
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: The latest Betas/Releases

Postby VistaFirewallControl » Tue May 30, 2017 10:21 am

>Re: Version

What name does WxFC show for VLC?
If it's 2.1.0 there is no problem.
2.1 was inserted on detection and was not changed after the VLC upgrade.
Obviously there should be no separate entries for 2.1 and 2.2 simultaneously.

>Re: Logging
>I see that in VLC check for updates is enabled. Hmmm, perhaps it took priority and went out in spite of LanOnly rule. Perhaps it's a non-issue?

It makes sense to send us the Settings/Export file to verify (referring to the thread).

>I suppose I'll somehow install the logging version just before use of VLC, right?

Thank you, preparing......

>EDIT:
>On Programs tab, as I review some rules, I'm confused about Zone result for zone already bound to applications.
>Especially when Explorer zone or LanOnly is used where I see a mix of enables and disables. Likely I've messed things up over time or over versions.
>Please clarify.

That may be the key; please verify the below and confirm, and after that we will continue the logging preparation. Sending us the Settings/Export file may make a lot of sense as well; the problem may be just in settings you mistakenly made.
So, how it works.
The zones in the Zones pane are just samples. The Zones pane is just a library.
Until a zone is applied to a program, and while it sits only in the Zones pane, it blocks/allows nothing.
Only a zone applied to a program may allow or block.
When you apply a zone to a program, WxFC clones (makes a copy of) the zone and puts the copy on the program. The copy can be edited separately. No correspondence checking is made automatically.
So if a VLC applied zone (Programs/VLC/F3) has ZoneResult=Enable, there is nothing to investigate. You just set it to enable and it enables.

The permissions arbitration is simple, but you should be aware of it.
WxFC starts arbitration with the rules first (as listed), from bottom to top.
If a rule matches the requested IP/port/etc., the arbitration finishes and the Rule (not Zone) Result is used as the verdict. The related event shows ZoneName/RuleName in this case (e.g. LanOnly/Lan......)
If none of the rules matches the requested IP/port/etc., ZoneResult is used as the verdict.
The related event accordingly shows ZoneName (without slash+RuleName) (e.g. LanOnly)

So if you have Programs/VLC/F3/ZoneResult=Enable, that is just a setting made by you and it works as you set it.
The same goes for RunDLL.

It makes sense to send us the Settings/Export file to verify (referring to the thread).
Would that be possible?
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
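
Added example (not part of the original posts and not WxFC's own code): a small model of the arbitration described in the post above, with rules checked bottom to top, ZoneResult as the fallback verdict, and a zone cloned when it is applied to a program. The class, function and rule names are hypothetical, and matching is reduced to the remote IP only.

```python
import copy
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    network: str   # remote network the rule matches (model: IP only, no ports)
    result: str    # "Enable" or "Disable"

    def matches(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network)

@dataclass
class Zone:
    name: str
    zone_result: str                           # verdict when no rule matches
    rules: list = field(default_factory=list)  # as listed, top to bottom

def arbitrate(zone, ip):
    """Return (verdict, event label) for a remote IP."""
    for rule in reversed(zone.rules):          # bottom of the list is checked first
        if rule.matches(ip):
            return rule.result, f"{zone.name}/{rule.name}"  # rule verdict wins
    return zone.zone_result, zone.name         # no rule matched: ZoneResult decides

def apply_to_program(library_zone):
    """Applying a zone clones it; the copy is then edited independently."""
    return copy.deepcopy(library_zone)

# Hypothetical library zone; the rule names and networks are constructed.
LIBRARY_LAN_ONLY = Zone("LanOnly", "Disable", [
    Rule("Lan", "192.168.0.0/16", "Enable"),
    Rule("BlockPrinter", "192.168.1.50/32", "Disable"),
])

if __name__ == "__main__":
    vlc_zone = apply_to_program(LIBRARY_LAN_ONLY)
    print(arbitrate(vlc_zone, "88.191.250.2"))   # falls through to ZoneResult
    vlc_zone.zone_result = "Enable"              # edit made on the copy only
    print(arbitrate(vlc_zone, "88.191.250.2"))
    print(arbitrate(LIBRARY_LAN_ONLY, "88.191.250.2"))
```

An allowed event labelled with the bare zone name therefore points at the ZoneResult of the program's own copy, which is the setting to inspect first.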
