W10FC do not detect new apps and block them

W10FC do not detect new apps and block them

Postby qaqz111 » Sat Jan 16, 2016 1:25 pm

Environment: W10FC-Free-x64 on Win10pro-1511-x64

I've set up and used W10FC for quite a while, with some app rules saved, and it worked well.

A few days ago I switched W10FC to EnableAll mode and ran the VS2015 setup program with the "/layout" switch to download the online packages (the damn network makes it always fail with online components). This process lasted for 2 days and I ran the setup/layout many times.

Today I switched W10FC to Normal mode, but I found the new app detection mechanism does not function at all. It blocked everything except apps set to the EnableAll zone in the W10FC list; all the other apps were blocked and W10FC did not detect them, no zone question dialog at all, and no new apps were put into the W10FC list at all.

I've noticed that in EnableAll mode a new app will be put into the W10FC list and set to the DisableAll zone, but now nothing happens in either Normal mode or EnableAll mode.

I tried rebooting the PC, resetting W10FC settings, reinstalling W10FC, uninstalling the Free version and changing to the Portable version, but the blocking continues.

And now I have no choice but to uninstall W10FC to access the network.

What to do now except reinstall Windows?
Last edited by qaqz111 on Sat Jan 16, 2016 2:48 pm, edited 1 time in total.
qaqz111
 
Posts: 9
Joined: Sun Sep 20, 2015 7:27 pm

Re: W10FC do not detect new apps and block everything

Postby qaqz111 » Sat Jan 16, 2016 1:53 pm

I uninstalled W10FC, rebooted the PC, and am running the portable version now; the EnableAll mode works right, but Normal mode still blocks new apps and does not put them into the list.


This is the behaviour of W10FC in the 5 modes now:

Normal: ruled apps worked OK, but new apps were blocked and not put into the list.
EnableAll: all apps can access the network, new apps were put into the list with the DisableAll zone.
DisableAll: all apps were blocked, new apps not put into the list.
EnableUnknown: all apps can access the network, new apps not put into the list.
Enable/DetectUnknown: all apps can access the network, new apps put into the list with the EnableAll zone, zone question dialog appears.


Only in the last mode does the zone question dialog appear.
qaqz111
 
Posts: 9
Joined: Sun Sep 20, 2015 7:27 pm

Re: W10FC do not detect new apps and block them

Postby VistaFirewallControl » Sat Jan 16, 2016 7:12 pm

>Today I switched W10FC to Normal mode but I found the new app detect mechanism do not function at all. It blocked everything except apps set to EnableAll zone in the W10FC list, all the other apps were blocked and W10FC do not detect them, no zone question dialog at all, and no new apps put into W10FC list at all.

Please pay attention to the following:
- Whether the detection prompt is shown below other windows (so that it's not hidden by other windows). Just in case…
- The detection prompt should be expected for unlisted applications only. If an application is listed, the detection prompt should not be expected at all. The listed applications just follow the zones applied.
- Did you see a notification balloon while an application expected to be detected was not detected?
- Do you have any related events in the Events pane? Please make a screenshot to make all the details clear for us.
- Do you have entries related to the application (expected to be detected) in the access.log file of the installation folder? Please send us the application name, the access.log file and the file from Settings/Export.


>I've noticed that in EnableAll mode new app will be put into W10FC list and set it to DisableAll zone, but now nothing happened in Normal mode either EnableAll mode.

In Mode:EnableAll/DisableAll the detection prompt is not shown at all.


>I tried reboot PC, reset W10FC settings, reinstall W10FC, uninstall Free Version and change to Portable version, but the blocking continues.

If you have WindowsFirewall on, the blocking can be done by WindowsFirewall as well.
You can try ControlPanel/WindowsFirewallWithAdvancedSecurity/Action/RestoreDefaultPolicy.


>And now I have no choice but to uninstalled W10FC to access network.

The uninstallation removes all the W10FC filtering rules completely.
So if the problem remains without W10FC installed, the problem can’t be caused by W10FC.

>What to do now except reinstall Windows?

RestoreDefaultPolicy probably.



>I uninstalled W10FC, rebooted PC, and run the portable version now, the EnableAll mode works right, but Normal mode still block new apps and do not put them into list.

W10FC detection/prompting/listing is based on the WindowsFilteringPlatform (WFP, the native Windows network security core) ability to gather blocked events and to pass the events to W10FC. The functionality is beyond W10FC and works correctly by default.
If the events can't reach W10FC for some reason (they were not generated by WFP, for instance), W10FC can't detect new applications.
The main question to diagnose is whether there are _any_ blocked events shown in the notification balloon, EventsPane and access.log.
If there are no blocked events at all, we will send you some instructions on how to verify/repair the WFP ability to generate/distribute the events.


>This is the action of W10FC on 5 modes now:

>Normal: ruled apps worked ok, but new apps were blocked and do not put into list.
Strange, a WFP problem is expected.

>EnableAll: all apps can access network, new apps were put into list with DisableAll zone.
As expected, please see above.
>DisableAll: all apps were blocked, new apps do not put into list.
As expected.
>EnableUnknown: all apps can access network, new apps do not put into list.
As expected.

>Enable/DetectUnknown: all apps can access network, new apps put into list with EnableAll zone, zone question dialog appears.
>Only in the last mode the zone question dialog appears.
If the suspicion above is correct, it can be explained. The mode detects applications by allowed events. The allowed events have a different source.
Detection with EnableAll is correct as the zone is called "Enable/....."


Please verify the presence of blocked events. It looks like there is an integrity problem in WFP.
Looking forward to hearing from you.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: W10FC do not detect new apps and block them

Postby qaqz111 » Sun Jan 17, 2016 3:45 am

Thanks for the quick reply.

I disabled balloon previously, and did not pay attention to the access.log.

I'll follow the instructions above and post the result here shortly.
qaqz111
 
Posts: 9
Joined: Sun Sep 20, 2015 7:27 pm

Re: W10FC do not detect new apps and block them

Postby qaqz111 » Sun Jan 17, 2016 5:22 am

I first uninstalled W10FC, ran RestoreDefaultPolicy in WindowsFirewallWithAdvancedSecurity, rebooted the PC, and reinstalled W10FC.

Here's the result for Normal Mode:
-New apps: (there are no rules and no event log at this point)
    Programs tab: stays empty
    Events tab: stays empty
    Connections: apps and connections shown correctly

    prompt: not shown
    balloon: not shown
    access.log: not created at all

    New apps are blocked, both the system apps and others.
-Ruled apps: (I added them manually: chrome.exe and svchost.exe as ruled apps, iexplore.exe as a new app)
    Programs tab: nothing changed
    Events tab: events for ruled apps are listed, but none for new apps
    Connections: apps and connections shown correctly, both ruled and new apps

    prompt: not shown
    balloon: shown for ruled apps, not for new apps
    access.log: logs for ruled apps, not for new apps

    Ruled apps worked correctly.
    New apps are blocked, both the system apps and others.


For the next test, I uninstalled W10FC to clear rules and logs, and then reinstalled W10FC.

Enable/DetectUnknown Mode:
-New apps: (no rules and logs at this point)
    Programs tab: added to the list with the EnableAll zone
    Events tab: logged correctly
    Connections: connections shown correctly

    prompt: shown
    balloon: shown
    access.log: logged correctly
-Ruled apps: worked correctly



The "Enable/DetectUnknown Mode" is most similar to the "Normal Mode"; the only difference is that the default zone is set to EnableAll, is that correct?
So the problem is, the detection of "Normal Mode" is broken for some reason, but under "Enable/DetectUnknown Mode" it works correctly.
Maybe some setting of WFP was changed to an unexpected value, or W10FC missed some situation under Normal Mode, I think.
(Hmmm... is there some way to TOTALLY reset the state of that WFP? If it has "state" that can be reset :shock: )


Also I tested the DisableAll, EnableAll and EnableUnknown modes; they worked as expected, I think (every test was done after an uninstall and reinstall):

DisableAll: all apps were blocked, new apps not put into the list, no balloon, no events, no logs.
EnableAll: all apps can access the network, new apps were put into the list with the DisableAll zone; balloon, events and logs for new apps are present with the "Mode Override" zone.
EnableUnknown: all apps can access the network, new apps not put into the list, but balloon, events and logs for new apps are present with the "EnabledDetection" zone.


In all the tests above I took chrome.exe and iexplore.exe as the samples.
chrome.exe needs DNS resolution, so svchost.exe has to be "EnableAll" first.


If screenshots are needed, please tell me the settings and actions I should take, and I'll make a snap and upload it.
qaqz111
 
Posts: 9
Joined: Sun Sep 20, 2015 7:27 pm

Re: W10FC do not detect new apps and block them

Postby VistaFirewallControl » Mon Jan 18, 2016 1:40 pm

>Here's the result for Normal Mode:
>-New apps:(there is not any rule and event log at this point)
>Programs tab: keep empty
>Events tab: keep empty
>Connections: apps and connections showed correctly
>
>prompt: not shown
>balloon: not shown
>access.log: do not created at all

It's rather a normal state for a system just installed from scratch.


>The "Enable/DetectUnknown Mode" is most similar to the "Normal Mode", the only difference is that the default zone is set to EnableAll, is that correct?

Incorrect, there are other differences.
Mode:Normal can be reformulated as Mode:Disable/DetectUnknown.
So the difference is not only in the zone assigned to a detected application, but in the detection basis as well.
Mode:Enable/DetectUnknown traces allowed events from the application and detects them based on allowed events.
Mode:Normal (say Mode:Disable/DetectUnknown) traces blocking events and detects applications based on blocked events.
The blocking itself obviously works perfectly as all the unknown applications are blocked. But WFP is not able to generate (or transfer) the blocked event to W10FC, so having no blocked events in W10FC, W10FC has nothing to do (including no reason to show the detection prompt).

>(Hmmm... is there some way to TOTALLY reset the states of that WFP? If it had the "states" that can be reset )


Let's focus on the WFP ability to generate/distribute the blocked events.

The WFP (documented) configuration is available via netsh only, so you have to use a command prompt (cmd [dot] exe) launched as administrator.

netsh wfp show options optionsfor=netevents
should show ON.

Even if the state is ON, please trigger it by setting it OFF and back ON
via
netsh wfp set options netevents = off
and back on:
netsh wfp set options netevents = on

Neither should produce any errors. If they do, please send the error messages.

netsh wfp show netevents
should generate a non-empty netevents.xml. The desired blocked WFP events are saved in the file in XML format.

If the above is positive, but the events are not passed to W10FC anyway, please try
http://answers.microsoft.com/en-us/wind ... dcb?auth=1

If the problem is not gone, please try to set
HKEY_LOCAL_MACHINE\SOFTWARE\sphinx-soft\Vista-Wall\1.0\GUI\1.0 EnableWFPEventsSubscription to 0 and restart (to reflect the registry changes).
It looks like the latter should not be decisive, but just in case it should be tried.


It makes sense to check the Windows Event Log for any related events.
WFP is generally implemented as the BaseFilteringEngine (BFE) service. So the service should be marked as started in services.msc and should be restartable without errors/warnings (including in the Event Log).

Looking forward to hearing from you.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
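The diagnostic sequence in the post above (show the netevents option, toggle it off and on, check the BFE service and its Event Log entries, export netevents.xml) as an added PowerShell script. This is not code from the thread or from W10FC; it assumes that netsh prints a "netevents = on|off" line for the show command (as it did in the poster's output) and that the netevents.xml export labels dropped connections with the WFP type name FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Run it from an elevated PowerShell on the affected machine:

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's or W10FC's own code: walks the admin's WFP
# diagnostic steps and reports each result so the "no blocked events at all"
# question can be answered from one run.

function Get-WfpNetEventsState {
    # The "netevents = on" line is not localized (the poster's Chinese system printed it in English).
    $out = & netsh wfp show options optionsfor=netevents 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'netevents\s*=\s*(\w+)') { return $Matches[1].ToLower() }
    }
    return 'unknown'
}

function Set-WfpNetEvents([string]$State) {
    # Failures such as access denied come back as localized text, so the raw
    # output is returned for the operator to read rather than matched as English.
    $out = & netsh wfp set options netevents=$State 2>&1
    return ($out -join ' ').Trim()
}

function Get-BfeServiceInfo {
    $svc = Get-Service -Name BFE
    # Service Control Manager entries in the System log record BFE start/stop problems.
    $since  = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Base Filtering Engine|\bBFE\b' }
    return [pscustomobject]@{ Status = $svc.Status.ToString(); ScmEvents = @($events).Count }
}

function Export-WfpNetEvents([string]$OutDir) {
    # "netsh wfp show netevents" writes netevents.xml into the current directory.
    Push-Location $OutDir
    try { & netsh wfp show netevents | Out-Null } finally { Pop-Location }
    $xml = Join-Path $OutDir 'netevents.xml'
    if (-not (Test-Path -LiteralPath $xml)) { return $null }
    $text  = Get-Content -LiteralPath $xml -Raw
    # Assumption: blocked classifications appear under this WFP event type name.
    $drops = ([regex]::Matches($text, 'FWPM_NET_EVENT_TYPE_CLASSIFY_DROP')).Count
    return [pscustomobject]@{
        File = $xml; Bytes = (Get-Item -LiteralPath $xml).Length; BlockedEvents = $drops
    }
}

# Walk the steps in the order the admin gave them.
"netevents before toggle : " + (Get-WfpNetEventsState)
"set off                 : " + (Set-WfpNetEvents 'off')
"set on                  : " + (Set-WfpNetEvents 'on')
"netevents after toggle  : " + (Get-WfpNetEventsState)
$bfe = Get-BfeServiceInfo
"BFE service             : {0} ({1} SCM events in the last 7 days)" -f $bfe.Status, $bfe.ScmEvents
$exp = Export-WfpNetEvents (Get-Location).Path
if ($exp) { "netevents.xml           : {0} bytes, {1} CLASSIFY_DROP entries" -f $exp.Bytes, $exp.BlockedEvents }
else      { "netevents.xml           : not created" }
```

A healthy machine shows "on" before and after the toggle, two success messages, a running BFE service and a netevents.xml with drop entries once something has been blocked. The failure the poster later reports shows up here as a non-success message on the "set on" line, which is why the output is printed verbatim instead of being interpreted.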

Re: W10FC do not detect new apps and block them

Postby qaqz111 » Mon Jan 18, 2016 5:47 pm

Thanks for the advice, I think I know what happened now.

Code:
C:\Windows\system32> netsh wfp show options optionsfor=netevents
netevents = on

C:\Windows\system32> netsh wfp set options netevents = off
成功。<==== Successful

C:\Windows\system32> netsh wfp set options netevents = on
拒绝访问。<==== Access Denied

C:\Windows\system32> netsh wfp set options netevents = on
拒绝访问。

When I tried to restart the BFE service, I got the same error.

Previously I tried to install VS2015 but failed many times because of the damn network, and the log file of the VS2015 setup program recorded some privilege-related errors. So I manually changed the permissions of some files and directories according to the MSDN KBs and logs (I've noticed that many directories' permissions were different from a system that did not have VS2015 installed). Maybe some unexpected permission change somewhere in the system was left over that resulted in the abnormal behavior of WFP.

The previous failed installations of VS2015 may have led to further permission changes that have not been observed, so I've decided to reinstall the system rather than go deep into this problem now.

Since the VS2015 offline packages were finally downloaded and verified successfully, I think I can go through the VS2015 installation without any errors now. If this problem comes up again in a newly installed system without failed installations of VS2015, I'll report it here.

Thanks for the help!
qaqz111
 
Posts: 9
Joined: Sun Sep 20, 2015 7:27 pm

Re: W10FC do not detect new apps and block them

Postby VistaFirewallControl » Mon Jan 18, 2016 6:57 pm

The only known file involved in WFP's blocked events processing is
C:\Windows\System32\wfp\wfpdiag.etl
It must have enough permissions for BFE reading/writing.
We had a related issue several years ago in connection with OEM Windows installations on particular HP notebooks where the wfpdiag.etl permissions differed from the expected defaults.

Also we have noticed some non-English characters in the "netsh wfp" output.
The output is Windows language dependent.
So if the shown text matches your system default language and is clear to you, there are no problems.
However, if the shown message is text "garbage", it could be a sign of a corrupted binary, so you should try to check the files' integrity by comparing the system files with the genuine Windows setup.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: W10FC do not detect new apps and block them

Postby qaqz111 » Mon Jan 18, 2016 8:10 pm

>C:\Windows\System32\wfp\wfpdiag.etl

My system is Win10pro1511; the directory "C:\Windows\System32\wfp" does not exist, either on my VS2015-installed machine or on another newly installed win10pro1511 machine, but I found this file in this location:

C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl


I compared the permissions of this file on the VS2015-installed win10pro1511 and another newly installed win10pro1511, and they DO have some different permissions. One point is, the file on the newly installed system has a user named "BFE" with read/write permissions while the one on the VS2015 machine does not have this name in its user list. So it's clear now that the problem is caused by the corruption of this file's permissions.

I tried to add a user named "BFE" to this file, but the system reported "cannot find the name". Then I deleted this file and rebooted the PC, but "netsh wfp set options netevents=on" still reported "Access Denied". I used "robocopy /copyall" to copy this file from the newly installed system to the VS2015-installed system; the previous command reported "Successful", and the Normal Mode of W10FC works correctly now.


But unfortunately I also found that many files and directories in "C:\ProgramData" have different permissions from what they should be. These changes occurred after a series of failed installations of VS2015 that reported a critical error. So the system must be reinstalled now.


Anyway, thanks for the information about "wfpdiag.etl"; glad to see this problem is not caused by W10FC :)
qaqz111
 
Posts: 9
Joined: Sun Sep 20, 2015 7:27 pm

Re: W10FC do not detect new apps and block them

Postby VistaFirewallControl » Mon Jan 18, 2016 8:48 pm

>I compared the permissions of this file in VS2015 installed win10pro1511 and another newly installed win10pro1511, they DO have some different permissions. One point is, the file in newly installed system have a user named "BFE" with read/write permissions while the one in VS2015 machine does not have this name in its users list. So it's clear now that the problem is caused by the permissions' corruption of this file.

Honestly, W10FC tries to check the BFE permissions and adds the permission automatically if it's not present. And then it runs
wfp set options netevents = off
wfp set options netevents = on
It's exactly the patch made for the HP notebooks mentioned.


>I tried to add a user named "BFE" to this file, but the system reported "can not find the name".
>and the Normal Mode of W10FC works correctly now.

Great!



>But unfortunately I also found that many files and directories in "C:\ProgramData" have different permissions from what they should be. These changes occurred after a series of failed installations of VS2015 that reported critical error. So the system must be reinstalled now.

Maybe it could be postponed. Don’t trouble trouble until trouble troubles you ;-)
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
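The repair that the last two posts describe (confirm the BFE service principal has read/write on wfpdiag.etl, add it if missing, then toggle netevents off and on) as an added PowerShell script; it is not W10FC's own patch nor code from the thread. It assumes the BFE service principal resolves as "NT SERVICE\BFE" (the per-service account name; the bare name "BFE" the poster tried is not an account) and checks the two file locations the thread names. It only reports by default; pass -Repair to add the ACE and re-toggle netevents:

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the thread or of W10FC. Report-only unless -Repair is given.
param([switch]$Repair)

# Both locations come from the thread: the first is where the poster found the file on
# Windows 10 1511, the second is the path the admin named.
$CandidatePaths = @(
    'C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl',
    'C:\Windows\System32\wfp\wfpdiag.etl'
)
# Assumption: the BFE service is addressed by its per-service SID name.
$BfeAccount = New-Object System.Security.Principal.NTAccount('NT SERVICE', 'BFE')

function Find-WfpDiagFile {
    foreach ($p in $CandidatePaths) { if (Test-Path -LiteralPath $p) { return $p } }
    return $null
}

function Test-BfeAccess([string]$Path) {
    # True when an Allow ACE (explicit or inherited) grants BFE at least Read and Write.
    $acl    = Get-Acl -LiteralPath $Path
    $needed = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ine $BfeAccount.Value) { continue }
        if (($ace.FileSystemRights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

function Repair-BfeAccess([string]$Path) {
    # Adds the missing Allow ACE; existing ACEs are left untouched.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $BfeAccount, 'Read, Write', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Reset-WfpNetEvents {
    # The thread's fix sequence: off, then on. Output is localized, so it is shown verbatim.
    foreach ($s in 'off', 'on') {
        $out = & netsh wfp set options netevents=$s 2>&1
        Write-Host ("netevents={0}: {1}" -f $s, ($out -join ' ').Trim())
    }
}

$file = Find-WfpDiagFile
if (-not $file) {
    Write-Host "wfpdiag.etl not found at any of the expected locations."
    return
}
Write-Host "wfpdiag.etl: $file"
if (Test-BfeAccess $file) {
    Write-Host "BFE already has Read/Write on the file."
} elseif ($Repair) {
    Repair-BfeAccess $file
    Write-Host ("BFE Read/Write added; re-check: {0}" -f (Test-BfeAccess $file))
    Reset-WfpNetEvents
} else {
    Write-Host "BFE is missing Read/Write on the file; rerun with -Repair to add it."
}
```

The poster solved it differently, by copying the file with its ACL from a healthy machine using "robocopy /copyall"; adding the ACE in place achieves the same end without needing a second system. Either way, the "set on" command succeeding afterwards is the confirmation that BFE can write its event trace again.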
