ghacks Technology News

Windows Firewall Notifier

Microsoft has improved the Windows Firewall ever since it was included in Windows XP and Windows Server 2003. The majority of usability and security issues have been dealt with. Outbound Packet Filtering was for instance introduced under Windows Vista. There are still some issues left that Microsoft has not yet addressed. Especially the firewall’s configuration interface and notifications need improvement.

Windows Firewall Notifier is a third party program for Windows 7 and Vista that improves the handling of the firewall in this regard. When you first start the firewall notifier it performs a series of actions.

The program enables the Windows Firewall if it is not enabled on the system. Once enabled, it will block all inbound and outbound connections for which no firewall rules exist. It then enables Windows firewall inbound connection notifications and outbound connections logging if disabled.

[Image: Windows Firewall Notifier installation]

A task is then created in the Windows Task Scheduler that is linked to Windows firewall event log entries. This launches Windows Firewall Notifier whenever an inbound or outbound connection for which no rule exists is blocked.

Configuring the program to run as a task means that it will not run in the background all the time. The Task Scheduler will launch the firewall notifier whenever the system tries to make a connection that is not listed under allowed or blocked connections. The following dialog is then displayed on the screen giving the Windows user options to allow or block the connection.

[Image: Windows Firewall Notifier]

The notification lists the application’s name, system path and target IP or hostname. Buttons are available to allow or block the connection once, or to allow or block it always.

The program makes the selected changes to the firewall configuration and then closes. Users who want to uninstall the software need to run it again; a dialog to disable it is then presented on screen.
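The setup steps described above can be reproduced with tools built into Windows. The following PowerShell script is an added example, not code from Windows Firewall Notifier or its developer; the use of Security-log event 5157 as the trigger, the task name, the rule names and the handler path are assumptions, since the article does not name them.

```powershell
# Added example: the setup described in the article, done with built-in tools.
# Run from an elevated PowerShell prompt (Windows Vista/7 or later).
# Assumptions, not taken from the article: event ID 5157 as the trigger,
# the task name, the rule names and the handler path.

$TaskName    = 'BlockedConnectionPrompt-Example'   # hypothetical task name
$HandlerPath = 'C:\Tools\PromptHandler.exe'        # placeholder for the notifier executable

function Enable-DefaultBlockPolicy {
    # Turn the firewall on; block inbound and outbound traffic that matches no rule.
    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound'
    # Built-in prompt when a listening program is blocked inbound.
    netsh advfirewall set allprofiles settings inboundusernotification enable
    # Record blocked connections in the Security log as event 5157.
    # (Subcategory names are localized on non-English systems.)
    auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
}

function Register-BlockedConnectionTask {
    # Event-triggered task: the handler starts only when a block is logged,
    # so nothing has to stay resident in the background.
    schtasks /Create /F /TN $TaskName /TR $HandlerPath /SC ONEVENT `
        /EC Security /MO '*[System[(EventID=5157)]]' /RL HIGHEST
}

function Get-BlockedConnection {
    param([int]$MaxEvents = 20)
    # Read the events the task reacts to and extract what a prompt would display.
    # Get-WinEvent raises an error when no event matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # The Direction field is logged as a message token.
            $direction = if ($data['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
            New-Object PSObject -Property @{
                Time        = $evt.TimeCreated
                Direction   = $direction
                Application = $data['Application']   # logged as \device\harddiskvolumeN\... path
                DestAddress = $data['DestAddress']
                DestPort    = $data['DestPort']
                Protocol    = $data['Protocol']      # IP protocol number: 6 = TCP, 17 = UDP
            }
        }
}

function Add-OutboundAllowRule {
    param(
        [string]$Program,
        [string]$Service,
        [string]$RuleName = 'Example-AllowOut'
    )
    $ruleArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$RuleName",
                  'dir=out', 'action=allow', "program=$Program")
    # For a host process such as svchost.exe, scope the rule to one service
    # instead of allowing the whole executable.
    if ($Service) { $ruleArgs += "service=$Service" }
    & netsh $ruleArgs
}

Enable-DefaultBlockPolicy
Register-BlockedConnectionTask
Get-BlockedConnection | Format-Table -AutoSize

# Permanent allow rule for one service hosted in svchost.exe (wuauserv = Windows Update).
Add-OutboundAllowRule -Program "$env:SystemRoot\System32\svchost.exe" `
    -Service 'wuauserv' -RuleName 'Example-WindowsUpdate-Out'

# To return to the Windows default (unmatched outbound traffic allowed):
# netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound'
```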

Windows Firewall Notifier is a handy program for Windows Vista and Windows 7 users who make use of the built-in firewall. The program, compatible with both 32-bit and 64-bit editions of supported Windows operating systems, is available for download at the developer website.




About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.

Thursday July 28, 2011


Responses so far:

  1. Dch48 says:

    I’m not getting any alerts for it except for the occasional mysterious one when coming out of standby that says that it’s trying to connect to another computer in my network on port 0 even though I have a rule that is supposed to allow all connections on all ports within the ip range of my network and even once it tried to connect to IP 0.0.0.0 on port 6. I still don’t know what that one was about. I just tell it to accept for that attempt only and then to close the connection.

  2. Dch48 says:

    I got tired of multiple alerts for svchost so, for the time being, I have returned to allowing it to connect whenever and however it pleases. This is the default behavior of the Firewall and is actually the way other 3rd party Firewalls create default rules for it. I’ve never had a problem with allowing it that way.

  3. Khan says:

    Hi,

    For those interested in the next version, I can send you the “private” beta of v1.4.0: feel free to ask through the message form on my website (at the bottom).
    @Don & Dch48: I’d be glad if you want to give it a try since I made this version following your posts here :-) I’m really busy at the moment and can’t test as much as I wanted to…

    Thanks!

    Khan

    • Dch48 says:

      I would be interested in trying out the new version but I tried to leave a message from your website and it said something about spam being detected and the mail not being sent so I don’t know if it went through or not.

  4. Don says:

    Hi Khan,

    Yes, please email me a zipped ver. of the new release. Also instructions on install and uninstall if I have problems with the new ver.

  5. Khan says:

    @Don: I sure will, but I might need your email address ;-)

    @Dch48: can you please try again? You can also send me a mail directly, since my email address is almost the same as my website one (just replace the first dot with a “@”).

    If you can’t, I’ll post a link here, the beta is not “that” private ^_^

    Khan

  6. Steve says:

    Khan,

    Hi. Love your program. Would like it very much if you could email me the “private” beta v1.4.0, as I am anxious to test it out.
    Thanks in advance.

    Steve

  7. Khan says:

    Hi Steve,

    Glad you like WFN! But as for Don, I can’t guess your email address ;-)

    @Everybody
    To make it easier, here is a download link: http://wokhan.online.fr/progs/WFN_1.4.0b.zip

    Please do NOT distribute this version, even if it’s close to a final one. It’s stable, it’s working, but I don’t want a beta to fly around out of control ;-)
    To specialized freeware websites: please do not use the link above for the same reason.

    To “install” it: as usual, extract the archive in a dedicated folder and launch the exe. If you already enabled a previous version, please use the “Uninstall…” button in the main window (either with this exe or the previous one, doesn’t matter) and then relaunch the application to reinstall 1.4.0b.

    Please read the provided readme.txt file if you’re not familiar with WFN (it contains a small changelog as well).

    If you have any trouble and can’t uninstall using the exe, launch DisableWFN.cmd.

    If you have any feedback, please send me an email (as said, using the form on my website, I’ll answer asap), to prevent this page from becoming a forum ^_^

    Thanks

    Khan

    • Dch48 says:

      Okay, I have some bad news. I ran the uninstaller for 1.3.2 but at the second part, I left the outgoing on so I wouldn’t lose the rules I had. Then I enabled 1.4 and disabled both the blanket svchost rule and the rule for Windows Update. I tried to run Windows Update and after a bit, it said it couldn’t connect and gave the error that means no connection to the server. There was no alert from WFN at all. The same thing happened with Windows Time.

      • Dch48 says:

        More bad news. I ran the uninstall fully this time, rebooted and then turned WFN back on after deleting the rule for Ventrilo (a voice chat program). I attempted to run Ventrilo and got a popup saying that WFN had stopped working and it would be shut down. I probably need to uninstall WFN again and completely delete its folder and most likely set Windows Firewall back to the default settings wiping out all my custom rules before trying the new WFN again. I really don’t want to do that.

  8. Don says:

    I think you can export your firewall rules in the WIN 7 Firewall GUI? If so, then you could import rules after cleanup.

    BTW – I have had ver. 1.3.2 lockup on me with .NET 2.0 log file errors. I tried everything short of a total wipe out that you are proposing to fix the problem. Let PC sit over night and rebooted – and problem magically disappeared.

    Also ver. 1.3.2 is buggy. When I change rules in WIN 7 GUI some are not reflected in WFN GUI. Primarily when I delete a rule from the WIN7 firewall GUI, it is not deleted from the WFN GUI block area.

  9. Khan says:

    As I said directly to Dch48: no need to save anything. WFN is non intrusive, just uninstall, your rules will stay in place even if you choose to reallow outgoing connections while uninstalling (they won’t be used, that’s all).

    Second point: regarding the bug of remaining “blocking rules”… it’s not a bug, it’s a feature: WFN does NOT create any blocking rule, because it could be too restrictive for a standard user. That’s why I’m talking about “exceptions”, they only target items that will be ignored when blocked by default by the Windows firewall :-)

    Khan

  10. Dch48 says:

    Okay I’m going to reveal something here that I know will horrify Don. I use P2P software, in particular, µTorrent. For that program you have to have unrestricted access, both incoming and outgoing for at least the TCP and UDP protocols. I did not want to allow IPv6 connections and there is no way in the program to do that. I tried making rules to block them and I kept getting a slew of alerts telling me that the blocks had occurred and asking what I wanted to do. That was unacceptable. What I did was this. The next time an alert for an IPv6 connection came up, I clicked on block and there were no further alerts and µTorrent continued functioning under TCP and UDP. I discovered later that µTorrent had been added to the exclusions list in WFN which blocks things without producing alerts but surprisingly was only blocking IPv6 and allowing the other protocols.
    I really do not see any reason to make custom blocking rules with WFN and more than that, I personally don’t see a reason to change the rules that WFN creates by default. I really don’t care about this service detection stuff for svchost. Just give it full outgoing rights because, hey, that’s what every other firewall out there does by default when they create rules for it. I’m happy with the way 1.3.2 works and for me, 1.4 so far is unusable because it doesn’t work without crashing itself.

    • Khan says:

      I can’t let you say that ;-)
      1.4.0 is way better than the previous version, and I still have to figure out why it works perfectly on my computer (and others) while it does crash every time on yours…

      Don’t forget it’s still a beta, your help is valuable to get it fully stable and I hope you’ll give 1.4.0 another try.

      I have updated the beta with minor changes, if you can redownload it (same URL)… I’d be glad if you could send me the error report (errors.log) that gets created when crashing…

      Thanks!!!

      Khan

  11. Dch48 says:

    Just tried the new beta and the same problem exists. Try to connect to Ventrilo and up pops “Windows Firewall Notifier has stopped working”. This time however after a bit, a popup showed that .NET error reporting also could not connect so maybe it’s a .NET problem. I also cannot find any file called errors.log. It doesn’t exist.

  12. Don says:

    I am now running ver. 1.4.0b. Stable so far.

    I thought you modified it to show what svchost.exe service was issuing an alert? This ver. is the same as 1.3.2 in that all it shows is svchost.exe. That is it.

    • Khan says:

      Yes, I did, and it worked (at least with the task scheduler and some other services), I would not have written that it did otherwise.

      Unfortunately it fails for the most important service (Windows Update), I did not notice that behavior since I allowed it manually. I’ll think about another solution; but believe me when I say that this version is better, the svchost modification was not the only one.

      Khan

  13. Dch48 says:

    I wish I could use 1.4.0b but unfortunately, I can’t. It crashes.

  14. Don says:

    Well, I think I found the service that was causing all my alerts from svchost.exe – Windows Defender! I always forget I have that running in real time mode. You definitely need an outbound svchost.exe rule for Windows Defender service if you are filtering services like I am.

    So far so good with this latest vers. – no hangups etc.

  15. Khan says:

    Thanks Don, I guess Windows Defender uses the same logic as Windows Update. May I ask why you are still using Defender and not MS Security Essentials?

    It seems that “service detection” isn’t working anymore for me as well (always showing up svchost) :-/

    @Dch48: did you redownload using the same link?
    If it still fails while not producing any errors.log file in the WFN folder, can you please try removing the “WindowsFirewallNotifierTask” task from the task scheduler, and launch the install process again?
    If it doesn’t work any better, could you please tell me where you extracted the files and what file you have in the WFN folder?

    Thanks!

    Khan

  16. Khan says:

    @Don : Ok, I think I found a bug for the services, still working on it, but since I’m late I won’t be able to fix it before tonight.
    Do not bother trying the newly published beta version, services detection is still not fully working, I’ll keep you informed.

    Khan

  17. Don says:

    Khan,

    One bug I also found with the beta version was it appears to be ignoring my existing Win 7 firewall outbound block rules and creating a WFN block rule. I double checked the avastui.exe WIN 7 rule and it should have blocked the connection based on the existing rules; i.e. TCP port 443.

    Windows Defender is installed and runs real-time by default in Win 7. So far it has not conflicted with any of my other real-time anti-malware software so I just left it in place.

    BTW – I am running WIN 7. Its services are similar but expanded from Vista’s. Also my alerts are back for svchost.exe. I am allowing BITS, Win Update, RPC, Time, Cryptography, Software Protection, and Windows Defender but still getting svchost.exe alerts from WFN.
    Most include MS IPs so it must be OS related but darn if I can find out what service it is. It is always for TCP port 80. I might try allowing the Profile service again. I suspect MS might be using it to log on and dial-out periodically.

  18. Dch48 says:

    I have a folder called Windows Firewall Notifier in C:\Program Files. What I did was run the uninstallation routine then delete all of the files in that folder. I then extracted v1.4.0b and copied and pasted all of those files into the folder in Program Files. Then I ran the install. On first access of something without an outgoing rule, V1.4 crashes itself or at least says it does even though sometimes the rules are successfully created. I go through the same process of uninstall, deletion of files, extraction and pasting in of v1.3.2 and everything works as it should again.

    What I’m thinking is that there is a .NET problem with v1.4 that doesn’t exist with 1.3.2. Like I said, I’m really not interested in separate service detections , and therefore different rules for each one cluttering things up so at this point I’m leaning strongly towards staying with 1.3.2.

    Don and I have different approaches to what is needed for security. To me, a lot of what he wants is overkill and totally unnecessary. Why would you have a rule blocking the Avast UI from connecting for example? For svchost, every firewall I have tried, Comodo, PCTools, Outpost, Online Armor, Windows 7 Firewall Control, will create a rule for svchost allowing all outgoing connections. The default state of the Windows Firewall will allow the same behavior. That’s good enough for me.

  19. Dch48 says:

    Also, I have Windows Defender too of course, but it has been disabled from the time I first bought this machine. It came with Norton Internet Security pre-installed (and don’t give me the same old tired nonsense about Norton being bad. I used it for over ten years and never had a single complaint, performance issue, or infection. They make an excellent product, I just didn’t want to pay the subscription fee any more.) Norton was completely and fully removed and then the free version of Avast was installed and also has not experienced any problems other than the new webshield interfering with and overriding some of the outgoing rules of WFN if you have it set to scan all traffic and not just what comes through your browser.

    I guess I would describe myself as a minimalist when it comes to security apps. I do extensive PC gaming and I can’t be bothered with allowing this and blocking that all the time or alerts freezing my game or crashing it to the desktop. I may even just go back to using the default state of the Win 7 firewall. I think about doing that often.

    Please do not reply and tell me to search for remnants of Norton. There are none.

  20. Don says:

    Here’s what I did in regards to ver 1.4.0.

    I downloaded it and unzipped it into its own folder. I uninstalled ver 1.3.2. Part of that process asks if you want to keep existing settings and I said yes to all.

    I then fired up ver. 1.4.0. I didn’t delete anything. No crashes so far.

    As I posted previously I did have a .Net crash with the existing 1.3.2. ver. that appeared to be related to the WFN log file.

  21. Don says:

    Khan,

    Came across this on the web. Supposed access path for svchost.exe service identification.

    Services | Display Name | Path
    BFE | Base Filtering Engine | C:\windows\System32\bfe.dll
    DPS | Diagnostic Policy Service | C:\windows\system32\dps.dll
    MpsSvc | Windows Firewall | C:\windows\system32\mpssvc.dll

  22. Don says:

    As far as Microsoft’s stance on svchost.exe and for that matter all service containers e.g. svchost.exe, dllhost.exe, etc. or programs that host services e.g. avastsvc.exe, mbamservice.exe, etc., they should never be added stand alone to any firewall rules list. They should only be added in reference to a particular service – period.

    Ref: http://technet.microsoft.com/en-us/library/cc730951(WS.10).aspx

    BTW – this is a major “security hole” in all non-Enterprise firewalls today hence my return to the WIN 7 firewall.

  23. Don says:

    BTW – my full AV scan yesterday found a Trojan. First infection I ever had on this WIN 7 OS in some time. Now I could have done it to myself since I have been reconfiguring many outbound firewall rules. However, I am a bit suspicious of 1.4.0b release since I have been running with it for the last week.

    • Khan says:

      Don, I guess from what you are writing that you are misunderstanding the way WFN works. It is NOT a firewall, it does not directly allow or deny connections: its aim is to ease the creation of outgoing connections rules. The user always makes the choice of either allowing or blocking the connection. I’m sorry to tell, but the trojan was probably here because of something you did…
      Regarding your other post about services, I’m still working on it, it takes some time since I have less free time than expected…

      Khan

  24. Svarius says:

    Hi Khan, thanks for the excellent software. I’m trying now your beta, I’ll let you know.

    Can I suggest you to open a thread in the Wilders Security forum? It’s full of security nerds, and you can find plenty of beta testers…

    • Khan says:

      Hi Svarius,
      Thanks for your support! I previously wrote that I should indeed go to Wilders, and I still do, when I finally find the time to :-)

      Khan

  25. Don says:

    Khan,

    I have run into an issue with ver. 1.3.2.

    In keeping with Microsoft’s guidelines with firewall rules for containers, I created a rule that allowed all my services w/o specifying svchost.exe. In theory that should allow everything and I should not get any blocks from WFN. Well, I kept getting popups about svchost.exe? So I traced the IPs and they all related to Cert. Auth. sites like GoDaddy etc. So I allowed one connection and traced the connection. Sure enough it was related to the cryptographic service.

    Most of the popups occur when I am surfing with IE8. IE8 with default settings checks for certs. validity. My theory is IE8 must be calling the crypto. service and something is getting hosed in WFN and it is ignoring the WIN 7 firewall already in place?

  26. Don says:

    Khan,

    Yes, after allowing what was most certainly a certificate store update, I did not receive any further popups from WFN pertaining to svchost.exe the remainder of last night.

    I suspect the issue with WFN might be in its handling of the Distributed Transaction Service (DTS). Scroll to the last posting on this Wilder’s forum page: http://www.wilderssecurity.com/showthread.php?t=239750&page=17. Appears DTS initiates the connection, then the Wins Update service, and finally the Cryptographic service.

    • Khan says:

      Hi Don,

      Thanks for your investigations, I’ll double check WFN behavior based on what you observed, which will help a lot!
      As of now, service detection works way better (I didn’t update the beta since the last one is not stable enough), but I still have some issues with the said services (CryptSvc and DTS, and some others). Still working on it…

  27. dch48 says:

    All of that further validates (in my opinion) having a rule for svchost that allows all outgoing. Who wants to keep dealing with a bunch of alerts? I read what Microsoft has to say about it and I really had to laugh. They say one thing and talk about serious security risks but then they default their firewall to allow all outgoing by everything.

    Don, I know you were asked this in the Avast forums but I have to ask again. Why are you using IE8 when IE9 is so much better in every way?

  28. dch48 says:

    I’m getting concerned that WFN is evolving into a firewall of its own with these added detection routines. I thought it was just supposed to be a simplified interface to the Windows Firewall that made the management of outgoing filtering easier. I just hope that these changes don’t wind up ruining what was a fine and simple little utility.

    • Khan says:

      Don’t worry, I’m aware of your needs and I understand your point of view, and that’s why I added an option yesterday allowing to create either application or service rule (exactly what you’re talking about :-) ). Furthermore, service “detection” (which is more an identification routine) will be optional, since of course it uses some resources when WFN is run (not that much, anyway!).
      I won’t be able to work on it before Friday, sorry it takes so much time but be sure 1.4.0 is more than a little update, I’m improving some internal stuff which should make it more reliable. Still not stable enough to be another beta, though…

  29. Don says:

    Khan,

    Just want to verify WFN operation.

    If I get an alert from WFN, it implies that it has encountered the default action for the inbound/outbound firewall. For both inbound and outbound that action would be block. This is why all you have to do is close the WFN popup window and the action is automatically blocked w/o having to click on the “Block” button.

    Now when I click on the “Block” button, WFN blocks the execution and adds the event to WFN exclusion list.

    In my instance of svchost.exe, I have a Win 7 firewall rule to allow all registered services. I get a WFN popup implying something has bypassed that rule. If I now select the WFN block “button”, WFN will add svchost.exe to the WFN exclusion list.

    My question is the next time svchost.exe is executed and that event causes no existing Win 7 firewall rule for it to be satisfied, no popup will be received from WFN since WFN found an instance of the program on the exclusion list. Is this correct?

    In other words, adding a program to the WFN exclusion list does not override any existing firewall rule that was manually added for the program?

  30. Don says:

    Khan,

    I found out what my problem was with svchost! I am so embarrassed.

    When I set up most of my initial svchost.exe rules, I only allowed TCP for most of them. Then I compounded the error by only allowing TCP on the allow “all services” rule I created. Smack, smack ………

    Appears the Cryptographic service definitely requires both TCP and UDP. Microsoft “camps out” for extended periods of time on a high valued UDP port. This very well could be Windows Messenger activity which of course is enabled by default in WIN 7. But it also could be to facilitate certificate checking which is what I really think it is.

    So for the services I feel I need, I have left them all undefined except for Windows Time which I know definitely uses UDP port 123 in and out.

    One question. Does WFN require that .Net 2.0 be installed for full functionality? By default .Net 2.0 is not installed on WIN 7. MS states that later .Net releases support prior .Net applications but there have been well known documented exceptions to that statement.

    • Khan says:

      Your assumptions are right, WFN checks the exceptions list for all blocked outgoing connections. In fact I guess that the “block” option should be called “ignore” since this is what it really does… I’ll change that.
      By the way you were right about the bug with blocking rules: a popup was shown even if the connection was set to be blocked in the windows firewall. This is a non-sense and I fixed it (still not released, though).
      Regarding .Net, WFN uses version 3.5, not 2.0. For my own knowledge, what exceptions are you referring to with v2.0?

      Thanks

      • Don says:

        Khan,

        Pertaining to my .Net 2.0 comment, I just noted that there is existing Net 2.0 developed software that will only work with the .Net 2.0 framework. This type software will not run right on .Net 3.5.

        Also, I wonder if WFN can show blocked UDP connections – at least for system containers like svchost.exe? This would have saved me a lot of time in diagnosing my problem.
