Firewall Issues


Pocah

I am having an ever-increasing issue with the Win 11 firewall.

Apps are bypassing it. The latest one is iCUE.

This app, from Corsair, is a darn nuisance, because Corsair can't develop software to save their lives and often release a new version that has fatal problems. To limit damage, I block updates in the firewall, and then check the forum before manually updating. Problem is that now it seems that iCUE can see right through the firewall despite attempts to block it. I blocked the app, the loader and the updater. Doesn't stop it.

I don't understand the situation here, but what I am wondering is, is there a better firewall app to help out with this situation?
 

My Computer

System One

  • OS
    Win 11
    Computer type
    PC/Desktop
    CPU
    12700
    Memory
    32gb
    Graphics Card(s)
    3070ti
    Sound Card
    -
    Screen Resolution
    3840x1600, 2560x1080
Even when you enable outbound blocking and remove default rules, Windows Firewall adds them back at will.
You have to use something like Binisoft WFC, it will protect rules from tampering by an app with admin rights.

 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 3600 & No fTPM (07/19)
    Motherboard
    MSI B450 TOMAHAWK 7C02v1E & IFX TPM (07/19)
    Memory
    4x 8GB ADATA XPG GAMMIX D10 DDR4 3200MHz CL16
    Graphics Card(s)
    MSI Radeon RX 580 ARMOR 8G OC @48FPS (08/19)
    Sound Card
    Creative Sound Blaster Z (11/16)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    ADATA XPG GAMMIX S11 Pro SSD 512GB (07/19)
    PSU
    Seasonic M12II-520 80 Plus Bronze (11/16)
    Case
    Lian Li PC-7NB & 3x Noctua NF-S12A FLX@700rpm (11/16)
    Cooling
    CPU Cooler Noctua NH-U12S@700rpm (07/19)
    Keyboard
    HP Wired Desktop 320K + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    400/40 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge & Brave for YouTube & LibreWolf for FB
    Antivirus
    NoAV & Binisoft WFC & NextDNS
    Other Info
    Backup: Hasleo Backup Suite (PreOS)
    Notifier: Xiaomi Mi Band 7 NFC (05/24)
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
    2nd Monitor: AOC G2460VQ6 @75Hz (02/19)
If you create a new rule for the app in question and set it to block outbound (and optionally inbound), then any rule that allows that specific app will have no effect.

Those rules which allow it are created by that app. Deleting them doesn't help, since they can be recreated without your knowledge, but creating a block rule voids them all because a block rule has precedence over allow rules.
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI / MS-7B29
    CPU
    Intel i3 8100 @3.6Ghz
    Motherboard
    H310M PRO-VDH (MS-7B29)
    Memory
    1 x 16GB DDR4 @2400 MHz
    Graphics Card(s)
    Nvidia GeForce GT 1030 2GB SDDR4
    Sound Card
    Realtek VEN_10EC&DEV_0887 / NVIDIA VEN_10DE&DEV_0081
    Monitor(s) Displays
    Acer V226HQL
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 500 GB Crucial MX500 / HDD 1 TB TOSHIBA DT01ACA100
    PSU
    ATX, details unknown
    Case
    Everest 551B
    Cooling
    details unknown
    Keyboard
    Mechanical Gaming Hydra R7 - Rampage
    Mouse
    Logitech G703
    Internet Speed
    Down: 28Mbps / Up: 19Mbps
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Defender Antivirus
    Other Info
    Bluetooth: TP Link 5.0 Nano USB adapter UB500
    WLAN: D-Link 150 Pico USB adapter, N standard
    Web camera: Logitech C270 HD 720p @30fps
    Microphone: Trust MICO, model 23790
Those rules which allow it are created by that app. Deleting them doesn't help, since they can be recreated without your knowledge, but creating a block rule voids them all because a block rule has precedence over allow rules.
Yes, but Windows works in mysterious ways and it presumes that the user is always wrong, like accidentally blocking an app.
Besides, apps change with each update, so blocking an exe will not block an updated exe. I had a problem enabling them.
C:\program files\windowsapps\microsoft.windowsstore_22311.1401.2.0_x64__8wekyb3d8bbwe\winstore.app.exe
 

Besides, apps change with each update, so blocking an exe will not block an updated exe.
Agree with that! If an app is updated then the block rule might no longer be valid due to a path or file name change, so you'd need to recreate or update the block rule.
 

Yes, but Windows works in mysterious ways and it presumes that the user is always wrong, like accidentally blocking an app.

Yes, this seems to be what I am finding. With iCUE, on two other PCs the block in the firewall seems to work, but not on the third. I can't for the life of me find out why.

This is what I find annoying about Firewall, there seems to be a depth of function that is just not accessible to the end user.
 

Yes, this seems to be what I am finding.
You can try to block it per name, if you do not use it, like:
Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "iCUE.exe" /f
If an app is updated then the block rule might no longer be valid due to a path or file name change
Indeed, WFC solved that issue by providing a "secret" wildcard (due to malware) based on the file name or path (in capital letters).
 

Indeed, WFC solved that issue by providing a "secret" wildcard based on the file name or path (in capital letters).
I'm curious what would happen if malware is renamed to a name which WFC allows as a wildcard?
I assume it would allow malware out the same way it allows a legitimate program?
 

I assume it would allow malware out the same way it allows a legitimate program?
Yes, thus the reason, it is preferable to allow only based on a "protected" path and not allow something like Temp folder. Then again, unless someone would be in a targeted attack, it does not really matter. Most people give away their PC for mere asking (phishing).
 

@Pocah
If you want to do it in Windows Firewall, see the tutorial below on how to block a program in Windows Firewall.

When you get to the step where a program needs to be chosen, specify the full path to the program you want to block, e.g. the iCUE path and executable.
You need to update this block rule every time the program in question is updated.
 

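The thread's two recurring points, that a block rule is tied to a full program path and has to be redone after each update, and that apps can re-create their own allow rules, can be handled with one script. The following is an added example, not code from any poster or from Corsair or Binisoft; the install directory and the rule group name are assumptions to adjust for the machine in question.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): rebuild outbound block rules for every
# executable under one install directory. Re-run after each application update.
param(
    [string]$InstallDir = 'C:\Program Files\Corsair',  # assumed path, adjust
    [string]$Group      = 'Local-Block-iCUE'           # hypothetical group name
)

# 1. Remove rules left by the previous run so stale paths do not pile up.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 2. Create one outbound block rule per executable currently on disk, so a
#    renamed or newly added loader/updater binary is covered as well.
$exes = @(Get-ChildItem -LiteralPath $InstallDir -Filter *.exe -Recurse -File)
foreach ($exe in $exes) {
    New-NetFirewallRule -DisplayName "Block out: $($exe.Name)" -Group $Group `
        -Direction Outbound -Action Block -Profile Any `
        -Program $exe.FullName | Out-Null
}

# 3. List enabled allow rules that name the same executables. Per the thread
#    the block rules above take precedence, but this shows what the app (or
#    its installer) has registered and whether it comes back after deletion.
$blocked = $exes.FullName
Get-NetFirewallApplicationFilter |
    Where-Object {
        # Rules may store paths with variables such as %ProgramFiles%.
        $blocked -contains [Environment]::ExpandEnvironmentVariables($_.Program)
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Profile
```

Program-path rules only match traffic from those executables; anything the application sends through a separately installed service or helper outside `$InstallDir` needs its own directory added.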
