Windows firewall blocks outbound connection that is allowed by a rule

29
2013-07
  • Martin Liversage

    I have configured Windows Firewall to block all outbound connections. I have then created "allow" rules to enable certain applications to create outbound connections. Unfortunately it seems that some connections that should be allowed are still blocked and I don't understand why.

    I have a simple rule to allow Windows Problem Reporting:

    • Enabled: Yes
    • Action: Allow the connection
    • Programs: C:\windows\system32\wermgr.exe
    • Protocol type: TCP (6)
    • Local port: All Ports
    • Remote port: All Ports
    • Local IP address: Any IP address
    • Remote IP address: Any IP address
    • Profiles: Domain, Private, Public

    Nevertheless, after creating this rule, a connection was blocked and logged in the event log:

    The Windows Filtering Platform has blocked a connection.
    
    Application Information:
        Process ID:     7440
        Application Name:   \device\harddiskvolume3\windows\system32\wermgr.exe
    
    Network Information:
        Direction:      Outbound
        Source Address:     192.168.1.23
        Source Port:        31532
        Destination Address:    65.55.53.190
        Destination Port:       80
        Protocol:       6
    
    Filter Information:
        Filter Run-Time ID: 184645
        Layer Name:     Connect
        Layer Run-Time ID:  48
    

    Given the rule that was created specifically to allow wermgr.exe to connect I don't understand why the connection was blocked. How can I modify the rule to allow the connection to succeed?

    By the way, this is not an issue isolated to wermgr.exe. Once in a while I see blocked connections for other applications even though I have created rules for them also. Luckily most of the time the rules work as expected.

  • Answers
  • Martin Liversage

    After asking for help in the Windows Filtering Platform (WFP) forum on MSDN I learned that you can capture the activity of WFP (which the firewall employs) using the following commands:

    netsh wfp capture start
    netsh wfp capture stop
    

    The resulting log file is XML which makes it human readable and from that file I learned that wermgr.exe is blocked by the rule WSH Default Outbound Block with the description Blocks all outbound traffic for services who have been network hardened. Apparently this rule takes precedence over my "allow" rule.

    I'm not sure exactly why wermgr.exe is affected by the Windows Service Hardening default rule but I assume that one of the hardened services executes wermgr.exe to perform a task of connecting to the server at 65.55.53.190 (a Microsoft IP address), and wermgr.exe is then blocked just as the service would be.
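    As an added example (not part of the original answer), the lookup described above can be scripted: the "Filter Run-Time ID" in a WFP block event (Security log event 5157, the message quoted in the question) is matched against the filter list that `netsh wfp show filters` writes to XML, which yields the filter's name and description. The XML element names (`<filters><item>` with `<filterId>`, `<displayData><name>`, `<displayData><description>`, `<action><type>`) and the sample data below are assumptions and constructed input, not output from the poster's machine; the `ConvertFrom-WfpBlockMessage`, `Import-WfpFilterTable` and `Resolve-WfpBlockEvent` functions are hypothetical names introduced here.

```powershell
# Added example: resolve the Filter Run-Time ID of a WFP block event to the filter that
# produced it. Live use (elevated PowerShell):
#   netsh wfp show filters file=filters.xml
#   $table = Import-WfpFilterTable -XmlText (Get-Content -Raw filters.xml)
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 50 |
#       ForEach-Object { Resolve-WfpBlockEvent -Message $_.Message -FilterTable $table }

# Turn the "Key:   Value" lines of a 5157 message into a hashtable (section headers such as
# "Network Information:" carry no value and are skipped).
function ConvertFrom-WfpBlockMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*([A-Za-z\- ]+?):\s+(\S.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $fields
}

# Build a filterId -> filter lookup from the XML written by `netsh wfp show filters`.
# Assumed layout: <item> elements that carry a <filterId> child (XPath //item[filterId]).
function Import-WfpFilterTable {
    param([Parameter(Mandatory)][string]$XmlText)
    [xml]$doc = $XmlText
    $table = @{}
    foreach ($f in $doc.SelectNodes('//item[filterId]')) {
        $id = [uint64]$f.filterId
        $table[$id] = [pscustomobject]@{
            FilterId    = $id
            Name        = $f.displayData.name
            Description = $f.displayData.description
            Action      = $f.action.type
            Layer       = $f.layerKey
        }
    }
    return $table
}

# Join one block event with the filter table. Runtime filter IDs are reassigned at every boot,
# so the filter list must come from the same boot session as the event.
function Resolve-WfpBlockEvent {
    param([Parameter(Mandatory)][string]$Message,
          [Parameter(Mandatory)][hashtable]$FilterTable)
    $e = ConvertFrom-WfpBlockMessage -Message $Message
    $rtid = [uint64]$e['Filter Run-Time ID']
    $filter = $FilterTable[$rtid]
    $name = '(not in filter table: list captured on a different boot?)'
    if ($filter) { $name = $filter.Name }
    [pscustomobject]@{
        Application = $e['Application Name']
        Destination = "$($e['Destination Address']):$($e['Destination Port'])"
        FilterRTID  = $rtid
        FilterName  = $name
        Description = if ($filter) { $filter.Description } else { $null }
        Action      = if ($filter) { $filter.Action } else { $null }
    }
}

# Constructed sample data: the event message from the question and a two-entry filter list
# (IDs and the first filter are made up; the second mirrors the WSH rule named in the answer).
$sampleMessage = @'
The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID:     7440
    Application Name:   \device\harddiskvolume3\windows\system32\wermgr.exe

Network Information:
    Direction:      Outbound
    Source Address:     192.168.1.23
    Source Port:        31532
    Destination Address:    65.55.53.190
    Destination Port:       80
    Protocol:       6

Filter Information:
    Filter Run-Time ID: 184645
    Layer Name:     Connect
    Layer Run-Time ID:  48
'@

$sampleFiltersXml = @'
<filters>
  <item>
    <filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
    <displayData><name>Allow Windows Problem Reporting</name><description>Constructed allow rule</description></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_PERMIT</type></action>
    <filterId>184590</filterId>
  </item>
  <item>
    <filterKey>{00000000-0000-0000-0000-000000000002}</filterKey>
    <displayData><name>WSH Default Outbound Block</name><description>Blocks all outbound traffic for services who have been network hardened.</description></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterId>184645</filterId>
  </item>
</filters>
'@

$table = Import-WfpFilterTable -XmlText $sampleFiltersXml
Resolve-WfpBlockEvent -Message $sampleMessage -FilterTable $table | Format-List
```

    With the constructed data the report names `WSH Default Outbound Block` with action `FWP_ACTION_BLOCK` for the wermgr.exe connection. The filter name is the useful part: a WSH (Windows Service Hardening) filter belongs to the service hardening policy, not to the firewall rule set, which is why adding or editing a firewall "allow" rule cannot change the outcome.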




    Related Question

    security - Windows Firewall: Logging/Notifying on outgoing request attempts
  • Maxim Zaslavsky

    I'm trying to configure Windows firewall with Advanced Security to log and tell me when programs are trying to make outbound requests. I previously tried installing ZoneAlarm, which worked wonders for me with this in Windows XP. But now, I'm unable to install ZoneAlarm on Windows 7.

    Is it possible to somehow monitor a log or get notifications when a program tries to do that if I set all outbound connections to auto-block, so that I can then create a specific rule for the program and block it?

    Update
    I've enabled all the logging options available through the properties window of the Windows Firewall with Advanced Security Console. But I'm only seeing logs in the %systemroot%\system32\LogFiles\Firewall\pfirewall.log file, not in the Event Viewer, as the first answer suggested.

    However, the logs that I can see only tell me the request's or response's destination IP and whether the connection was allowed or blocked. But it doesn't tell me what executable it comes from. I want to find out the file path of the executable that each blocked request comes from. So far, I haven't been able to.


  • Related Answers
  • 8088

    You should be able to see this in Event Viewer. First you'll need to tweak the logging options in the Advanced Settings Console:

    [screenshot]

    In the Event Viewer's left pane, expand to Applications and Services Log -> Microsoft -> Windows -> Windows Firewall with Advanced Security:

    [screenshot]

    There, you can create a custom view and filter the log to only outbound connection attempts.
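    As an added example (not part of the original answer), the script below lists the executable behind each blocked outbound attempt, which is the piece the question says pfirewall.log lacks. Per-connection block events are written to the Security log as event 5157 only after failure auditing of the "Filtering Platform Connection" subcategory is enabled; the firewall console's logging options feed pfirewall.log only. Assumptions, labelled as such: the EventData names `Application`, `Direction`, `DestAddress`, `DestPort`, `Protocol` and `FilterRTID`, the direction code `%%14593` for outbound, and the function names `Get-DeviceToDriveMap`, `ConvertTo-DrivePath` and `Get-BlockedOutboundByExecutable`, which are introduced here.

```powershell
# Added example: blocked outbound connections grouped by executable, from Security event 5157.
# Run from an elevated PowerShell on the machine being inspected.

# 1. Enable failure auditing for WFP connection decisions (one-time, persists until disabled):
#    auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# 2. Event 5157 reports the image as \Device\HarddiskVolumeN\..., so map volume device names
#    back to drive letters with QueryDosDevice (kernel32).
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-DeviceToDriveMap {
    $map = @{}
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        $letter = $drive.Name.TrimEnd('\')               # "C:\" -> "C:"
        $sb = New-Object System.Text.StringBuilder 512
        if ([Win32.Kernel32]::QueryDosDevice($letter, $sb, $sb.Capacity) -gt 0) {
            $map[$sb.ToString().ToLowerInvariant()] = $letter   # "\device\harddiskvolume3" -> "C:"
        }
    }
    return $map
}

function ConvertTo-DrivePath {
    param([string]$DevicePath, [hashtable]$Map)
    foreach ($dev in $Map.Keys) {
        if ($DevicePath.StartsWith($dev, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $Map[$dev] + $DevicePath.Substring($dev.Length)
        }
    }
    return $DevicePath   # volume not mounted as a drive letter: keep the logged form
}

# 3. Read the events, keep outbound ones, and summarise per executable.
function Get-BlockedOutboundByExecutable {
    param([int]$MaxEvents = 2000)
    $map = Get-DeviceToDriveMap
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.Direction -eq '%%14593') {        # assumed: %%14593 = Outbound
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Executable  = ConvertTo-DrivePath -DevicePath $d.Application -Map $map
                    Destination = "$($d.DestAddress):$($d.DestPort)"
                    Protocol    = $d.Protocol
                    FilterRTID  = $d.FilterRTID
                }
            }
        } |
        Group-Object Executable |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Executable   = $_.Name
                Blocked      = $_.Count
                Destinations = ($_.Group.Destination | Sort-Object -Unique) -join ', '
                LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
}

Get-BlockedOutboundByExecutable | Format-Table -AutoSize -Wrap
```

    The table gives one row per executable with the count of blocked outbound attempts and the distinct destinations, which is enough to decide whether a program deserves an allow rule. Auditing every connection decision is noisy on a busy host, so keep `/failure:enable` without `/success:enable`, and disable the subcategory again once the rules are in place.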

  • fraber

    I was looking for the same problem, and neither the Event Viewer (no events) nor the pfirewall.log option (no name of the violating program) helped me to identify what's going on.

    Looking around I found Windows Firewall Notifier, which even provides a GUI that shows the offending program and allows you to generate exception rules (you need to tell WFN to create rules, not exceptions, when calling it for the first time).