Simplewall: Svchost service identification?

Created on 7 Nov 2017 · 4 Comments · Source: henrypp/simplewall

I've just started looking at Simplewall and wanted to know if it would be possible to differentiate between individual Svchost services for rules. For example, I might like to allow CryptSvc to make Internet connections but not DeviceAssociationService.

Thanks

One other question, any chance of adding the PID to the notification dialogue?

feature

All 4 comments

+1

WFP doesn't provide any condition to allow apps by service name, only by their paths. The same goes for the second question: the WFP dropped events callback does not provide any information about processes (only paths).

An extensive search on that topic shows that a probable way to implement this is by using the Service SID.

From cmd, e.g. sc showsid spooler.

This way you would be filtering by user/service ID, not by application path.

Funny thing is that Windows Firewall itself allows (in custom rules) service filtering, but they are very unclear how it is exactly achieved on a lower level. (iirc Windows firewall uses userland WFP in a similar way as your own application).

PS:
I can now see how Windows Firewall implements service-layer filtering.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa365489(v=vs.85).aspx
Is this part of WFP or just Windows Firewall? Maybe it can be added to simplewall?
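
The Service SID that sc showsid prints, as mentioned in the comment above, is derived from the service name alone. The following is an added example, not part of the original thread or simplewall's code, showing that derivation and the binary SID layout an ACL entry would hold; the function names are illustrative.

```python
import hashlib
import struct


def service_sid(service_name: str) -> str:
    """Derive the NT SERVICE\\<name> SID string from a service short name."""
    # Service names are case-insensitive: hash the upper-cased UTF-16LE name.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    # The 20-byte SHA-1 is read as five little-endian 32-bit sub-authorities
    # placed after the service base RID 80 under NT AUTHORITY (S-1-5).
    subs = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(s) for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Pack a SID string into the binary form stored in ACLs and tokens."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    # Layout: revision, count, 48-bit big-endian authority, LE sub-authorities.
    head = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)


def sid_from_bytes(raw: bytes) -> str:
    """Inverse of sid_to_bytes, rejecting truncated or oversized buffers."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])


if __name__ == "__main__":
    # Service names taken from the thread; output should match `sc showsid`.
    for name in ("CryptSvc", "DeviceAssociationService", "spooler"):
        sid = service_sid(name)
        assert sid_from_bytes(sid_to_bytes(sid)) == sid
        print("%-26s %s" % (name, sid))
```

A service process only carries this SID in its token when the service's SID type is unrestricted or restricted, which sc qsidtype reports.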

Windows Firewall itself allows (in custom rules) service filtering, but they are very unclear how it is exactly achieved

While it does not provide filtering, Process Hacker will identify the service name & firewall status

https://github.com/processhacker/processhacker
