Behavior:Win32/WDBlockFirewallRule.P

Windows 10 Defender issue/detection. I am guessing it has to do with GlassWire since it is a fresh install of Windows.

Also, a couple of days ago the GlassWire server crashed. I just noticed the icon doesn't look right so I checked it. It made a memory dump on the desktop too.

@leo

If you go to the top left menu and choose “About”, what version of GlassWire do you have?

Did you use our “Block all” firewall mode?

I have reinstalled everything again so I can't go and choose “About”, but I can tell you that it was downloaded directly from the GlassWire website today. So whatever version is public today, that is the one. 2.2, I think? I was using ask to connect mode.

@leo

For even a moment could you have switched to “block all” mode?

Could you email me a screenshot of your firewall so I can see what’s blocked there? It will help me find the cause.
https://www.glasswire.com/contact/

Please include a link to this thread.

Can't help you, sorry. All I can say is it was a fresh install of Windows 10 updated to latest, no additional applications, detection appeared shortly after switching on the firewall. Nothing was blocked by me.

OK, we will try to recreate the issue. Thanks for your report.

@Ken_GlassWire

I don’t know if it will help, but I’ve received two different warnings of the same detection. One on Feb 3rd, and another just last night. Here are the details as indicated in my Windows security panel:

Affected Items:
behavior: pid:2828:1937012556366723
process: pid:2828,ProcessStart:132570650589753017
regkeyvalue: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{DC885274-6863-4465-9991-FC96B9399514}

In both cases I received a warning that remediation was not complete and that I needed to reboot my system in order for the removal to be effective.

The process ID indicated (2828) was an instance of svchost that was running in memory. I’m still using GW version 2.2.241, so I doubt this is something new introduced in one of the newer versions of GW. It seems a recent update to the security engine in Windows might not be playing well with whatever GW is doing.

ETA: I am in ask to connect mode.

@Mank

Thanks, I’ll share this with our team. Do you think you could have accidentally used “block all” for just a few moments?

Same here. Version 2.2.268 of GlassWire. Never set “block all” even accidentally.

PID points to svchost.exe

Behavior:Win32/WDBlockFirewallRule.P

Exactly the same problem here.
WG Version: 2.2.268
Never used “block all” functionality.

PID also pointed to svchost.exe

Behavior:Win32/WDBlockFirewallRule.P

I never used block all myself. I have reinstalled the OS, updated to latest and then installed GlassWire and activated the firewall, and no detections this time, everything is OK. The difference is that the last time I installed GlassWire while Windows was still updating, so maybe that was the issue. Also, is it possible that GlassWire blocked my clock from properly updating? Because I had that issue and I am not sure if it was due to GlassWire, but I never had such an issue and I read that GlassWire is now blocking stuff without our knowledge. May I ask why that is necessary?

@leo Sorry for the issue. I have never heard of anyone having an issue with their clock and GlassWire before. I think it is probably unrelated.

Yep, here as well: right in the middle of a game, a popup from Windows Defender.
I would post an image but links aren't allowed and the upload is too large.

Me too: 2.2.268

Detected: Behavior:Win32/WDBlockFirewallRule.P
Status: Failed
This threat or app might not be completely remediated.
Date: 12-Feb-21 01:36 AM
Details: This program is dangerous and executes commands from an attacker.

Affected items:
behavior: pid:3544:1937012556366723
process: pid:3544,ProcessStart:132574784832248217
regkeyvalue: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A614730C-5CC2-404E-B2D5-7DB8BDF79303}

Best regards,
Ilan,

@workbox @Ilan_Laloum

Could you email me a screenshot of what you have blocked with the firewall if you feel comfortable doing so?
https://www.glasswire.com/contact/

Please include a link to this thread also.

Email sent to bugs@glasswire

I am having the same error, I have attached a screenshot.

Defender also links to a page when I press “Learn more” but since I am a new user I can’t post the URL.

No, not possible that I used “Block All” as I was asleep when this occurred and I was set to “Ask To Connect”. I found the notifications from Windows Defender when I awoke. I will perform a full scan using Windows Defender and report back if it detects it again.
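
To see what a flagged rule actually does, the `regkeyvalue` item from the detection details quoted in the reports above can be decoded. This is an added example, not part of any post in this thread and not GlassWire or Microsoft code; the function name `Get-FlaggedFirewallRule` is hypothetical, and it assumes the pipe-delimited `Key=Value` layout in which Windows stores firewall rules under this key.

```powershell
function Get-FlaggedFirewallRule {
    param(
        # The "regkeyvalue:" line copied from the Defender detection details.
        [Parameter(Mandatory)] [string] $AffectedItem
    )

    # Split "regkeyvalue: HKLM\...\FirewallRules\{GUID}" into key path and value name.
    $pattern = '^\s*(?:regkeyvalue:\s*)?HKLM\\(?<key>.+\\FirewallRules)\\(?<name>\{[0-9A-Fa-f-]{36}\})\s*$'
    if ($AffectedItem -notmatch $pattern) {
        throw "Not a FirewallRules regkeyvalue item: $AffectedItem"
    }
    $keyPath   = 'HKLM:\' + $Matches.key
    $valueName = $Matches.name

    # Defender may already have removed the value during remediation.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ RuleId = $valueName; Present = $false }
    }
    $raw = $item.$valueName

    # Stored form (assumed): "v2.x|Action=Block|Active=TRUE|Dir=Out|App=...|Name=...|"
    $fields = [ordered]@{ RuleId = $valueName; Present = $true }
    foreach ($part in ($raw -split '\|')) {
        if ($part -match '^(?<k>[^=]+)=(?<v>.*)$') {
            $k = $Matches.k
            $v = $Matches.v
            # Some keys (ports, addresses) can repeat; keep every value.
            if ($fields.Contains($k)) { $fields[$k] = "$($fields[$k]),$v" }
            else                      { $fields[$k] = $v }
        }
    }
    [pscustomobject]$fields
}

# Usage with the affected item quoted earlier in this thread:
Get-FlaggedFirewallRule 'regkeyvalue: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{DC885274-6863-4465-9991-FC96B9399514}'
```

If the rule is still present, the `Action`, `Dir`, `App` and `Name` fields show which program the rule applies to and whether it blocks or allows traffic.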