Glasswire creating hidden exceptions to apps

I've been watching traffic with GlassWire running, and noticed certain apps were getting through. I didn’t get a notification to block traffic. And the “ALLOW” firewall entry keeps getting regenerated every reboot, even if I directly delete it using the Windows native firewall tool.

Looking at the actual Windows firewall, I have several allow entries that I didn’t create, nor want. For brevity I will just list a well-known one.

What is most disturbing is that the allow exception for Adobe Cloud Experience is not listed in GlassWire at all. Only within the actual Windows firewall table can it be found.

program path:
c:\program files\adobe\adobe creative cloud experience\libs\node.exe

Name:
GlassWire.out.app_203002223.profile_1.mode_2

Direction:
Outbound

Action:
Allow

I am also not so happy about GlassWire creating auto-exceptions to certain Windows services. I should have the option to bork myself if I want.

Sorry for the issue and thanks for your feedback.

Are you using any other firewall software along with GlassWire? This can cause the issue with Adobe you’re experiencing.

Also, is the screenshot you show from another app or is it from the Windows Firewall control panel itself? Please confirm.

You can use any Windows firewall tool to see this. I happen to have used a freeware firewall control panel tool.

But you can see the same thing by just using the regular old “Windows Defender with Advanced Security” snap-in

or just use Netsh.

No other firewall software is running, other than to just temporarily read the firewall rules. Not even an antivirus is running.

Here are some of the hidden exceptions made by GlassWire.

If I attempt to clean up the firewall rules myself, GlassWire restores them next reboot.

It could be possible that Adobe is directly patching into your tool and altering your DB. They have coresync and ccxprocess running.

I failed to include one more hidden exception in the pic.

Lsass: This one is particularly nasty as it provides remote execution control through the Intel IMEI and AMD platform security process. They leave a provisioning port open at 16992-16993.

It talks directly to your southbridge through the AMT and can take total control of your computer, which you can find in your device manager.

Device manager snapshot. In my case, all this has been disabled.

If you don’t close the port and leave an lsass exception, and/or leave IMEI running and leave the AMT device driver installed,
to get into your computer remotely it is as easy as this…


Unfortunately using two firewalls simultaneously with GlassWire is not recommended due to how GlassWire protects its own rules, so this is probably the reason for the issue you are experiencing with “hidden exceptions”.

We appreciate your feedback on host blocking and we’ll investigate it in the future.

Worth mentioning, if I recall correctly Microsoft also allows its services/etc. through the firewall as trusted. Should be some behind-the-scenes checks, hashing, and all that.

Testing my memory early this morning; if this is inaccurate, please correct me. GlassWire communicates with and adds a nice UI for Microsoft Defender Firewall, for which GlassWire uses the Defender API. If you look at the Defender Firewall you’ll see all the same apps/etc. listed.


Yes, this is all it is. It is a nice UI to read the Windows Defender rules.

But in addition, deep inside the Windows firewall core are what they call WSH (Windows services hardened) rules. These rules are not visible by ordinary firewall tools. They are applied “first” and cannot be disabled. You won’t find much about them. But certain tools list them. They permanently open up ports and services to the outside world.
Here are a few of them…

You cannot stop Windows from allowing access to the outside world through these services. But you CAN stop the outgoing IPs they use. To find these culprits, simply let GlassWire sit idle for a few hours. Let it collect all the IPs that fired off while you were doing nothing. Track down all the IP ranges of these, and enter them as a CIDR directly into the firewall using netsh. Many of these IPs are shared with services you might care about. You can temporarily disable these rules when you want them, and re-enable them when you're done. If GlassWire supported entering IP blocking then this would be ideal.

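The procedure from the last post (block traced CIDR ranges with netsh and toggle the rule on demand), together with a listing of the `GlassWire.`-named rules discussed earlier, as an added example that is not part of the thread. The rule name and CIDR ranges are constructed placeholders, and matching on the rule display name is an assumption based on the name shown in the first post.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# $RuleName and $Cidrs are constructed placeholders (RFC 5737 documentation ranges);
# replace them with the ranges you traced from your own idle-time capture.
$RuleName = 'IdleTrafficBlock-Example'
$Cidrs    = @('203.0.113.0/24', '198.51.100.0/24')

function Test-Cidr([string]$Cidr) {
    # Accept only IPv4 "address/prefix" with a prefix length of 0-32.
    $addr, $prefix = $Cidr -split '/', 2
    $ip  = [System.Net.IPAddress]::None
    $len = 0
    return [System.Net.IPAddress]::TryParse($addr, [ref]$ip) -and
           $ip.AddressFamily -eq 'InterNetwork' -and
           [int]::TryParse($prefix, [ref]$len) -and $len -ge 0 -and $len -le 32
}

function Add-IdleBlock {
    # Refuse to create the rule if any entry is malformed.
    $bad = @($Cidrs | Where-Object { -not (Test-Cidr $_) })
    if ($bad.Count) { throw "Not a valid IPv4 CIDR: $($bad -join ', ')" }
    # One outbound block rule; netsh takes the ranges as a comma-separated list.
    netsh advfirewall firewall add rule "name=$RuleName" dir=out action=block "remoteip=$($Cidrs -join ',')"
}

function Set-IdleBlock([bool]$Enabled) {
    # Disable the rule while you need a service that shares these ranges, then re-enable it.
    $state = if ($Enabled) { 'yes' } else { 'no' }
    netsh advfirewall firewall set rule "name=$RuleName" new "enable=$state"
}

function Get-GlassWireRules {
    # List every rule whose display name starts with "GlassWire." and the program it covers,
    # so entries that do not appear in the GlassWire UI can be compared against this output.
    Get-NetFirewallRule -DisplayName 'GlassWire.*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Direction = $_.Direction
                Action    = $_.Action
                Enabled   = $_.Enabled
                Program   = ($_ | Get-NetFirewallApplicationFilter).Program
            }
        }
}

# Typical sequence:
#   Add-IdleBlock; Set-IdleBlock $false; Set-IdleBlock $true
#   Get-GlassWireRules | Format-Table -AutoSize
```

Running `Get-GlassWireRules` before and after a reboot shows whether deleted entries have been recreated.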