Been watching traffic with GlassWire running, and noticed certain apps were getting through. I didn’t get a notification to block traffic, and the “ALLOW” firewall entry keeps getting regenerated every reboot, even if I directly delete it using the Windows native firewall tool.
Looking at the actual Windows firewall I have several allow entries that I didn’t create, nor want. For brevity I will just list a well-known one.
What is most disturbing is that the allow exception for Adobe Cloud Experience is not listed in GlassWire at all. Only within the actual Windows firewall table can it be found.
Program path: c:\program files\adobe\adobe creative cloud experience\libs\node.exe
Lsass: This one is particularly nasty as it provides remote execution control through the Intel IMEI and AMD platform security process. They leave a provisioning port open at 16992-16993.
It talks directly to your southbridge through the AMT and can take total control of your computer, which you can find in your device manager.
If you don’t close the port and leave an lsass exception, and/or leave IMEI running and leave the AMT device driver installed.
To get into your computer remotely it is as easy as this…
Unfortunately using two firewalls simultaneously with GlassWire is not recommended due to how GlassWire protects its own rules, so this is probably the reason for the issue you are experiencing with “hidden exceptions”.
We appreciate your feedback on host blocking and we’ll investigate it in the future.
Worth mentioning, if I recall correctly Microsoft also allows its services/etc. through the firewall as trusted. Should be some behind-the-scenes checks, hashing, and all that.
Testing my memory early this morning, if this is inaccurate please correct me. GlassWire communicates with and adds a nice UI for Microsoft Defender Firewall, for which GlassWire uses the Defender API. If you look at the Defender Firewall you’ll see all the same apps/etc. listed.
Yes, this is all it is. It is a nice UI to read the Windows Defender rules.
But in addition, deep inside the Windows firewall core is what they call WSH (Windows services hardened) rules. These rules are not visible to ordinary firewall tools. They are applied “first” and cannot be disabled. You won’t find much about them, but certain tools list them. They permanently open up ports and services to the outside world.
Here are a few of them…
You cannot stop Windows from allowing access to the outside world through these services. But you CAN stop the outgoing IPs they use. To find these culprits, simply let GlassWire sit idle for a few hours. Let it collect all the IPs that fired off while you were doing nothing. Track down all the IP ranges of these, and enter them as a CIDR directly into the firewall using netsh. Many of these IPs are shared with services you might care about. You can temporarily disable these rules when you want them, and re-enable them when you’re done. If GlassWire supported entering IP blocking then this would be ideal.
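An added example (not code from the thread or from GlassWire) of the blocking step described in the post above: it collapses a constructed list of idle-time addresses into /24 CIDRs and creates outbound block rules for them in one named rule group so the whole set can be switched off and on together. It uses the NetSecurity PowerShell cmdlets rather than netsh (the netsh form of one rule is shown in a comment); the /24 grouping, the sample addresses and the group name are assumptions.

```powershell
# Run from an elevated PowerShell prompt. Not part of the original thread.

# Constructed sample input: addresses you would have exported from GlassWire's
# idle-time traffic list. These are documentation ranges, not real endpoints.
$ObservedIps = @(
    '203.0.113.10', '203.0.113.57', '203.0.113.200',   # same /24
    '198.51.100.7', '198.51.100.9',                     # same /24
    '192.0.2.44'                                        # lone address
)
$Group = 'IdleTrafficBlock'   # assumed group name; any string works

# Assumption: collapse each observed address to its /24 network. Real ranges
# should come from the owning provider's published prefixes instead.
function ConvertTo-Slash24 {
    param([string[]]$Ips)
    $Ips | ForEach-Object {
        $o = $_.Split('.')
        '{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2]
    } | Sort-Object -Unique
}

$Cidrs = ConvertTo-Slash24 -Ips $ObservedIps

foreach ($cidr in $Cidrs) {
    $name = "Block outbound $cidr"
    # Skip if a rule with this name already exists, so re-runs are idempotent.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $Group `
            -Direction Outbound -Action Block -RemoteAddress $cidr -Profile Any | Out-Null
        # netsh equivalent of the rule above:
        # netsh advfirewall firewall add rule name="Block outbound $cidr" dir=out action=block remoteip=$cidr
    }
}

# The ranges are shared with services you may need, so keep the whole set
# easy to toggle as a group:
#   Disable-NetFirewallRule -Group $Group
#   Enable-NetFirewallRule  -Group $Group
# To review what the group currently blocks:
#   Get-NetFirewallRule -Group $Group | Get-NetFirewallAddressFilter
```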