Understanding the Firewall Behavior in GlassWire

Thanks for weighing in and providing your feedback. I couldn’t tell from the screenshots either, but I was also curious as to whether the path is different for the second launch of the app. This would mean that it’s related to the issue of GlassWire not retaining firewall rules for new versions of an app that you already set a rule for.

We are looking into potential solutions for the app versioning issue. We do use the path today to detect “new” apps and prompt the user as to whether they want to Allow/Block the app, so we have to find something else to check. As you mentioned, using the vendor wouldn’t be the best solution either. I know this is a long standing issue, but the team is doing research to figure out the most appropriate way to handle this so we can finally get it resolved.

I don’t have a single app in my app list which has defaulted to block in and allow out. That would seem to be a strange mixed default anyway. Shouldn’t the default match whatever your firewall mode is? So Allowed for Click To Block and Blocked for Ask To Connect or Block All?

I believe it includes an online session GUID as part of the folder path.

C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction<GUID>_2dd1\defenderbootstrapper.exe

From a security point-of-view, I would probably always allow any program that is signed by Microsoft. The chance that it contains malicious code that will end up compromising my computer is really small.

Now, there may be cases where I would like to block some Microsoft apps. But if the trade-off to allowing all Microsoft apps to access the network is to have a MUCH simplified experience with GlassWire where I don’t have a steady stream of pop-ups asking if I want to allow access or silent blocking of apps I do want to access the network, I would take that in a heartbeat.

I would probably do the same for anything signed by Google.

As I already mentioned, I would like GlassWire to validate that a certificate is real (such as a cert from Microsoft being signed by Microsoft rather than “Let’s encrypt” or any other certificate authority) and then explain that an executable was signed with a certificate GlassWire verified was accurate and then offer to always allow any programs signed with the same certificate.

Whilst apps from Microsoft or Google are unlikely to include intentionally malicious code, they may exhibit unwanted behaviour; e.g. auto updating or sending telemetry data back to the vendor. A couple of Microsoft examples are Desktop Widgets and Copilot which will make outgoing connections even if you don’t use them.

It sounds like GlassWire have recognised that using the vendor alone is not the best solution. So it will be interesting to see what they come up with.

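The two ideas in the posts above (rules keyed by path break whenever an app moves to a new versioned folder; rules keyed by a verified signer would not) can be checked on your own machine. The script below is an added example written for this thread, not GlassWire’s code and not anything GlassWire exposes. It assumes an elevated PowerShell 5.1 or later on Windows 10/11 with the built-in NetSecurity module; rule names, paths and signers will be whatever your system has.

```powershell
# Added example, not GlassWire's code: inventory the Windows Firewall's
# program-scoped rules and re-key them by verified Authenticode signer
# instead of by file path.
# Assumptions: elevated PowerShell 5.1+ on Windows 10/11 with the built-in
# NetSecurity module; rule names and paths are whatever your system has.

# 1. Every rule that targets a specific program. GlassWire's rules are
#    ordinary Windows Firewall rules, so they show up here too.
$rules = foreach ($rule in Get-NetFirewallRule -PolicyStore ActiveStore) {
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -and $app.Program -ne 'Any') {
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Direction = $rule.Direction
            Action    = $rule.Action
            Program   = [Environment]::ExpandEnvironmentVariables($app.Program)
        }
    }
}

# 2. Check each binary's signature. Only a Status of 'Valid' (the chain
#    builds to a trusted root AND the file hash still matches) makes the
#    Subject trustworthy: a self-signed cert can also claim
#    "CN=Microsoft Corporation". Windows-inbox binaries are usually
#    catalog-signed; Get-AuthenticodeSignature reports those as well
#    (SignatureType 'Catalog').
$report = foreach ($r in $rules) {
    $status = 'MissingBinary'; $signer = $null; $issuer = $null; $thumb = $null
    if (Test-Path -LiteralPath $r.Program) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $r.Program
        $status = $sig.Status
        if ($sig.Status -eq 'Valid') {
            $signer = $sig.SignerCertificate.Subject
            $issuer = $sig.SignerCertificate.Issuer
            $thumb  = $sig.SignerCertificate.Thumbprint
        }
    }
    [pscustomobject]@{
        Name = $r.Name; Direction = $r.Direction; Action = $r.Action
        Program = $r.Program; Status = $status
        Signer = $signer; Issuer = $issuer; Thumbprint = $thumb
    }
}

# 3. Rules keyed by path break on every versioned-folder update; keyed by
#    signer (or better, by signer thumbprint) they survive it.
$report | Where-Object Status -eq 'Valid' |
    Group-Object Signer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Rules whose binary is gone or whose signature no longer checks out:
#    exactly the cases a path-based "is this a new app?" test re-prompts on.
$report | Where-Object Status -ne 'Valid' |
    Format-Table Name, Direction, Action, Status, Program -AutoSize
```

Step 1 makes one CIM call per rule, so on a machine with many hundreds of rules it takes a while. The Issuer column is what answers the “signed by Microsoft rather than some other CA” question raised above: with Status ‘Valid’ you can read the issuer (and, if you want to be strict, pin the thumbprint) rather than trusting the subject string on its own.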

A new module today for MS Teams which was silently blocked for both in and out.

The last time GlassWire successfully detected a change in Teams was back in 2023.

This app lives in the C:\Program Files\WindowsApps\ folder which is a protected area for Windows Store apps. Perhaps GlassWire cannot monitor anything in this folder?

Interesting to note that a search filter of “Teams” includes Steam Client Service. But a search of “Teams ” (with a space) or “Microsoft Teams” returns nothing at all. :zany_face:

It appears - at least in this case - that the paths are different. Very odd - DefenderBootstrapper.exe is always at version 0.4.48. But it is running from a different directory. But the directory “OnlineInteraction” is empty. It looks like something gets launched from there and then disappears.

As I said, it is an online session GUID. A unique identifier that is generated when it phones home.


I get that.

But I don’t want to be bombarded with these ongoing nags to allow or deny connections. GlassWire has to figure out a way to know we are talking about the same app again and again and again.

I said it before and I will say it again - the reason I run GlassWire is to protect me in the event I somehow get a malicious program on my computer and it is trying to phone home.

I can’t think of a single instance in the many years I have been running GlassWire where GlassWire saved me from such a malicious program.

And I can’t count the hours I have spent:

  • unblocking things that should not have been blocked
  • trying to figure out if something showing as “Blocked” is actually blocked (and won’t prompt me when it next tries to access the network), or that particular version has never tried to access the network and will prompt me the next time it does
  • trying to figure out why some unrelated program like Quick Assist or Google Drive for Desktop is not working, only to discover that Microsoft Edge WebView2 is blocked

I am really uncertain as to why I am still using GlassWire as part of my layered security. I am beginning to think that having the Windows firewall, antivirus, and being on top of patches using Windows Update, UniGetUI & SecTeer VulnDetect is sufficient.


Yeah, I’m not sure how effective it really is as a security product. It clearly misses changes to apps which happen early in the boot sequence, and the VirusTotal functionality now requires the user to set up their own separate account and API key.

I use it more as a privacy enhancement to identify and block apps which phone home for no user benefit. It is also a nice visual monitor of general network activity.

Hello,

speaking of security, as in the past I was interested in subscribing to GlassWire, maybe you users or developers could clarify a doubt I have about it. If I’m not wrong, and as far as I know, GlassWire is based on the Windows Firewall, I mean it uses the Windows Firewall API; in a few words it’s an enhanced UI for it with added features and it’s not a separate firewall. So if some malware bypasses the Windows Firewall it could also bypass GlassWire, maybe. Is it right or am I wrong?

I’m not a technician of course, I’m just a potential subscriber. Anyway, if GlassWire is actually a good enhanced UI with added features but still depends on the Windows Firewall (I ask for confirmation of this or not), I’m sorry but I prefer to have both the “normal” Windows Firewall and an added firewall which works independently from it, as I currently have on my system.

I await your response, thanks in advance.

I don’t work for GlassWire, but I can confirm that it is an enhanced UI for managing the built-in Windows Firewall. There are alternative third-party firewall apps available which do replace the Windows Firewall, but they don’t tend to run alongside the built-in firewall because that can cause all sorts of conflicts.

If you want both the Windows Firewall and an additional independent firewall then it is best to look into a separate device that sits on your network.

Hello,

thank you for the clarification about GlassWire and for your suggestion. About the 3rd party firewall I’m using, I presume it works independently from the Windows Firewall because if I disable the latter using the Windows Security dashboard it doesn’t automatically disable the 3rd party firewall; I guess it uses a dedicated driver. So if malware should manage to bypass / disable the Windows Firewall, the 3rd party firewall should remain active, I think, at least I hope. Furthermore I can say that it’s much more configurable than the Windows Firewall and I have been using them together for several years without a single issue.


I did a search and according to the 3rd party firewall’s developer:

**** vs. Windows built-in firewall.

**** and the built-in firewall work completely independently


I can’t remember ever having a 3rd party firewall where I actively had to disable the Windows one. So I wouldn’t do that unless the installation instructions explicitly tell me to do it (or the software does it by itself).
I’m not sure how well GW would help nowadays against attacks where DLL sideloading happens. With my novice understanding I wouldn’t see how to spot that easily (when they would only try to move small data like session cookies, login passwords and so on).

Hello,

maybe I expressed myself badly (English isn’t my native language), but the 3rd party firewall I’m using didn’t force me to disable the Windows Firewall; I simply did a test to see if disabling the Windows Firewall would also disable the 3rd party firewall, which didn’t happen.

About the protection vs. DLL sideloading, if GlassWire does this it is certainly a point in its favor.

For anyone who is interested, here is a link to a recent article about this kind of threat.

For me English isn’t my first language either, so there is always a good chance I understand things differently than they were meant :smiley: I just wanted to warn about disabling the Windows firewall (unnecessarily).
With the DLL sideloading comment I meant that I would think GW wouldn’t really help there (bear in mind I could be totally wrong here).


AFAIK GlassWire only monitors executables, not any linked libraries.

Z****n A*****m is perhaps one of the most well known third-party firewalls for Windows. This does disable the built-in Windows Firewall during installation. I suspect mostly to avoid conflicts and potential confusion from having two separate sets of firewall rules. Which would be a nightmare for the vendor to provide support for.


I think you’re right, and I don’t know if a firewall capable of protecting against DLL sideloading exists, maybe not. Furthermore, as reported in the article I posted, “Because the application loading the malicious DLL is trusted, security solutions may not flag the execution as suspicious.”

So monitoring the executables wouldn’t be enough.
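The last few posts make the point that a per-application firewall only ever sees the host executable: a sideloaded DLL makes its connections from inside a process the firewall already trusts. The check that does catch the typical case is to look at what a running process has loaded. The function below is an added example written for this thread, not GlassWire’s code and not from the linked article. It assumes an elevated PowerShell on Windows (so other users’ processes can be inspected) and that you pass the name of the process you are investigating; the heuristics it flags are candidates to look at, not a verdict.

```powershell
# Added example, not GlassWire's code: list the DLLs loaded by a process and
# flag the ones a host-based firewall can never see but a sideloading attack
# depends on.
# Assumptions: elevated PowerShell on Windows; -ProcessName is the process
# you want to inspect (hypothetical values in the usage line below).
function Get-SideloadCandidates {
    param([Parameter(Mandatory)][string]$ProcessName)

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $exePath = $proc.Path
        if (-not $exePath) { continue }        # protected process or access denied
        $exeDir = Split-Path -Parent $exePath
        $exeSig = Get-AuthenticodeSignature -LiteralPath $exePath

        # Reading another process's module list can fail (bitness mismatch,
        # access denied); skip it rather than abort the whole scan.
        try { $modules = $proc.Modules } catch { continue }

        foreach ($m in $modules) {
            $dll = $m.FileName
            if (-not $dll -or $dll -ieq $exePath) { continue }
            if ([IO.Path]::GetExtension($dll) -ine '.dll') { continue }

            $dllDir = Split-Path -Parent $dll
            $sig    = Get-AuthenticodeSignature -LiteralPath $dll

            # Heuristic 1: the DLL lives in the EXE's own folder. That is where
            # a search-order hijack plants its payload.
            $besideExe = $dllDir -ieq $exeDir

            # Heuristic 2: it also has the same name as a DLL in System32, i.e.
            # it is shadowing a system library (the classic sideload).
            $shadowsSys32 = $besideExe -and
                (Test-Path -LiteralPath (Join-Path "$env:SystemRoot\System32" (Split-Path -Leaf $dll)))

            # Heuristic 3: the process is validly signed but this DLL is not,
            # or is signed by someone else. Plenty of legitimate software ships
            # unsigned helper DLLs, so this is a prompt to look, not proof.
            $signerDiffers = ($exeSig.Status -eq 'Valid') -and (
                $sig.Status -ne 'Valid' -or
                $sig.SignerCertificate.Thumbprint -ne $exeSig.SignerCertificate.Thumbprint)

            if ($besideExe -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process       = $proc.ProcessName
                    Pid           = $proc.Id
                    Module        = $dll
                    SigStatus     = $sig.Status
                    Signer        = $sig.SignerCertificate.Subject
                    BesideExe     = $besideExe
                    ShadowsSys32  = $shadowsSys32
                    SignerDiffers = $signerDiffers
                }
            }
        }
    }
}

# Usage (hypothetical process name; substitute the one you are looking at):
Get-SideloadCandidates -ProcessName 'notepad' | Format-Table -AutoSize
```

A row with ShadowsSys32 and SignerDiffers both true is the pattern the quoted article describes: a trusted, validly signed executable that has picked up a DLL from its own directory instead of the system copy. Nothing in the Windows Firewall, and therefore nothing in a UI over it, distinguishes that process’s traffic from its normal traffic, which is the gap the last few posts are pointing at.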