netero1010/EDRSilencer

Blocking doesn't work

Closed this issue · 3 comments

Hey,
I tried the release binary and also tried to compile my own (BTW, it was really challenging to compile successfully: GCC could not compile it, and VS required a few modifications to succeed), and the WFP blocking doesn't effectively block the network traffic of the binary. I tried a number of binaries.
We can clearly see that the rule was added successfully (e.g. via netsh wfp show state), but the process can still communicate.

Ping uses ICMP traffic, which is not handled by the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer in WFP. EDRSilencer uses the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer in its filter, so ICMP traffic will not be restricted. You may try "C:\Windows\System32\curl.exe" for testing.

Still experiencing this problem...

Hi,

Can you double-check whether the filters are actually added to your WFP? You may check this using "WFPExp.exe". Also, could you double-check whether there are any WFP allow rules specifically for powershell?

I tried to reproduce your case in my environment, but the blocking works on my side.
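The two points raised in this thread (ICMP does not traverse FWPM_LAYER_ALE_AUTH_CONNECT_V4, and the filter may simply not be present or may be shadowed by a permit rule for powershell.exe) can be checked from one elevated PowerShell session. The script below is an added example, not code from EDRSilencer or from either commenter. It assumes netsh.exe is available, that netsh's filter XML exposes filters/item with displayData, layerKey and action/type children (the layout current Windows builds emit), that the test target is the Windows PowerShell 5.1 binary under System32, and it uses www.microsoft.com as a constructed reachable host; change these to suit.

```powershell
# Added example (not EDRSilencer's own code): verify that a WFP block filter
# for powershell.exe actually applies by probing from INSIDE that process,
# comparing a TCP connect (passes FWPM_LAYER_ALE_AUTH_CONNECT_V4) with an
# ICMP echo (does not pass that layer, so it is never blocked by it).
# Assumptions: elevated session; netsh.exe present; www.microsoft.com is a
# constructed test host; path to powershell.exe is the 5.1 default.
param(
    [string]$TestHost = 'www.microsoft.com',
    [string]$TargetExe = (Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe')
)

function Get-WfpFiltersForApp {
    param([string]$ExeName)
    $dump = Join-Path $env:TEMP 'wfp-filters.xml'
    Remove-Item $dump -ErrorAction SilentlyContinue
    # netsh dumps every filter, including its ALE app-ID conditions, as XML.
    & netsh.exe wfp show filters file="$dump" | Out-Null
    [xml]$doc = Get-Content -Raw $dump
    # BFE stores the app ID as the lower-cased NT device path in UTF-16LE;
    # netsh prints it hex-encoded (and, on newer builds, also as a string),
    # so match on either form.
    $name = $ExeName.ToLowerInvariant()
    $hex  = ($name.ToCharArray() | ForEach-Object { '{0:x2}00' -f [int]$_ }) -join ''
    foreach ($item in $doc.DocumentElement.filters.item) {
        $xml = $item.OuterXml
        if ($xml -imatch [regex]::Escape($name) -or $xml -imatch $hex) {
            [pscustomobject]@{
                Name   = $item.displayData.name
                Layer  = $item.layerKey      # e.g. FWPM_LAYER_ALE_AUTH_CONNECT_V4
                Action = $item.action.type   # FWP_ACTION_BLOCK vs FWP_ACTION_PERMIT
                Key    = $item.filterKey
            }
        }
    }
}

function Test-ConnectFromProcess {
    param([string]$Exe, [string]$Target)
    # Both probes run in a child copy of $Exe, so the filter's app-ID
    # condition is evaluated against that binary, not this shell.
    # .NET Ping and TcpClient are used so the traffic originates in-process
    # (Test-Connection on 5.1 goes through the WMI provider host instead).
    $probe = @'
$icmp = try { (New-Object System.Net.NetworkInformation.Ping).Send('__HOST__', 2000).Status -eq 'Success' } catch { $false }
$tcp  = try { $c = New-Object System.Net.Sockets.TcpClient; $c.Connect('__HOST__', 443); $ok = $c.Connected; $c.Close(); $ok } catch { $false }
"ICMP=$icmp TCP=$tcp"
'@ -replace '__HOST__', $Target
    & $Exe -NoProfile -NonInteractive -Command $probe
}

"WFP filters referencing powershell.exe (look for a BLOCK at ALE_AUTH_CONNECT and for any competing PERMIT):"
Get-WfpFiltersForApp -ExeName 'powershell.exe' | Format-Table -AutoSize

"Probes from inside ${TargetExe} (a working block gives ICMP=True TCP=False):"
Test-ConnectFromProcess -Exe $TargetExe -Target $TestHost

# Optional corroboration: with failure auditing enabled for the
# "Filtering Platform Connection" subcategory (auditpol /set
# /subcategory:"Filtering Platform Connection" /failure:enable), each blocked
# connect is logged as Security event 5157 naming the filter that blocked it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -imatch 'powershell\.exe' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If the probe reports ICMP=True and TCP=True while a FWP_ACTION_BLOCK entry is listed, the usual culprit is a higher-weight permit filter for the same app ID (EDR and host-firewall products add these), which is exactly what the maintainer asks about; if no filter is listed at all, the add failed and the netsh wfp show state output was showing something else.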