
Blocking doesn't work #13

Closed
cookpoo78 opened this issue Feb 18, 2024 · 3 comments

Comments

@cookpoo78

Hey,
Tried the release binary and also to compile my own (BTW, it was really challenging to compile successfully, GCC could not compile and VS required a few modifications to succeed), and the WFP blocking doesn't effectively block the network traffic of the binary - I tried a number of binaries.
We can clearly see that the rule was added successfully (e.g. by netsh wfp show state) but still the process can communicate.

@netero1010
Owner

Ping uses ICMP traffic and it is not handled by the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer in the WFP. EDRSilencer uses FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer in the filter so ICMP traffic will not be restricted. You may try "C:\Windows\System32\curl.exe" for testing.

@cookpoo78
Author

cookpoo78 commented Feb 18, 2024

Still experiencing this problem...

@netero1010
Owner

Hi,

Can you double check if filters are actually added in your WFP? You may check it using "WFPExp.exe". Also, could you double check if there is any WFP allow rules particularly for PowerShell?

I tried to perform your case in my environment but the blocking works from my side.
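As an added example (not part of this thread or of the EDRSilencer project), here is a PowerShell script a defender can use to answer the owner's question: it reads a `netsh wfp show state file=wfpstate.xml` export and lists every FWP_ACTION_BLOCK filter at FWPM_LAYER_ALE_AUTH_CONNECT_V4 that matches on an application ID, so you can see whether a per-process block filter really exists and which binary it names. The XML element names, the default file path and the embedded sample document are assumptions based on a typical wfpstate.xml; verify them against your own export.

```powershell
# Added example, not project code: list per-application BLOCK filters at the
# ALE_AUTH_CONNECT_V4 layer from a `netsh wfp show state` XML export.
# Element names are an assumption from a typical wfpstate.xml; verify locally.
param([string]$Path = "$env:TEMP\wfpstate.xml")
# Constructed sample export, used when no file exists so the script runs stand-alone.
$sample = @'
<wfpstate>
  <layers>
    <item>
      <layer><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey></layer>
      <filters>
        <item>
          <filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
          <displayData><name>Custom Outbound Filter</name></displayData>
          <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
          <filterCondition numItems="1">
            <item>
              <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
              <conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
                <byteBlob><asString>\device\harddiskvolume3\example\agent.exe</asString></byteBlob>
              </conditionValue>
            </item>
          </filterCondition>
          <action><type>FWP_ACTION_BLOCK</type></action>
        </item>
      </filters>
    </item>
  </layers>
</wfpstate>
'@
[xml]$state = if (Test-Path $Path) { Get-Content -Raw $Path } else { $sample }
# Keep only BLOCK filters at the connect layer that carry an ALE_APP_ID condition,
# which is the shape of a filter that silences one specific executable.
$hits = foreach ($layer in $state.wfpstate.layers.item) {
    foreach ($f in $layer.filters.item) {
        if ($f.layerKey -ne 'FWPM_LAYER_ALE_AUTH_CONNECT_V4') { continue }
        if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
        $app = $f.filterCondition.item |
            Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' }
        if (-not $app) { continue }
        [pscustomobject]@{
            FilterKey = $f.filterKey
            Name      = $f.displayData.name
            AppId     = $app.conditionValue.byteBlob.asString
        }
    }
}
$hits | Format-Table -AutoSize
```

ICMP traffic such as ping is not evaluated at this layer, so a block filter listed here says nothing about whether ping still succeeds; test with a TCP or UDP client as the owner suggests.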
