Windows 10: Why are there multiple entries of a program in my Windows Firewall Inbound Rules?

Hello,

I was attempting to figure out why my Windows Defender - AntiMalware Service Executable has been using more ram than normal which led me into my Windows Firewall settings. I noticed for my Inbound Rules, there are several entries for a specific process related to (1) game. At least 2 of each entry aren't even enabled. I noticed it's specifically for "Domain" entries. Should I enable those entries?

Also, if anyone happens to know why my Windows AntiMalware Service under my task manager has been using over 100 MB of ram - only 1.6%. Not a big deal but usually it operates under 100 MB unless an update is pending. No updates, virus scans or errors are pending so I'm not entirely sure.

I attached a screenshot to provide a visual representation.

Thank you.

https://preview.redd.it/46cvkxi5n7k...bp&s=0ba205b4a88c1bd769f8ebebcba0d8962763f720

submitted by /u/Yamistewie
[link] [comments]

:)

 

Firewall no longer allowing "Allowed" program on Inbound Rule

Using Windows 10 and trying to allow a program to access my computer remotely through a specified port.

This used to work by allowing it in the firewall settings and turning on both public and private firewalls.

Now I have to turn off the public firewall to allow it to access my computer remotely even though it is in the inbound rules list with :

Profile: Private, Public

Enabled: Yes

Action: Allow:

Program: [path to program]

Everything else : any

This allowing used to work but now it doesn't.

 

Inbound Firewall Rule that Blocks

Code:

Please help me understand how the 2 Inbound Rules created by MMC actually operate.

Action, Enabled, Service, Program,                     Protocol

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, TCP

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, UDP
If these 2 rules were Outbound Rules, I'd say that client process 'mmc.exe' is blocked.

But applying equivalent logic (that 'mmc.exe' is blocked) to Inbound Rules doesn't make sense -- why would 'mmc.exe' (which created these Rules) block itself?

What (somewhat) makes sense is that 'mmc.exe' is a requester, and that these rules block all TCP & UDP datagrams & all processes.

If so, then there's quite a difference between Outbound & Inbound Rules.

In Outbound Rules, 'Program' specifies the target (the process that's blocked), whereas in Inbound Rules, 'Program' specifies the requester (the process that provokes blocking).

This is crucial reasoning because, if correct, then, as a consequence, every process is the target of Inbound Rules that Block.

What about Inbound Rules that Allow? I've always assumed that an Inbound+Allow means the specified 'Program' installs a listener (i.e., has handler(s) for the specified socket(s)).

I think that's pretty straightforward.

I've read what Microsoft provides and it's grossly inadequate -- what a surprise, eh?

Microsoft documentation presents only trivial explanation of how to complete the fields (example: "Type the path to the program in the text box"), or the tutorial's scope is limited (example: "On the Action page, select Allow the connection, and then click
 Next" -- no mention of "Block the connection").

Other web hits are just plain wrong (examples: "Program – Block or allow a program"; "Program - creates rule that controls connections for an app or program"; "if you are downloading a file through BitTorrent, the download of that file is filtered through an
 inbound rule" -- Rules control connections, not streams) or show ridiculous cases (example: "I want to block all outgoing connections on port 80").
Does anyone know of an architectural reference or guidebook that explains how Firewall Rules are implemented in a running system?
Warm Regards -- Mark.

 

Valid inbound rule in windows firewall?

Yesterday I was bitten by an alert that windows defender had stopped an attack however I should not do anything before contacting MICROSOFT CERTIFIED HELP DESK SUPPORT and absolutely do not shutdown the computer as data loss and an unbootable system could
be the result. My screen was frozen and computer beeping so after trying a couple things i called the number (855-335-7701). Long story short they were trying to pass themselves off as SkyService247 and wanted to protect my computer for an annual fee. Never
did find out how much. When they added a syskey password I pulled the plug. Luckily I had a restore point set earlier in the day so when my computer failed to reboot, I was able to restore it and it works OK now.

However, I see an entry in the inbound rules for windows firewall that simply has a name of G, no properties info, and the program is noted as C and they affect either the TCP or ICMPv4 protocol. 36 of these in the inbound rule for the firewall.

My question is are these valid and should they be allowed? I cannot seem to locate any information on these so any feedback will be most appreciated.