Windows 10: Windows Firewall rules being modified/added then immediately deleted

Discussion in 'AntiVirus, Firewalls and System Security' started by jregan8, Nov 17, 2020.

  1. jregan8 Win User

    Windows Firewall rules being modified/added then immediately deleted


    Essentially we have been seeing many different logs for "A rule was modified" EVID 4947 in the Windows Firewall, the rule name and rule ID are GUIDs which lead us to believe the rules being modified weren't initially created by a user. When looking for the modified rule on the host itself, the rule seemed to not exist. We then discovered that immediately after being modified, the rule was deleted EVID 4948, which explains why we couldn't find it on the host.


    The logs don't offer much in terms of root-cause. We want to understand why Firewall rules are being modified, then immediately deleted. It should also be noted, we have seen the exact same activity except instead of modified, a rule is added then deleted.


    My initial theory is that applications are causing this behaviour, or perhaps even GPO rules. It's important for us to understand why this activity is happening and whether it's normal because we would like to monitor when rules are modified/deleted/added outside of normal behaviour - an example use-case being a user/malware creates a firewall exception to communicate with a C2C server.


    Thanks for any assistance.

    :)
     
    jregan8, Nov 17, 2020
    #1
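
The correlation described in the first post, as an added example that is not part of the original thread: pair each "rule added" or "rule modified" event with a "rule deleted" event for the same rule ID, so that transient churn can be baselined and only changes that persist are raised. Event IDs 4947 and 4948 come from the post; 4946 is the Security-log ID for "a rule was added". The record layout, the sample values and the 2-second window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

ADDED, MODIFIED, DELETED = 4946, 4947, 4948
GUID = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")

# Constructed sample records (not real log data):
# (timestamp, event ID, rule ID, rule name)
SAMPLE_EVENTS = [
    ("2020-11-17T09:00:00", 4947, "{11111111-2222-3333-4444-555555555555}",
     "{11111111-2222-3333-4444-555555555555}"),
    ("2020-11-17T09:00:01", 4948, "{11111111-2222-3333-4444-555555555555}",
     "{11111111-2222-3333-4444-555555555555}"),
    ("2020-11-17T09:05:10", 4946, "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",
     "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
    ("2020-11-17T09:05:11", 4948, "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",
     "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
    ("2020-11-17T10:30:00", 4946, "{99999999-8888-7777-6666-555555555555}",
     "Example updater outbound"),
    ("2020-11-17T11:00:00", 4947, "Example-App-In-TCP", "Example App (TCP-In)"),
]

def classify_rule_changes(events, window=timedelta(seconds=2)):
    """Split add/modify events into (transient, persistent).

    transient: the same rule ID was deleted within `window` of the change.
    persistent: no matching deletion in the window; these merit review.
    """
    parsed = sorted((datetime.fromisoformat(t), eid, rid, name)
                    for t, eid, rid, name in events)
    deletions = {}
    for ts, eid, rid, _ in parsed:
        if eid == DELETED:
            deletions.setdefault(rid, []).append(ts)
    transient, persistent = [], []
    for ts, eid, rid, name in parsed:
        if eid not in (ADDED, MODIFIED):
            continue
        deleted_soon = any(ts <= d <= ts + window for d in deletions.get(rid, []))
        record = {"time": ts.isoformat(), "event_id": eid, "rule_id": rid,
                  "rule_name": name, "guid_named": bool(GUID.match(name))}
        (transient if deleted_soon else persistent).append(record)
    return transient, persistent

if __name__ == "__main__":
    transient, persistent = classify_rule_changes(SAMPLE_EVENTS)
    print(f"{len(transient)} transient change(s) suppressed")
    for r in persistent:
        print("REVIEW", r["time"], r["event_id"], r["rule_name"])
```
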

  2. Windows Defender Firewall - Rules without a Group - Unable to remove or modify.

    I have some outbound rules in Windows Defender Firewall which I put on/in.

    They have no "Group" though others I have put up have managed to find themselves a Group. These without a Group I have been unable to Delete or Modify.

    They have on them (in properties) "this rule has been applied by the system administrator and cannot be modified".


    I have tried resetting the rules to those loaded at setup and it does
    remove my other rules, but not these without a Group.
     
    chrissiehauxwell, Nov 17, 2020
    #2
  3. Windows 10 Firewall won't keep my inbound/outbound rules

    Hi,

    I realize the inconvenience caused to you regarding the Windows Firewall. I will certainly assist you.

    I suggest you restart the Windows Firewall service and check if it helps.

    Follow the below steps for the same.

    • Press Windows key + R simultaneously for Run.
    • Type services.msc and then Enter.
    • Right click on the Windows firewall services and then restart the services and check if it helps.

    If the issue still persists, then I suggest you remove and then re-add the Windows Firewall rule.

    Hope this information is helpful. Please get back to us with the information required, if you need further assistance, we’ll be glad to assist you.
     
    Anup Karkal, Nov 17, 2020
    #3
  4. Windows Firewall rules being modified/added then immediately deleted

    Windows Firewall Forgetting Rules

    I've recently installed the latest version of Windows 10 in my PC. I've blocked and allowed some softwares in Windows Firewall. But Firewall keeps forgetting the rules in 1/2 days. For example, I've allowed Pro Evolution Soccer 2016 in Firewall. But in a few days, when I open the game, firewall sends message asking if I want to allow that app or not. Then after checking the allowed apps, I do not see that game in the list, which means firewall didn't remember the settings.

    Also, I blocked KMPlayer in firewall to prevent it from connecting to internet (it shows too much ads otherwise). So, I created inbound and outbound rules for KMPlayer and blocked the connection. After that, it was all okay for two days, then again it started showing ads, and then checking the rules, I didn't notice the rules there which I created two days ago. And this thing keeps happening. I make the inbound and outbound rules for KMPlayer, it stays all okay for a few days, and then it forgets again.

    So, what is wrong with the firewall and what is the solution of it?

    [Moved from: Windows / Windows 10 / Windows settings]
     
    Ninad Khan, Nov 17, 2020
    #4