ZHPDiag – O87 module – FirewallRules (FAEL)

Firewall rules block or allow specific traffic from one side of the router to the other. Inbound rules (WAN to LAN) restrict access to private resources, while allowing specific external users to reach some of them.

Outbound rules (LAN to WAN) determine which external resources local users can access.

The bound FAEL module (Firewall Active Exception List) lists the authorized and active Windows Firewall application exceptions. Programs and port connections are approved through « inbound rules » (Authorized) or « outbound rules » (Denied). The search is carried out at the level of the FirewallRules registry key, namely:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

Direction mode: In (inbound connection), Out (outbound connection),
Profile type: Domain, Private, Public, None,
Activation mode: FALSE (Disabled), TRUE (Enabled),
Connection protocol: P6, P17, ...

Overview ZHPDiag

—\\ Firewall Active Exception List (FirewallRules) (O87)
O87 – FAEL: « {1DB0F4A2-8EEC-4FEE-BD6B-6A29787F3EBA} » | In – Public – TRUE | .(.Opera Software – Opera Internet Browser.) — C:\Program Files\Opera\opera.exe
O87 – FAEL: « TCP Query User{0CFC6AB7-D366-45BD-97AD-AFBC12461D3C}C:\program files\opera\opera.exe » | In – Domain – FALSE | .(.Opera Software – Opera Internet Browser.) — C:\program files\opera\opera.exe
O87 – FAEL: « UDP Query User{A2DE116B-A679-4BF4-826A-39C44996A72A}C:\program files\opera\opera.exe » | Out – Private – TRUE | .(.Opera Software – Opera Internet Browser.) — C:\program files\opera\opera.exe
O87 – FAEL: « {3180AB9F-4FB9-467B-84FA-D0D2957D8983} » | In – Public – FALSE | .(.adsl TV / FM – No description.) — C:\Program Files\adslTV\adsltv.exe

—\\ Firewall Active Exception List (FirewallRules) (O87)
O87 – FAEL: « {1DB0F4A2-8EEC-4FEE-BD6B-6A29787F3EBA} » | In – Public – P6 – TRUE | .(.Opera Software – Opera Internet Browser.) — C:\Program Files\Opera\opera.exe


Example of detection

—\\ Firewall Active Exception List (FirewallRules) (O87)
O87 – FAEL: « {2E48CF6F-0755-4128-A24D-533CA7D618A8} » | In – Public – P6 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – QvodInstall Module.) — C:\Users\Coolman\Downloads\QvodSetup5.exe
O87 – FAEL: « {5F949ECC-7DD4-4AA6-932F-1965B0630FE4} » | In – Public – P17 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – QvodInstall Module.) — C:\Users\Coolman\Downloads\QvodSetup5.exe
O87 – FAEL: « TCP Query User{68CEC2DD-642F-41FC-B7D3-21BECA6CA428}D:\qvodplayer\qvodplayer.exe » | In – Public – P6 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – ??.) — D:\qvodplayer\qvodplayer.exe
O87 – FAEL: « UDP Query User{095F3D15-B5D9-4AC7-97A5-DF76613E0BC4}D:\qvodplayer\qvodplayer.exe » | In – Public – P17 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – ??.) — D:\qvodplayer\qvodplayer.exe
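As an added example (not ZHPDiag's own code), the following Python script parses rule strings in the format Windows stores under the FirewallRules key, a pipe-delimited value such as `v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=...|Name=...|`, renders them as O87-style lines carrying the direction, profile, protocol and activation fields described above, and flags active inbound Allow rules whose program sits under a user-writable folder, which is what makes the QvodSetup5.exe entries in the detection example above stand out. P6 and P17 are the IANA protocol numbers for TCP and UDP. The sample values are constructed from the page's Opera and Qvod entries; the `is_suspicious` heuristic and its folder markers are this example's own, not ZHPDiag's, and the description part of the rendered line uses the rule's Name field where ZHPDiag shows the file's vendor and description.

```python
"""Parse Windows Firewall rules in the FirewallRules registry format and
render them as ZHPDiag-style O87 FAEL lines (added example, not ZHPDiag code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Key ZHPDiag scans. On a real host its values would be enumerated with
# winreg; here constructed values are embedded so the script runs offline.
FIREWALL_RULES_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                      r"\Parameters\FirewallPolicy\FirewallRules")

# IANA protocol numbers behind the "P6" / "P17" tokens of the O87 lines
PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}

# Constructed sample values (value name -> REG_SZ data), modelled on the page
SAMPLE_VALUES: Dict[str, str] = {
    "{1DB0F4A2-8EEC-4FEE-BD6B-6A29787F3EBA}":
        r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public"
        r"|App=C:\Program Files\Opera\opera.exe|Name=Opera Internet Browser|",
    r"TCP Query User{0CFC6AB7-D366-45BD-97AD-AFBC12461D3C}C:\program files\opera\opera.exe":
        r"v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain"
        r"|App=C:\program files\opera\opera.exe|Name=opera.exe|",
    "{2E48CF6F-0755-4128-A24D-533CA7D618A8}":
        r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public"
        r"|App=C:\Users\Coolman\Downloads\QvodSetup5.exe|Name=QvodInstall Module|",
}


@dataclass
class FirewallRule:
    value_name: str
    direction: str            # "In" or "Out"
    profile: str              # "Domain", "Private", "Public" or "None"
    active: bool              # Active=TRUE / FALSE
    protocol: Optional[int]   # 6 (TCP), 17 (UDP), ... or None when unset
    app: Optional[str]        # program the rule applies to
    action: str               # "Allow" or "Block"
    name: str


def parse_rule(value_name: str, data: str) -> FirewallRule:
    """Parse one 'v2.x|Field=Value|...' string; unknown tokens are ignored."""
    fields: Dict[str, str] = {}
    profiles: List[str] = []
    for token in data.strip("|").split("|"):
        if "=" not in token:          # e.g. the leading "v2.10" version tag
            continue
        key, value = token.split("=", 1)
        if key == "Profile":          # may repeat when several profiles apply
            profiles.append(value)
        else:
            fields[key] = value
    proto = fields.get("Protocol")
    return FirewallRule(
        value_name=value_name,
        direction=fields.get("Dir", "?"),
        # No Profile field means all profiles; rendered as "None" here (assumption)
        profile="/".join(profiles) if profiles else "None",
        active=fields.get("Active", "FALSE").upper() == "TRUE",
        protocol=int(proto) if proto and proto.isdigit() else None,
        app=fields.get("App"),
        action=fields.get("Action", "?"),
        name=fields.get("Name", ""),
    )


def parse_all(values: Dict[str, str]) -> List[FirewallRule]:
    return [parse_rule(name, data) for name, data in values.items()]


def render_o87(rule: FirewallRule) -> str:
    """Render in the page's O87 line layout: name | Dir – Profile – Pn – Active | desc — path."""
    proto = f"P{rule.protocol} – " if rule.protocol is not None else ""
    active = "TRUE" if rule.active else "FALSE"
    return (f"O87 – FAEL: « {rule.value_name} » | {rule.direction} – {rule.profile}"
            f" – {proto}{active} | .(.{rule.name}.) — {rule.app}")


# Folders an unprivileged user can write to (example heuristic, not ZHPDiag's)
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")


def is_suspicious(rule: FirewallRule) -> bool:
    """Active inbound Allow rule whose program lives in a user-writable folder."""
    if not (rule.active and rule.direction == "In" and rule.action == "Allow" and rule.app):
        return False
    app = rule.app.lower()
    return any(marker in app for marker in USER_WRITABLE_MARKERS)


def suspicious_value_names(rules: List[FirewallRule]) -> List[str]:
    return [r.value_name for r in rules if is_suspicious(r)]


if __name__ == "__main__":
    print(f"Scanning {FIREWALL_RULES_KEY} (constructed sample)")
    parsed = parse_all(SAMPLE_VALUES)
    for r in parsed:
        flag = "  <-- review" if is_suspicious(r) else ""
        print(render_o87(r) + flag)
```

Run as-is it prints the three constructed rules and marks the Downloads entry for review; to scan a live host, replace `SAMPLE_VALUES` with the value names and data read from the key with `winreg`.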

Action ZHPFix

O87 – FAEL: « {ValueCLSID} » | … | (…) — {FileName}

{Key} : [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
{ValueCLSID} : CLSID value
{FileName} : Name of the file

– The tool removes the CLSID value {ValueCLSID}
– The tool deletes the file {FileName}

Report ZHPFix (Example)

O87 – FAEL: « TCP Query User{C609E4FF-807A-4516-83C9-85D43A8DD9E1}C:\Program Files\Live-Player\Live-Player.exe » | In – Public – P6 – TRUE | .(…) — C:\Program Files\Live-Player\Live-Player.exe

Report of ZHPFix v1.12.3244 by Nicolas Coolman, Update of the 27/01/2011

= Value(s) the registry =.
TCP Query User{C609E4FF-807A-4516-83C9-85D43A8DD9E1}C:\FilesLive-PlayerLive-Player.exe = program> Value deleted successfully

= File(s) ==========
c:\fileslive-playerlive-player.exe = program> Deleted and quarantined

= Summary =.
1 : Value(s) the registry
1 : File(s)