ZHPDiag – Module O87 – FirewallRules (FAEL)

Firewall rules block or allow specific traffic passing from one side of the router to the other. Inbound rules (WAN to LAN) restrict access to private resources, allowing specific external users to access certain resources.

Outbound rules (LAN to WAN) determine which external resources local users can access.

This module is linked to FAEL (Firewall Active Exception List): it lists the Windows Firewall application rules that are authorized and active.

Program and port connections are authorized through “inbound rules” (Authorized) or “outbound rules” (Refused). The search is carried out in the registry key “FirewallRules”, namely:

 [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

- Direction: In (incoming connection), Out (outgoing connection)
- Profile type: Domain, Private, Public, None
- Activation mode: FALSE (disabled), TRUE (enabled)
- Connection protocol: P6 (IP protocol 6, TCP), P17 (IP protocol 17, UDP), …

ZHPDiag Overview

—\\ Firewall Active Exception List (FirewallRules) (O87)
O87 – FAEL: “{1DB0F4A2-8EEC-4FEE-BD6B-6A29787F3EBA}” | In – Public – TRUE | .(.Opera Software – Opera Internet Browser.) — C:\Program Files\Opera\opera.exe
O87 – FAEL: “TCP Query User{0CFC6AB7-D366-45BD-97AD-AFBC12461D3C}C:\program files\opera\opera.exe” | In – Domain – FALSE| .(.Opera Software – Opera Internet Browser.) — C:\program files\opera\opera.exe
O87 – FAEL: “UDP Query User{A2DE116B-A679-4BF4-826A-39C44996A72A}C:\program files\opera\opera.exe” | Out – Private – TRUE | .(.Opera Software – Opera Internet Browser.) — C:\program files\opera\opera.exe
O87 – FAEL: “{3180AB9F-4FB9-467B-84FA-D0D2957D8983}” | In – Public – FALSE | .(.adsl TV / FM – No description.) — C:\Program Files\adslTV\adsltv.exe

—\\ Firewall Active Exception List (FirewallRules) (O87)
O87 – FAEL: “{1DB0F4A2-8EEC-4FEE-BD6B-6A29787F3EBA}” | In – Public – P6 – TRUE | .(.Opera Software – Opera Internet Browser.) — C:\Program Files\Opera\opera.exe

Example of detection

—\\ Firewall Active Exception List (FirewallRules) (O87)
O87 – FAEL: “{2E48CF6F-0755-4128-A24D-533CA7D618A8}” | In – Public – P6 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – QvodInstall Module.) — C:\Users\Coolman\Downloads\QvodSetup5.exe
O87 – FAEL: “{5F949ECC-7DD4-4AA6-932F-1965B0630FE4}” | In – Public – P17 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – QvodInstall Module.) — C:\Users\Coolman\Downloads\QvodSetup5.exe
O87 – FAEL: “TCP Query User{68CEC2DD-642F-41FC-B7D3-21BECA6CA428}D:\qvodplayer\qvodplayer.exe” | In – Public – P6 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – ??.) — D:\qvodplayer\qvodplayer.exe
O87 – FAEL: “UDP Query User{095F3D15-B5D9-4AC7-97A5-DF76613E0BC4}D:\qvodplayer\qvodplayer.exe” | In – Public – P17 – TRUE | .(.Shenzhen QVOD Technology Co.,Ltd – ??.) — D:\qvodplayer\qvodplayer.exe
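The registry values behind these O87 lines are pipe-delimited strings (`v2.x|Action=…|Active=…|Dir=…|Protocol=…|Profile=…|App=…|…`). The parser below is an added example, not ZHPDiag's own code: it decodes constructed sample values from that key into the Direction / Profile / Protocol / Active fields shown above and applies a simple triage rule that flags enabled inbound Allow rules for programs outside the usual install directories, which is what singles out the QvodPlayer lines in the detection example. Sample GUIDs, paths and the trusted-directory list are assumptions for the example.

```python
from typing import Dict, List

# Constructed sample values in the layout Windows stores under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
# (value name -> pipe-delimited value data). GUIDs and paths are made up for this example.
SAMPLE_RULES = {
    "{1DB0F4A2-8EEC-4FEE-BD6B-6A29787F3EBA}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|"
        "App=C:\\Program Files\\Opera\\opera.exe|Name=Opera Internet Browser|",
    "TCP Query User{68CEC2DD-642F-41FC-B7D3-21BECA6CA428}D:\\qvodplayer\\qvodplayer.exe":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|"
        "App=D:\\qvodplayer\\qvodplayer.exe|Name=qvodplayer|Desc=qvodplayer|Defer=User|",
    "{5F949ECC-7DD4-4AA6-932F-1965B0630FE4}":
        "v2.10|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|"
        "App=C:\\Users\\Coolman\\Downloads\\QvodSetup5.exe|Name=QvodInstall Module|",
}

# Assumed "normal" install locations; anything else is worth a second look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_rule(data: str) -> Dict[str, str]:
    """Split 'v2.x|Key=Value|...|' into a dict; the leading version token has no '='."""
    fields: Dict[str, str] = {}
    for token in data.split("|"):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    # A rule with no Profile field applies to every profile; ZHPDiag shows this as None.
    fields.setdefault("Profile", "None")
    return fields


def format_o87(name: str, data: str) -> str:
    """Render one value in the 'Dir - Profile - Pproto - Active' style of the O87 lines (ASCII dashes)."""
    f = parse_rule(data)
    return (f'O87 - FAEL: "{name}" | {f["Dir"]} - {f["Profile"]} - P{f["Protocol"]} - '
            f'{f["Active"]} | {f.get("Name", "No description")} -- {f.get("App", "")}')


def is_suspicious(data: str) -> bool:
    """Triage heuristic: an enabled inbound Allow rule for a program outside TRUSTED_DIRS."""
    f = parse_rule(data)
    app = f.get("App", "").lower()
    return (f.get("Action") == "Allow" and f.get("Active") == "TRUE"
            and f.get("Dir") == "In" and app != "" and not app.startswith(TRUSTED_DIRS))


def triage(rules: Dict[str, str]) -> List[str]:
    """Return the value names that the heuristic flags, in registry order."""
    return [name for name, data in rules.items() if is_suspicious(data)]


if __name__ == "__main__":
    for rule_name, rule_data in SAMPLE_RULES.items():
        print(format_o87(rule_name, rule_data))
    print("Flagged:", triage(SAMPLE_RULES))
```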

ZHPFix action

O87 – FAEL: “{ValueCLSID}” | … | (…) — {FileName}

{Key} : [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
{ValueCLSID}: the CLSID value (registry value name)
{FileName}: the file path of the program the rule refers to

– The tool removes the registry value {ValueCLSID} from {Key}
– The tool deletes the file {FileName}

ZHPFix Report (Example)

O87 – FAEL: “TCP Query User{C609E4FF-807A-4516-83C9-85D43A8DD9E1}C:\Program Files\Live-Player\Live-Player.exe” | In – Public – P6 – TRUE | .(…) — C:\Program Files\Live-Player\Live-Player.exe

Report of ZHPFix v1.12.3244 by Nicolas Coolman, Update of 27/01/2011

========== Registry Value(s) ==========
TCP Query User{C609E4FF-807A-4516-83C9-85D43A8DD9E1}C:\Program Files\Live-Player\Live-Player.exe => Value deleted successfully

========== File(s) ==========
c:\program files\live-player\live-player.exe => Deleted and quarantined

========== Summary ==========
1: Register value(s)
1: File(s)