Windows Firewall exception list (?) Is this for real?

  • Thread starter MarkFilipak.Windows

MarkFilipak.Windows

From the Event Viewer, 'Applications and Services Logs', 'Microsoft', 'Windows', 'Windows Firewall With Advanced Security' event below, it appears that, in addition to the Inbound & Outbound Rules with which some of us (me) are familiar, there's also such a thing as a Windows Firewall exception list (note "Description", in the event, below). How can I learn more about this exception list?


Log Name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Source: Microsoft-Windows-Windows Firewall With Advanced Security
Date: 18/10/14 16:07:58
Event ID: 2004
Task Category: None
Level: Information
Keywords: (2199023255552)
User: LOCAL SERVICE
Computer: LAPTOP-FGMHQKQ8
Description:
A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
Rule ID: {1533CB76-A11F-43B1-A55E-B565513255AA}
Rule Name: WinDefend Outbound for TCP
Origin: Local
Active: Yes
Direction: Outbound
Profiles: Private,Domain, Public
Action: Allow
Application Path: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe
Service Name: WinDefend
Protocol: TCP
Security Options: None
Edge Traversal: None
Modifying User: SYSTEM
Modifying Application: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" Guid="{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}" />
<EventID>2004</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000020000000000</Keywords>
<TimeCreated SystemTime="2018-10-14T20:07:58.277793900Z" />
<EventRecordID>6888</EventRecordID>
<Correlation />
<Execution ProcessID="2056" ThreadID="4740" />
<Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
<Computer>LAPTOP-FGMHQKQ8</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="RuleId">{1533CB76-A11F-43B1-A55E-B565513255AA}</Data>
<Data Name="RuleName">WinDefend Outbound for TCP</Data>
<Data Name="Origin">1</Data>
<Data Name="ApplicationPath">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe</Data>
<Data Name="ServiceName">WinDefend</Data>
<Data Name="Direction">2</Data>
<Data Name="Protocol">6</Data>
<Data Name="LocalPorts">*</Data>
<Data Name="RemotePorts">*</Data>
<Data Name="Action">3</Data>
<Data Name="Profiles">2147483647</Data>
<Data Name="LocalAddresses">*</Data>
<Data Name="RemoteAddresses">*</Data>
<Data Name="RemoteMachineAuthorizationList">
</Data>
<Data Name="RemoteUserAuthorizationList">
</Data>
<Data Name="EmbeddedContext">
</Data>
<Data Name="Flags">1</Data>
<Data Name="Active">1</Data>
<Data Name="EdgeTraversal">0</Data>
<Data Name="LooseSourceMapped">0</Data>
<Data Name="SecurityOptions">0</Data>
<Data Name="ModifyingUser">S-1-5-18</Data>
<Data Name="ModifyingApplication">C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe</Data>
<Data Name="SchemaVersion">540</Data>
<Data Name="RuleStatus">65536</Data>
<Data Name="LocalOnlyMapped">0</Data>
</EventData>
</Event>
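
The numeric fields in the Event Xml above correspond to the rendered text that precedes it. The following is an added example, not part of the original post, that decodes a 2004 event and reports which account and program added the rule and how broad the rule is. The function name `decode_rule_added`, the trimmed sample, and the codes not visible in the post (Inbound, Block, UDP, the individual profile bits) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Codes in the post's event match its rendered text; the rest are assumed from the Windows firewall API enums.
DIRECTION = {"1": "Inbound", "2": "Outbound"}
ACTION = {"2": "Block", "3": "Allow"}
PROTOCOL = {"6": "TCP", "17": "UDP"}
PROFILE_BITS = {0x1: "Domain", 0x2: "Private", 0x4: "Public"}
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE"}

# Constructed sample: the post's Event XML trimmed to the fields used below.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>2004</EventID></System>
<EventData>
<Data Name="RuleName">WinDefend Outbound for TCP</Data>
<Data Name="ApplicationPath">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe</Data>
<Data Name="Direction">2</Data>
<Data Name="Protocol">6</Data>
<Data Name="RemotePorts">*</Data>
<Data Name="Action">3</Data>
<Data Name="Profiles">2147483647</Data>
<Data Name="RemoteAddresses">*</Data>
<Data Name="ModifyingUser">S-1-5-18</Data>
<Data Name="ModifyingApplication">C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe</Data>
</EventData>
</Event>"""

def decode_rule_added(xml_text):
    """Return a readable summary of an event 2004 record plus two review flags."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "2004":
        raise ValueError("not a 'rule added' (2004) event")
    f = {d.get("Name"): (d.text or "").strip() for d in root.iterfind("e:EventData/e:Data", NS)}
    profiles = [name for bit, name in PROFILE_BITS.items() if int(f["Profiles"]) & bit]
    return {
        "rule": f["RuleName"],
        "direction": DIRECTION.get(f["Direction"], f["Direction"]),
        "action": ACTION.get(f["Action"], f["Action"]),
        "protocol": PROTOCOL.get(f["Protocol"], f["Protocol"]),
        "profiles": profiles,
        "added_by": WELL_KNOWN_SIDS.get(f["ModifyingUser"], f["ModifyingUser"]),
        # Windows paths are case-insensitive: "platform" and "Platform" name the same file.
        "self_authored": f["ApplicationPath"].lower() == f["ModifyingApplication"].lower(),
        # Allow rule with no port or address restriction that applies to every profile.
        "unrestricted_allow": f["Action"] == "3" and len(profiles) == 3
            and f.get("RemotePorts") == "*" and f.get("RemoteAddresses") == "*",
    }

print(decode_rule_added(SAMPLE))
```

For the event in the post, the summary shows an outbound TCP allow rule on all three profiles, added by SYSTEM, where the program that created the rule is the same executable the rule applies to.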
