windows firewall will not block .exe on a mount point

jojothehumanmonkey 21 Reputation points
2021-02-22T21:20:25.09+00:00

hello and thanks.

need to block .exe on a mount volume
the app is b:\mount\bl\keepass\KeePass.exe, which runs well.

now, i need to block network access for that .exe; windows firewall will not block it.

if i run keepass.exe from 'real' drive, then the firewall can block it.

so how do i block a .exe that is on a mount point.

here is the output of mountvol.exe

\?\Volume{220a8896-6984-11eb-9d63-482ae32ef6d1}\
B:\mount\bl\

thanks much,
jojo

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
0 comments No comments
{count} votes

Accepted answer
  1. Gary Nebbett 6,216 Reputation points
    2021-02-25T16:39:04.903+00:00

    Hello @jojothehumanmonkey ,

    I was hoping that using a program path like \.\Volume{220a8896-6984-11eb-9d63-482ae32ef6d1}\keepass\keepass.exe or \.\HarddiskVolumeX\keepass\keepass.exe would work - but unfortunately it doesn't; the syntax is accepted, but it creates a native path like \device\mup\HarddiskVolumeX\keepass\keepass.exe (which is not correct, this is the equivalent to a UNC path to the server HarddiskVolumeX and share keepass).

    It is possible to block the connection by using the low-level WFP API (e.g. FwpmFilterAdd0) but this is a lot of work and the resulting rule cannot be managed via MMC or netsh.

    Obviously, just assigning a drive letter to the second volume would work. I will continue to check if there is any way to create a manageable rule for a program on a volume that does not have its own drive letter assigned.

    Gary

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Anonymous
    2021-02-23T03:27:23.73+00:00

    Hi ,

    Did you mean putting the path of b:\mount\bl\keepass\KeePass.exe here and create the Firewall rule successfully, but the application still can access the internet?

    70953-image.png

    If I have anything misunderstanding, please feel free to let me know. Please clarify more details to help us identify your issue.

    Best Regards,

    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Gary Nebbett 6,216 Reputation points
    2021-02-24T09:18:46.03+00:00

    Hello @jojothehumanmonkey ,

    Another idea is to use Event Tracing for Windows (ETW) to trace what happens when b:\mount\bl\keepass\KeePass.exe tries to initiate a connection. The most useful provider to trace is "TCPIP Service Trace" and I would also suggest including Microsoft-Windows-TCPIP for additional context. The trace should show the path name that is used when classifying the connect request. Here is a brief example of what the trace data might show:

    71478-image.png

    You probably won't have access to the tools/metadata needed to view the trace comfortably, but if you can just search the trace results for Unicode (UTF-16) strings including "keepass.exe" (case insensitively) then you should see the path that is being considered by the filtering platform. Given that information, it should be possible to work backwards and determine what path to use in the "block" rule.

    Gary


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.