TinyWall icon indicating copy to clipboard operation
TinyWall copied to clipboard
verified publisher icon pylorak

Feature Request: option to ignore path on rule definition

Open mkauf8 opened this issue 2 years ago • 13 comments

issue there are apps which update quite frequently and while doing so, creating a new directory for the new version instead of using the old one. this leads to a slightly different path (mostly only version number changed) while using the same executable name. Since the path changed, the rule created within tinywall does not match anymore and the app is going to be blocked. This means after every app-update I have to adjust the rule again within tinywall which is tedious.

solution proposal add checkbox with the option to "ignore path" in the rule dialog so one can decide (and therefore accept the risks involved) to apply the rule only on the executable alone and adjust the rule evaluator accordingly.

examples of popular apps affected

  • google drive
  • cura slicer

mkauf8 avatar Mar 23 '23 06:03 mkauf8

It happens with WhatsApp desktop version too.

ninmba avatar Mar 24 '23 00:03 ninmba

If the affected app is a Windows Store app (like WhatsApp Desktop for example seems to be) and if it is also a UWP app, be sure to unblock it as a UWP app in TinyWall instead of unblocking its executable. Then TinyWall will automatically pick up new versions even if the directory changes.

For non-UWP apps things look different. The main reason a feature like this didn't get implemented in TinyWall for non-UWP apps is because it is a serious security risk. Such programs that change their directories upon each minor update are typically installed in non-protected user folders. All a malware would need to do, is to copy itself to a directory that looks like a new version of your application, and it would automatically get unblocked without requiring admin privileges or your consent.

pylorak avatar Mar 24 '23 13:03 pylorak

I understand what you're saying. But everything a user is configuring within an exception rule is adding to overwall risk by nature (if it is disabling access to hosts file or allowing an app to have public access, or even enabling learning mode, etc.) The question is, will you allow the user to make the decision what risk he is willing to accept for himself or do you dictate it by enforcing it trough the firewall app. I'd personally prefer the first option, since I'd like to be in control.

When a user allows an app in a non-protected folder, it would not be so hard for malware to replace those executables in an existing path as well, would it not?

Maybe one could mitigate the risks by

  • defaulting the switch "ignore path" to "disabled"
  • showing a security hint when enabling this switch to ensure risk awareness
  • even increasing security for dedicated apps by adding another checkbox "check/lock version of executable" to filter exe-version and only allow original allowed versions
  • if none of the above seem feasible, at least detect same exe blockings and show a friendly user dialog asking if he is willing to allow the new executable too

I really like the app and it's small footprint with a no-nonsense ui. Thank you for this piece of very usable software.

mkauf8 avatar Mar 24 '23 14:03 mkauf8

It is true that there is a similar risk in theory with the malware replacing/modifying the installed application itself. Still, there are a few key differences and important notes here:

  • Preventing applications in non-secure folders to get unblocked is not acceptable in practice. If we were to only allow whitelisting apps in Program Files (for example), the firewall would be basically unusable. So there is nothing we can do about this, we have no choice but to allow unblocking these apps. In contrast, we do have a real choice about automatically and silently whitelisting new apps in non-secure folders.
  • Just because there is an attack surface that we cannot avoid, it does not justify to open up new security holes where we do have a choice, even if they pose a similar risk.
  • If the malware modifies or replaces an installed application, its digital signature will be invalidated. This could be picked up by other security software, or if the software requires admin rights, the user will at least see the corrupted certificate at the next UAC prompt.
  • And lastly. many of the applications are long-running. Browsers, Google Drive, WhatsApp, etc. These are usually started shortly after the computer boots (either manually or even automatically) and run until the computer is shut down. The executables of running processes cannot be modified (though this is really not hard to circumvent).

Increasing the security of installed apps by locking down their version is, unfortunately, not possible in TinyWall. This would only work if the firewall could verify the hash and/or version and/or (best option) signature upon each communication attempt of unblocked apps. This is something that's only possible from a kernel driver, and TinyWall doesn't have any.

I can understand giving users more choice and leaving the responsibility to them. But that is the hardest part of UI design for me: Deciding what choices to give to the user. As an example, you have no idea how many users (even those with supposedly IT-affinity) misuse the Autolearning mode, practically invalidating any effect of a firewall. This happens despite the unavoidable lengthy explanation dialog you get each time you activate Autolearn mode. I've long regretted adding Autolearn to TinyWall. It could have been a useful feature, but in reality I see users shooting themselves in the foot way too often with it.

Anyway, these are just my personal views. If anybody wants to tackle the feature in this ticket, I won't stand in the way. The only requirements I'll pose are that of implementation quality:

  • Provide a way to define which parts of the path may be ignored (for example, by using wildcard characters)
  • The feature has to work reliably even for apps already unblocked
  • It has to work while TinyWall is already running (not just at startup)
  • It has to work efficiently, e.g. without periodic polling/scanning (for example, use directory watchers etc.)
  • Provide security clues to the user. At a minimum, warn them when enabling this feature. At best, warn them in a popup whenever a new app version gets automatically whitelisted.
  • What I think would be great is to allow this feature to only work with executable that have a valid digital signature. Then TinyWall could require new executables under different paths to be signed with the same signature, which I guess could make this feature acceptable security-wise.

I'll happily accept pull requests if they fulfill these criteria.

pylorak avatar Mar 25 '23 15:03 pylorak

The most annoying app related to this issue is Chrome Remote Desktop. When it updates you suddenly loose ability to connect to your remote PC. Of course, updates can be blocked, but it does not seem to be a good idea.

But Chrome Remote Desktop uses symlink "CurrentVersion", which points to current directory with latest "remoting_host.exe". TinyWall does not support such link and resolves path to real directory when trying to add "remoting_host.exe" via "CurrentVersion" symlink. Is it possible to fix somehow?

PKav89 avatar Nov 29 '23 10:11 PKav89

Any update on path ignore (I'd rather have .exe's in a path instead of path as a malicious app could move a malicious .exe in an existing path) Also can we add hash verification? If a .exe hash is changed then it should warn the user and prompt acceptance or something along those Ines

coopfidgets avatar Jul 31 '24 11:07 coopfidgets

As stated, I will accept PRs with this feature as long as it fulfills quality and efficiency constraints (see my comment above). I will not personally develop this feature however.

pylorak avatar Jul 31 '24 22:07 pylorak

Because of this issue, TinyWall is unusable if you have instantly-updating apps like Discord.

nikich340 avatar Apr 02 '25 09:04 nikich340

@pylorak It appears this feature is needed by many people (including myself), and without it, many are forced to look for alternatives.

Akiyamka avatar Apr 26 '25 22:04 Akiyamka

This also happens with github action runners, from time to time my runners get blocked because they`ve updated and changed the .exe name.

patric0889 avatar Aug 09 '25 14:08 patric0889

I'm not totally averse to this idea (with some sensical restriction to keep the feature relatively secure), but currently I cannot invest the necessary time to implement it. It might come in a future version, but please don't expect it to be soon, unfortunately. Leaving the issue open for myself as the feature request is neither denied nor implemented.

pylorak avatar Aug 14 '25 16:08 pylorak

I don't have a solution for this, but certainly either a whitelist by folder or allow automatically inherit rules in specific programs sharing the same name should be allowed. In my case for example Fusion360 needs to be allowed access everytime it updates, which is quite often.

kino13 avatar Aug 16 '25 20:08 kino13

I'm also facing the same issue and I'd be ok using this feature with regex as long as I can restrict the destination IP to a list that I'll add manually.

This way, even if malware matches the regex, it won't communicate with its server.

@pylorak Is this acceptable to you? Would you be ok implementing it like this?

pplupo avatar Oct 23 '25 15:10 pplupo