Can Windows Firewall log which exe was blocked?

We want to ship a firewall program with our product.

I can configure Windows Firewall to block outbound connections (it doesn't by default):

    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

But then I need to know when something gets blocked, so I can ask whether it should be unblocked.

I tried turning on logging, but it doesn't log the path of the exe. Is there a way to get this logged?

I posted a question on StackOverflow about an event-detection approach, but if there is a way to turn on logging of the exe path, I'd like to know about it. I'd prefer to stay in Java, where event detection is limited.

I don't mind calling any command-line program, nor using VBScripts. But what I need is to know that an outgoing connection from an EXE has been blocked, and which EXE.

I believe this is what you are looking for: application logging

Once configured, it will be logged in the system log, and the application name will be listed.

As the link points out, the correct source is the Windows Filtering Platform audit events. We can dump the needed data with the following cmd script:

    @echo off
    REM Capture the current local time so that only events logged from now on are queried.
    for /f "tokens=2 delims==" %%s in ('wmic os get LocalDateTime /value') do set datetime=%%s
    REM Enable failure auditing for "Filtering Platform Packet Drop" (event 5152).
    auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030} /failure:enable > nul
    REM Run the program of interest now, then press a key to continue.
    pause
    REM Dump the 5152 events written to the Security log since the timestamp above.
    wmic ntevent where "LogFile='security' AND EventCode = 5152 AND TimeGenerated > '%datetime%'" get InsertionStrings
    REM Turn the auditing off again.
    auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030} /failure:disable > nul

"{0CCE9225-69AE-11D9-BED3-505054503030}" is the GUID of the "Filtering Platform Packet Drop" event, and 5152 is the event code. Run the program or action of interest while the script is paused, and resume the script when testing is done. Sample output:

    InsertionStrings
    {"504", "\device\harddiskvolume2\windows\system32\svchost.exe", "%%14592", "10.0.0.254", "67", "255.255.255.255", "68", "17", "89509", "%%14610", "44"}
    {"3348", "\device\harddiskvolume2\another\program.exe", "%%14593", "10.0.0.1", "52006", "123.123.123.123", "80", "6", "89523", "%%14611", "48"}

Using get Message /value in the wmic command instead of get InsertionStrings, the output is more informative but also longer:

    Message=The Windows Filtering Platform has blocked a packet.

    Application Information:
        Process ID:             3128
        Application Name:       \device\harddiskvolume2\path\to\program.exe

    Network Information:
        Direction:              Outbound
        Source Address:         10.0.0.1
        Source Port:            50099
        Destination Address:    1.2.3.4
        Destination Port:       80
        Protocol:               6

    Filter Information:
        Filter Run-Time ID:     69203
        Layer Name:             Connect
        Layer Run-Time ID:      48

These are just excerpts from the Security log, which is also accessible in the GUI.
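The raw wmic output above is what a wrapper program (the question wants to drive this from Java) has to consume, so the following added example, which is not part of any answer here, parses the InsertionStrings records into structured objects. The two sample records are the lines from the answer above, the field order follows them, the %%-placeholder mapping for direction and layer is the one Event Viewer applies to event 5152, and the volume mapping passed to device_path_to_win32 is a constructed stand-in for what QueryDosDevice would return on a real host. It keeps only outbound drops and collapses repeated drops so a user would be asked once per application and destination rather than once per packet.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two records printed by
# `wmic ntevent ... get InsertionStrings` in the answer above.
SAMPLE_WMIC_OUTPUT = r'''
InsertionStrings
{"504", "\device\harddiskvolume2\windows\system32\svchost.exe", "%%14592", "10.0.0.254", "67", "255.255.255.255", "68", "17", "89509", "%%14610", "44"}
{"3348", "\device\harddiskvolume2\another\program.exe", "%%14593", "10.0.0.1", "52006", "123.123.123.123", "80", "6", "89523", "%%14611", "48"}
'''

# Positional layout of the event 5152 insertion strings, taken from the sample output.
FIELDS = ("process_id", "application", "direction", "src_addr", "src_port",
          "dst_addr", "dst_port", "protocol", "filter_rtid", "layer_name", "layer_rtid")

# Event Viewer resolves these placeholders for display; wmic leaves them as codes.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
LAYER = {"%%14610": "Receive/Accept", "%%14611": "Connect"}
PROTOCOL = {"1": "ICMP", "6": "TCP", "17": "UDP"}


@dataclass(frozen=True)
class BlockedPacket:
    process_id: int
    application: str   # NT device path, as logged by WFP
    direction: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    protocol: str
    layer: str


def parse_insertion_strings(text):
    """Turn each {"...", "..."} line of wmic output into a BlockedPacket."""
    records = []
    for line in text.splitlines():
        m = re.search(r'\{(.*)\}', line)
        if not m:
            continue  # header line or blank line
        values = [v.strip() for v in re.findall(r'"([^"]*)"', m.group(1))]
        if len(values) != len(FIELDS):
            continue  # not a 5152 record, or a truncated line; skip it
        f = dict(zip(FIELDS, values))
        records.append(BlockedPacket(
            process_id=int(f["process_id"]),
            application=f["application"],
            direction=DIRECTION.get(f["direction"], f["direction"]),
            src_addr=f["src_addr"], src_port=int(f["src_port"]),
            dst_addr=f["dst_addr"], dst_port=int(f["dst_port"]),
            protocol=PROTOCOL.get(f["protocol"], f["protocol"]),
            layer=LAYER.get(f["layer_name"], f["layer_name"]),
        ))
    return records


def outbound_blocks(records):
    """Only outbound drops matter for the 'ask the user whether to unblock' use case."""
    return [r for r in records if r.direction == "Outbound"]


def unique_destinations(records):
    """Collapse repeated drops to one entry per (application, destination, port, protocol)."""
    seen = {}
    for r in records:
        seen.setdefault((r.application, r.dst_addr, r.dst_port, r.protocol), r)
    return list(seen.values())


def device_path_to_win32(device_path, volume_map):
    """Rewrite a \\device\\harddiskvolumeN prefix to its drive letter.

    WFP logs NT device paths, but firewall rules want drive-letter paths.
    volume_map is caller-supplied (on Windows, built from QueryDosDevice);
    the example passes a constructed mapping.
    """
    lowered = device_path.lower()
    for prefix, drive in volume_map.items():
        rest = device_path[len(prefix):]
        if lowered.startswith(prefix.lower()) and rest.startswith("\\"):
            return drive + rest
    return device_path  # unknown volume: leave the path untouched


if __name__ == "__main__":
    volumes = {r"\device\harddiskvolume2": "C:"}  # constructed stand-in
    for pkt in unique_destinations(outbound_blocks(parse_insertion_strings(SAMPLE_WMIC_OUTPUT))):
        print(f"{device_path_to_win32(pkt.application, volumes)} -> "
              f"{pkt.dst_addr}:{pkt.dst_port}/{pkt.protocol} (pid {pkt.process_id}, layer {pkt.layer})")
```

The dedup step is what keeps a prompt-the-user design usable: a single blocked program retrying a connection produces one 5152 event per packet, and the user should see one question, not a flood.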

p0rkjello answered correctly but left out the key part; after struggling for a couple of hours I found the solution:

  1. Open CMD with administrator privileges and paste the command auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
  2. Open Event Viewer and go to Windows Logs > Security
  3. From the right-hand pane select Filter log > Keywords > select "Audit failure"

The information that can be found there includes the application name, destination IP, connection direction, and so on.

This VBScript will enumerate the Windows Firewall rule settings:

    ' This VBScript file includes sample code that enumerates
    ' Windows Firewall rules using the Microsoft Windows Firewall APIs.

    Option Explicit

    Dim CurrentProfiles
    Dim InterfaceArray
    Dim LowerBound
    Dim UpperBound
    Dim iterate
    Dim rule

    ' Profile Type
    Const NET_FW_PROFILE2_DOMAIN = 1
    Const NET_FW_PROFILE2_PRIVATE = 2
    Const NET_FW_PROFILE2_PUBLIC = 4

    ' Protocol
    Const NET_FW_IP_PROTOCOL_TCP = 6
    Const NET_FW_IP_PROTOCOL_UDP = 17
    Const NET_FW_IP_PROTOCOL_ICMPv4 = 1
    Const NET_FW_IP_PROTOCOL_ICMPv6 = 58

    ' Direction
    Const NET_FW_RULE_DIR_IN = 1
    Const NET_FW_RULE_DIR_OUT = 2

    ' Action
    Const NET_FW_ACTION_BLOCK = 0
    Const NET_FW_ACTION_ALLOW = 1

    ' Create the FwPolicy2 object.
    Dim fwPolicy2
    Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")

    CurrentProfiles = fwPolicy2.CurrentProfileTypes

    ' The returned 'CurrentProfiles' bitmask can have more than 1 bit set if multiple profiles
    ' are active or current at the same time
    If (CurrentProfiles And NET_FW_PROFILE2_DOMAIN) Then
        WScript.Echo("Domain Firewall Profile is active")
    End If

    If (CurrentProfiles And NET_FW_PROFILE2_PRIVATE) Then
        WScript.Echo("Private Firewall Profile is active")
    End If

    If (CurrentProfiles And NET_FW_PROFILE2_PUBLIC) Then
        WScript.Echo("Public Firewall Profile is active")
    End If

    ' Get the Rules object
    Dim RulesObject
    Set RulesObject = fwPolicy2.Rules

    ' Print all the rules in currently active firewall profiles.
    WScript.Echo("Rules:")
    For Each rule In RulesObject
        If rule.Profiles And CurrentProfiles Then
            WScript.Echo("  Rule Name: " & rule.Name)
            WScript.Echo("  ----------------------------------------------")
            WScript.Echo("  Description: " & rule.Description)
            WScript.Echo("  Application Name: " & rule.ApplicationName)
            WScript.Echo("  Service Name: " & rule.ServiceName)
            Select Case rule.Protocol
                Case NET_FW_IP_PROTOCOL_TCP
                    WScript.Echo("  IP Protocol: TCP.")
                Case NET_FW_IP_PROTOCOL_UDP
                    WScript.Echo("  IP Protocol: UDP.")
                Case NET_FW_IP_PROTOCOL_ICMPv4
                    ' The original sample printed "UDP." for both ICMP cases; corrected here.
                    WScript.Echo("  IP Protocol: ICMPv4.")
                Case NET_FW_IP_PROTOCOL_ICMPv6
                    WScript.Echo("  IP Protocol: ICMPv6.")
                Case Else
                    WScript.Echo("  IP Protocol: " & rule.Protocol)
            End Select
            ' Ports and addresses only apply to TCP and UDP rules.
            If rule.Protocol = NET_FW_IP_PROTOCOL_TCP Or rule.Protocol = NET_FW_IP_PROTOCOL_UDP Then
                WScript.Echo("  Local Ports: " & rule.LocalPorts)
                WScript.Echo("  Remote Ports: " & rule.RemotePorts)
                WScript.Echo("  LocalAddresses: " & rule.LocalAddresses)
                WScript.Echo("  RemoteAddresses: " & rule.RemoteAddresses)
            End If
            If rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv4 Or rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv6 Then
                WScript.Echo("  ICMP Type and Code: " & rule.IcmpTypesAndCodes)
            End If
            Select Case rule.Direction
                Case NET_FW_RULE_DIR_IN
                    WScript.Echo("  Direction: In")
                Case NET_FW_RULE_DIR_OUT
                    WScript.Echo("  Direction: Out")
            End Select
            WScript.Echo("  Enabled: " & rule.Enabled)
            WScript.Echo("  Edge: " & rule.EdgeTraversal)
            Select Case rule.Action
                Case NET_FW_ACTION_ALLOW
                    WScript.Echo("  Action: Allow")
                Case NET_FW_ACTION_BLOCK
                    WScript.Echo("  Action: Block")
            End Select
            WScript.Echo("  Grouping: " & rule.Grouping)
            WScript.Echo("  Interface Types: " & rule.InterfaceTypes)
            ' rule.Interfaces is Empty when the rule applies to all interfaces,
            ' otherwise an array of interface names.
            InterfaceArray = rule.Interfaces
            If IsEmpty(InterfaceArray) Then
                WScript.Echo("  Interfaces: All")
            Else
                LowerBound = LBound(InterfaceArray)
                UpperBound = UBound(InterfaceArray)
                WScript.Echo("  Interfaces: ")
                For iterate = LowerBound To UpperBound
                    WScript.Echo("    " & InterfaceArray(iterate))
                Next
            End If
            WScript.Echo("")
        End If
    Next

It comes from here and should put you on the right path.