Most of the time I’d like to be in firewall safe mode but sometimes when installing a new application I’d like to block it from internet access whether it’s on the safe list or not.
Is there a way to do that and if so how?
For example, if I add an application to the Application Rules list using the blocked application ruleset, will that take priority over the safe list while in safe mode? And how would I add the application if it’s not yet been installed and I don’t want it to ever connect to the internet?
Rules take priority over safe mode, but the application needs to be located somewhere because rules are based on the file path to the application. You could also set the firewall to block all mode temporarily until you get the chance to add the application firewall rule.
Having thought about it a bit more I’m wondering if a better way could be to switch to Custom Ruleset, turn on notifications, install the app and block it when it attempts to connect, thus creating an application rule, then switch back to Safe Mode?
The moment you switch to Custom Ruleset, all normally “safe” applications will start creating firewall alerts. You’ll probably get dozens a minute until you create temporary or permanent rules for them. The alerts show up first come, first served… so you might have to click past many other applications’ alerts before you encounter the one you want to block with a permanent rule.
Theoretically, you could check “Create rules for safe applications” for a few minutes while in Safe Mode before switching to Custom Ruleset and unchecking that create rules option. This will save you from the alert onslaught, but you will need to clean up the extra “safe” rules that the checkbox created. Luckily they will appear at the top of the list.
If I temporarily block all internet activity as suggested by @futuretech, will connection attempts by specific applications show in the log? That way I could temporarily block, install and run the application, check the logs to see exactly what executable(s) attempted to connect, create application rules for that/those, then return to safe mode.
No, but you can enable “Do not show alerts: block requests” in the firewall settings and set the firewall to custom ruleset mode; then it will log the blocked attempts.