Today I ran into a big problem: someone (hacker or virus) tried to access lsass.exe, a typical backdoor check.
What I needed were some simple features that work together:
- An option in the Application Network Process Control window to allow an automatic configuration change: if a rule is fired from an IP other than 127.0.0.1 or my current IP address, automatically create a custom rule for the inbound IP, based on my preferences.
Here is how I want to configure lsass.exe:
Block IP in/out from IP Any Where Protocol is Any
In the Network Control Rule page:
Check a (not yet existent) checkbox next to “Log as a firewall event…” named “Automatically Create New Network Rule…Configure”
Clicking “Automatically Create New Network Rule…Configure” I want it to open a window similar to the Network Control Rule, with the “Single IP” replaced by “Offender IP” or similar. There I want to block any in/out connection to that IP on any protocol.
- An option in the main window to trigger a warning window whenever a blocking rule has been fired, with the option to modify that rule.
- In the “Firewall Events” and “View Active Connections” windows I would like a new feature: double click an item and the responsible rule appears and can be modified.