FWPM_FILTER 'OR' operator not working on Windows 7 while the condition.fieldKey is FWPM_CONDITION_ALE_APP_ID

  • Question

  • I'm blocking traffic at FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6} layer.

    Here are my conditions captured by "netsh wfp show filter":

    <filterCondition numItems="2">
        <item>
            <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_BYTE_BLOB_TYPE</type>
                <byteBlob>
                    <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c0069006e007400650072006e006500740020006500780070006c006f007200650072005c0069006500780070006c006f00720065002e006500780065000000</data>
                    <asString>\device\harddiskvolume1\program files (x86)\internet explorer\iexplore.exe</asString>
                </byteBlob>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_BYTE_BLOB_TYPE</type>
                <byteBlob>
                    <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c0067006f006f0067006c0065005c006300680072006f006d0065005c006100700070006c00690063006100740069006f006e005c006300680072006f006d0065002e006500780065000000</data>
                    <asString>\device\harddiskvolume1\program files (x86)\google\chrome\application\chrome.exe</asString>
                </byteBlob>
            </conditionValue>
        </item>
    </filterCondition>

    On Win7, it blocks IE successfully, but Chrome can still access the network. (Unexpected)

    With the same code running on Win10, both IE and Chrome cannot access the network. (Expected)



    • Edited by Joke Huang Thursday, February 21, 2019 8:59 AM
    Thursday, February 21, 2019 8:55 AM
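
A check that can be run on such a dump before comparing OS behaviour, as an added example (not code from the original post): it groups the `<item>` entries by `fieldKey` and verifies that each `<data>` blob decodes as NUL-terminated UTF-16LE, as the blobs in the post are, and matches `<asString>`. The function names and the third, unterminated item are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

IE = r"\device\harddiskvolume1\program files (x86)\internet explorer\iexplore.exe"
CHROME = r"\device\harddiskvolume1\program files (x86)\google\chrome\application\chrome.exe"

def make_item(path, terminated=True):
    """Build one constructed <item>; the blob is UTF-16LE hex like the post's <data>."""
    data = (path + ("\0" if terminated else "")).encode("utf-16-le").hex()
    return ("<item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>"
            "<matchType>FWP_MATCH_EQUAL</matchType><conditionValue>"
            "<type>FWP_BYTE_BLOB_TYPE</type><byteBlob>"
            f"<data>{data}</data><asString>{path}</asString>"
            "</byteBlob></conditionValue></item>")

# Constructed sample: the post's two paths plus a hypothetical unterminated blob.
SAMPLE = ('<filterCondition numItems="3">' + make_item(IE) + make_item(CHROME)
          + make_item(r"\device\harddiskvolume1\example\app.exe", terminated=False)
          + "</filterCondition>")

def audit_conditions(xml_text):
    """Group conditions by fieldKey and sanity-check every byte-blob value."""
    groups = defaultdict(list)
    for item in ET.fromstring(xml_text).iter("item"):
        entry = {"match": item.findtext("matchType"), "path": None, "problems": []}
        blob = item.find("conditionValue/byteBlob")
        if blob is not None:
            try:
                text = bytes.fromhex(blob.findtext("data") or "").decode("utf-16-le")
            except ValueError:  # bad hex digits, or an odd number of bytes
                entry["problems"].append("data is not valid UTF-16LE hex")
            else:
                if not text.endswith("\0"):
                    entry["problems"].append("missing NUL terminator")
                entry["path"] = text.rstrip("\0")
                if entry["path"] != (blob.findtext("asString") or ""):
                    entry["problems"].append("data and asString disagree")
        groups[item.findtext("fieldKey")].append(entry)
    return dict(groups)

if __name__ == "__main__":
    for key, entries in audit_conditions(SAMPLE).items():
        print(f"{key}: {len(entries)} condition(s) share this field key")
        for e in entries:
            print("  ", e["match"], e["path"], e["problems"] or "ok")
```

If every blob passes on both machines, the filter input is identical and the difference lies in how each OS evaluates it.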