I'm at a loss trying to troubleshoot why Windows Firewall is denying this particular program even though it has a rule that should explicitly allow it. The Windows event (in XML format) is this:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5157</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-11-14T05:07:52.434064200Z" />
<EventRecordID>20650621</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="8896" />
<Channel>Security</Channel>
<Computer>BROWNER87</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">1512</Data>
<Data Name="Application">\device\harddiskvolume6\users\browner87\appdata\roaming\insync\app\insync.exe</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="SourceAddress">192.168.5.88</Data>
<Data Name="SourcePort">56149</Data>
<Data Name="DestAddress">172.217.164.109</Data>
<Data Name="DestPort">443</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">74826</Data>
<Data Name="LayerName">%%14611</Data>
<Data Name="LayerRTID">48</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
The rule that (as far as I can tell) should catch this event is:
<item>
<filterKey>{aa650ea0-b2ee-47cb-83c8-fdccd3389200}</filterKey>
<displayData>
<name>Insync</name>
<description/>
</displayData>
<flags numItems="1">
<item>FWPM_FILTER_FLAG_INDEXED</item>
</flags>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>c708000000000000</data>
<asString>........</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>9</uint8>
</weight>
<filterCondition numItems="2">
<item>
<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_BYTE_BLOB_TYPE</type>
<byteBlob>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650036005c00750073006500720073005c00620072006f0077006e0065007200380037005c0061007000700064006100740061005c0072006f0061006d0069006e0067005c0069006e00730079006e0063005c006100700070005c0069006e00730079006e0063002e006500780065000000</data>
<asString>\device\harddiskvolume6\users\browner87\appdata\roaming\insync\app\insync.exe</asString>
</byteBlob>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT8</type>
<uint8>6</uint8>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>75650</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>10376716303682502656</uint64>
</effectiveWeight>
</item>
The application path seems to match exactly, the protocol matches, and those are the only two conditions in the rule. Instead, it is being denied by the following rule:
<item>
<filterKey>{86f28a60-f01f-499b-a830-a5914e24dfec}</filterKey>
<displayData>
<name>Default Outbound</name>
<description>Default Outbound</description>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>4108000000000000</data>
<asString>A.......</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>8</uint8>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>2</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>74826</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>9223372036854791168</uint64>
</effectiveWeight>
</item>
Both rules claim to be in the same sublayer, and the allow rule's weight is higher than the deny's. The rule previously had the path
\device\harddiskvolume6\windows\serviceprofiles\localservice\appdata\roaming\insync\app\insync.exe
which did not exactly match the event, so I updated it, and as you can see they now appear to match exactly.
I can't find a reason why the default deny is catching this connection.
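As an added example (not part of the post), a small Python checker that reads a 5157 event and a `netsh wfp show filters` item and lists why the filter could not have applied to the event: it compares the layer the event was decided in (LayerRTID) with the filter's layerKey, then checks each filter condition against what the event recorded. The LayerRTID map beyond 48 is assumed from the public WFP layer numbering, and the inputs are constructed, trimmed copies of the page's XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event LayerRTID -> WFP layer key; 48 = ALE_AUTH_CONNECT_V4 is what the page's block
# filter reports, the other entries are assumed from the public WFP layer numbering.
LAYER_RTID_TO_KEY = {44: "FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4", 46: "FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6",
                     48: "FWPM_LAYER_ALE_AUTH_CONNECT_V4", 50: "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

def parse_event(xml_text):
    """Pull the fields a filter can be checked against out of a 5157 event."""
    data = {d.get("Name"): d.text for d in ET.fromstring(xml_text).find("e:EventData", NS)}
    return {"FWPM_CONDITION_ALE_APP_ID": data["Application"].lower(),
            "FWPM_CONDITION_IP_PROTOCOL": int(data["Protocol"]),
            "layer_rtid": int(data["LayerRTID"]), "filter_rtid": int(data["FilterRTID"])}

def parse_filter(xml_text):
    """Read id, layer, action and conditions from one 'netsh wfp show filters' <item>."""
    item, conds = ET.fromstring(xml_text), {}
    for c in item.find("filterCondition"):
        val = c.find("conditionValue")
        blob = val.findtext("byteBlob/asString")  # app-id conditions are byte blobs;
        # numeric ones keep the value in the element after <type> (uint8, uint32, ...)
        conds[c.findtext("fieldKey")] = (blob.lower() if blob is not None
                                         else int(next(ch.text for ch in val if ch.tag != "type")))
    return {"id": int(item.findtext("filterId")), "layer": item.findtext("layerKey"),
            "action": item.findtext("action/type"), "conds": conds}

def why_not_matched(event, filt):
    """List the reasons a filter could not apply to the event; [] means it could."""
    reasons, ev_layer = [], LAYER_RTID_TO_KEY.get(event["layer_rtid"], "unknown")
    if filt["layer"] != ev_layer:
        reasons.append(f"layer: filter is in {filt['layer']}, event was decided in {ev_layer}")
    for key, want in filt["conds"].items():
        if key not in event:
            reasons.append(f"{key}: not recorded in the event, cannot check")
        elif event[key] != want:
            reasons.append(f"{key}: filter wants {want!r}, event has {event[key]!r}")
    return reasons

# Constructed, trimmed-down copies of the page's event and of its two filters.
APP = r"\device\harddiskvolume6\users\browner87\appdata\roaming\insync\app\insync.exe"
EVENT = (f'<Event xmlns="{NS["e"]}"><EventData><Data Name="Application">{APP}</Data><Data Name="Protocol">6'
         '</Data><Data Name="FilterRTID">74826</Data><Data Name="LayerRTID">48</Data></EventData></Event>')
PERMIT = ("<item><layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6</layerKey><filterCondition numItems='2'><item>"
          "<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>"
          f"<byteBlob><asString>{APP}</asString></byteBlob></conditionValue></item><item><fieldKey>"
          "FWPM_CONDITION_IP_PROTOCOL</fieldKey><conditionValue><type>FWP_UINT8</type><uint8>6</uint8>"
          "</conditionValue></item></filterCondition><action><type>FWP_ACTION_PERMIT</type></action>"
          "<filterId>75650</filterId></item>")
BLOCK = ("<item><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><filterCondition numItems='1'><item>"
         "<fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey><conditionValue><type>FWP_UINT32</type>"
         "<uint32>2</uint32></conditionValue></item></filterCondition><action><type>FWP_ACTION_BLOCK"
         "</type></action><filterId>74826</filterId></item>")
```

Running `why_not_matched(parse_event(EVENT), parse_filter(PERMIT))` reports only a layer difference, while the block filter's only unverifiable condition is the profile id, which the event does not record.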