Windows Firewall: Logging/Notifying on outgoing request attempts
I'm trying to configure Windows Firewall with Advanced Security to log and tell me when programs are trying to make outbound requests. I previously tried installing ZoneAlarm, which worked wonders for me with this in Windows XP. But now I'm unable to install ZoneAlarm on Windows 7.
Is it possible to somehow monitor a log or get notifications when a program tries to do that if I set all outbound connections to auto-block, so that I can then create a specific rule for the program and block it?
Update
I've enabled all the logging options available through the properties windows of the Windows Firewall with Advanced Security console. But I'm only seeing logs in the %systemroot%\system32\LogFiles\Firewall\pfirewall.log file, not in the Event Viewer, as the first answer suggested.
However, the logs that I can see only tell me the request's or response's destination IP and whether the connection was allowed or blocked. They don't tell me what executable it comes from. I want to find out the file path of the executable that each blocked request comes from. So far, I haven't been able to.
You should be able to see this in Event Viewer. First you'll need to tweak the logging options in the Advanced Settings Console:
In the Event Viewer's left pane, expand to Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall with Advanced Security:
There, you can create a custom view and filter the log to only outbound connection attempts.
In Windows 7 & 8 you need to first enable Auditing of failed connections.
Local Computer Policy (Run: GPEdit.msc) > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access: Failure
Now dropped connections along with the corresponding executable name should show at:
Event log > Windows Logs > Security:
- The Windows Filtering Platform has blocked a packet : [Event Id: 5152]
- The Windows Filtering Platform has blocked a connection : [Event Id: 5157]
Here, you will find:
Application Name: \device\harddiskvolume2\program files\xyz.exe
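The procedure from the two answers above, as one PowerShell script. This is an added example, not code from either answer: it enables only the audit subcategory that produces event 5157 (the whole "Audit object access" category also turns on 5152 packet-drop auditing, which floods the Security log), switches every profile to block-by-default outbound, and then reads the 5157 events back and reports the executable behind each blocked outbound connection. It assumes Windows 7 or later and an elevated PowerShell prompt; the function names Get-BlockedOutbound and Convert-DevicePath are mine, and the Direction values %%14593 (outbound) / %%14592 (inbound) are the resource-string IDs the event uses.

```powershell
# Added example (not from the original answers). Run from an elevated PowerShell prompt.

# 1. Enable failure auditing for WFP connections only (event 5157). Packet-drop
#    auditing (event 5152) is far noisier; enable it only if you need per-packet detail.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
# auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable

# 2. Block every outbound connection that no rule explicitly allows, on all profiles.
#    netsh is used instead of Set-NetFirewallProfile so it also works on Windows 7.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Map the NT device path the event reports (\device\harddiskvolume2\...) back to a
#    drive letter, using QueryDosDevice from kernel32 (assumed helper, named here).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Convert-DevicePath {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($code in ([int][char]'A')..([int][char]'Z')) {
        $drive = "$([char]$code):"
        $sb = New-Object System.Text.StringBuilder 260
        if ([Win32.Native]::QueryDosDevice($drive, $sb, $sb.Capacity) -gt 0) {
            $device = $sb.ToString()                      # e.g. \Device\HarddiskVolume2
            if ($Path.StartsWith($device, [StringComparison]::OrdinalIgnoreCase)) {
                return $drive + $Path.Substring($device.Length)
            }
        }
    }
    return $Path    # unknown volume: hand back the raw device path
}

# 4. Read blocked outbound connections (5157) from the Security log and show who made them.
function Get-BlockedOutbound {
    param([int]$MaxEvents = 500)

    # Get-WinEvent throws if no events match; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        # %%14593 = Outbound, %%14592 = Inbound (resource-string IDs in the event data)
        if ($data['Direction'] -ne '%%14593') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Application = Convert-DevicePath $data['Application']
            ProcessId   = $data['ProcessID']
            Destination = "$($data['DestAddress']):$($data['DestPort'])"
            Protocol    = $data['Protocol']   # 6 = TCP, 17 = UDP
        }
    }
}

# Summary: which executables are being blocked, and how often.
Get-BlockedOutbound | Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Once an executable is identified, allow it explicitly (replace the path):
# netsh advfirewall firewall add rule name="Allow xyz" dir=out action=allow enable=yes program="C:\Program Files\xyz.exe"
```

The `Application` field in event 5157 is the kernel-side device path, which is why the script translates it before reporting; anything on a volume QueryDosDevice cannot resolve (network shares, for instance) is left as-is. If you do enable 5152 as well, the same parsing works, since both events carry `Application`, `Direction`, `DestAddress` and `DestPort` in their event data.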