Add Windows 7 and Windows 8.1 hosts and firewall rules (Issue #1)
Add Wireshark script to extract log and generate CSV (Issue #6)
Bug spy rule blocking Windows update (Issue #14)
Add diff script to compare current firewall rules / hosts with generated CSVs
New hosts and firewall rules
README.md
+57 -21
@@ -8,13 +8,15 @@
8
8
9
9
-[About](#about)
10
10
-[How ?](#how-)
11
-
-[Requirements](#requirements)
12
11
-[Usage](#usage)
13
-
-[Hosts](#hosts)
14
-
-[Firewall](#firewall)
15
-
-[NCSI (Network Connectivity Status Indicator)](#ncsi-network-connectivity-status-indicator)
16
-
-[DNSCrypt](#dnscrypt)
17
-
-[Proxifier](#proxifier)
12
+
-[Data](#data)
13
+
-[Hosts](#hosts)
14
+
-[Firewall](#firewall)
15
+
-[NCSI (Network Connectivity Status Indicator)](#ncsi-network-connectivity-status-indicator)
16
+
-[DNSCrypt](#dnscrypt)
17
+
-[Proxifier](#proxifier)
18
+
-[Logs](#logs)
19
+
-[Scripts](#scripts)
18
20
-[Projects using WindowsSpyBlocker](#projects-using-windowsspyblocker)
19
21
-[License](#license)
20
22
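Review bot: the table-of-contents entries for Hosts, Firewall, NCSI, DNSCrypt and Proxifier now sit after the new `[Data](#data)` entry at the same visible level as `[Logs](#logs)` and `[Scripts](#scripts)`; if they are meant as sub-sections of Data (the body demotes them to level-4 headings in this same commit), indent them under Data so the list reflects that hierarchy. The `[Requirements](#requirements)` entry is dropped without a replacement even though the vcredist_x86 prerequisite still applies and is now stated under Scripts; either keep a short Requirements line in the list or make sure the Scripts entry is where readers expect to find it.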
@@ -27,53 +29,69 @@ To be notified of new releases you can subscribe to this [Atom feed](https://git
27
29
28
30
## How ?
29
31
30
-
I use a QEMU virtual machine on the server virtualization management platform [Proxmox VE](https://www.proxmox.com/en/) based on Windows 10 Pro 64bits with automatic updates enabled.<br />
31
-
I clean traffic dumps every day and compare results with the current rules to add / remove some hosts or firewall rules (need to automate the process...).
32
+
I use a QEMU virtual machines on the server virtualization management platform [Proxmox VE](https://www.proxmox.com/en/) based on :
33
+
34
+
* Windows 10 Pro 64bits with automatic updates enabled.
35
+
* Windows 8.1 Pro 64bits with automatic updates enabled.
36
+
* Windows 7 SP1 Pro 64bits with automatic updates enabled.
37
+
38
+
I clean traffic dumps every day and compare results with the current rules to add / remove some hosts or firewall rules.
All traffic logs are available in the `logs` folder.
40
-
41
-
## Requirements
42
-
43
-
* Scripts required [Visual C++ Redistributable for Visual Studio 2012](https://www.microsoft.com/en-us/download/details.aspx?id=30679) (vcredist_x86.exe).
46
+
All traffic events are available in the [logs](#logs) folder.
44
47
45
48
## Usage
46
49
50
+
### Data
51
+
52
+
`data` is the master folder of this project. It contains the blocking rules based on domain names or IPs addresses detected during the capture process.
47
53
*`data/<type>/winX/spy.txt` : Block Windows Spy / Telemetry
48
54
*`data/<type>/winX/update.txt` : Block Windows Update
49
55
*`data/<type>/winX/extra.txt` : Block third party applications
50
56
51
-
### Hosts
57
+
####Hosts
52
58
53
59
Copy / paste the content of the files in `data/hosts` in your Windows hosts file located in `C:\Windows\System32\drivers\etc\hosts`.<br />
54
60
55
61
You can use the [HostsMan](http://www.abelhadigital.com/hostsman) freeware to keep update your hosts file.<br />
56
62
I have created a git hook to publish the hosts files to my personal website :
Some queries use IP addresses but you can stop them with your Firewall.<br />
64
-
All relative information about these IP addresses are listed in the CSV files `firewall-` in the [logs folder](tree/master/firewall/logs).<br />
82
+
All relative information about these IP addresses are listed in the CSV files `firewall-` in the [logs folder](firewall/logs).<br />
65
83
To add / remove firewall rules or test IPs, read the instructions in [scripts/firewall folder](scripts/firewall).
66
84
67
-
### NCSI (Network Connectivity Status Indicator)
85
+
####NCSI (Network Connectivity Status Indicator)
68
86
69
87
Windows check a Microsoft site for connectivity, using the Network Connectivity Status Indicator site.<br />
70
88
NCSI performs a DNS lookup on `www.msftncsi.com` and sends a DNS lookup request for `dns.msftncsi.com`.<br />
71
-
You can block this probe by adding the content of the `windowsX_extra.txt` hosts file.<br />
89
+
You can block this probe by adding the content of the `data/<type>/winX/extra.txt` hosts file.<br />
72
90
73
91
But you will have a ["No Internet access" warning in your system tray](../../wiki/FAQ#no-internet-access-on-my-network-card).<br />
74
-
To solve this problem read the instructions in [scripts/ncsi folder](scripts/ncsi).
92
+
To solve this problem you can use the alternative WindowsSpyBlcoker NCSI. Read the instructions in [scripts/ncsi folder](scripts/ncsi).
75
93
76
-
### DNSCrypt
94
+
####DNSCrypt
77
95
78
96
[DNSCrypt](https://dnscrypt.org/) is a protocol for securing communications between a client and a DNS resolver. With this tool you can blacklist some domains with the plugin [libdcplugin_example_ldns_blocking](https://github.com/jedisct1/dnscrypt-proxy#plugins) and add domains with leading and trailing wildcards.<br />
79
97
To install DNSCrypt on Windows, read the [README-WINDOWS](https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown) on the official GitHub repository.<br />
Replace `<name>` with a [public DNS resolvers supporting DNSCrypt](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) you want to use. Note its name, in the first column (for example: `dnscrypt.org-fr`).
87
105
88
-
### Proxifier
106
+
####Proxifier
89
107
90
108
Some hosts are not blocked and required a top level application.<br />
91
109
For example you can use [Proxifier](https://www.proxifier.com/) software to block Microsoft spy.<br />
92
110
Copy the content of the proxifier files in `data/proxifier` in a blocked rule :
93
111
94
112

95
113
114
+
### Logs
115
+
116
+
Logs of tools used to capture traffic and resolution of firewall rules in CSV format available in the [logs folder](firewall/logs).
117
+
*`*-all.csv` : all events
118
+
*`*-hosts-count.csv` : number of events per host
119
+
*`*-unique.csv` : first trigger of an event per host / process / destination port
120
+
121
+
### Scripts
122
+
123
+
Several scripts are used to ease implementation of rules and contribution. To use these scripts you have to download and install the [Visual C++ Redistributable for Visual Studio 2012](https://www.microsoft.com/en-us/download/details.aspx?id=30679) (vcredist_x86.exe).
124
+
*`diff.bat` : Generate a diff log based on CSV logs and data for Sysmon, Proxifier and Wireshark.
125
+
*`firewall.bat` : Add / remove rules and resolve IPs adresses
126
+
*`ncsi.bat` : Apply an alternate NCSI and test your internet connection the Micrososft way. More info on the [FAQ Wiki page](../../wiki/FAQ#what-is-ncsi-).
127
+
*`proxifier.bat` : Extract events from log and generate CSV files. More info on the [Proxifier Wiki page](../../wiki/captureProxifier)
128
+
*`sysmon.bat` : Install / uninstall Sysmon and extract events log then generate CSV files. More info on the [Sysmon Wiki page](../../wiki/captureSysmon)
129
+
*`wireshark.bat` : Extract events log then generate CSV files based on IPv4 hosts. More info on the [Wireshark Wiki page](../../wiki/captureWireshark)
130
+
96
131
## Projects using WindowsSpyBlocker
97
132
98
133
*[pi-hole](https://pi-hole.net/) : A black hole for Internet advertisements (designed for Raspberry Pi).
99
134
*[StopAd](http://stopad.generate.club/) : Service for MikroTik routers made to block "advertising" and more.
135
+
*[OpenWrt adblock package](https://github.com/openwrt/packages/tree/master/net/adblock/files) : DNS based ad/abuse domain blocking
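Review bot: the changed sub-headings `####Hosts`, `####NCSI (Network Connectivity Status Indicator)`, `####DNSCrypt` and `####Proxifier` have no space after the `#` characters, so GitHub renders them as literal text rather than level-4 headings, and the `#hosts`, `#ncsi-network-connectivity-status-indicator`, `#dnscrypt` and `#proxifier` anchors that the table of contents links to will no longer exist; write them as `#### Hosts` and so on. Several added lines also carry typos that should go in the same commit: `I use a QEMU virtual machines` (drop the `a` or the plural), `IPs addresses`, `WindowsSpyBlcoker NCSI`, `resolve IPs adresses` and `the Micrososft way`. The link repair from `tree/master/firewall/logs` to `firewall/logs` is right, but the How section now says the traffic logs are in the `logs` folder while the Logs section still links to `firewall/logs`; make the two statements agree with the actual folder layout.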