Add Sysmon, Proxifier, Wireshark capture method in the Wiki (Issue #11)

Enhancement for firewall script (Issue #2)
Separate rules and scripts in distinct folders
New hosts and firewall rules
Add capture logs in CSV files
Add Sysmon script (install / uninstall / extract event log)
Add Proxifier script (extract log)

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 3.0 (2016/06/03)
+
+* Add Sysmon, Proxifier, Wireshark capture method in the [Wiki](../../wiki) (Issue #11)
+* Enhancement for firewall script (Issue #2)
+* Separate rules and scripts in distinct folders
+* New hosts and firewall rules
+* Add capture logs in CSV files
+* Add Sysmon script (install / uninstall / extract event log)
+* Add Proxifier script (extract log)
+
 ## 2.7 (2016/05/27)
 
 * Add NCSI alternative probe (Issue #9)

README.md

@@ -1,13 +1,12 @@
 # Windows Spy Blocker [![Donate Paypal](https://img.shields.io/badge/donate-paypal-blue.svg)](https://www.paypal.me/crazyws)
 
-Rules to block Windows spy / telemetry.
-
 ![](../../wiki/img/logo-20160521.png)
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
 
+- [About](#about)
 - [How ?](#how-)
 - [Usage](#usage)
   - [Hosts](#hosts)
@@ -20,42 +19,45 @@ Rules to block Windows spy / telemetry.
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
+## About
+
+**WindowsSpyBlocker** is a set of rules to block Windows spy / telemetry based on multiple tools to [capture traffic](../../wiki/Capture%20traffic). It is open for everyone and if you want to contribute, take a look at the [Wiki](../../wiki).<br />
+To be notified of new releases you can subscribe to this [Atom feed](https://github.com/crazy-max/WindowsSpyBlocker/releases.atom).
+
 ## How ?
 
 I use a QEMU virtual machine on the server virtualization management platform [Proxmox VE](https://www.proxmox.com/en/) based on Windows 10 Pro 64bits with automatic updates enabled.<br />
 I clean traffic dumps every day and compare results with the current rules to add / remove some hosts or firewall rules (need to automate the process...).
 
 Tools used to capture traffic :
-* qemu -net dump
-* Wireshark
+* **qemu -net dump** : capture
+* **[Wireshark](../../wiki/captureWireshark)** : capture + logs
+* **[Sysmon](../../wiki/captureSysmon)** : capture + logs
+* **[Proxifier](../../wiki/captureProxifier)** : logs
+
+All traffic logs are available in the `logs` folder.
 
 ## Usage
 
-### Hosts
+* `data/<type>/winX/spy.txt` : Block Windows Spy / Telemetry
+* `data/<type>/winX/update.txt` : Block Windows Update
+* `data/<type>/winX/extra.txt` : Block third party applications
 
-* `windowsX_spy.txt` : Block Windows Spy / Telemetry
-* `windowsX_update.txt` : Block Windows Update
-* `windowsX_extra.txt` : Block third party applications
+### Hosts
 
-Copy / paste the content of the above files in your Windows hosts file located in `C:\Windows\System32\drivers\etc\hosts`.<br />
+Copy / paste the content of the files in `data/hosts` in your Windows hosts file located in `C:\Windows\System32\drivers\etc\hosts`.<br />
 
 You can use the [HostsMan](http://www.abelhadigital.com/hostsman) freeware to keep update your hosts file.<br />
 I have created a git hook to publish the hosts files to my personal website :
-* [http://www.crazyws.fr/WindowsSpyBlocker/hosts/windows10_spy.txt](http://www.crazyws.fr/WindowsSpyBlocker/hosts/windows10_spy.txt)
-* [http://www.crazyws.fr/WindowsSpyBlocker/hosts/windows10_update.txt](http://www.crazyws.fr/WindowsSpyBlocker/hosts/windows10_update.txt)
-* [http://www.crazyws.fr/WindowsSpyBlocker/hosts/windows10_extra.txt](http://www.crazyws.fr/WindowsSpyBlocker/hosts/windows10_extra.txt)
+* [http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/spy.txt](http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/spy.txt)
+* [http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/update.txt](http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/update.txt)
+* [http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/extra.txt](http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/extra.txt)
 
 ### Firewall
 
 Some queries use IP addresses but you can stop them with your Firewall.<br />
-All relative information about these IP addresses are listed in the CSV file [firewallTestIPs.csv](https://github.com/crazy-max/WindowsSpyBlocker/blob/master/firewall/firewallTestIPs.csv).<br />
-[Download](https://github.com/crazy-max/WindowsSpyBlocker/archive/master.zip) or clone the repository, execute `firewall\firewallBlockWindowsSpy.bat` and choose an option :<br />
-
-![](../../wiki/img/firewallMenu-20160516.png)
-
-IPs are added in the Windows Firewall as outbound rules :<br />
-
-![](../../wiki/img/firewallRules-20160516.png)
+All relative information about these IP addresses are listed in the CSV files `firewall-` in the [logs folder](tree/master/firewall/logs).<br />
+To add / remove firewall rules or test IPs, read the instructions in [scripts/firewall folder](tree/master/scripts/firewall).
 
 ### NCSI (Network Connectivity Status Indicator)
 
@@ -64,9 +66,7 @@ NCSI performs a DNS lookup on `www.msftncsi.com` and sends a DNS lookup request
 You can block this probe by adding the content of the `windowsX_extra.txt` hosts file.<br />
 
 But you will have a ["No Internet access" warning in your system tray](../../wiki/FAQ#no-internet-access-on-my-network-card).<br />
-To solve this problem you can use the alternative WindowsSpyBlocker NCSI by executing `ncsi\ncsi.bat` :<br />
-
-![](../../wiki/img/ncsiMenu-20160527.png)
+To solve this problem read the instructions in [scripts/ncsi folder](tree/master/scripts/ncsi).
 
 ### DNSCrypt
 
@@ -84,7 +84,7 @@ Replace `<name>` with a [public DNS resolvers supporting DNSCrypt](https://githu
 
 Some hosts are not blocked and required a top level application.<br />
 For example you can use [Proxifier](https://www.proxifier.com/) software to block Microsoft spy.<br />
-Copy the content of the proxifier files in the repository in a blocked rule :
+Copy the content of the proxifier files in `data/proxifier` in a blocked rule :
 
 ![](../../wiki/img/proxifierRules-20160516.png)
 

data/.gitignore

@@ -0,0 +1 @@
+*.tmp

dnscrypt/windows10_extra.txt → data/dnscrypt/win10/extra.txt

@@ -1,5 +1,8 @@
+*.2mdn.net
+2mdn.net
 *.akamaitechnologies.com
 akamaitechnologies.com
+apps.skype.com
 *.bing.net
 bing.net
 *.hotmail.com
@@ -12,8 +15,10 @@ live.net
 msftncsi.com
 *.msn.com
 msn.com
-*.nsatc.net
-nsatc.net
-*.microsoft.com.nstac.net
+oneclient.sfx.ms
 pricelist.skype.com
 ui.skype.com
+*.weather.microsoft.com
+weather.microsoft.com
+*.xboxlive.com
+xboxlive.com

dnscrypt/windows10_spy.txt → data/dnscrypt/win10/spy.txt

@@ -1,5 +1,3 @@
-*.2mdn.net
-2mdn.net
 *.a-msedge.net
 a-msedge.net
 *.adnexus.net
@@ -13,8 +11,6 @@ schemas.microsoft.akadns.net
 *.atdmt.com
 atdmt.com
 compatexchange.cloudapp.net
-*.doubleclick.net
-doubleclick.net
 secure.flashtalking.com
 pre.footprintpredict.com
 clients2.google.com

firewall/windows10_extra.txt → data/firewall/win10/extra.txt

@@ -1,10 +1,9 @@
-### firewall_windows10_extra
+### firewall win10 extra
 ### More info: https://github.com/crazy-max/WindowsSpyBlocker
 
 65.52.100.11
 65.52.100.93
 191.232.139.253
-204.79.197.200
 207.46.194.25
 207.46.223.94
 207.68.166.254

firewall/windows10_spy.txt → data/firewall/win10/spy.txt

@@ -1,4 +1,4 @@
-### firewall_windows10_spy
+### firewall win10 spy
 ### More info: https://github.com/crazy-max/WindowsSpyBlocker
 
 2.22.61.43
@@ -21,6 +21,7 @@
 40.113.8.255
 40.113.14.159
 40.113.22.47
+40.114.241.141
 40.117.151.29
 64.4.6.100
 64.4.23.0-64.4.23.255
@@ -125,7 +126,23 @@
 191.237.208.126
 191.239.54.52
 195.138.255.0-195.138.255.255
+204.79.197.197
+204.79.197.199
 204.79.197.200
+204.79.197.201
+204.79.197.202
+204.79.197.203
+204.79.197.204
+204.79.197.205
+204.79.197.206
+204.79.197.207
+204.79.197.208
+204.79.197.209
+204.79.197.210
+204.79.197.211
+204.79.197.212
+204.79.197.213
+204.79.197.214
 207.46.7.252
 207.46.101.29
 207.46.114.58

firewall/windows10_update.txt → data/firewall/win10/update.txt

@@ -1,4 +1,4 @@
-### firewall_windows10_update
+### firewall win10 update
 ### More info: https://github.com/crazy-max/WindowsSpyBlocker
 
 23.103.189.158

data/hosts/win10/extra.txt

@@ -0,0 +1,26 @@
+### hosts win10 extra
+### More info: https://github.com/crazy-max/WindowsSpyBlocker
+
+0.0.0.0 akamaitechnologies.com
+0.0.0.0 apps.skype.com
+0.0.0.0 cdn.content.prod.cms.msn.com
+0.0.0.0	choice.microsoft.com.nstac.net
+0.0.0.0 client-s.gateway.messenger.live.com
+0.0.0.0 deploy.static.akamaitechnologies.com
+0.0.0.0 device.auth.xboxlive.com
+0.0.0.0 dl.delivery.mp.microsoft.com
+0.0.0.0 dns.msftncsi.com
+0.0.0.0 msftncsi.com
+0.0.0.0 oneclient.sfx.ms
+0.0.0.0 pricelist.skype.com
+0.0.0.0 s.gateway.messenger.live.com
+0.0.0.0 s0.2mdn.net
+0.0.0.0 sO.2mdn.net
+0.0.0.0 search.msn.com
+0.0.0.0 static.2mdn.net
+0.0.0.0 tile-service.weather.microsoft.com
+0.0.0.0 tk2.plt.msn.com
+0.0.0.0 tlu.dl.delivery.mp.microsoft.com
+0.0.0.0 ui.skype.com
+0.0.0.0 view.atdmt.com
+0.0.0.0 www.msftncsi.com

hosts/windows10_spy.txt → data/hosts/win10/spy.txt

@@ -1,13 +1,24 @@
-### hosts_windows10_spy
+### hosts win10 spy
 ### More info: https://github.com/crazy-max/WindowsSpyBlocker
 
+0.0.0.0	a-0001.a-msedge.net
+0.0.0.0	a-0002.a-msedge.net
+0.0.0.0	a-0003.a-msedge.net
+0.0.0.0	a-0004.a-msedge.net
+0.0.0.0	a-0005.a-msedge.net
+0.0.0.0	a-0006.a-msedge.net
+0.0.0.0	a-0007.a-msedge.net
+0.0.0.0	a-0008.a-msedge.net
+0.0.0.0	a-0009.a-msedge.net
+0.0.0.0	a-0010.a-msedge.net
+0.0.0.0	a-0011.a-msedge.net
+0.0.0.0	a-0012.a-msedge.net
 0.0.0.0 a-msedge.net
 0.0.0.0 a.ads1.msn.com
 0.0.0.0 a.ads2.msads.net
 0.0.0.0 a.ads2.msn.com
 0.0.0.0 a.rad.msn.com
 0.0.0.0 ac3.msn.com
-0.0.0.0 ad.doubleclick.net
 0.0.0.0 adnexus.net
 0.0.0.0 adnxs.com
 0.0.0.0 ads.msn.com
@@ -46,6 +57,7 @@
 0.0.0.0 ecn.dev.virtualearth.net
 0.0.0.0 eu.vortex.data.microsoft.com
 0.0.0.0 fe3.delivery.dsp.mp.microsoft.com.nsatc.net
+0.0.0.0 fe3.delivery.mp.microsoft.com
 0.0.0.0 feedback.microsoft-hohm.com
 0.0.0.0 feedback.search.microsoft.com
 0.0.0.0 feedback.windows.com
@@ -90,16 +102,17 @@
 0.0.0.0 sqm.telemetry.microsoft.com
 0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
 0.0.0.0 ssw.live.com
-0.0.0.0 static.2mdn.net
 0.0.0.0 statsfe1.ws.microsoft.com
 0.0.0.0 statsfe2.ws.microsoft.com
+0.0.0.0 survey.watson.microsoft.com
 0.0.0.0 t0.ssl.ak.dynamic.tiles.virtualearth.net
 0.0.0.0 t0.ssl.ak.tiles.virtualearth.net
 0.0.0.0 telecommand.telemetry.microsoft.com
 0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
 0.0.0.0 telemetry.appex.bing.net
 0.0.0.0 telemetry.microsoft.com
 0.0.0.0 telemetry.urs.microsoft.com
+0.0.0.0 tsfe.trafficshaping.dsp.mp.microsoft.com
 0.0.0.0 v10.vortex-win.data.metron.live.com.nsatc.net
 0.0.0.0 v10.vortex-win.data.microsoft.com
 0.0.0.0 version.hybrid.api.here.com
@@ -114,5 +127,12 @@
 0.0.0.0 vortex.data.glbdns2.microsoft.com
 0.0.0.0 vortex.data.metron.live.com.nsatc.net
 0.0.0.0 vortex.data.microsoft.com
+0.0.0.0 watson.live.com
+0.0.0.0 watson.microsoft.com
+0.0.0.0 watson.ppe.telemetry.microsoft.com
+0.0.0.0 watson.telemetry.microsoft.com
+0.0.0.0 watson.telemetry.microsoft.com.nsatc.net
 0.0.0.0 web.vortex.data.microsoft.com
+0.0.0.0 wes.df.telemetry.microsoft.com
 0.0.0.0 win10.ipv6.microsoft.com
+0.0.0.0 www.msedge.net

hosts/windows10_update.txt → data/hosts/win10/update.txt

@@ -1,6 +1,7 @@
-### hosts_windows10_update
+### hosts win10 update
 ### More info: https://github.com/crazy-max/WindowsSpyBlocker
 
+0.0.0.0 au.v4.download.windowsupdate.com
 0.0.0.0 ctldl.windowsupdate.com
 0.0.0.0 fe2.update.microsoft.com
 0.0.0.0 fe2.update.microsoft.com.akadns.net

proxifier/windows10_extra.txt → data/proxifier/win10/extra.txt

@@ -1,5 +1,8 @@
+*.2mdn.net;
+2mdn.net;
 *.akamaitechnologies.com;
 akamaitechnologies.com;
+apps.skype.com;
 *.bing.net;
 bing.net;
 *.hotmail.com;
@@ -12,15 +15,16 @@ live.net;
 msftncsi.com;
 *.msn.com;
 msn.com;
-*.nsatc.net;
-nsatc.net;
-*.microsoft.com.nstac.net;
+oneclient.sfx.ms;
 pricelist.skype.com;
 ui.skype.com;
+*.weather.microsoft.com;
+weather.microsoft.com;
+*.xboxlive.com;
+xboxlive.com;
 65.52.100.11;
 65.52.100.93;
 191.232.139.253;
-204.79.197.200;
 207.46.194.25;
 207.46.223.94;
 207.68.166.254;

proxifier/windows10_spy.txt → data/proxifier/win10/spy.txt

@@ -1,5 +1,3 @@
-*.2mdn.net;
-2mdn.net;
 *.a-msedge.net;
 a-msedge.net;
 *.adnexus.net;
@@ -13,8 +11,6 @@ schemas.microsoft.akadns.net;
 *.atdmt.com;
 atdmt.com;
 compatexchange.cloudapp.net;
-*.doubleclick.net;
-doubleclick.net;
 secure.flashtalking.com;
 pre.footprintpredict.com;
 clients2.google.com;
@@ -84,6 +80,7 @@ feedback.windows.com;
 40.113.8.255;
 40.113.14.159;
 40.113.22.47;
+40.114.241.141;
 40.117.151.29;
 64.4.6.100;
 64.4.23.0-64.4.23.255;
@@ -188,7 +185,23 @@ feedback.windows.com;
 191.237.208.126;
 191.239.54.52;
 195.138.255.0-195.138.255.255;
+204.79.197.197;
+204.79.197.199;
 204.79.197.200;
+204.79.197.201;
+204.79.197.202;
+204.79.197.203;
+204.79.197.204;
+204.79.197.205;
+204.79.197.206;
+204.79.197.207;
+204.79.197.208;
+204.79.197.209;
+204.79.197.210;
+204.79.197.211;
+204.79.197.212;
+204.79.197.213;
+204.79.197.214;
 207.46.7.252;
 207.46.101.29;
 207.46.114.58;