WindowsSpyBlocker is a set of rules to block Windows spying / telemetry, built from traffic captured with multiple tools. It is open to everyone; if you want to contribute, take a look at the Wiki.
To be notified of new releases you can subscribe to this Atom feed.
I use QEMU virtual machines on the server virtualization management platform Proxmox VE, based on:
- Windows 10 Pro 64-bit with automatic updates enabled.
- Windows 8.1 Pro 64-bit with automatic updates enabled.
- Windows 7 SP1 Pro 64-bit with automatic updates enabled.
I clean traffic dumps every day and compare results with the current rules to add / remove some hosts or firewall rules.
Tools used to capture traffic :
All traffic events are available in the logs folder.
data is the master folder of this project. It contains the blocking rules based on domain names or IP addresses detected during the capture process.
- data/<type>/winX/spy.txt : Block Windows Spy / Telemetry
- data/<type>/winX/update.txt : Block Windows Update
- data/<type>/winX/extra.txt : Block third party applications
Copy / paste the content of the files in data/hosts into your Windows hosts file located in C:\Windows\System32\drivers\etc\hosts.
You can use the HostsMan freeware to keep your hosts file up to date.
I have created a git hook to publish the hosts files to my personal website :
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win7/spy.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win7/update.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win7/extra.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win81/spy.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win81/update.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win81/extra.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/spy.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/update.txt
- http://www.crazyws.fr/WindowsSpyBlocker/hosts/win10/extra.txt
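The published lists above are served over plain HTTP, so it is worth checking a downloaded file before it goes into the hosts file. The following is an added example, not part of the project's scripts: it accepts only lines that map a hostname to a sinkhole address and merges them into a marked block so that repeated updates do not duplicate entries. The marker comments, the function names, the `0.0.0.0` / `127.0.0.1` rule format and the sample data are assumptions made for the example.

```python
import re

SINKHOLES = {"0.0.0.0", "127.0.0.1"}   # assumption: a rule only ever sinkholes a host
HOSTNAME = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)(\.(?!-)[a-z0-9_-]{1,63}(?<!-))+$", re.I)
BEGIN = "# BEGIN WindowsSpyBlocker"    # hypothetical markers, not defined by the project
END = "# END WindowsSpyBlocker"

def parse_rules(text):
    """Return (accepted hostnames, rejected lines) from a hosts-format rule file."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2 and fields[0] in SINKHOLES and HOSTNAME.match(fields[1]):
            if fields[1].lower() not in accepted:
                accepted.append(fields[1].lower())
        else:
            rejected.append(raw.strip())         # e.g. a host mapped to a routable IP
    return accepted, rejected

def merge_hosts(current, rules):
    """Replace the managed block in `current` hosts text with `rules`; idempotent."""
    hosts, rejected = parse_rules(rules)
    if rejected:                                 # fail closed: merge nothing
        raise ValueError(f"refusing to merge, suspicious lines: {rejected}")
    kept, inside = [], False
    for line in current.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)                    # entries outside the block are untouched
    if inside:
        raise ValueError("unterminated managed block in hosts file")
    while kept and not kept[-1].strip():
        kept.pop()
    block = [BEGIN] + [f"0.0.0.0 {h}" for h in hosts] + [END]
    return "\r\n".join(kept + block) + "\r\n"

# Constructed sample input (not copied from the project's data files).
SAMPLE_HOSTS = "127.0.0.1 localhost\r\n"
SAMPLE_RULES = "# extra\n0.0.0.0 www.msftncsi.com\n0.0.0.0 dns.msftncsi.com\n"
TAMPERED_RULES = SAMPLE_RULES + "203.0.113.7 www.msftncsi.com\n"

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, SAMPLE_RULES))
```

Writing the returned text to C:\Windows\System32\drivers\etc\hosts requires an elevated prompt and is left out of the example.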
Some queries use IP addresses, but you can stop them with your firewall.
All information related to these IP addresses is listed in the CSV files firewall- in the logs folder.
To add / remove firewall rules or test IPs, read the instructions in the scripts/firewall folder.
Windows checks a Microsoft site for connectivity, using the Network Connectivity Status Indicator site.
NCSI performs a DNS lookup on www.msftncsi.com and sends a DNS lookup request for dns.msftncsi.com.
You can block this probe by adding the content of the data/<type>/winX/extra.txt hosts file.
But you will have a "No Internet access" warning in your system tray.
To solve this problem you can use the alternative WindowsSpyBlocker NCSI. Read the instructions in the scripts/ncsi folder.
DNSCrypt is a protocol for securing communications between a client and a DNS resolver. With this tool you can blacklist some domains with the plugin libdcplugin_example_ldns_blocking and add domains with leading and trailing wildcards.
To install DNSCrypt on Windows, read the README-WINDOWS on the official GitHub repository.
Copy the content of the dnscrypt files in the repository into a file called, for example, C:\blacklisted-domains.txt and enter this command:
dnscrypt-proxy -R <name> --plugin=libdcplugin_example_ldns_blocking.dll,--domains=C:\blacklisted-domains.txt
Replace <name> with the public DNS resolver supporting DNSCrypt that you want to use. Note its name, in the first column (for example: dnscrypt.org-fr).
Some hosts are not blocked and require a top-level application.
For example, you can use the Proxifier software to block Microsoft spy.
Copy the content of the proxifier files in data/proxifier into a blocked rule :
Logs of tools used to capture traffic and resolution of firewall rules in CSV format are available in the logs folder.
- *-all.csv : all events
- *-hosts-count.csv : number of events per host
- *-unique.csv : first trigger of an event per host / process / destination port
Several scripts are used to ease implementation of rules and contribution. To use these scripts you have to download and install the Visual C++ Redistributable for Visual Studio 2012 (vcredist_x86.exe).
- diff.bat : Generate a diff log based on CSV logs and data for Sysmon, Proxifier and Wireshark.
- firewall.bat : Add / remove rules and resolve IP addresses
- ncsi.bat : Apply an alternate NCSI and test your internet connection the Microsoft way. More info on the FAQ Wiki page.
- proxifier.bat : Extract events from log and generate CSV files. More info on the Proxifier Wiki page
- sysmon.bat : Install / uninstall Sysmon and extract events log then generate CSV files. More info on the Sysmon Wiki page
- wireshark.bat : Extract events log then generate CSV files based on IPv4 hosts. More info on the Wireshark Wiki page
- pi-hole : A black hole for Internet advertisements (designed for Raspberry Pi).
- StopAd : Service for MikroTik routers made to block "advertising" and more.
- OpenWrt adblock package : DNS based ad/abuse domain blocking
MIT. See LICENSE for more details.