Windows defender Firewall sometimes reports CefSharp.BrowserSubprocess #3075

Closed
ptesar-xyndata opened this issue Mar 3, 2020 · 17 comments

Comments

@ptesar-xyndata

Hello,

We are getting a strange issue: sometimes at the start of our application, CefSharp is blocked by Windows Defender Firewall while accessing the network.

Does anybody know how to prevent this?

Thx

Patrik


@amaitland
Member

amaitland commented Mar 10, 2020

CEF now supports the Chromium Network Service which brings a huge number of breaking API changes, please make sure you read #2743 for details if you are upgrading from a version prior to 75.1.x.

As per the Release Notes, all networking is now done by a separate process (in this case the default CefSharp.BrowserSubprocess.exe with --type=utility).

For additional information

> We are getting a strange issue: sometimes at the start of our application, CefSharp is blocked by Windows Defender Firewall while accessing the network.

This is not unexpected as all Networking is now done via a separate process.

Other than suggesting you white-list CefSharp.BrowserSubprocess.exe I don't have any further comment at this time.

@mokkymiah

I am having this issue when two CefSharp instances are trying to establish a WebRTC peer-to-peer connection. When one is the Chrome browser, the connection works fine with no prompts.

@dmcgloin

dmcgloin commented Sep 10, 2020

To circle back on this, it appears that the reason for this prompt is unrelated to the fact that CefSharp.BrowserSubprocess.exe is executing in a separate process. In our case, we have confirmed WebRTC usage is causing this prompt. cc: @mokkymiah

@amaitland
Member

WebRTC uses mDNS by default to prevent leaking your IP address. From what I can tell this was enabled by default in Chrome M76.

https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU
https://bugs.chromium.org/p/chromium/issues/detail?id=878465

Adding an inbound rule to allow mDNS (UDP port 5353) is likely required. (If Chrome is installed on your machine, there should be an inbound Google Chrome mDNS rule which you can use as a reference.)

See also:

https://bloggeek.me/psa-mdns-and-local-ice-candidates-are-coming/
https://tools.ietf.org/html/draft-ietf-rtcweb-mdns-ice-candidates-04

If you don't allow mDNS then WebRTC will likely still work; there are security/privacy concerns if it's blocked/disabled.


Switching to using the Network Service in process won't prevent the dialogue from being displayed.
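
A scoped version of the inbound mDNS rule suggested above, as an added example that is not part of the original thread or the CefSharp project. The install path and rule name are hypothetical; limiting the rule to the Domain/Private profiles and to the local subnet are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not CefSharp project code): scoped inbound mDNS rule.
param(
    # Assumption: where your application ships the subprocess.
    [string]$SubprocessPath = 'C:\Program Files\ExampleApp\CefSharp.BrowserSubprocess.exe',
    # Hypothetical rule name chosen for this example.
    [string]$RuleName = 'ExampleApp CefSharp (mDNS-In)'
)

if (-not (Test-Path -LiteralPath $SubprocessPath -PathType Leaf)) {
    throw "Subprocess not found: $SubprocessPath"
}
$exe = (Resolve-Path -LiteralPath $SubprocessPath).Path

# Enabled inbound rules already bound to this executable.
$existing = @(Get-NetFirewallApplicationFilter -Program $exe -ErrorAction SilentlyContinue |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

# Block rules take precedence over allow rules; answering the prompt with
# Cancel leaves block rules behind, so report them instead of masking them.
foreach ($rule in ($existing | Where-Object { $_.Action -eq 'Block' })) {
    Write-Warning "Block rule overrides any allow: '$($rule.DisplayName)'"
}

# Flag allow rules wider than the single UDP port this thread calls for.
foreach ($rule in ($existing | Where-Object { $_.Action -eq 'Allow' })) {
    $ports = $rule | Get-NetFirewallPortFilter
    if (@($ports.LocalPort) -contains 'Any') {
        Write-Warning "Allow rule covers every port: '$($rule.DisplayName)'"
    }
}

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    $params = @{
        DisplayName   = $RuleName
        Description   = 'Inbound mDNS for WebRTC ICE candidates (added example)'
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = 'UDP'
        LocalPort     = 5353
        Program       = $exe
        Profile       = 'Domain, Private'   # example choice: not Public networks
        RemoteAddress = 'LocalSubnet'       # example choice: same-subnet senders only
    }
    New-NetFirewallRule @params | Out-Null
}

Get-NetFirewallRule -DisplayName $RuleName |
    Format-List DisplayName, Enabled, Direction, Action, Profile
```

Creating the rule at install time, from an elevated installer, means the prompt never reaches end users, who typically cannot approve it without administrator rights.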

@mokkymiah

@amaitland Thanks, in my case I am still not able to establish a peer-to-peer connection with two instances of CefSharp. It works fine on Chrome, or if one peer is using Chrome.

I even tried allowing any application access to all ports via firewall just to test it out. Still no joy.

@amaitland
Member

> I even tried allowing any application access to all ports via firewall just to test it out. Still no joy.

@mokkymiah That's likely totally unrelated to this issue. See https://github.com/cefsharp/CefSharp/blob/master/CONTRIBUTING.md#cefsharp-vs-chromium-embedded-frameworkcef

Test with cefclient, then discuss on https://magpcss.org/ceforum/index.php

@amaitland
Member

Further discussion at https://magpcss.org/ceforum/viewtopic.php?f=6&t=17854

@dmcgloin

For my use case, since WebRTC was not technically required on the web page, I was able to disable the firewall prompt by including this code:

settings.CefCommandLineArgs.Add("disable-features", "WebRtcHideLocalIpsWithMdns");

Thanks again, @amaitland!
