zlacker

I guess my habit of running a firewall and not allowing programs to access the internet unless they actually need it is helpful for stuff like this.

Absolutely no reason a text editor needs internet access.

I only update stuff through winget, which fetches the installer from github in a lot of cases, and changing a package requires a PR to the winget repo AFAIK. Not foolproof of course though.

>>Saris+(OP)
Checking for updates and pulling in plug-ins. Both are valid.

>>Pet_An+1a
A browser can download updates and plugins to be installed locally. I too do not want all my apps making internet connections. Sandboxes / namespaces can help a little.

>>Pet_An+1a
It's because of issues like these that I do not agree with your statement of validity. It's also cheaper code wise to not have these contraptions.

>>Saris+(OP)
Which firewall software do you use? I should probably start using firewalls in my computers as well...

>>Saris+(OP)
LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made

>>scienc+ju
> LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made

For an open-source alternative, consider checking out - Lulu [0]. It's not as feature rich nor has impressive UI like the former but gets the main work done.

[0] https://github.com/objective-see/LuLu

>>just_t+gt
I've been using Fort: https://github.com/tnodir/fort

It's the best one I found after trying a few, because it's pretty easy to use, and lets me disable notification popups which is a part that always frustrates me about other options.

>>scienc+ju
Yeah I've been using Fort on windows, it's easy to use and not closed source and full of bloat like the commonly suggested windows firewalls from various security companies.

>>Pet_An+1a
I think these days updates through the OS package manager is a better option, windows has had winget for 5+ years now, and obviously linux and macos both have their own established systems.

>>np1810+pB
I use LuLu, it works great. Its kept my older versions of Photoshop and Acrobat from complaining and showing me ads for newer versions for the last couple years!

>>noname+lG
Tossing in a suggestion for Vallum[0] here. It's not FOSS but very polished and a fraction of the cost of Little Snitch.

[0]: https://vallumfirewall.com/

>>Saris+CC
Why am I hearing about that specific FW in year 2026, this seems really good, at least the features written if it really supports rules based on parent processes, wildcards, SvcHost granularity without gotchas. Been wrangling with Windows FW for ages, trying to get some badly behaved programs to update like Discord, Teams and others that change install paths or updater executable names or hiddenly use msedgewebview2. PolicyAppId and tagging based rules have given some success but Windows FW is still really broken. Definitely giving Fort a try.

>>valbu+mt1
It's quite good! It definitely deserves to be more popular, I hope it gets some more recognition.

Wildcards are great, like you said for those apps that change the directory name every single update.

>>Pet_An+1a
As for updates - my OS has a built-in package management system, which is responsible for installing and updating packages. Why should notepad++ bypass that and do its own independent update process?

>>scienc+ju
Binisoft WFC for Windows is a free outbound firewall. It was acquired by MalwareBytes awhile back, but they have not interfered with development so far.

https://www.binisoft.org/wfc.php

It has some areas where improvement is needed, but the fundamentals work and the user interface design is decent.

I am surprised it's not more popular for Windows users. All of the alternatives I've tried have critical issues which made me dismiss them as unserious.

>>np1810+pB
It's not open source, but I can also recommend Vallum[0] as a cheaper alternative to LittleSnitch.

[0] https://www.vallumfirewall.com/

>>Pet_An+1a
> Checking for updates

Why ? CADT ?

>>just_t+gt
It doesn't matter really because nowadays all of them are just a front-ends to Windows Firewall.

Also legitimate software (i.e. firewall/AV) cannot use "oldschool" tricks like system service descriptor table hooks to obtain godlike privileges these days, while malware sometimes can do this by exploiting vulnerabilities, so in such cases it may be an unequal fight.

>>valbu+mt1
> A "Core Isolation: Memory Integrity" feature of Windows 10+ prevents creating such memory area (leading to BSOD).

> We tried to attestation sign the driver via new EV certificate by MS to fix the driver's limitation, but failed (see #108).

> So for now users have to disable the "Core Isolation: Memory Integrity" feature

Disabling HVCI doesn't sound like a good idea honestly. I mean they abuse kernel memory protection to bypass EV Certificate restrictions leaving the system in a state where another driver can mess with FW's internal structures using the same trick.

>>thegri+Z72
Because other OSs do not and the notepad++ team wants all users to have a similar experience.

If you don’t need auto updates, just disable them.

More importantly, notepad++ being able to update itself is not the exploit here. Your OS’ package manager would download the same compromised binary as notepad++’s built in updater.

>>np1810+pB
Are you for realy using apple products? Yuh...

>>Saris+(OP)
Malwarebytes Windows Firewall Control may annoy me sometimes, but this is exactly why I run it.

>>drumtt+kO4
It shouldn't! Fort just flashes the tray icon if there's a new connection request and you can click it whenever you want, instead of a popup in your face in the middle of something.