Agnitum take on leak tests


markcc
October 31st, 2008, 10:49 AM
If anyone is interested in Agnitum's take on firewall leak tests and their importance, you may want to read this.

http://www.securityteacher.com/2008/10/29/all-you-need-to-know-about-security-leak-tests/

jrmhng
October 31st, 2008, 06:14 PM
They are all for leaktests, but that's not surprising given their bias.

hayc59
November 2nd, 2008, 09:42 PM
Does not sound too biased, but have not found a leaktest that can penetrate Outpost's newest version!

-{ Quote: "Conclusion
We hope this article has shed some light on the concept of leaktests and their relevance in testing the ability of a security product to prevent unauthorized outbound data leakage. Leaktests serve as a practical and effective tool in measuring the quality and scope of protection against the kinds of advanced breaches that are used to carry out actual attacks" }-

alex_s
November 3rd, 2008, 07:10 AM
-{ Quote: "Does not sound too biased, but have not found a leaktest that can penetrate Outpost's newest version!" }-

Let us wait for Matousec's new set of tests. It just seems that nobody has coded new tests for some time and the old well-known tests are surely "fixed". And that is to say the main OP competitors (OA and Comodo) haven't updated their results since spring. Maybe they just lost interest. I'm not sure about Comodo, but OA released v3 which definitely takes 100% (I checked it against those tests that v2 failed). And I have a feeling Matou is in the process of preparing some surprise. He can't stand ratings over 95 in his research for too long :)

Kerodo
November 3rd, 2008, 04:51 PM
Agnitum has obviously gone in this direction, so they will probably promote the whole issue and their features. The question that all this raises with me every time is, at what point does the firewall cease to be a firewall and become a HIPS with some firewall capabilities? When you decide to tread down that leak-test road with your firewall, you can pretty much bet you will end up with a HIPS product, as the "leaks" will be ever evolving and changing, requiring more and more code to catch them. Eventually, what started as a firewall is no longer a firewall at all...

alex_s
November 3rd, 2008, 06:16 PM
-{ Quote: "Agnitum has obviously gone in this direction, so they will probably promote the whole issue and their features. The question that all this raises with me every time is, at what point does the firewall cease to be a firewall and become a HIPS with some firewall capabilities? When you decide to tread down that leak-test road with your firewall, you can pretty much bet you will end up with a HIPS product, as the "leaks" will be ever evolving and changing, requiring more and more code to catch them. Eventually, what started as a firewall is no longer a firewall at all..." }-

You are completely right in the terms of the "old good days" :)

I think the current trend follows the current market. For one, most people (outside Wilders) prefer an all-in-one pack to a troublesome set of different programs. A few people like to play and test and set up a lot of programs. For two, the definition of firewall itself and the most requested firewall functionality have changed essentially, I think. Who is now the average PC user? In most cases this is a non-tech person (as opposed to the old good days). He needs to play games, write mails, visit forums etc. etc. and at the same time he wants to spend as little time on IT education as possible and feel as secure as possible.

We can like or dislike it, but we can do nothing about it (IMHO).

Rmus
November 3rd, 2008, 08:14 PM
-{ Quote: " Eventually, what started as a firewall, is no longer a firewall at all..." }-
... and with that, the early firewalls -- essentially packet filters, some of which are still around -- find themselves in the position of being criticized for failing to do what they weren't designed to do in the first place.

In our earlier discussions of Kerio 2 some years ago, you may remember when I proclaimed that Kerio 2 didn't fail any of the tests at firewalleaktester.com. Of course, I cheated, because my security in place wouldn't let the test executable files download unless I disabled security, so the tests couldn't run.

My point was, to consider under what circumstances a user could imagine a malicious trojan getting onto the computer in the first place. As someone is fond of saying, If it can't execute, it can't infect.

Also, what about the prevalence of leaktest exploits in malware? gkweb offers his opinion:

http://www.firewallleaktester.com/malwares.htm
-{ Quote: "In fact, I do not believe that tomorrow will see an explosion of leaktest exploit use in ITW malware, because why try to do something rather hard when almost all of the computers on the Internet are running with Administrator privileges, and often do not have any personal firewall?

...

There are so many easier ways for now to leak data out that the leaktest exploits seem not to be, for now, a premium choice for malware writers.

However, even if the possibility of being attacked with such an exploit is rather slim, these exploits still exist and are fully functional and working" }-

He has a list of 4 malware he has discovered which use techniques to bypass firewalls. Here is a brief summary of them, and thoughts on prevention:

W32.Welchia.Worm
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99
-{ Quote: "Risk Level 2: Low
Discovered: August 18, 2003
As of February 26, 2004, due to a decreased rate of submissions, Symantec Security Response has downgraded this threat to a Category 2 from a Category 3." }-

Microsoft analyzes: "To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine."

Obvious prevention: this exploit is blocked with properly configured firewall inbound rules.
_______________________________________________________________________

W32.Vivael@mm
http://www.symantec.com/security_response/writeup.jsp?docid=2003-062813-0620-99
-{ Quote: "Risk Level 2: Low
Discovered: June 28, 2003
Updated: February 13, 2007 12:03:04 PM

W32.Vivael@mm is a mass-mailing worm...
Attachment: hotmailpass.exe" }-

Prevention: Is it obvious?
_________________________________________________________________

[Dshield] The Beast
http://lists.virus.org/dshield-0310/msg00337.html
Date: Fri, 17 Oct 2003 06:56:38 -0400
-{ Quote: "Has anyone heard of Beast, a trojan with different variables? I came across it while reading about it in the Support Alert newsletter.

Once The Beast has infected your PC the attacker essentially has complete control." }-

The only reference to an attack that I could find is a Microsoft email spoof:

-{ Quote: "Attackers are exploiting naive users by masquerading as a patch from Microsoft. The subject line of the email reads, "Microsoft WinLogon Service - Vulnerability Issue". The body of the email claims, "A new vulnerability has been discovered in the Microsoft WinLogon Service , that would allow an attacker to gain access to an unpatched computer."

The email then instructs recipients to click a link contained in the email to "protect your computer against WinLogon attacks."" }-

Prevention: Is it obvious?
_______________________________________________________________________

Flux spreads wider
http://www.emsisoft.com/en/kb/articles/news041104/
11/6/2004
-{ Quote: "Flux is the name of a new pest spreading covertly through the internet. Flux is a trojan that is making the life of most anti malware vendors much harder.

Flux is a reverse backdoor type of trojan. Reverse means that rather than the infected machine waiting for a connection to be made from outside, the infected machine tries to make the connection itself." }-

Nothing mentioned about the attack method.

This reference from Microsoft, 2006:

-{ Quote: "In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker,"
Mike Reavey, operations manager for the Microsoft Security Response Center,...

and comment:

It's a lot like the former Word issue in May 2006. This results in a downloader event which then installs the Flux backdoor Trojan horse." }-

Your thoughts on prevention? I can think of two...
_________________________________________________________

In the current article, Igor Pankov writes,

-{ Quote: "Much has changed since those days, and today’s leaktests are way more sophisticated, using advanced interaction mechanisms and network properties to simulate the data mining capabilities typical of today’s malware." }-

It would be useful if he could present a list of current malware which exploit the leaktest scenarios he mentions, to see if different attack methods are being used.

Providing security for computers is like acquiring insurance, and risk assessment plays an important part in the decisions one makes.

One should ask, Do I know the various ways malware can download/execute on my computer? Do I feel secure about blocking these attack vectors so that the malware cannot download and execute?

Those who consider malware that uses leaktest exploits to be of sufficient risk that their computer could be infiltrated will, of course, need to provide the necessary protection.
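Added example, not from the thread or from any vendor named in it: a small Python check that sorts constructed firewall log lines into the two vectors Rmus's summary separates, inbound requests to the RPC ports Welchia used (which inbound rules block) and unexpected outbound connections of the kind Flux's reverse backdoor makes and leaktests imitate. The key=value log format, its field names and the process allow-list are assumptions made for the example.

```python
# Added example, not from the thread: classify constructed firewall log lines
# into the two vectors Rmus's summary separates (inbound RPC vs. outbound leak).
# The key=value log format and the process allow-list are assumptions.
import re

RPC_PORTS = {135, 139, 445, 593}          # ports Microsoft names for the Welchia vector
EXPECTED_OUTBOUND = {"firefox.exe", "outlook.exe", "svchost.exe"}  # assumed allow-list
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Parse 'dir=in proto=tcp dport=445 proc=system' into a dict, or None."""
    fields = dict(FIELD_RE.findall(line))
    if any(key not in fields for key in ("dir", "dport", "proc")):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields

def classify(entry):
    """Name the vector an entry matches, or None if it looks benign."""
    if entry["dir"] == "in" and entry["dport"] in RPC_PORTS:
        return "inbound-rpc"          # Welchia-style; an inbound deny rule stops it
    if entry["dir"] == "out" and entry["proc"].lower() not in EXPECTED_OUTBOUND:
        return "unexpected-outbound"  # Flux-style reverse connection / leaktest behaviour
    return None

def scan(lines):
    """Return [(line_no, vector)] for every parseable line that matches a vector."""
    hits = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue                  # malformed lines are skipped, not crashed on
        vector = classify(entry)
        if vector:
            hits.append((n, vector))
    return hits

# Constructed sample log; none of this is real traffic.
SAMPLE_LOG = [
    "dir=in proto=tcp src=198.51.100.7 dport=445 proc=system",
    "dir=out proto=tcp src=192.0.2.10 dport=80 proc=firefox.exe",
    "dir=out proto=tcp src=192.0.2.10 dport=8080 proc=hotmailpass.exe",
    "dir=in proto=udp src=198.51.100.9 dport=53 proc=dns",
    "dir=in proto=tcp dport=notaport proc=system",
]
```

Running `scan(SAMPLE_LOG)` flags line 1 as inbound-rpc and line 3 as unexpected-outbound; the allowed browser traffic, the DNS reply and the malformed line are left alone.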
