Official 2.05 Release
Frederic
April 25th, 2004, 02:58 PM
Hi all,
The official 2.05 releases are available here:
En: http://www.looknstop.com/En/LooknStop_Setup_205.exe
Fr: http://www.looknstop.com/Fr/Installation_LooknStop_205.exe
No real change compared to the 2.05b3, it is just to officialize it (expiration removal, help file updates, file versions...).
No need to uninstall the 2.05b3 first. A reboot will be required after the update.
The official 2.05 content is the following:
Features Added:
DLL Filtering (Windows 2000-XP only)
Port & IP selection for the Application Filtering
Plug-in interface for localization, rule creation and log analysis by third party applications.
Detection of trojans that are using DLL injection or DNS requests through svchost/services.
Detection of non-standard protocols and drivers under Win2000/XP.
Internet Filtering: addition of a context menu to Duplicate/Cut/Copy/Paste a rule
Changes:
Signature verification improvements (Windows 2000-XP only).
New attribute in Application Filtering to have only blocking access in the log or all access.
TCP Stateful Packet Inspection: the maximum number of monitored TCP connections has been set to 128 (instead of 64).
All miscellaneous options in one list in the Advanced Options dialog box.
If the Automatic Selection is enabled for the Network Adapter, no selection occurs until the PC is considered connected (instead of filtering the 1st adapter in the list by default).
In the "U/D #" column, addition of a '-' or '+' indicator to know if the packet has been blocked or allowed.
In the Application Filtering, it is now possible to sort the lines by clicking on the column headers.
Addition of the 'TCP or UDP' selection to the list of protocols in the rule edition dialog box
Automatic log entries removal when reaching a limit (configurable by the user)
Application filtering: automatic removal of applications which no longer exist
Addition of GB (Giga-Bytes) unit for statistic display in the Welcome page (however there is still the 4 GB limitation)
Fixes:
Compatibility with Hyper-Threading.
In the rule edition dialog box reset of some hidden fields when the protocol has been changed (in particular TCP Flags when changing from TCP to UDP).
In some particular cases (reserved field not set to 0) the TCP Stateful Packet Inspection could reject some valid incoming connection requests.
Problem in the Data display zone in the Message Content dialog box (sometimes the number of displayed bytes was wrong).
In case of a quick disconnection and reconnection, a new IP address was not updated in the ruleset (for rules using "equal my @").
It was possible to create a rule with a right click on log items even when the configuration was locked with a password.
Under some 2003 Server configurations, the network interface wasn't correctly detected.
The field "IP to exclude for auto-detection" was sometimes badly interpreted.
The rule names in the log are now correct even if some rules have been added without being applied yet.
Crash when the maximum number of Internet Filtering rules was reached.
Regards,
The Look 'n' Stop Team
curiousone
April 25th, 2004, 06:07 PM
hi,
will there be a new 1.05 lite version coming out as well?
Frederic
April 26th, 2004, 03:59 PM
-{ Quote: "hi,
will there be a new 1.05 lite version coming out as well?" }-
Hi,
No, sorry, there is no plan to update this version at this time.
Most of the 2.05 content is extensions of features which are not present in the Lite version (like Application Filtering, Advanced Options, ...). So this new 2.05 content doesn't apply to the Lite version.
Frederic
yair
May 14th, 2004, 04:23 PM
I am disappointed with this version.
In pcflank they wrote:
"We contacted the developers (Soft4Ever) and they confirmed those results, but reported their beta version (2.04p2) should pass both Thermit and Atelier Web Firewall Tester. That’s good news for users of L’n’S firewall!"
I did some testing with this version and it failed
Thermit
Copycat
and only passed 2 of the 10 AWFT tests
just like in the original test for 2.0.4
gkweb
May 14th, 2004, 05:45 PM
Hi,
Copycat is currently passed by no firewalls, so you can forget it.
About Thermite and AWFT, Look'n'Stop 2.05 detects them without any problem,
if it is configured correctly in the option (advanced mode, control thread injection, etc...).
regards,
gkweb.
yair
May 14th, 2004, 06:26 PM
Thank you, you are correct of course.
Thermite claimed success, but I think LnS detected it, so I guess the success msg is automated.
I thought CopyCat is pretty much the same as Thermite; what makes CopyCat invincible?
gkweb
May 14th, 2004, 07:50 PM
Hi,
Copycat uses an _existing_ thread in the target process and adds its code to it,
whereas Thermite _adds_ a thread to the process.
Copycat is much harder to detect :-\
regards,
gkweb.
EDIT: below, Look'n'Stop detecting Thermite.
gkweb
May 14th, 2004, 07:54 PM
and Thermite failing:
yair
May 15th, 2004, 06:01 AM
This is not the case on my computer :/
Thermite announced success before I even clicked the block button in Look 'n' Stop's msg.
Even when LnS is already configured to block it, Thermite still announces success.
yair
May 15th, 2004, 06:08 AM
When Thermite is not already configured to be blocked, I can see that small "can't connect" msg box, but only for half a second, and after that the only thing left on the screen is the success message.
gkweb
May 15th, 2004, 07:08 AM
Hi,
Yes, Thermite first displays its success, then the error popup appears :)
If Thermite succeeds, it simply downloads an HTML webpage into its folder; if nothing happens, then Thermite was blocked ;)
regards,
gkweb.
bvv
May 15th, 2004, 10:56 AM
Thermite seems to be aimed specifically at IE. At least, it wasn't able to perform its tricks with MYie (it reported IE should be started first).
Quote: "Copycat uses an _existing_ thread in the target process and adds its code to it,
whereas Thermite _adds_ a thread to the process.
Copycat is much harder to detect"
It may be difficult, but it is not impossible. Look at the message from System Safety Monitor while trying to run Copycat:
"The call to API function "NtOpenThread" was successfully intercepted. This function allows to gain total control over a thread in another process, and may be used in "DLL Injection"."
gkweb
May 15th, 2004, 11:26 AM
Without wanting to dive into the arcana of leaktests, SSM is not a firewall, and a firewall intercepting any "NtOpenThread" API call without knowing if it will
be followed by an internet access afterwards or not (at this step you can't tell) will be full of false positives, will warn of any such API call, and will be more annoying than efficient.
API hooking is a _proactive_ defense (you don't know what will follow but you block it anyway), while leaktest detection must instead begin from the end, the network access, and is thus _reactive_.
If I write a program which just does an API call like the one above, just to display a popup, am I still malware trying to hijack a piece of software to access the network? :)
regards,
gkweb.
yair
May 15th, 2004, 01:09 PM
Process Guard writes "copycat tried to gain write/terminate/set info/suspend access on...." and it makes Copycat write "process memory is not accessible".
Outbound protection is the most important for me because of my router's firewall.
I disabled the internet filtering in LnS because of that; can LnS add to my router's firewall when it comes to inbound protection?
bvv
May 15th, 2004, 01:13 PM
-{ Quote: "Without wanting to dive into the arcana of leaktests, SSM is not a firewall, and a firewall intercepting any "NtOpenThread" API call without knowing if it will
be followed by an internet access afterwards or not (at this step you can't tell) will be full of false positives, will warn of any such API call, and will be more annoying than efficient." }-
You are probably right, apart from the "full of false positives" part. I have been using SSM for quite some time and the warning message I mentioned may have popped up before, but I can't remember if it did. It doesn't occur often.
So, until there is a better way of dealing with this "problem", it's probably better to be safe than sorry. Just deny permission with SSM. If a trusted program doesn't work after that, you can simply adapt the appropriate rule.
gkweb
May 15th, 2004, 02:40 PM
-{ Quote: "
You are probably right, apart from the "full of false positives" part.
" }-
I disagree; it is not because you didn't notice it a lot that it doesn't happen more :)
You maybe didn't see such API calls occur often, but I see it every day using various security software; I have already used "sandbox-like" firewalls, and they do produce many false positives.
-{ Quote: "
So, until there is a better way of dealing with this "problem", it's probably better to be save than sorry. Just deny permission with SSM.
" }-
Here we go :)
Take a look at my website, advises part, and you will see that it's exactly my point.
I perfectly agree sandboxes and API hooking are efficient and needed, but a firewall relying only on that is nonsense. I expect my firewall to warn me about network accesses, not about possible malicious system activities which might probably lead to a network access attempt if afterwards another API is called and if... you get my point: if there is a network access then I expect my firewall to warn me; if there is a suspicious API call then I expect my sandbox to warn me, not my firewall.
@yair
-{ Quote: "
Process Guard writes "copycat tried to gain write/terminate/set info/suspend access on...." and it makes Copycat write "process memory is not accessible".
Outbound protection is the most important for me because of my router's firewall.
I disabled the internet filtering in LnS because of that; can LnS add to my router's firewall when it comes to inbound protection?
" }-
For inbound, maybe nothing valuable if your router is well configured, but for outbound you can at least enable it and allow all normal protocols like IP/TCP/UDP/ICMP and block the others. Enable network driver protection too, to block malware other than the winsock-based kind, like those using WinPcap.
This is one of the new features of Look'n'Stop 2.05.
regards,
gkweb.
yair
May 15th, 2004, 05:40 PM
Well configured? It's simply: open a port for incoming connections, or leave it closed.
I will work on what you suggested tomorrow (it's 00:50 in my time zone right now).
bvv
May 16th, 2004, 04:37 AM
-{ Quote: "I disagree; it is not because you didn't notice it a lot that it doesn't happen more :)
You maybe didn't see such API calls occur often, but I see it every day using various security software; I have already used "sandbox-like" firewalls, and they do produce many false positives.
Here we go :)
Take a look at my website, advises part, and you will see that it's exactly my point.
I perfectly agree sandboxes and API hooking are efficient and needed, but a firewall relying only on that is nonsense. I expect my firewall to warn me about network accesses, not about possible malicious system activities which might probably lead to a network access attempt if afterwards another API is called and if... you get my point: if there is a network access then I expect my firewall to warn me; if there is a suspicious API call then I expect my sandbox to warn me, not my firewall." }-
Okidoki, point taken.
If I understand you correctly it is (almost) impossible to detect and warn about these events accurately (when a "bad guy" tries to access the internet this way).
If that's right, the question is how big this problem is. Does it leave a big hole in any firewall that Trojans can use at will and actually do something with it, or is it just a theoretical problem?
gkweb
May 16th, 2004, 06:47 AM
-{ Quote: "
it is (almost) impossible to detect and warn about these events accurately
" }-
Indeed :-\
I think it's possible anyway, but it asks a lot of work just to accurately detect one leaktest.
Maybe, I don't know, Copycat is only detectable by sandboxes.
When suddenly a connection occurs, you have to be able to track back the real source; it is possible, but very hard in the case of Copycat for instance.
Look'n'Stop 2.05 successfully detects Thermite; it isn't that easy :)
In the meantime, software like SSM or Process Guard works very well with your firewall.
@yair
-{ Quote: "
well configured? it's a simple open a port for incoming connections, or leave it closed
" }-
I just know that there are routers which by default forward ports, have a default weak administration password, or have the Telnet port open, etc...
But glad you perfectly know how to configure your router; I couldn't know ;)
regards,
gkweb.
ellison64
May 16th, 2004, 03:31 PM
-{ Quote: "Hi all,
The official 2.05 releases are available here:
En: http://www.looknstop.com/En/LooknStop_Setup_205.exe
Fr: http://www.looknstop.com/Fr/Installation_LooknStop_205.exe
No real change compared to the 2.05b3, it is just to officialize it (expiration removal, help file updates, file versions...).
No need to uninstall the 2.05b3 first. A reboot will be required after the update.
The official 2.05 content is the following:
Features Added:
DLL Filtering (Windows 2000-XP only)
Detection of non-standard protocols and drivers under Win2000/XP.
Signature verification improvements (Windows 2000-XP only).
Being a novice and still using 98(SE), please could you explain the above improvements for XP/2000 and whether they are relevant to 98? As a 98 user I'm wondering whether support and features for older operating systems may be limited?
TIA
ellison
AgentX
May 16th, 2004, 04:56 PM
Why hasn't the website been updated to the latest version 2.05? Someone unaware
of this forum won't have the slightest idea that a new version has been released.
Please update the website and provide direct links to plugins, rules (rie files) and also
the beta version straight from the website.
Regards,
AgentX
gkweb
May 17th, 2004, 07:36 AM
Hi AgentX,
the website seems to have been updated today or yesterday:
http://www.looknstop.com/En/index2.htm
regards,
gkweb.
Lilith
May 17th, 2004, 11:12 AM
-{ Quote: "Hi AgentX,
the website seems to have been updated today or yesterday:
http://www.looknstop.com/En/index2.htm
regards,
gkweb." }-
Sorry but I don't see any update...
The downloadable version is the 2.04.
gkweb
May 17th, 2004, 11:18 AM
Maybe you need to empty your web browser cache; it shows 2.05 here, and the download link offers the 2.05.
I have attached what I see in my browser.
regards,
gkweb.
AgentX
May 17th, 2004, 02:16 PM
Hi gkweb,
Yes, the website is up-to-date now, but it wasn't when I typed my last message.
It's nice to see the latest information posted on the website, which took no less than
two weeks. But I still don't see direct links to all the plugins and rule files nicely
arranged with descriptions.
Regards,
AgentX
Fada
May 28th, 2004, 07:58 AM
Hello... something sounds strange to me...
It seems the last beta release is very similar to the final release. So why can the beta one be downloaded freely?
PS: sorry for my English, which is not very good.
gkweb
May 28th, 2004, 08:20 AM
Hi,
You shouldn't post the same question in both the French and English forums; I have answered in the French one.
regards,
gkweb.
hojtsy
August 18th, 2004, 09:36 AM
-{ Quote: "I think it's possible anyway, but it ask a lot of work just to accuratly detect one leaktest.
May be, I don't know, Copycat is only detectable by sandboxes.
When sudently a connection occurs, you have to be able to track back the real source, it is possible, but very hard in the case of copycat for instance.
" }-
Further chewing on the old bone: The firewall could store a "tamper history" for processes, and if they attempt a network connection, it could alarm, and list the other processes which tampered with it in the past.
-hojtsy-
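hojtsy's "tamper history" idea, together with gkweb's earlier point that a firewall must be able to track a sudden connection back to its real source, as an added example that is not part of the thread and is not Look'n'Stop or Soft4Ever code: a Python sketch of the correlation logic a firewall could run. The event log format, the process names and the PIDs are constructed for this example; the API names are real Windows/NT calls (NtOpenThread is the one SSM reported above). Two design choices are assumptions of this example rather than anything a product does: a target's history is dropped when it exits, so a later process that reuses its PID is not blamed for its predecessor's past, while a tamperer that has already exited stays in its victims' history, flagged, so the alert can still name it; and the trace follows chains (A tampered with B, B tampered with C, C connects) up to a bounded depth.

```python
import re
from collections import defaultdict

# Constructed sample events (not real Look'n'Stop output; the line format is an
# assumption made for this example): TAMPER = cross-process access seen by a hooking
# component, EXIT = process termination, CONNECT = outbound attempt seen by the firewall.
SAMPLE_LOG = """\
2004-05-15 13:09:00 TAMPER src=copycat.exe(1234) dst=iexplore.exe(2048) api=NtOpenThread
2004-05-15 13:09:00 TAMPER src=copycat.exe(1234) dst=iexplore.exe(2048) api=SetThreadContext
2004-05-15 13:09:01 EXIT pid=1234
2004-05-15 13:09:02 CONNECT pid=2048 proc=iexplore.exe dst=198.51.100.7:80
2004-05-15 13:10:00 TAMPER src=updater.exe(3000) dst=helper.exe(3100) api=CreateRemoteThread
2004-05-15 13:10:01 TAMPER src=helper.exe(3100) dst=iexplore.exe(2048) api=NtOpenThread
2004-05-15 13:10:02 CONNECT pid=2048 proc=iexplore.exe dst=198.51.100.9:443
2004-05-15 13:11:00 EXIT pid=2048
2004-05-15 13:11:05 CONNECT pid=2048 proc=notepad.exe dst=203.0.113.4:80
2004-05-15 13:12:00 CONNECT pid=4000 proc=outlook.exe dst=203.0.113.4:25
"""

TS = r"(?P<ts>\S+ \S+)"
TAMPER_RE = re.compile(TS + r" TAMPER src=(?P<sname>[^\s(]+)\((?P<spid>\d+)\)"
                       r" dst=(?P<dname>[^\s(]+)\((?P<dpid>\d+)\) api=(?P<api>\S+)$")
EXIT_RE = re.compile(TS + r" EXIT pid=(?P<pid>\d+)$")
CONNECT_RE = re.compile(TS + r" CONNECT pid=(?P<pid>\d+) proc=(?P<name>\S+) dst=(?P<dst>\S+)$")


class TamperHistory:
    """Per-process memory of who touched whom, consulted when a connection appears."""

    def __init__(self, max_depth=4):
        self.history = defaultdict(list)  # target pid -> [{pid, name, api, exited}, ...]
        self.max_depth = max_depth        # bound on A->B->C->... chains

    def record_tamper(self, src_pid, src_name, dst_pid, api):
        self.history[dst_pid].append(
            {"pid": src_pid, "name": src_name, "api": api, "exited": False})

    def record_exit(self, pid):
        # A target's history dies with it, so a later process that reuses the PID
        # is not blamed for what was done to its predecessor...
        self.history.pop(pid, None)
        # ...but a tamperer that has exited stays in its victims' history, flagged,
        # so the alert can still name it after it is gone.
        for records in self.history.values():
            for rec in records:
                if rec["pid"] == pid:
                    rec["exited"] = True

    def trace(self, pid):
        """Every process that tampered with `pid`, directly or through an intermediate
        it tampered with first; breadth-first, so direct tamperers come first."""
        found, seen, queue = {}, {pid}, [(pid, 0)]
        while queue:
            cur, depth = queue.pop(0)
            if depth >= self.max_depth:
                continue
            for rec in self.history.get(cur, []):
                entry = found.setdefault(rec["pid"], {
                    "process": rec["name"], "pid": rec["pid"], "apis": [], "state": "running"})
                if rec["api"] not in entry["apis"]:
                    entry["apis"].append(rec["api"])
                if rec["exited"]:
                    entry["state"] = "exited"
                if rec["pid"] not in seen:
                    seen.add(rec["pid"])
                    queue.append((rec["pid"], depth + 1))
        return list(found.values())

    def on_connect(self, ts, pid, name, dst):
        """Alert dict if the connecting process has a tamper history, else None."""
        chain = self.trace(pid)
        if not chain:
            return None
        return {"ts": ts, "pid": pid, "process": name, "dst": dst, "tampered_by": chain}


def process_log(text, max_depth=4):
    """Replay an event log in order and return the alerts raised at CONNECT events."""
    hist, alerts = TamperHistory(max_depth), []
    for line in text.splitlines():
        if m := TAMPER_RE.match(line):
            hist.record_tamper(int(m["spid"]), m["sname"], int(m["dpid"]), m["api"])
        elif m := EXIT_RE.match(line):
            hist.record_exit(int(m["pid"]))
        elif m := CONNECT_RE.match(line):
            alert = hist.on_connect(m["ts"], int(m["pid"]), m["name"], m["dst"])
            if alert:
                alerts.append(alert)
    return alerts
```

Running `process_log(SAMPLE_LOG)` on the constructed log yields two alerts, both for iexplore.exe (2048): the first names copycat.exe (already exited) and the two APIs it used, the second also lists helper.exe and, one hop further back, updater.exe. The later connection from a new process that reuses PID 2048 raises nothing, which is the PID-reuse case the exit handling exists for. Because the alert only fires when a network access actually happens, the API-hook events alone never interrupt the user, which is the split gkweb argued for: the sandbox-style hook records, the firewall decides.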
Copyright ©2002 - 2012, Wilders Security Forums