Reliable Firewall Testing Sites


Blackcat
December 20th, 2002, 12:25 PM
With Kaspersky's new AntiHacker program with stealth mode activated I am failing PC Flanks Stealth-Test!!!! All 5 mini-tests are all coming up negative - ' all non-stealthed' and the recommendation is to switch to another firewall!!!! :'(

The site is recognising my correct IP address and AntiHacker passed all the other tests on the site and the two tests on 'Shields Up'. I have not tried more extensive testing as I was quite alarmed by the negative results at Flank. The WinXP firewall is switched off.

Is the stealth testing procedure over at PC Flank reliable or is it simply something I am doing wrong? Overall can people suggest testing sites they would recommend for testing of the reliability of their firewalls?

Blackcat
December 20th, 2002, 01:39 PM
OOPS!!!!! The PC Flank site is not reporting my IP address correctly ( did not have my glasses on ); so it looks like it is this testing site and not my firewall. ;D

Would still like recommendations to more reliable sites. Why is PC Flank not reporting my correct IP address?

JacK
December 20th, 2002, 03:53 PM
-{ Quote: "Blackcat wrote:
OOPS!!!!! The PC Flank site is not reporting my IP address correctly ( did not have my glasses on ); so it looks like it is this testing site and not my firewall. ;D
" }-

Hi ;)
Because you are behind a proxy :)

Maybe from your ISP by default when installing your connection with your ISP's CD.

Rgds,

root
December 20th, 2002, 09:19 PM
I've been having trouble finding a scan site that can pick up my IP since my ISP installed a proxy. Even though the proxy is transparent and most proxy checkers see my real IP rather easily, most of the scan sites can't.
I found out tonight that Blackcode sees my real IP thru the proxy and does a very thorough scan. It reports closed instead of stealth, but I believe that's the same thing as the results say congratulations, you have no open ports and la de da.
Can be found here:
http://www.blackcode.com/scan/

When I get time, I'll try to find more that can see my IP. Right now PC Flank and Kalish can't see my IP I know for sure.

JacK
December 20th, 2002, 11:05 PM
-{ Quote: "root wrote:
I've been having trouble finding a scan site that can pick up my IP since my ISP installed a proxy. Even though the proxy is transparent and most proxy checkers see my real IP rather easily, most of the scan sites can't.
I found out tonight that Blackcode sees my real IP thru the proxy and does a very thorough scan. It reports closed instead of stealth, but I believe that's the same thing as the results say congratulations, you have no open ports and la de da.
Can be found here:
http://www.blackcode.com/scan/

When I get time, I'll try to find more that can see my IP. Right now PC Flank and Kalish can't see my IP I know for sure.
" }-

Hi Root,

This scan gives CLOSED if the ports are not OPEN and doesn't notify you whether they are BLOCKED instead of CLOSED.

Not a big issue: several online scanners are working that way.

Anyway, BLOCKED is not more secure than CLOSED.

What is important is not to be OPEN in fact if your only concern is about security.

Rgds,

Tassie_Devils
December 21st, 2002, 02:31 AM
-{ Quote: "Blackcat wrote:
OOPS!!!!! The PC Flank site is not reporting my IP address correctly ( did not have my glasses on ); so it looks like it is this testing site and not my firewall. ;D

Would still like recommendations to more reliable sites. Why is PC Flank not reporting my correct IP address?
" }-

Hi Blackcat:

Sooo, you want some sites to test hey!

How about this lot for ya mate. Keep ya busy for a while.

Not only Firewall tests, but heaps of others for general test/info.

have fun!


ONLINE SCANNER TESTS FOR AV:

Trend Micro's free online [Housecall] virus scanner: http://housecall.trendmicro.com/

BitDefender Free Online Virus Scan: http://www.bitdefender.com/scan/licence.php

Panda ActiveScan Online Virus Scan: http://www.pandasoftware.es/activescan/activescan-com.asp

PCPitstop AntiVirus Online Scan: http://www.pcpitstop.com/antivirus/avload.asp

Symantec's Online Scan: http://security2.norton.com/

Eicar virus tests [EXCELLENT. Try to download the virus 'test files' and see if your AV stops it before it downloads. Mine does :-) ]:
http://www.eicar.org/anti_virus_test_file.htm



email EXPLOITS TESTS:

Declude email tests: http://www.declude.com/tools/mailsend.html

GFI Email Security Testing Zone: http://www.gfi.com/emailsecuritytest/



FIREWALL / SYSTEMS TESTS: [Some of these sites you may have to "Register", just fill in a UserName and password or email for verification. No personal details needed, all sites listed below are trustworthy]

[NOTE: Make sure you read each page/site carefully, as you MUST make sure it is scanning YOUR IP, NOT your ISP's IP. Some sites you will have no choice to alter the setting if you are behind a 'Proxy IP' that your ISP provides. I personally cannot be scanned by one or two of the sites most of the time, as they only detect my ISP's Proxy address, therefore waste of time and your ISP may get cranky if you keep probing their ports]

Blackcode [EXCELLENT]: http://www.blackcode.com/scan/index.php

HackerWhacker: http://hackerwhacker.com/newindex.dyn

AuditMyPC.com: http://www.auditmypc.com/freescan/prefcan.asp

Broadband Reports.com [EXCELLENT, DO THE SLOW SCAN]: http://www.dslreports.com/scan/

Computer Cops Security Professionals: http://www.computercops.biz/index.php

HackerWatch.org: http://www.hackerwatch.org/probe/

Security Space.com: http://www.securityspace.com/sspace/index.html

PC Flank Complete Check [EXCELLENT]: http://www.pcflank.com/

PCPitStop Checks/TuneUp: http://pcpitstop.com/

Qualys' Free Browser Checkup: http://browsercheck.qualys.com/

Sygate Online Services [EXCELLENT]: http://scan.sygate.com/

Steve Gibson's ShieldsUP [GRC-Gibson Research Centre]: http://grc.com/x/ne.dll?rh1bi2l2=wzngrojn



SECURITY NEWS/INFO:

For GREAT info on Internet Explorer, AOL [You may have to cut and paste this entire address, as link looks broken in preview I just did, but copy/paste works]: http://www.staff.uiuc.edu/~ehowes/btw/ie/ie-opts.htm

Wayne's Windows Administrator Support site for Windows NT / Windows 2000 / Windows XP / Penetration Testing / Firewalls: LOTS of links inside....
http://is-it-true.org/

Outlook Express Security Related Info: Lots of troubleshooting, etc: http://www.mvps.org/inetexplorer/outlook_express.htm OR: http://www.mvps.org to Home Page with lots extra info various flavours.

SecurityFocus: http://www.securityfocus.org/

Microsoft Setting up Security Zones IE: http://www.microsoft.com/windows/ie/using/howto/security/setup.asp#activex

StormRanger Computer Security: http://www.stormranger.net/pages/590300/index.htm

my | NETWATCHMAN Attacks Info: http://www.mynetwatchman.com/

Distributed Intrusion Detection System
DShield.org: http://www.dshield.org/index.html

Blackcat
December 21st, 2002, 03:46 AM
Many Thanks for all this great information. At least I have an excuse now to leave all the Xmas shopping until the last minute. I will be too busy testing ;D

Happy Xmas to you in Australia and try and let us Poms at least draw one of the last Test matches coming up. Total humiliation is not nice :'(

Tassie_Devils
December 21st, 2002, 06:34 AM
Hi Blackcat:

In the matter of security/help I am only too happy to help.

In the matter of cricket. No bleeding way mate. It's 'owsdat' to ya!

lol..... [Bring out ya dead, bring out ya...... ashes]

Tassie_Devils
December 21st, 2002, 07:01 AM
Hi Jack in reply re blackcode.com's site tests and the "Closed" ports results. This is the same as either "blocked" or "stealthed" from other sites. Each site has its own way of saying if you are safe or not.
Usually, of course, they do say "Blocked" like Sygate's site and "Stealthed" like GRC's.

I did have one site [forgotten the damn addy] which said "All Ports Secure" and would only report any 'Open' ones.

I too have some trouble sometimes getting a couple of sites to work as my ISP is behind a proxy. Sometimes they work, sometimes they don't. Go figure. Majority of the times they are OK though.

JacK
December 21st, 2002, 10:09 AM
-{ Quote: "Tassie_Devils wrote:

Hi Jack in reply re blackcode.com's site tests and the "Closed" ports results. This is the same as either "blocked" or "stealthed" from other sites. Each site has its own way of saying if you are safe or not.
Usually, of course, they do say "Blocked" like Sygate's site and "Stealthed" like GRC's.

I did have one site [forgotten the damn addy] which said "All Ports Secure" and would only report any 'Open' ones.

I too have some trouble sometimes getting a couple of sites to work as my ISP is behind a proxy. Sometimes they work, sometimes they don't. Go figure. Majority of the times they are OK though.


" }-

Hi Tassie Devils ,

You get me wrong :)

No test sites will give you a good result with a single port OPEN of course.

But most sites like grc or sygate have 3 different responses:

OPEN (bad)

STEALTH (or BLOCKED)

CLOSED

What I mean is that blackcode.com has only two:

OPEN

and CLOSED whenever the port is BLOCKED or CLOSED: it does not make the difference between both.

So if your port is BLOCKED (STEALTH) it notifies you CLOSED too.

Best regards,
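
The three answers listed in the post above correspond to what a TCP connect attempt gets back: a completed handshake (OPEN), a refusal (CLOSED), or no answer at all (STEALTH/BLOCKED). The following is an added example, not part of the thread or of any scan site's code; it probes only the local loopback interface, and `probe`, `two_state` and `demo` are hypothetical names.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP port the way a three-answer test site does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "OPEN"        # handshake completed: something is listening
    except ConnectionRefusedError:
        return "CLOSED"      # host answered with a reset: nothing listening
    except OSError:
        return "STEALTH"     # timeout or no usable answer: packet was dropped
    finally:
        s.close()

def two_state(state):
    """Collapse to a two-answer report: anything not OPEN is shown as CLOSED."""
    return "OPEN" if state == "OPEN" else "CLOSED"

def demo():
    """Probe one listening and one unused loopback port on this machine."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    unused = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    unused.bind(("127.0.0.1", 0))
    closed_port = unused.getsockname()[1]
    unused.close()                        # port is now free, nothing listens

    results = {}
    for label, port in (("listening", open_port), ("not listening", closed_port)):
        state = probe("127.0.0.1", port)
        results[label] = (state, two_state(state))
    listener.close()
    # STEALTH cannot be shown on loopback: it needs a filter that drops the SYN.
    return results

if __name__ == "__main__":
    for label, (three, two) in demo().items():
        print(f"{label}: three-answer={three} two-answer={two}")
```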

eyespy
December 21st, 2002, 10:14 AM
Hi Tassie_Devils !
Very nice post and thanks for the many useful links ! ;)

regards,
bill :)

Jack Frost
December 21st, 2002, 04:58 PM
Before you use mynetwatchman, know that visiting these scan sites will register as an attack and the ISP will be notified – it does not matter if you gave them permission or not, the service will still file a complaint.

It will also look at your log files from the start – meaning last month's activity will be reported. And note that ALL OF YOUR ACTIVITY will be reported; this includes every site you visit, etc.

It also assumes the user will not modify their log files and add or change entries. A malicious user could make it appear that activity is coming from an IP that is actually innocent.

Use a packet sniffer (ethereal.com) and look at what their program transmits ;)

I’m using XP and XP’s firewall.

Just a word of caution!

psloss
December 22nd, 2002, 10:05 AM
-{ Quote: "Before you use mynetwatchman, know that visiting these scan sites will register as an attack and the ISP will be notified – it does not matter if you gave them permission or not, the service will still file a complaint." }-

Do you recall what responses you saw come back from the server? There are several IPs that are excluded based on information we've received from dialog with ISPs. I've seen my ISP's fairly feeble security scan return a status of: "mNWStatus: EXCLUDED - Source IP Address exists in exclusion database."

Gibson Research's Shields Up is an example of something like that -- and an example of a site that has changed IPs recently due to one of the latest DDoS attacks on that site. It's possible that this isn't reflected yet in the exclusion list, but communicating with the ISP would also bring issues like IP changes to our attention.

-{ Quote: "It will also look at your log files from the start – meaning last month's activity will be reported. And note that ALL OF YOUR ACTIVITY will be reported; this includes every site you visit, etc." }-

What agent configuration did you look at?

Logs can be and should be "prefiltered" since we are only interested in inbound data (intrusion attempts). The prefilter string for the XP firewall is "DROP" -- only events in which a packet was dropped should be uploaded. If the agent is not using prefilters, then extraneous information would be uploaded, which will be ignored by the server, usually with a status of "mNWStatus: REPORT_FILTERED."

Not only is extraneous information useless to us, but it takes up unnecessary bandwidth to transmit to the server and then server resources for the server to process and reject the data. Both of these reasons were part of the motivation to add some filtering on the client side...

Some personal software firewalls do log more than just intrusions. For example, Zone Alarm reports all sorts of events besides just intrusions:

http://robertpanderson.homestead.com/files/zonealarm1.html

We're only interested in the FWIN or FWROUTE events -- which are the two prefilter strings for the Zone Alarm log format.

-{ Quote: "It also assumes the user will not modify their log files and add or change entries. A malicious user could make it appear that activity is coming from an IP that is actually innocent." }-

That's mitigated by the scoring algorithms used to filter out "false positives"; I've had several probes to my broadband IP not escalated because my IP was the only one targeted. In the case of "noisy" worms like Opaserv or the new Lioten one or things like Winpopup spam messages, it usually takes reports from two or three (and sometimes more) independent agents for an incident to be escalated despite the fact that -- in those cases -- the signature of a single probe is sufficient to determine its intent.

Additionally, most ISPs are unlikely to act based on an escalation. An escalation is just that -- just like an abuse incident that was manually reported, we're asking the ISP to look into an event. Given how hard it is to get many ISPs to do anything even after presented with incident information, I would be surprised at this point in time to find that they don't verify/validate the event in their logs before taking an action with respect to one of their customers.

Philip Sloss
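
The client-side prefiltering described in the post above, as an added example that is not myNetWatchman's agent code: only lines whose event type matches the prefilter strings named in the post ("DROP" for the XP firewall, "FWIN"/"FWROUTE" for Zone Alarm) are kept for upload. The sample log lines are constructed, the Zone Alarm field layout is an assumed illustration, and matching on the event-type field is an assumption about how a prefilter string is applied.

```python
# Prefilter strings as given in the post; the dictionary keys are hypothetical names.
PREFILTERS = {
    "xp_firewall": ("DROP",),
    "zonealarm": ("FWIN", "FWROUTE"),
}

# Constructed sample: XP firewall log (date time action protocol src dst ...).
XP_LOG = """
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2002-12-22 10:01:15 DROP TCP 203.0.113.5 192.0.2.10 3456 445 48 S
2002-12-22 10:01:20 OPEN TCP 192.0.2.10 198.51.100.7 1055 80 - -
2002-12-22 10:01:25 CLOSE TCP 192.0.2.10 198.51.100.7 1055 80 - -
2002-12-22 10:02:01 DROP UDP 203.0.113.9 192.0.2.10 1026 137 78 -
"""

# Constructed sample: Zone Alarm log (type,date,time,source,destination,transport).
ZA_LOG = """
FWIN,2002/12/22,10:05:12 -5:00 GMT,203.0.113.5:1234,192.0.2.10:137,UDP
PE,2002/12/22,10:06:00 -5:00 GMT,Internet Explorer,198.51.100.7:80,N/A
FWROUTE,2002/12/22,10:07:30 -5:00 GMT,203.0.113.9:4000,192.0.2.20:445,TCP
"""

def event_type(line, fmt):
    """Return the event-type field of one log line."""
    if fmt == "xp_firewall":
        fields = line.split()            # whitespace-separated, action is 3rd
        return fields[2] if len(fields) > 2 else ""
    return line.split(",", 1)[0].strip() # comma-separated, type is 1st

def prefilter(lines, fmt):
    """Keep only inbound-block events; drop headers and everything else."""
    wanted = PREFILTERS[fmt]
    kept = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if event_type(line, fmt) in wanted:
            kept.append(line)
    return kept

if __name__ == "__main__":
    for fmt, log in (("xp_firewall", XP_LOG), ("zonealarm", ZA_LOG)):
        print(fmt)
        for line in prefilter(log.splitlines(), fmt):
            print("  upload:", line)
```

The outbound OPEN/CLOSE and program (PE) lines, which are the ones that would reveal visited sites, never reach the upload list.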

Paul Wilders
December 22nd, 2002, 02:27 PM
Welcome, Philip, and compliments for doing a very fine job overall.

regards.

paul

psloss
December 22nd, 2002, 03:49 PM
-{ Quote: "Forum Admin wrote:
Welcome, Philip, and compliments for doing a very fine job overall.

regards.

paul
" }-
Thanks, Paul. I hope to take a longer look around here after the holidays...

Happy Holidays,

Philip Sloss

Paul Wilders
December 22nd, 2002, 04:22 PM
-{ Quote: "I hope to take a longer look around here after the holidays..." }-

Be our guest!

-{ Quote: "Happy Holidays" }-

Happy times as well,

regards.

paul