Outpost 2 beta - I've got it :)


tahoma
March 30th, 2003, 06:28 AM
As a beta tester of Outpost v1 I have now been given access to the Outpost 2 beta and I've been using it for 2 days now. Here are my views:

- protection against DLL injection (new feature) - works perfectly. It's brilliant
- the rest: not much new here, just updates and minor enhancements, better interface (or worse if you're a minimalist)

- seems to be a bit more heavy on resources, and also a bit slow to respond at times (I've got an Athlon 1.2 GHz and 768 MB of RAM), but this may be sorted as it approaches a final release

- test results: stealth everywhere, just like OP1

- no errors, crashes, bluescreens (XP Pro)

So basically, although it's just a beta, I will never ever change back to something else. As far as I can see it's just 100% perfect already, and the DLL-injection guard in my opinion now makes OP2 the best product out there.

CARCHARODON
March 30th, 2003, 10:56 AM
Do you use fast user switching in XP? If so, is it working well?

Clweb
March 30th, 2003, 11:46 AM
Is ICS now working under Win2000/XP?

tahoma
March 30th, 2003, 12:33 PM
Sorry guys, I'm not using either and can't tell :/ I'll let you know if I find out.

CARCHARODON
March 30th, 2003, 12:44 PM
Please do. Outpost 2 is shaping up to be a very exciting product.

angel
March 31st, 2003, 04:04 AM
Still vulnerable to ACK streaming attacks ...
Nice blue screen if you flood the wall with random packets ...
Still vulnerable to code injection ...

Security holes known since some early betas of Outpost 1.0 - but still not fixed. I think I should give up searching for security holes ;D.

root
March 31st, 2003, 09:56 AM
And you are an expert on Outpost because......?
All firewalls are vulnerable to code injection in a number of ways. It is a Windows problem and there are numerous ways to get around firewalls that have not yet been released as leak tests. It is my understanding that a sandbox approach is the only way to completely solve this problem. Agnitum is aware of the last two exploits that were released and considering the best approach.
Are you a beta tester? If you are, then have you reported these problems? If not, how are you so familiar with the beta version?

Smokey
April 4th, 2003, 12:30 PM
Quoting root:
> And you are an expert on Outpost because......?
>
> Are you a beta tester? If you are, then have you reported these problems? If not, how are you so familiar with the beta version?
Hi root,

Still no reply from Angelo, so I guess he is just blowing some hot air around... ;)

root
April 4th, 2003, 01:18 PM
To answer some previous questions, ICS is working fine for me with XP and Win2K SP3.
I have heard no complaints about fast user switching yet.
I do believe the problems that plagued XP users before have pretty much been taken care of.
I have even got Kaspersky working on my machine now, which was a problem.
I think most will be very pleased with the new version.

Hi Smokey. Who knows? If there are any serious problems with Outpost, I would hope whoever discovers them would take the approved approach and notify the vendor first to give them a chance to fix it, before going public with any information that might cause a serious security problem.

CARCHARODON
April 5th, 2003, 09:49 AM
That is great news indeed root. Please keep us informed about both the good and bad things you find in version 2.

meneer
April 8th, 2003, 09:18 AM
You'll be pleased to hear that the logging and log viewing system is very much enhanced.

V2 feels very stable. The bugs I'm aware of are not very serious (this system feels better than the latest V1 betas :) ).

angel
April 8th, 2003, 10:32 AM
>Till yet no reply from Angelo, so I guess he is just blowing some hot
>air around... ;)

No, I have to prepare for my "Matura". It's comparable to A levels or the "Abitur". Not much time :(.

angel
April 8th, 2003, 10:39 AM
>And you are an expert on Outpost because......?

I am not an expert on anything. I just posted some bugs that have been there since some early Outpost 1 betas.

>All firewalls are vulnerable to code injection in a number of ways.

Meeeep. There are several methods to block code injection. DLL injection is easy to detect - just trace the call back to the calling module.

Code injection can be easily blocked using process memory checksums.

>It is a Windows problem and there are numerous ways to get
>around firewalls that have not yet been released as leak tests.

That's why I won't recommend ANY personal firewall. Most of the time they are abused as an application filter. But as application filters they are nearly useless. They can't even block spyware.

>It is my understanding that a sandbox approach is the only way to
>completely solve this problem.

Exactly. It's my opinion, too.

>Agnitum is aware of the last two exploits that were released and
>considering the best approach.

*rofl* ... I mentioned bugs that are VERY VERY old and still not fixed in the current beta.

>Are you a beta tester? If you are, then have you reported these
>Problems? If not, how are you so familiar with the beta version?

Well ... in Austria you would say: "Vitamin B". It means that I have enough connections to get the Outpost 2 beta without being a beta tester.

I reported the bugs many months ago. As I said ... I found them in an Outpost 1 beta, and version 2 is still vulnerable to them.
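
A defender-side check in the spirit of the "trace the call back to the calling module" remark above, added here as an example and not code from the thread, from Agnitum or from Outpost: it lists the modules loaded into a running process and flags any that are unsigned or loaded from outside the Windows and Program Files directories, which is where an injected DLL usually shows up first. The process name (default explorer) and the trusted-directory list are assumptions.

```powershell
# Added example (not from the thread): inventory the modules a process has
# loaded and report the ones that are unsigned or live outside the usual
# install directories. A clean process prints nothing.
param([string]$ProcessName = 'explorer')   # assumption: process to inspect

# Assumption: modules belonging to a legitimate install live under these roots;
# anything loaded from %TEMP% or a user profile deserves a closer look.
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

function Test-TrustedPath {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($dir in $trustedDirs) {
        if ($p.StartsWith($dir)) { return $true }
    }
    return $false
}

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    try {
        $modules = $proc.Modules   # throws for processes we are not allowed to open
    } catch {
        Write-Warning "Cannot read modules of $($proc.ProcessName) ($($proc.Id)): $_"
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        # Authenticode check: catalog-signed Windows files also report 'Valid'
        $sig     = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signed  = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
        $trusted = Test-TrustedPath -Path $path
        if (-not $signed -or -not $trusted) {
            [pscustomobject]@{
                Process    = "$($proc.ProcessName) ($($proc.Id))"
                Module     = $m.ModuleName
                Path       = $path
                Signed     = $signed
                TrustedDir = $trusted
                Signer     = if ($signed) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}
```

Run it from an elevated prompt for processes owned by other users; an unsigned module under a trusted directory is worth a second look but is not by itself proof of injection.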

kabronsete
April 8th, 2003, 11:33 AM
Quoting Angelo Bachmayr:
> Still vulnerable to ACK streaming attacks ...
> Nice blue screen if you flood the wall with random packets ...

Can you describe these two tests better? With this vague description it's difficult to figure out, and I want to test it with both v1.x and beta 2 and also with other firewalls.

TIA

angel
April 8th, 2003, 11:37 AM
ACK streaming:
Generate several thousand ACK packets and send them as fast as possible to a client "protected" with Outpost. The firewall driver (well, not exactly, the integrated IDS) will produce a nice blue screen.

Random UDP flood:
Get a UDP flooder of your choice and generate a huge number of UDP packets (including spoofed and illegal packets). After that send them as fast as possible to the Outpost "protected" client.

root
April 8th, 2003, 06:28 PM
Just so you don't lose any sleep over this, I have contacted Agnitum about this and if there is a problem it will be fixed.

controler
April 8th, 2003, 06:44 PM
Angelo

Could you try the same experiment using Hacker Eliminator 1.2 and post the results here?

Thank You

controler

SKA
April 9th, 2003, 11:26 PM
Angelo B

Please advise which in your opinion is the best firewall for Windows 98SE and XP Pro?

Thanks for your time !

SKA

angel
April 10th, 2003, 02:53 AM
For a normal home user? No firewall is recommended. I am strictly against the usage of firewalls on a workstation. I will tell you why ...

1. The more software you install, the higher the probability of bugs inside the code. An error on the application level is "quite harmless". But an error on kernel level/ring0 is very dangerous. So I think it is highly recommended to keep the "code" running at kernel level/ring0 (mostly drivers; firewalls mostly use drivers) as small as possible.

2. Firewalls have to trust their basis. The basis on workstations is mostly Windows. Windows is a quite insecure operating system. There are many ways to manipulate firewalls. You can easily manipulate the firewall rulesets or the firewall processes themselves. You can inject code of your choice into any process you wish, and so on.

It would be better if you said what you would like to do and what you would use a firewall for. That would make it much easier ;D.

solarpowered candle
April 10th, 2003, 04:34 AM
Far out. So you are saying what the wizard was saying the other day, that as long as one's ports are closed the average home user who may not be online 24/7 might as well not bother with a firewall. For instance I'm on dial-up and am not on 24 hrs of the day, so I really do not need a firewall? Interesting, as I noticed in the newsletter from Kaspersky today they vaguely echoed that comment too, but stressed the need for anti-virus etc.

meneer
April 10th, 2003, 04:41 AM
Quoting Angelo Bachmayr:
> For a normal home user? No firewall is recommended. I am strictly against the usage of firewalls on a workstation. I will tell you why ...

And I am against the use of Trojans and worms and ddos tools.

I agree that in normal dial-up cases the use of a firewall is hardly needed. But given the rise of always-on connections, other measures can be taken. Using a software firewall is not the best, but it's far easier and more affordable than using an extra box.

> 1. The more software you install, the higher the probability of bugs inside the code. An error on the application level is "quite harmless". But an error on kernel level/ring0 is very dangerous. So I think it is highly recommended to keep the "code" running at kernel level/ring0 (mostly drivers; firewalls mostly use drivers) as small as possible.

Not only firewall bugs exploit kernel mode holes. There are plenty of bugs in other kernel level software. The last one still isn't found. So adding a firewall hardly is a greater risk.

> 2. Firewalls have to trust their basis. The basis on workstations is mostly Windows. Windows is a quite insecure operating system. There are many ways to manipulate firewalls. You can easily manipulate the firewall rulesets or the firewall processes themselves. You can inject code of your choice into any process you wish, and so on.

Yes, Windows is not very secure, but to say that you can thus manipulate a firewall is not your best effort so far ;)
Besides, by testing firewalls (that's what this thread is about) you can see how realistic these threats are. I'd like to see more evidence on the Outpost issue.

> It would be better if you said what you would like to do and what you would use a firewall for. That would make it much easier ;D.

Couldn't agree more. But many users are so scared of the internet that helping them lessen the fear by installing a firewall and AV software is a nice point too.

angel
April 10th, 2003, 07:25 AM
Firewalls on a workstation are in fact placebos. There is no danger they can protect a home user from. They cannot block trojans/backdoors or spyware. It's just unneeded code and a waste of system resources in my opinion.

Douglas
April 10th, 2003, 08:40 AM
Quoting Angelo Bachmayr:
> It's just unneeded code and a waste of system resources in my opinion.

I confess I'm not understanding this emphasis on resources. I'm sitting here on a used computer, a lowly Pentium II, 350 MHz, 128 MB RAM.
In the background I'm running SpiderGuard, SpiderMail, LnS, TH Guard, SpeedFan, NotesArea, RegProtect, AutoSizer, plus the necessary tasks.
And yet CPU usage is hovering around 3-6%, and I have 44 MB of free RAM.

Douglas

EDIT: Re-reading this post, it sounds like an attack. It's not. I'm wondering if I'm not understanding something about resources.

anvil
April 11th, 2003, 05:58 PM
@Angelo
> They cannot block trojans/backdoors or spyware.

That's funny, because I have been "playing" with a lot of (backdoor-)trojans and, apart from the few "famous" firewall-bypass trojans, none could even pass the very basic firewall 'Kerio2' without my knowledge (note: Kerio2 has a feature which blocks all traffic, when the firewall process is shut down.)
More advanced firewalls (Sygate, ZA, Outpost 2,...) or additional security software will even be able to block the currently "available" FW-bypass trojans.

So, what "trojans/backdoors" are you actually talking about (examples, please... ;) )
Or are you only talking in theoretical terms and not about "real", current dangers? This way, you could "smash" every security software, especially AVs (packing/crypting, patching...) ::)

Anyway, your general statement made above is quite doubtful or needs detailed explanation (which I am sure you are aware of... ;) )

Then, I wonder why you are developing a "system firewall" like a², if you have this opinion about personal "network firewalls":
1. from what I understand, a² will probably be a perfect addition to simple firewalls (similar to SSM), because it can block many of the known bypass methods and process termination.
So most of your arguments _against_ firewalls will become obsolete by the use of your own product!? :o ::)
2. a² will suffer from the same weaknesses as firewalls:
it runs on the same system as the malware (a² can be terminated/modified, buttons can be clicked by malware,...); the inexperienced user won't always know what to block and what to allow; possibility of bypassing a²;...

Still, I think a² will be useful for many users - as well as desktop firewalls... ;)

angel
April 25th, 2003, 06:42 AM
>So, what "trojans/backdoors" are you actually talking about (examples, please...
>;) )

Optix Lite Firewall ByPass, MoSucker 3.0 with several firewall plugins, etc.

>Or are you only talking in theoretical terms and not about "real", current
>dangers? This way, you could "smash" every security software, especially AVs
>(packing/crypting, patching...) ::)

Well - there is a solution for nearly every "attack" against anti malware protection.

>Anyway, your general statement made above is quite doubtable or needs
>detailed explanation (which I am sure you are aware of... ;) )

Just say what you want to know.

>Then, I wonder why you are developing a "system firewall" like a², if you have
>this opinion about personal "network firewalls":

Well, I am not a developer of a². I will just do the "public" stuff. It's developed by Andreas Haak and Jens Hornung.

>1. from what I understand, aČ will probably be a perfect addition to simple
>firewalls (similar to SSM), because it can block many of the known bypass
>methods and process termination.

a² is much more powerful than SSM. It can block anything you want.

>So most of your arguments _against_ firewalls will become obsolete by the use
>of your own product!? :o ::)

Right - but we are talking about firewalls as stand-alone - especially Outpost 2.

>it runs on the same system as the malware (a² can be terminated/modified,
>buttons can be clicked by malware,...); the inexperienced user won't always
>know what to block and what to allow; possibility of bypassing a²;...

That's wrong. It's hard to manipulate a² and in my opinion nearly impossible. I will try to explain to you why. Windows has several layers. Application layer, where the applications are running; service layer, where system services are running; kernel mode, where drivers are running, and so on.

a² will add a completely new layer. a² adds a layer after the kernel, at the same layer where the APIs are exported to the rest of the system. All programs and services besides drivers use these functions - even if they run in a DOS box (the DOS interrupts are emulated by the API).

a² can prevent any attempt to manipulate its own configuration by simply denying access to its resources. It denies ANY process the ability to modify the layer a² has installed, and it simply denies any attempt to access the a² configuration. a² has a powerful tracing engine that can prevent any abuse of the a² internal routines being called from outside the a² routines, and so on.

Even if someone finds a way to circumvent the a² protection layer, a² can simply add the new circumvention method and won't be vulnerable any more.

>Still, I think a² will be useful for many users - as well as desktop firewalls... ;)

Well - you can not compare it.

JacK
April 25th, 2003, 07:29 AM
Quoting Angelo Bachmayr:
> Well - you can not compare it.

Of course: there is nothing to compare: nothing is done till now: just praising a product which doesn't exist till now.

Wait and see : remember Ants v3 ;)

angel
April 25th, 2003, 08:44 AM
>Of course : there is nothing to compare : nothing is done till now : just praising a
>product which don't exist till now.

It exists. But I think you don't know Andreas very well. I will ask him if I can send you the latest version I have, ok? And if not I will just post some screenshots.

Andreas is a little bit "own" concerning his software. Mostly he just does all these things to learn something, and he has many ideas (in my opinion too many ;D). Every time he solves one problem a better solution comes into his mind and he starts the whole thing from scratch. It's a little bit strange ... But I will make sure you see a little bit more as soon as possible.

JacK
April 25th, 2003, 09:33 AM
Quoting Angelo Bachmayr:
> >Of course : there is nothing to compare : nothing is done till now : just praising a
> >product which don't exist till now.
>
> It exists. But I think you don't know Andreas very well. I will ask him if I can send you the latest version I have, ok? And if not I will just post some screenshots.
>
> Andreas is a little bit "own" concerning his software. Mostly he just does all these things to learn something, and he has many ideas (in my opinion too many ;D). Every time he solves one problem a better solution comes into his mind and he starts the whole thing from scratch. It's a little bit strange ... But I will make sure you see a little bit more as soon as possible.

Hullo,

TIA : if it's not a pre-beta, I would be glad to install it on a test machine.

Best regards,

Paul Wilders
April 25th, 2003, 09:45 AM
Quoting Angelo Bachmayr:
> It exists. But I think you don't know Andreas very well. I will ask him if I can send you the latest version I have, ok? And if not I will just post some screenshots.

Angelo, feel free to distribute a2 copies to anyone asking for it. As for screen shots: please post them over on the a2 board, and post a link if you feel like it.

regards.

paul

angel
April 25th, 2003, 09:47 AM
Will do so ... ;D.

Paul Wilders
April 25th, 2003, 09:49 AM
Thanks.

regards.

paul

_anvil
April 25th, 2003, 04:06 PM
@Angelo

> Optix Lite Firewall ByPass, MoSucker 3.0 with several firewall plugins, etc.

Yes, and I could add _a few_ more (as stated above) - but do these few FWB trojans (which actually are blocked by 'modern' firewalls!) justify a statement like "they cannot block trojans/backdoors or spyware"?
No, and that's why I asked for (general) explanation... ::)

I would more agree to something like "they cannot block _all_ trojans/backdoors or spyware" or "there are still many ways to bypass firewalls."

Well, your 'a² advertising' ( ;D ) sounds impressive and I'd be happy to take a look at it - but, as JacK said, it still has to come...

controler
April 25th, 2003, 05:29 PM
Now guys!!!!!! You know I would love a chance to take a peek at
a2, and my e-mail address is even still up here. Can always send a message here too.

Thanks

con

Belden
April 26th, 2003, 12:08 AM
Edit: Let's try and keep things on topic and not personal. CrazyM

angel
April 26th, 2003, 05:34 AM
>Yes, and I could add _a few_ more (as stated above) - but do these few FWB trojans (which
>actually are blocked by 'modern' firewalls!) justify a statement like "they cannot block
>trojans/backdoors or spyware"?

Well ... of course they are able to block a NetBus backdoor. But most script kiddies are using "modern" backdoors such as MoSucker. And by the way: modern firewalls are not vulnerable to DLL injection any more. But code injection is still possible. For MoSucker 3.0 there is an unofficial plugin using direct code injection without using a DLL. But well ... Firewalls of the current generation are able to block malware from about one year ago. Would you recommend any virus scanner that now finally detects the malware that was up to date last year? Why would you recommend a "modern" firewall that is only able to block malware that uses very old techniques introduced by trojans a year or more ago?

You will agree that most script kiddies would use the latest malware version. And this malware is still "undetected" by any firewall without a sandbox component.

Spyware works most of the time as a part of the browser (plugin etc.) and communicates using the browser (WinInet or internal routines). If the browser is allowed, the spyware is too. So the firewall is in fact not able to block it. OK ... you can block your internet browser, but well ... it's not such a good idea *g*.

>Well, your 'a² advertising' ( ;D ) sounds impressive and I'd be happy to take a look at it - but,
>as JacK said, it still has to come...

I asked Andreas. He said he will post a link to a daily snapshot of a² on the a² board ;D.

JacK
April 26th, 2003, 07:00 AM
Quoting Angelo Bachmayr:
> Spyware works most of the time as a part of the browser (plugin etc.) and communicates using the browser (WinInet or internal routines). If the browser is allowed, the spyware is too. So the firewall is in fact not able to block it. OK ... you can block your internet browser, but well ... it's not such a good idea *g*.

There are multiple ways of blocking ad-/spyware, with or without a FW ...

> >Well, your 'a² advertising' ( ;D ) sounds impressive and I'd be happy to take a look at it - but,
> >as JacK said, it still has to come...
>
> I asked Andreas. He said he will post a link to a daily snapshot of a² on the a² board ;D.

I might post a bunch of snapshots of any program: it does not prove it works as advertised.... See KAH FW for instance ;)

When I run the program I will have an opinion: I am in the advertising biz and I know there is a big difference between ad and reality 8)
Till now these remain virtual possibilities, no effectiveness.

Best regards,

angel
April 26th, 2003, 01:58 PM
I didn't mean screenshots. I was talking about current developer versions (called snapshots). He will code a little script, and every evening the latest version of a² is uploaded so everyone can try it out ;D.

_anvil
April 29th, 2003, 07:50 AM
Hi Angelo,

I spent some time 'validating' some of your comments; that's why I'm replying late... ;)

> But most script kiddies are using "modern" backdoors such as MoSucker.

That's true, as well as OptixPro(1.3) and Assasin(2), according to DCS (http://tds.diamondcs.com.au/index.php?page=mainthreats) - but all three are blocked by 'modern' firewalls, and only one of them has FWB capabilities to bypass 'old' FWs... 8)

> Modern firewalls are not vulnerable to DLL injection any more. But code injection is still possible.

The firewall Look'n'Stop (as well as SSM) can obviously even block code injection - at least some (new) leaktests show this.
I suppose, other firewall vendors will follow, if there are more nasties using this technique. :)

> For MoSucker 3.0 there is an unofficial plugin using direct code injection without using a DLL.

I wasn't able to find this plugin on several MoSucker websites; so I assume it isn't widely distributed!? ::)
Can you give me a hint where I can find it? Just want to see if it can bypass Look'n'Stop and SSM.

> Firewalls of the current generation are able to block malware from about one year ago.

As already said above, this is not really true.
Although I have no numbers, everything indicates that most new backdoors are still 'conventional' and can be easily blocked even by old, simple firewalls.
FWB trojans are rare, and the few ones are normally blocked by 'modern' firewalls. :)

> You will agree that most script kiddies would use the latest malware version.

Agreed, but note that FWB trojans aren't that easy to use for simple-minded script kiddies, so many of them will stick to 'simple' port-listening backdoors.

> And this malware is still "undetected" by any firewall without a sandbox component.

Yes, but 'modern' firewalls have sandbox components, with steadily growing functionality (see Look'n'Stop.)
An alternative would of course be a simple firewall + a² or SSM. ;)

> Spyware works most of the time as a part of the browser (plugin etc.) and communicates using the browser (WinInet or internal routines).

I am no expert in browser plugins, so: is it really so easy to 'plug' a software unnoticed in _any_ browser? Doesn't this normally need some kind of 'confirmation'?

> I asked Andreas. He said he will post a link to a daily snapshot of a² on the a² board.

I'm looking forward to it. :)

Pieter_Arntz
April 29th, 2003, 08:01 AM
Quoting _anvil:
> I am no expert in browser plugins, so: is it really so easy to 'plug' a software unnoticed in _any_ browser? Doesn't this normally need some kind of 'confirmation'?

Hi _anvil,

In IE it is easy. Especially when using BHOs.
Here is a list of known legit and spyware BHOs: http://www.spywareinfoforum.com/bhos/
If you want to check whether you have any that you are not aware of, you can use BHODemon (http://www.definitivesolutions.com/bhodemon.htm)

Regards,

Pieter
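
An added example of the check Pieter describes, not code from the post, from BHODemon or from the spywareinfo list: it enumerates the Browser Helper Objects registered for Internet Explorer, resolves each CLSID to the DLL that implements it and reports that DLL's Authenticode status, so an unfamiliar or unsigned entry stands out. A BHO runs inside the browser process and therefore inherits whatever a firewall allows the browser to do, which is the point made earlier in the thread. The registry paths are the standard BHO and CLSID keys, with the Wow6432Node variants included for 64-bit Windows.

```powershell
# Added example (not from the thread): list registered IE Browser Helper Objects
# with the DLL each one loads into the browser and its code-signing status.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-Clsid {
    # Map a CLSID to its friendly name and its in-process server DLL. The DLL
    # path is the default value of ...\CLSID\{guid}\InProcServer32.
    param([string]$Clsid, [switch]$Wow64)
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
            else        { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $key  = Join-Path $base $Clsid
    $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path (Join-Path $key 'InProcServer32') -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
    [pscustomobject]@{ Name = $name; Dll = $dll }
}

function Get-RegisteredBho {
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        $isWow64 = $bhoKey -like '*Wow6432Node*'
        foreach ($entry in Get-ChildItem -Path $bhoKey) {
            $clsid  = $entry.PSChildName
            $info   = Resolve-Clsid -Clsid $clsid -Wow64:$isWow64
            $status = 'DLL not found'     # a dangling registration is itself suspicious
            $signer = ''
            if ($info.Dll -and (Test-Path -LiteralPath $info.Dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $info.Dll
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $info.Name
                Dll       = $info.Dll
                Signature = $status
                Signer    = $signer
            }
        }
    }
}

# Unsigned or unresolved entries are the ones to compare against a known-good list.
Get-RegisteredBho | Sort-Object Signature | Format-Table -AutoSize
```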