
View Full Version : Outpost vs. Leak Tests


Patrice
May 16th, 2003, 04:04 AM
Hello people,

o.k., we continue with this thread over here. This is the right forum for it. For those who are interested in the topic, see how everything started:

http://www.wilderssecurity.com/showthread.php?t=8585;start=30

The question is whether the firewall Outpost passes the Leak Tests (inside-outside protection) now, which it didn't pass some months before (March 27, 2002):

http://www.pcflank.com/art21.htm

QSection will be the one who will test this on his machine, others are welcome as well. Here are the Leak Tests which the firewall has to pass:

http://grc.com/lt/leaktest.htm (LeakTest)

http://www.soft4ever.com/security_test/En/index.htm (Yalta)

http://tooleaky.zensoft.com/ (TooLeaky)

http://keir.net/firehole.html (FireHole)

http://www.hackbusters.net/ob.html (Outbound)

http://www3.sympatico.ca/oliver.lavery/za-hole.zip (Thermite)

So, then let's wait for the results. Now it's up to you QSection, may you prove me wrong. ;)

Best regards,

Patrice

P.S. Let us also know the version of your firewall installed.

Ph33r_
May 16th, 2003, 05:30 AM
I can’t really speak a lot about Outpost but Look ‘n’ Stop Personal Firewall passes all “9” Leaktests no sweat. And only by hearing others over these forums can I say that these other Software Firewalls got a reputation of failing these Leaktests. ;)

meneer
May 16th, 2003, 05:34 AM
Lots of links to try :)

A few weeks ago I tested v2beta on most well known leak tests (grc, firehole, tooleaky) with good results. So, I'm optimistic ;D

solarpowered candle
May 16th, 2003, 06:30 AM
Yep you can't really say much bad about Look n Stop. It's a really cool firewall :)

Ph33r_
May 16th, 2003, 09:28 AM
WOW, now that’s pathetic!
I’ve had this idea possibly that pcFlank's “Firewalls VS Leak tests” chart was irrelevant now, but when I downloaded/installed and tested Agnitum Outpost Firewall Pro ver. 1.0.1817.1645… *NEWS FLASH* I personally found it pathetically lame how even such OLD Leaktests were capable of bypassing the most recent officially released PRO version's Application Filtering Layer, and the lack of necessary Features, not to mention even the Windows “?” help file was not found ("Cannot find the C:\Program Files\Agnitum\Outpost Firewall 1.0\opst_ui.HLP Help file. Check to see that file exists on your disk. If it doesn't, you need to reinstall it."). And I had no other 3rd party files running up Installation procedure…

I sure hope Agnitum Outpost Firewall up-coming version 2.0 Official release finally resolves these outdated issues for its Customers sake!

Btw: I’m more than happy to have had uninstalled that * off my HDD after thorough testing, man what *!

root
May 16th, 2003, 09:42 AM
Outpost version 2 addresses the leak tests.
You also will not find any other firewall that has the ability to make rules as easy and comprehensive as Outpost.
Nothing is ever accomplished by getting into the my blah blah blah is better than yours arguments. People should try the different security programs before making judgements, and choose the one that suits them best.
Outpost version 2 has been rebuilt from the bottom up. When it is released, I will do a write up on it to try to give the people an idea of what has been changed and what it can do.
As for leak tests. There are several ways to produce "leaks" that have not even been explored yet. It would be an endless battle for firewall makers to keep coming up with fixes for leak after leak. That is why a sandbox approach is the best way to go in my opinion. For the time being, SSM is an excellent addition to one's security arsenal to deal with such exploits. It's free. ;D
I think in the future, all firewalls will want to use a sandbox approach to deal with new exploits being developed.
The bad news is, that by the time firewall makers get a handle on all possible exploits, Longhorn will be released and we'll have to throw away all our Windows programs. >:(

jmschwartz
May 16th, 2003, 10:01 AM
FWIW . . .

Ph33r_ comments at 5:30 a.m. that "I can't really speak a lot about Outpost . . . ."

However, only a few hours later, Ph33r_ declares:

"Btw: I?m more then [sic] happy to have had Uninstalled that [Outpost] * off my HDD after thorough testing, man what *!"

"Thorough testing," eh?

Oh well, we must treat all guests with courtesy.

Regards,
Jim
;D

Patrice
May 16th, 2003, 11:01 AM
Hi jmschwartz,

If you knew Ph33r_ then you would believe what he said. Yes, indeed it was thorough testing. Let's say he has knowledge about firewalls which is far over the average level... ;)

Best regards,

Patrice

P.S. Has anyone done these Leak Tests with Version 2 of Outpost (Beta)?

Patrice
May 16th, 2003, 11:36 AM
Hi root,
-{ Quote: " quoting: root
Outpost version 2 addresses the leak tests.
You also will not find any other firewall that has the ability to make rules as easy and comprehensive as Outpost.
Nothing is ever accomplished by getting into the my blah blah blah is better than yours arguments. People should try the different security programs before making judgements, and choose the one that suits them best.
Outpost version 2 has been rebuilt from the bottom up. When it is released, I will do a write up on it to try to give the people an idea of what has been changed and what it can do.
As for leak tests. There are several ways to produce "leaks" that have not even been explored yet. It would be an endless battle for firewall makers to keep coming up with fixes for leak after leak. That is why a sandbox approach is the best way to go in my opinion. For the time being, SSM is an excellent addition to one's security arsenal to deal with such exploits. It's free. ;D
I think in the future, all firewalls will want to use a sandbox approach to deal with new exploits being developed.
" }-

Thanks for your opinion, your view is always appreciated! Yes indeed, you're right in what you're saying in your post. But we want to know if Outpost fails in these special tests, which should be quite well known among the developers of firewalls. We don't wanna talk about the rules-making ability nor the outside-inside protection of this firewall. They are surely good or even better than other firewalls! I also agree with your statement about SSM, the future will show where we are heading. The main goal of this thread is to find out if Agnitum did their homework or not. ;)

Best regards,

Patrice

meneer
May 16th, 2003, 11:42 AM
-{ Quote: " quoting: Patrice
P.S. Has anyone done these Leak Tests with Version 2 of Outpost (Beta)?
" }-

psssst, Patrice.... read what I wrote earlier in this thread...


And this is what I wrote in the Outpost betatesters forum:

-{ Quote: "
04-03-2003 08:11 PM
This is fun, seeing this activity blocked. As you may have guessed, OP passed the tests.
And as I mentioned before: I love it
" }-

Ph33r_
May 16th, 2003, 12:03 PM
Jmschwartz

I’ve downloaded and installed Agnitum Outpost Firewall v1.0.1817.1645 and tested it thoroughly before commenting; unlike most I don’t need to have a Software Firewall installed for more than a few seconds to comprehend it and its Features. I’ve been testing Software Firewalls since day #1, but for a year or two now I’ve been too busy elsewhere to be testing out a lot of today’s popular Software Firewalls, though I do keep a watchful eye on what the majority of the folks say, not to mention thoroughly reading through Firewalls' official product websites. And I had kept Outpost installed on my HDD for hours to run thorough tests on it.

I’m not offended by your post because I do know where you're coming from; many people who have made up their mind about something, who gives something other than that a try?!?!?!? You know right there and then people are going to install and quickly uninstall before giving a thing a chance; my motto is keep something installed for at least a week to allow yourself to adapt to it and its Features before basing a Judgement on that.

Though would you debate that what I said was not accurate? That Agnitum Outpost Firewall v1.0.1817.1645 or lower or its Free Versions (HAH) do in fact contain no Leaktest issues?


Hey root

-{ Quote: " Outpost version 2 addresses the leak tests. " }-
Yea I’ve heard that Agnitum Outpost Firewall v2 addresses the Leaktests issues. I’ve not yet tested their beta version, but if one could be so kind to send me the Installation file through E-mail or give me the direct download URL for it I would be more than happy to test it out and give my opinions to whomever is interested…

-{ Quote: " You also will not find any other firewall that has the ability to make rules as easy and comprehensive as Outpost. " }-
Though this is true for you, it may not be true from another’s view; take Look ‘n’ Stop for an example: I find it extremely easy and comprehensive, in fact a little too easy and comprehensive. However, would you agree with me? Just like user _Tat_ finds Sygate Personal Firewall incredibly easy and comprehensive compared to something else, mainly because you focus on a thing and you are determined to comprehend the basics, or for the most part depending who you are. But when it comes to something else in its field you aren’t so determined because you already have something you found easy and comprehensive that appears to be an effective solution.

-{ Quote: " Nothing is ever accomplished by getting into the my blah blah blah is better than yours arguements. People should try the different security programs before making judgements, and choose the one that suits them best. " }-
You are absolutely right, but come on, you know it wasn’t quite so under these circumstances? I didn’t give a comparison, did I? Please tell me if I’m mistaken so I can learn from it…

-{ Quote: " Outpost version 2 has been rebuilt from the bottom up. When it is released, I will do a write up on it to try to give the people an idea of what has been changed and what it can do." }-
You're quite fond of Outpost, I can see; I apologize if I trampled on some toes.

-{ Quote: " As for leak tests. There are several ways to produce "leaks" that have not even been explored yet. It would be an endless battle for firewall makers to keep coming up with fixes for leak after leak." }-
This is debatable; if such several ways were known to you, don’t you think they would be known to others? And don’t you think there would have been some effort into producing such Leak-tests?

Currently my Firewall passes all 9 Leak-tests I know of; are there other Leak-tests out there I don’t know of? If so, have you got the URLs?

Remember everything has limitations: how much water can you drink, how much food can you eat, how far can you run, how fast can you go, how many push-ups can you do, how fast the Wind is blowing, how hard the Wind is blowing…

-{ Quote: " It would be an endless battle for firewall makers to keep coming up with fixes for leak after leak. That is why a sandbox approach is the best way to go in my opinion. For the time being, SSM is an excellent addition to one's security arsenal to deal with such exploits. It's free.
I think in the future, all firewalls will want to use a sandbox approach to deal with new exploits being developed.
The bad news is, that by the time firewall makers get a handle on all possible exploits, Longhorn will be released and we'll have to throw away all our Windows programs. " }-
I’m not looking for Software Firewalls with Sandbox-like Features, and I doubt many would enjoy Software Firewalls containing Sandbox-like Features once they see how many resources will be needed to feed those types of Software Firewalls…

As for Longhorn, well let's just say people are going to have to do a lot of Computer upgrading. And I don’t think they're going to like the idea of ditching all their current Windows Software any time soon…

Regards,

root
May 16th, 2003, 03:30 PM
A lot of people have been waiting a long time for Outpost 2 so I don't think I'll be giving out copies. ;D
I was using Look N Stop before I used Outpost, and found I did not like the way rules are made and that's why I switched. LNS is a good firewall and I never speak badly of it. I just prefer Outpost and what I do is help people that may need help with Outpost and other security issues when I can.
To date, I have not had one person come to the support board and say they had been compromised by a leak test type exploit.
When version 2 is released, it will solve a lot of problems that were issues with the users, such as ICS support and Fast User switching.
I am not touchy or sensitive about Outpost or any other program, but I have invested a lot of time and effort in helping people that do choose to use Outpost.
What I like, what I find easy and convenient may not be the same as the next guy's, but that's why there's choices.
Outpost version 1 was released with some bugs. Most version 1's do get released with bugs. Version 2 is a vast improvement, but will not be perfect. Outpost is going to be a work in progress for some time as new features are added. Meanwhile, users can rest assured the firewall is doing the job it is supposed to.
As for sandboxing, SSM works well for me. I personally think that is the safest approach. If others here don't think so - Ok.
I am long past trying to convince others that any one program is the best for them. I have my preference, and I will recommend from time to time.
I like Outpost, and I support it. I work with the Agnitum team to make it better and to find what's broke so it can be fixed.
Sorry if I did not respond tit for tat, but I am pressed for time and not inclined to be argumentative.
Have a nice day and enjoy your chosen products. I like to have a little fun on the net and I hope everyone else does too.

Ph33r_
May 16th, 2003, 04:17 PM
Hey root

That was beautiful; if you don’t mind me saying though, unlike many, Look ‘n’ Stop’s Rule Editing Feature uses proper Source/Destination notions for information accuracy. I agree it’s a bit confusing for even the average skilled fella, but if you understand the proper Source/Destination notions then you should not have any problems.

I made my first Look ‘n’ Stop Help guide called “What? Where? v1.1”, goal is to help needy folks in these areas.

-{ Quote: " Look ‘n’ Stop – What? Where? v1.1 (NEW)

Look ‘n’ Stop Personal Firewall is a terrific Rule-based Software Firewall.
It offers many new and exciting Features, some Features built up with different designs than that of some Software Firewalls for Informational accuracy. Look ‘n’ Stop’s “Rule Editing” Dialog for Rule Creating/Modifying needs a basic usage introduction for the newcomers.

Guide Title: Look 'n' Stop - What? Where?
Guide Version: 1.1
File-name: Look_'n'_Stop.chm
File-size: 117KB (120,089 bytes)

Type of File: Compiled HTML Help file (Look ‘n’ Stop’s own Help File is in this particular Windows Help format)
Download: http://looknstop.soft4ever.com/Tools/External%20Resources/Look_'n'_Stop.chm

Any Feedback is more than Welcome. " }-

And like you I love to assist Look ‘n’ Stop Customers with bugs/issues and so on, and I love assisting Frederic the Author with bugs/issues & Suggestions and so on… I even own an Un-Official Look ‘n’ Stop Personal Firewall Forum. And soon I’ll have an Alternative Look ‘n’ Stop website up for the public to view and hopefully seek the answers they're looking for.

I admire people like you who have dedication to particular products, and provide their assistance any way possible.

Best Regards,
Phant0m``

root
May 16th, 2003, 05:41 PM
Seems like an uphill battle sometimes, trying to get users interested in security, but all we can do is keep trying. It's not so hard helping people that want to learn. That's fun.
If I can get just one more person to start using an AV, an AT or firewall, then that's one less person spreading bugs around the internet.
Since I got involved with Outpost, I have learned a lot and am still learning. You have to learn when you're trying to help someone else understand how something works.
It's been a long day and I need some food.
;)

Ph33r_
May 16th, 2003, 05:44 PM
Like I said, it doesn’t take me more than a few seconds to comprehend products, especially Software Firewall products and their Features. ;)

Smokey
May 16th, 2003, 06:46 PM
-{ Quote: " quoting: Ph33r_
I can’t really speak a lot about Outpost but Look ‘n’ Stop Personal Firewall passes all “9” Leaktests no sweat. And only by hearing others over these forums can I say that these other Software Firewalls got a reputation of failing these Leaktests. ;)
" }-

"Hearing others" is no well argument to compare firewalls or other security product in one word and to claim and say in another word that product "x" would do the job better then all others, only the own real experiences counts.

Ph33r_
May 16th, 2003, 06:51 PM
Huh?

chrisclu
May 17th, 2003, 02:17 AM
Hi Patrice,
I can't speak for Qsection but Outpost passed all of them. As I said in a previous post, I am beta testing version 2. Thanks, BTW for the list of leaktests. There were a couple I didn't know about. I know version 1 doesn't pass the tests but V2 will be out very soon. I can't tell you the date. :) ( I promised)
Chris

Patrice
May 17th, 2003, 04:52 AM
Hi chrisclu,

It would be nice if you could do these tests with Outpost version 2 (beta). I would like to know the results of these tests. Ph33r_ can give you even more links about Leak Tests. He was talking about 9 known Leak Tests. Ph33r_, can you add the links to those Leak Tests as well?

Regards,

Patrice

Ph33r_
May 17th, 2003, 06:55 AM
Yalta (Yet another LeakTest Application) by Soft4ever
LeakTest v1.2 by GRC
TooLeaky by Bob Sundling
FireHole v1.01 by Robin Keir
Outbound by HackBusters
AWFT (Atelier Web Firewall Tester) v3.0 by Atelier
Thermite by Oliver Lavery
Oops v2 by Tom Liston
pcAudit v3.0.0.9 by _

Patrice
May 17th, 2003, 08:11 AM
Thanks Phant0m! Now the Leak Test list is more complete! :D

Ph33r_
May 17th, 2003, 08:32 AM
;)

_anvil
May 17th, 2003, 01:59 PM
Hmm, when I just tested Look'n'Stop against PCAudit, it failed. Am I doing something wrong? ;)
(BTW: SSM fails, too, but not as "complete" as L'n'S...)

JacK
May 17th, 2003, 02:03 PM
-{ Quote: " quoting: _anvil
Hmm, when I just tested Look'n'Stop against PCAudit, it failed. Am I doing something wrong? ;)
(BTW: SSM fails, too, but not as "complete" as L'n'S...)
" }-

Hello,

Don't know for L n S, but no problem at all with SSM?

_anvil
May 17th, 2003, 02:15 PM
@Jack

Doesn't pcAudit at least make your shell (explorer.exe) connect to their website? :o
Or do you block pcAudit "so hard" that it isn't even able to start? (I noticed that this is possible, but it is probably not the way the leaktest should be performed... ;) )

JacK
May 17th, 2003, 03:09 PM
-{ Quote: " quoting: _anvil
@Jack

Doesn't pcAudit at least make your shell (explorer.exe) connect to their website? :o
Or do you block pcAudit "so hard" that it isn't even able to start? (I noticed that this is possible, but it is probably not the way the leaktest should be performed... ;) )
" }-
Hello,

I don't need SSM to block explorer.exe: it has no access to the W3 with a rule in my FW. Why should I give it access to the W3, anyway? It's no browser of mine.

When I try to run PC Audit, I have a warning from SSM, I just say NO 8)

Anyway, if I allow it and let it run, I get the message your PC is well protected :) (running OPv2b)

Regards,

Tinribs
May 17th, 2003, 04:14 PM
These exploits that such 'leaktests' take advantage of: does LnS actually block the general exploit or just the 'leaktest' itself?
(I'm aware my question is a bit vague but it's tricky to word)

_anvil
May 17th, 2003, 06:07 PM
@Jack

I tested a little bit more, and now I also think that SSM blocks pcAudit completely. :)
It was just a bit confusing...

But what about Look'n'Stop? Can someone confirm that it does _not_ block pcAudit?


@Tinribs

Well, it would be really a shame if L'n'S _only_ stops the leaktests and not the 'methods' in general... so, I don't think so. 8)

Tinribs
May 17th, 2003, 06:21 PM
That's what I hoped, Anvil, but I was wondering if maybe the same situation as when Steve Gibson reported how BlackICE had started detecting his 'Leaktest' had reared its ugly head again (no offence Look N Stop programmers) :)

root
May 17th, 2003, 06:33 PM
-{ Quote: "Well, it would be really a shame, if L'n'S _only_ stops the leaktests and not the 'methods' in general... so, I don't think so" }-
This has been a question in my own mind and I suppose it differs from firewall to firewall. That's why I said before, I think you need to use a sandbox approach to deal with the method and not the leaktest itself.
Now, before someone jumps in here to argue the point, let me say, I only have a very vague idea of what sandboxing is and does. I have had some pretty sharp guys tell me this is the best way to go, so I am not speaking from my personal knowledge.
I understand part of the approach to blocking some leak tests has to do with DLL injection. I don't think that is the only thing that is involved though.

Just to give you an idea of my approach to the whole thing, I was able to pass most leak tests with Outpost 1. First I do not allow IE, OE, explorer.exe access to the net. Second, I do not download test programs and execute them any more than I do trojans or worms. One test won't work because I don't have the needed files on my computer.
So, right or wrong, it is just my opinion that when I see an exploit announced and it says if your hair is green, and the moon is full and there are no kids playing in your back yard, and on and on, then you have a problem. Leak tests are no more dangerous than any other exploit that requires user action.
My biggest concern has always been with two things. First is the bad guys that can fry your CMOS. Second is any exploit that does not require me to do something stupid. An example is the js.xxx exploits that you can get from just surfing to a website. I keep js disabled for that.
Just my opinion and not meant to be put in anyone's bible. ;D

Ph33r_
May 17th, 2003, 06:40 PM
pcAudit is a unique Leak-test, far superior to AWFT when it comes right to the point of “Bypassing Application Filtering Layers”. And it sort of gives meaning to the usage of SSM, for insurance purposes… Look ‘n’ Stop doesn’t exclude Leaktests themselves, unlike some other Software Firewalls I’ve seen do or did; it fixes the issue at global scale for all which use the same particular method(s) of attempting to bypass the Application Filtering Layer.

Doesn’t quite answer your questions though does it?
Perhaps I already had previously though :P

Riddle me what, Riddle me that...

Ph33r_
May 17th, 2003, 06:56 PM
In simple terms Sandbox Feature covers all aspects (normally) of Microsoft Windows and gives you full control to ensure your safety on the Computer & the Internet. And I don’t debate one bit that people shouldn’t use Sandbox Featured Applications, and I would definitely recommend it until we are sure that ALL Leak possibilities are covered by a Software Firewall.

However, Sandbox Featured Applications take quite a bit of Resources, and on different machines and with different Operating Systems the amount could be quite a bit worse than another’s readings. And people like me who are poor right down to the bone aren’t capable of affording to spend money upgrading the Computers 24/7, a never ending battle…

And my opinion is I don’t see any more Leak-tests for Windows 9x & WinNT/2K/XP capable of accessing any more Client Environments to access Internet Resources without being malicious.

But hey i'm open minded :)

root
May 17th, 2003, 07:35 PM
Hi Phant0m. I like SSM and it does not seem to use many resources on my Win2kSP3 machine. At least its free and I understand everyone can't keep spending more and more on security software. I am on disability with a not so large income and I have to watch where I spend my money.
I don't remember if you said you have tried it before or not.

One nice thing about SSM is that Max, the developer, is always anxious to help people that have problems with his product. I understand that some do have serious problems with it though and I know how difficult it is to get a program like that to work with everything from 95 to XP.

I don't know if any more leaks are going to show up, but Mikhail did tell me one time that there were similar exploits possible that have not been published yet. He did not explain further. I suppose we will see soon enough what the next round of exploits will bring.

When I was in the Navy, I was an Electronic Counter Measures technician, and we were constantly getting new equipment to counter the new equipment the other side had, and then they would get new equipment to counter our new equipment and it still just goes on and on. The same thing is happening on the net with the bad guys coming up with new exploits and the good guys coming up with new protection and it keeps repeating,, over and over. It is interesting, but as you said, it also can get very costly.

Fortunately we can still use our brains for the first line of defense and there are some good security programs available today. All is not lost. ;D

An open mind is a tremendous asset. I hope mine never locks up. ;)

Ph33r_
May 17th, 2003, 07:53 PM
LOL

_anvil
May 18th, 2003, 09:44 AM
We shouldn't be focused too much on leaktests. There are surely several (many?) more ways to bypass firewalls, which haven't been 'introduced' by leaktests, yet. :P

There is already _at least_ one keylogging trojan, which can bypass both Look'n'Stop and SSM (not to mention any other firewall...)

So we should always have in mind that firewalls (even sandboxes) can hardly be absolutely secure. You should definitely not _rely_ on tools like this! ::)

Ph33r_
May 18th, 2003, 10:42 AM
I’m sure if you In Reference to it being malicious like Terminating Firewall processes and deleting its Application files… If not then give me the Keylogging Trojan name which you claim can bypass Application Filtering Layers without being malicious.

Ph33r_
May 18th, 2003, 10:54 AM
As for you claiming there’s definitely several, many more ways to bypass Application Filtering Layers, how come you aren’t coding them up since only you are aware of these?

And if there were any known possibilities, don’t you think there would be more Leaktests released? Surely anyone with such kn0wledge would like credit for such difficult achievements.

Many of you guys can’t seem to grasp there’s Limitations to how many ways to exploit Client Environments to gain Internet Access…

Anyways that’s you guys' problem; I’m not looking for excuses to be paranoid. I have more intelligence than that, to know all has limitations, and I comprehend just how many more possibilities there are to exploit Client Environments to bypass Application Filtering Layers in Software Firewalls without becoming malicious to access Internet Resources…

JacK
May 18th, 2003, 11:13 AM
-{ Quote: " quoting: _anvil

There is already _at least_ one keylogging trojan, which can bypass both Look'n'Stop and SSM (not to mention any other firewall...)

" }-

Hello,

Would you be kind enough to give the name and/or the link to d/l it please ?
If a trojan : don't post the link on the forum but PM please.

Rgds,

I am not aware on any concerning SSM

Ph33r_
May 18th, 2003, 11:24 AM
SSM detects the Executions unlike Application Filtering Layer in Software Firewalls which detects not the Applications Executions but the calls to Client Environments. And I personally don’t think it could bypass SSM at least without being malicious. ;)

JacK
May 18th, 2003, 11:34 AM
-{ Quote: " quoting: Ph33r_
SSM detects the Executions unlike Application Filtering Layer in Software Firewalls which detects not the Applications Executions but the calls to Client Environments. And I personally don’t think it could bypass SSM at least without being malicious. ;)
" }-
Hello ph33r ;)

Agreed, that's why I would like to verify by myself and not taking any assertion for granted 8)

Rgds,

_anvil
May 18th, 2003, 11:35 AM
-{ Quote: "I’m sure if you In Reference to it being malicious like Terminating Firewall processes and deleting its Application files… If not then give me the Keylogging Trojan name which you claim can bypass Application Filtering Layers without being malicious." }-

Believe me, if I was talking about terminating processes, I would have said so. ;)
(BTW: is L'n'S protected against this?)

The trojan I am referring to is called "GOD 2." Hope you can find it...

-{ Quote: "As for you claiming there’s definite several many more ways to bypass Application Filtering Layers, why comes you aren’t coding them up since only you are aware of these?" }-

Have I ever said that I'd be able to do so...? ::)

-{ Quote: "And if there were any known possibilities don’t you think they would be more Leaktests released?" }-

Look at the last few months: AWFT, Thermite, Oops,... and there is no need to publish new leaktests, as long as the old ones aren't passed by most FWs, yet... 8)

Ph33r_
May 18th, 2003, 11:46 AM
Found it :)

_anvil
May 18th, 2003, 12:49 PM
I have to add something: SSM will 'alert' you a few times during and after the trojan's 'installation' (as it does with _every_ application... ;) ) - but the important parts of the firewall bypass (injection into explorer.exe and the browser) remain unnoticed...

That's why I doubt that anyone will suspect a trojan when installing GOD 2. ::)

Ph33r_
May 18th, 2003, 01:01 PM
Heh, you're describing the same encounters I had with pcAudit v3.0.0.3 & SSM v? a while back….

JacK
May 18th, 2003, 01:06 PM
-{ Quote: " quoting: Ph33r_
Heh, you're describing the same encounters I had with pcAudit v3.0.0.3 & SSM v? a while back….
" }-

Hello,

Problem solved for quite a while with SSM.

As you grabbed it, you can test it.

If you deny at first alert, nothing is installed and no leak, I presume.

Why should I allow the install of something if I get a warning and I don't trust the proggy?

Ph33r_
May 18th, 2003, 01:33 PM
Heh, I know I had remembered testing again afterwards with a newer version of SSM…
I don’t use SSM, I don’t really have a need for it… But it is a small impressive somewhat Sandbox like Utility...

Patrice
May 18th, 2003, 01:49 PM
Hi _anvil,
-{ Quote: " quoting: _anvil
I have to add something: SSM will 'alert' you a few times during and after the trojan's 'installation' (as it does with _every_ application... ;) ) - but the important parts of the firewall bypass (injection into explorer.exe and the browser) remain unnoticed...

That's why I doubt, that anyone will suspect a trojan when installing GOD 2. ::)
" }-

That's why you need TDS-3 and its new Advanced Process Manipulation tool. Did you already check that out? ;)

Regards,

Patrice

SmackDown
May 18th, 2003, 02:47 PM
OK, I got GOD2. It's a generator: I generated one keylogger, added my e-mail address, then went to its log file, which is located in Windows, and filled it up so it would launch and try to send me the log file. McAfee caught it and killed it dead.

Just an IE injection nothing more, if McAfee can stop it surely LNS can?

Packet Sniffer verified, nothing got out, I also received no e-mail with the log file, had it got out, GOD2 would have sent me the log.

So GOD 2 is smoke, I guess if you give IE full permission, to access the Internet anyway it wants, then this keylogger could get out.

SmackDown
May 18th, 2003, 02:54 PM
Here is a pic of GOD 2.

Patrice
May 18th, 2003, 03:00 PM
Hi SmackDown,
-{ Quote: " quoting: SmackDown: Just an IE injection nothing more, if McAfee can stop it surely LNS can?" }-

It detects it as well. I still think that the inside-outside security of Look'n'Stop is the best so far.

Regards,

Patrice

Ph33r_
May 18th, 2003, 03:05 PM
Patrice has the same results as i had :P

Ph33r_
May 18th, 2003, 03:13 PM
Hey _anvil

I don’t debate that this possibly had been a problem for Look ‘n’ Stop previous Drivers and/or Versions back but surely hasn’t been for a long while now…

All goes to show you should quickly verify something before posting assumptions about something; we all made that mistake time to time. One can only learn from his/her mistakes... Like i'm doing everyday, shhhhhh don't tell no-one though :-X

_anvil
May 18th, 2003, 03:46 PM
Not so quick. ;)

@SmackDown
-{ Quote: "So GOD 2 is smoke, I guess if you give IE full permission, to access the Internet anyway it wants, then this keylogger could get out." }-

Yes, that's the point! Your picture shows, that McAfee could block it _only_ because the browser isn't allowed to communicate via port 110/25. There is no alert like "GOD2 tries to communicate via Internet Explorer" or something like that. What if the trojan would go over port 80 or use your mail client instead? ::)
(sorry, I thought this would be obvious...)


@Patrice and Ph33r_

What did L'n'S say _exactly_ as alert?
I tested it just today with the newest version I could download (ver. 2.04).

Ph33r_
May 18th, 2003, 03:59 PM
I do have Internet Explorer Authorized to my Application Filtering, of course that parts obvious…. ;)

“* This software has started the following application which connects to internet. Do you authorize it to do that ? *"

_anvil
May 18th, 2003, 04:08 PM
@Ph33r_

As I wrote before, I didn't get this message... :o

Which "software" (name of file) did start your browser?

Is the version (2.04) I used for testing the most recent one?

Ph33r_
May 18th, 2003, 04:10 PM
Look 'n' Stop v2.04p2 with most recent Application Filtering driver...


Regards,

SmackDown
May 18th, 2003, 04:18 PM
-{ Quote: " quoting: _anvil
Not so quick. ;)

@SmackDown
-{ Quote: "So GOD 2 is smoke, I guess if you give IE full permission, to access the Internet anyway it wants, then this keylogger could get out." }-

Yes, that's the point! Your picture shows, that McAfee could block it _only_ because the browser isn't allowed to communicate via port 110/25. There is no alert like "GOD2 tries to communicate via Internet Explorer" or something like that. What if the trojan would go over port 80 or use your mail client instead? ::)
(sorry, I thought this would be obvious...)


@Patrice and Ph33r_

What did L'n'S say _exactly_ as alert?
I tested it just today with the newest version I could download (ver. 2.04).
" }-


Hi, it would make no difference, SSM would catch it, but that's neither here nor there: IE has no need to connect to any port unless I authorize it.

If one just lets their applications connect to every port, why have a firewall at all? One's security is only as good as the weakest link, which is the operator; see how easy it was for me to catch it?

The operator here is just a little bit smarter than the average Joe, these kinds of programs, only get by people who don't take the time to secure their PC.

Patrice
May 18th, 2003, 04:34 PM
Hi _anvil,
-{ Quote: " quoting: _anvil: There is no alert like "GOD2 tries to communicate via Internet Explorer" or something like that. What if the trojan would go over port 80 or use your mail client instead? ::) (sorry, I thought this would be obvious...)" }-

No problem, because the firewall would warn me again. Every change of a program which has the rights to access the internet is registered (even if you just add some letters in the exe file). So, no problem even if the trojan is hidden. ;)

Regards,

Patrice

_anvil
May 18th, 2003, 05:25 PM
-{ Quote: "Look 'n' Stop v2.04p2 with most recent Application Filtering driver..." }-

I redid the test with the version you mentioned, and installed the driver, you can find here: http://looknstop.soft4ever.com/Beta/OopsThermite/LNSFW1.SYS

I have WinXP and Opera7 as default browser.

I didn't change much on L'n'S's default config (only some options, not rules), and I allowed Opera to access the internet.

Well, GOD2 got through and sent me mails without any "peep" from L'n'S... :o
There wasn't a single hint about a "god2.exe" or one of the dll's.

Again, Ph33r_, which "software" (name of file) did start your browser at that moment, according to L'n'S?


@SmackDown
-{ Quote: "Hi, it would make no difference, SSM would catch it" }-

As I wrote before, my tests showed another result (SSM missed the 'important' part.) Did your tests show something else?

-{ Quote: "these kinds of programs, only get by people who don't take the time to secure their PC. " }-

You missed the point I made above: the trojan could easily use port 80 (ok, not for sending mail, but something similar ;) ) or your mail client - McAfee would not alert you.


@Patrice
-{ Quote: "Every change of a program which has the rights to access the internet is registered (even if you just add some letters in the exe file)." }-

Not the file is changed, but the running trusted process. ::)

JacK
May 18th, 2003, 05:46 PM
-{ Quote: " quoting: _anvil
As I wrote before, my tests showed another result (SSM missed the 'important' part.) Did your tests show something else?

" }-
Hello,

I installed it and left my 2 browsers open and Sniffer Pro watching.

Easily caught by SSM - I did not try to see if OP v2b catches it without SSM; for sure somebody else will try. No outbounds at all.

Furthermore, you must install the proggy willingly: no user on my PCs has those rights but administrator (WinXP Pro), and I never connect to the W3 as Admin when not needed, just this time to see what this keylogger was able to do: just nothing on my system 8)

Rgds,

SmackDown
May 18th, 2003, 05:48 PM
Sure, here are pics of SSM busting GOD 2. How much more evidence does one need? SSM names GOD 2 and its location, plus it shows my name trying to be added to the Registry.

SmackDown
May 18th, 2003, 05:49 PM
Here is second pic, How could anyone miss these? ::) ::) ::) ::)

_anvil
May 19th, 2003, 06:34 AM
@JacK and SmackDown

SmackDown, your pics show exactly what I got (thanks for verification...now we can discuss... ;) )

You both don't seem to understand, what I mean when saying: "SSM missed the 'important' part." (I didn't doubt, that SSM _does_ alert you a few times - read carefully, SmackDown ;) )

So, what is the 'important part'?
Look at the pics: how can it be, that the 'explorer.exe' does something malicious, like starting a trojan from time to time (pic 1) and attaching a keylogging module to another process (pic 2)?! *
The answer is: GOD2 has injected itself somehow into 'explorer.exe' (it hijacked your shell!), which happened _unnoticed_ by SSM!
The second point: SmackDown, I miss the pic, showing how SSM detects the injection of "log-sender.dll" into the browser process. The reason is simple: SSM does _not_ detect it...

These are the 'important parts' which I was talking about. You probably see now, that there _is_ a problem. Look, we are not talking about GOD2 in the first place, but about ways to bypass Firewalls and Sandboxes - and obviously, there _are_ ways to do so. ::)
If GOD2 would be modified only _a bit_, SSM would probably fail completely...

Sorry for causing some confusion before, but I had assumed you would go more into the details yourselves... ;)

* (BTW: SSM doesn't really 'block' the injection of keylog.dll into 'explorer.exe' :o - verify it with APM or ProcessExplorer! Dunno, what's wrong here...)

Phant0m``
May 19th, 2003, 06:46 AM
I don’t use SSM :/

_anvil
May 19th, 2003, 07:14 AM
@Phant0m/Ph33r_ (or whatever ;) )

Still I'd like to know, why "my" L'n'S doesn't block GOD2 _at all_... ???
Would you please read again (and perhaps reply to) my previous postings about that topic? :)

Have I forgotten to set a special option? Might there be a hole in the (default-) ruleset?

Ph33r_
May 19th, 2003, 07:39 AM
If there was a hole in your Rule-set that still wouldn’t be valid as we are discussing the Application Filtering Layer having detection/blocking capabilities and not the Packet Layer having detection/blocking capabilities. ;)

Ph33r_
May 19th, 2003, 07:48 AM
Because of the .DLL Injection you are right; Look ‘n’ Stop doesn’t provide a whole lot of protection in this area. No concern as I was telling another last night that because Frederic spent so much time fixing the main areas which counted the most before implementing DLL Module Filtering that only perfection would come out of this. Use Sygate Personal Firewall for an example with its DLL Module Filtering and it’s poor Leaktest handling… ;)

_anvil
May 19th, 2003, 10:12 AM
-{ Quote: "If there was a hole in your Rule-set that still wouldn't be valid as we are discussing the Application Filtering Layer having detection/blocking capabilities and not the Packet Layer having detection/blocking capabilities." }-

Yes, that is what I had presumed - but I am not too familiar with L'n'S, so I want to 'check' everything. ;)


-{ Quote: "Because of the .DLL Injection you are right; Look 'n' Stop doesn't provide a whole lot of protection in this area." }-

Not sure, if I understand you correctly: do you now confirm my test results (L'n'S does _not_ block GOD2), contradictory to what you and Patrice wrote before? ???
If not: help me to find, what is wrong with 'my' L'n'S, please. ;)

Ph33r_
May 19th, 2003, 10:30 AM
What I wrote was accurate; just doesn’t necessary mean at a global scale :)

_anvil
May 19th, 2003, 11:48 AM
You aren't on court here, Ph33r_. ;)
Please just answer my simple question: do you confirm my test results with GOD2 and L'n'S? Or haven't you tested it, yet?

And if you have other results, please tell me how you got them - it can't be that hard...

(forgive me, if you have already given the answer to my question, and I just don't get it... my english isn't the best ::) )

JacK
May 19th, 2003, 12:54 PM
So, what is the 'important part'?

Hullo _anvil

AFM the important part is: does GOD2 phone home without my being able to prevent it or being alerted? No outbounds (checked with SnifferPro).

Definitely NO.

I looked with HijackThis if Explorer.exe or any other app was hijacked : NO if I don't allow it.

Does GOD2 makes a log about the keystrokes NO if I don't allow it.

It's only simple dll injection.

Of course there are ways and there will always be to bypass a FW.
GOD2 cannot bypass SSM (and I reckon it could not even bypass OPv2 without SSM)

root
May 19th, 2003, 01:49 PM
Anvil, could you please email me at #@%$# .
Thanks.

_anvil
May 19th, 2003, 02:21 PM
@JacK
-{ Quote: "AFM the important part is does GO2 phone home without I can prevent it or been alerted " }-

Again: I am not just talking about this special trojan 'GOD2', which indeed can be blocked by SSM at certain states - I am talking about some of the methods, GOD2 uses to _successfully_ bypass SSM, L'n'S (?) and probably any other 'outbound protector.'


-{ Quote: "I looked with HijackThis if Explorer.exe or any other app was hijacked : NO if I don't allow it." }-

Sorry, I was talking about another kind of hijacking. Read again my comments on SmackDown's pics, please.
Do you think it is 'normal behaviour' of explorer.exe to attach keylogging modules to other processes? And why does your browser suddenly send mail?! ::) ;)
(both unnoticed by SSM - look at SmackDowns pics)


-{ Quote: "It's only simple dll injection." }-

Yes, it is dll injection - but too much for SSM (and L'n'S?) at the moment...


-{ Quote: "Of course there are ways and there will always be to bypass a FW." }-

Yes, that's (basically) all I wanted to say! :D
And GOD2 shows an example for one of these ways. Why do we discuss? ;)

RabbitOnTheMoon
May 19th, 2003, 02:29 PM
Hello, I'm a SSM developer.

_anvil was right, GOD 2 was really lucky to hijack explorer.exe. This was because of a slight glitch in SSM. SSM was aware that "GOD 2" wanted to create a remote thread in some process, but due to this bug, SSM didn't know the name of this process and because of current policy, SSM allowed this action without asking the user.

Thanks for this notice. ;)
The hotfix already available. You just need to get the following file (about 30kb):
http://mc.webm.ru/mchooknt.dll

Best regards,
Max

Ph33r_
May 19th, 2003, 03:31 PM
_anvil!!!!

Way to go, i knew you had it all down pack! ;)

_anvil
May 19th, 2003, 03:31 PM
Hi Max,

great news! :D
Now SSM can really block the injection into explorer.exe _and_ the browser (the both 'important parts', which it missed before ;) .)

Still two more (little) things, Max:
1. when GOD2 tries to inject itself into the browser, SSM only shows the browser's filename (e.g. opera.exe) in the alert box, but neither its icon nor the whole pathname (which would be normal)... although not a real prob, there might perhaps still be a little glitch...
2. as I mentioned above, SSM doesn't really block the injection of the keylog.dll into explorer.exe - the dll is always loaded into explorer.exe, no matter if you block it, or not. In spite of that, the keylogging function does _not_ work, when you chose to block it. Again no real prob, but still... ;)

Well, after all another confirmation for me to carry on using SSM. :)

Now, we still have to fix this problem in L'n'S - if there is a problem... Ph33r_?! ;)

Ph33r_
May 19th, 2003, 03:44 PM
Hey _anvil

You didn’t need me to confirm this, you absolutely on the correct path.
But like I said what I had mentioned was accurate, just didn’t apply at a global scale… ;)

Regards,

RabbitOnTheMoon
May 19th, 2003, 04:15 PM
_anvil

I'm not familiar enough with this "GOD 2" thing. When does it inject code into a browser? And what browser should be opened (should it?) (I have 2 Operas and 1 IE. Opera 6.0 seems to be default, while the 7.0 is the one I use :) )

Anyway it appears to be a full-path-extraction problem...

#2. SSM really blocks DLL injection, if you answer "no" in this dialog:
(sorry for Russian. Here SSM asks about creating a remote thread)
http://duesouth.webm.ru/tmp/1.gif

After, I have checked explorer using "TaskInfo 2003" and noticed no "keylogger.dll" in explorer.exe
http://duesouth.webm.ru/tmp/2.gif

Perhaps you should terminate/start explorer again (since a malicious thread still exists in it)?

root
May 19th, 2003, 05:14 PM
_anvil, thanks for the help with this. ;)
When there is a weakness in a program, it is always a good thing to help the author make it right.

_anvil
May 20th, 2003, 10:05 AM
@Max

I'll try to reconstruct, what GOD2 does (in my understanding), and where SSM has little probs:

1. copies and starts exe-file (e.g. 'god2.exe'; is then autostarted with windows) in win-dir, and copies two dll-files ('keylog.dll' and 'log-sender.dll') in sys-dir.

2. injects itself (without dll) in 'explorer.exe'; 'explorer.exe' now is 'hijacked' (-> see Max's first pic; SSM has no prob to block this. :) ), and 'god2.exe' from win-dir does _not_ run any longer at that moment (so you don't see any trojan process!)

3. the hijacked 'explorer.exe' then injects 'keylog.dll' in itself(!?), so that all keystrokes are stored in a 'log.txt' in win-dir (this is the point, when SSM partly fails: 'keylog.dll' is _always_ loaded in 'explorer.exe', even if SSM tries to block it... still, keylogging will only work, if SSM allows it)

4. GOD2 does not start the (default-)browser itself, but waits until the user does it. After the browser is started, 'explorer.exe' starts 'god2.exe' from win-dir (again), and 'god2.exe' creates remote thread in browser and injects 'log-sender.dll' in it (here, SSM has the prob with missing browser symbol and pathname.)
The 'hijacked' browser then sends the filled 'log.txt' to specified mail adress.

I think, that's it. Hope it helps. :)

Ah, and yes, 'explorer.exe' obviously has to be terminated/restarted to be 'cleared' of the trojan code...
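
The point of the exchange above (the exe on disk is untouched, the running trusted process is what gets altered) can be shown as a small model. The following is an added example written for this page, not code from the thread, from Look 'n' Stop or from SSM. It models three checks over a constructed process snapshot: an on-disk hash check of the kind an "application has changed" alert is based on, a per-application port rule for the browser, and a comparison of the modules a process has loaded against a clean baseline. The `Process` class, the `opera.exe` rule on ports 80/443, the image bytes, hashes and module paths are all assumptions for illustration; `log-sender.dll` is the name used in the thread and its location follows _anvil's reconstruction (Phant0m`` later places it in %WINDIR%; the check does not depend on the directory).

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    image_bytes: bytes                  # stand-in for the executable file on disk
    modules: list = field(default_factory=list)   # full paths of DLLs loaded in memory


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 1. On-disk image check: what an "application has changed" alert is based on.
TRUSTED_IMAGES = {}      # process name -> hash recorded when the user allowed the app


def register_trusted(p: Process) -> None:
    TRUSTED_IMAGES[p.name] = sha256(p.image_bytes)


def image_check(p: Process) -> bool:
    """True if the executable file is byte-for-byte what the user allowed."""
    return TRUSTED_IMAGES.get(p.name) == sha256(p.image_bytes)


# 2. Runtime module baseline: the level at which an injected DLL becomes visible.
BASELINE = {}            # process name -> module paths seen in a clean snapshot


def record_baseline(p: Process) -> None:
    BASELINE[p.name] = {m.lower() for m in p.modules}


def new_modules(p: Process) -> list:
    """Modules loaded now that were absent from the clean snapshot."""
    known = BASELINE.get(p.name, set())
    return [m for m in p.modules if m.lower() not in known]


# 3. Per-application port rule, as a user would configure it for a browser.
APP_RULES = {"opera.exe": {80, 443}}     # assumed rule: browser may use HTTP/HTTPS only


def egress_check(proc_name: str, dst_port: int) -> bool:
    return dst_port in APP_RULES.get(proc_name, set())


def analyse(p: Process, dst_port: int) -> dict:
    added = new_modules(p)
    return {
        "image_ok": image_check(p),                    # passes for the hijacked process
        "egress_allowed": egress_check(p.name, dst_port),
        "new_modules": added,
        "hijacked": bool(added),                       # only this check sees the injection
    }


# Constructed scenario (not a capture from the thread).
SYSDIR = r"C:\WINDOWS\system32"
CLEAN_BROWSER = Process("opera.exe", b"opera-image-v7", [
    SYSDIR + r"\kernel32.dll", SYSDIR + r"\ws2_32.dll",
    r"C:\Program Files\Opera\opera.dll"])
register_trusted(CLEAN_BROWSER)
record_baseline(CLEAN_BROWSER)

# Same bytes on disk, one extra DLL in memory: the injected log sender.
HIJACKED_BROWSER = Process("opera.exe", b"opera-image-v7",
                           CLEAN_BROWSER.modules + [SYSDIR + r"\log-sender.dll"])

# Patched executable: the case the on-disk check does catch.
PATCHED_BROWSER = Process("opera.exe", b"opera-image-v7-patched", CLEAN_BROWSER.modules)

if __name__ == "__main__":
    for label, port in (("SMTP", 25), ("HTTP", 80)):
        print(label, "from hijacked browser:", analyse(HIJACKED_BROWSER, port))
    print("patched browser image ok?", image_check(PATCHED_BROWSER))
```

Run as written, the hijacked browser passes the image check both times; the SMTP attempt is refused only because the browser has no rule for port 25, and the same process on port 80 is let through. The module diff is the one check that reports the injected DLL in both cases, while a patched executable trips the image check as intended.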

Patrice
May 20th, 2003, 11:05 AM
Hi _anvil,

-{ Quote: " quoting: _anvil
Ah, and yes, 'explorer.exe' obviously has to be terminated/restarted to be 'cleared' of the trojan code...
" }-

Not quite, use Advanced Process Manipulation from DiamondsCS to unload the DLL. Have a look at this software, it's pretty cool. ;)

Regards,

Patrice

_anvil
May 20th, 2003, 11:24 AM
Hi Patrice,

I have already used APM (and other tools) to find out, what GOD2 actually does. Nice app indeed. :D

But in this case, APM wouldn't help. Look, what I wrote above: "2. injects itself (without dll) in 'explorer.exe' "
So _this_ part is obviously not "dll-injection", but direct "code-injection."

Anyway, if you unload the "keylog.dll" from explorer.exe with APM, the explorer will crash and then restart - so after all, it _will_ be cleared. ;D

Patrice
May 20th, 2003, 11:29 AM
Ah, o.k. now I got what you meant! ;)

Nice work by the way!

Regards,

Patrice

RabbitOnTheMoon
May 20th, 2003, 12:15 PM
_anvil
I still have to say, that when you block code injection, your shell is NOT hijacked, and DLL is NOT loaded at all. Have you checked your "HKLM\...\Run" registry key? Perhaps there is a malicious entry left?

BTW: the source code of GOD 2 is available, so if you want - you can inspect it (if you haven't done it already, of course) ;)

Patrice
May 20th, 2003, 12:26 PM
Can someone please tell me where you find all this information about GOD 2??? ???

JacK
May 20th, 2003, 12:35 PM
-{ Quote: " quoting: _anvil
@JacK
-{ Quote: "AFM the important part is does GO2 phone home without I can prevent it or been alerted " }-

Again: I am not just talking about this special trojan 'GOD2', which indeed can be blocked by SSM at certain states - I am talking about some of the methods, GOD2 uses to _successfully_ bypass SSM, L'n'S (?) and probably any other 'outbound protector.'


-{ Quote: "I looked with HijackThis if Explorer.exe or any other app was hijacked : NO if I don't allow it." }-

Sorry, I was talking about another kind of hijacking. Read again my comments on SmackDown's pics, please.
Do you think it is 'normal behaviour' of explorer.exe to attach keylogging modules to other processes? And why does your browser suddenly send mail?! ::) ;)
(both unnoticed by SSM - look at SmackDowns pics)


-{ Quote: "It's only simple dll injection." }-

Yes, it is dll injection - but too much for SSM (and L'n'S?) at the moment...


-{ Quote: "Of course there are ways and there will always be to bypass a FW." }-

Yes, that's (basically) all I wanted to say! :D
And GOD2 shows an example for one of these ways. Why do we discuss? ;)
" }-

Hello _anvil,

Well seen and great job : I did not look as I saw there were no phoneing home.
tnx,

_anvil
May 20th, 2003, 12:47 PM
@Max

-{ Quote: "I still have to say, that when you block code injection, your shell is NOT hijacked, and DLL is NOT loaded at all." }-

Yes, if you block GOD2 at step 2 (see my post above), then there is no problem at all - no hijacking, no keylogging, no mail. :)
But if you let GOD2 "through" at step 2, then SSM will not block the injection of 'keylog.dll' at step 3 properly (at least on my PC) - again: not a real prob, but perhaps a hint to another tiny glitch in SSM... ::)


-{ Quote: "BTW: the source code of GOD 2 is available, so if you want - you can inspect it (if you haven't done it already, of course) " }-

Yes, I already noticed that just today. I will take a look, but unfortunately, I am not coding expert... :-\

RabbitOnTheMoon
May 20th, 2003, 04:17 PM
Well, _anvil, now I see what you mean. But I don't think that there is something wrong, because when you allow code-injection, explorer begins to do things on its own. In this case it (being infected) decides to load the library keylog.dll. Since loading a library is a normal activity of each process, SSM doesn't monitor it (you can imagine how many libraries MS Office or Adobe's products load into themselves).

Of course, it's a nice thing to watch which libraries are loaded into processes, but SSM even now is too annoying for most of the users. Asking them to classify libraries will make SSM finally unusable. So I don't see an obvious solution.

Paul Wilders
May 20th, 2003, 04:30 PM
-{ Quote: " quoting: Patrice
Can someone please tell me where you find all this information about GOD 2??? ???
" }-

...elsewhere on the web, Patrice - no links allowed to this sort of nasties over here. Google around ;).

Gents,

This is a very interesting thread indeed 8).

regards.

paul

Patrice
May 20th, 2003, 04:31 PM
Hi Paul,

no problem, I have already found it!

Regards,

Patrice

_anvil
May 20th, 2003, 05:02 PM
@Max

Yes, I had similar thoughts as you. And of course, SSM should not monitor all the dll's, an app loads into itself. :)
(well, it could perhaps show the dll's in its process viewer... later ;) )

But then I wonder why SSM detects in this case, that explorer.exe wants to attach a dll (to itself.) It seems to be different to a 'normal' dll loading procedure... ::)

But after all, it shouldn't be much of a concern, since the result speaks for SSM, anyway. 8)

Patrice
May 20th, 2003, 05:05 PM
_anvil,

I redid the test with GOD 2 and I'm surprised a little bit. The first time GOD 2 came through (Look'n'Stop) didn't react. But as soon as I unloaded keylog.dll with APM and explorer.exe crashed, as you told me, Look'n'Stop gave an alert. From this time on, Look'n'Stop always gave an alert, that the explorer.exe has changed...

So I hope this clears things up! Nevertheless this GOD 2 is a beauty of a nastie! Countermeasures are undertaken, mails to several support sites (DiamondsCS, NAV, F-Secure, KAV,...) are under way.

Best regards,

Patrice

RabbitOnTheMoon
May 22nd, 2003, 10:18 AM
>_anvil,

Yes, I think that DLL listing functions will be included in the next release. BTW: SSM already can load/unload DLLs, so it's a kind-of-routine to make a thing like DiamondCS's "Advanced Process Manipulation" ;)

You are right, SSM detects the case when Explorer not simply loads a DLL into itself, but when it wants this DLL to be loaded in almost every process in your system.
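
The distinction Max draws in the two posts above (a process loading a DLL into itself happens constantly and is not worth an alert; a DLL that the shell pushes into almost every process on the box is) can be expressed as a prevalence check over a module listing. The following is an added example written for this page, not code from the thread or from SSM. The snapshot, the process names, the `KNOWN_UBIQUITOUS` list and the 75% threshold are constructed for illustration; `keylog.dll` is the name from the thread, placed in the system directory as in _anvil's reconstruction.

```python
from collections import defaultdict

# Modules every Win32 process loads. In practice this set is recorded from a
# clean machine; here it is a constructed, deliberately short list.
KNOWN_UBIQUITOUS = {
    r"c:\windows\system32\ntdll.dll",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\user32.dll",
}


def dll_prevalence(snapshot: dict) -> dict:
    """snapshot: {process name: [module paths]} -> {module path (lower-case): set of process names}"""
    seen = defaultdict(set)
    for proc, modules in snapshot.items():
        for m in modules:
            seen[m.lower()].add(proc)
    return dict(seen)


def ubiquitous_unknown(snapshot: dict, known=KNOWN_UBIQUITOUS, min_fraction: float = 0.75) -> dict:
    """Modules present in at least min_fraction of all processes that are not on
    the known list. A hook DLL pushed into every process shows up here; a DLL an
    application loads for its own use (one process, or a few) does not."""
    total = len(snapshot)
    hits = {}
    for module, procs in dll_prevalence(snapshot).items():
        if module in known:
            continue
        if total and len(procs) / total >= min_fraction:
            hits[module] = sorted(procs)
    return hits


# Constructed snapshot, as a process viewer would list loaded modules.
S32 = r"C:\WINDOWS\system32"
BASE = [S32 + r"\ntdll.dll", S32 + r"\kernel32.dll", S32 + r"\user32.dll"]
HOOK = S32 + r"\keylog.dll"   # name from the thread; location assumed

SNAPSHOT = {
    "explorer.exe": BASE + [HOOK],
    "opera.exe":    BASE + [HOOK, r"C:\Program Files\Opera\opera.dll"],
    "winword.exe":  BASE + [HOOK, r"C:\Program Files\Office\mso.dll"],
    "notepad.exe":  BASE + [HOOK],
    "cmd.exe":      BASE,          # one process that has not received the DLL (yet)
}

CLEAN_SNAPSHOT = {name: list(BASE) for name in SNAPSHOT}

if __name__ == "__main__":
    print("suspect modules:", ubiquitous_unknown(SNAPSHOT))
    print("clean machine:  ", ubiquitous_unknown(CLEAN_SNAPSHOT))
```

On the constructed snapshot only `keylog.dll` is reported, with the four processes carrying it; `opera.dll` and `mso.dll` stay below the threshold because each lives in a single process, which is the "normal library load" Max says is not worth asking the user about.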

_anvil
May 22nd, 2003, 10:35 AM
@Patrice

Hmm, interesting... and a bit strange, because it is not the 'explorer.exe' which injects a dll in the browser to hijack it, but the 'god2.exe' from win-dir.
If L'n'S would detect this correctly, the alert should sound different, I think.

So, I don't know, what L'n'S exactly 'detects' and alerts here... ???


@Max

Yes, that makes sense.
Looking forward to the next release of SSM. :)

Phant0m``
May 22nd, 2003, 10:52 AM
Hey _anvil

I may be mistaken, but assuming GOD2.exe is the name which the user pre-defines: upon execution of GOD2.exe it copies itself into %WINDIR% and creates keylog.dll (assuming on user pre-defines) in %WINDIR%; the GOD2.exe executable also injects that into the Explorer.exe process. In addition it creates log-send.dll (again, assuming on user pre-defines) in %WINDIR%, which gets called by keylog.dll to send its log file and so forth via e-mail, as well as the Log.txt (…) which gets created in %WINDIR%. GOD2.exe also places itself into the current user's Start-up group, which injects keylog.dll into the Explorer.exe process upon Windows booting…

GOD2.exe only runs long enough to insert its DLL module (keylog.dll) into Explorer.exe process, keylog.dll checks for user-predefined Log size in KB and if matches calls the log-send.dll which sends the Log and whatever via E-mail.

Look ‘n’ Stop does not have DLL Module Filtering yet, until then these methods using DLL Modules will be undetectable by Look ‘n’ Stop Personal Firewall.

Regards,
Phant0m``

RabbitOnTheMoon
May 22nd, 2003, 01:04 PM
>Patrice
" From this time on, Look'n'Stop always gave an alert, that the explorer.exe has changed..."

OKay, and what about this test: httx://mc.webm.ru/copycat.exe?

URL changed - those who want to perform this test: revert the URL to "http". No offense, Rabbit - Forum Admin

Ph33r_
May 22nd, 2003, 01:09 PM
Hmmm on Windows XP Pro there was no Look ‘n’ Stop Alert indicating any changes to Explorer.exe file.

Patrice
May 22nd, 2003, 02:24 PM
Max,

what the hack is that!? Do you have any additional information about this tool? TDS-3 gave me an alert about it... I will test it and come back with the results.

Cheers,

Patrice

RabbitOnTheMoon
May 22nd, 2003, 02:39 PM
>
"TDS-3 gave me an alert about it"

Wow :). I'll try TDS3 :)

Actually it's a simple proggie (written by myself), which injects its code into the application you select. I can provide the source code if you're worried about the TDS3 alert. The only problem I've noticed is that the process you select to hack may crash if you perform this test twice. It will not affect the stability of your system and of course will not do anything bad.

Patrice
May 22nd, 2003, 02:46 PM
No problem Max, I do trust you. I was just wondering if there is some more information about it. ;D

Patrice
May 22nd, 2003, 02:49 PM
WOW! Need to shut down TDS-3...

Patrice
May 22nd, 2003, 02:52 PM
Mhhh... came through. Only SSM did alert me! ;D LOL ;D

Need to talk to Frédéric...

THANKS Max!!

Patrice

Ph33r_
May 22nd, 2003, 03:12 PM
Congratulations RabbitOnTheMoon ;)

RabbitOnTheMoon
May 22nd, 2003, 03:57 PM
Thanks for your appreciation :)

BTW: while trying TDS3 (build 3.2.1), I've encountered one problem in XP: it just can't scan anything, and when it tries, it eats 100% of my CPU, so I have to press the "reset" button. That's rather strange for NT... I've tried switching off all tasks available for the limited-user profile (so there was nothing except TDS and Task Manager left), but I got the almost frozen system again. The problem occurred only with in-memory scans of started processes. I've restarted my PC ~8 times trying to figure out what's going on, and finally gave up and tried TDS in Win98 SE. ???

Patrice
May 22nd, 2003, 04:03 PM
Max,

why don't you ask your question in the appropriate forum? Go over to the TDS-3 forum, I'm sure they will help you out! ;)

Regards,

Patrice

Phant0m``
May 23rd, 2003, 03:08 PM
Hey RabbitOnTheMoon

Is the source-code for copycat.exe available to anyone who wants it or was it just a moment thing? ???

Patrice
May 23rd, 2003, 03:11 PM
Hey Phant0m,

I already asked you this question once, but why don't you register here at the Wilders Forum? It would be nice if we (I) could drop you an Instant Message or send you an email sometimes! ;)

Think about it again!

Best regards,

Patrice

Phant0m``
May 23rd, 2003, 04:02 PM
Hey Patrice

Heh, you don't need me registered up to contact me bro, the e-mails I used to post on here are valid… See the Mail folder pic below my nickname? ;)

Patrice
May 23rd, 2003, 04:14 PM
Hi Phant0m,

good to know that this address is correct! If I need to send you an email in future I know how to do it! ;)

By the way, I would like to hear your answers about the threads in the firewall forum:

-Stress Testing Tools

Did you use such tools to check the firewalls or did you write those attacks yourself?

-CHX-I Stateful Packet Filter 2.4.1

What do you think about it, you tested this function for LnS as well, right?

Regards,

Patrice

Phant0m``
May 23rd, 2003, 04:32 PM
Hey Patrice

-{ Quote: "-Stress Testing Tools

Did you use such tools to check the firewalls or did you write those attacks yourself?" }-
I don’t play with Winbl0wz Flooders. :)


-{ Quote: "-CHX-I Stateful Packet Filter 2.4.1

What do you think about it, you tested this function for LnS as well, right?" }-
You mean test this System along side with Look ‘n’ Stop to see if there’s any conflicts or you mean have I tested out the TCP SPI in Look ‘n’ Stop product?

Patrice
May 23rd, 2003, 04:56 PM
-{ Quote: " quoting: Phant0m``: You mean test this System along side with Look 'n' Stop to see if there's any conflicts or you mean have I tested out the TCP SPI in Look 'n' Stop product?" }-

The latter

RabbitOnTheMoon
May 23rd, 2003, 05:03 PM
>Phant0m``

Source code:
http://mc.webm.ru/

Dedicated page. Will be available for a while.

Phant0m``
May 23rd, 2003, 05:03 PM
Yea, I’ve tested Look ‘n’ Stop’s TCP SPI…
It’s fully functional and should be used by all Look ‘n’ Stop Customers for Additional Protection over TCP Protocols. ;)

Phant0m``
May 23rd, 2003, 05:05 PM
Hey RabbitOnTheMoon!

Thanks, I appreciate that.
You doing a fine job, keep up the perfect work! :)