#1
It seems that Application Filtering is checking the calling process and its parent, but not the grandparent processes? I discovered this using WallBreaker v4.0. It seems that this would allow malware to leak through LnS.
I can reproduce this on my computer like this:
1) In LnS' settings, allow Internet Explorer, Windows Explorer, and cmd.exe to access the internet.
2) Run tests 1 and 3 in WallBreaker.exe (v4.0).

For what it's worth, here are my settings: I have enabled "Watch Thread Injection".

In my Registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw1]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:0000000a
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6c,00,6e,00,73,00,66,00,77,00,31,\
  00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="lnsfw1"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ActivatedSoon"=dword:00000001
"CheckDNSQ"=dword:00000001
"CheckHSRE"=dword:00000001
"CheckVAEUDTF"=dword:00000001
"IPFragActive"=dword:00000001

In my driver logs:
Look 'n' Stop Version 2.05p3
Driver versions: 4.08 & 3.05
API Driver versions: 3.05 & 4.01
Service Mode.
[13:38:46] Internet Firewall Enabled
[13:38:46] Appli Firewall Enabled
[13:38:47] Computer isn't connected to Internet.
[13:38:47] Watch Failed
[13:38:49] Adapter modified
[13:38:49] Computer connected to Internet on: [...]
[13:38:52] Security Center registration Ok.
Intel(R) PRO/100 M Network Conn - [...]
WAN Miniport (IP) - Look 'n' St - [...]
WAN Miniport (Network Monitor) - [...]
FW: Driver Entry Win2k/XP
WAN Miniport (Network Monitor) - Look 'n' Stop Driver
WAN Miniport (IP) - Look 'n' Stop Driver
Intel(R) PRO/100 M Network Connection - Look 'n' Stop Driver
FW1: Driver Entry Win2k/XP.
[...]
FO2_Ok FO2_2_Ok
[...]
FO4_Ok FO3_Ok
[...]
FO5_Ok
[...]
__________________
- LnS 2.05p3 (24 Sep 2005) (running as Service) (Enhanced ruleset) - Nod32 v2.70.16 - WinXP Home sp2
#2
In other words, if process A calls process B calls process C calls process D calls process E,
I would expect LnS to check E then D then C then B then A until there are no more ancestor processes to check. Also, if I've already allowed E and D in the past and I have no rules for C, B, or A, then: 1) If I block C then LnS should stop checking. 2) If I allow C then LnS should proceed to checking B and (depending on my choice for B) to checking A. After thinking about it some more, maybe it would be more user-friendly if LnS prompted the user for A first, then B then C. This way the user would immediately know the name of the program that started everything. The point, though, is that I think that the whole process chain should be checked.
__________________
- LnS 2.05p3 (24 Sep 2005) (running as Service) (Enhanced ruleset) - Nod32 v2.70.16 - WinXP Home sp2 Last edited by Pete99 : April 25th, 2006 at 02:39 PM.
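As an added illustration (not code from this thread or from Look 'n' Stop), here is a small Python model of the policy the post above describes: walk from the calling process up through its ancestors, stop at the first explicitly blocked one, and compare that with a check limited to the process and its parent. The process tree, image names and rule table are constructed sample data.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample process tree (pid -> (image name, parent pid)), modelling
# an unknown program that launches cmd.exe, which in turn launches an allowed
# browser that actually opens the network connection.
SAMPLE_PROCS: Dict[int, Tuple[str, Optional[int]]] = {
    4000: ("explorer.exe", None),
    4100: ("wallbreaker.exe", 4000),   # hypothetical: no rule exists for it
    4200: ("cmd.exe", 4100),           # allowed in the firewall
    4300: ("iexplore.exe", 4200),      # allowed; this one opens the socket
}

# Constructed rule table: image name -> "allow" | "block". Anything absent is
# unknown and would normally trigger a prompt.
SAMPLE_RULES: Dict[str, str] = {
    "explorer.exe": "allow",
    "cmd.exe": "allow",
    "iexplore.exe": "allow",
}


def ancestry(procs: Dict[int, Tuple[str, Optional[int]]], pid: int) -> List[str]:
    """Image names from the calling process up to the root (E, D, C, B, A)."""
    chain: List[str] = []
    seen = set()
    while pid is not None and pid in procs and pid not in seen:
        seen.add(pid)           # guard against pid reuse forming a loop
        name, parent = procs[pid]
        chain.append(name)
        pid = parent
    return chain


def decide(chain: List[str], rules: Dict[str, str], depth: Optional[int] = None,
           prompt: Optional[Callable[[str], str]] = None) -> Tuple[str, str]:
    """Walk the chain leaf-first and return (verdict, image that decided).

    depth=None checks every ancestor as the post proposes; depth=2 reproduces a
    check of only the process and its parent. An image with no rule is resolved
    by prompt(image), or blocked by default when no prompt is supplied.
    """
    checked = chain if depth is None else chain[:depth]
    last = ""
    for image in checked:
        last = image
        verdict = rules.get(image.lower())
        if verdict is None:
            verdict = prompt(image) if prompt else "block"
        if verdict == "block":
            return "block", image     # stop at the first blocked ancestor
    return "allow", last
```

With the sample data, the parent-only check (depth=2) allows the connection because both iexplore.exe and cmd.exe are allowed, while the full-chain walk reaches the unknown grandparent and blocks.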
#3
I think this process checking is better suited to a HIPS like SSM.
__________________
#4
Thanks, WSFuser. After reading these forums for the past several days, I'm also beginning to believe that I need something besides a firewall and antivirus software.
I'm a longtime user of Norton Internet Security. I've wanted to replace it for many years but I could never find an "internet suite" that I liked (ZA Internet Security crashed over and over on my computer when I tried it). I realized that the currently available internet suites are bad and that I was going to have to buy individual components from different companies. To make a long story short, I've decided to buy LnS for my firewall and to use the free Avast antivirus. Now my only challenge is to find something that monitors processes. I'm already using Microsoft's "Windows Defender". I know that my trust in Microsoft is funny but on the other hand they are the people who wrote the operating system and they have access to all of the "internals". In a related note, Windows Defender notified me when I ran test 4 of WallBreaker that scheduled an AT job. Unfortunately Windows Defender allowed the AT job to run before giving me a chance to block it. There are so many other programs that claim to be anti-spyware, anti-trojan, etc. It's so confusing. Unless I discover anything better, I'm going to limit my research to Anti-Hook, BOClean, CyberLink, Ewido, PG, and SSM. Do you recommend SSM or do you have any recommendations for programs that I didn't list?
__________________
- LnS 2.05p3 (24 Sep 2005) (running as Service) (Enhanced ruleset) - Nod32 v2.70.16 - WinXP Home sp2
#5
Hi, Pete99
Quote:
Take Care, TheQuest
__________________
When Nothing is Certain, Anything is Possible.