Firewar still able to terminate Outpost FW with PG

[aperkins]

Outpost Pro v2.0.238.3121 (290)
Process Guard v1.150
Firewar Standalone Edition http://www.paoloiorio.it/fw.htm

I have all the block flags selected for outpost.exe, both General Protection Options selected and CHM.

TaskMgr is unable to stop the process.

Upon execution, Firewar causes CHM to pop-up, I click cancel twice then receive an error from Outpost as it unloads.

Attached is a screen shot of the PG log, which doesn't report any attempt on outpost.exe from firewar.exe, the Outpost error, and Firewar showing that it has disabled Outpost.

[DolfTraanberg]

Hi aperkins and welcome,
This issue has been addressed in the DiamondCS General Forum and will be looked into
quote from Jason:

Quote:

We are just finishing tonights beta with a problem fixed, I think we can check on that soon. Actually something we changed might help.. do you know if this works on the DEMO version if there is one ? Something for us to test would be good..

quote from Pilli:

Quote:

Hi, I have been testing 1.15 against OP V2 on Server 2003 and, after some investigation, found that to make it work consistantly you have to first list OP then close procguard.exe, reboot and all is well.
I am not sure of the reason for this but it may be to do with OP having to be totally closed before being correctly listed and protected in PG.

Dolf

[redwolfe_98]

i never have worried about firewar, and considered it a gimmick.. i think diamondcs has the bases covered..

[aperkins]

Gimmick or not, I expect PG to protect the applications I assign to it, period. Anything less would put DiamondCS in the general, kinda works, utility catagory.

They have chosen to be the leaders in their field, so they must continue to perform above and beyond...

We should expect nothing less.

[DolfTraanberg]

They ARE the leaders in this field, because there is no competition for this program
But as you could have read: they are working on it
Dolf

[linney]

At least Outpost gives you a message that it has been tampered with. It would be worse if it just closed silently.

You can immediately restart the firewall afterwards, by clicking on the program shortcut in Start Menu Programs.

[peakaboo]

Quote:

quoting: aperkins link=board=40;threadid=17621;start=0#msg109685 date=1071254024]
Gimmick or not, I expect PG to protect the applications I assign to it, period. Anything less would put DiamondCS in the general, kinda works, utility catagory.

They have chosen to be the leaders in their field, so they must continue to perform above and beyond...

We should expect nothing less.

you are further ahead by using PG than not.

be interesting to see if SSM allows firewar to even execute - my guess is it will not...

just tried both firewar versions... html & .exe

the html page doesn't even make my browser burp, and the .exe can't start up with SSM in place

nice result for this insecure win9x system...

looks like a weak exploit, except if you have ur config...


probably isolated layer in some more defenses until PG handles...

[Gavin - DiamondCS]

Yes and on Win98 that is a reasonable solution

[redwolfe_98]

peakaboo, which version of system safety monitor do you recommend? which version are you using?

[peakaboo]

redwolfe, If you are running Win98/SE or above, I would recommend you try the latest version 1.9.4b1. If you have any problems look in the help file (help file should unpack when you run SSM.exe) and email the author. Max is very responsive.

If you are running below Win98/SE contact Max for special build.

I'm running a special build off the SSM 1.9.3 platform.

get the latest version here:

http://kormushkin.narod.ru/ssm.zip

also if you have any problem with the Html version of firewar you can defeat by taking away the activex...

either

1) turn off active x if you use IE or
2) use proxomitron with a filter which kills activex or
3) use a browser which doesn't support activex - Opera or Firebird

[redwolfe_98]

i installed the latest version of ssm.. ssm appeared to stop firewar from running, but it (firewar) still managed to shut down my kerio 2.15 firewall (somehow).

[peakaboo]

redwolfe,

With SSM running after you have allowed all trusted aps right click on SSM icon in systray and move from administrator mode to user mode

then try running firewar.exe

the .exe should not even start since it is not trusted ap; exploits can't fool it since it uses MD5 fingerprint

great discussion by gkweb on two different approaches sandboxing & process monitoring here:

http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/software.html

the point is if SSM will not allow the firewar.exe to run then it won't allow a trojan or any other program or Ap which is non trusted to run either...

contact Max via email if it does not work as you expected, or post to SSM thread, worked fine for me.

additional discussion re: SSM...

http://www.wilderssecurity.com/showthread.php?t=17132

[redwolfe_98]

thanks, peakaboo.. that worked, switching it from administrator to user mode.. now it is stopping firewar even in administator mode.. 'don't know why it wouldn't, before. ssm is running smoothly..