Gibson Leaktest can bypass Online Armor?

There is actually a thread about this but when i wanted to post there, it says "thread is too old, please start a new one", so.. here you go.

It is a fresh Windows Vista SP2 install. Using Avira Anti-Virus Premium and Onlina Armor 3.5.0.14 (paid version.) It is a "out of the box" install, changed nothing, except for the "firewall log" entry and unchecked "mail shield", which i don't need. I downloaded leaktest.exe (v.1.2) from GRC site.

When i tried to open the leaktest.exe, OA give me the warning about if i allow the program start or not. I clicked allow. (That is because it is a warning about program start, not creating a outbond connection. I expect that i must get another warning about leaktest when it tries to connect the internet. This is why OA has "program shield" and "firewall" options. In another words, if i uncheck the "program shield" and leave only "firewall" checked, i still must get a warning about programs trying to connect somewhere. At least i think this is what a firewall must do.) Anyway, program started. Voila! Some info about updating OASIS database and OA asked me if i allow it to connect internet or not. I clicked "block". And leaktest.exe said to me it succesfully connected to GRC..

Interesting. I repeated the test again. (At first time, i didn't check any of the "remember my decision" boxes.) OA asked again if i allow or not. I clicked yes. Leaktest.exe started. And connected to GRC once again and this time, OA didn't warned me.

For the next step, i unchecked "program shield" to see it will make any difference or not and tried the test. As i mentioned, even if the program shield isn't active, i expect a warning about outbond connections, still. Leaktest.exe started, connected to GRC, OA didn't reported anything..

Interesting? I thought there must be something wrong with my installation of OA or Wİndows. Tried to check carefully. Re-formatted Windows one week ago, so no bloaty Windows. Check. Using only Avira Antivirus, no conflicts. Check. Didn't change anything for OA install (except for the two things i mentioned above). Check. So? Something with the OASIS database maybe? I am really confused.

Here is my firewall log, if anyone wants to take a look. ( ı changed only my user name.)

Type,Date/Time,Action,Description
Program Guard,30.05.2009 13:08:12,Blocked,C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe(404 wants to use C:\Windows\system32\svchost.exe(1540)
Program Guard,30.05.2009 13:08:06,Allowed,C:\Users\......\Documents\Downloads\Programs\LeakTest.exe
Program Guard,30.05.2009 13:06:41,Blocked,C:\Users\......\Documents\Downloads\Programs\LeakTest.exe(518 wants to use C:\Windows\system32\svchost.exe(1540)
Program Guard,30.05.2009 13:06:39,Allowed,C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe
Program Guard,30.05.2009 13:05:58,Blocked,C:\Users\......\Documents\Downloads\Programs\LeakTest.exe(4116) wants to use C:\Windows\system32\svchost.exe(1540)
Firewall: User decision,30.05.2009 13:05:55,Blocked,"C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe, Outgoing ICMP access blocked"
Program Guard,30.05.2009 13:05:43,Allowed,C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe

And this is the screenshot, you can also see firewall automatically allowed leaktest.exe in the log view. (This can not be seen in the log above, i wanted to take a ss, started the leaktest.exe again, and seen that it has also granted access.)

http://img9.imageshack.us/img9/2269/grc1p.jpg

So;

1) Is this a bug?
2) Something wrong with my installation?
3) Or, when you allow a program to run in OA, it automatically grant internet access too? If this is the case, i think it is a really bad thing.

 

i don't think it is a bug nor is oa bypassed. the app was allowed to execute

 

Yes. That is the point. I wrote that very clear. App was allowed to execute. This is the "HIPS" part. But app was not allowed to create a connection. You can see this in the log too. In the end, OA gave automatic internet rights to leaktest.exe, as you can see in the ss. When i allow a application to run, it automatically gains rights to gain internet access too? If so, what is the meaning of "firewall"?

 

The Test is about controlling the app's behavior and preventing it from making outgoing connections, not about whether OA can prevent it from executing in the first place.



And Necropsie it looks like OA hasn't been configured properly. you have blocked it from using svchost but the app itself hasn't been blocked.

 

The pic shows svchost accessing IP 192.168.1.1. at Port 53...

However, with XP SP3 and default settings I get this prompt.



And if I block, I get this one.



Leaktest.exe is also Unknown at OASIS.
http://www.tallemu.com/oasis2/search/file_hash/206C0533CE9BF83ECDF904BEC2F3532D

Something went wrong, maybe with your tests, maybe it's because of Vista SP2, I'm not quite sure.

Cheers

 

Hi,

Leaktest seems to be proxied by Antivir's Webshield. To intercept this connection you need to intercept loopback interface in OA (options / firewall)

Regards,

MaB

 

I got the same screen at my first try too. But as i said, i choosed block and log shows it is blocked, but unfortunaletly, leaktest.exe itself reported it was succesful. When i tried the test again, i never get the same OA screen again.

Yes, that is because (i think) i choosed "block" at the first time. But again, leaktest was succesful to create a connection. Other than that, i am not sure how to configure OA. It was a out of the box install. I can send my configuration screens too if needed.

I searched TellEmu forums and found three threads about this. Exactly the same thing happened to some of the users. Allow the program to run, block when prompted, log shows blocked but program shows it penetrated.. A OA beta user said this may be caused if you use a proxy. I don't. Another one said this is how OA works, if you allow any program in HIPS, it grants access to internet too.

Still, i am confused why OA made a automated decision to allow acces for leaktest.exe.

 

That did the trick! I was about to get worried Thank you! Seems like i am using a proxy afterall, hehe.

http://img20.imageshack.us/img20/629/grc2.jpg

 

You are welcome Necropsie

MaB

 

so not a bug and OA was not bypassed unless you class misconfiguration as a bypass
as for the app being allowed to execute then you need to be prepared to have your defences tested (but hopefully not broken), was my point

 

On a second thought, can this be identified as a security hole? I mean, using Avira and not checking the necessary item in OA makes you vulnerable? Or you are still protected?

 

If you install a proxy server on your computer, and then grant it access to the internet , you have implicitly granted everything that is allowed to use that proxy internet access.

In OA we do not by default monitor loopback interface. We should do some testing to see if the default option should be changed on the basis that more and more AV/AS programs are now acting as proxies.

 

This time, the log showed grc leaktest.exe was blocked to tcp access out to the localhost loopback interface 127.0.0.1. How did you get it to this you did not get it before when leaktest.exe went through to the internet even though you got OA block it go out the internet. On my box, leaktest.exe asked to have tcp:80 out to the grc site, it failed when let OA block it.
My box has vmware-authd.exe is listening on local port 912:tcp, and lsass.exe listening on 1025:tcp and svchost.exe listening on 135:tcp - all are trusted in OA. Either loopback interface is checked in protection or not in OA.

Mike's respond was in corresponding to your OA default configurations of non-enable loopback interface protection.

Let see how OA logged the leaktest.exe on my box:

31/05/09 03:46:33 [TDI] TCP, Connect, 0.0.0.0:1597 -> 4.79.142.200:80, F:\leaktest.exe(1644/1796)
[TDI] Blocked by rule: TCP, --> leaktest.exe, [80], -(*)
31/05/09 03:46:33 [TDI] TCP, Connect, 0.0.0.0:1597 -> 4.79.142.200:80, F:\leaktest.exe(1644/1796)
[TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"
31/05/09 03:46:37 [TDI] TCP, Connect, 0.0.0.0:1598 -> 4.79.142.200:80, F:\leaktest.exe(1644/1992)
[TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"
31/05/09 03:47:06 [TDI] TCP, Connect, 0.0.0.0:1599 -> 4.79.142.200:80, F:\leaktest.exe(2120/1256)
[TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"
31/05/09 03:47:26 [TDI] TCP, Connect, 0.0.0.0:1600 -> 4.79.142.200:80, F:\leaktest.exe(2120/1592)
[TDI] Blocked by user.
31/05/09 03:47:31 [TDI] TCP, Connect, 0.0.0.0:1600 -> 4.79.142.200:80, F:\leaktest.exe(2120/1592)
[TDI] Blocked by user.
31/05/09 04:04:03 [TDI] TCP, Connect, 0.0.0.0:1604 -> 4.79.142.200:80, F:\leaktest.exe(2984/1412)
[TDI] Blocked by rule: TCP, --> leaktest.exe, [80], -(*)
31/05/09 04:04:03 [TDI] TCP, Connect, 0.0.0.0:1604 -> 4.79.142.200:80, F:\leaktest.exe(2984/1412)
[TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"
​

As seen, no localhost access was done by leaktest.exe anyway with non-enable loopback interface protection in OA.

 

I agree. The thing is, i am not aware that i installed a proxy server to my pc. Or, i am not aware that Avira can act like a proxy. I choose my security software from trusted sources, like this forum. Avira and OA was recommended in here and lots of other resources. But, i didn't know that when installed together, Avira can bypass OA (or any other firewall) protection. That is why i said a "security hole". Maybe it was the wrong term. What i really meant was, "can this be identified as a security risk?". (as you can see, English isn't my native language.) I am not a professional on security software, but not a amateur too. If i didn't post this on this forum, i will live my internet life happy, thinking i am protected. So.. i am happy

I don't know what to say. All i can say is, before checking interface loopback thingy, leaktest was succesful (as you can see in the screenshot, even it was shown as blocked in the log), after i checked the loopback option, it worked like a charm. If it is going to help anything, i can send more information. Just tell me what is needed.

 

It seems many Antivirus software now do this with their webshields. Sorry to be to off topic, but in regards to the leaktest do you guys know if in Comodo firewall if enabling alerts for loopback requests is what I want to enable to protect againt this sort of thing when I use avira webshield too?

update:
I just tested it and it seems that with Comodo with the setting to enable alerts for loopback requests then I get a Defense plus alert first about leaktest.exe trying to access the DNS/RPC client service, and if I do allow once on that alert I get a second alert from the firewall saying leaktest is trying to connect to the internet. If I disable alerst for loopback requests then I never get asked from the firewall for leaktest trying to connect to internet so I think I answered my own question. I keep that option enabled anyway and I think it is default too.

 

Can you remove the entry of leaktest.exe from OA program tab, then retest it with no loopback interface checked by OA, and post your captures of the OA firewall log?
Then you repeat the test with loopback interface checked and post the corresponding log.
On my box, I do not see anything as you said about leaktest.exe - it failed even with check/non-check loopback interface when I chose BLOCk to 3 messages asking leaktest.exe asking for dns, key logging, and tcp access on port 80.

 

Hi guys to be certain this problem only exists with the webshield of Avira right? I dont have to enable loopback interface if I am usinf Avira free right or have the webshield on avira paid disabled right?

 

This problem exists with any hooking proxy. When you deal with normal proxy this is you who enable or disable proxy, but hooking proxy is something that acts behind your back in most cases. And yes, this is intended to filter you traffic, but from the other side you lose control of where your programs are going to connect to.