FireHole Leak Test passed my fw

I tried it ( by: http://www.testmypcsecurity.com/securitytests/all_tests.html#AllTests ) with CIS. Defense+ detects it and alerts, but if I allow it and then I run, FireHole success to launch my browser and " to send " his message. My fw policy is " custom policy mode ", highly restricted, but FireHole use port 80.

Would someone try the test on his fw and then post the result ?

 

Firehole is a rather old leakdemo. Anyway, FireHole fails to connect out with ZA Extreme 9.1.507.000 (had to turn off the ZA cloud database of whitelisted/blacklisted applications before testing it).

 

I dont really mind those tests - i dont serve any confidental data on a server
nor do i use unsecure software on my host system.
Port 80 is used - so what?

>> FireHole success to launch my browser and " to send " his message.
This is the really important part. so my default browser is blocked completely.
and my trusted software can launch my favorite browser.
but clever malware can determine which browser is running (the main stream
browser are not many) and inject any crap. so you need to observe
the com-API and allow/deny rules - is D+ capable of that?
(Malware Defender can do)

 

First of all PEG blocks it



Allow and then ProcessGuard blocks it



if i don't allow, it doesn't launch, so i do. Then Zemana blocks it, same again. And also ZA alets me to allow/deny. Deny and even though IE6 is launched, it doesn't get out.



If i allow ProcessGuard blocks it another way



Even after putting ProcessGuard in learning mode and allowing Hooks etc, it still fails



This time by Prevx


View attachment 218063

If i exclude the test from Prevx and allow through ZA it still fails with the same FAILED message. Actually i'm not sure what finally blocks it, but it has to get through a lot of hoops on my comp

Try setting your FW to Always PROMPT as i do

-

Edit - Don't know why my 218063 Att hasn't shown ? from here https://www.wilderssecurity.com/attachment.php?attachmentid=218063&d=1274210174

 

@LowWaterMark

Ok thanks It's auto showing now, well logged in that is. Maybe you fixed this one ? If so

Please see here though https://www.wilderssecurity.com/showthread.php?t=272920

-

Return to topic

What news blacknight ?

 

To run Firehole (a.k.a "Hemorrhoids") I shut down all my security apps except OnlineArmor.

OA alerted when FH installed & again when it executed & again when it started Firefox. OA further alerted me when FH set global hooks & again when it added itself to start & again when FH did other nefarious things. I allowed ALL of those actions, even though OA's alerts made it abundantly clear that FH was doing some really nasty things.

In other words, I failed the test (on purpose) but OA fully accomplished its protective job & then some.

 

For those who were not computer users back when a firewall was just a firewall, this article by the author of FireHole will be of interest:

FireHole
http://keir.net/firehole.html

Of special note is this comment,

Assuming the code can execute, in order to stop it from doing anything, a firewall had to encompass other security measures, culminating in the "firewalls" and their suites that we have today, which easily catch these old exploits.

But in an interview, Keir noted the "race" condition always present:

Again, firewalls had to morph into something more than just a firewall, in order to stay in the "race."

(I notice that "race conditions" have returned in the latest Matoussec revelation. And so it goes...)

However, those of us who learned early on the importance of Default-Deny as a layer in one's security strategy, leaktests were given no thought, and many continued using simple firewall packet filters, knowing that the malicious program referred to above could not find its way onto the computer.

So, rather than download/run the LeakTests, several of us took all of the leakest executables and put them into various web-based exploits to demonstrate a real-world situation. Here is the Firehole executable in an old IE exploit:

​

Keir mentions Steve Gibson's Leak Test as the groundbreaking event that started all of this stuff. From this point forward, users fell into two broad camps:

1) Those who worked from the premise that all malicious code had the potential to execute on the system and bypass the firewall. This resulted in the never-ending cat and mouse game to "keep up with the latest leak test" and continues today.

2) Those who worked from the premise that malicious code could not install unawares, thereby negating playing the cat and mouse game.

Vendors, of course, have to play the game; otherwise, their product will fall into oblivion. They've become captives to the Leak Testers. Some Firewall "suites" have incorporated some type of execution protection.

There is nothing inherently good or bad in either of the above -- it's just the way things are.

Sadly, for those in the second group above, the result is that today, there are few (if any) choices for a simple, packet filter firewall in the old mode that will run on the newer Operating Systems.

Too bad.

----
rich

 

Sure there is. Right under your nose, already built into the O/S

 

In one sense you are correct. However, by "simple" I should elaborate, in that several who have compared configuring rules in Vista to the old Kerio, find Kerio simpler. See Stem's Vista Firewall tutorial:

https://www.wilderssecurity.com/showthread.php?t=239750

I haven't heard about Win 7.

But it's true that even if a bit more complicated than the simpler older firewalls, the OS firewall is a great alternative to the larger suites. Thanks for pointing that out.

----
rich

 

I was not worry, the HIPS ( Defense+ ) anyway blocked the test immediately, as I wrote. I only wanted know the behaviour, about this test, of other firewalls alone HIPS or not using the HIPS, as I tried.

 

The behavior without HIPS or the like, is as follows:

Allowing the executable to run, extracts the DLL as Keir describes in his article:

​

Permitting the test to continue shows my firewall bypassed successfully, since my Browser firewall rule grants the Browser unrestricted access to the internet via Port 80:

​

The only solution for a basic firewall is to set a rule for the browser to always prompt, again as Keir describes:

​

This is not very practical, as the user would have to make a judgment in every case of connecting to a web site!

The only practical solutions, then, are:

1) to block the executable from running in the first place (simulating a malware exploit as I show in my post above)

2) to have a HIPS-type program that prompts, as Cloneranger shows in his post.

The problem with HIPS is that the user has to make a decision (ALLOW - DENY). For experienced users, OK. But I would never be comfortable putting that setup in the average home system. How would Mr. and Mrs. Smith deal with those types of prompts?

Bellgamin writes,

but doesn't show a screenshot whether or not there is a ALLOW-DENY Prompt.

The most secure way, IMO, is Default-Deny: that executable (Firehole.exe) is not already installed (White Listed) therefore it has no permission to run. Period.

----
rich

 

Thanks for the complete answer Rmus. You confirm what I thought.

I add: using a program like GesWAll or Sandboxie the malicious action of the " malware " remains isolated form the system. GesWall for exemple would alert me if the result of FireHole action was a different action form use my - isolated - browser.

 

With the GUI of OA closed by via the taskbar icon OA becomes a default-deny AE. When you open the GUI up again OA will show a pop-up with any actions that were denied.
I ran first ran Firehole with OA in this configuration.
First was the pop-up in the first screen shot. I then opened the GUI for the second screenshot, Firehole had been blocked from running.

I then ran Firehole with the GUI open as Bellgamin did (next post)

 

Although it took me years to figure this out, I agree 100% with this statement The whitelist (Default Deny) approach is unbeatable imo.

 

Running Firehole with the Gui open so that I got all the pop-ups.

I started Firehole and answered 'Allow' to all the OA pop-ups until I got to the actual Firehole 'Start' pop-up which I started and allowed the subsequent OA pop-up. Eventually stopped when it could not connect out due to Sandboxie restrictions. Four screenshots in this post, the last two in the next post.

 

The last two screenshots.
Although you would have to be pretty dumb to allow all those red pop-ups a in real life scenario I also prefer the default - deny approach which is why I usually run with the OA GUI closed.

 

Thanks, Dark Star 72, for the screenshots. They always make explanations much clearer!

----
rich

 

nothing is running i my pc after executing the exe file. it just show the command prompt and terminate itself i do not know what is wrong in my pc. firewall is outpost firewall pro v7 RC and emsisoft antimalware realtime enabled.

 

You are welcome. You have good solutions in place!

----
rich

 

Defense+ in Paranoid Mode and setted to alert for every exe. file gives me one alert only for FireHole. If I allow FH as executable, as I said previous, no more alert by Defense.

 

See my previous post. Now I'm asking if OA has better ( more complete detection ) than Defense+ and if, eventually, happens only for FH or always.

 

Rich,


I like the simplicity of your explanation.

A firewall primary function is to filter out unwanted (packets) of data traffic. When you do not want to execute potentially deny (the right) to run it.

The above is not the lonely preference of a Wilders Veteran, like Rick, these ideas are the back bone of our ICT architecture (e.g. OSI model), communication infrastructure (e.g. TCP layers) and even how Operating Systems work (hardware -> kernel -> applications).

So option 2 really makes things easier because it matches the basic idea/architecture of all IT releated stuff surrounding us.

Regards Kees

 

Yes if all Wilder use this no more need to post may be! Took me about 2 year to figure it out since looking on Wilders. Pity no one listen.

 

Answer to your questions

1. Yes OA has

2. No, for more see Comodo part in https://www.wilderssecurity.com/showpost.php?p=1639116&postcount=20


Regards

 

Thanks for the linked post Kees. I read it in the past, but I use CIS 4 only as fw/HIPS: I disable immediately after the installation reboot the sandbox and I set Defense+ in a customer and highest level. The only thing that makes me regret it's to see that his alerts are less complete than OA; but, until now, I' d not problem of security.