AntiLeak racing insanity?

Discussion in 'other firewalls' started by pandlouk, Jun 18, 2008.

Thread Status:
Not open for further replies.
  1. Fajo (Registered Member)

    Lol, guess we could go rounds about this all night...

    HIPS can also be bypassed under the right conditions. Well, the solution for this would be simple: unplug from the web... ULTIMATE HIPS!
  2. SystemJunkie (Resident Conspiracy Theorist)

    haha :D :D :D true, true, but the internet slipstream creates a juggernaut with huge gravity. :D :D :D
  3. Einsturzende (Registered Member)

    Hmm... after some thinking o_O I figured out that, in spite of what some of you guys think, keylogging tests should be in the leak test arsenal. Simple: if there is no anti-keylogging prompt, somebody will grant the application permission to phone home because there is no suspicious activity, so in that scenario private data is compromised with huge leakage...

    Also, I still expect some rootkit tests to be added to the leaktest suite from Matousec... at ring 0 everything is possible :argh:
    Last edited: Sep 8, 2008
  4. noone_particular (Registered Member)

    I don't have a problem with the leaktests themselves. They can be very useful for tightening firewall rules. I do have a problem with Matousec misusing them. Treating them as comparison tools in order to promote certain brands or for pushing the "latest and greatest" is a disservice to the users. He's promoting features at the expense of knowledge and good configuration. Too many times claims like "you need HIPS to pass that leaktest" are not true. Most users would do much better if they learned to properly configure what they have instead of getting caught up in this leaktest nonsense and being coerced into paying for features that do nothing that good configuration wouldn't accomplish.
    Example: PCAUDIT V2.
    This test can be defeated without HIPS or any other app that blocks DLL injection, provided that your firewall is able to properly control loopback connections and is configured well. This "leaktest" is an excellent way for users to learn about loopback connections and what it takes to control them. The same holds true for quite a few of those "leaktests" he uses to promote HIPS and firewalls with every possible bell and whistle.
    That isn't the problem. The term "firewall" has a very muddy definition, if it has one at all. What we call HIPS used to be called an application firewall. A standard traffic filtering app used to be called an internet firewall or packet filter. The term "firewall" now covers a wide range of security apps, many of which vary widely in what they're designed to do. Matousec is calling SSM a firewall? Kerio 2.1.5 is a firewall. They have nothing in common. Instead of wanting people to expand their definition of "firewall" to include almost any security app, qualify the term with something that actually describes the app's function(s), like application firewall, security suite, packet filter, etc. Not just "firewall". The average user has no way of realizing the range of apps that word is being used for.
  5. xtree (Registered Member)

    IMO you can reach the same level of security either by using a complex suite or several singles simultaneously.

    Anyway, all dangerous methods arising in reality are always answered sooner or later by security app developers (suite or single, HIPS or firewall). The only thing that makes the difference among them is response time.
    Last edited: Sep 9, 2008
  6. pandlouk (Registered Member)

    I agree on this one. And since Matousec is so worried and concerned about the security of the users, how come he has not included a test about IPv6 filtering? Is it or is it not a Firewall Challenge? If a Vista firewall does not have filtering for Internet Protocol version 6 then it will not even notice the traffic leaks! :cautious:

    IPv6 insecurity is a clear and present danger

    Performing well over the various leaktests is nice, but should not become the primary target of a firewall! The filtering of the network traffic should be the top priority! The leaktests are about 50% of the total Matousec tests, if not less....

    And for the record, why should the user be concerned about kill/crash tests? A good firewall will continue to filter the traffic even if its GUI crashes!

    Panagiotis
  7. SystemJunkie (Resident Conspiracy Theorist)

    Agree, this company is shady and I even assume that their idea of leak tests is not the root of their own thinking. I did all kinds of security tests long before them on my own.

    IPv6 is indeed a real danger but at present not as widespread, and you can disable this feature in Windows if you like.

    Network properties -> disable or uninstall all TCP/IPv6 protocols and disable all TCP/IPv6-related drivers and services.
  8. Stem (Firewall Expert)

    I have certainly mentioned that point before (and so have others) and can only think that it is just another biased test.

    As example:

    At one time I tested Jetico 2 (betas and new releases, and before that V1). They implemented (as some others) that if the UI was terminated then all rules were still active; it was just a case that any new rules could not be created. So, if malware was to terminate the firewall, then it would not be able to connect out unless there were already rules in place to allow it, and if so, no real need to terminate the firewall. Jetico 2 also had in place that if the main drivers were to be terminated then ALL traffic was then blocked (as if you pulled the plug), so again not much use in terminating the firewall if the intention was to make an Internet connection or any Internet comms.
    That approach I liked, as even if a new termination technique came to light, then you would still be protected if the firewall was terminated. Instead, we see specific termination techniques being specified with some need to keep the firewall active, IMHO a complete waste of time if the above was already implemented.


    - Stem
  9. Pedro (Registered Member)

    That's why people dislike/hate Matousec.
    The influence it has on FW development. And not in the good way.

    Not the testing, but how he's ranking, and displaying the results.
  10. alex_s (Registered Member)

    Yes, this particular test (and many others as well) can be defeated with custom FW rules, but this is what is called "to pass the test", while DLL injection detection works with the whole concept. A DLL, once injected, can connect you don't know where before it connects. And yes, after it has connected you can create a custom rule for THIS test only. But it may be too late, because your ICQ number and password are already stolen.
    Last edited: Sep 9, 2008
  11. alex_s (Registered Member)

    Just not to forget that a driver can be terminated/hacked also. I'd say locating and unhooking a network driver is an easier task than locating the service that operates it. Ideally the whole self-protection engine should be implemented in a driver (in a set of drivers), but kernel coding efforts are very expensive.
  12. Stem (Firewall Expert)

    I was being specific in the termination.

    We can look further at unhooking, memory modification etc., and can end up in a circular loop in which one broken chain can in effect collapse all protection, so where does that put us?

    I would still like to see a test that does not mean a user first needs to allow download, write to HD, allow to execute...... as that protection is down to the user's sensibility. In other words, don't download/install crap on your PC.

    - Stem
  13. noone_particular (Registered Member)

    True, it does defeat DLL injection at its source. That said, DLL injection is only one method of exploiting a legitimate process. There are also legitimate apps that use DLL injection, security apps for instance. It's a whole new game if such an app is what gets exploited. It has happened. We've also seen code that can blind HIPS, making their ability to control DLL injection ineffective. The existence of such code and other code that can terminate an AV or firewall directly is a good reason to use separate HIPS and internet firewalls instead of the combined suites Matousec keeps pushing. Single-purpose apps can defend each other when both are standalone. Most of the better HIPS can control attempts by a process to terminate another. Apps like SSM free can be set to restart a process if it is terminated.

    For these and other reasons, I choose to use both methods to defeat that type of test/exploit. If one layer is defeated, the other still protects you. With code that attacks security apps combined with user mistakes in what they allow to run, IMO, one layer against a known method of attack is not enough, not when one dumb click can make a layer meaningless.

    Tight firewall rules can do more to protect you than most people realize. The PCAudit V2 test attempts to use every running process on your system to connect out, some directly, some via loopback connections.
    [attachment: PC audit attempts.gif]
    A firewall that doesn't control local connections properly is inferior, no matter what features and extra components it has. One could argue that the average user isn't knowledgeable enough to write firewall rules that tight. If that's true, how can the same users be expected to deal with prompts from HIPS?
    Totally agree. That's the biggest problem with these "leaktests". How many users would launch these if the files were unknown? Out of the ones that would, how many of them would then choose to block a hook, low level access, etc on a process they just allowed? I've often wondered just how many PCs I would control if I used a custom rootkit trojan, called it a leaktest and posted a link to it on security forums?
  14. alex_s (Registered Member)

    1.)
    That will bring us to ideal protection implementation scheme :)

    For example, it is quite obvious to me that HIPS functionality is a "must-be" in any protection scheme. This is like airbags. You may repeat all the time "people, drive carefully, and everything will be OK". And if all the people drove carefully we'd have had an order of magnitude fewer accidents. But... the same with computers...

    2.)
    What does prevent you from doing those tests and publishing them ?
  15. alex_s (Registered Member)

    The mistake is in the definition. One application can provide multilayered security, and the chances to defeat several applications are the same as to defeat one multilayered one. For example, in case HIPS tries to protect the FW and is defeated, then the DLL is injected and the FW is useless. So you will end up with two different HIPS (why not three or four?).
  16. noone_particular (Registered Member)

    When the firewall and HIPS are one program, a flaw or vulnerability in one shared file or component can defeat both. This is far less likely with standalone apps when the only shared components are parts of the OS itself. I've seen a malicious page defeat one component in a security suite, causing the whole thing to crash. That was the last time I've used a suite or installed one on someone's PC.
    I don't see how this would even be possible other than multiple bad decisions by the user, or if a user is running 2 HIPS, a kernel level conflict could possibly cause such a problem. My firewall, Kerio 2.1.5, has no HIPS or similar components. One HIPS is all any system needs. On a system with one HIPS (SSM free in this example) and one internet firewall (not a security suite), for the scenario you describe to happen, the following failures would have to occur. They could be either flaws in the HIPS, poor configuration, or user mistakes.
    • The malicious process would have to be allowed to run.
    • The DLL injection would have to be allowed to proceed.
    • The malicious process would have to be given permission to terminate the firewall. Even the free version of SSM intercepts these requests.
    • The "keep process in memory" option which SSM uses to restart the app would have to fail.
    The only ways all of this would be possible would be total failure of the user, or the OS was rootkitted before SSM was installed. In either case, multiple HIPS wouldn't help.
  17. alex_s (Registered Member)

    Bad personal experience never makes a rule. There can be very different situations with different s/w sets, but generally, as long as EVERY PROGRAM has bugs by definition, a set is more vulnerable and incompatibility-risky. One incompatibility with a regular update may crash the whole system and make it unusable. The only way to overcome it is to get every program in a set ideal. This task is easier to achieve with a suite. I do not try to change your faith, but mine is just different.

    • The problem is you don't know whether this is malicious or not before you allow it. Any new program from any trusted source can be malicious.
      No, first of all SSM will be deactivated. Then the DLL will be injected silently.
      No need to terminate the firewall. A DLL injected into your svchost will do the job. And SSM is already deactivated, do not forget it.
    The only thing the user should do is to allow execution.
  18. Espresso (Registered Member)

    What loopback rule will defeat the PCAudit test and what is the mode of operation? I just tried it with Windows Advanced Firewall only and it failed. I had IE, Opera and Firefox open (all were closed by the test).
  19. noone_particular (Registered Member)

    The security apps are only as good as the security policy they're configured to enforce. On all my PCs except for a malware test unit, that security policy is default-deny. That piece of code will not get a chance to run. I perform full system backups before installing or updating anything. The entire install process is monitored and all security apps stay on, no "install mode" is used. New apps are tried out on a test unit, not my primary PC. IMO, once malicious code is allowed to run, there are no guarantees, no matter what you use. That default-deny policy enforced by SSM, Kerio, and Proxomitron has kept me clean for over 3 years without using an AV, AS, AT, etc. Total cost is $0. Their combined memory load is under 6MB and they use 16.5MB of disk space, which includes multiple rulesets and configuration files for each. IMO, their combined protection is superior to any security suite.

    Incompatibility and conflicts are not just problems for separate components. Norton for example has released updates that crashed their entire package, leaving their users with no defenses whatsoever. They're not the only ones that have had this problem. IMO, security suites are compromise packages. They try to do everything but excel at nothing. Their performance can be bettered with well chosen separate components, with less disk space, system resources, and monetary costs as additional benefits.

    Nothing in my security package requires updating. Kerio 2.1.5 is unsupported but will remain effective until IPv6 takes over. SSM free needs no updates. The closest I get to updating my security package is improving the Proxomitron filters.
  20. Fajo (Registered Member)

    That one sentence will protect you more than any filters, security, or behavior systems ever could.
  21. Escalader (Registered Member)


    Hi Diver:

    Really like your last 3 sentences as it supports what I have been working on over in privacy forum.

    Each user NEEDS a Personal Security Policy, written down and vetted by a trusted expert in security. Corporations have these. Then once I have that done I need a security system design for my policy to get implemented with/by (whatever words fit best).

    Then, and only then, can I select the software AND hardware pieces that best fit my design. Ideally each piece should be tested independently before being trialled on my PC/LAN. So in my case, I start at the DSL and work inward, so first comes the AlphaShield, then the H/W router must be configured right; these 2 pieces of H/W protect every PC on my LAN. Then the first layer on my own PC, which is a 2-way FW, hopefully properly configured. Since my SFW is imperfect, and I assume all pieces of my design are, I need a method that can help me selectively block exe's, dll's etc. that should never run! If that HIPS is based on a white list that suits me fine.

    Then if those pieces still have allowed a bad exe in (virus/trojan) I want my AV and my ASW software to find it and isolate it.

    Does the AntiLeak racing insanity help me with this ongoing design of my security system? Not that I can see. It is sponsored right?

    My thanks to the OP!:thumb:
  22. noone_particular (Registered Member)

    Didn't see your question.
    I don't own or have access to an OS with windows advanced firewall. Running Windows 2000 and 98 here. I have no way to test what its abilities or limitations are.

    PCAudit v2 creates a randomly named DLL, then injects it into all running processes using a global hook, a common keylogger method. It then checks each running process, looking for one that has the internet access that's needed, first with a direct connection, then with a loopback connection. A detailed explanation of loopback is available at http://en.wikipedia.org/wiki/Loopback.
    Last edited: Sep 11, 2008
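The two noone_particular posts above (the "every running process, some directly, some via loopback" description and the "direct connection first, then loopback" description of PCAudit v2) both come down to how an ordered, per-application ruleset treats loopback. The following is an added example, not code from this thread and not code from Kerio, PCAudit or any other product: a minimal first-match rule evaluator in the style of an ordered personal-firewall ruleset, run over the connection attempts an injected DLL would make from each host process. The process list, the destination address (198.51.100.10, a documentation range) and the local proxy port 8080 are constructed for the example; `evaluate` and `leaking_processes` are the example's own helpers.

```python
"""First-match application firewall rules versus a PCAudit-style leak.

Added example. Models an ordered ruleset where the first matching rule
wins and anything unmatched falls to a default action. The injected DLL
runs inside each host process, so the firewall sees the HOST process name,
not "pcaudit.exe"; each host tries a direct connection first and then a
loopback connection to a local filtering proxy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed for the example: a documentation address and an assumed
# local proxy port (8080 is Proxomitron's usual listener, assumed here).
REMOTE_HOST = "198.51.100.10"
PROXY_PORT = 8080
LOOPBACK = "127.0.0.0/8"


@dataclass(frozen=True)
class Attempt:
    process: str   # image name of the process the connection comes from
    dst: str       # destination IP address
    port: int      # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    process: Optional[str] = None   # None matches any process
    dst: Optional[str] = None       # CIDR; None matches any destination
    port: Optional[int] = None      # None matches any port

    def matches(self, a: Attempt) -> bool:
        if self.process is not None and self.process != a.process:
            return False
        if self.dst is not None and ip_address(a.dst) not in ip_network(self.dst):
            return False
        if self.port is not None and self.port != a.port:
            return False
        return True


def evaluate(rules: List[Rule], attempt: Attempt, default: str = "deny") -> str:
    """First matching rule decides; unmatched traffic gets the default."""
    for rule in rules:
        if rule.matches(attempt):
            return rule.action
    return default


# A loose ruleset: a blanket "trust loopback" rule placed first. Any process
# may reach the local proxy, and the proxy is allowed out on port 80.
LOOSE = [
    Rule("allow", dst=LOOPBACK),
    Rule("allow", process="proxomitron.exe", port=80),
    Rule("allow", process="firefox.exe", dst=LOOPBACK, port=PROXY_PORT),
]

# A tight ruleset: only the browser may talk to the proxy on loopback, only
# the proxy may go out, and every other loopback connection is denied.
TIGHT = [
    Rule("allow", process="firefox.exe", dst=LOOPBACK, port=PROXY_PORT),
    Rule("allow", process="proxomitron.exe", port=80),
    Rule("deny", dst=LOOPBACK),
]

# Constructed running-process list; the injected DLL lives in each of them.
PROCS = ["explorer.exe", "svchost.exe", "firefox.exe", "proxomitron.exe", "pcaudit.exe"]


def pcaudit_attempts(processes: List[str]) -> List[Attempt]:
    """Per host process: a direct attempt, then a loopback attempt to the proxy."""
    attempts = []
    for p in processes:
        attempts.append(Attempt(p, REMOTE_HOST, 80))
        attempts.append(Attempt(p, "127.0.0.1", PROXY_PORT))
    return attempts


def leaking_processes(rules: List[Rule], processes: List[str]) -> List[str]:
    """Host processes from which at least one attempt is allowed through."""
    return sorted({a.process for a in pcaudit_attempts(processes)
                   if evaluate(rules, a) == "allow"})


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("tight", TIGHT)):
        print(f"{name:5s} ruleset: leak via {leaking_processes(rules, PROCS)}")
```

Under the loose ruleset every host process gets through, because the injected code only needs a loopback path to a proxy that is itself allowed out. Under the tight ruleset only the processes that already had a legitimate path remain, which is the limit of what rules alone can do: a DLL sitting inside the browser is still the browser as far as the packet filter is concerned, which is the gap alex_s is pointing at and the reason noone_particular runs a HIPS as the second layer.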