LnS didn't detect updated program

I just updated WinMX. After almost two years without news development has finally started again.
The strange thing is that LnS didn't warn about the new version (updated .exe). That usually works without a problem, why not now? The .exe doesn't even have the same size as the previous version, but LnS doesn't sound the alarm bell.

 

This is a known issue! It also happens on my system when updating Opera to a new version.

Thomas

 

Hi,

I don't know this issue ??

I think that the application filtering was disabled, try this patch to fix it :
http://looknstop.soft4ever.com/Tools/LnSRegPatch.exe

regards,

gkweb.

 

Hi gkweb,

Did you see this thread:
https://www.wilderssecurity.com/showthread.php?t=7579

While reading again this old thread I realized that it is not exactely the same issue... My apologies

Well, I will post some more information tomorrow, but the European Soccer cup will continue in 2 hours with Germany vs. The Netherlands!! This is a "Must see"

Regards,
Thomas

 

No, application filtering was and is enabled. It normally works fine (I suppose). However, after updating to the latest WinMX beta version, LnS failed to detect it yet again (two different, new WinMX versions in a row).

 

Hi,

if you "suppose", may be it would be a help to be sure.
For instance, if you remove IE from your list and that you launch it again, does Look'n'Stop asks you ?

If yes, then I don't know what does it mean, may be you can try to write to Look'n'Stop at this address : lnssupport@soft4ever.com

regards,

gkweb.

 

Martin Aston,
Did the update replace the previous *.exe file, or do you have now 2 parallel installations of WinMX on your system? I am asking, because I installed a parallel version of Opera on my computer and then I could run both Opera.exe files with the same one application rule in LnS 2.04

Thomas

 

The exe file has been replaced.

 

Hi,

if you want help from Look'n'Stop directly, write to the email address I have given above.

sorry to not be able to help you.

regards,

gkweb.

 

Bad news:

Using Win2k-SP4 and Lns2.05 I updated Opera (from Opera 7.51 to 7.52).

I checked the file Opera.exe has a new date/time indicating it was replaced during the update!

However, LnS application filtering did not alert me of the modified Opera.exe when starting the new version!

Before we discuss how much time Frederic should spend to implement full P2P support, the priority should be given to optimize the basal features of this firewall!

Thomas

 

Hi Thomas,

a file date means nearly nothing

but a MD5 fingerprint means a lot more, can you do a MD5 of the executable before the update, and another one after the update, and compare them ?
(you can use Cryptosuite for that or DigestIT 2004).

regards,

gkweb.

 

gkweb,
This is good news, so maybe the MD-5 fingerprint might be still the same. I will try to post the result as soon as I can. Unfortunately I am very busy until next Wednesday.

Is there maybe someone else out there using Opera, how can send the old Opera.exe to me (of course I do not have a backup of the old version...)

Thomas

 

I just checked the MD5 fingerprint for the old and new WinMX version. They are not the same.
f8eb7d9123ece160815edf919ba2c5cc
e46e2e6c48b4443e7be26ca5bc3a8111

and LnS never does anything. Not when replacing the old with the new or vice versa.

 

I've had the same issue when updating some programs. Most recently when updating FastSubmit and SpywareBlaster. Neither were recognized as existing but new programs.

Bill

 

Hi,

I think that they would like to be informed directly.
Can you send them couple of executables of both version (before/after update)
for analyse ?

Zip them, but if it's too big, upload them on your webspace and send them the link by email.

email : lnssupport@soft4ever.com

regards,

gkweb.

 

I have been experiencing the same problem. Today I updated my Opera from 7.52 to 7.53. No reaction from LnS! :-(

 

The reason for LnS not always detecting updated programs is because LnS only uses a 32-bit signature of the file (probably a simple checksum). This is way too small to avoid collisions (ie. different apps producing the same signature).

A much better option would be to use either Message Digest 5 (MD5 - a 128-bit signature, although this has been proven to have collisions sometimes) or the best option would be to use the Secure Hashing Algorithm (SHA-2 - this has 256-bit, 384-bit and 512-bit versions of the algorithm). The 256-bit SHA-2 algorithm should be sufficient.

Check out www.codeproject.com/tools/keepass.asp for a bit more info and also source code.

This would solve the problem of LnS not always detecting updated programs, and it would be very easy to implement.

 

Is that all that's wrong? Sounds like it's time for an update to LnS then.

 

I think above all it's time to _wait_ an official answer about the real problem, I don't even know how anyone can know what algorithm LNS uses, personally I don't know.

 

Admittedly I don't know exactly what algorithm is used in LnS, but if you look in the registry then only 32-bit DWORD values (the signature) are stored for each app. I do know for a fact that this is not large enough to avoid collisions in the signatures. The solution is simple as stated in my previous post.

However, it would be nice to have an official response on the matter.

 

If LnS can not detect a changed application, it's a lousy fire wall. I'll return to the good ole' ZoneAlarm.

 

Use the firewall you want, no need to tell us.

@others
I have sent an email to Frederic, hope he will come soon with an explanation.

regards,

gkweb.

 

Frederic hesitates to implement strong checksum like MD5 because it may have an impact on the System & Internet Performance.

 

With the speed of todays CPU's it really shouldn't be a problem. While the old hashing method may be faster, what's the point in having a feature that does not detect ALL file modifications ?! It nullifies the whole point of having it in the first place. I would rather have a slower (not by much), more secure method that detected all changes.

I have another suggestion to make: Do not just store the signatures in the registry without some way of verifying them. The reason, a malicious app could search for the relevant registry key and add another entry for itself along with signature. Or, it could change one of the current entries and substitute it's own signature. Both these methods would possibly allow the app access to the internet with no questions asked, if there are not already checks in place.

There may already be checks like this in LnS but I haven't checked, hence the suggestion. I only want LnS to become even more secure than it already is.

 

Hello,

to have an option to have the choice between MD5 and SHA-1 would be nice
I don't think SHA-256 or SHA-512 would be relevant, it's "too much" I think.
For now all the cheksums are handled by Process Guard that I use (MD5).

regards,

gkweb.