Discussion in 'other software & services' started by MickeyTheMan, Feb 10, 2003.

Thread Status:
Not open for further replies.
  1. MickeyTheMan

    MickeyTheMan Security Expert

    Feb 9, 2002
  2. FanJ

    FanJ Guest

    Thanks Mickey :)

    I'm glad that Jose now has his support forum again; he deserves it!

    Cheers, Jan.

    PS: I fixed the link to the support-forum ;)
  3. controler

    controler Guest

    Thank You Mickey

    I tried the firewall check with Sygate and only passed number 3;
    all the rest failed :(
  4. MickeyTheMan

    MickeyTheMan Security Expert

    Feb 9, 2002
    Controler, I don't use your firewall, but any good firewall should have no problem passing at least the first 3.
    Try this: set your default browser to be another one than the one you are actually using and block its access to the net.

    Technique 1: Attempts to load a copy of the default browser and patch it in memory before it executes. Defeats the weakest PFs.

    Technique 2: Creates a thread on a loaded copy of the default browser. Old trick, but most firewalls still fail.

    Technique 3: Creates a thread on Windows Explorer. Another old trick, but almost every firewall still fails.

    Technique 4: Attempts to load a copy of the default browser from within Windows Explorer and patch it in memory before execution. Defeats PFs which require authorization for an application to load another one (succeeding on Technique 1) - Windows Explorer is normally authorized. This test usually succeeds, unless the default browser is blocked from accessing the Internet.

    Technique 5: Performs a heuristic search for proxies and other software authorized to access the Internet on port 80, loads a copy and patches it in memory before execution from within a thread on Windows Explorer. Very difficult test for PFWs!

    Technique 6: Performs a heuristic search for proxies and other software authorized to access the Internet on port 80, requests the user to select one of them, then creates a thread on the selected process. Another difficult nut to crack for PFWs!
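The six techniques above boil down to two patterns: spawn a trusted image and patch it before it runs (1, 4, 5), or plant a thread in a trusted process that is already running (2, 3, 6). A firewall that keys its authorization on the image name alone only ever sees the trusted process opening the connection. What follows is an added example, not part of this thread and not code from AWFT or any firewall vendor: detection logic that replays Sysmon-style process-create, process-access, remote-thread and network events and labels each step with the technique number used above. The event layout, the image names (opera.exe, proxy.exe, awft.exe), the pids and the sample telemetry are all constructed for the example; the only real constant is PROCESS_VM_WRITE (0x20), the Win32 access-right bit a process needs to write another process's memory.

```python
from collections import namedtuple

# Image names are assumptions for this example: the thread only says
# "the default browser", "Windows Explorer" and "proxies ... authorized on port 80".
DEFAULT_BROWSER = "opera.exe"
EXPLORER = "explorer.exe"
WEB_PORTS = {80, 443}
PROCESS_VM_WRITE = 0x20        # Win32 access-right bit: WriteProcessMemory into the target

Alert = namedtuple("Alert", "technique src_pid tgt_pid detail")


def detect(events, browser=DEFAULT_BROWSER):
    """Replay Sysmon-style events in order and label each AWFT-style step.

    Event dicts carry an 'id' with Sysmon's meaning: 1 = process create
    (pid, image, ppid), 3 = network connect (pid, dport), 8 = remote thread
    (src_pid, tgt_pid), 10 = process access (src_pid, tgt_pid, access mask).
    """
    image, parent = {}, {}      # pid -> image name, pid -> parent pid
    injected = set()            # pids that have received a remote thread
    web_images = set()          # image names already seen talking on a web port
    alerts = []
    for e in events:
        if e["id"] == 1:
            image[e["pid"]], parent[e["pid"]] = e["image"], e["ppid"]
        elif e["id"] == 3 and e["dport"] in WEB_PORTS:
            web_images.add(image.get(e["pid"], "?"))
            if e["pid"] in injected:        # the leak itself: traffic after a thread was planted
                alerts.append(Alert("NET-AFTER-INJECT", None, e["pid"],
                                    f"{image.get(e['pid'])} reached port {e['dport']}"))
        elif e["id"] == 8:
            injected.add(e["tgt_pid"])
            tgt = image.get(e["tgt_pid"], "?")
            if tgt == browser:
                code = "T2"                 # thread on a loaded copy of the default browser
            elif tgt == EXPLORER:
                code = "T3"                 # thread on Windows Explorer
            elif tgt in web_images:
                code = "T6"                 # thread on a process already authorised for port 80
            else:
                code = "INJECT"             # remote thread into something else; still worth a look
            alerts.append(Alert(code, e["src_pid"], e["tgt_pid"],
                                f"{image.get(e['src_pid'])} -> {tgt}"))
        elif e["id"] == 10 and e["access"] & PROCESS_VM_WRITE:
            src, tgt = e["src_pid"], e["tgt_pid"]
            if parent.get(tgt) != src:
                continue                    # only the "spawn a copy, then patch it" pattern here
            if image.get(tgt) == browser:
                code = "T4" if src in injected else "T1"   # T4: the patching parent is a hijacked Explorer
            elif image.get(tgt) in web_images:
                code = "T5" if src in injected else "T1"   # T5: the same trick against a port-80 app
            else:
                continue
            alerts.append(Alert(code, src, tgt,
                                f"{image.get(src)} patched its child {image.get(tgt)}"))
    return alerts


# Constructed sample telemetry (not captured from AWFT): pid 300 plays the tester.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "image": "explorer.exe", "ppid": 4},
    {"id": 1, "pid": 200, "image": "opera.exe", "ppid": 100},        # user's own browser window
    {"id": 3, "pid": 200, "dport": 80},
    {"id": 1, "pid": 400, "image": "proxy.exe", "ppid": 100},        # a local proxy allowed on port 80
    {"id": 3, "pid": 400, "dport": 80},
    {"id": 1, "pid": 300, "image": "awft.exe", "ppid": 100},
    {"id": 10, "src_pid": 300, "tgt_pid": 200, "access": 0x1000},    # query-only handle: benign, no alert
    {"id": 1, "pid": 301, "image": "opera.exe", "ppid": 300},        # technique 1: spawn a copy ...
    {"id": 10, "src_pid": 300, "tgt_pid": 301, "access": 0x1FFFFF},  # ... and patch it before it runs
    {"id": 8, "src_pid": 300, "tgt_pid": 200},                       # technique 2
    {"id": 8, "src_pid": 300, "tgt_pid": 100},                       # technique 3
    {"id": 1, "pid": 302, "image": "opera.exe", "ppid": 100},        # technique 4: hijacked Explorer ...
    {"id": 10, "src_pid": 100, "tgt_pid": 302, "access": 0x1FFFFF},  # ... spawns and patches the browser
    {"id": 1, "pid": 401, "image": "proxy.exe", "ppid": 100},        # technique 5: same, via the proxy
    {"id": 10, "src_pid": 100, "tgt_pid": 401, "access": 0x1FFFFF},
    {"id": 8, "src_pid": 300, "tgt_pid": 400},                       # technique 6: thread on running proxy
    {"id": 3, "pid": 400, "dport": 80},                              # the proxy now carries the leak
]


def technique_codes(events=SAMPLE_EVENTS):
    """Just the labels, in the order the steps were observed."""
    return [a.technique for a in detect(events)]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.technique, a.src_pid, a.tgt_pid, a.detail)
```

Run over the constructed sample it yields T1 through T6 in order followed by NET-AFTER-INJECT for the proxy. The "patched its own child" rule assumes the telemetry reports the creator's write-capable handle on the new process; where it does not, the remote-thread and network-after-injection rules still catch techniques 2, 3 and 6 and the final leak, which is the event a firewall actually has to stop.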
  5. JacK

    JacK Registered Member

    Jun 20, 2002
    Belgium - Liège
    Hi MtM,

    I think that to be significant, the test has to be run in normal conditions and not by "cheating" ;)

    BTW: OP says there is no way to pass #1; OP 2 alpha passes the tests 10/10 according to Mikhail Zakhryapin.

    I think it could be a flaw in the test: I re-ran it and now I get 10/10, FW or no FW at all, and no proxy :eek:

  6. MickeyTheMan

    MickeyTheMan Security Expert

    Feb 9, 2002
    Jack, normal conditions for me means NOT allowing the set default browser to access the internet. It's been that way since well before the advent of AWFT.
    MYIE is my browser and OPERA has been set as default.
    So if anything needs to access Opera, I get alerted immediately + access is denied.
  7. JacK

    JacK Registered Member

    Jun 20, 2002
    Belgium - Liège
    Hi Mickey ;)

    You are rather Machiavellian lol

    One of the tests needs IE open (#2 I think).

    Take into consideration too that when a real trojan uses a trick (masquerading, DLL injection, etc.) most of the time it would target IE and not your default browser (Opera or other), and MyIE, which I use too when not using Opera 7.01, is just a layer on IE.

  8. MickeyTheMan

    MickeyTheMan Security Expert

    Feb 9, 2002
    Test needs the default browser open, which it never is.
  9. JacK

    JacK Registered Member

    Jun 20, 2002
    Belgium - Liège
    Hi Mickey,

    If you want to run "these" tests, you have to respect what the tests are designed for ("Test needs default browser open"); otherwise no test is run. You may get a 10/10 but it has no meaning at all: the test is distorted and that says absolutely nothing about your FW's capabilities.

    BTW: IMHO this test might or might not indicate some weaknesses in FWs but has nothing to do with real conditions, like all other leaktests.

  10. MickeyTheMan

    MickeyTheMan Security Expert

    Feb 9, 2002
    In other words, I should change my usual security settings just to please a test?... I don't think so.
    Would my firewall pass? I don't know and I don't care either.
    A test is only valid for me as long as it can bypass my usual normal security settings. If it can, it wins; if not, I do. As simple as that.
    If I altered my settings, then yes it would be cheating and defeating the purpose of testing in the first place.
    But when I get a message from AWFT that it needs the default browser opened for its test, I just wink and say no thank you, and know that in a real-life situation the same would apply.
  11. JacK

    JacK Registered Member

    Jun 20, 2002
    Belgium - Liège
    Hi MTH ;)

    Right: that's exactly why I added the remark "BTW" :cool:

    The same applies to some other leaktests: first you must install
    some *.dll only seldom used with some sniffers; it would be stupid to just install them to see if there is a leak when installed, as there is no leak when you don't have those *.dll.

    I ran the test just out of curiosity. It's rather an issue for FW developers.
    I just got an answer from Sergey Podolsky (SSM): it will be fixed in SSM2.

    I just meant that if you want to see your FW's capabilities against these tests, you need to play a fair game; if you don't accept the test rules and apply your own, it's useless to run it: it gives no hints about your FW's abilities ;)

    After running the test I rolled back to my usual settings, and the test cannot be of any use (always 10/10); no harm done, no dangerous *.dll or drivers installed, but I know a bit more about OP Pro.

    No time to run the tests on other FWs, but I would be pleased to know their scores when complying with the tests' rules.

    Best regards,