New tests from Matousec

Discussion in 'other firewalls' started by Dwarden, May 7, 2008.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    There are several things to look at, and in the end I'm with wat0114.

    You can take the problem apart by:
    -which users can actually interpret and use these behavior alerts;
    -how well the tool reports it, is it understandable;
    -how well the tool can detect the various dangerous actions - Matousec's tests;
    -if the user is on a LUA, the kernel is likely intact;

    on a different note:
    -tell me a story on why/how I would execute malware;
    and so on.

    The tests are interesting for whoever finds them interesting.
    Interpreting the results as if they prove xyz firewall is poor is the wrong way of looking at it. If the program doesn't aim to detect malware behavior, then the tests will only show that.

    Of course, one can say that it's exactly that kind of conclusion the website suggests.
    I don't think I can argue with that. It would be best to place a note everywhere on the website, or point out which products aren't built for all that. They have a more specific use.

    On a side note, it seems no one noted the network performance impact tests.
    I believe it was the main reason for the OP's post, but i could be wrong..
     
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    My firewall will not allow it to access the kernel. It will do it to be able to fulfil its main task -- to control network traffic. Circle is closed. Concept is still correct.
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    A lot of reasons. Children, an email received by your Mom, a flash drive with students' tasks you need to check. This is what came to my mind immediately.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Well, are you saying the child will answer the prompts?
    If you're thinking about password protection, why do you need anything other than execution control?

    Take SSM free (or Kerio's HIPS, whatever). I use it just to have visible control on processes. I know, or I think I know, nothing will execute if I didn't say so.
    I disconnect the UI. Why does SSM need to monitor all those things, if it's about controlling children, e-mail attachments, etc.?

    I admit there's plenty I don't know, but so far no one has illustrated why simple execution control won't cut it, like other members say.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    So, do you think there is no need for additional security layers, or do you want to say that the IPS part must be separated from the firewall? In the latter case all logic says that separate applications will take more resources than a single one with shared data and code for the different tasks.
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    One of the main tasks of the HIPS part is to prevent kernel compromise. BTW, you miss an important point in the tests. The main part of many tests is to prove that an unknown program (presumably malware) can compromise some system process (by DLL injection or memory tampering, for example), and once this has happened the way to the kernel is open. For example, it is easy to catch an unknown program's attempt to launch a kernel driver, but this is much harder when the same action is executed by svchost or winlogon or system. Or, to be fair, it can be caught in any case, but alerting on every action of every program makes a system completely unusable. So I'd add another parameter to the score - the number and meaningfulness of the alerts. Though this part is very difficult to formalize.

    Another thing the tests lack is rootkit techniques (kernel intrusion). I think this will be added at some time. But even with all these gaps the tests are not completely meaningless, they are just not comprehensive. In any case there are no comprehensive tests available currently. But extra information never harmed a thoughtful person in getting a more accurate picture than one based on pure speculation and very limited personal experience.
     
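    The scenario alex_s describes in post 6 (an unknown program injects into a trusted system process, which then loads a kernel driver) and the execution-control alternative Pedro argues for in post 4 can both be replayed through a small model. The Python below is an added example for this thread, not code from any product named in it; the policy names, the allow-list of trusted images, and the two event traces are all constructed for illustration. It compares four hypothetical policies on the same attack trace and on a benign trace, counting how many prompts the user would have to answer in each case, which is the extra scoring parameter alex_s proposes.

    ```python
    """Toy model: how four host-protection policies fare when malware launders a
    driver load through a trusted system process.  Constructed example."""
    from dataclasses import dataclass
    from typing import Dict, Optional

    # Hypothetical allow-list of image names a HIPS would treat as trusted.
    TRUSTED_IMAGES = {"explorer.exe", "svchost.exe", "winlogon.exe", "services.exe"}


    @dataclass
    class Process:
        pid: int
        image: str
        trusted: bool          # trusted by image name
        tainted: bool = False  # ground truth: an untrusted process has written into it


    class Host:
        """Replays events through one policy and records decisions and prompts."""

        def __init__(self, policy: str):
            self.policy = policy
            self.procs: Dict[int, Process] = {}
            self.alerts = 0               # prompts the user would have to answer
            self.kernel_compromised = False
            self._next_pid = 100

        def _alert(self, allow: bool) -> bool:
            self.alerts += 1
            return allow

        def start(self, image: str) -> Optional[int]:
            trusted = image in TRUSTED_IMAGES
            if self.policy == "exec_control" and not trusted:
                self._alert(False)        # default-deny: an unknown image never runs
                return None
            if self.policy == "paranoid":
                self._alert(True)         # prompt on everything, allow if answered
            pid, self._next_pid = self._next_pid, self._next_pid + 1
            self.procs[pid] = Process(pid, image, trusted)
            return pid

        def inject(self, src: int, dst: int) -> bool:
            s, d = self.procs[src], self.procs[dst]
            if self.policy == "paranoid":
                allowed = self._alert(False)
            elif self.policy == "hips_taint" and not s.trusted:
                allowed = self._alert(False)   # untrusted writer into another process: block
            else:
                allowed = True                 # exec_control / hips_by_name ignore memory access
            if allowed:
                d.tainted = True               # the target now runs attacker code
            return allowed

        def load_driver(self, actor: int, driver: str) -> bool:
            p = self.procs[actor]
            if self.policy == "paranoid":
                return self._alert(False)
            if self.policy == "hips_by_name":
                allowed = p.trusted                   # judged only by image name
            elif self.policy == "hips_taint":
                allowed = p.trusted and not p.tainted  # an injected svchost is no longer trusted
            else:
                allowed = True                        # exec_control: no behaviour monitoring
            if not allowed:
                return self._alert(False)
            if not p.trusted or p.tainted:
                self.kernel_compromised = True        # attacker-controlled code reached ring 0
            return True


    def run_attack(policy: str) -> Host:
        """Constructed trace: evil.exe tries a direct driver load, then launders it via svchost."""
        h = Host(policy)
        svchost = h.start("svchost.exe")
        evil = h.start("evil.exe")
        if evil is not None and not h.load_driver(evil, "rootkit.sys"):
            if h.inject(evil, svchost):
                h.load_driver(svchost, "rootkit.sys")
        return h


    def run_benign(policy: str) -> Host:
        """Constructed trace of ordinary activity, to count the prompts a user would see."""
        h = Host(policy)
        svchost = h.start("svchost.exe")
        h.start("explorer.exe")
        h.start("notepad.exe")                 # not on the allow-list, but harmless
        h.load_driver(svchost, "legit.sys")    # a clean system process loading a driver
        return h


    def summary(policy: str) -> dict:
        attack, benign = run_attack(policy), run_benign(policy)
        return {"compromised": attack.kernel_compromised,
                "attack_alerts": attack.alerts,
                "benign_alerts": benign.alerts}


    if __name__ == "__main__":
        for pol in ("exec_control", "hips_by_name", "hips_taint", "paranoid"):
            print(pol, summary(pol))
    ```

    Read the four rows together: execution control stops the attack with a single prompt but also prompts on every new benign program; a HIPS that judges actions by image name alone catches the direct driver load yet lets the laundered one through, which is exactly the bypass the leaktests are built to show; a HIPS that treats injection from an untrusted process as the dangerous action blocks the attack at the cost of one extra prompt; and prompting on everything blocks it too but at a prompt count no user will tolerate.
    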
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    And all your theories go to water when you put happy-click-joe in front of the computer and then he has to answer the prompts. OLE, DLLs, whatnots, happy happy click.

    HIPS / Leaktests may be interesting to 0.019% of population, even less. And they are about as practical. You might as well use Linux and be done with it, if you want real control.

    Mrk
     
  8. wat0114

    wat0114 Guest

    The need for more security layers depends on the individual(s) using the machine. A knowledgeable, careful and responsible person really does not need too much in terms of security. I can say this simply based on my own experience. As for a separate application handling the IPS part of things, this would depend on the user's needs as well as the personal firewall being used. I have found the last 4.0 version of Outpost and the recent 2.0.x versions of Jetico 2 to be very good on their own, without the need to add a separate IPS layer. However, I have found the very recent version of Jetico 2 and the newer versions of Outpost to be too buggy to my liking, probably because they are trying to address too many leak POC exploits.
     
  9. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    so in the end the safest thing is to use your self-coded kernel :)
    and just hope no one develops kernel-less malware able to infest any hw :)
     
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Just instruct him to press "block" in case he doesn't understand the word :)
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think they have no choice. I can hardly imagine a security vendor advocating a security hole (which leaktest POCs demonstrate). The vendor would have to admit that either he is unable to treat the hole in a secure way or he is unable to develop security software in a professional way.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Exactly!!!!
    You don't need HIPS for that. That's exactly my point!
    What doesn't get executed can't hurt you.
    Mrk
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm not ready to restrict myself from running everything unknown just to avoid getting compromised! I rely on my HIPS and my experience and feel safe to surf and download and start a lot of things. This is my way. I understand that other people may think another way. I do not argue _their_ way.
     
  14. wat0114

    wat0114 Guest

    Vendors will probably never admit that, the latter part especially :)

    Is there anyone who can honestly say there is a product out there that attempts to adhere to Matousec's requirements that isn't buggy in some way? There are some products out there such as Outpost, Comodo, Jetico and Online Armor that do a noble job of mirroring Matousec's requirements, but there seems to be no shortage of never-ending posts on these products from people who are encountering "bug-like" issues with them.

    They're probably doing their best to develop a perfect, leakproof and stable product, but it's a very complex endeavor. There seems to always be some leaktest flavor of the month that gets past these products, then the patching continues once again. It's endless.
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Yes, life is life. Everything moves and changes all the time. New code -- new bugs, etc. etc. :)

    I would just add that they not only try to please Matousec. In the past I have sent every rootkit, keylogger, unhooker and piece of malware I could get to bypass OA to Mike, and all of them were addressed. Comodo issued new leaktests and they also were addressed. Apt kill7 was addressed. NiCM tests were addressed. Matousec just seems to be the most consistent and popular tester, this is why he "seems" to be the most addressed (and bashed :) )
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I agree with this 100%. I have tried most of the top firewalls and have been really disappointed with performance and stability. I think too much time has been spent trying to pass Matousec's tests and packing in as much functionality as possible and not enough on producing rock-solid, high-performance, user-friendly software. I really wish that firewall vendors would concentrate on these issues rather than passing all the latest tests. Perhaps it would help if Alex would stop sending OA all his rootkits, keyloggers and malware. I would add a smile at this point but I think my firewall is playing up today!!
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    There is a lot of the old stable firewalls out there. Just take one of them.
    No and never.

    I'm ready to sacrifice some stability to the power. This is why I don't use old stable firewalls and this is why I use windows (and used to do it even when it was VERY VERY unstable and buggy) :)
     
  18. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Alex,

    The comment about not sending malware etc. to OA was definitely tongue-in-cheek and I thought it might be recognised as such. Carry on the good work.

    Are you saying that if I want a stable firewall, I need to choose an old one? I am sure the modern firewall vendors aspire to producing high-stability, high-performance firewalls. They just haven't quite got there yet, and the need for passing the latest leak test is a distraction.
     
    Last edited: May 16, 2008
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Shame on me ! I have no justification :)
     