Outpost vs. Leak Tests

Discussion in 'other firewalls' started by Patrice, May 16, 2003.

Thread Status:
Not open for further replies.
  1. _anvil

    _anvil Guest

    @Jack

    Doesn't pcAudit at least make your shell (explorer.exe) connect to their website? :eek:
    Or do you block pcAudit "so hard" that it isn't even able to start? (I noticed that this is possible, but it is probably not the way the leaktest should be performed... ;) )
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    I don't need SSM to block explorer.exe: it has no access to the W3 with a rule in my FW. Why should I give it access to the W3, anyway? It's no browser of mine.

    When I try to run PC Audit, I have a warning from SSM, I just say NO :cool:

    Anyway, if I allow it and let it run, I get the message "your PC is well protected" :) (running OPv2b)

    Regards,
     
  3. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    These exploits that such 'leaktests' take advantage of: does LnS actually block the general exploit or just the 'leaktest' itself?
    (I'm aware my question is a bit vague, but it's tricky to word)
     
  4. _anvil

    _anvil Guest

    @Jack

    I tested a little bit more, and now I also think that SSM blocks pcAudit completely. :)
    It was just a bit confusing...

    But what about Look'n'Stop? Can someone confirm that it does _not_ block pcAudit?


    @Tinribs

    Well, it would really be a shame if L'n'S _only_ stops the leaktests and not the 'methods' in general... so, I don't think so. :cool:
     
  5. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    That's what I hoped, Anvil, but I was wondering if maybe the same situation as when Steve Gibson reported how Blackice had started detecting his 'Leaktest' had reared its ugly head again (no offence, Look N Stop programmers) :)
     
  6. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    This has been a question in my own mind and I suppose it differs from firewall to firewall. That's why I said before, I think you need to use a sandbox approach to deal with the method and not the leaktest itself.
    Now, before someone jumps in here to argue the point, let me say, I only have a very vague idea of what sandboxing is and does. I have had some pretty sharp guys tell me this is the best way to go, so I am not speaking from my personal knowledge.
    I understand part of the approach to blocking some leak tests has to do with DLL injection. I don't think that is the only thing that is involved, though.

    Just to give you an idea of my approach to the whole thing, I was able to pass most leak tests with Outpost 1. First, I do not allow IE, OE, or explorer.exe access to the net. Second, I do not download test programs and execute them any more than I do trojans or worms. One test won't work because I don't have the needed files on my computer.
    So, right or wrong, it is just my opinion that when I see an exploit announced and it says if your hair is green, and the moon is full, and there are no kids playing in your back yard, and on and on, then you have a problem. Leak tests are no more dangerous than any other exploit that requires user action.
    My biggest concern has always been with two things. First is the bad guys that can fry your CMOS. Second is any exploit that does not require me to do something stupid. An example is the js.xxx exploits that you can get from just surfing to a website. I keep js disabled for that.
    Just my opinion and not meant to be put in anyone's bible. :D
     
  7. Ph33r_

    Ph33r_ Guest

    pcAudit is a unique Leak-test, far superior to AWFT when it comes right to the point “Bypassing Application Filtering Layers”. And it sort of gives meaning to the usage of SSM, for insurance purposes… Look ‘n’ Stop doesn’t exclude Leaktests themselves, unlike some other Software Firewalls I’ve seen do or did; it fixes the issue at a global scale for all that use the same particular method(s) of attempting to bypass the Application Filtering Layer.

    Doesn’t quite answer your questions though does it?
    Perhaps I already had previously though :p

    Riddle me what, Riddle me that...
     
  8. Ph33r_

    Ph33r_ Guest

    In simple terms, a Sandbox Feature covers all aspects (normally) of Microsoft Windows and gives you full control to ensure your safety on the Computer & the Internet. And I don’t debate one bit that people shouldn’t use Sandbox Featured Applications, and I would definitely recommend it until we are sure that ALL Leak possibilities are covered by a Software Firewall.

    However, Sandbox Featured Applications take quite a bit of Resources, and on different machines and with different Operating Systems the amount could be quite a bit worse than another’s readings. And people like me who are poor right down to the bone aren’t capable of affording to spend money upgrading the Computers 24/7, a never ending battle…

    And my opinion is I don’t see any more Leak-tests for Windows9x/ME & WinNT/2K/XP capable of accessing any more Client Environments to access the Internet Resources without being malicious.

    But hey, I'm open minded :)
     
  9. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Phant0m. I like SSM and it does not seem to use many resources on my Win2kSP3 machine. At least it's free, and I understand everyone can't keep spending more and more on security software. I am on disability with a not so large income and I have to watch where I spend my money.
    I don't remember if you said you have tried it before or not.

    One nice thing about SSM is that Max, the developer, is always anxious to help people that have problems with his product. I understand that some do have serious problems with it though and I know how difficult it is to get a program like that to work with everything from 95 to XP.

    I don't know if any more leaks are going to show up, but Mikhail did tell me one time that there were similar exploits possible that have not been published yet. He did not explain further. I suppose we will see soon enough what the next round of exploits will bring.

    When I was in the Navy, I was an Electronic Counter Measures technician, and we were constantly getting new equipment to counter the new equipment the other side had, and then they would get new equipment to counter our new equipment, and it still just goes on and on. The same thing is happening on the net with the bad guys coming up with new exploits and the good guys coming up with new protection, and it keeps repeating, over and over. It is interesting, but as you said, it also can get very costly.

    Fortunately we can still use our brains for the first line of defense and there are some good security programs available today. All is not lost. :D

    An open mind is a tremendous asset. I hope mine never locks up. ;)
     
  10. Ph33r_

    Ph33r_ Guest

  11. _anvil

    _anvil Guest

    We shouldn't be focused too much on leaktests. There are surely several (many?) more ways to bypass firewalls which haven't been 'introduced' by leaktests yet. :p

    There is already _at least_ one keylogging trojan which can bypass both Look'n'Stop and SSM (not to mention any other firewall...)

    So we should always keep in mind that firewalls (even sandboxes) can hardly be absolutely secure. You should definitely not _rely_ on tools like this! :rolleyes:
     
  12. Ph33r_

    Ph33r_ Guest

    I’m sure you’re referring to it being malicious, like Terminating Firewall processes and deleting its Application files… If not, then give me the name of the Keylogging Trojan which you claim can bypass Application Filtering Layers without being malicious.
     
  13. Ph33r_

    Ph33r_ Guest

    As for you claiming there are definitely several or many more ways to bypass Application Filtering Layers, how come you aren’t coding them up, since only you are aware of these?

    And if there were any known possibilities, don’t you think there would be more Leaktests released? Surely anyone with such kn0wledge would like credit for such difficult achievements.

    Many of you guys can’t seem to grasp there are Limitations to how many ways there are to exploit Client Environments to gain Internet Access…

    Anyways, that’s you guys’ problem; I’m not looking for excuses to be paranoid. I have more intelligence than that, to know all has limitations, and I comprehend just how many more possibilities there are to exploit Client Environments to bypass Application Filtering Layers in Software Firewalls without becoming malicious to access Internet Resources…
     
  14. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Would you be kind enough to give the name and/or the link to d/l it, please?
    If a trojan: don't post the link on the forum but PM, please.

    Rgds,

    I am not aware of any concerning SSM.
     
  15. Ph33r_

    Ph33r_ Guest

    SSM detects the Executions, unlike the Application Filtering Layer in Software Firewalls, which detects not the Applications' Executions but the calls to Client Environments. And I personally don’t think it could bypass SSM, at least without being malicious. ;)
     
  16. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello ph33r ;)

    Agreed, that's why I would like to verify it by myself and not take any assertion for granted :cool:

    Rgds,
     
  17. _anvil

    _anvil Guest

    Believe me, if I was talking about terminating processes, I would have said so. ;)
    (BTW: is L'n'S protected against this?)

    The trojan I am referring to is called "GOD 2." Hope you can find it...

    Have I ever said that I'd be able to do so...? :rolleyes:

    Look at the last few months: AWFT, Thermite, Oops,... and there is no need to publish new leaktests as long as the old ones aren't passed by most FWs yet... :cool:
     
  18. Ph33r_

    Ph33r_ Guest

    Found it :)
     
  19. _anvil

    _anvil Guest

    I have to add something: SSM will 'alert' you a few times during and after the trojan's 'installation' (as it does with _every_ application... ;) ) - but the important parts of the firewall bypass (injection into explorer.exe and the browser) remain unnoticed...

    That's why I doubt that anyone will suspect a trojan when installing GOD 2. :rolleyes:
     
  20. Ph33r_

    Ph33r_ Guest

    Heh, you're describing the same encounters I had with pcAudit v3.0.0.3 & SSM v? a while back….
     
  21. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Problem solved for quite a while with SSM.

    As you grabbed it, you can test it.

    If you deny at the first alert, nothing is installed and no leak, I presume.

    Why should I allow the install of something if I get a warning and I don't trust the proggy?
     
  22. Ph33r_

    Ph33r_ Guest

    Heh, I know, I remember testing again afterwards with a newer version of SSM…
    I don’t use SSM, I don’t really have a need for it… But it is a small, impressive, somewhat Sandbox-like Utility...
     
  23. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi _anvil,
    That's why you need TDS-3 and its new Advanced Process Manipulation tool. Did you already check that out? ;)

    Regards,

    Patrice
     
  24. SmackDown

    SmackDown Guest

    OK, I got GOD2, it's a generator. I generated one keylogger, added my e-mail address, then went to its log file which is located in Windows, I filled it up so it would launch and try to send me the log file. McAfee caught it and killed it dead.

    Just an IE injection, nothing more; if McAfee can stop it, surely LNS can?

    Packet Sniffer verified, nothing got out. I also received no e-mail with the log file; had it got out, GOD2 would have sent me the log.

    So GOD 2 is smoke. I guess if you give IE full permission to access the Internet any way it wants, then this keylogger could get out.
     

    Attached Files: GOD2.gif
  25. SmackDown

    SmackDown Guest

    Here is a pic of GOD 2.
     

