PC AUDIT

Discussion in 'other firewalls' started by MickeyTheMan, Aug 2, 2002.

Thread Status:
Not open for further replies.
  1. MickeyTheMan (Security Expert; joined Feb 9, 2002; 1,017 posts)

    Snowman, you are asking legitimate questions to which an answer cannot be provided at this point, as once the answers become known, then the solution will also become easier to deal with.
    As Naviscope is no longer being developed and support is no longer offered either, it is not possible to find out from them exactly how the user agent is handled by the proggie and what part it handles either.
    Opera does not defeat the test according to some Opera users.
    Do other proxies defeat it? Maybe; then again, users will need to come forward and say so if they do.
    James Grant (Visnetic) and Frédéric (LNS) are both aware of the problem and are looking into whether the application filtering module could deal with this and how.

    So for now I know of SSM and Naviscope that can defeat the test.
    Sorry, as much as I'd like to be more specific, I can't.
    Anything more would be speculation and until more is known on this I will leave it at that.
     
  2. snowy (Guest)

    Mickey

    Most appreciate your having given of your time in replying... and your forthright honesty is admired.
    No browser imo will defeat this exploit... since a hostile script is involved injecting a dll.
    I downloaded LnS yesterday... and will be interested in Frédéric's handling of this... and since it's been a few years since I last used a rule-based firewall, this post alerted me to needing to update my knowledge of rules... in the meantime I'll use the enhanced rule settings... I would want it set in such a way that "all" needs to ask for access.
    Wishing you a most pleasant night.

    snowman
     
  3. MickeyTheMan (Security Expert; joined Feb 9, 2002; 1,017 posts)

    Which browser you use is irrelevant, as the dll seems to be able to inject its code into any app it can find that can access the net.

    As for LNS, do not give blanket authorization to any app. Always answer "this time only", except for the browser and proxy, which you will need to answer "this session", as browsing becomes almost impossible otherwise with the multiple connections made at each site, as even a gif is considered a connection. Just coming to this site would most likely get you to answer too many times for comfort.
     
  4. snowy (Guest)

    Mickey... thanks... will follow those instructions...

    snowman
     
  5. snowy (Guest)

    Mickey

    In case you drop by this thread... if you care to do so... kick in Naviscope... then drop in on privacy.net for a scan (link in free services here) and see if User Agent is really being blocked... you may find it interesting.


    snowman
     
  6. JacK (Registered Member; joined Jun 20, 2002; 737 posts; Belgium - Liège)
     
  7. MickeyTheMan (Security Expert; joined Feb 9, 2002; 1,017 posts)

    Hi, again I will not speculate as to what in Naviscope blocks PCAUDIT. The info has been given to both Frédéric and James for them to determine what it is and how to incorporate that in their products.
    All I can tell you is that it's the feature HIDE SYSTEM INFORMATION (user agent).
    http://mickeytheman.digitalrice.com/files/naviscopeblock.png
    If that option is unchecked, then PCAUDIT succeeds. What exactly it uses and how is for them to determine.
    We now both know that you know what it's not, but if you can tell me what it is, then please do so.
     
  8. Prince_Serendip (Registered Member; joined Apr 8, 2002; 819 posts; Canada)

    The Naviscope site which TomCat referred to as the "phone home" one for version 8.69 is still active, 216.157.91.36. They are still offering version 8.69 for download there. Mickey the Man is correct about support having been discontinued. The last posting on their Discussion Support site is dated 09/11/2001! However, I checked around and found links to download version 8.70. So far, there is no evidence of this one "phoning home." (Still sniffing, though.)

    http://comunitel.tucows.com/preview/83.html
     
  9. MickeyTheMan (Security Expert; joined Feb 9, 2002; 1,017 posts)

    Thanks for that link.

    BTW, I don't know if 8.69 could defeat PCAUDIT, as I am using 8.70.

    SYGATE firewall can be added to the list of apps able to defeat PCAUDIT due to its DLL AUTHENTICATION.
    This option is not set by default, and should be. I'm finishing my tests on that one, but every indication so far is that it is indeed successful, although a reboot seems to be needed to regain access to the net afterwards.

    Mike (VOP), a long-term user of Proxomitron, confirmed it is not able to handle it.
     
  10. rockharder (Guest)

    I tested PC Audit with

    1. Kerio FW 2.1.4 + Internet Explorer 6, and this configuration failed the PC Audit test!

    2. Kerio FW 3.0.0 (the new beta from Kerio) + Internet Explorer 6, and this configuration managed to catch the session.

    I gave IE6 full access to the net!

    On both tests I'm behind my ISP's PROXY server, but I have reconfigured my internet access so it does not use the PROXOMITRON. With Proxo enabled I pass also with 2.1.4!

    This is what I get from Kerio FW 3.0.0:

    Dst Addr: MY ISP's ADDRESS
    Src Port: 1085, Dst Port: 8080
    Protocol: TCP

    Application path: C:\WINDOWS\EXPLORER.EXE
    Description: explorer
    File version: 5.50.4134.100
    Created: 2000/6/8, 15:00:00
    Modified: 2000/6/8, 15:00:00
    Accessed: 2002/8/3, 22:00:00

    Afterwards the "bla, bla, bla, you're well protected" comes up.

    The funny thing is that I don't get prompted by the FW when starting PCAUDIT.EXE but when it sets up the session via explorer.exe!
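As an added example (not rockharder's or Kerio's code), the alert layout above parsed and checked against a simple policy that the Windows shell should not originate its own connections, which is the tell in this thread: PCAudit's traffic shows up attributed to explorer.exe. The destination address, the second alert and the process list are constructed or hypothetical.

```python
from typing import Dict

# Constructed alert in the layout Kerio 3.0 printed above; the address is a
# TEST-NET placeholder and the remaining values are made up.
SAMPLE_ALERT = r"""Dst Addr: 192.0.2.10
Src Port: 1085, Dst Port: 8080
Protocol: TCP

Application path: C:\WINDOWS\EXPLORER.EXE
Description: explorer
File version: 5.50.4134.100
Created: 2000/6/8, 15:00:00
Modified: 2000/6/8, 15:00:00
Accessed: 2002/8/3, 22:00:00
"""
# Second constructed alert for a program that is expected to go online.
BROWSER_ALERT = r"""Dst Addr: 192.0.2.10
Src Port: 1086, Dst Port: 8080
Protocol: TCP
Application path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
"""
# Hypothetical policy: the shell has no business opening its own connections,
# so traffic attributed to it points at injected code, which is how PCAudit
# rides out via explorer.exe here (on Win98SE, the thread notes, blocking
# explorer also breaks IE, so the list is OS-dependent).
NO_NET_PROCESSES = {"explorer.exe"}

def parse_alert(text: str) -> Dict[str, str]:
    """Turn the 'Name: value' alert text into a dict keyed by lower-cased name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        # Only the port line packs two fields; timestamps also contain ", " and ":".
        parts = line.split(", ") if line.startswith("Src Port") else [line]
        for part in parts:
            name, sep, value = part.partition(":")
            if sep:
                fields[name.strip().lower()] = value.strip()
    return fields

def classify(alert: Dict[str, str]) -> str:
    """Flag outbound TCP from a process that should never originate traffic."""
    exe = alert.get("application path", "").rsplit("\\", 1)[-1].lower()
    if exe in NO_NET_PROCESSES and alert.get("protocol") == "TCP":
        return f"suspicious: {exe} opened outbound TCP to port {alert['dst port']}"
    return "ok"
```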
     
  11. snowy (Guest)

    Mickey

    Mic, I have no idea "what it is", but if I were to speculate I would "guess" that it's the Windows operating system itself... in fact... I would be highly interested in learning how a Linux system would react to the exploit.
    Mickey, you have been relentlessly pursuing this for several days... my compliments...
    The posts by others have shown that prevention of the exploit itself is possible... prevention of the exploit by a firewall... perhaps I should say by ALL firewalls... is what appears to be the question. In recent months Frédéric has been on top of these issues... and no doubt will be again.
    And like you... if you find an answer... please let me know. I am just as curious as anyone.


    snowman
     
  12. snowy (Guest)

    In consideration of my limited knowledge... the following is presented as a question to the more knowledgeable:

    By "protecting" explorer.exe from being changed/altered... would this prevent ALL such exploits of the nature of the one in this thread?? Possibly include protecting iexplore also.

    snowman
     
  13. snowy (Guest)

    ***Food For Thought***


    Is it possible... and I strongly suspect... that M$ uses an exploit just like this for "error reporting"? At first glance this comment may appear off-topic... however, please consider the enormous leak provided by such an exploitation... a totally free ride outside... if explorer is compromised.

    As stated... this is food for thought.

    snowman
     
  14. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)

    snowman - Just thought I'd let you know - going to this page: http://www.gemal.dk/browserspy/basic.html will see right through Naviscope's blocking of the UA.

    Going to the privacy.net page you referred to: http://privacy.net/analyze/ didn't really specify what browser I was using, although it did pick up this: "Mozilla Default Plug-in - Default Plug-in - npnul32.dll" (I was using Mozilla for the check). The following fields there, though, looked just like this:

    "You linked from here (if you linked from another web page):

    Your Browser Type and Operating System: "

    (No information). Pete
     
  15. FanJ (Guest)

    OK, I haven't tried PCAudit. I don't use Naviscope.
    But I went to that site that Pete mentioned (gemal.dk).
    Is it supposed to show info about my UA?
    Am I understanding that right?
    It does not show it (or I made a mistake).
     

    Attached file: UA_2.jpg

  16. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)

    Grrr!
     
  17. FanJ (Guest)

    Hey Pete,

    On the other hand, that other site (privacy.net) showed my info at:
    "Your Browser Type and Operating System".
     
  18. FanJ (Guest)

    Eh, changed a setting, and it is no longer displayed.
     
  19. snowy (Guest)

    Pete

    Thank you very much... it's a little more difficult researching this issue without actually having the exploit... which I won't install.

    My results were the same as FanJ's... tried all options... no info revealed.
    Of further note... I am of the belief that this is an OS leak... my ounce of prevention at this point is to add all programs that require updating... plus all programs accessing the internet... explorer.exe and iexplore included... into file protection. "Before the Fact" protection instead of "After the Fact" protection... changes are prevented... no questions asked... simply prevented.
    This would only be workable on a system not already compromised. And really could only be fool-proof tested after the protection was added... Personally I am satisfied. There may be other means of prevention, but until they become known I have to go this route...
    As previously stated this is open to discussion... right now I am of the opinion that by protecting against changes/alterations to certain OS functions and programs with internet access... such exploits can possibly be prevented... I gladly and humbly bow to the more knowledgeable who can offer a better solution. It's already been stated by JacK that System Safety Monitor performs a like function...
    This does not plug the hole itself... the hole certainly should be the subject of some very serious discussion.
    Pete and FanJ... again thank you.

    snowman

    It should also be noted that the adding of protection as stated above won't prevent an exploit from getting onto an OS but simply prevent changes to the programs, etc. listed or others added to protection.
    If this theory is way off base then I offer an apology here and now... so far I have not found any other.
     
  20. Snowy (Guest)

    Pete

    Buddy, your OS was revealed!!! You can easily prevent that without the use of a proxy... recall the post I deleted yesterday? o_O You can make that info say: Jack and Jill went up the hill... or whatever.

    snowman
     
  21. snowy (Guest)

    Pete

    Just a real quick note... if you had been using a branded version of a web browser, your ISP name would have been revealed.

    snowman
     
  22. snowy (Guest)

    One further comment before I move on down the line.
    As previously noted... a branded web browser can possibly reveal the name of the internet provider of the person using the branded browser... such information is sent to a remote web server... and may be stored in the web server log files... and possibly used to track branded versions of that web browser.

    Further food for thought... the users of proxies may change the information User Agent reveals... however, let's for discussion say that information is changed to show FE: 123 456 789... and then no further changes are ever made... but the proxy user goes to a website... goes back again and again... has he not branded his own browser?
    imo he has done even worse... he is revealing who he is right down to the post name he uses.
    Simply constantly changing the proxy to reveal something else would resolve this issue... and a group of people deciding to all use the same phony information works to confuse... hummmm, now who was that person?

    snowman
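As an added illustration (not code from the thread or from privacy.net), this is the server-side view the analyzer pages in post 14 give: what a request alone reveals about browser, OS, branding and the referring page, covering the ISP-branded case and the fixed fake User-Agent case discussed above. Both requests, the hostnames and the ISP name are constructed.

```python
import re
from typing import Dict

# Constructed requests (host, path and ISP name are made up): first what a
# 2002-era ISP-branded IE6 build might send, then a proxy user who rewrote
# the User-Agent to a fixed fake value, as discussed above.
BRANDED_REQUEST = (
    "GET /analyze/ HTTP/1.1\r\nHost: analyzer.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; ExampleISP 5.0)\r\n"
    "Referer: http://forum.example/threads/pc-audit\r\n\r\n"
)
SPOOFED_REQUEST = "GET /analyze/ HTTP/1.1\r\nHost: analyzer.example\r\nUser-Agent: 123 456 789\r\n\r\n"

OS_TOKENS = re.compile(r"Windows (?:NT [\d.]+|9[58]|ME|XP|2000)|Linux|Macintosh|Mac_PowerPC")
BROWSER_TOKENS = re.compile(r"MSIE [\d.]+|Opera[/ ][\d.]+|Netscape/[\d.]+|Gecko/\d+")
GENERIC_TOKENS = {"compatible", "u", "i", "en-us"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def what_it_reveals(raw: str) -> Dict[str, str]:
    """Report the fields the analyzer sites in this thread display for a request."""
    h = parse_headers(raw)
    ua = h.get("user-agent", "")
    os_m, br_m = OS_TOKENS.search(ua), BROWSER_TOKENS.search(ua)
    # Whatever in the parenthesised comment is neither OS, browser nor a generic
    # flag is extra branding, e.g. the ISP tag a branded build carries.
    comment = re.search(r"\((.*)\)", ua)
    tokens = [t.strip() for t in comment.group(1).split(";")] if comment else []
    branding = [t for t in tokens if t and t.lower() not in GENERIC_TOKENS
                and not OS_TOKENS.search(t) and not BROWSER_TOKENS.search(t)]
    return {
        "browser": br_m.group(0) if br_m else "(not revealed)",
        "os": os_m.group(0) if os_m else "(not revealed)",
        "branding": "; ".join(branding) if branding else "(none)",
        "linked_from": h.get("referer", "(not revealed)"),
    }
```

Note that the spoofed request still returns the same report every time, which is the point made above: a constant fake value is itself a stable identifier.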
     
  23. snowy (Guest)

    Until the privacy leak that has been revealed in this thread is totally plugged... changing the browser names... names of the OS in use, etc., won't in any way prevent the leakage of other information... the information that a browser reveals when it contacts a website.

    snowman
     
  24. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)

    One other interesting thing I noted yesterday was that a lot of the 'scanning' sites I went to could easily pick up the date and time your computer shows.

    This (if nothing else) narrows your location down to a specific time zone.

    Seems to me you could throw that off by at least however many time zones (possible locations) there are in your country by just changing your computer clock - if you wanted to get fancy, I suppose one could figure out how to change the date and the time to make it look like you were in a different country. (Of course, that wouldn't work if you let Naviscope - or any other program - do automatic time checks.)

    Snowman - yes, I thought about changing the OS info with that reg hack, to keep from having an identifying 'fingerprint' consisting of whatever information does get through every time you click to get a link, but (like you) I realized that all that stuff would have to be constantly changed to avoid winding up with the same fingerprint anyway!

    Until/unless someone comes up with something that will accomplish that automatically (varying all the elements that can be read in a request), it's simply too time-consuming - although all the potential changes should be kept in mind for future use if needed. Pete
     
  25. JacK (Registered Member; joined Jun 20, 2002; 737 posts; Belgium - Liège)

    Hello,

    No, it does not :)

    If IE is open, it tries to use IE first. If it's not open, the test is passed with flying colours IF Explorer is not allowed to access the W3, depending on your OS
    (on Win98SE, if I am right, you may not disallow Explorer to access the W3 or you are not able to access through IE).
    If IE is already open when you run the test, you fail.
    Rgds,

    JacK
     