So what do I do to defend those network analysis tools?

Discussion in 'other firewalls' started by bonedriven, Jun 28, 2008.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Last time I heard from ailef it was v 119. Current release is 131. Current RC is 151. This is for one. For two, when he was asked about a tool and testing conditions to replicate the issue he vanished. And since I know he is not a too educated person I'm very hesitant about his results' credibility. But you are welcome. You just need to send me a tool and in case I'm able to replicate the result it will be immediately sent to Mike and addressed. The problem is no one seconded ailef's claim, so no one faced this problem in real life.
     
  2. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    These results don't match mine,
    and if the vendor itself as well as you confess that OA does not protect against ARP spoofing,
    how can OA "as you claim" hide the PC from ARP poisoning?
    I think your results are not real;
    they are just against your previous words,
    so you oppose yourself.

    Finally, and as a fact:
    on whatever LAN and whatever PC,
    OA does NOT hide the PC from NetCut "as a single example, not to mention other spoofers and sniffers".

    Best regards
     
    Last edited by a moderator: Jun 29, 2008
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    By dropping ARP packets. This is very easy having an NDIS-level filter. But to run the test you should understand some things. For example, to be completely hidden from a computer you should "distrust" it in the computers list and untrust the interface itself. Though, I'm not sure about 131 because I always run the latest beta, which is 151 now.
     
  4. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    too many connections like DDOS. :D.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    In a trusted LAN? No, it doesn't. And hardly will, because this is a senseless fight. Here, for example, anybody who is caught trying to ARP-spoof (by the gateway router) is immediately disconnected from the LAN. This is a much more effective tool than any anti-ARP, which in any case is just partial and senseless with a static ARP table and modern hw switches and routers. I think there are more called-for things than fighting "uncatchable Joe".
     
    Last edited by a moderator: Jun 29, 2008
  6. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    I know the flood.
    I just wanted to be sure about such an issue.
    Thanks anyway.
     
  7. Colasoft

    Colasoft Colasoft Support

    Joined:
    Dec 6, 2007
    Posts:
    97
    Location:
    Colasoft Co., Ltd.
    Colasoft Capsa is not based on ARP spoofing; actually it is based on packet sniffing technology, that is, to passively capture all network packets transmitted in the network and reconstruct these packets afterwards. Such a network sniffer tool is usually deployed at the switch or proxy server and it will not send any packet into the network, so it is hard to detect.

    Encrypt everything you send to the internet.:D

    Nothing, as long as you install Comodo on your PC. Whether or not you run a firewall on your PC, you still send packets to the network, so Capsa can still collect your information.;)
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Hany3!
    I wanted to ask you something. How do you know that CFP 3.0's inbound protection is worse than Outpost's: just because it didn't warn you of an attack, or because it didn't log the attack, or something else?
    If you enable protocol analysis, packet checksum verification, monitor other NDIS protocols than TCP/IP, and block fragmented IP datagrams, you should have excellent protection!

    http://news.softpedia.com/images/extra/WINDOWS/large/COMODOFirewallPro3_15large.png

    Other screenshots:
    http://www.softpedia.com/reviews/windows/Comodo-Firewall-Pro--Review-72979.shtml

    And besides, just because CFP 3.0 doesn't log blocked attacks doesn't mean it didn't block them; it did block them, it just didn't log them.

    In this screenshot you can see that CFP 3.0 does protect against ARP cache:
    http://news.softpedia.com/images/extra/WINDOWS/large/COMODOFirewallPro3_14large.png

    I still don't understand why you claim CFP 3.0's inbound protection is equal to Windows Firewall's inbound protection. So far, as far as I know, it is at least as good as Outpost's inbound protection if you turn on those options in the screenshots I showed you.
     
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    When I ran Outpost in older days it always warned me about a lot of attacks. After I removed Outpost my computer was OK with the built-in firewall, without protection from those "attacks". So I think those attacks were really FPs that didn't really affect the computer.
     
  10. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Thanks for the information I needed!
    I've been using Firefox with torbutton.
     
  11. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hi CoolWebSearch

    I appreciate your kind reply and explanations,
    and here's my comment:

    1- I used Comodo for a long time and I know very well its functionality for inbound protection, "all you mentioned above".

    2- Why I think it's weaker than Outpost:
    because in real-time protection it failed to block all the DOS attacks, spoofing and sniffer attacks from NetCut, SwitchSniffer and WinArpSpoofer,
    so all its inbound functionality seems to be only theoretical.
    That's because the vendor gives all its time to fighting the stupid leak tests.

    Moreover it contains no inbound defense mechanisms for some attacks like:

    1- fragmented IGMP
    2- RPC DCOM attack
    3- my address attack
    4- overlapped fragments
    5- winnuke attack
    6- teardrop attack
    7- nestea attack
    8- iceping attack
    9- opentear attack
    10- Nuke attack
    11- IGMP attack
    12- malformed IP attack


    If there are some abilities in "the protocol analysis, packet checksum verification, monitor other NDIS protocols than TCP/IP, block fragmented IP datagrams", I repeat they are not effective in real time against the spoofing and DOS attacks, and you can discover it yourself by generating some ARP poisoning inside your LAN.

    Turning on some functions does NOT mean that they will act as you expect;
    you should test in real time.

    This is the same as outbound control:
    not every firewall that contains HIPS will offer you anti-leak protection.
    Some are excellent and some are so bad.
    The same here:
    presence of inbound functionality in the firewall does not mean it will be good in inbound protection.

    Best regards
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Where oh where to get NetCut from a reliable source.
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    1-fragmented IGMP

    ===
    Microsoft Security Program: Microsoft Security Bulletin (MS99-034)
    Patch Available for "Fragmented IGMP Packet" Vulnerability

    Patch Availability Information Updated: March 21, 2003
    ===

    2-RPC DCOM attack

    ===
    WindowsXP-KB824146-x86-ENU.exe
    ===

    3-my address attack

    I failed to find info on this attack. Maybe it should be called another way?

    I gave it up. So the question is which of these attacks are not yet fixed by MS? I think they fixed all of them long ago, and there is not the smallest sense in protecting against them unless you run something like W95.
     
  14. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    If you run an unpatched version of XP, you will be vulnerable to some of these attacks if your firewall's inbound protection does not cover them as well.

    Other types of attacks like DOS attacks and spoofing attacks are due to vulnerabilities in the Address Resolution Protocol (ARP), which is a protocol from the TCP/IP suite, and these vulnerabilities are not covered by MS yet.

    Best regards
     
    Last edited: Jul 1, 2008
  15. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    If I posted you a download link, I guess it would be deleted.
     
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The only reason to run an unpatched version of XP is if you use a cracked XP. But in this case you will hardly buy Outpost. As for me, I prefer to update Windows :)
     
  17. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    A common attack aims to take over the local computer's IP address, then impersonate it on a network, and take over its connections to falsely assign the remote computer's activity to the local system.

    Best regards
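The ARP weakness described in this post and in the earlier one on ARP vulnerabilities, shown from the defender's side as an added example (not code from any firewall vendor or forum member): a monitor that learns IP-to-MAC bindings from ARP replies and flags the conditions a poisoning attempt produces, including a reply that contradicts a pinned static entry. The addresses, the static table and the reply stream are constructed sample data; `max_ips_per_mac` is an assumed tunable.

```python
"""ARP poisoning indicators from observed ARP replies (added example, defender side)."""
from collections import defaultdict

# Constructed sample data: one known-good (static) binding for the gateway.
STATIC_TABLE = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Constructed ARP replies as (sender IP, sender MAC), in arrival order.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # the real gateway answers
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # a peer announces itself
    ("192.168.1.1", "DE:AD:BE:EF:00:66"),   # another MAC now claims the gateway IP
    ("192.168.1.20", "de:ad:be:ef:00:66"),  # the same MAC also claims the peer
]


class ArpMonitor:
    """Learns IP-to-MAC bindings from ARP replies and records anomalies."""

    def __init__(self, static_table=None, max_ips_per_mac=1):
        self.static = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
        self.learned = {}                   # ip -> first MAC seen for that ip
        self.ips_by_mac = defaultdict(set)  # mac -> every ip it has answered for
        self.max_ips_per_mac = max_ips_per_mac  # assumed tunable; 1 = one IP per host
        self.alerts = []

    def _alert(self, ip, mac, reason):
        self.alerts.append({"ip": ip, "mac": mac, "reason": reason})

    def observe(self, sender_ip, sender_mac):
        mac = sender_mac.lower()
        if sender_ip in self.static and self.static[sender_ip] != mac:
            # A pinned (static) entry keeps this reply out of the host's own cache,
            # but it is still the clearest sign that someone is poisoning the LAN.
            self._alert(sender_ip, mac, "conflicts with static entry")
        else:
            # A dynamic cache would accept a changed binding silently; we keep history.
            prev = self.learned.setdefault(sender_ip, mac)
            if prev != mac:
                self._alert(sender_ip, mac, f"binding changed from {prev}")
                self.learned[sender_ip] = mac
        # One MAC answering for several IPs is typical of gateway impersonation.
        self.ips_by_mac[mac].add(sender_ip)
        if len(self.ips_by_mac[mac]) > self.max_ips_per_mac:
            self._alert(sender_ip, mac, f"mac claims {len(self.ips_by_mac[mac])} addresses")


def analyze(replies, static_table=None, max_ips_per_mac=1):
    """Run the monitor over a sequence of replies and return the alerts raised."""
    monitor = ArpMonitor(static_table, max_ips_per_mac)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_REPLIES, STATIC_TABLE):
        print(f"{alert['ip']:<14} {alert['mac']}  {alert['reason']}")
```

A host with several legitimate addresses needs a higher `max_ips_per_mac`, otherwise the third check reports it as an impersonator.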
     
  18. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    1st, I don't use Outpost.
    2nd, a good top-rated firewall should be able to protect your computer from known and unknown system vulnerabilities.

    Best regards
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    You are right. From known SYSTEM vulnerabilities. But since the SYSTEM is not vulnerable (in other words, since the system vendor released a patch), there is no vulnerability any more. So protecting from a non-vulnerability is just extra resource spending. This also may serve as PR. Nothing more. Using an outdated system is the same as using an outdated top-rated firewall. They both fail against an attack that was not invented/discovered in those old times.
     
  20. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    How many users all over the world have not installed SP3?
    How many users all over the world have not updated their XP since SP1 or SP2?
    How many users do not keep on updating their XP regularly?

    In big words:
    the system can be considered not vulnerable only after the user updates it and NOT after the vendor releases the patch.
    I think your previous comment contains a fatal mistake.

    By the way, I have a genuine Windows XP Service Pack 3.

    Best regards
     
    Last edited: Jul 1, 2008
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Does it really matter? Those who don't care about their system do not care about protecting it by firewall as well. And those who do care update their system in time. I hate the idea that FW vendors cared about those who don't care about themselves. This is a silly and senseless task.
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Hany3!
    Thank you for your reply.
    The reason why I asked you these questions is simply because Melih and Egemen want proof that Comodo's inbound protection is not enough.
    Honestly, when it comes to inbound protection, there are only 3 firewalls I really do trust (I've been using 3 firewalls in these 3 years to see exactly how good they are, visiting all kinds of websites, crackers' websites, evil-ware websites, etc.):
    ZoneAlarm Pro: some configuration is needed; I truly never picked up anything on my computer. The application-level firewall (OSFirewall) saved me from worms, Trojans and spyware several times; I had several of these malware samples on my USB memory stick and ZA Pro's OSFirewall stopped them from entering the computer system. So, OA is not the only HIPS that can really stop malware entering the system from other sources like CD, USB memory stick, etc.
    What I'm sure of is that once you configure ZA Pro well enough no spyware will enter, since you can block it by IP and protocol.

    Outpost Firewall Pro: yes, it does need some configuration. It has a Block Most mode which blocks everything inbound/outbound except the traffic, programs and processes that you want to be running on your computer/internet. In Block Most mode you can't even run a leak-test, and malware can't execute itself (unless Outpost Pro learned it as a safe program that was already on your computer) to do damage to your system.
    This is why I love Outpost Pro.
    And it has excellent logging ability.

    Jetico 2: the most configurable packet-filtering firewall (alongside Look'n'Stop firewall), extremely hard for novices, but Stem convinced me that the default protection is just enough to do its job; I didn't need any additional configuration. Again, Stem convinced me.
    However, I must admit that I don't know how it fares against malicious websites and the attacks you listed above.

    Also, in case you didn't see it, CFP 3.0 (with Defense+ activated) was worse in tests against real, active Trojans than ZA freeware. Not to mention that CFP 3.0 couldn't stop programs with stolen access rights from going online; ZA blocked them, CFP 3.0 with Defense+ activated failed to stop them and also failed to stop 8 of 10 real, active Trojans from phoning home, while ZA freeware passed all the tests.
    And since PC Welt tested this, I have no reason to think they would lie about it.
    This is quite weird for a HIPS.
    Also, Alex_S said that OA's HIPS caught an unknown malware undetected by Kaspersky (OA uses Kaspersky's antivirus engine). That might be true, but my problem here is that he didn't try with the real Kaspersky anti-virus.
    I personally don't trust any vendor that uses the anti-virus/firewall/anti-spyware/HIPS from another vendor, since it's not the same security level and functionality.

    Here is the entire list of websites where you can test how good your firewall's inbound protection or HIPS is against malicious websites:
    http://feeds.dshield.org/top10-2.txt
    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507

    http://www.shadowserver.org/wiki/pmwiki.php?n=Main.HomePage?logdate=200804


    Also, on these websites you should test how good your inbound protection really is. We're not talking about leak-tests, we're talking about real malware here.

    http://forums.zonealarm.com/zonelabs/board/message?board.id=cfg&message.id=51716
    Some available information how to configure ZA Pro.

    Cheers.
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The database is the same. Kaspersky guarantees that their OEM engine knows the same number of "bad guys" their own version does. But as for me, I never believed too much in AVs. It doesn't matter how good it is, it always goes a step behind malware. I use it just because it can save some time in case a known nasty tries to jump. But I do not regard it as the most important part of my defence. "In HIPS we trust" :)
     
  24. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hi CoolWebSearch

    In my opinion, all that you said is true:
    the 3 above-mentioned firewalls have good inbound protection,
    while other top-rated firewalls like Comodo have some inbound functionality, and OA "which scored 98% according to the latest results from the Matousec firewall challenge" has inbound protection equal to the built-in XP firewall.

    And in the same ranking ZoneAlarm ranked as a poor firewall.

    I think this is quite funny:
    to see HIPS applications offering no or little inbound protection, like ProSecurity, OA, Safety System Monitor, Comodo, have an excellent ranking according to Matousec,

    while other basic firewalls with excellent inbound control, without the boring HIPS modules, ranked as weak or poor firewalls.

    Among the 3 firewalls with good inbound protection that you have mentioned above, only Outpost has a very good ranking according to Matousec,
    while Jetico and ZoneAlarm have the worst ranking.
    So I think Matousec, which is nothing but a marketing tool, is responsible for the ignoring of inbound protection by most of the firewall vendors, and the bloating of the firewalls with other functions away from the basic firewall responsibility.

    Best regards
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This is not quite true. ZAISS, when tested, had Kaspersky antivirus integrated inside itself (newest version, equal version at that time) with the same OEM, and yet failed to block some macro virus which Kaspersky successfully blocked and deleted.
    So, it's not the same. It's all "he said, she said".
    Just a question: what malware couldn't your OA's antivirus detect, and did you update OA's antivirus before you checked the USB memory stick (you said something about your wife checking a student's USB memory stick)?
    Did you perhaps find out what malware the student's USB memory stick had?

    Also, Kaspersky antivirus updates every 15 minutes; how often does OA's version of Kaspersky antivirus update?

    I simply don't believe that OA's antivirus didn't find it (but on the other hand, if it was the original Kaspersky antivirus that would have been a different story); my NOD32 always finds just about every malware I have on my USB memory stick (well, I had no rootkit in it, so I can only speak for Trojans, backdoor Trojans, spyware, worms and viruses).

    Also, I have just re-checked these leak-test techniques and asked some security experts what they think about them.
    They said to me that leak-tests that simulate malware execution techniques in order to compromise your computer system's security, and those that try to phone home, are worthwhile leak-tests to pass. Malware's first step to compromise your computer security is to execute/run/activate itself.
    Just about any HIPS, no matter how good or bad it is in leak-tests, should warn that this file or process is trying to execute itself, and any firewall should recognize this.
    The worst, most poorly written leak-tests are those where you have to simply allow the action for execution, then you need to block this already modified part of the OS from phoning home. This is really useless, because you simply already allowed it to modify your computer system.
    Anti-execution is the key.
     