Tested Firewalls & Leaktests

With no fewer than three alerts, Outpost easily blocked the "Internetconnection" test.

*EDIT*

sorry, I overwrote my previous post. My version of SSM is paid, 2.2.0.602

 

SSM 602 did intercept the HIPS test:

If SSM is not warning of this on your setup, then you may of found a conflict with SSM + Outpost

 

Okay Stem, no problems, SSM was intercepting the memory modification attempt. It was doing it "silently". I deleted explorer.exe from SSM's rules, then launched the ex-coat test and was immediately alerted by SSM on the memory mod attempt. Whew! I feel better now

 

Good to hear, I have installed OP4 to check on any possible conflict. I ran the test, and was given the alerts from SSM, I allowed these and then was given a popup from OP:-

 

im not DA, but ill explain. some people compensate for a leaky firewall by using a HIPS.

 

Thanks Stem. I get the alert from OP if I disable SSM (I guess SSM kicks in before Outpost does). However, take a look at the ss. Notice that excoat is able to write its code to the target process memory, before the test fails. SSM doesn't let excoat get quite that far. You can see the results on my earklier screenshots. Could you confirm how far PS and Jetico combination allow the test to go? Thanks again!

 

Sorry, forgot ss.

 

Interception / blocked O.K.

 

Excellent! Same result with SSM.

 

@ WSFuser

Yes I know but I wonder why DA says that HIPS are not able to stop leaktests? Or maybe he meant that HIPS can not stop ALL leaktests? In that case, well yes, I already knew about that. But I´ve checked it out myself and a lot of leaktests are stopped by HIPS, so my firewall does not have to be super advanced is my conclusion. But I may be wrong, I hope DA will respond.

 

About this link:

http://www.matousec.com/info/adviso...fication-serveral-personal-firewalls-HIPS.php

Another proof that programmers really have to be top notch, it´s a shame that these kind of mistakes are being made. Also, these advisories are proof that Matousec isn´t a fraud! Great job!

 

And that is what Stem and I tested. SSM and PS HIPS stop it dead in its tracks. I'm not certain, but it also looks as though Jetico stopped it as well.

 

Jetico (1 & 2) intercepts both the InfectProcess(for HIPS) and the InternetConnection test.