Ok, I just recently tried "Tooleaky" and I failed it, so, I'm wondering, what good is a firewall, if it has data leakage?
Syagte v5.0 Free edition I passed GRC.com's leak program... considering Sygate asked if I wanted to allow it..
The exploit that tooleaky takes advantage of is simply to piggyback on the access of another program that has already been given permission out to the Internet through your firewall. The dangers of allowing too many programs unlimited access to the Internet is that some other program will come along and call upon that program to access the Internet on its behalf. So, the best way to prevent such exploits is to either require permission for every new session of a network aware program that starts on your system, or to have a firewall that can see when a program calls another program to perform a function. I've written a number of posts here about tooleaky. Here are some of them... https://www.wilderssecurity.com/showthread.php?t=4556;start=msg29964#msg29964 https://www.wilderssecurity.com/showthread.php?t=5222;start=msg34025#msg34025 https://www.wilderssecurity.com/showthread.php?t=7419;start=msg49188#msg49188 https://www.wilderssecurity.com/showthread.php?t=8372;start=msg54303#msg54303 We'll need to here from other Sygate users regarding it's capabilities to intercept one program calling another for Internet access. I don't use Syagte, so I can't speak about it directly, however almost all Windows based software firewalls have added the protections required to defeat tooleaky.
Most Windows base Software Firewalls offers Link-Level Protection, it’s odd Sygate Personal Firewall would still not have Link-Level Protection…
Prevention against Application hijacking using dynamic link library (DLL) control hook as done by the "Firehole" and "Tooleaky" attacks.
Just for clarification I think the Pro version does offer DLL authentication. http://www.spfpro.com/products/comparison.htm "In addition to application checksum verification, Sygate Personal Firewall Pro 5.0 authenticates application DLLs, ensuring that a malicious program cannot use a trusted applications to execute an intrusion." http://www.spfpro.com/products/pro/whatsnew_pro.htm Hate to quote PC Mag ... "If you enable DLL authentication in Sygate's firewall, it prompts you to allow or block FireHole DLL hijacking." http://www.pcmag.com/article2/0,4149,648838,00.asp If you want to stick with sygate personal, maybe you can try another program like SSM to go with it.
Actually, the free version has that, also, I think I'm gonna enable it.. But, Not many programs are totatally trusted, (if any) I just recently moved Internet Explorer to "Ask" and currently, all my security update software is on ask, mIRC is on ask, MSN messenger is on ask, as is Trillian messenger, and Mozilla Firebird.
Tooleaky doesn't even use dll-injection - it just does something like start an IE process with a certain commandline parameter, containing the 'evil' url und your 'personal data.' That's why Sygate's dll-authentication should block Firehole (which indeed uses dll-injection), but will likely fail to block Tooleaky... You see, dll-authentication is not enough...
Sygate hasnt added anything to Prevent against it, I do, however, know somehwere, Sygate has a Beta version, that is suppose to be better, But, since I dont like being a Beta tester, I dont want to bother with it, since, as it seems, Software Firewalls are useless, they can be gotten around, the only "true" hacker protection, is a hardware firewall, i I believed thaat Software based firewalls were decent, due to the fact, it closes ports (Or 'stealths' them) and allows for control on outbound connections, but, this, however, remains untrue, considering Tooleaky can penetrate right through Sygate ... I put Internet Explorer on "ask" and I get no prompt, it just comes up saying my internet or computer are very slow, OR GRC.com is down.
I'm sorry Comp01 but you are making a global statement that all software firewalls are useless based upon the fact that the one product you are using, and the way you are using it, doesn't block one particular exploit demo. That is a major generalization that doesn't hold up as soon as you look at many other software firewalls, running in many different configurations. You say the only hacker protection is a hardware firewall based upon this tooleaky demo... Well, a hardware firewall won't stop tooleaky. tooleaky is just using a hidden Internet Explorer window to access a website on TCP port 80. A hardware firewall would allow that, so even with such a firewall you'd still fail the tooleaky test. Many software firewalls can intercept tooleaky along with a large number of other types of exploit demos. Actually, when you get that message from tooleaky, it means you passed the test. See image below. When there is no leak (ie. if your firewall blocked the access), tooleaky gives you the message box in this image. That's a good thing.
Hey Comp01 If you wanting something that passes this simple Tooleaky Leaktest take a gander at http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/test.html.
Well, According to that site, its Look'n'stop thats the best, and Zone Alarmro but, 1) I dont have enough money at the moment to buy ZAro or Look'n'stop and, 2) Look'n'stop is a rule based firewall, I dont really want a rule based firewall, I fell comfortable using Sygate, but, when its has a security flaw I guess I'll continue using it ... For the moment, anyways, might as well not have a firewall
Only way to have proper control of the Inbounds/Outbounds is with Rule-base Software Firewall. I suggest you don’t be so closed minded of other Software Firewalls especially Rule-base, Sygate Personal Firewall is Rule-base and you like that. You should explore and you just might come to find something your really comfortable with. Take advantage of Software Firewalls Trials, Look ‘n’ Stop Personal Firewall (PRO) which contains both Application Filtering Layer and Internet Filtering Layer has 30-Day Trial, after 30-Days Application Filtering Layer becomes non-functional. Then you can explore another Software Firewall if still wish so. Otherwise you don’t know what your missing out on and if ZoneAlarm or Sygate Personal Firewall is still the best to your opinion… You decide to Trial Look ‘n’ Stop don’t hesitate to poster on the Official Look ‘n’ Stop forums here at wilders with Questions to your heart desires, I’ll be around to assist as much as required and if you want to contact me via E-mail you may do so at will… I’ve also made a Look ‘n’ Stop website that you may explore http://www.wilderssecurity.info/, gets updates quite constantly… Hope everything does work out for you though, don’t like to see anyone without a Software Firewall of some type…
Well, I'll probably keep Sygate, As, theres nothing I really *need* to block, at the moment, and have Antitrojan software installed, and anti-spyware, and antivirus, I very seldom make advanced rules on Sygate, I mostly use it as a allow/block thing, if I do try another firewall, I might try Kerio, or Look'n'stop, maybe Outpost
And, Because I dont use Internet Explorer that much, anyways, I have put it on "Ask" so it asks on each new window I only use it for 1 site ... Also, I'm sure using Sygate is better then using no firewall at all, right?
The Adventures of exploring, doesn’t that sound even a bit interesting? I would suggest try exploring all those that you have listed, not Install/Uninstall with blink of an eye though. Try to understand how these Firewalls works and afterwards uninstall and install another and I’m sure you may find something else you like just as much if not more then Sygate Personal Firewall. Otherwise you aren’t experiencing first hand whether Sygate Personal Firewall is really the best, and just think of a lot you could possibly be missing out…
Yeah, I guess, just, at the moment, dont feel up-to downloading, and installing different firewalls, I have tried 3 firewalls before, I have tried: Zone Alarm, Zone Alarm Pro, (Didnt like how ZA handled memory) I tried Outpost free, (Didnt like the way the logs were kept) I got to sygate, I like it, logs are seperated (Unlike Outpost free) doesnt eat up my systems memory ... (Lower end system) I like the GUI, so, I really dont know
Yea i understand perfectly well, i'm extremely picky over the System Resource usage of a Software Firewall... I guess have been on 486/20mhz 8MB of ram for so long made me quite picky myself...
I'm actually looking at Kerio Firewall, right now, looks pretty good... It seems alot like Sygate (Well, for the configuration atleast) I like the fact where it can also just be a permit and deny (Like sygate offers) and also has the availability of Advanced rules.
Have read the posts by LowWaterMark, I was curious, so I downloaded Tooleaky. I am using Zone Alarm 4.0 Pro, and I have basically given IE access. Tooleaky first stumbled on my first line of defense, Abtrusion Protector. It wouldn't let it run. Once I allowed it and ran it ZA popped up an alert asking me if I want to allow Tooleaky access via IE. A no, put an end to that. I am happy.
I'm downloading System Safety Monitor right now, hoping to be able to block all malicous programs from ever running
Yea, that’s normally the most recommended approach. Since it deals with ALL Application Launchings and not just Client/Server base Applications, it should be something you’ll find interesting…
