What relevance leak tests??

I hear many (including myself) quoting leak test results; yet I've also heard some say such tests are meaningless.

Got to wonder: what, indeed, do leak tests reveal? Are they really important?? Seems that they only show what is going "out" from one's computer -- hence the emphasis on "outward" rules in firewalls to limit what is revealed about one's computer (browser info., other?).

My question is: does just being connected to the internet pose a threat *if* one's computer is "stealthed" by a firewall?? Or does "leakage" occur from one's computer even if it is "stealthed" by a firewall and one is making no outbound connection attempts?? (I can't see how that would be possible.)

It seems that the issue of "leakage" is only relevant when one is going *out* to make a connection -- surfing the web, for example. If one goes to a site which is ready to exploit one's computer there is danger, but if one is just going to CNN.com or other "friendly" websites, there's not too much danger (or is there?). If one's firewall is allowing too much information out, or allows for unwanted connections from outside to inside, then there's a potential problem, but, again, ONLY if one is surfing on hostile ground.

Am I understanding this right or am I missing something about "leakage"??

I've done a number of leak tests over the years, and it has always involved *me* initiating some kind of *outward* connecting, in the form of going to a website or initiating some kind of program that "asks" an outside source to attempt to connect with my computer. If I don't initiate and such action, and just sit behind my firewall-stealthed computer, there is no risk, right? Is there any way for some kind of hostile connection to force its way through my firewall if I do nothing to initiate any connection??


//

 

I am not a big proponent of leak tests and outbound protection. Where I think outbound protection is good is to prevent some applications (like svchost.exe, p2p when you aren't using them, etc.) so they can't phone home personal data and stuff. The problem with outbound protection for protecting from malware is that a user first has to allow the malware onto the pc. The user is already in deep water, and outbound protection, though it may help prevent complete disaster to the computer, won't solve the problem.

The job of preventing malware from doing damage is left IMO to HIPS, anti-whatever, properly configured browser, and a good inbound filtering firewall. The firewall helps prevent against network attacks, worms, hackers, etc. and if properly configured can't be beat, unless there is a security hole in the firewall.

Cheers,

Alphalutra1

 

OK, let's talk about svhost.exe for a minute: I know that there are a number of svhost.exe processes running on my computer at any given moment -- got six working right now, some with numerous connections -- and I know that malware tries to install fake svhost.exe processes. Preventing such malware from accomplishing this is obviously important.

So naturally some form(s) of prevention are vital. You mention HIPS and anti-malware.

So, the need exists for *both* inbound threats *and* the prevention of outbound communication, should such threats make their way into one's system, right? So, a solid anti-virus, accompanied by equally solid HIPS, and maybe also NIPS, and possibly also a Behavior analyzer-type app -- all these -- are of primary importance; then, as a last-ditch measure, the outward-bound "calling home" threats need to be stopped by anti-leak technology.

Does this sound like I've covered everything?

 

Ughh, I hate scvhost.exe, but if I were to use outbound protection, I would block any instances of it from accessing the internet accept when I run windows update, so I would manually change a rule.

Well, I don't really few it a a counter-measure, but some people do and find it very important. It can help prevent the download of a malware payload, the phoning of your data to a malware writer, etc. and help minimize the damage of an infection. However, it is not very difficult to bypass anti-leak technology if you install a driver, which a lot of malware could do and does currently . . .

So, since it is a losing battle with anti-leak technology(firewalls combat exploits after they are found), a firewall can never be on top of the game and there is always some way to bypass it. Only by utilizing other forms of prevention can malware be stopped and have its damage minimized.

Cheers,

Alphalutra1

 

How can you do that?? Isn't it necessary to make the connection? Isn't it a called process initiated by Windows via my web browser (Firefox)??

 

No, that shouldn't be needed, unless you have the DNS service running. It really doesn't serve any process and can be disabled with no ill affect. Just go Start->Run->Services.msc-> enter

Double click on the DNS Client, then set the startup to disabled.

Besides this, firefox should never need to call svchost.

Alphalutra1

 

Hi Sam,

check out this link A Guide to Producing a Secure Configuration for Outpost and see post #3 on the number of ways dns rules can be restricted. This excellent guide was created by Paranoid2000, a highly regarded security expert and member of this forum, for Outpost Pro fw, but the same principles apply to any software fw.

D1(b) in particular illustrates how svchost can be eliminated for dns querries.

EDIT

My goodness, I would be remiss not to include this one also Firewall Questions for Beginners

Recommended reading!

 

Thanks, Alpha. I'm going to have to read up on this.

"Don't need DNS"? I thought this is what translates the numeric designation of a website into its letter-based designation. Does disabling this leave you with only letter-based? or number-based?

Why does Windows employ these services if they are not really needed?? I've currently got a *ton* of memory tied up in several running svhost.exe processes and probably a fair chunk doing the dns service, also seemingly unnecessary.

 

Good stuff, cpr! I took a quick look at your first suggestion, but it's going to take more time than I have at the moment to implement it **properly**. Slowly but surely I'm getting pulled into this inner world of internet ops. Interesting stuff. I've got a full plate the next few days, but I will get back to this. Definitely.

 

Actually, DNS is required. It's just not required for svchost to do the lookups for you. Disabling DNS client service eliminates svchost from the equation and now puts the onus on every network-accessing application to do the dns lookups instead. This requires considerably more work configuring your fw rules because now you have to create a dns rule for all those apps, rather than only one rule for svchost. However, the benefit of this is that you reduce the possibility of svchost being exploited by a malicious process using the dns querries as an attack vector.

For your second question, svchost can not be disabled in Windows. It's needed to load Windows services, usually as a group. I have never been able to find a real good explanation of svchost, but there is an ok one here: http://www.bleepingcomputer.com/tutorials/tutorial83.html

 

Hello,
Leak tests are akin to a tank crew trying to see how vulnerable they are to a hand grenade they pop inside the turret. Firewalls are expected to keep unwanted traffic away from the computer - not battle the kernel and little programs running all over the place.
Mrk

 

Hello,

Leaktests are demonstrating facts (firewalls warning or not the user of an outbound access). Then, anyone is free to interpret the results.

I personally did two leaktests programs to demonstrate that a firewall alone cannot block everything and is not the super secure piece of security software some people were thinking. I did that to bring awarness about products claiming to be unbreakable and that some people thought to be invicible. I also added some explanations on my website to help tighting up your security (I'm promoting, for instance, HIPS softwares).

I don't really support the principle of "a malware is already in, so you are lost", because thinking this way, we can simply uninstall all of our current security software, including antivirus (I have seen trojans undetected by ALL antivirus at a given time for instance. I do not even talk about custom packed malware which cannot be detected.). Once the malware is in, nothing is lost yet. You can prevent it's execution, or you can control what it can do once launched, you can restrict network and kernel access, etc... But everyone has his own opinion about this, and I don't say at all others are wrong, this is just my point of view.

The conclusion is that a firewall is not enought by itself and cannot fight everything. As I say on my website : "The personal firewall is important, but is just a brick of the security wall.".

Just my opinion

Regards,
gkweb.

 

Hello,

I always refer to leaktests as something that happens after you download and execute something. Two active steps. While they might be useful in testing functionalities of firewalls, they are ... let's say redundant, because they rely on user's actions to do evil.

Think of something much simpler - boot from cd and delete all system files. No software can protect you from that. This is also something that requires active steps by users.

In their passive role, firewalls shuld monitor traffic. That's all. Everything else are idiotcountermeasures - "How to stop someone who wants to shoot himself in the foot from bleeding to death".

Testing firewalls against other software is problematic in that you can change the kernel so heavily that you can run software with its own hooks, sockets etc that the firewall won't even know it's running.

Firewall is there to stop traffic. Something else should be there to stop idiots.

Mrk

 

Although i'm not a technical-user lol, i would say if a company specializes in making a firewall and not attempting to control the outbound... is doing a poor job. Sure there will be numerous ways to avoid that, but at least it won't be that easy. Same goes for defending itself from termination. At least the malware has to be sofisticated enough to do these things.

Cheers

 

Leaktests are 'proof of concept', they demonstrate that something is possible but do not indicate that you are unsafe because malware may not be exploiting the leak at present. If malware does start using the exploit then I would hope the problem would be addressed smartly by the FW company.

If your FW passes a lot of leaktests it means theoretical gaps are being plugged before you have a problem. This inspires confidence in the FW but I would not base my selection of FW just on the basis of how many leaktests it passes. There are other factors and so long as the FW speedily plugs any genuine new holes that crop up that is more important than trying to plug every conceivable theoretical gap that may never even be a problem in real life.

Svchost.exe is just a means of running .dll based services, you have several versions of it running because different services are bundled up for convenience within each version. If you attempt to terminate an instance of svchost running a vital service then your system will prevent this (or crash!). However some instances will be running non-vital and unnecessary services, if you disable these then that instance of svchost will not run (I currently only have three instances running).

You can very easily determine what services each instance is running by looking in Process Explorer, or similar apps. Services running as an .exe run independently and do not require svchost of course.

 

My stance also. All I worry about is outside==>in. Well...lemme correct that...actually I "don't" worry about it..because I'm always behind NAT.

 

While they're often called firewall leaktests, they're more accurately described as system tests. When leaktests are used to help test and/or configure a users system or firewall to be resistant to those specific methods of attack, then they're useful. When they're misused as "firewall tests", usually to promote a firewall suites (usually one with a HIPS components) as superior to conventional firewalls, they're a disservice to the average user. Any firewall with a HIPS component that functions will pass most of those tests. By the same token, so will a packet filter firewall with separate HIPS software. Most of the leaktests use methods (like hooks) that conventional firewalls aren't intended to detect.

Several of the leaktests are very useful for tightening firewall rules. A conventional firewall can pass the PCAudit test for instance by tightening the firewall rules for loopback connections. Several of the other leaktests exploit Internet Explorer specifically and can usually be defeated by denying Internet Explorer access to the net.

Making tight firewall rules is always a good idea, whether the firewall or PC uses HIPS or not. Too often though, the leaktests are used like demonstrations and not to help users better secure their systems. When the average user sees a firewall pass a leaktest, thanks to the HIPS component, they don't see any need to improve the tightness of the actual firewall rules. Most users don't know how to write secure firewall rules anymore. Vendors and individuals misuse leaktests to promote their products or to over-emphasizing the additional features of the firewall suite while de-emphasizing the importance of internet traffic control, which is at the core of PC security. The results are PCs that are only marginally secured, with often a single plug-in or module preventing easy access to the core of the system. The basic principles of layered security disregarded.

Leaktests can be used to help tighten up conventional defenses, like your firewall. They can also be used to demonstrate how well HIPS components and the newer process controlling features can help provide additional protection. As long as the user understands that controlling traffic is the firewalls most important function, and the additional components are supplemental to that protection. They don't replace it or reduce its importance.
Rick

 

I fully understand it now with your post but still i think passing leaktests (depending on the "leaktest") should be a healthy exercise to firewall developers. To re-check the rules for outbound control. I understand that that's not the conventional task of the firewall (inbound). But it's good to have increasing tightened rules (for outbound). At least the effort is being made so it isn't that easy to go around the firewall. To increase control on what goes out my computer.
Do you understand what i meant? Knowing it's not the main task, it's good as long as it doesn't drag the computer, etc. Not the main selection criteria, got it.
What do you think?

 

No it is not.
Most people don't want any hips, and those that do, don't want any conflict from their firewall.
If they need to pass those tests as nowadays all demand, they become too complicated for the average user, with features disabled generally.

Would i install on my system something like Comodo, no

 

I you don't want that, click the off button. You can disable it if you like to keep a pure firewall. That way you can use HIPS to do that for you.
You have the choice

 

There is always the conflicting kernel lever driver installed. Disabling is not a solution.

 

Leaktests: you love them or you hate them
What do they mean in security terms? Basically, if you have been infected you keep the possibility of data safety and probably that malware can´t phone home or deliver its payload.
As herbalist said, people feels more secure if the firewall that they have chosen scores high in leaktests forgeting the really important thing: not being infected at first.
So, is of real importance that firewalls must pass leaktests with flying colours?? Definitively NO. The firewall´s job is discard unsolicited packets and connections