What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. TairikuOkami

    TairikuOkami Registered Member

    An old test, but it is still valid; it taught me that DNS goes through svchost and apps sometimes check updates through it, so it might appear as a leak. I block UDP port 53, but since DNS is allowed, it does not matter much.
    This is the reason I preferred to disable the DNS Cache service: it prevents DNS poisoning and DNS leaks, since each app makes its own requests. But if you use DoH or DoT, it is no longer possible without the service. :(
    https://www.grc.com/lt/leaktest.htm
     


    Last edited: Sep 14, 2025 at 7:28 AM
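The post above describes why a per-app firewall attributes DNS lookups to svchost.exe (the DNS Client service proxies them) and why DoH/DoT needs that service. The script below is an added example, not code from this thread or from any product mentioned in it: it audits the DNS path on a Windows 10/11 host so you can check those three things yourself. It assumes the in-box DnsClient, NetSecurity and NetTCPIP modules and an elevated PowerShell 5.1 or later session; `Get-DnsClientDohServerAddress` is only present on Windows 11, so the script tests for it first.

```powershell
# Added example (not from the thread). Audits how DNS leaves this host:
#  - the Dnscache service state (while it runs, lookups are proxied through svchost.exe),
#  - configured DoH servers (Windows 11 cmdlet; skipped where absent),
#  - outbound Windows Firewall rules that mention port 53,
#  - live TCP sessions to port 53 (DNS over TCP) or 853 (DoT) with the owning process.
# Assumes: Windows 10/11, elevated session, in-box DnsClient/NetSecurity/NetTCPIP modules.

function Get-DnsPathAudit {
    [CmdletBinding()]
    param()

    # 1. DNS Client service. Running = applications resolve via svchost.exe;
    #    Stopped = each application resolves for itself and shows up under its own name.
    $svc = Get-Service -Name Dnscache

    # 2. DoH configuration (Windows 11 only). Requires the DNS Client service to be running.
    $doh = @()
    if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
        $doh = @(Get-DnsClientDohServerAddress |
            Select-Object ServerAddress, DohTemplate, AutoUpgrade, AllowFallbackToUdp)
    }

    # 3. Outbound firewall rules whose port filter names port 53. RemotePort/LocalPort are
    #    strings ('Any', '53', '53-60'), so compare them as text.
    $rules = @(Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { (@($_.RemotePort) -contains '53') -or (@($_.LocalPort) -contains '53') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' } |
        Select-Object DisplayName, Enabled, Action, Profile)

    # 4. Established TCP sessions to 53 or 853, resolved to the owning process name.
    #    Plain UDP DNS has no session to inspect, which is why only TCP/DoT appears here.
    $tcp = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 53, 853 } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process    = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
                RemoteAddr = $_.RemoteAddress
                RemotePort = $_.RemotePort
            }
        })

    [pscustomobject]@{
        DnsClientService = "$($svc.Status) (StartType: $($svc.StartType))"
        DohServers       = $doh
        Port53Rules      = $rules
        DnsTcpSessions   = $tcp
        Note             = if ($svc.Status -eq 'Running') {
                               'Lookups are proxied through svchost.exe; per-app firewall logs will show svchost, not the app.'
                           } else {
                               'Dnscache is stopped: apps resolve directly, but DoH/DoT via the OS is unavailable.'
                           }
    }
}

# Usage: print the audit as a list; the nested tables expand with Format-List.
Get-DnsPathAudit | Format-List
```

Read the `Note` field first, then `Port53Rules`: a "block UDP 53" rule only bites when it is enabled and actually ordered ahead of the allow rules the post mentions, and with Dnscache running it blocks svchost, not the individual application.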
  2. Serphis

    Serphis Registered Member

    Hello,
    I think you are right because I don't use a VPN and for testing purposes I disabled all connections (In and Out) both in Malwarebytes Windows Firewall Control and SphinxSoft Windows 11 Firewall Control for the following KeyScrambler executables: KeyScrambler.exe (both 32-bit and 64-bit) and QFXUpdateService.exe (both 32-bit and 64-bit). KeyScrambler was able to make a successful update check because it showed a popup window saying that I'm using the latest version instead of a window saying that it couldn't contact the KeyScrambler server, like I presume it should do.
     
    Last edited: Sep 14, 2025 at 8:44 AM
  3. Rasheed187

    Rasheed187 Registered Member

    I'm not sure what's up with your system, which firewall are you using? TinyWall and WFC had no problem blocking this quite simple leaktest.

    Remember Matousec? Those leaktests were so much fun, they all tried to bypass the firewall via several advanced methods. ZoneAlarm, Comodo and Outpost were pretty good at passing those tests, because of their HIPS.
     
  4. Serphis

    Serphis Registered Member

    I did the Leak test too and both my firewalls blocked it without issues.
     
  5. Serphis

    Serphis Registered Member

    Hmm, I just checked the Malwarebytes WFC log and it shows the blocked outbound connections from Keyscrambler.exe when I did the update check, same with SphinxSoft W11 FC log. I wonder how KeyScrambler was able to make the update check successfully. If its outbound connections were allowed through DNS svchost they shouldn't appear as blocked in both firewalls' logs, I think :confused:

    Keyscrambler blocked out connection.png

    W11 FC log.png
     
    Last edited: Sep 14, 2025 at 5:24 PM
  6. monkeylove

    monkeylove Registered Member

    I think it's because I'm using custom builds, as branded PCs tend to be expensive. With that, Secure Boot and Core Isolation are not turned on unless I set the BIOS and make sure that the boot drive uses GPT. Also, if Core Isolation detects old drivers, I have to remove them using Driver Store Explorer or rename them.
     
  7. drache

    drache Registered Member

    Badly behaved programs can abuse BITS to 'phone home' too. The CEF component of Steam once tried to update its Widevine module through BITS; I only caught it because the attempts to connect were logged by the firewall.
     
    Last edited: Sep 15, 2025 at 5:32 AM
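The post above notes that a program can hand its download to BITS, so the firewall sees the BITS service host rather than the program. The script below is an added example, not code from this thread or from any of the products it names: it enumerates every BITS job on the machine with its owner and remote URLs, flags jobs whose host is not on an expected list, and pulls the job start/stop events from the BITS-Client operational log, which survive after the job itself is gone. It assumes the in-box BitsTransfer module and an elevated session (`-AllUsers` needs it); the `$ExpectedHosts` entries are placeholders to replace with your own update infrastructure.

```powershell
# Added example (not from the thread). Audits BITS jobs and recent BITS transfer events so a
# program "phoning home" via BITS is visible without relying on a third-party firewall log.
# Assumes: elevated PowerShell 5.1+, in-box BitsTransfer module, Windows 10/11.

Import-Module BitsTransfer

# Placeholder allow-list (constructed for this example): hosts you expect BITS to talk to.
# Jobs to any other host are flagged for review; nothing here blocks or cancels a job.
$ExpectedHosts = @('*.windowsupdate.com', '*.update.microsoft.com', '*.delivery.mp.microsoft.com')

function Test-ExpectedHost {
    param([string]$Url)
    try { $hostName = ([uri]$Url).Host } catch { return $false }
    foreach ($pattern in $ExpectedHosts) {
        if ($hostName -like $pattern) { return $true }
    }
    return $false
}

function Get-BitsJobAudit {
    # One row per file in every job on the machine, with owner, state and remote URL.
    [CmdletBinding()]
    param()
    Get-BitsTransfer -AllUsers -ErrorAction Stop | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            [pscustomobject]@{
                Job       = $job.DisplayName
                Owner     = $job.OwnerAccount
                State     = $job.JobState
                Created   = $job.CreationTime
                RemoteUrl = $file.RemoteName
                LocalPath = $file.LocalName
                Expected  = Test-ExpectedHost $file.RemoteName
            }
        }
    }
}

function Get-BitsTransferEvents {
    # Event 59 = BITS started a transfer job for a URL, 60 = that transfer stopped.
    # Both messages carry the job name and the URL, so history is available after cleanup.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59, 60
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: show live jobs pointing outside the expected hosts, then the last day of history.
Get-BitsJobAudit | Where-Object { -not $_.Expected } | Format-Table -AutoSize -Wrap
Get-BitsTransferEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

The event log query is the part worth scheduling: a job created in manual mode, run and removed inside a minute never shows up in `Get-BitsTransfer`, but events 59 and 60 are still written with the URL that was fetched.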
  8. Rasheed187

    Rasheed187 Registered Member

    OK I see, you're talking about Secure Boot and Core Isolation, I don't know if these features are turned on by default on Win 10/11, but I do know that Core Isolation gave problems with SpyShelter 12. But normally speaking these features should not improve detection rates of Win Defender.

    I'm not sure what you mean, because those connections were blocked right? So of course they will show up in the logs? In other words, KeyScrambler could NOT check for updates, or am I misunderstanding?

    Yes correct, forgot about BITS. You can disable this service, but Windows Update needs it. And badly behaved apps/malware can of course start this service themselves when it's in manual mode. So you need a HIPS to monitor this stuff.
     
  9. Serphis

    Serphis Registered Member

    Every time I did a KeyScrambler update check, the keyscrambler.exe outbound connections appeared as blocked in both the Malwarebytes WFC and SphinxSoft W11 FC logs, but KeyScrambler was able anyway to make a successful update check. How is it possible?
    If KeyScrambler was using DNS svchost or BITS to bypass both firewalls I shouldn't get those entries saying "Blocked" in both firewall logs, I guess.
     
  10. Serphis

    Serphis Registered Member

    I just tried once more, same behavior as before

    W11 FC log.png

    WFC log.png

    KeyScrambler update check.png
     
  11. Rasheed187

    Rasheed187 Registered Member

    OK I see, then I misunderstood. So according to you, KeyScrambler was able to check for updates successfully?

    Can you perhaps disconnect from the internet (unplug cable or disable WIFI) and what will KeyScrambler then say? And you might also want to use TCPView, to see if and how KeyScrambler is able to connect.

    https://learn.microsoft.com/nl-nl/sysinternals/downloads/tcpview
     
  12. Serphis

    Serphis Registered Member

    I prefer not to disconnect from the Internet, but later I'll try TCPView, thanks for your help.
     
  13. Serphis

    Serphis Registered Member

    I guess it is, judging from the KeyScrambler popup info saying that I'm using the latest version. I presume that if it failed the update check it should show a popup window saying that it can't connect to the KeyScrambler server or similar.
     
  14. Serphis

    Serphis Registered Member

    When I did the update check, the keyscrambler.exe process didn't appear in either TCPView or the SphinxSoft W11 FC connections panel; I wrote "keyscrambler" in both filtering fields. Anyway it does appear in the SphinxSoft W11 FC Events window, yet I get the message that I'm using the latest KeyScrambler version. Anyway it's not so important, it's more like curiosity and I wanted to share my experience as it seems another user in this thread had some issue with the KeyScrambler update check. https://www.wilderssecurity.com/thr...etup-these-days.111264/page-1705#post-3247897
     
  15. Serphis

    Serphis Registered Member

    I'm on the SpyShelter forum too (username Kaliban) but after the end of the 30-day trial period I didn't subscribe to it because in my opinion it's too expensive for what it offers. I'm aware of that post and I agree with you that it's rather odd that enabling a VPN killswitch would completely disable SpyShelter. About the Glasswire / VPN user, I'm sorry but I would prefer not to mention another firewall in their official forum nor try to convince her/him to install another firewall on her/his system. Furthermore the same user's last post was a week ago and he/she didn't reply to other users suggesting to make some tests by disabling the VPN and/or by installing the Glasswire portable version. Anyway it would be useful to know if TinyWall / VPN users had some issues in blocking some apps, here in Wilders Security Forum on the dedicated thread https://www.wilderssecurity.com/threads/tinywall-firewall.309739/page-95 as the TinyWall official website doesn't have a users' forum.
     
    Last edited: Sep 16, 2025 at 8:11 AM
  16. monkeylove

    monkeylove Registered Member

    Thanks!

    I found out that there's a command that can be run from PowerShell:

    https://learn.microsoft.com/en-us/p...et-mpcomputerstatus?view=windowsserver2025-ps

    Get-MpComputerStatus

    that can determine the status of the antimalware used in the OS.

    I'm currently using Avast Premium (got it for a few dollars in one online store), and decided to turn on those features (everything in App and Browser Control except for Smart App Control which is greyed out, and Device Security), then ran the PowerShell command, and found that all of the Windows antimalware functions are marked "False" or turned off.

    That means what one forum member told another in the Avast forum about whether or not he should turn on Windows Security features is correct: in general, a third party AV should take over, and many or all of those features should remain disabled even though the user toggles them on.
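The post above reads the "False" values from `Get-MpComputerStatus` as Defender having stepped aside for a third-party product. The script below is an added example, not code from this thread or from any vendor named in it: it reads the same status object, lists which protection switches are off, and cross-checks against the antivirus products registered with Windows Security Center, so "off because another AV took over" and "off with nobody covering" are told apart. It assumes a Windows 10/11 client (the `root/SecurityCenter2` namespace is not present on Server editions); the `productState` decode is the widely used community interpretation of an undocumented bit field, flagged as such in the code.

```powershell
# Added example (not from the thread). Correlates Get-MpComputerStatus with the AV products
# registered in Windows Security Center to explain why Defender's flags read False.
# Assumes: Windows 10/11 client, Defender module present, PowerShell 5.1+.

function Get-DefenderProtectionReport {
    [CmdletBinding()]
    param()

    $mp = Get-MpComputerStatus

    # Boolean switches on the status object that the thread's screenshots refer to.
    $flags = 'AMServiceEnabled', 'AntivirusEnabled', 'AntispywareEnabled',
             'RealTimeProtectionEnabled', 'OnAccessProtectionEnabled',
             'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'NISEnabled',
             'IsTamperProtected'
    $off = @($flags | Where-Object { -not $mp.$_ })

    # Antivirus products as registered with Security Center (Defender registers here too).
    $products = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
            -ErrorAction SilentlyContinue |
        ForEach-Object {
            # productState is a packed bit field. Decode below is the common community
            # interpretation, not a documented contract: hex digits 3-4 = 10/11 enabled,
            # 00/01 disabled; digits 5-6 = 00 signatures up to date, 10 out of date.
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        })

    $thirdParty = @($products | Where-Object { $_.Name -notmatch 'Defender' -and $_.Enabled })

    [pscustomobject]@{
        RunningMode      = $mp.AMRunningMode      # e.g. Normal, Passive Mode, Not running
        DisabledFeatures = $off
        RegisteredAV     = $products
        ThirdPartyActive = $thirdParty.Name
        Verdict          = if ($thirdParty.Count -gt 0 -and $off.Count -gt 0) {
                               'Defender is standing down for an active third-party AV (expected).'
                           } elseif ($off.Count -gt 0) {
                               'Defender features are off and no third-party AV is active: investigate.'
                           } else {
                               'Defender is fully active.'
                           }
    }
}

# Usage: Format-List so the nested product table is shown in full.
Get-DefenderProtectionReport | Format-List
```

`AMRunningMode` is the more direct answer to the question in the post: `Passive Mode` or `Not running` alongside an enabled third-party product means the hand-over happened as designed, whereas a long list in `DisabledFeatures` with an empty `ThirdPartyActive` is the case worth chasing.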
     
  17. Minimalist

    Minimalist Registered Member

    I don't follow that channel any more.
    In meantime I returned to Eset Nod32 Antivirus.
     