What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,727
    Location:
    Flat Earth Matrix
    An old test, but it is still valid. It taught me that DNS goes through svchost and apps sometimes check updates through it, so it might appear as a leak. I block UDP port 53, but since DNS is allowed, it does not matter much.
    This is the reason I preferred to disable the DNS Cache service: it prevents DNS poisoning and DNS leaks, since each app makes its own requests. But if you use DoH or DoT, it is no longer possible without the service. :(
    Code:
    https://www.grc.com/lt/leaktest.htm
     


    Last edited: Sep 14, 2025
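Added example (not part of any post in this thread): a PowerShell check for the point made above, that name resolution is done by the DNS Client (Dnscache) service inside svchost.exe rather than by the application, so a host can end up resolved even when the application's own connections are blocked. The host pattern is an assumption taken from the update host named later in the thread; replace it with the host you are investigating.

```powershell
# Added example, not from the thread: show that DNS lookups are made by the Dnscache
# service host, and check whether a host was resolved on a blocked application's behalf.
# $HostPattern is an assumption (update host mentioned later in the thread).
param([string]$HostPattern = '*qfxsoftware.com')

# 1. While Dnscache runs, every application's lookups leave from svchost.exe (the
#    service host), so a per-application rule never sees the UDP/53 packets.
$svc = Get-Service -Name Dnscache
'Dnscache service: {0} (start type {1})' -f $svc.Status, $svc.StartType

# 2. The UDP sockets that actually carry the queries belong to that svchost instance.
$svcPid = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'").ProcessId
"Dnscache runs in PID $svcPid; its UDP sockets:"
Get-NetUDPEndpoint | Where-Object { $_.OwningProcess -eq $svcPid } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 3. Flush the resolver cache, trigger the update check in the blocked application,
#    then look for the host in the cache. A hit proves a resolution took place even
#    though the application's own TCP connection was logged as blocked.
Clear-DnsClientCache
Read-Host 'Cache flushed. Trigger the update check now, then press Enter' | Out-Null
$hits = Get-DnsClientCache | Where-Object { $_.Entry -like $HostPattern }
if ($hits) {
    "Cached entries matching $HostPattern (resolved on the application's behalf):"
    $hits | Select-Object Entry, RecordType, Data, TimeToLive | Format-Table -AutoSize
} else {
    "No cached entry matching $HostPattern was found."
}
```

With the DNS Client service disabled, as described in the post, step 2 shows no Dnscache sockets and the resolver cache stays empty, because each application then sends its own queries and a per-application rule covers them.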
  2. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    Hello,
    I think you are right because I don't use a VPN, and for testing purposes I disabled all connections (in and out) in both Malwarebytes Windows Firewall Control and SphinxSoft Windows 11 Firewall Control for the following KeyScrambler executables: KeyScrambler.exe (both 32-bit and 64-bit) and QFXUpdateService.exe (both 32-bit and 64-bit). KeyScrambler was able to make a successful update check, because it showed a popup window saying that I'm using the latest version instead of a window saying that it couldn't contact the KeyScrambler server, like I presume it should do.
     
    Last edited: Sep 14, 2025
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,605
    Location:
    The Netherlands
    I'm not sure what's up with your system, which firewall are you using? TinyWall and WFC had no problem blocking this quite simple leaktest.

    Remember Matousec? Those leaktests were so much fun, they all tried to bypass the firewall via several advanced methods. ZoneAlarm, Comodo and Outpost were pretty good at passing those tests, because of their HIPS.
     
  4. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    I did the Leak test too and both my firewalls blocked it without issues.
     
  5. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    Hmm, I just checked the Malwarebytes WFC log and it shows the blocked outbound connections from KeyScrambler.exe when I did the update check, same with the SphinxSoft W11 FC log. I wonder how KeyScrambler was able to make the update check successfully. If its outbound connections were allowed through DNS svchost, they shouldn't appear as blocked in both firewalls' logs, I think :confused:

    Keyscrambler blocked out connection.png

    W11 FC log.png
     
    Last edited: Sep 14, 2025
  6. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    252
    I think it's because I'm using custom builds, as branded PCs tend to be expensive. With that, Secure Boot and Core Isolation are not turned on unless I set the BIOS and make sure that the boot drive uses GPT. Also, if Core Isolation detects old drivers, I have to remove them using Driver Store Explorer or rename them.
     
  7. drache

    drache Registered Member

    Joined:
    Dec 10, 2014
    Posts:
    15
    Badly behaved programs can abuse BITS to 'phone home' too. The CEF component of Steam once tried to update its Widevine module through BITS; I only caught it because the attempts to connect were logged by the firewall.
     
    Last edited: Sep 15, 2025
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,605
    Location:
    The Netherlands
    OK I see, you're talking about Secure Boot and Core Isolation, I don't know if these features are turned on by default on Win 10/11, but I do know that Core Isolation gave problems with SpyShelter 12. But normally speaking these features should not improve detection rates of Win Defender.

    I'm not sure what you mean, because those connections were blocked right? So of course they will show up in the logs? In other words, KeyScrambler could NOT check for updates, or am I misunderstanding?

    Yes correct, forgot about BITS. You can disable this service, but Windows Update needs it. And badly behaved apps/malware can of course start this service themselves when it's in manual mode. So you need HIPS to monitor this stuff.
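Added example (not part of any post in this thread): a PowerShell listing of BITS transfer jobs and the BITS client event log, so that a download queued on an application's behalf, as described in the two posts above, is visible with its owner and remote URL. It assumes an elevated prompt (Get-BitsTransfer -AllUsers needs it) and the standard Microsoft-Windows-Bits-Client/Operational log.

```powershell
# Added example, not from the thread: enumerate BITS jobs and recent BITS client events.
# Run from an elevated PowerShell; -AllUsers requires administrator rights.
Import-Module BitsTransfer

# Service state: with start type "Manual", any process can start BITS on demand,
# which is the point made in the post above about badly behaved apps.
$bits = Get-Service -Name BITS
'BITS service: {0} (start type {1})' -f $bits.Status, $bits.StartType

# Current jobs and their files. The transfer is performed by the BITS service in
# svchost.exe, so a per-application firewall never attributes it to the requester;
# the job's owner account and remote URL are the clues you get here.
Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    $job.FileList | ForEach-Object {
        [pscustomobject]@{
            Job       = $job.DisplayName
            State     = $job.JobState
            Owner     = $job.OwnerAccount
            Type      = $job.TransferType
            RemoteUrl = $_.RemoteName
            LocalFile = $_.LocalName
            Created   = $job.CreationTime
        }
    }
} | Format-Table -AutoSize

# Jobs that already finished are gone from the queue, but the BITS client log keeps
# them: event 3 is "job created" (names the owner), event 59 is "started transferring"
# and carries the URL. Review these after an application reports a successful check.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 59 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the queue is empty but the event log shows a job created and a URL transferred around the time of the update check, the download went through BITS rather than through the application's own socket.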
     
  9. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    Every time I did the KeyScrambler update check, the keyscrambler.exe outbound connections appeared as blocked in the logs of both Malwarebytes WFC and SphinxSoft W11 FC, but KeyScrambler was able anyway to make a successful update check. How is it possible?
    If KeyScrambler was using DNS svchost or BITS to bypass both firewalls, I shouldn't get those entries saying "Blocked" in both firewall logs, I guess.
     
  10. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    I just tried once more, same behavior as before.

    W11 FC log.png

    WFC log.png

    KeyScrambler update check.png
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,605
    Location:
    The Netherlands
    OK I see, then I misunderstood. So according to you, KeyScrambler was able to check for updates successfully?

    Can you perhaps disconnect from the internet (unplug the cable or disable WiFi) and see what KeyScrambler then says? And you might also want to use TCPView, to see if and how KeyScrambler is able to connect.

    https://learn.microsoft.com/nl-nl/sysinternals/downloads/tcpview
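Added example (not part of any post in this thread): a PowerShell stand-in for the TCPView check suggested above. It samples the TCP connection table repeatedly, because a short update check can open and close its socket between two manual refreshes of a GUI, and it matches either by owning process name or by destination address, so a connection made on the application's behalf by another process (svchost.exe for DNS or BITS) is caught as well. The default process pattern and host are assumptions based on this thread; adjust them to your case.

```powershell
# Added example, not from the thread: poll Get-NetTCPConnection and record every
# connection owned by a matching process OR going to the resolved IPs of a host.
# Defaults are assumptions taken from the thread (KeyScrambler update host).
function Watch-ProcessConnections {
    param(
        [string]$ProcessPattern = 'keyscrambler*',
        [string]$RemoteHost     = 'download.qfxsoftware.com',
        [int]$Seconds           = 30,
        [int]$IntervalMs        = 200
    )
    # Resolving the host here is itself a lookup through the DNS Client service.
    $remoteIps = @()
    if ($RemoteHost) {
        $remoteIps = @(Resolve-DnsName -Name $RemoteHost -Type A -ErrorAction SilentlyContinue |
                       Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    }
    $seen     = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        # One PID -> name map per sample; cheaper than Get-Process per connection.
        $names = @{}
        Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
        foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
            # OwningProcess is UInt32; cast so the Int32 keys from Get-Process match.
            $name   = $names[[int]$c.OwningProcess]
            $byName = $name -and ($name -like $ProcessPattern)
            $byHost = $remoteIps -contains $c.RemoteAddress
            if (-not ($byName -or $byHost)) { continue }
            $key = '{0}:{1}->{2}:{3}' -f $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    FirstSeen = Get-Date
                    Process   = $(if ($name) { $name } else { '<exited>' })
                    Pid       = $c.OwningProcess
                    Remote    = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
                    State     = $c.State
                    MatchedBy = $(if ($byName) { 'process' } else { 'destination' })
                }
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    $seen.Values | Sort-Object FirstSeen
}

# Start the watcher, trigger the update check inside the window, then read the table.
Watch-ProcessConnections | Format-Table -AutoSize
```

A row matched by destination but owned by svchost.exe or a service PID rather than the application tells you which process actually carried the traffic; no row at all while the application still reports success means the check did not use a TCP socket that this host opened during the window (for example, a cached result or a DNS-only exchange).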
     
  12. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    I prefer not to disconnect from the Internet, but later I'll try TCPView, thanks for your help.
     
  13. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    I guess it is, judging from the KeyScrambler popup info saying that I'm using the latest version. I presume that if it failed the update check it should show a popup window saying that it can't connect to the KeyScrambler server or similar.
     
  14. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    When I did the update check, the keyscrambler.exe process didn't appear in either TCPView or the SphinxSoft W11 FC connections panel; I wrote "keyscrambler" in both filtering fields. Anyway it does appear in the SphinxSoft W11 FC Events window, yet I get the message that I'm using the latest KeyScrambler version. Anyway it's not so important, it's more like curiosity, and I wanted to share my experience as it seems another user in this thread had some issue with the KeyScrambler update check. https://www.wilderssecurity.com/thr...etup-these-days.111264/page-1705#post-3247897
     
  15. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    I'm on the SpyShelter forum too (username Kaliban), but after the end of the 30-day trial period I didn't subscribe to it because in my opinion it's too expensive for what it offers. I'm aware of that post and I agree with you that it's rather odd that enabling a VPN killswitch would completely disable SpyShelter. About the Glasswire / VPN user, I'm sorry but I would prefer not to mention another firewall in their official forum, nor try to convince her/him to install another firewall on her/his system. Furthermore, the same user's last post was a week ago and he/she didn't reply to other users suggesting to make some tests by disabling the VPN and/or by installing the Glasswire portable version. Anyway, it would be useful to know if TinyWall / VPN users had some issues in blocking some apps, here on Wilders Security Forum in the dedicated thread https://www.wilderssecurity.com/threads/tinywall-firewall.309739/page-95 as the TinyWall official website doesn't have a users' forum.
     
    Last edited: Sep 16, 2025
  16. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    252
    Thanks!

    I found out that there's a command that can be run from Powershell:

    https://learn.microsoft.com/en-us/p...et-mpcomputerstatus?view=windowsserver2025-ps

    Get-MpComputerStatus

    that can determine the status of the antimalware used in the OS.

    I'm currently using Avast Premium (got it for a few dollars in one online store), and decided to turn on those features (everything in App and Browser Control except for Smart App Control which is greyed out, and Device Security), then ran the Powershell command, and found that all of the Windows antimalware functions are marked "False" or turned off.

    That means what one forum member told another in the Avast forum about whether or not he should turn on Windows Security features is correct: in general, a third party AV should take over, and many or all of those features should remain disabled even though the user toggles them on.
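Added example (not part of any post in this thread): a PowerShell script that reads the same Get-MpComputerStatus output mentioned above and puts the "False" flags next to the reason for them, namely which antivirus products are registered with Windows Security Center. The AMRunningMode property and the productState decoding are assumptions: the property exists on recent Windows 10/11 builds, and the 0x1000 "enabled" bit is the commonly documented interpretation of the undocumented productState field.

```powershell
# Added example, not from the thread: summarise Defender state and registered AV products.
$s = Get-MpComputerStatus

# The Boolean flags the post above found set to False under a third-party AV.
$flags = 'AMServiceEnabled', 'AntivirusEnabled', 'AntispywareEnabled',
         'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
         'OnAccessProtectionEnabled', 'IoavProtectionEnabled', 'NISEnabled'
$flags | ForEach-Object {
    [pscustomobject]@{ Setting = $_; Enabled = $s.$_ }
} | Format-Table -AutoSize

# AMRunningMode (recent builds only, hence the property check): "Passive Mode" or
# "Not running" means Defender stepped aside for another registered AV.
if ($s.PSObject.Properties['AMRunningMode']) { "Defender running mode: $($s.AMRunningMode)" }
"Signatures last updated: $($s.AntivirusSignatureLastUpdated)"

# Which antivirus products are registered with Windows Security Center? On client
# Windows the root/SecurityCenter2 namespace lists them; productState is a bit field
# and bit 0x1000 is the commonly documented "enabled" flag (assumption).
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Product = $_.displayName
            State   = ('0x{0:X6}' -f $_.productState)
            Enabled = (($_.productState -band 0x1000) -ne 0)
        }
    } | Format-Table -AutoSize
```

If the table shows a third-party product as enabled and Windows Defender Antivirus as disabled, the False flags from Get-MpComputerStatus are the expected hand-over described above rather than a broken Defender installation.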
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,920
    Location:
    Slovenia, EU
    I don't follow that channel any more.
    In the meantime I returned to ESET NOD32 Antivirus.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,989
    Location:
    USA
    Yes. Every time I turn around, ESET NOD32 Antivirus keeps following me around.
    For many years I have installed it on every computer I have owned.
     
  19. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    451
    Location:
    Finland
    Testing Avira Free + Fort Firewall
    Avira is very strong against malware .exe files, strong against VBS/JS scripts, but not so strong against .bat/cmd/ps1 files. Especially obfuscated bat/cmd/ps1 scripts slip through a lot. I also noticed that, although Avira also uses AMSI, it failed to protect against some AMSI bypass methods. For example, McAfee instantly notified PS/Amsibypass and Sophos AMSI/Reflect-K.
    A couple of days ago, someone uploaded Lockbit 5 ransomware to Bazaar. Tested it against Emsisoft: system fully encrypted. Avira blocked it instantly (HEUR/APC).

    As for Fort Firewall.
    I especially like the Fort Firewall feature to add programs to its block list. For example, I made a very simple outside connection block rule for PowerShell, something like this:
    C:\**\powershe*.exe, and you can tweak it further to block or kill its child processes or terminate it completely. I made the same simple block rule for common "lolbins": curl, wscript/cscript, mshta, explorer.exe and even Control Panel (control.exe). Some malware uses control.exe (process injection) to connect outside.
    Hopefully @tnodir will implement that halt/stop feature, because some software, like KeyScrambler, can connect outside (TCP to port 80), but Fort Firewall reacts too late, so the information is sent.
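Added example (not part of any post in this thread): the Windows Defender Firewall equivalent of the outbound block rules described above, created with New-NetFirewallRule. Unlike the Fort Firewall pattern C:\**\powershe*.exe, each Windows rule matches one fixed path, and these rules do not stop or kill child processes; they only drop the listed program's own outbound traffic. The program list and rule-name prefix are constructed for this example; run it from an elevated PowerShell.

```powershell
# Added example, not from the thread: per-program outbound block rules in the
# built-in Windows firewall, idempotent and easy to list or remove by name prefix.
$prefix   = 'Added-Block-Outbound'   # assumed prefix, for listing and removal
$programs = @(                       # constructed sample of common "lolbins"
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\curl.exe"
)

foreach ($exe in $programs) {
    if (-not (Test-Path -LiteralPath $exe)) { "skip (not present): $exe"; continue }
    # Full path in the name keeps the 32-bit and 64-bit PowerShell rules distinct.
    $name = '{0}: {1}' -f $prefix, $exe
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        "exists: $name"; continue
    }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
        -Action Block -Profile Any -Enabled True `
        -Description 'Added example: block outbound traffic for this program' | Out-Null
    "created: $name"
}

# Verify what is in place: rule, state, action and the program path it is bound to.
Get-NetFirewallRule -DisplayName "$prefix*" | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Program = $app.Program
    }
} | Format-Table -AutoSize

# To undo everything this script added:
#   Get-NetFirewallRule -DisplayName "$prefix*" | Remove-NetFirewallRule
```

Two caveats follow from the thread: a rule on powershell.exe also blocks legitimate administrative use of Invoke-WebRequest and similar cmdlets, and a program that hands its traffic to another process (the DNS Client service, BITS, or an injected host process, as discussed above for control.exe) is not covered by a rule bound to its own executable.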
     
  20. tnodir

    tnodir Developer

    Joined:
    Oct 21, 2017
    Posts:
    360
    Location:
    etc
    Just set a filter mode to "Block, if not allowed" for now. So new apps will be blocked.
     
  21. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    451
    Location:
    Finland
    @tnodir
    It does not work.
    Install KeyScrambler free; during install it asks to check for updates. Allow it. Then KeyScrambler asks for a reboot to install its keyboard "hooks" or something like that.
    After reboot, open Fort Firewall. Go to "programs" and remove KeyScrambler from "allowed programs".
    Then check for KeyScrambler updates: two TCP outside connections accepted to port 80. But Fort Firewall reacts too late. TCP packets are sent before Fort Firewall reacts.
    That's why Fort Firewall needs that halt/stop feature, like for example NetLimiter's "blocker" does.
    I don't know what kind of mechanism KeyScrambler uses to connect outside (maybe BITS or something like that).
    So from a security point of view, any malware can do the same, packets are sent to a C2 server, but Fort Firewall reacts too late.
    Comodo and NetLimiter, maybe Portmaster, are the only ones that actually can do stop/halt.
    Nevertheless, Fort Firewall is the best software firewall I've used.
     
  22. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    Hello,
    I experienced the same KeyScrambler update check behavior. Both my firewalls, Malwarebytes Windows Firewall Control and SphinxSoft Windows 11 Firewall Control, blocked 2 outbound connections to download.qfxsoftware.com on port 443, but KeyScrambler was able to make a successful update check.

     
    Last edited: Sep 19, 2025
  23. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    451
    Location:
    Finland
    @Serphis
    Yes, what is the purpose of a software firewall that cannot block outside connection(s)?
    WFC, Glasswire etc., based on Windows' own firewall, fail miserably. Comodo and NetLimiter's "Blocker" can do that. Maybe because they use their own kernel mode driver, rather than relying on the stupid silly Windows own firewall.
    I'm interested in KeyScrambler, what technique it uses to "bypass" Fort Firewall. For example, Resonic, my favourite audio player: Fort Firewall blocks its update checker.

    Funny enough, years ago Revo Uninstaller was a nightmare... for crackers. It used some advanced methods to do the online check, so bypassing the firewall. Keygenners went nuts at that time. :D
     
  24. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    192
    Location:
    Italy
    Other software's update checks are blocked by my firewalls without issues, so KeyScrambler seems to use a different technique, as you wrote. It could be the DNS Cache service or BITS, as 2 forum users explained. But if that's the case, I still don't understand why the blocked connections from keyscrambler.exe appear in both my firewall logs. If KeyScrambler managed to bypass the firewalls using the DNS cache service or BITS service, they shouldn't be visible, I think. :confused:

     
    Last edited: Sep 19, 2025
  25. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    451
    Location:
    Finland
    @Serphis
    Yeah, what is the purpose of software that can slip the ***** out. Fort Firewall runs on its own driver, not based on the stupid Windows own firewall.
    Please @tnodir, we need that halt and stop feature, just like NetLimiter's "blocker" has.
     