new leaktest : WallBreaker

Hi

I just released my own leaktest, available on the site.
It works on Windows 9x/Millenium/2000/XP and seems not to be blocked by any firewall (following the "how to do test" of the results page).

=> http://www.firewallleaktester.fr.st

The only known way for now is SSM (while the issue is probably investigated).

Happy testing.
regards,

gkweb.

 

Nice Leak-test, however it failed to bypass Look ‘n’ Stop’s Application Filtering Layer…

 

no...

Look'n'Stop doesn't see WallBreaker.exe, just explorer.exe, iexplore.exe, or svchost.exe.

regards,

gkweb.

 

Once again i'm telling you what i see and what i see is Look 'n' Stop stealthing me at Application Filtering Layer from that utility hjacking attempts...

 

Yes Look ‘n’ Stop doesn’t see Wallbreaker.exe Launching another Application that will connect, however Look ‘n’ Stop is protecting me at Application Filtering Layer.

My Windows Explorer is configured to Launch only and no connection rights to the Internet, from the beginning Windows Explorer has always been DENIED from connecting rights as it’s obviously a security hazard…

 

i tested it on two comp : Win XP and Win 2000 all last update with LnS 2.04p2 with the lastest driver on both, if the configuration is not locked (which could prevent explorer.exe or svchost.exe to do anything) even at highest settings LnS failed, now it's me that said to you what i see

(may be you blocked a windows app ?)

regards,

gkweb.

EDIT : oups you just posted

yes, best guidance like block explorer.exe is a must to do, but not while testing leaktests

 

LOL when it comes to Leak-testing nothing new anyone can tell me…

 

Hi gkweb,

Nice tester app you got there. It certainly defeated my KAH 1.5!

This is precisely why I distrust Personal Firewalls by themselves. Using PE I could tell that something was going out to France (I know, the test is entirely safe!) even though it recorded the originating app as iexplore. Still this would be enough to tip that something was up.

I wonder, have you tried it against Tiny 4.5? If I were to rely on a PF exclusive to anything else it would be that one (Not that I have tried all the ones out there!)

Thx,

Dan

 

Phant0m``

I tried the Leaktest from gkweb..... now since explorer.exe is blocked by default.... it still bypasses... my LnS.... any idea ?

 

Yes most likely your Internet Explorer was currently running in the background of the time you executed that test…

Under few circumstances Look ‘n’ Stop will fail the test, and this is just another example why dealing with Leak-testing you must consider all factors..

 

What OS have you ? windows handles differently what WB do, even between 2000 and XP.

But at least on Win XP, to block explorer.exe prevent the test to work.

@Dan Perrez
I just tried application filtering of TPF 4.5, not sandboxe feature.

regards,

gkweb.

 

Current ZA+ defeats this .exe by unchecking one box:

Program Control-->
highlight Windows Explorer-->
Options-->
Security-->
Uncheck Advanced Program Control: "This program may use other programs to access the internet" box.

Whew!

 

I'm running WinXP Pro Sp1
LnS 2.04p2
And even with explorer.exe block in Application Filtering and Internet Explorer closed and running the test is still screws up.

Will have to find a way to stop that somehow will get back to ya later on if I do

 

Doh!

Not so fast, Jim...a "cannot find server" message isn't good!

Hmm. Maybe there's an end-around somewhere!

 

Hey FluxGFX

There are two Flags you set for each Application in the Application Filtering List, is Explorer.exe (Windows Explorer) configured to Deny Connecting rights to the Internet?

I’m running Microsoft Windows XP Pro with Service Pack 1 Installed and all the SP2 hotfixes… and using Look ‘n’ Stop v2.04p2 with most recent Application Filtering Driver.

 

I have set the two flags and added every explorer.exe on the system to be blocked and still... not working for me, but I'm not giving up, I'm sure there's a why to disable explorer.exe from accessing the net from within windows.

 

OHHH i C

 

Phant0m``
Honey you see what ?

 

Try removing all the Explorers and executing the Wallbreaker and then click DENY to Explorer.exe Launching Internet Explorer…

Also try terminating everything in the background except for Look ‘n’ Stop and then run Wallbreaker…

 

########### READ THIS #############

I suggest to everyone to read the "how to do tests" on the website results page.
Blocking a windows component to pass successfully a leaktest is not seen as a good results because the purpose is to test your firewall, his application filtering layer strength, so, you have to allow explorer.exe and iexplore to access the Internet.

For instance, With Look'n'Stop 2.04p2 with iexplore.exe and explorer.exe fully trusted, the leaktest "Tooleaky" is catched red handed by LnS with a beautiful warning "Tooleaky.exe try to launch iexplore.exe", even with the two app trusted, because he is not vulnerable to "Tooleaky".
The same way to test your firewall have to be followed to test it.

After that, to enhanced your protection and to cover firewall leaks, you can follow best guidance behaviour such as blocking explorer.exe to access the internet, add SSM, give filter rules per application, etc... but this "users enhancement" prevent to see if the firewall can handle or not the leaktest, in our example with WallBreaker, the firewall just see explorer.exe, and if you did tell it to block it, it blocks explorer.exe without have seen wallbreaker.exe

Keep in mind that all technique showned by all leaktest can in theory be applied to any trusted application on your system... and in this case, the only last shield is the firewall application filtering which should see that a malicious program launched an authorized one, if not, the test is failed.

Don't be confusing between that your firewall can really _see_ and between that it can really _do_
(it can block explorer.exe, but can't see wallbreaker.exe).

regards,

gkweb.

########### READ THIS #############

 

Phant0n``

Well I did remove all the explorer and closed everything and tried again with no succesfull results.

gkweb,

Would have a suggestion in mind that would help stoping wallbreaker ?

 

May be you didn't flushed IE cache ?

 

Trust me I did

 

Hey gkweb

I’m only here to state a fact that Look ‘n’ Stop has the capabilities of protecting, I never said Look ‘n’ Stop has the capabilities of detecting this Leaktest or not.

 

it's not for you, it's for the user who said passed the leaktest with ZA on checking "block explorer.exe"



@GFX
it's unbelievable

regards,

gkweb.