New application control.

Discussion in 'other firewalls' started by pcIP, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Certainly you may not: as Waine said, he does not know and does not try pcIP. That's not the way it works.

    "With enough ifs, you could put Paris in a bottle...."
     
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    OK, but I think he has a point: when some application gets hijacked by a trojan and pcIP gets closed down, what protection do you get then?

    Does it have termination protection? I do not remember.

    Another thing: if a trojan with the name scvhost.exe is on your system, will it be detected or blocked from writing / executing stuff (like ProcessGuard?), or does this process have to be in the database and therefore be recognized as malware? (just needed this info.)

    Thanks in advance.
     
  4. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    The trojan must be installed and you'll get an alert box for its installation.
    pcIP detects DLL, in-process code and handler injections too.
    As for any new PE, DLL, etc... you get an alert box to submit for authentication, run or stop till authentication, and disallow its execution.

    No termination protection; I suggested password-protecting it in order to let only the admin terminate it. As it runs as a service you may (Admin Tools\Services) determine an action when it is closed (restart, run any application, etc...)

    Do you mean scvhost.exe (trojan) or svchost.exe (trojan or Windows)?

    As for any app run for the first time, you get an alert box.

    I prefer SSM as a blocker, but pcIP is a good additional protection layer for lambda users who don't want or are unable to know whether they must allow or refuse something. Furthermore, you see the involved components, which is useful for advanced users.

    Regards,
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanks, no, seriously, it was scvhost (the trojan) I was talking about. I was thinking: if a trojan deletes a process or replaces it, like svchost (auth.) would be replaced by scvhost, would we get a message?

    quote:

    The trojan must be installed and you'll get an alert box for its installation.
    pcIP detects DLL, in-process code and handler injections too.
    As for any new PE, DLL, etc... you get an alert box to submit for authentication, run or stop till authentication, and disallow its execution.


    That was the answer I needed. Thanks for that. I do believe it has some real potential. I am just a little concerned, but I do believe that if you believe in it, it would be OK for me. I was prejudging. Sorry.
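The scvhost.exe / svchost.exe question above is a detection problem a defender can check for directly. This is an added example, not pcIP's code or anything from the thread: a small Python audit that flags a process whose name is within two edits of a system binary's name (scvhost vs svchost) or whose name is right but whose path is not the expected system directory (a replaced svchost). The allow-list and the process listing are constructed for the demo.

```python
import ntpath

# Constructed allow-list: a few Windows system binaries and the directory they
# normally run from (assumption: a stock install; real deployments extend this).
LEGIT_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; scvhost.exe vs svchost.exe is 2 (one transposition)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_process(name: str, path: str) -> str:
    """Verdict for one running process: ok, wrong-path, lookalike or unknown."""
    name_l = name.lower()
    dir_l = ntpath.dirname(path).lower()   # ntpath: Windows paths on any OS
    if name_l in LEGIT_PROCESSES:
        # Right name but launched from a user-writable folder: a replaced svchost.
        return "ok" if dir_l == LEGIT_PROCESSES[name_l] else "wrong-path"
    # Not on the list: flag names within two edits of a system binary's name.
    if any(edit_distance(name_l, legit) <= 2 for legit in LEGIT_PROCESSES):
        return "lookalike"
    return "unknown"

def audit(processes):
    """Return (name, path, verdict) for every process that is not plainly ok."""
    flagged = []
    for name, path in processes:
        verdict = classify_process(name, path)
        if verdict != "ok":
            flagged.append((name, path, verdict))
    return flagged

# Constructed process listing standing in for a real snapshot.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("scvhost.exe", r"C:\Users\Demo\AppData\Local\Temp\scvhost.exe"),
    ("svchost.exe", r"C:\Users\Demo\AppData\Roaming\svchost.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, path, verdict in audit(SAMPLE_PROCESSES):
        print(f"{verdict:10} {name:14} {path}")
```

"unknown" is not a verdict of malice, only a name the allow-list does not cover; the two verdicts that matter for the question in the thread are "lookalike" and "wrong-path".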
     
  6. Kec Velaskec

    Kec Velaskec Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    32
    pcIP is an application firewall because it has the same goal as a firewall: prevention of information theft. Also, pcIP has stealth port capabilities, although port control, like many other pcIP features, cannot be controlled by the user and is invisible until the moment it is needed. But pcIP is addressing the information theft problem in its own unique way, the only way that in our opinion provides real protection against real problems. pcIP's philosophy is that, with some rare exceptions (like NETBIOS, which we stealth), an opened port is NOT a vulnerability unless it is opened by a malicious program:
    http://www.pcinternetpatrol.com/products/index.php?product=stealth.

    Therefore, pcIP is concerned with applications and not the ports.

    Moreover, as you may know, Microsoft is releasing its Windows Firewall in August. This will be a serious setback for all firewall vendors, as the main functionality of their products will become a mere duplication of a part of the operating system. Also, seemingly small changes in the new firewall (it will be turned on in its default configuration) will make a big marketing impact: millions of www.shieldsup.com enthusiasts will see that they are stealth without ZA.

    On the other hand, Windows Firewall will make virtually 100% of users aware of the need for application control.

    "Perhaps the biggest change with SP2 will be a host of new alerts the user will suddenly get, offering more detailed information about what programs are trying to contact the computer and giving the user more chances to accept or decline." CNN, Monday, July 19, 2004

    Even more importantly, WF will make users realize that without an expert's analysis their answer is merely guesswork.

    pcIP is the only system in the world that is positioned to offer a real solution to this issue that has suddenly become apparent. :rolleyes: :eek: :D
     
  7. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Running ICF on WinXP you are already in stealth mode on any online test, as it filters all INBOUND traffic. Even if I appreciate your app, I should not advise running it stand-alone; at least ICF or WF and AFM. As long as pcIP does not offer all ports BLOCKED or STEALTH and applicative filtering by port, I prefer considering it as an interesting add-on to a decent firewall: NEVER put all your eggs in one basket.
     
  8. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Good thinking JacK, that's why I launched my initial question.

    I ran the app also and several ports are not stealthed, which is of great concern.
    As you stated, any open port is a potential threat.

    rgds,
    Martin
     
  9. Kec Velaskec

    Kec Velaskec Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    32
    An opened port by itself was never a vulnerability. It became one only as a result of a massive and largely misleading marketing campaign. Read more about this here:

    http://www.pcinternetpatrol.com/products/index.php?product=stealth

    A port must be opened by an application that allows "browsing" of a target without the user's permission or awareness, or in other words, it must be opened by a malicious application or a legitimate application with "browsing" capabilities like NETBIOS or Remote Desktop.

    Patrol stealths NETBIOS. Remote Desktop needs to be left alone and it is protected by a password.

    WF stealths everything that is not used.

    Patrol also takes care of any application or component that cannot prove that it has good intentions.

    Why would you need anything else?
     
  10. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    For instance, in order to prevent OE from validating my address as I receive spam in HTML, I need an applicative FW by port ;)

    Regards,
     
  11. Kec Velaskec

    Kec Velaskec Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    32
    The breakable password is a whole different story, and since you do not know in advance from which IP address you are going to connect to the Remote Desktop, the firewall would not help.

    Do you already have WF? Normally it will only be available with SP2 some time in August.

    Microsoft promised to stealth everything that is not in use.

    Tell me, how does an opened or closed port make the computer less secure than a stealthed one?
     
  12. Kec Velaskec

    Kec Velaskec Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    32
    Jack,

    Do not get me wrong. I am not teasing you and not trying to be a smart ass. Perhaps I am really missing something and I would like to know what you think :)

    -----------
    www.pcinternetpatrol.com

     
    Last edited: Jul 27, 2004
  13. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Kec,

    Yes, I do, like many others ;) I have been running SP2 RC2 for quite a while now; I am a beta tester, but it's a public release and you may download it in English if you want, or in different localizations if you are an MSDN customer.

    I told you that CLOSED is not less secure than BLOCKED (Stealth); each has its own advantages. For instance, with stealth mode you escape random scans from SK, but it does not change a dime if the attacker already knows your IP: on the contrary, it may help him ;)
    For instance, if a port is CLOSED and you inherit the IP from a P2P user, it prevents your P2P ports (1214, 4661, etc...) from being hammered for a while because they don't answer the probes.

    When a port is OPEN there are lots of ways to try "something" with specially crafted packets. Ideally, all ports should appear CLOSED or BLOCKED (unless you run some server) and only appear OPEN (listening) from the outside when the regular application(s) need it for data exchange. No reason, for instance, to leave your port 110 OPEN (just an example; this port appears BLOCKED with pcIP).

    Your app (and I like it, don't take me wrong) is a good blocker but no firewall.

    Regards,

    PS: I did not get you wrong, no problem ;)

    [OT] I don't use Remote Desktop, I prefer a VPN :cool:
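JacK's OPEN / CLOSED / BLOCKED distinction above, as an added example that is not part of the thread: a small Python checker that classifies what a single TCP connect attempt against one of your own hosts reveals, which is what an online "stealth" test reports. The loopback demo can only show OPEN and CLOSED (nothing filters 127.0.0.1), so the dropped-probe case is simulated; host, port and the 2-second timeout are assumptions.

```python
import socket
from typing import Callable

# Port states as the thread uses them:
#   OPEN    - a program is listening, the handshake completes
#   CLOSED  - host answers the SYN with a TCP RST (nothing listening, host visible)
#   BLOCKED - "stealth": the probe is dropped and nothing comes back
def classify_probe(probe: Callable[[], None]) -> str:
    """Run one connect attempt and map its outcome to OPEN / CLOSED / BLOCKED."""
    try:
        probe()
    except ConnectionRefusedError:
        return "CLOSED"
    except (socket.timeout, TimeoutError):
        return "BLOCKED"
    return "OPEN"

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Callable[[], None]:
    """Build a probe that attempts a full TCP handshake to host:port."""
    def run() -> None:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    return run

def failing_probe(exc: BaseException) -> Callable[[], None]:
    """Stand-in probe that fails the way a real one would (offline demonstration)."""
    def run() -> None:
        raise exc
    return run

def port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """State of one port on a host you administer, as seen from this machine."""
    return classify_probe(tcp_probe(host, port, timeout))

def local_demo() -> tuple:
    """Loopback check: a listening port reads OPEN, then CLOSED once released."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_state("127.0.0.1", port)
    listener.close()                      # nothing listens any more: kernel sends RST
    after_close = port_state("127.0.0.1", port)
    return while_open, after_close

if __name__ == "__main__":
    print("listening / released:", local_demo())           # ('OPEN', 'CLOSED')
    print("dropped probe:", classify_probe(failing_probe(socket.timeout())))
```

The CLOSED verdict is the point JacK makes: the RST proves a host is there, which is why a stealth test scores it worse even though nothing is listening.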
     
  14. Kec Velaskec

    Kec Velaskec Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    32
    We insist that a port opened by a legitimate, well written program is not a security problem.

    How about putting your statement and ours to the test?

    We open a port of your choice on a standard Windows XP installation and you get any file or data (beyond some generic or not-valuable info like an IP address) from that PC.
     
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Tell me one "well written" program. For example is iexplorer "well written" or is it not? Do you fully trust iexplorer to defend itself from any attacks coming to the ports already opened by it? I am a software developer myself, and I do not fully trust any software - I only balance Effort and Risk. If I can lower the Risk with minimal Effort I will do it.

    I don't think that is so simple. I suggest a different, more realistic scenario. You open different random ports on thousands of computers running different Windows versions, operated by people of various experience levels. These people continuously use the computer for browsing, gaming, chatting, etc. Then you can send some mail messages to them, with all kinds of links and attachments. Let's see if one can get any file or data from at least one of those PCs.
     
  16. Kec Velaskec

    Kec Velaskec Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    32
    What you suggest is indeed a realistic scenario.

    Essentially you are making the point that application control, and not port state (opened, closed or stealth), is the decisive factor.

    If an application is poorly written, it is usually unprotectable. If, for example, Remote Desktop were poorly written, then there would be only 2 choices: stealth its port with a firewall or do not use it (uninstall). In both cases, it would be unusable. What is the advantage of using a firewall then?

    The same applies to IE.

    I grant you though that firewall routing rules can, in some very limited number of real life situations, be useful. I will further agree that closing outbound traffic to some ports would also be useful in some rare cases (not really for security, but rather for annoyance reasons). But the relative contribution of application control to port control in overall PC security in real life is at least 10:1 or probably even 100:1.
     
  17. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    lol I am not a hacker ;)

    What are the conditions? Let's say a stand-alone workstation (no router) with an application of my choice running on the workstation and no ICF or any other firewall? No other security app but pcIP and an AV?

    Of course the IP of the station must be known.

    I don't know if this is the right place to discuss hacking :cool:
     
  18. spiff5000

    spiff5000 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    49
    The problem with this statement is that pcIP is ITSELF a computer program. Would you like to correct this statement or are you a wishful thinker?

    So pcIP uses signatures. Since it appears to use no heuristics to identify threats, the user (using the program's default settings) could unintentionally allow a program to execute. If this is the case, where's the protection from malware using unpatched or zero-day exploits?

    Last time I checked, ActiveX and JavaScript can still exploit flaws in IE and Windows.

    By the way, what's the guaranteed SLA of this product?

    -Spiff5000
     
  19. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    OK, I find 10:1 realistic, IF the computer is well-configured by a professional. Now let us be protected from BOTH the 10:9 portion of exploits and the 10:1 portion of exploits, by implementing a firewall which BOTH provides decent application control and decent port control. I agree with the importance of application control, but how you can make positive marketing from the absence of decent port control is beyond my understanding.
    -hojtsy-
     
  20. David Goodman

    David Goodman Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    5
    quote:

    OK, I find 10:1 realistic, IF the computer is well-configured by a professional. Now let us be protected from BOTH the 10:9 portion of exploits and the 10:1 portion of exploits, by implementing a firewall which BOTH provides decent application control and decent port control. I agree with the importance of application control, but how you can make positive marketing from the absence of decent port control is beyond my understanding.
    -hojtsy-

    Before going any further, let me ask you this: have you tried pcAudit at www.pcinternetpatrol.com?

    Why don't you try it, and then I will make my next point.
     
  21. David Goodman

    David Goodman Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    5

    1. I will clarify rather than correct it. The message is that a computer program acting on its own (using, say, behavior analysis or a database of known malicious programs) will not be able to protect users from a new, unknown variant of, say, a Trojan. This is exactly why firewalls offer you application control. But without you, an expert administrator, the application control is just guesswork. 99% of users are not experts. Patrol is not just software, it is directly connected to an "outsourced" expert, who will use all the power of modern Anti-Virus investigative tools and expertise to give an answer on the user's behalf.

    2. Our whole web site is dedicated to answering this question: www.pcinternetpatrol.com

    3. There are certain things that can only be fixed by a manufacturer or by using different software.
    __________________
    http://www.pcinternetpatrol.com
     
  22. David Goodman

    David Goodman Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    5

    Man, how can you be a doctor and feel it inappropriate to discuss the disease?
    How can you be a doctor-scientist (and you surely are) and not put your hypothesis to the test?

    I am talking about a standard patched Win XP installation connected directly to the internet with a real IP address (that would be provided) and a program that we will write that will open any port you ask (we will provide the source code of that program). No pcIP and no Anti-Virus.
     
  23. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Kec,

    In order to do it without wasting time (and not reverse engineering your program or studying it thoroughly) I should know how you detect DLL injection (with a driver?) or code injection (hooking CreateRemoteThread?)

    How do you detect it if the code doesn't use Win32 API functions? Just add a sig in your DB when a sample is submitted?

    We could discuss it further privately at your convenience, but I can understand if you prefer to keep this information to yourself.

    I am not trying to bash your app, but any app can be cheated one way or another ;)

    Best regards,
     
  24. David Goodman

    David Goodman Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    5

    We are not trying to market the lack of versatile port control in pcIP. Rather, we are saying that the emphasis on ports is overblown for marketing purposes at the expense of true application control.

    There are many excellent firewalls with all levels of sophistication in port control and traffic filtering. Many of them are free. We decided to focus on a "neglected" part, application control, and position ourselves as an additional, important application security layer that is not provided in the same fashion by any other system.
     
  25. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    That seems to me a more realistic and correct statement than saying there is no need for an applicative filtering-by-port FW.

    Yes, it is important.

    Cheers,
     