Is Kerio 2.1.5 OK?

I read somewhere but can't remember that Kerio 2.1.5 lets svchost.exe out by its default rule this can be led NT-based Windows gets infected by some worms, is it true? if so how can I do or change default rule in order to be safe? and is its default rule OK?

Thanks for any advices.

 

kerio 2.1.5 is a very good firewall but it needs a bit of tweaking to really be very secure. I am useing it right now and it has never let me down.

you might want to look at these alternative settings for kerio 2.1.5 by Blitzenzuse here

bigc

 

The default rules are not secure, and even allow certain traffic by default to not cause problems on nt systems at first. This was one big reason I made the default replacement, and I included rules which are part of most FAQs so its easier to setup at first, however users still need to learn how to use it correctly.

Somebody has already linked to my default replacement, and I should note people should scroll down for the last update.

 

Note that even though Kerio 2.1.5 is light and well-tested, it was made a while ago, when OUTBOUND protection was not that big issue. Because of this it is not equipped with the features to stop trojans from using the firewall-bypassing technices demonstrated by multiple leaktests. If you consider this an acceptable risk, then Kerio 2.1.5 is simply the best a man can get.
-hojtsy-

 

The term 'firewall bypassing techniques' is bull, they are operating system exploits, and exploits in software like IE. In reality there are very few cases of them actually being used, and known malicious software is picked up by anti-virus/anti-trojan software also. Companies like Microsoft have known about them, however have not provided a real fix everyone can use, DEP in XP SP2 doesn't work on most systems, along with the newly aquired anti-spyware/anti-virus companies which will produce income for the software instead of fixing their damn software, in turn charging for software to cover holes in their existing software.

I'm careful about what I run, use safe practices, and use common sense most of all. Kerio 2x along with other software like it will still work until some operating system, or major changes in other things that effect it like a change in the tcp/ip kernel with the onset of IPv6.

If you want to download, and run p2p/warez all day, that is your choice, you better protect yourself from your bad habits.

 

While some techniques certainly do use Windows or IE/browser exploits, there are others (notably DNSTester) that use necessary network protocols knowing that almost any firewall will be configured to allow them. Whatever the cause, the effect is to get round a firewall so "firewall bypassing" is an accurate description of the result, whatever the method used.

While it is possible to debate whether Windows/browser loopholes should be covered by separate process control software (e.g. Process Guard/System Safety Monitor) and web filters (like Proxomitron) or the firewall itself, this really comes down to individual preference. However new users would probably find a suitably endowed firewall an easier starting point rather than having to set up and configure 3 or 4 new programs.

In other words, a properly configured Kerio 2.x should be perfectly suitable provided that other software is used to cover Windows and browser security issues.

 

DNS Tester was a false positive, so what if it contacted your assigned dns servers if that is what you wanted to allow anyway? It didn't try to contact anything else other than your assigned dns serves so what is the so-called bypass? None... false positive. As a matter of fact in my default replacement my dns rules when properly followed are restricted to their assign dns servers only, and there is no possible exploit in that.

DNS Tester didn't test what it really should have, dns tunneling, either programs trying to tunnel out through port 53 to ip addresses other than your assinged dns servers, or outside computers possibly trying to bypass firewall with a source port of 53. So its a false name, and a false positive.

I always put the blame on the source, not what it exploits. These are operating system exploits, and exploits in software like IE, period. I want Microsoft to fix the problem, not make people pay for software to cover up the problem Microsoft created.

 

DNS Tester sends data (encapsulated in DNS TXT RDATA fields) to a domain (and therefore a server) of the author's choosing, using recursive DNS to route it via your ISP DNS servers. It therefore is a valid tunneling exploit and restricting DNS access to the ISP servers only will not block it.

The best defense is to disable the Windows DNS Client service (forcing applications to make their own DNS queries) and set up per application DNS rules (a lot of extra work for most firewalls). Filtering DNS queries (to block TXT RDATA) or forcibly caching DNS results (by which I mean caching even results with a TTL value of 0 since this is what DNS Tester uses to avoid normal caching) could also prevent this.

 

I see, this is not really a bypass, just using rfc against the user in packets which are normally are allowed without any malicious use.

I agree that the nt dns client was a bad idea in the first place with invisibly redirecting traffic, just like the application layer gateway(alg.exe) used with ICS/XP Firewall allows ftp traffic without any restrictions which is even more dangerous.

Setting up dns per applciation can be a pain depending on how the program works, if even possible, however this appears to be one of the only legit ways to get traffic through a firewall without using an exploit in software/os, using rfc against the user.

 

Hi,

I am sorry but how do you call a program, which has never been run on your system, which sends data to the attacker via the network for the first time and that is not seen by your firewall

Just to take an example, if you try DNStester against ZoneAlarm, you will be prompted to allow or deny DNStester to use the network (with the dns client service enabled), which shows that it can be blocked. I don't think that it is too much hard to intercept, the firewall software just need to watch the DnsQuery() API in addition to the usual ones such as gethostbyname().

The fact is that DNStester attempts an unsolicited network access to leak data out, trying to hide inside an allowed traffic : if you are prompted then that's fine, if you are not then your firewall is bypassed (Kerio is not alone).

regards,

gkweb.

EDIT : to answer to the subject, I do not say that Kerio is bad, I join hojtsy's comments about that.

 

In all fairness, DNSTester's traffic is seen by the firewall - it however would be permitted with the vast majority of rules configurations. Perhaps the term "protocol exploit" best describes this one.

 

The firewall sees the traffic yes (as for almost all leaktests), but it thinks that it comes from svchost, it does not see DNStester, hence it does not prompt for it. That was my point.

regards,
gkweb.

 

Everytime I see a discussion of outbound application control and firewall leak testing, it seems to ignore that AV software is going to catch the offending program before it is operational. The group mantra is firewall leak protection is the first line of defense and AV's are worthless. Personally, I believe a lot of folks have this one backwards. Even though BlitzenZeus mentioned AV software as the solution, everyone else seems to ignore that point.

The reality is that the techniques used to sneak past firewalls are not actually being used by the trojan writers. I suspect the reason for this is they would be too easy for AV's to detect, too hard to slip past a user with any kind of awareness and not likely to achieve the profit objective that has taken over the malware business.

The sandbox solutions which can plug these leaks is a rather cumbersome and drastic solution for a problem that is really theoretical and will not get past a good AV.

By the way, if someone really wants to get you they can use a hardware keylogger and no software solution will tell you it is there.

 

I wasn't aware that we were ignoring AV, if you go to my website you'll see I recommend them as many other softwares.
The point you miss is that an AV can miss a malware, especially if it is mainly based on signatures, whereas a leak method prevented will block any malware using it, known or unknown from your AV.
That doesn' mean that AV are useless or worthless, never written that.

They exists and are used, as shown there :
http://www.firewallleaktester.com/malwares.htm

However as written on this page, they are not widely used, that's what I suppose. But I was told that these trojans was very popular on the trojan scene (I cannot confirm or not).

I'll left the point about how cumbersome can be a sandbox since it's a matter of personal preferences, but I can assure you that for instance, DLL injection has nothing theoritical and is working pretty well (and any program using DLL injecting is not at all detected by an AV, I have tested that).

Personally I wasn't saying that if someone want to get you he will use a trojan, that's IMO out of the scope of the discussion (then you can talk about steal, Tempest attack, sniffing, hardware loggers, kidnapping, etc...).
The point is that If a trojan/worm/spyware is on your computer, will your firewall will left it go out or not.

My point is that a firewall alone is not enought.

regards,
gkweb.

 

For starters, I have been to gkweb's site on leaktesting and it does indeed recommend the use of an AV. However, it is my view that the seriousness of the threat of a trojan that can both pass by a good AV and send private information over the web by any technique that defeats the typical application based firewall is being overstated. As gkweb says, these things are not widely used.

Just exactly which malicious program with dll injection is not detected by a good AV like KAV? Not a test concept, it has to be malicious.

I have not tried all of the various sandboxing utilities. My experience is limited to Jetico personal firewall. It was a bear to use. Somewhere on this site there is a thread that indicates SSM requires a lot of user intervention so it also seems quite likely that it could wind up misconfigured. It is easy for a nontechnical user to mess up many of the popular firewalls by giving permission to something they do not understand, even with something as easy as ZA free.

It just boils down to a cost benefit analysis. It is a lot of effort for the average person set up sandboxing or tight outbound application control. The resulting improvement in security over a good AV and either a NAT or the XP firewall is not that great in practice, no matter how wonderful it looks in theory. And I repeat, effectiveness of AV's is being greatly underestimated by many advocates of sandboxing and outbound application control, even if not ignored by some. Anyone is about 1000 times more likely to suffer a financial loss due to phishing than from some malware that is both undetectible by an AV and uses any of the techniques considered to be a firewall leak.

 

I was using Tiny Firewall here for the last few weeks and it's great for sandboxing and not a bad firewall either. All in one package. It CAN take a long time to configure everything if you want to get into all the available details, something which I didn't even do to any great extent. But if that's what you're looking for, then Tiny is perhaps the best solution. After a while, I found that it was overkill for my needs. I started to get annoyed when it was always stopping legitimate code injection and other system accesses. I probably could have configured everything to work as I wanted, but it would take quite a bit of work. I've since switched back to a more reasonable firewall that gets the firewalling job done without all the sandboxing. I'm using Outpost Pro right now...

Jetico was a little bit of a hassle, I agree. SSM wasn't too bad really, but I wasn't using the very latest beta, so perhaps it's more of a pain now.

 

I was almost ready to try SSm when I noticed that the betas are time limited. It seems that it is clearly the intent of the author to allow free use of SSM only for beta testing. You get to invest in creating a ruleset for SSM and one day it times out and you have to either invest in it or go somewhere else.

Outpost Pro starts out using an awful lot of memory, although many claim that it swaps out after a while. I have Kerio 2.15 up and running. I might try ZA Pro, if I can get a feel for how to set it up, but I have yet to find any kind of comprehensive set of rules for it.

 

Yep, the newer SSMs expire I think. If you can download the older 1.89 version (used to be on their site), I believe it doesn't expire, but of course it won't be the author's latest technology either. But it still catches apps before they execute and I think it watches some registry keys as well..

Edit: Just checked and they must have taken 1.89 down off their site. Can't find it anywhere else either, so you might be out of luck there.. Sorry...

I'd not bother with ZA Pro and rules, mostly because I had some trouble with them and found them buggy. I tried creating some rules and messed up, and then when I deleted them, I found that my internet connection was hosed. Had to reinstall ZA to fix it. And their implementation of rules was pretty weird and quirky anyway, not what you usually see.

Outpost Pro used to use 32 megs of ram in the previous version, but I haven't checked it yet in this new release from a few days ago. Hold on, let me see what it's using now after running for many hours...

Right now it's using 20 megs. I just opened the main GUI and then closed it, and now it's ram usage is down to 2 megs. Something weird there, but I don't worry about ram usage anyway really. I have 512 megs on W2k and for me that's plenty... As long as there aren't any memory leaks then I don't mind what it uses..

As for Kerio 2.1.5, that used to be my favorite. But it does seem to let fragmented packets thru, so be aware of that. Some say it's not really a problem because nobody could establish a 2 way connection that way anyway or do any harm, but it's something to be aware of anyway. I think there are a few old threads on this here and elsewhere...

 

K-

If you like Outpost Pro that's fine. I just think that one is not for me. So far as the fragmented packet issue goes with Kerio, I know about it and believe its not a serious problem for the reason you give: no possibility of 2 way communication. If it were some kind of enterprise gateway it would be a different story. As it is, large organizations do not place personal firewalls with app control on each machine due to the amount of effort involved to maintain such a setup. They use firewalls at various levels: gateways, domains, departments and so forth. I don't know what they do with their notebooks used by people that travel as I only have access to desktops (or notebooks that never leave the network) where I am.

 

To be honest, I like many of the firewalls, and I switch from one to another frequently. My favorites are CHX-I, 8Signs, Jetico, Kerio 2, Outpost and Tiny. I like them all for different reasons I guess.. Currently it's Outpost though..

 

8Signs is nice, but I would like something that keeps some of the media players and XP components from phoning home. That is less of a problem with W2K. CHX-I is a bit over my head. Jetico needs some work with their process table, including an easy way to shut it down when installing other software. Tiny sounds like it is seriously complex.

Some complain that Kerio 2.15 is old code, but lots of people use it without failure. The interface is perfect, in my opinion. BlitzenZeus makes a compelling case for it on a regular basis.

Perhaps the answer to the question is: Kerio 2.15 is OK.

 

For those who would like to use it, a link to my default replacement for Kerio 2x is in This Thread with information about other firewalls.

 

1) I just tried firehole.exe leaktest and my AV caught the initial "firedll.dll" as a win32 trojan gen. allowing me to delete it.

The .exe never got off the ground since I had SSM running.

2) Disabling these 2 defenses and Kerio kicked in with my ruleset to allow me to prevent the outbound.

____________________

Someone mentioned SSM 1.89, I last dld this program back Nov. '03 at webattack. It may take some digging if it is still there... GL

Also some of the older versions of SSM do not have the user kernel mechanism if that is the correct terminology.

 

The leaktests are detected by AV softwares because they were downloaded by them and added to their signatures database.

Kaspersky for instance detects my "Ghost" leaktest as a malware.
However I was able to rewrite it, still doing the same thing, but it was no more detected (in fact I was able to easily do 3 differents versions not detected, without using packers and such, just rewritting the code).

Same for FireHole, there's nothing hard to write a real trojan using DLL injection via SetWindowsHookEx() without being detected by any AV (until submitted to them).

I do not try to say that AVs are bad as it was assumed, but that to put all his eggs in the same basket is not good, that it be firewall or AV.

Good, a layered defence is what can block any leaktest
For anyone interested : http://www.firewallleaktester.com/advices.htm

regards,
gkweb.

 

Hi,

In my opinion, the primary criterion in order to choose a firewall is his capacity of packets filtering(incoming almost).
The first usefulness of a firewall is to protect the system against internet attacks and intrusions.
Therefore, penetration tests are more important than escape tests(leaktests).

Firewallleaktests of Gkweb's siteare very interesting to define a choice if someone hesitate between some firewalls.

These tests are also interesting because it demonstrates how advanced could be a malware.
But as often, the more advanced is the attack(malware/network), the less frequently it happens.


In any way, with any firewall(hardware+software ones) and with an IDS/IPS, there will always be a solution for advanced attackers to penetrate a system.
There's no software firewall who could underwrite that he is unbypassed.

Sandboxes and firewalls applications are interesting to prevent the execution of a malicious code.
Winsonar is like a procee filtering.There is no leaktest who could bypassed it.
By checking of "kill unknowned processes while connected to the internet", each leaktest is terminate.

Winsonar is free: http://digilander.libero.it/zancart/winsonar/odyframe.htm

Gkweb's site is a beguining of an answer to the boring questions (wich firewall is the best, kerio vs sygate...).
Only independant and rigourus penetration test is missing.

Each user his favourite firewall.

Regards