Opinions about pcInternet Patrol 2.0 Firewall!

Hi everyone! Have you got some experience about pcInternet Patrol 2.0 Firewall?

http://www.pcinternetpatrol.com/downloads/pcip.php

According to these Leak tests,

http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/test.html

my Outpost Pro 2.0 should pass the PCAudit test, but I couldn't pass that test when I used the "Component control level is MAXIMUM" position in my Outpost Pro 2.0.

I am now a bit of worried, because I am going to have a fast ADSL- internet connection (= continuous) today!

This PCAudit firewall test is made by the same company that makes the pcInternet Patrol Firewalls!


"The truth is out there, but it hurts!"

Best Regards,
Firefighter!

 

Re:Opinions about pc-Internet Patrol 2.0 Firewall!

Hello interesting question indeed.

But if you are going to have a fast connection to the net and not dial up.

Then you might consider a Hardware firewall.

I feel that with a super fast connection and speed you should worry more about hackers as they can hack you faster and in real time.

For dial up "fire wall software" is fine.

Some people have a hardware fire Wall and a software fire wall together.

Personally i think its over kill but better being safe then sorry.

So if you have some money to spend and a little time on your hands id check into a nice hardware fire wall.

 

I have to agree with OpenSource, either a hardware firewall or a dedicated host firewall is the preferred solution unless you have a laptop that you take around and even then I would recommend both the separate firewall as well as the Personal Firewall.

I've no experience with the product you mentioned so I have no input in that regard.

Hope this Helps and Drive Safe ,

Dan

 

Hello,

Basically, an hardware FW is just a gateway machine with a build in software firewall which control the inbound connexions, not always outbound ones.

If you have no LAN and are a home user, well set rules based software FW offers a fair protection.

On a LAN, I would suggest a dedicated LINUX server as gateway (IPtables and/or Freesco) for the clients AND a rule based FW on each client controling outbond .

An old PII 64 Mo RAM is enough.

Rgds,

 

For a dedicated Host firewall I am running OpenBSD's pf on a Pentium 90

 

A software firewall is still needed i think, at least to filter applications.

regards,

gkweb.

 

Hi,

I may be wrong but I think that Firefighter ask for advise regarding not only indbound protection but also outbound protection (PCAudit).

For that purpose, I think no hardware firewall is a solution.

regards,
Sisko

 

ZA 4 and OP 2 passes pcaudit, but it required max settings, hard to find indeed.

Those who wants OP2 screenshots of settings email me at gkweb@wanadoo.fr

regards,

gkweb.

 

Re:Opinions about pc-Internet Patrol 2.0 Firewall!

Yes pictures are always nice.

If you don't have a web site to remote link them from just attach the file when you post.

You will see attach file option when you post to-wards the bottom everytime you reply.

Just hit browse locate the picture on your pc then hit post

 

Those settings are an example to pass pcaudit.

Trusting application has nothing to do with the capability to block a leaktest or not, put them in "partially allowed" to tighten up your security:
http://perso.wanadoo.fr/jugesoftware/conf1.JPG

Component detection at MAX, but be sure to remove thel all in case that you allowed by mistake pcaudit dll :
http://perso.wanadoo.fr/jugesoftware/conf2.JPG

noting to do with pcaudit, but could be usefull if your are on LAN:
http://perso.wanadoo.fr/jugesoftware/conf3.JPG

Disable system global rules, prefer per application rules (in partially allowed)
http://perso.wanadoo.fr/jugesoftware/conf4.JPG

A very important thing !!
http://perso.wanadoo.fr/jugesoftware/conf5.JPG

I remove plugins to do tests, but i think of course that you can use it:
http://perso.wanadoo.fr/jugesoftware/conf6.JPG

just an example to show that OP2 can block leaktest but sometimes only log them, no popup warning:
http://perso.wanadoo.fr/jugesoftware/conf7.JPG

After that, i advice you to reboot, because it seems that OP2 doesn't apply all settings.

With this, when pcaudit will try to inject his DLL, OP2 will ask you if you want to update components for the application accessed or block it.

regards,

gkweb.

 

Re:Opinions about pc-Internet Patrol 2.0 Firewall!

Gkweb That was some great posting and very nice pictures.

I Applaud you.

We are lucky to have such a promising new member.

And thank you for that great post.

 

thanks you

 

To gkweb from Firefighter!

Thank you very, very, very much for those Outpost Pro 2.0 settings!


Best Regards,
Firefighter!

 

I just noticed something that I think needs an extra comment.
In the section with the pictures of Outpost where gkweb says

, this is very true. The picture shows all the applications in the Trusted applications section and that is something we always recommend against. The reason is that any application in the trusted applications section is not governed by the Outpost rules, it is in effect ignored.
It is sufficient in most cases to have your applications in the partially allowed section with the suggested preset rule list applied.
This is not meant to criticise gk, it is just to clarify to anyone not familiar with Outpost rules that applications should not be placed in the trusted applications if rules can be made for it.

 

absolutly, i just gave my settings while testing leaktests, but of course it's better to put them in partially allowed with per application rules, what i said here:

and

i agree

regards,

gkweb.

 

Hi gkweb,

Excellent work. The more people that try to find holes through the major software firewalls, the better. That is my opinion. I just wanted to write to tell you that I tested WallBreaker and PCAudit with Outpost V2 tonight. Of course, I am running the latest public version of the firewall. And, although I feel that you have given outstanding general advice on how to configure Outpost, my results differ from yours slightly. And, here they are:

PCAudit: Passes with Normal component control and default global rules.

WallBreaker: Passes with Normal component control and default global rules.

As I said, the advice you gave was very good. I just wanted to point out my experience with these two LeakTests. I keep a running scorecard at this URL:
http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=7459

I am not sure if it allowable to post links to other forums here, but I have posted the link above in good faith rather than trying to promote the OutpostFirewall forum.

Lastly, I do want to say the following. ALL of my rules are custom made. I always choose 'Other' when a rules creation popup appears and create the proper rule. I say this because it is possible that users who have allowed rules to be auto-configured may not get the same results as I when performing the LeakTests. One of the major reasons for this is that explorer.exe is given TCP Outbound HTTP access by default and I have found this to be a problem in the past when performing some LeakTests. Currently, I have explorer.exe manually setup to ONLY communicate with ONE IP. That IP is associated with Windows Help. So, any user of Outpost may want to remove explorer.exe from their application list and manually choose when to allow or not allow access for this executable. In the case when a LeakTest is performed, it is sufficient to choose Block Once when a rules creation popup appears and to choose to Block when presented with a component control popup. This should take care of the Leak Test. In the case of a rule creation popup when using Windows Help, it would be OK to choose 'Other' and just create a rule for TCP Outbound HTTP to the SPECIFIC IP mentioned.

Agnitum has added some entries to their INI files that may further protect explorer.exe from being exploited by a Leak Test for a user who is using an auto-configured rule list. But, I have not had a chance to test whether this will make a difference yet. So, I recommend that users of Outpost follow the instructions regarding explorer.exe that I noted above. As I do further testing, I will faithfully update the thread that I listed above to ensure that it is as accurate as possible.

Thanks again gkweb and keep trying to poke holes in those firewalls.

Have a good day.

 

Thanks LowWaterMark,

By the way, I have checked out ZA4 and your posts regarding it here in the forum. You are right, ZA4 is a good comprimise between simplicity and configurability regarding rules configuration. At least, I hope it was you who said that. I used ZAP for years also recommend it to users on the OutpostFirewall forum having problems with Outpost. If I have learned anything in the past several years, it is that ALL firewalls do not work on ALL systems. It is really strange. And not being a developer, I do not understand all of the complexities. Anyway, I did not mean to ramble on too much here. I just wanted to say thanks for the reply and your thorough ZAP configuration threads.

Have a good day.

 

@DavidH

_How_ did OP2 block pcAudit?
Did you have a browser running (which is required for thorough pcAudit tests, although it isn't said by pcAudit... )?
(In gkweb's 'out of the box settings', the explorer.exe is allowed to communicate, so pcAudit should bypass OP2 in these settings, anyway.)

Same question: _How_ did OP2 block it? At this point, I really can't imagine, how OP2 could block Wallbreaker...

 

Thanks for your comments DavidH.

About leaktest, for highest settings results (on my site), i don't try to find from what settings it can block a leaktest, i just setting it at max, and look if it can or not

About WallBreaker, I tested OP2, like all other firewall that i'm testing, and no one blocks it.
But to do tests, i always fully trust explorer.exe and iexplore.exe, that is probably the difference, because an unvulnerable firewall should block it anyway, for instance "Tooleaky" (which launch IE) is detected even with IE fully trusted by most of firewall (OP2 too ).

This is just to test if the firewall is vulnerable to the exploit or not.

After of course, it's by far better to improve security to prevent such exploit like deny explorer.exe and to add per application rules... i'm working on a new page that i will add and will be about "best guidance settings and behaviour" to improve security and cover firewall leaks.

regards,

gkweb.

 

I just tested (again): 'explorer.exe' didn't need any rights for pcAudit ('normal' component control) and Wallbreaker to bypass OP2.
This is quite logical, because in both cases, it isn't 'explorer.exe' which communicates.

So the question to DavidH remains...

 

For WallBreaker, it is depending on which OS...
Indeed it doesn't have the same behaviour on XP and 2000 :
XP -> explorer.exe which access the Internet
2K -> iexplore.exe which access the Internet

in both case explorer is the start, and an IE window is the result, but the following is not handled in the same way by the two OS.

This is that I noticed.

regards,

gkweb.

 

Hmm, on 'my' WinXP machine, it is still iexplore.exe (IE), which connects...

 

lol

may be it's depend on services started or not, i will not try to define which
It's the same exploit for all OS, but they handle it as they want

regards,

gkweb.