Tiny Firewall

Discussion in 'other firewalls' started by larryb52, Mar 29, 2006.

Thread Status:
Not open for further replies.
  1. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    To avoid pop-ups for trusted apps simply copy the rule twice and change:

    1st copy:
    Application:
    By ID: Trusted

    General: Prefered

    Access:
    Load: Allow/Ignore


    2nd copy:
    Application:
    By ID: TrustedServices

    General: Prefered

    Access:
    Load: Allow/Ignore
     
  2. metallicakid15

    metallicakid15 Registered Member

    Joined:
    Dec 6, 2005
    Posts:
    454
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  4. metallicakid15

    metallicakid15 Registered Member

    Joined:
    Dec 6, 2005
    Posts:
    454
    never knew that thanks for the info
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Well, I have come to the conclusion that Tiny simply does not have what it takes to stop the SendMessage API. There is absolutely nothing you can do with the current version of Tiny to stop this attack (considering you actually do run the breakout program and don't blacklist it, which would be cheating).

    The contact form at tinysoftware.com is no longer working, so I take it they don't care to hear about this and I am sure they already know of such problems unless they have been hiding under a rock (nope, they're not hiding under a rock, just from us users!).
     
  6. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    SendMessage API is only one of the hundreds of function calls for application programs to 'communicate' with Windows kernel. It can be used to do good things, and bad things too. So such a function call itself is no good nor bad. To judge if such a function call is legitimate or not, we need to look at who makes the call and who is called. For the case of Breakout leaktest, the 'caller' is breakout.exe (whatever the name is), and as a result, iexplorer.exe (IE) is launched because of such a call.

    To prevent such a leak, the unknown/untrusted application breakout.exe should be blocked from launching in the first place. To make a specific rule to block breakout.exe in order to pass the leaktest makes no sense (as you said, it is cheating). But to make a general rule to block unknown/untrusted applications from launching is meaningful to system security, and will lead to the pass of leaktest by 'default'.

    On the other hand, iexplorer.exe (Internet Explorer) is a 'dangerous' application. Only a few trusted applications should be allowed to launch it. If you have made such a rule, breakout.exe would not be able to launch iexplore.exe. And the leak would be prevented also.

    Leaktest is a good tool for users to understand how system can be compromised. But I do not think it is much more than that.
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Actually, Mensa was considering ditching their standard IQ test and asking the candidates to set up Tiny instead. LOL
     
  8. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    How could this be possible? They were going to lose customers! They were actually planning to ask the candidates to install ZoneAlarm Free instead - those who could install ZA Free would be classified as genius and given a score of 140; and those who did not know how to install ZA Free would still get a score of 100!
     
    Last edited: Apr 10, 2006
  9. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Actually Yahoo, breakout does not launch IE. There are a few variations of breakout. One variation is pre-configured to use the SendMessage API not to launch IE, but to make IE launch the chosen URL. This means the security risk is only applicable to IE when IE is open. I don't feel that leaving all applications that are allowed any internet access closed is a good choice. Another variation of it is the same, but pre-configured to work with FireFox. And the last variation of it that I know about uses different methods (using active desktop), which can be blocked if you feel like going through the trouble.

    I obviously do not want to allow breakout access to IE, but as I said before there is no possible way of preventing this with use of Tiny. If your aspect of leaktests is that they should not be launched in the first place then you already have decided that you only want to run any sort of application from completely trusted sources and you don't even need any sort of windows security like the one Tiny provides. A mere incoming packet filter such as the one provided in most routers and possibly some sort of web-filter should have you covered. This is great, but some of us choose to run applications that aren't always 100% guaranteed to be what they claim.

    For the people that need windows security (whatever the sort of HIPS being used) and actually plan on being able to run risky files on their computer, or may even be worried about the possibility of a new vulnerability getting through their current security, the ability to monitor access to such APIs as SendMessage is a necessity!

    Just take a look at Anti-Hook's (infoprocess.com.au) upcoming 3.0 version. It has the ability to monitor access to APIs, which for some people is fantastic. APIs cannot be stopped by blocking access to files, they are a form of 'injecting' into memory processes that Tiny does not cover. If CA did not buy out Tiny Software, I am sure Kejn (the previous developer) would have supported this feature considering the last version of Tiny he released had the ability to monitor "Inject Code".

    The purpose of leaktests is to show security 'leaks' found in the applications that are supposed to stop such problems in the first place. What is the point of blocking internet access to a program you want to run if it can still send information out to the internet? If an API can be used to make IE load a webpage, I'm sure there is the ability to make any application with even partial trusted internet access send data without you even knowing.
     
    Last edited: Apr 13, 2006
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    LMFAO :D
     
  11. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Oh, sorry. I was too stupid to realize that I have to launch IE by myself in order to fail the leaktest :)

    I wish that I could use IE and be perfectly safe at the same time. I figured that I am not that skillful to keep my system safe enough with IE, so I switched to Opera. Only the shell (explorer.exe) is allowed to launch IE on my computer so far. Hopefully, there is no one that will write a leaktest for Opera. It is great to see people stick with IE though, at least Microsoft has not wasted their money in developing IE and malware/leaktest writers will not waste their efforts either.

    I always wish that I can find 'completely' trusted sources for applications. Even for the 'trusted' applications, I wish that I can always read the source code line by line to make sure they are 'completely' safe too. If there is such 'completely' safe thing in the world, I agree with you that Tiny is not necessary for me. It is nice to find out that people still believe that there are 'completely' safe sources in the world, just as that Utopia is somewhere out there.

    On the other hand, if one can keep the system safe while letting unknown applications be launched freely, he/she would definitely be a genius.

    It is great that you have found something that can do what you want.

    This is my first time to hear that "APIs are a form of 'injecting' into memory processes". Nice to hear though.

    I hope so too. I figure it would be interesting to see popups for each API access and judge if it is legitimate even without knowing what API is.
     
    Last edited: Apr 11, 2006
  12. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Hi Yahoo and AJohn,

    I am also considering IE as a 'dangerous' application. It is too much tied with the system without any possibility of control to be left loose. I don't allow it to do anything by default and use it only for windows updates, in which case all action needed is approved manually. My default browser is Opera, Firefox is the secondary one. They are only allowed to be launched by some specified applications and may connect only to several common ports.

    I am conscious that it's still insufficient in face of the API 'code injection' vulnerability that AJohn is talking about, but IMO the risk is minimal. Simply because to be vulnerable to this exploit, my system should have been already compromised before, i.e. a rogue prog already installed and running. I consider it to be nearly (but not 100%) impossible.

    Considering program launching restrictions, I use several simple rules. First, an unknown program cannot launch anything (it cannot start in the first place, but that's another rule). Dangerous group (including IE, DrWatson, etc) cannot launch anything or be started by anything. Next, more trusted groups are allowed to launch less trusted programs only in child security context. Inversely, less trusted ones may only launch trusted progs in the parent security context. This blocks any possibility of program rights escalation. Finally, spawning of system components and internet applications are defined using specific particular rules.
    These are not the most strict settings possible, but work well in everyday use without any user interactions (no popups).

    isnogood
     
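The launch-control policy isnogood describes above (unknown programs launch nothing, the dangerous group neither launches nor gets launched, and cross-trust launches run in whichever security context is lower) can be written down as a small decision function. The block below is an added example for this thread, not Tiny Personal Firewall's own rule engine or any code from the posters; the program names, trust levels and the "specific rules" table (here only explorer.exe launching iexplore.exe, following yahoo's setup) are constructed for illustration, and treating equal-trust launches as a child-context launch is an assumption the post does not state.

```python
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Ordered trust levels; higher means more trusted (constructed for the example)."""
    UNKNOWN = 0
    LESS_TRUSTED = 1
    TRUSTED = 2


@dataclass(frozen=True)
class Program:
    name: str
    trust: Trust
    dangerous: bool = False  # member of the 'Dangerous group' (IE, DrWatson, ...)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    context: str  # "child" or "parent" security context, or "none" when denied
    reason: str


def decide_launch(parent: Program, child: Program, specific_rules: dict) -> Decision:
    """Apply the general launch rules in the order the post gives them.

    specific_rules maps (parent name, child name) -> context and is consulted
    first, standing in for the 'specific particular rules' the post mentions
    for system components and internet applications (assumption: they take
    precedence over the general rules).
    """
    key = (parent.name, child.name)
    if key in specific_rules:
        return Decision(True, specific_rules[key], "specific rule")
    if parent.trust == Trust.UNKNOWN:
        return Decision(False, "none", "unknown program cannot launch anything")
    if child.trust == Trust.UNKNOWN:
        return Decision(False, "none", "unknown program cannot be started")
    if parent.dangerous:
        return Decision(False, "none", "dangerous group cannot launch anything")
    if child.dangerous:
        return Decision(False, "none", "dangerous group cannot be started by anything")
    if parent.trust > child.trust:
        # more trusted launching less trusted: child keeps its own (lower) rights
        return Decision(True, "child", "more trusted -> less trusted in child context")
    if parent.trust < child.trust:
        # less trusted launching more trusted: child inherits the parent's (lower) rights
        return Decision(True, "parent", "less trusted -> more trusted in parent context")
    # equal trust: nothing to escalate either way (assumption: child context)
    return Decision(True, "child", "equal trust")


def effective_trust(parent: Program, child: Program) -> Trust:
    """Rights the launched process actually runs with under the policy.

    Both cross-trust branches pick the lower of the two levels, which is
    exactly why the scheme blocks rights escalation.
    """
    return min(parent.trust, child.trust)


# Constructed sample programs and the one specific rule (not a real rule set).
EXPLORER = Program("explorer.exe", Trust.TRUSTED)
IEXPLORE = Program("iexplore.exe", Trust.LESS_TRUSTED, dangerous=True)
OPERA = Program("opera.exe", Trust.LESS_TRUSTED)
BREAKOUT = Program("breakout.exe", Trust.UNKNOWN)
SPECIFIC_RULES = {("explorer.exe", "iexplore.exe"): "child"}


def evaluate_samples() -> list:
    """Run the sample launch attempts and return (parent, child, allowed, context)."""
    attempts = [
        (EXPLORER, IEXPLORE),  # shell starting IE for Windows Update: specific rule
        (BREAKOUT, IEXPLORE),  # unknown leaktest binary trying to start IE: denied
        (OPERA, IEXPLORE),     # less trusted app starting a dangerous app: denied
        (EXPLORER, OPERA),     # trusted shell starting browser: child context
        (OPERA, EXPLORER),     # browser starting the shell: parent context
    ]
    results = []
    for parent, child in attempts:
        d = decide_launch(parent, child, SPECIFIC_RULES)
        results.append((parent.name, child.name, d.allowed, d.context))
    return results


if __name__ == "__main__":
    for row in evaluate_samples():
        print(row)
```

The ordering matters: the "unknown" and "dangerous" checks run before the trust comparison, so a program the firewall has never classified can never reach the branch that grants a context at all, which is the "blocked by default" behaviour yahoo argued for earlier in the thread.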
  13. the insider

    the insider Registered Member

    Joined:
    May 25, 2005
    Posts:
    151
    How about memory usage?? Low/medium/high o_O I use for the moment KASPERSKY AH 1.8 : low on mem, stable but.... apparently not as good as Tiny o_O?
     
  14. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    About 35-40 Mb RAM used on my system (Win2k) with all modules enabled. Not extremely light, but reasonable taking into account its features.

    isnogood
     
  15. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Hello,
    I configured DNSTester in TPF as outlined.

    The problem, I have is almost every application tries to launch dnsapi.dll- Is this bad?

    When I deny it in TPF, I get a message that says that dnsapi.dll is a bad "windows image".

    Ghost RegDefend won't load unless it launches dnsapi.dll.

    Which applications should be allowed to launch dnsapi.dll?

    Thank you
     
  16. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Only those trusted applications which need network access should be allowed to launch dnsapi.dll.

    However, I personally do not think this is the way it should be. The condition for DNSTester to 'succeed' is to have DNS Client service enabled. However, unless your computer is on a network running Active Directory Domain Controllers, DNS Client service is not needed. If you do not know what an Active Directory Domain Controller is, or do not know any reason to keep DNS Client enabled, you probably can have DNS Client service disabled. By doing so, the system would no longer be compromised by DNSTester alike exploits. I do not quite understand why one should leave security holes in the system purposely or not (enable DNS Client service or run IE) in order to fail leaktests. To me, it is just like having the door wide open, but relying on high-tech motion detectors to stop thieves.

    For some other firewalls/HIPS without application and service controls, there is nothing to prevent a malware from silently opening the 'door', i.e. starting a dangerous application (IE) or a dangerous service (DNS Client). For such firewalls/HIPS, leaktests may mean something. For TPF, I doubt the effectiveness of leaktests.
     
    Last edited: Apr 14, 2006
  17. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Please see my post above on how to create rules for trusted applications. I personally leave the DNS client enabled since Tiny now does a good job of monitoring its access, but as stated above it is not needed. If you make the extra two rules I posted above you will only get the notice for very few applications.
     
  18. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I tried and failed Toolleaky.exe (leak tester). I put IE explorer in a "Dangerous Group"- What else do I need to do?
     
  19. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    You sure it's working, or is it just saying that? Have IE open before you open it and if it works you will be sent to a webpage, if I am correct anyways...
     
  20. the insider

    the insider Registered Member

    Joined:
    May 25, 2005
    Posts:
    151
    Yesterday I installed the PRO version but I am not very good in tuning the app... can someone give me tips about what I should turn on/off to be on the safe side with this firewall? It's complicated for me to understand everything (English is not my mother tongue). For example I saw 2 possibilities to make my computer invisible (stealth) but which one is good for me (I use a router) o_O Maybe I have to turn ON other settings.... I don't know: I can use some help! o_O
     
  21. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I meant that I failed the leak test- What do I need to do to keep Apps from launching IE?
     
  22. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    the insider & Mr. Y

    I believe that you can figure the problem out by reading the manual or trialing different options. If you still could not figure it out, you should consider dropping TPF and using other firewalls instead. IMHO, most of the firewalls nowadays are very good. It is not that worthwhile to waste time on TPF if it gives you hard time.
     
  23. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I have been using TPF for 3 years- I believe that Antihook is causing the latest strange occurrences. I made changes in TPF that should have stopped Apps from launching IE yet the changes did not work and I was initially very puzzled. I observed some things about Antihook that could have accounted for this odd behavior (I have since made additional changes).

    I may change to another firewall as I have been reading many posts on this forum. But I am not ready to do that yet.
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Even if you pass TooLeaky, it will still say you failed. Don't you get a notice in the BR corner from Tiny when you run it (and choose default security/block)?
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    tooleaky walks over tiny default configuration.

    I ran the tests and here are my results, the last one I didn't test because right now I can't have explorer crashing with the apps I got open.

    Note: fail = good (the exploit failed)

    1 - fail
    2 - pass - fail after added trust group to allow loading other apps and changing default to deny, pass involved app going into loop though
    3 - pass then fail after change default to reject injection
    4 - enhanced fail, couldn't load vxd, not sure why
    5 - win9x only fail
    6 - fail with changed default
    7 - fail 10pts firewall with changed default only - on default 0 pts passed
    8 - fail
    9 - blocked by kaspersky
    10 - not tested
    11 - test 1 fail test 2 pass test 3 fail test 4 got msg saying task scheduled but then nothing on time of schedule so unsure
    12 - fail - pass on default
    13 - it got denied injection so i thought was going to fail but did pass
    14 - not tested
    15 - fail
    16 - blocked by kaspersky
    17 - not tested

    On the occasions the firewall was responsible for blocking these leaks, by the author's definition it would have got 0.5pts on the bulk of them because it was generic blocking and only as a result of me changing the default settings. I noticed tiny has no component control by default, which is why tooleaky passes; when I enabled component control it then started blocking a ton of windows stuff which was set to trusted, so I had to add trusted to allow starting of other apps and then setting the default to disallow it worked. This then stopped tooleaky but it got itself into a loop because of the protection; tiny didn't actually say "hey this app is launching IE do you wish to allow net access". The injection protection was not useful by default also and I had to do some configuring to block inject attacks.

    Some other comments, I found that a few times my network card used online kept putting itself into the safe zone (not good) but now seems to have stayed put for a while.

    In terms of footprint size and performance hit, here is what I tallied up for all the binaries loaded.

    42+17+27+47+42+98 and 71 for amon so almost 300meg of ram needed for tiny firewall on my pc after 2 days of uptime. There seems to be a noticeable cpu hit as well.

    I am still looking for my ideal firewall, have spent too much in the process, but have been happy with kaspersky's anti virus so may try the new 6.0 internet security version of that when it's released.
     