Agnitum take on leak tests

Discussion in 'other firewalls' started by markcc, Oct 31, 2008.

Thread Status:
Not open for further replies.
  1. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
  2. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    They are all for leaktests, but that's not surprising given their bias.
     
  3. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,129
    Location:
    R.I.P. Roger(roddy32)
    does not sound too biased, but I have not found a leaktest
    that can penetrate Outpost's newest version!

     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Let us wait for Matousec's new set of tests. It just seems that nobody has coded new tests for some time and the old well-known tests are surely "fixed". And that is to say the main OP competitors (OA and Comodo) didn't update their results since spring. Maybe they just lost interest. I'm not sure about Comodo, but OA released v3 which definitely takes 100% (I checked it against those tests that v2 failed). And I have a feeling Matou is in the process of preparing some surprise. He can't stand ratings over 95 in his research for too long :)
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Agnitum has obviously gone in this direction, so they will probably promote the whole issue and their features. The question that all this raises with me every time is, at what point does the firewall cease to be a firewall and become a HIPS with some firewall capabilities? When you decide to go down that leak-test road with your firewall, you can pretty much bet you will end up with a HIPS product, as the "leaks" will be ever evolving and changing, requiring more and more code to catch them. Eventually, what started as a firewall is no longer a firewall at all...
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    You are completely right in the terms of the "old good days" :)

    I think the current trend follows the current market. For one, most people (outside Wilders) prefer an all-in-one pack to a troublesome set of different programs. Few people like to play and test and set up a lot of programs. For two, the definition of a firewall itself and the most requested firewall functionality have changed essentially, I think. Who is now the average PC user? In most cases this is a non-tech person (opposite to the old good days). He needs to play games, write mails, visit forums etc. etc., and at the same time he wants to spend as little time on IT education as possible and feel as secure as possible.

    We can like or dislike it, but we can do nothing about it (IMHO).
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    ... and with that, the early firewalls -- essentially packet filters, some of which are still around -- find themselves in the position of being criticized for failing to do what they weren't designed to do in the first place.

    In our earlier discussions of Kerio 2 some years ago, you may remember when I proclaimed that Kerio 2 didn't fail any of the tests at firewalleaktester.com. Of course, I cheated, because my security in place wouldn't let the test executable files download unless I disabled security, so the tests couldn't run.

    My point was, to consider under what circumstances a user could imagine a malicious trojan getting onto the computer in the first place. As someone is fond of saying, If it can't execute, it can't infect.

    Also, what about the prevalence of leaktest exploits in malware? gkweb offers his opinion:

    http://www.firewallleaktester.com/malwares.htm
    He has a list of 4 malware he has discovered which use techniques to bypass firewalls. Here is a brief summary of them, and thoughts on prevention:

    W32.Welchia.Worm
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99
    Microsoft analyzes: "To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine."

    Obvious prevention: this exploit is blocked with properly configured firewall inbound rules.
    _______________________________________________________________________

    W32.Vivael@mm
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-062813-0620-99
    Prevention: Is it obvious?
    _________________________________________________________________

    [Dshield] The Beast
    http://lists.virus.org/dshield-0310/msg00337.html
    Date: Fri, 17 Oct 2003 06:56:38 -0400
    The only reference to an attack that I could find is a Microsoft email spoof:

    Prevention: Is it obvious?
    _______________________________________________________________________

    Flux spreads wider
    http://www.emsisoft.com/en/kb/articles/news041104/
    11/6/2004
    Nothing mentioned about the attack method.

    This reference from Microsoft, 2006:

    Your thoughts on prevention? I can think of two...
    _________________________________________________________

    In the current article, Igor Pankov writes,

    It would be useful if he could present a list of current malware which exploit the leaktest scenarios he mentions, to see if different attack methods are being used.

    Providing security for computers is like acquiring insurance, and risk assessment plays an important part in the decisions one makes.

    One should ask, Do I know the various ways malware can download/execute on my computer? Do I feel secure about blocking these attack vectors so that the malware cannot download and execute?

    Those who consider malware that uses leaktest exploits to be of sufficient risk that their computer could be infiltrated will, of course, need to provide necessary protection.

    ----
     
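Rmus's point above is that a plain packet filter blocks the Welchia-style RPC probe simply by denying new inbound connections to the ports Microsoft lists (135, 139, 445, 593), while saying nothing about outbound "leaks". The following is an added model of such an inbound rule set, not code from the thread or from any product it mentions; the subnet, addresses and sample traffic are constructed for the demonstration.

```python
"""Minimal inbound packet-filter model: default-deny new inbound connections,
explicit block for the RPC/SMB ports named in the quoted advisory."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Ports named in the Microsoft text quoted for the RPC/DCOM vulnerability.
RPC_PORTS = {135, 139, 445, 593}
LAN = ip_network("192.168.1.0/24")  # assumed local subnet (constructed value)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True  # True = new connection attempt; False = reply in an established flow

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    src: IPv4Network     # source network the rule matches
    ports: frozenset     # destination ports the rule matches; empty = any port

INBOUND_RULES = [
    Rule("block", ip_network("0.0.0.0/0"), frozenset(RPC_PORTS)),  # RPC/SMB from anywhere: drop
    Rule("allow", LAN, frozenset()),                              # other services, LAN peers only
]
DEFAULT_ACTION = "block"  # default-deny for any new inbound connection not matched above

def inbound_verdict(pkt: Packet) -> str:
    """Return 'allow' or 'block' for one inbound packet; first matching rule wins."""
    if not pkt.syn:
        return "allow"  # stateful allow: reply traffic for a connection this host opened
    src = ip_address(pkt.src)
    for rule in INBOUND_RULES:
        if src in rule.src and (not rule.ports or pkt.dport in rule.ports):
            return rule.action
    return DEFAULT_ACTION

def evaluate(packets):
    """Map (source, destination port) to the verdict for a batch of inbound packets."""
    return {(p.src, p.dport): inbound_verdict(p) for p in packets}

# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("203.0.113.7", "192.168.1.10", 135),                 # Welchia-style RPC probe from the Internet
    Packet("192.168.1.20", "192.168.1.10", 445),                # SMB from a LAN peer, still dropped
    Packet("192.168.1.20", "192.168.1.10", 8080),               # LAN web service, allowed
    Packet("203.0.113.7", "192.168.1.10", 50000, syn=False),    # reply to our own outbound connection
]
```

Running `evaluate(SAMPLE)` shows the probe to port 135 blocked, the LAN SMB attempt blocked, the LAN web request allowed and the established-flow reply allowed; a trojan already executing on the host and opening its own outbound connection never passes through this inbound logic at all, which is exactly the gap the leaktests exercise.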