All firewalls lack NDIS driver-no firewall is safe!!!

Discussion in 'other firewalls' started by CoolWebSearch, Apr 14, 2008.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    From this very website I gave you can download real rootkit samples-about 30 of them!!!
    Why doesn't someone please use Virtual Machines to test Comodo 3.0, ZA Pro, Outpost Firewall Pro and all other HIPS+firewall programs against these rootkits?
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    You seem to draw some wrong conclusions from that article. First of all, all firewalls have inbound protection. There is no good or bad inbound protection - any method that stops a packet from reaching the port on your computer, according to a rule you specified can be used for inbound protection. The article you are talking about reffers to the situation when a rootkit/malware/etc. is already installed on your system. In that case no matter what method you use for inbound protection, it can be bypassed. But the main reason for inbound protection is to stop the bad software to reach your computer...
    As for the title of the thread, it's true that no firewall is 100% safe, but if you will read the article carefully, then you will see that there are some firewalls using NDIS driver - so you should not spread wrong information.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,884
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The article says that it is theoretically possible to restore the fuctions most NDIS drivers hook in TCP/IP stack. But, to do it maliciouse code has to get into the kernel, and to prevent it there is HIPS. So until there is a POC it can be called groundless speculations.

    As for NDIS control, I can say for sure at least OA does have it:
    ===log
    [11:58:44] 564 Installing NDIS filter for:
    [11:58:44] 564 \DEVICE\{F5ABDA96-5D25-45DA-91CE-BA58EEB887F7}
    [11:58:44] 564 Address:
    [11:58:44] 564 192.168.187.1;192.168.186.1
    [11:58:44] 564 Installing NDIS filter for:
    [11:58:44] 564 \DEVICE\{1ED37CD1-1AD2-47FB-BF47-9C4C301D4110}
    [11:58:44] 564 Address:
    [11:58:44] 564 192.168.2.1
    ===
     
    Last edited: Apr 14, 2008
  6. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Just because there is no proof of concept code available, that doesn't make it "groundless speculations". But it's true that in order to function, that form of unhooking needs kernel access, and HIPS usually stops that.
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    By groundless speculations I meant rather this line in the end of the post:

    ===
    Cool, there is not any trouble to write some **** in the kernel space, we can make a DoS or even a code execution. I just don’t want to dig deeper, hope that will be done by one of my colleagues ;)
    ===
     
  8. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Wow, I need to contact Kaspersky and see why they fake this entry in my Connection properties. :)
     

    Attached Files:

    • ndis.PNG
      ndis.PNG
      File size:
      34.4 KB
      Views:
      1,578
  9. 337

    337 Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    232
    Location:
    Georgia, USA
  10. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I'm not sure the author of the article knows something about how firewalls are made or about the way they are fuctioning. Quote: "So... what does a 'personal firewall' actually do? Well, effectively it listens on all the ports on your system." Or: "What it does do is break standard network applications".
     
  11. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    why is so hard to provide exact software builds ?

    i wonder why test old Comodo PF 2.4 and not last v3, ZA 6 ? isnt 7 latest ? Kerio 4.3? isn't latest Sunbelt PF 4.5? and so on ?

    i mean it's quite easy to downplay products using obsolete builds or builds which were already abadoned as EOL (Tiny Firewall 6.5 unfinished,unfixed,abadoned) months ago

    or not test some like Kaspersky mentioned above ^^^ :)

    oh well ...

    p.s. i don't want to say TF 6.5 was bad , it was in many things far ahead of any product even today but lacks of finalizing and polishing the product and then CA takeover was 'dead end'
     
    Last edited: Apr 14, 2008
  12. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hm,

    I like this one:
    MaD, reverse engineer and researcher

    Reliable empirical social research... :D

    Cheers
     
  13. 337

    337 Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    232
    Location:
    Georgia, USA
    These articles make me wonder if all the add ons that firewalls have today is just a way to take up the slack in actual protection they really provide? Also I fear that I may install a third party firewall and actually have less protection than the built in Vista firewall, as far as inbound is concerned. Leak tests mean very little to me anyway.:thumb:
     
  14. nhamilton

    nhamilton Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    61
    Once a rogue driver is loaded it is game over for security ... All this article is talking about it abusing an existing program (in this case firewalls) to get around them. It is no different then saying how to hook a function to hide files/processes.
     
Loading...
Thread Status:
Not open for further replies.