App Filtering not checking grandparent processes? (WallBreaker)

Discussion in 'LnS English Forum' started by Pete99, Apr 25, 2006.

Thread Status:
Not open for further replies.
  1. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    It seems that Application Filtering is checking the calling process and its parent, but not the grandparent processes? I discovered this using WallBreaker v4.0. It seems that this would allow malware to leak through LnS.

    I can reproduce this on my computer like this:

    1) In LnS' settings, allow Internet Explorer, Windows Explorer, and cmd.exe to access the internet.

    2) Run tests 1 and 3 in WallBreaker.exe (v4.0).

    For what it's worth, here are my settings:

    I have enabled "Watch Thread Injection".

    In my Registry:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw1]
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "Tag"=dword:0000000a
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
    72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6c,00,6e,00,73,00,66,00,77,00,31,\
    00,2e,00,73,00,79,00,73,00,00,00
    "DisplayName"="lnsfw1"
    "Group"="PNP_TDI"
    "DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
    "DependOnGroup"=hex(7):00,00
    "ActivatedSoon"=dword:00000001
    "CheckDNSQ"=dword:00000001
    "CheckHSRE"=dword:00000001
    "CheckVAEUDTF"=dword:00000001
    "IPFragActive"=dword:00000001

    In my driver logs:
    Look 'n' Stop Version 2.05p3

    Driver versions: 4.08 & 3.05
    API Driver versions: 3.05 & 4.01
    Service Mode.
    [13:38:46] Internet Firewall Enabled
    [13:38:46] Appli Firewall Enabled
    [13:38:47] Computer isn't connected to Internet.
    [13:38:47] Watch Failed
    [13:38:49] Adapter modified
    [13:38:49] Computer connected to Internet on: [...]
    [13:38:52] Security Center registration Ok.
    Intel(R) PRO/100 M Network Conn - [...]
    WAN Miniport (IP) - Look 'n' St - [...]
    WAN Miniport (Network Monitor) - [...]
    FW:
    Driver Entry Win2k/XP
    WAN Miniport (Network Monitor) - Look 'n' Stop Driver
    WAN Miniport (IP) - Look 'n' Stop Driver
    Intel(R) PRO/100 M Network Connection - Look 'n' Stop Driver
    FW1:
    Driver Entry Win2k/XP.
    [...]
    FO2_Ok
    FO2_2_Ok
    [...]
    FO4_Ok
    FO3_Ok
    [...]
    FO5_Ok
    [...]
  2. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    In other words, if process A calls process B calls process C calls process D calls process E,
    I would expect LnS to check E then D then C then B then A until there are no more ancestor processes to check.

    Also, if I've already allowed E and D in the past and I have no rules for C, B, or A, then:

    1) If I block C then LnS should stop checking.

    2) If I allow C then LnS should proceed to checking B and (depending on my choice for B) to checking A.

    After thinking about it some more, maybe it would be more user-friendly if LnS prompted the user for A first, then B then C. This way the user would immediately know the name of the program that started everything.

    The point, though, is that I think that the whole process chain should be checked.
    Last edited: Apr 25, 2006
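The ancestry check described in this post, written out as an added example: this is not code from the thread and not Look 'n' Stop's own logic. It uses a constructed process table (the pids, the process names and the rule set are assumptions) and compares a check limited to the connecting process and its parent with a check of the whole chain, so the difference the thread is about becomes visible.

```python
"""Model of firewall application filtering over a process ancestry chain.

Constructed example (not Look 'n' Stop's code). A connecting process E has
parent D, grandparent C, and so on up to a root A. The check walks the chain
E -> D -> C -> ... -> A, stops at the first blocked ancestor, asks the user
about any ancestor without a rule, and allows only if every ancestor is allowed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, BLOCK, ASK = "allow", "block", "ask"


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    ppid: Optional[int]  # None marks the root of the chain


# Constructed process table (assumed pids): a leak-test program launches
# explorer.exe, which launches iexplore.exe, which opens the connection.
PROCS: Dict[int, Proc] = {
    400: Proc(400, "wallbreaker.exe", None),
    410: Proc(410, "explorer.exe", 400),
    420: Proc(420, "iexplore.exe", 410),
}

# Constructed per-program rules, as a user would have set them in the firewall.
RULES: Dict[str, str] = {"iexplore.exe": ALLOW, "explorer.exe": ALLOW, "cmd.exe": ALLOW}


def ancestry(pid: int, procs: Dict[int, Proc]) -> List[Proc]:
    """Return the chain [E, D, C, ...] from the connecting process up to the root."""
    chain: List[Proc] = []
    seen = set()
    while pid is not None and pid in procs and pid not in seen:
        seen.add(pid)  # guard against a looping or corrupted parent table
        proc = procs[pid]
        chain.append(proc)
        pid = proc.ppid
    return chain


def decide(pid: int, procs: Dict[int, Proc], rules: Dict[str, str],
           depth: Optional[int] = None) -> Tuple[str, str]:
    """Apply the rules along the chain and return (verdict, deciding process name).

    depth=None checks every ancestor (the full chain the post asks for);
    depth=2 models a check of the process and its parent only.
    """
    chain = ancestry(pid, procs)
    if depth is not None:
        chain = chain[:depth]
    for proc in chain:
        verdict = rules.get(proc.name, ASK)
        if verdict == BLOCK:
            return BLOCK, proc.name   # a blocked ancestor ends the check
        if verdict == ASK:
            return ASK, proc.name     # no rule yet: the user must be prompted
    return ALLOW, chain[-1].name      # every checked ancestor is allowed


def chain_names(pid: int, procs: Dict[int, Proc]) -> List[str]:
    """Names along the chain, connecting process first."""
    return [proc.name for proc in ancestry(pid, procs)]


if __name__ == "__main__":
    print("chain:", " <- ".join(chain_names(420, PROCS)))
    print("process + parent only:", decide(420, PROCS, RULES, depth=2))
    print("full chain:", decide(420, PROCS, RULES))
```

With the rules above, the parent-only check allows the connection because iexplore.exe and explorer.exe are both permitted, while the full-chain check reaches wallbreaker.exe, finds no rule for it, and asks the user; adding a block rule for wallbreaker.exe turns the same chain into a block. Prompting for the root first, as the post suggests, is only a matter of walking the returned chain in reverse order.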
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Really, I think this process checking is better suited to an HIPS like SSM.
  4. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    Thanks, WSFuser. After reading these forums for the past several days, I'm also beginning to believe that I need something besides a firewall and antivirus software.

    I'm a longtime user of Norton Internet Security. I've wanted to replace it for many years but I could never find an "internet suite" that I liked (ZA Internet Security crashed over and over on my computer when I tried it).

    I realized that the currently available internet suites are bad and that I was going to have to buy individual components from different companies. To make a long story short, I've decided to buy LnS for my firewall and to use the free Avast antivirus.

    Now my only challenge is to find something that monitors processes. I'm already using Microsoft's "Windows Defender". I know that my trust in Microsoft is funny but on the other hand they are the people who wrote the operating system and they have access to all of the "internals". In a related note, Windows Defender notified me when I ran test 4 of WallBreaker that scheduled an AT job. Unfortunately Windows Defender allowed the AT job to run before giving me a chance to block it.

    There are so many other programs that claim to be anti-spyware, anti-trojan, etc. It's so confusing. Unless I discover anything better, I'm going to limit my research to Anti-Hook, BOClean, CyberLink, Ewido, PG, and SSM.

    Do you recommend SSM or do you have any recommendations for programs that I didn't list?
  5. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Pete99

    You will be taking your thread very much off topic with that.

    Take Care,
    TheQuest :cool: