BitGuard new version

Discussion in 'other firewalls' started by solarpowered candle, Jan 29, 2004.

Thread Status:
Not open for further replies.
  1. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    A new version of the BitGuard firewall is now out. http://www.tryus.dk/bitguard.asp







    - For the sake of future "search" executions, I corrected the spelling on the product name - LWM
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Again a "firewall" including application monitoring and sandbox features, and if I already have sandbox software, what do I do?

    When will we see firewalls making coffee in addition? I can't wait for that feature :cool:

    Anyway, I didn't try this firewall; maybe the firewall part of this "security suite" is good, I don't know.
     
  3. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Perhaps you could try it and then comment.
     
  4. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here

    I think not :D

    Why should he bother?

    Just google the words 'bitguard', 'firewall' and 'leaktest' : you will find that this firewall has little or no outbound protection!

    Bitguard works at a "low level". So what? Kerio and LnS are also supposed to work likewise, PLUS they also have leak protection - that of LnS overshadows by far that of Kerio, btw, as it also has good application-level leak protection (can block PCaudit1, Thermite, ...) ;)


    PS. gkweb:

    There are plenty of firewalls that handle the coffee part as well.
    They intercept phone calls before they reach the boss, thus protecting the boss from unwanted calls ("unsolicited connections").
    AND they make coffee.
    They are called SECRETARIES :D
     
  5. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    :) None so wise as the elite. This was not put here for opinions of self-created firewall gurus so much as a continuation of a thread that was started some time ago.

    This thread was added due to the interest generated at these:
    http://www.wilderssecurity.com/showthread.php?t=9284
    http://www.wilderssecurity.com/showthread.php?t=8780
    http://www.wilderssecurity.com/showthread.php?t=8967
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I don't really wish to talk with you... but just read this:

    You are saying that a sandbox is "passing" leaktests, which means nothing at all, because leaktests were _never_ meant to bypass overall computer security, nor sandboxes or application monitoring.

    So let the "self created firewall gurus" author of two leaktests tell you that your "firewall" doesn't pass any leaktests.

    cya.
     
  7. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here

    Now now! :D
    I am not a self-proclaimed fw guru (I wish I had their knowledge though) but only a very, very demanding USER, and my comments are made from the point of view of the average USER, simple as that...
    What do users seek? Protection. Protection from what comes in and what leaks out. Protection from the various threats in which the Wild Wild Web abounds.

    And when browsing through all the reviews, what does the user see? That all modern firewalls have equivalent inbound protection. So what makes a difference? OUTBOUND protection! That's the new battlefield for today's competing firewalls...


    Trying to rekindle the fire, are we? :D

    The review where I read about Bitguard failing basic leaktests may have been outdated. As U seem interested in this product, U might consider testing it yourself:

    This link should provide you with all the necessary stuff - plenty of leaktests can be downloaded from there:
    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/

    Have fun ;)
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Gents,

    Please keep the friendly atmosphere intact - we're all happier campers in doing so ;)

    regards.

    paul
     
  9. Red_Dwarf

    Red_Dwarf Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    20
    Location:
    Earth last time I looked
    *extreme deep intake of breath before starting on this one*

    Good day people, this is going to be a long one, so get a cup of coffee :)

    It is an unhappy state of affairs that people post here about this firewall without testing it fully.
    So many newsgroups and blogs with people being so intolerant of one another without doing their homework first :O

    As a side note, the information on the website from TryUs is out of date
    re their text about what the Bitguard OEM version is actually all about.
    So putting that text aside one moment, let's look at the actual firewall itself.

    Bitguard OEM firewall is split into two parts:
    an NDIS and a TDI.
    Their system is a process monitoring firewall, thus a process has to be authorised to run.
    If a process is authorised it will, like most firewalls, fail leak tests.

    Now here is the "but" to this conversation: all LEAK testing programs try to bypass any personal firewall by either trying to use
    an existing trusted process or program, depending upon your definition.

    I will run through the programs listed on this site http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/
    Leaktest, Tooleaky, FireHole, Yalta, Outbound, PCAudit, AWFT, Thermite, CopyCat, MBtest, WB, PCAudit2 and lastly Ghost.
    Note test systems were Windows XP SP1 no trust, not part of a domain and no trust to default gateway which is a no no...
    and Windows ME and 98 2nd edition and 2000 SP4 Pro.

    Please also note I ran the tests twice: once in the standard mode of the Bitguard Firewall, then I ran the tests again and switched to run configured programs only (that is to say, the firewall only permits programs defined in its list of authorised programs; everything else that is not in that list is killed, as in the process is terminated before it even gets a chance to get off the ground; see the end of my thoughts at the bottom of the page).

    They range from minor silly programs such as Leaktest from Steve Gibson, to quite good solid tests.

    (NOTE: My own thoughts on Steve Gibson are mixed: media hyper or scaremonger or just misguided, but people believe him, thus I have mentioned his program to start with.)

    Leaktest: Bitguard catches leaktest without any problems.

    Tooleaky: Oh please don't make me laff about this test. As a test for yourself, pull your network cable and run this test. I mean WOW, this program connects to the internet with the need for a cable :p
    If you look at the Bitguard monitor screen you will see this program attempts to launch IE. Now if IE, like many other firewalls, is set to allow net access and not ask the user, this test appears to breach your firewall.
    Mr Bob Sudling should revisit his own creation.

    FireHole: This step up from Tooleaky is a DLL injection and again relies on the fact of a trusted application. If the application is set to ask then Bitguard sees IE being launched.

    Yalta: The moment this program was run the firewall caught this and asked what to do with it before it got to do its job.

    Outbound: Only 98, ME and 2000 work with this test as XP version is not available. Plus you need to install WinCap not your everyday man tool here. Ok test results show the firewall saw this and did not allow any packets outbound as it was not a currently established connection, thus this program failed.

    PCAudit: This simply failed, saying your PC is well protected. I do not rank this program, but I will later in the test for version 2.
    Note here IE and Mozilla were set to ask during tests.

    Atelier Web Firewall Tester (AWFT) 3.0: There are 6 tests within this program. The test results are in their program score:
    Firewall Points: 3
    AWFT Points : 1
    One: Attempts to load a copy of the default browser and patch it in memory before it executes. Defeats the weakest PFs.
    Failed

    Two: Creates a thread on a loaded copy of the default browser. Old trick, but most firewalls still fail.
    Passed *note: please see, every other firewall out there fails this one; old trick but good.*

    Three: Creates a thread on Windows Explorer. Another old trick, but almost every firewall still fail.
    Failed *firewall asked if explorer.exe should be granted access* (never allow this, people)

    Four: Attempts to load a copy of the default browser from within Windows Explorer and patch it in memory before execution. Defeats PFs which require authorization for an application to load another one (succeeding on Technique 1) - Windows Explorer is normally authorized. This test usually succeeds, unless the default browser is blocked from accessing the Internet.
    Failed. Even though Mozilla and IE were running, the firewall caught this and asked if access should be allowed.

    Tests 5 & 6: I am afraid all I got from these tests was the test program asking me to surf a little and repeat the test; after surfing a lot, still nothing, so this part is inconclusive.
    Five: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, loads a copy and patches it in memory before execution from within a thread on Windows Explorer. Very difficult test for PFWs!
    Six: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, requests the user to select one of them, then creates a thread on the select process. Another difficult nut to crack for PFWs!

    Thermite: O first thing here, this program asks you to run IE, DUH, so it is a process injection baby.
    Nice program, but if IE is set to ask it fails; of course if set to allow it works.

    CopyCat: Nice bit of code, writing a program to use an existing process ID. Bitguard did not catch this, but please note neither do other personal firewalls; again, later I will show you that Bitguard can defeat this.

    MBtest: Arrggg, ugly program. Having had to hack this code to get the test to work, I am happy to report it failed to get out of the firewall. Please note by default this program bombs on any of the tested OSes with language as English.

    Wallbreaker:
    First test : WallBreaker uses explorer.exe to launch iexplore.exe and then access the Internet, so,
    it's a windows application which launch another one, and not WallBreaker. Actual firewall can see
    applications trying to access directly the Internet, application launching another one to access the
    Internet, but not Wall Breaker which launch an application which launch again another one...
    In Bitguard statistics you can see explorer is used to launch IE, but since IE was set to ask it failed, if IE was set to allow this test would have worked.

    Second test : it's a trivial joke, it simply launches Internet Explorer directly, but in a way
    not handled by firewalls, whereas it should, it's the simpliest way to escape. Current firewall
    doesn't see it.
    Again since IE was set to ask it was caught by firewall

    Third test : it's a variant of the first test, this time it launches cmd.exe before, which
    then launch explorer.exe, and finally iexplore.exe :
    Wallbreaker -> cmd -> explorer -> iexplore
    (Win 2000/XP only)
    Again caught by ask and not allow.

    PCAudit2: What can I say, I am very impressed with this bit of code in this program.
    If IE or Mozilla was denied access you could see it run through the list of running programs trying to find a route out.
    By default the firewall.exe is allowed access, and the first time I saw this it meant it was tunneling through the firewall itself using port 80; soon cured, and firewall.exe was set to ask and not default allow.
    Nice to see it also sniffed out Notepad, which is internet aware if you wish to phrase it that way, and also tunneled out via port 80.
    Conclusion is all personal firewalls will fail this one in some way or another,
    but again I will say how Bitguard can stop this.

    Ghost: Again a nice process ID program, and if firewall set to ask it is caught and if set to allow it fails as do most firewalls.

    ===============================
    My thoughts on testing Bitguard: it is a good firewall when set to Run only configured programs. It has no DLL injection as yet and process injection is also a weakness here, but here is the biggie: Run only configured programs.

    When the firewall is set to "Run only configured programs", none of the above tests work, period!
    Since they are not in the local encrypted database, their process is not known, thus the process is terminated.
    Configured programs included IE, Mozilla, ICQ, Yahoo and Outlook.
    Explorer.exe and notepad, excel etc. were set to deny internet access.

    Leaktest: failed Process Killed
    Tooleaky: failed Process Killed
    FireHole: failed Process Killed
    Yalta: failed Process Killed
    Outbound: failed Process Killed
    PCAudit: failed Process Killed
    AWFT: failed Process Killed
    Thermite: failed Process Killed
    CopyCat: failed Process Killed
    MBtest: failed Process Killed
    WB: failed Process Killed
    PCAudit2: failed Process Killed
    Ghost: failed Process Killed



    Dudes contact me and I will demo this firewall to you to show you what it really is before you all go off on some rant without looking into it first. So gweb and morgith feel free to contact me about your doubts!

    Red Dwarf

    p.s. when tested with Nessus scanner the firewall is totally hidden and does not fail any test that nessus throws at it.

    Also, if you try to rename any of the above files to an allowed process, nice try, but it still will not work due to internal security within the firewall.

    Please try and add bitguard to this test sheet dude
    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/test.html
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    If anyone has his _own_ criteria, all results will be different.

    In most of your tests you seem to say "if I set IE to ASK", which sounds to me like you don't trust IE.
    Leaktests are above all proofs of concept, ideas, against fully trusted apps; the best firewalls, even in this case, detect the program hijacking and block it.
    In _none_ of your answers do you show me that BG detects the leaktest rather than just seeing that a common app (IE) is launching.

    To "pass" leaktests based on my website criteria (which are the same for all firewalls) involves, for most leaktests, the detection of it over a fully trusted app, which doesn't seem to be the case regarding your details.

    If I am wrong about BG, please give me more details or screenshots of BG detecting and blocking leaktests at network layer (leaktests are not meant to pass sandbox or application monitoring layer, just outbound application filtering).

    regards,

    gkweb.
     
  11. Red_Dwarf

    Red_Dwarf Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    20
    Location:
    Earth last time I looked
    :rolleyes:

    Mhhh I have reconsidered my post as a bit rantish and should have been clearer :p

    Suffice to say my view is as follows.
    And I hope you see what I am getting at by saying this.

    Users are made to feel they need a firewall either from colleagues or Press etc.
    Thus they go out and buy or download one.
    They trust that software company to do what it says on the box.
    Good people naturally test these firewalls to see if it does what it says on the box and when they find flaws these flaws are published.
    In turn software vendors fix these flaws since it is in their interest and to not fall under a torrent of negative reviews.

    Now we have Leaktests that home users rely on.
    These programs mainly take advantage of the underlying OS security holes and not the actual Firewall itself.
    * yes some Firewalls do have genuine problems that is not what I am saying *

    The majority of these tests take advantage of a trusted app, that is to say an application for which the user is asked: do you wish 'X' to have access to the internet?
    And if this is IE, for example, then IE is allowed access and a rule is set to allow that app to access the net, and probably the rule says never ask me this question again.

    Thus these testing programs either use DLL or process control injection and circumvent said Firewall and we are now left with the impression said Firewall is not good.

    Now this is good in a way since it will make software vendors consider the way they handle or think in the way of coding a firewall.

    Now for anything to run on a PC it must kick off a process; for example, the program Copycat itself is a process when you run it.

    Consider we only allow authorised processes like IE or Yahoo or MSN and of course the parts of the OS we need to boot, get net access and run its own programs.

    Now back to the question of Bitguard failing Leaktests.

    If you configure Bitguard to only allow Configured Programs then anything else that tries to run is terminated, and added to the database as Kill, thus it can never run even if it tries to again.

    Thus anything else than those authorised processes may run and all leaktest programs previously listed do not run.

    I am not saying Bitguard is the best in the world; it is very basic and has not as many bells or whistles as all the others.

    What I am saying is that this feature makes it a serious choice when considering purchasing a personal firewall.

    Red Dwarf

    p.s. I have not mentioned any other features in the Bitguard firewall such as allowed ports or protocols, not to mention the realtime display of packets leaving or entering the PC to see what is really going on. I found this a great troubleshooting tool.
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    You got it: BitGuard is more a sandbox than a firewall, and the features involved to "block" leaktests aren't features that I am testing, nor ones that leaktests try to bypass.

    Such a layer of defense _is_ advised, I personally strongly advise it on my website (take a look at the advices page), but it is not what leaktests are testing.

    It isn't the first time that when I say "leaktests check your firewall outbound application filtering at network layer" (don't take it for you!) people answer me "my shoes block them all"; notice the humor in my sentence :)

    Finally we end to that without too much effort.
     
  13. controler

    controler Guest

    Hello

    Red_Dwarf?

    I have a couple questions.

    1. When I right click on Bitguard and exit, IE won't access the internet.
    Do you know why?

    2. Why is the only default trusted IP 129.142.224.58 from Danware Security Service?

    3. Why in Active Programs are there two Database buttons that do the same thing?
    I am using XP Pro with built-in firewall enabled on an Actiontec Gateway set to medium.

    That's all for now

    Thanks

    con
     
  14. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Welcome to Wilders, Red_Dwarf, and thank you for taking the time, as you are doing, to clarify some of these things.
     
  15. Red_Dwarf

    Red_Dwarf Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    20
    Location:
    Earth last time I looked
    Hello Controler,

    *smiles* Red Dwarf, UK TV series, hence the name; it is an old nick....

    To answer your questions,
    1.
    I too noticed this about apps and closing the GUI.
    When I looked into this and the APP is set to ask, and the gui is not open then the process is in a suspended state.
    But when the GUI is reopened all pending questions popup.
    *shock horror read the manual to verify this *
    Of course not sure if this was your situation?
    2.
    Yeah that also seemed weird to me, I asked reseller about this one and it seems to be there for registration process.
    3.
    *smiles* Yeah, you're asking questions here I had when I first started using Bitguard.
    I noticed that "> Database" adds one item (or multiple if you select more with the CTRL key) to the program configuration and the attribute is set to ask. ">> Database" adds all running processes and sets the attribute to ask.

    All in all I am fairly happy with Bitguard oem.

    The configuration I use btw when I really started using this firewall was in basic settings I selected auto add running process to program configuration.
    I booted my PC a couple of times to get everything in there, LOL I was surprised to see how much was added.

    Then I ran my usual crap, Mozilla, Yahoo, ICQ, Dreamweaver MX 2004, SETI and various other little bits and bobs.
    After I was sure everything was there that I needed I set it to run only configured apps and rebooted.

    So now I have my system only running what I want. The only minor pain is adding **** either by hand or switching off run only get prompted and then switch run only back on, but that’s a minor quibble.

    Red Dwarf


    p.s. As a passing afterthought when I posted this, I remember one of the reasons I liked Bitguard was the fact that if I shut exit the GUI the firewall is still running using the config I set up.
     
  16. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Can I ask any sandbox software user (not necessarily BitGuard) what will happen when they willingly allow something to run (unless you never download anything) thinking it's a legit app, if in fact this executable is a trojan using a leaktest trick to bypass your firewall?

    First case: you have a sandbox and a vulnerable firewall, you will leak.

    Second case: you have a sandbox and a firewall "passing" the leak, you won't leak and will identify the threat.

    It is as simple as that. I like sandboxes too, I use one (SSM or AP), BitGuard seems another nice one, but be aware of what kind of security it provides.
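
The two cases in the post above, together with the "Run only configured programs" mode described earlier in the thread, as a toy decision model. This is an added example, not part of any post and not BitGuard's or any other firewall's actual logic; the function names, the rule sets and `downloaded_tool.exe` are hypothetical, and the launch chain is the one quoted for Wallbreaker's third test.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data. Only the chain shape
# (X -> cmd -> explorer -> iexplore) comes from the thread.
NET_TRUSTED: Set[str] = {"iexplore.exe"}               # "allow, never ask again"
CHAIN_OK: Set[str] = NET_TRUSTED | {"explorer.exe"}    # launchers the chain-aware filter accepts
BASE_CONFIGURED: Set[str] = {"explorer.exe", "cmd.exe", "iexplore.exe"}


def chain_from(root: str) -> List[str]:
    """Launch chain, oldest process first, ending in the process that connects."""
    return [root, "cmd.exe", "explorer.exe", "iexplore.exe"]


def per_image_filter(chain: List[str]) -> str:
    """Outbound rule keyed only on the image that opens the connection."""
    return "allow" if chain[-1] in NET_TRUSTED else "ask:" + chain[-1]


def chain_aware_filter(chain: List[str]) -> str:
    """Outbound rule that also requires every launcher in the chain to be accepted."""
    if chain[-1] not in NET_TRUSTED:
        return "ask:" + chain[-1]
    for image in chain[:-1]:
        if image not in CHAIN_OK:
            return "ask:" + image      # names the originator, not the browser
    return "allow"


def decide(chain: List[str],
           net_filter: Callable[[List[str]], str],
           configured: Optional[Set[str]] = None) -> str:
    """Apply launch control first (if enabled), then the outbound filter.

    configured=None models launch control switched off; otherwise it is the
    allowlist used by a "run only configured programs" mode.
    """
    if configured is not None:
        for image in chain:
            if image not in configured:
                return "kill:" + image  # never reaches the network layer
    return net_filter(chain)


def scenarios() -> Dict[str, str]:
    wb = chain_from("wallbreaker.exe")
    tool = chain_from("downloaded_tool.exe")           # user believes it is legit
    user_list = BASE_CONFIGURED | {"downloaded_tool.exe"}
    return {
        "no launch control, per-image filter": decide(wb, per_image_filter),
        "no launch control, chain-aware filter": decide(wb, chain_aware_filter),
        "allowlist, test not configured": decide(wb, per_image_filter, BASE_CONFIGURED),
        "allowlist, user added tool, per-image": decide(tool, per_image_filter, user_list),
        "allowlist, user added tool, chain-aware": decide(tool, chain_aware_filter, user_list),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:42s} -> {verdict}")
```

The allowlist stops the unconfigured test before any traffic exists, which is why it says nothing about the outbound filter; once the user adds the program to the allowlist, only the chain-aware filter still produces a prompt.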
     
  17. controler

    controler Guest

    Thanks Red_Dwarf (I can't remember the nick I know you by lol) for the clarification on my questions, and even though the system is still protected when you shut down the GUI, I am not sure it is a good idea. Why? Well, because when you right click on the tray icon you have two choices at the bottom: either exit the firewall or hide the firewall, and even though you select exit, you are really doing the same as selecting HIDE lol
    I know I should always read the dang Help section before posting, but sometimes even though a program runs as stated in a help file, I still see quirks that bug me lol

    I really think they should rename those two database buttons, even though they do different things. If I get you right, the first button adds only the one that is highlighted. Same as right clicking. The second one does ALL.
    Still confusing to most users.


    I do think Bitguard is a nice firewall and, for the most part, user-friendly :D


    con
     
  18. Red_Dwarf

    Red_Dwarf Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    20
    Location:
    Earth last time I looked
    Hi Con,

    Yep, you're right mate, that's what they do. As a side note, I received a new build from them and will keep you posted about the buttons :p

    have a good one

    Red Dwarf
     