ewido.leak test not detected

Discussion in 'other anti-trojan software' started by iceni60, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i hope this isn't a stupid question. but when i last ran ewido i noticed that leak test wasn't detected. does ewido know leak test? or is leak test something an AV should pick up, and not something for ewido?
     
  2. o0--0o

    o0--0o Guest

    No AV/AT should pick up a leak test. That's cheating because it prevents the leak test from doing what it is supposed to do: to test the effectiveness of a firewall.

    A leak test is not a test virus/trojan. A leak test is not EICAR.

    Any AVs/ATs which detect leak tests are cheating!

    Got it?
     
  3. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    TrojanHunter picked it up. Plus other OD scanners i use often pick up tests i have
     
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    no. i think i've seen the french firewalltester person explain this a few times.
     
  5. o0--0o

    o0--0o Guest

    I am prepared to discuss this issue with gkweb if he said what you say.

    The purpose of a leak test is to test whether the filtering abilities of a firewall can be bypassed by trojans which cannot be detected by any AV/AT scanner.

    If you create a signature for a leak test you cannot test the firewall anymore (i.e., you are cheating because you pretend that a firewall has detected a leak test which was actually detected by an AV/AT scanner).

    Note: It is absolutely no problem to create a signature for a leak test, for notepad.exe, for iexplore.exe etc. And it does not make any sense at all. A signature for a leak test has only one purpose ... to fool stupid users.
     
  6. o0--0o

    o0--0o Guest

    Addendum:

    Some AV/AT software developers feel obliged to create signatures for leak tests. This is because stupid users demand such signatures.

    Therefore, I would not necessarily call Magnus etc. a cheater.
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Why don't you register? We like to discuss security here. No sense calling anyone stupid. We are all here to learn. How about you?
     
  8. o0--0o

    o0--0o Guest

    I have not called anyone stupid. In particular, I did not call iceni stupid. There is absolutely no reason to believe that you must be a stupid person because you do not (yet) understand AV/AT scanners, leak tests etc. Nobody knows everything.

    Nevertheless: it's stupid/it is cheating to create signatures for leak tests unless you are forced by your customers to do so.
     
  9. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    there's no point in saying that, because it just shows you may be a little unstable; and perhaps not to be trusted. i hope that's not true.
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas

    The vendors that add leaktest can explain that a particular file was added by public demand.
    Most scanners have an ignore list you can add to if desired.
     
  11. o0--0o

    o0--0o Guest

    @iceni

    See above. I do not call you stupid! I merely use such strong words because I want to discuss this issue with you.

    There are many people (including testers) who do not understand the concept of leak tests and, therefore, provide misleading information to others.
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    here, here. well thought-out.
     
  13. o0--0o

    o0--0o Guest

    Addendum

    I have another example for you: it demonstrates what "stupid" users can do to an AV software developer. Due to a thread @ dslreports Kaspersky was forced to add a signature for avpoffset 0.17. This is a hacker tool which can extract signatures from KAV's signature database in order to make malware undetected. Of course the signature for avpoffset 0.17 will not help since a malicious hacker will simply disable KAV's monitor if s/he wants to extract a signature. Moreover, avpoffset 0.17 is outdated and does not work anymore. There is a newer version. And there is no signature for the new version. Sometimes, "stupid" users can really be a pain in the neck ... ask any AV/AT software developer.
     
  14. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    if you want to discuss this issue with me so-be-it. how can i trust what you say? all i have to go on are your words. take your time, and go through what you have written; then tell me i should trust you
     
  15. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    when did i say you called me stupid? you are talking directly at me here, it says so at the top.
    :D ;) goodbye :-*
     
  16. o0--0o

    o0--0o Guest

    "how can i trust what you say?"

    There is absolutely no reason to trust me. Make up your own mind. Install a leak test. Play with it. Figure out what it does. Then you will understand.

    Alternatively, listen to other people. I am pretty sure that they will confirm what I said. If not: I am interested to listen to their arguments.
     
  17. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i just reread this. i think i might have made mistakes, i won't edit my last post, was going to but i don't think it worked, so i won't try again. this isn't supposed to be horrible, but is english your first language, o0--0o? if not, thanks for your help; if english is your first language, well just thanks... perhaps if you try and help me again, tone it down a bit.
    i'll go and read up on detection methods, see if you are right. :p
     
  18. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    a firewall leaktest is a program to test your firewall, it was made to help you - why should ANY av/at detect such a program as a malicious one?

    a firewall on the other side should detect the "bad things" it tries to do and block them when the program is being run...
     
  19. TheWatcher

    TheWatcher Guest

    I wouldn't listen to anyone who calls people stupid for not understanding how leaktests work. Most people come here to learn, and at one time we were all beginners (some still are), and knew little of leaktests or anything to do with computer security.

    How about you o0--0o, were you born knowing everything there is to know about computers? How would you feel if someone called you stupid, for not understanding something, while you were still learning about it?
     
  20. o0--0o

    o0--0o Guest

    @iceni

    Again ... it was never my intention to call you a stupid person. You may be a rocket scientist or something like that. I apologize for my language which could be easily misinterpreted.

    Listen to fish. He is one of ewido's developers. Please do not force ewido or anyone else to add signatures for leak tests or other harmless test software.

    @TheWatcher

    Sorry ... there will be no flame war ;-)
     
  21. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Such testers shouldn't be detected under any circumstances.
    Only if they are picked heuristically (devs cannot control this) and they can only exclude it somehow as they do with false positives. If they are by signature, it's something wrong with guys developing such program.
     
  22. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    There's no good reason IMO why an AT/AV should detect LeakTest. Some AT's did add GRC's LeakTest to their signature definitions since some of their customers complained that the products didn't detect it. This suggests these users rather missed the point of the LeakTest firewall demo exploit. The users downloaded the app to test their firewall, understanding that it was a demo exploit, not malware. Why then should they expect an AV/AT to detect what they should already know is a harmless test?

    And one problem with including detection: although these AT's usually include disclaimers that LeakTest is a demo exploit, not malware, I've seen some befuddled people actually post that since their security app detected LeakTest, LeakTest was a trojan and GRC.com was a bad site distributing malware, secretly exploiting its users. And amazingly other posters (including some who should have known better) believed it before someone could correct this misinformation. All this bad info did was to scare some people away from using GRC the site, which in fact is a good site for newbies to learn about security.

    Let's put it this way, why should any AV/AT detect a harmless firewall tester app? What purpose does it serve? Detection proves nothing about the AV/AT's capabilities regarding true malware and may mislead people into believing the demo is indeed malware when it isn't. This serves no useful purpose that I can see and may only lead to more confusion.

    What concerns me is that some people now think this is some standard detection that AV/AT apps should have and then decide the app is lacking because a harmless firewall test is not detected. Again, detection or nondetection of harmless demo leaktests proves absolutely nothing about an app's capacity for detecting true malware.

    As RejZoR noted, detection by heuristics is another matter if an app has characteristics or behavior similar to known malware, but that would apply to any app that shared those characteristics or behaviors. But in the cases of which I'm aware the LeakTest is detected by signature definitions only because some customers wanted it, not because there was any merit to the detection itself.
     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    I was trialing an anti-trojan app when this happened to me. There was a big stink over this with the users.

    Makes you wonder who the software builders are listening to.

    Steve Gibson, whether you agree with him and his methods, was one of the first out there to raise users' awareness of security on the Web. For that, I will always be grateful.
     
  24. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hello, i think what i was thinking was how some tests get flagged because of heuristics. and because TH had flagged ewido i thought perhaps that was what had happened, potential dangerous code picked up. it never occurred to me that a test would be detected on purpose. i've seen lots of posts from people saying that a test was picked up, so it must be bad. i don't know what to think.
    the thing i'm most confused about is, who is Magnus? :doubt:
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    He is the author of Trojan Hunter.

    http://www.trojanhunter.com/
     