FireHole Leak Test passed my fw

Discussion in 'other firewalls' started by blacknight, May 18, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Blacknight,

    When this PoC modifies the memory, you should have gotten at least one other warning of D+.

    Could you check whether this might happen:

    1. Start of PoC causes "XYZ tries to execute" warning
    2. You choose allow, a rule is created with the original 'loose' D+ setup (ignoring the modify process selection you made afterwards)

    Happy hunting

    Kees
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    For Kees too ;) . Yes, Brummelchen, Defense+ can: I changed the rule for com-API and now Defense+ alerts me to all actions of FireHole. :)
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Okay, so I will give screenshots of several of OA's numerous alerts.

    OA had "Allow" & "Block" check boxes at the bottom of ALL these alerts. I have omitted those check boxes to save space.

    Of course, I clicked "Allow" at every stage or else OA would have killed Trojdemo.exe from the get-go.

    1-OA alerts about the install:
    ScrHunt01 20-May-10.gif

    NOTE: I unchecked "Run Safer" before allowing this alert to pass. Otherwise, trojdemo would have been emasculated.
    ~~~~~~~~~~~~~~~~~~~~~~~~

    2-OA alerts that trojdemo wants to create task mgr within system32 file (even a novice should start getting at least a little suspicious)
    ScrHunt02 20-May-10.gif
    ~~~~~~~~~~~~~~~~~~~~~~~~

    3-OA alerts that trojdemo wants to create telnet within system32 file (I allowed this one, too. Good grief, I gotta quit smoking that stuff!)
    ScrHunt03 20-May-10.gif
    ~~~~~~~~~~~~~~~~~~~~~~~~

    4-OA alerts that trojdemo wants to create ftp.exe within system32 file (I allowed this, too. After seeing this alert, only a total doofus would still be clueless that something smells VERY fishy.)
    ScrHunt04 20-May-10.gif

    Continued on next post
     
    Last edited: May 20, 2010
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    continuation of OA's alerts

    5-OA alerts that trojdemo wants to raid everything (*.*) in the MyDocuments file (Sure, go ahead -- Take me, I'm yours!):argh: :p :blink: o_O
    ScrHunt05 20-May-10.gif
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    6-OA alerts that trojdemo wants to connect out
    ScrHunt11 20-May-10.gif
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    7-OA alerts that trojdemo wants to start my Firefox (Okay, why not? When rape is inevitable, relax & enjoy it):cautious: :ouch: :gack:
    ScrHunt12 20-May-10.gif

    NOTE: OA sets a default checkmark in "Terminate this Program". OA is trying sooo hard to save me from myself. Of course I unchecked that box because.... Wheee, go for broke, wot!!!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    8-OA alerts that trojdemo wants to control Firefox (Take a close look at what OA shows as the "Internal Execution Path" for this alert. NO excuse if someone lets any nasty get this far. OA did its job -- fully!!!):thumb:
    ScrHunt13 20-May-10.gif
     
    Last edited: May 20, 2010
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    bellgamin,
    Your illustrations are fabulous. Wonderful. Thank you for taking your time to document so nicely, as it is very educational, regardless of what system one uses.
     
  6. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    bellgamin,
    thanks for that screen shot sequence. That is why although I go off occasionally to play with the latest and greatest :doubt: security apps I always come back to OA. Not perfect, but for me it's very close.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Actually, BIG THANKS to EVERYBODY in this thread who documented things so beautifully (... said after reading page1 :) )

    Hey, long live Kerio 2.1.5 !
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, bellgamin, for taking the time to post these screenshots!

    ----
    rich
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bill,

    Good to see you tried the Bufferzone test. :thumb: I thought this would provide an answer to your questions. :) It is also nice to see how a limited-resource company with smart design and team work can compete with a bigger company with herds of code slaves.

    Regards Kees
     
  10. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    Indeed excellent and informative presentation Bellgamin!

    +1 :thumb:
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Just to put something in context.

    I have run for years kerio 2.1.5 or Sygate 5.5.2710 without a router, just my software firewall. I am a guy who does not install much, so I am not so much caring what goes out of my computer. Meaning what leaktests are all about.

    Windows XP firewall is just ok for me if I used that. I use those old firewalls, though, just for the interest. They are packet filters only and hassle-free software. I use my computer for knowledge, communication, some porn too once in a while inside Sandboxie, lol.

    The paranoia from reading these forums, I hope it does not get to all of you; keep your smart senses ;)

    It is so easy to make a PC work badly with too much security software.

    Jarmo
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Too much security software is a thing, multi layered scheme is another. :)
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    You might want to consider taking your own comment a bit more seriously. Per your signature, you are using kerio 2.1.5 or Sygate 5.5, Avira Antivir, ProcessGuard, SpywareBlaster, & Sandboxie.

    All I can say is WOW, that's a really big bambucha you got there, Jarmo! :argh: :blink: o_O

    My only real-time security software is OnlineArmor & Prevx. That's all, & it's quite enough.
     