Firewall Tests V Winsonar !

Discussion in 'other firewalls' started by Spanner intheWorks, Mar 11, 2005.

Thread Status:
Not open for further replies.
  1. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    err...
    got a user guide for WinSonar?

    It's pretty confusing for me... the UI isn't really helpful, ya know.
     
  2. Yes Spanner intheWorks, Winsonar doen´t permit those tests to run in the memory, it is a very good program, in fact I have used a long time ago and it is a good program, the only thing I have seen it lacks is for dialers to run in memory, I use dialup connection and the only thing that stop them is CheckDialer, that acts like a modem firewall, winsonar is a good program indeed.
     
  3. Arup

    Arup Guest

    All the tests including Thermite, Tool Leaky, Leak Test, wall Breaker and AFT 301 were blocked by Winsonar, as a matter of fact, anything not in the approved list gets terminated right away, no questions asked. Cant have any better protection than that provided one has turned on the option of Kill Unknown Processes.
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    ProcessGuard protects you against the following leaktests:-

    Copycat
    Thermite
    Atelier Web Firewall Tester v3.1 (all tests)
    Firehole
    PCAudit
    PCAudit v2

    Thus, if you run Zone Alarm Pro along with PG you are protected against all but WallBreaker. No need for extra progs to cover these; I can live with WallBreaker 'cos (unless I'm mistaken) it is only proof of concept.
     
  5. Arup

    Arup Guest

    Spanner,

    With ZA free, you really dont need another process guard as it has a very good outbound protection on its own but Winsonar will give you an extra layer of security for free.
     
  6. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    WinSonar seems to operate a bit like Winpatrol.Probes on time intervalls,doesn't use hooks like process guard,that's why is a bit late on reaction.Set in "fast scan" ,it updates every 6 seconds approx.,which will warn you about a new process quite early,but the potentially malicious program will have time to execute in the meanwhile.Very low RAM usage on my system (2,5 MB) ,but everytime that scans,CPU goes to 7% (a bit high)
     
  7. Arup

    Arup Guest

    If you use the Kill Unknown process while connected tab, no program that is not on the list would be allowed to execute, sort of brute force apporach but pretty safe.
     
  8. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    So.. anyone has a manual or anything?

    I still can't get it to work... :(
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Don't feel too bad. I couldn't either.. There doesn't seem to be too much documentation...
     
  10. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302

    Well,there isn't much difficulty to it,but i suggest you tick the "fast" box so to understand the way it works.For example,after ticking it,try execute wallbreaker.A box will come out saying that unauthorised programme wants to execute.You go to the full gui and then click the "hand icon" you want (allow or stop).Also by clicking the name of the process in the left window you can add it to the safe list so that it won't ask you again.If you leave the "auto kill" option on,it ll create problems unless you put the programs you need in the safe list.For example,i went to internet and had the auto-kill and as soon as i launched Avant,it killed it(well,after 1 second)

    The probe button on the other hand does an on demand scan of running processes and shows memory usage and threads.Clicking the mem gives more info (so to help find memory leaks as it says in the small info that it's in the program).

    There is also a quick local port scan to see what ports are open from the inside (although they might be stealth from outside).

    If you give it 10 minutes you ll figure it out.There isn't much to do.There are only a few buttons and menus.It's like Winpatrol,with the difference,that currently Winpatrol allows as minimal interval between scans 1 minute while Winsonar's "fast scan" is about every 6 seconds.
     
  11. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    I agree.The scanning intervall in fast makes it statistically probable to kill something very fast and it's sure better than nothing.Actually in Winpatrol's forum they promiced to improve exactly the response time to under a minute (like Winsonar),because the current delay of 1 minute can be considered too slow.These 2 applications have common concept,while Winsonar i think is more focused against malware (giving extra tools as port scan,memory usage and process dependance tree) ,Winpatrol is more oriented towards spyware/adaware giving cookies tools,lock host file option,bho items for the browser etc.

    From the 2 i d prefer Winsonar since i don't care about cookies and i don't remember the last time i ve had an adaware in my pc.Winpatrol has easier interface though and less resource usage (specially CPU).
     
  12. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Thanks
    Thanks tonne! Metric and British!

    The only thing with testing using leaktests is... it DOES NOT cover me from process hijacks!
    And it doesn't stop the process temporarily while I can THINK what to do.

    But it seems like just an extra layer of protection, however feeble.
     
  13. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Yes,i don't think it ll catch everything,a dll injection would pass unnoticed(although in a brief explanation file-the one that explains what the various pannels do- i think it says that by viewing the memory info and proccess dependance tree one could guess a process hijacking but i don't know how exactly),but everything else that acts as independent process should be blocked even if not immediately.I think that for freeware it is very useful ,since most viruses don't do dll injection,they simply have their own processes.At least,the times i ve been infected,there was always a process from the virus running.So,maybe Winsonar won't catch it before it does some damage,but at least,you will be aware of its presence soon enough to start countermeasures with your antivirus/antitrojan and this is very helpful since the worst case of infection is the one you are unaware of its presence.I think together with a good antivirus and firewall,it offers maybe not a definitive solution against viruses ,since some damage can be done,but i think can provide early warning for many viruses that use their own processes and maybe it can stop them (with a bit of luck and quick decision-something that comes easier when you come to know well what executables exist in your pc) before doing all their potential damage.
    Currently i ve uninstalled it,but i may install it again in the future(specially if a new version lowers the CPU usage a bit :) ).

    Glad i could be of some help.If you play a bit with it ,you ll find all its features.There are 2 rudimentary help "articles" inside the program,one with a general prsentation and another with explanation of the pannel features.I think that ,with a bit of immagination ,can guide you to discover all functions of winsonar.If i well remember you click a button to see this 2nd guide.
     
  14. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I defend this free utility since one year.
    I've already send 2 or 3 emails to the team about some vulnerabilities.

    Well...Winsonar is great for anyone who doesn't have any Sandbox (Tiny), Infection prevention system (Process Guard, Abtrusion Protector...) or firewall application (SSM).

    This utility is easy to use and to configure.
    It just works with a withe list (safe and known process or application/program) and a black list (unsafe/unknown process).

    If leaktests (all) are run as unknown process, Winsonar will kill them all, with ("kill unknown...") or without ("off-line shield") a connection.

    But as i mentioned it, Winsonar is vulnerable.
    Specially against dll injection/process hijiacking and many others methods used by rootkits/worms or network backdoors to hide their presence in Win32 executables.

    For instance, a rootkit can create an autorun with one of your trusted application (like explorer.exe) and inject and hide itself in the process at the reboot.
    Winsonar will not be able to detect it because it does not use integrity features (like PG, Tiny, AbtrusionProtector,SSM, Viguard etc...).

    As many programs listed above (exept Viguard), Winsonar is also vulnerable to mobile code and script (like vbs).

    But in any case, it's a great and free tool for the user who wants to increase a basic line defense (AV+AT+AS+Firewall).

    Regards
     
  15. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    I been pondering the idea to use Winsonar for a while now. I'm running windows XP and use SSM on and off but it's a little too buggy for me. I tried PG liked it but didn't want to pay for it. My wife put a spending limit on me forbuying computer related items. She claims I spent too much over the last year. ;) Anyway anyone know how good winsonar runs on XP? Should I keep SSM running with Winsonar?
     
  16. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Well,i have always installed and uninstalled Winsonar ,so i can't speak for long experience,but i don't think it will give you any problems.Today that i tried it again it acted very well.Consider that it doesn't run in kernel mode like SSM for example,so it doesn't dig too deep into your OS and this should limit the bugs.Also it does a simpler task compared to SSM.

    I think you should try Winsonar and see for yourself.What i didn't like was that i had a CPU usage peak of 7% (on Athlon 2500+) every 6 seconds that performs the scan.It's a bit high for my taste.Other than this i saw no weird behaviour.
     
  17. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Does it scan when you go into screensaver mode? It't not good with DLL injections is it?
     
  18. Arup

    Arup Guest

    Winsonar also monitors the registry in real time and will block any new entries unless allowed by the user. All in all, it is a pretty good effort for a freebie.
     
  19. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    I don't see why it shouldn't scan when you have your screensaver on.The problem though is that unless you check the "auto kill" feature before the screensaver comes on,there will be nobody to tell it what to do with the unknown process untill you get back to your pc.

    As far as i can tell,judging from how it reacted to firewall leak tests,it doesn't detect dll injection,since i launched pcaudit successfully.

    But honestly,if you are careful with what you run on your pc,what's the probability you get a super duper trojan with dll injection?I remember reading about dll injection when i first put internet and i was terrified with the idea.Later read about the Beast which also kills avs and firewalls and got another chill and put Abtrusion Protector on,torturing myself each time i wanted to put a cd on the player,havign to see the pop up ,having trouble with installations of programs etc.
    Then one day i realised that all this is good for paranoid talk like we do in such forums,but in reality,what i do with the PC isn't likely to make me ever encounter such dangers that an av+firewall+something simple like winsonar or winpatrol won't handle.I always visit the same sites,i have activeX disabled,i kill all emails i don't know through poptray before they reach outlook,i don't download weird programs from unknown sources,i have 3 avs and Ewido,how will i be infected at the end with something terrible?If you have similar safe habbits,just put Winsonar or Winpatrol and forget about dll injections and stuff like that.SSM is nice,a control freak's heaven,but in the long run it is time consuming ,can break your nerves with false alarms and needs constant attention.At the end,the purpose of all security programmes is supposed to give you peace of mind,not make you even more paranoid than before.I remember when using SSM i would even select to see the baloon with every new program starting.If i ever get the beast or any other terrible trojan that will have the notorious dll injection,then i will return being paranoid.Till then i prefer something that doesn't need my constant vigilance.I think,try Winsonar.Once put all your programmes in the safe list,it should leave you alone to do what you are supposed to do,not guard the guardian.

    Just the opinion of an amateur.
     
  20. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    I tried it and I don't like it much. I keep getting window popping up asking if I want to terminate a program I'm running name Trayit!. I click no and it still pops up and asks me. That's rather annoying every few seconds.
     
  21. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    That's because you haven't put it in the "safe programs" list.When it asks you and you say yes,then you must click on the name of the exe (trayit) on the left pannel and add it to the safe list (i don't remember how exactly but you should find it.Maybe one of the buttons in the lower part).In this way it won't ask you again.What it does right now it's what it's supposed to do.It will always ask you again for any program unless you put it in the safe list.If you don't ,you only allow it once to execute and since you ve put "fast" scan,every 6 seconds,winsonar finds again that trayit,a non "safe listed" application is running,so it asks you again.
     
  22. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Ok I'll try it again. Thanks
     
  23. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    No I still get the pop up asking me if it wants me to terminate trayit!. It's rather annoying. They need to fix it so you can add programs to safe list like PG does with add to safe list button.
     
  24. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Well,it worked for me today.You might want to mail the developer and ask him about the problem you encounter.
     
  25. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    I will thanks.
     
Loading...
Thread Status:
Not open for further replies.