Firewar still able to terminate Outpost FW with PG

Discussion in 'ProcessGuard' started by aperkins, Dec 9, 2003.

Thread Status:
Not open for further replies.
  1. aperkins

    aperkins Registered Member

    Joined:
    Feb 28, 2003
    Posts:
    4
    Outpost Pro v2.0.238.3121 (290)
    Process Guard v1.150
    Firewar Standalone Edition http://www.paoloiorio.it/fw.htm

    I have all the block flags selected for outpost.exe, both General Protection Options selected and CHM.

    TaskMgr is unable to stop the process.

    Upon execution, Firewar causes CHM to pop-up, I click cancel twice then receive an error from Outpost as it unloads.

    Attached is a screen shot of the PG log, which doesn't report any attempt on outpost.exe from firewar.exe, the Outpost error, and Firewar showing that it has disabled Outpost.
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi aperkins and welcome,
    This issue has been addressed in the DiamondCS General Forum and will be looked into
    quote from Jason:
    quote from Pilli:
    Dolf
     
  3. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i never have worried about firewar, and considered it a gimmick.. i think diamondcs has the bases covered..
     
  4. aperkins

    aperkins Registered Member

    Joined:
    Feb 28, 2003
    Posts:
    4
    Gimmick or not, I expect PG to protect the applications I assign to it, period. Anything less would put DiamondCS in the general, kinda works, utility catagory.

    They have chosen to be the leaders in their field, so they must continue to perform above and beyond...

    We should expect nothing less.
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    They ARE the leaders in this field, because there is no competition for this program :D
    But as you could have read: they are working on it
    Dolf
     
  6. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    At least Outpost gives you a message that it has been tampered with. It would be worse if it just closed silently.

    You can immediately restart the firewall afterwards, by clicking on the program shortcut in Start Menu Programs.
     
  7. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    you are further ahead by using PG than not.

    be interesting to see if SSM allows firewar to even execute - my guess is it will not...

    just tried both firewar versions... html & .exe

    the html page doesn't even make my browser burp, and the .exe can't start up with SSM in place

    nice result for this insecure win9x system...

    looks like a weak exploit, except if you have ur config...
    :eek:

    probably isolated o_O layer in some more defenses until PG handles...
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes and on Win98 that is a reasonable solution :)
     
  9. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    peakaboo, which version of system safety monitor do you recommend? which version are you using?
     
  10. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    redwolfe, If you are running Win98/SE or above, I would recommend you try the latest version 1.9.4b1. If you have any problems look in the help file (help file should unpack when you run SSM.exe) and email the author. Max is very responsive.

    If you are running below Win98/SE contact Max for special build.

    I'm running a special build off the SSM 1.9.3 platform.

    get the latest version here:

    http://kormushkin.narod.ru/ssm.zip

    also if you have any problem with the Html version of firewar you can defeat by taking away the activex...

    either

    1) turn off active x if you use IE or
    2) use proxomitron with a filter which kills activex or
    3) use a browser which doesn't support activex - Opera or Firebird
     
  11. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i installed the latest version of ssm.. ssm appeared to stop firewar from running, but it (firewar) still managed to shut down my kerio 2.15 firewall (somehow).
     
  12. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    redwolfe,

    With SSM running after you have allowed all trusted aps right click on SSM icon in systray and move from administrator mode to user mode

    then try running firewar.exe

    the .exe should not even start since it is not trusted ap; exploits can't fool it since it uses MD5 fingerprint

    great discussion by gkweb on two different approaches sandboxing & process monitoring here:

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/software.html

    the point is if SSM will not allow the firewar.exe to run then it won't allow a trojan or any other program or Ap which is non trusted to run either...

    contact Max via email if it does not work as you expected, or post to SSM thread, worked fine for me.

    additional discussion re: SSM...

    http://www.wilderssecurity.com/showthread.php?t=17132
     
  13. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    thanks, peakaboo.. :) that worked, switching it from administrator to user mode.. now it is stopping firewar even in administator mode.. 'don't know why it wouldn't, before. ssm is running smoothly..
     
Thread Status:
Not open for further replies.