Interesting results - Process Guard vs 13 leaktests, blocked 6 of them!

Discussion in 'other firewalls' started by Wayne - DiamondCS, Jan 23, 2004.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Just reporting some interesting test results from this morning. Process Guard wasn't designed as an "anti-leaktest" program, but due to the nature of its process-level protection it turned in some interesting results today when we tried it against 13 leaktests - 6 of the more advanced ones were actually blocked, including "Copycat" which apparently works against all personal firewalls:
    http://www.diamondcs.com.au/processguard/index.php?page=attack-leaktests
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I perfectly agree that Process Guard is by far more help than any sandbox or other security software suite.
    Even if you make the mistake of allowing something to run, Process Guard protects your processes, and protects from half of the leaktest methods without any effort.

    Good job DiamondCS :)
     
  3. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    hehe - so ? We're talking about process protection here - Process Guard just detects copycat trying to access another app, not trying to access another app to access the Net - this is simple application monitoring, and even firewalls like Kerio and ZA can do that. This is not "outbound protection" as we know it. And an app trying to access another app can be perfectly legitimate, as Gkweb explained it 2 me once ;)
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    hey Morgott :)

    We are not here, in fact, to "pass" a leaktest but just to be protected or not ;)
    The only software which can "pass" or "fail" the leaktest concept is the firewall.

    But here we start by saying that some firewalls fail, so what to do to be protected (not to pass them).

    I hope to have shed some light :)
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    According to the site where we located the 13 leaktests, _all_ firewalls are still vulnerable to the Copycat leaktest, so even Kerio and ZA appear to be vulnerable.
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    No outbound protection of current firewalls can pass Copycat.
    However, firewalls like ZA have makeshift protection to warn about an "Open Process" attempt, which isn't taken into account on the site because at this stage there isn't any clue whether it is for internet access or not.

    But now, from our point of view of being protected, PG is far better than the ZA makeshift because ZA will warn you for every OpenProcess whereas PG will simply block some termination attacks on protected processes, no false positive :)

    EDIT: the title is "blocked 6 of them" not "pass", so it is correct.

    EDIT2: what is very interesting is that PG isn't made for blocking leaktests, it is a nice side effect, and no firewall has all PG features. Just take a look at all the new PG features :)
     
  7. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    Hey gk

    It's Morgoth, not Morgott
    bah, never mind :D I'm a Tolkien fan, that's all



    Precisely! That's my point: PG may be somewhat more fine-tuned, but the fact is, BOTH ZA (and kerio?) AND PG block copycat from hijacking an app, but neither PG nor ZA detect copycat trying to ACCESS THE NET!

    Therefore, the leaktest as such is NOT detected by either ZA or PG, therefore is not blocked in the strictest sense of a leaktest. :cool:
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    ok MorgotH :D

    as I have already stated in an old post, I don't remember which one, if copycat finds another way to not do an OpenProcess or to get it done by another allowed app, ZA will see nothing and block nothing, because it is a makeshift protection :)
    MOREOVER, ZA uses this same makeshift against Thermite whereas real protection exists, as Look'n'Stop shows you!

    However, PG, however copycat starts its exploit, will always protect IE from being modified.

    About Kerio, it is the same as talking about SSM or AP, if you mistakenly allow the executable to run (what makeshift protection Kerio offers) you are in deep s***
    But PG doesn't care about that and finally blocks the leaktests.

    We agree that here we just want to be protected, not to pass the leaktest idea, and PG can protect you whatever your firewall is and better than any firewall or sandbox software, in my opinion.


    indeed, but that has never been the point of PG ;)
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Process Guard was never designed to defeat any leaktests, its sole purpose is the integrity of your security processes (such as your firewall, antivirus, and so on), which it does by protecting against process termination, thread suspension, code modification, DLL/code injection, driver installation, and so on. Just the mere fact that it also stops 6 out of the 13 main leaktests is simply an added-but-unintentional bonus - a good example of the 'depths' of the protection that Process Guard provides :). Really it should be up to the firewall itself to provide protection against leaktests, but as history has shown this is never the case - personal firewalls always seem to be vulnerable against at least one or two of the more advanced leaktests, but it's those kinds of leaktests that Process Guard is so easily able to block. :)
     
  10. anvil_

    anvil_ Guest

    Of course, SSM is also able to block Copycat (and others) _after_ it has been allowed to run. Otherwise, Max (author of SSM and Copycat) wouldn't have written CC, would he...? ;)

    PG and SSM are quite similar in some aspects, e.g. SSM is also able to block "terminate process" and some other ways of process termination. :)
    Still, PG has the advantage of its driver-based approach.
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    hi anvil, it has been a while since I have seen you ;)

    I globally agree with you, I just want to say that SSM and PG provide different protection, and I am not saying to use PG instead of SSM or any other firewall, but to use it concurrently with them to add a strong layer to your security :)
     
  12. anvil_

    anvil_ Guest

    Heya gkweb, I've been around, but not posting very much... ;)

    Yep, using both apps (if it works...) offers quite a lot of protection.
    I'd say, SSM has overall more features at this moment, but PG's basis (the driver) is stronger.


    BTW, for further reference regarding PG vs. Leaktest, see my reply #10 in this (old) thread:
    http://www.wilderssecurity.com/showthread.php?t=15503;start=0

    Taking into consideration that protection for "SetWindowsHookEx" (Firehole, PCAudit) has been added since then, our test results are exactly the same. :)
     
  13. noname7

    noname7 Guest

    @anvil

    How about a relatively short PG report /w screenshots (to be published on your website)? The report could demonstrate how PG protects against...

    1.
    rootkits (in particular: Hacker Defender, Fu Rootkit, Vanquish, Aphex DLL rootkit);

    2.
    leaktests (including Firehole, Blackstealth & others);

    3.
    DLL trojans (including Beast and ColdFusion);

    4.
    Set Windows Hook Keyloggers;

    5.
    Process Killers (including Kernel PS).

    Other issues which could be dealt with are "ease of use" and "non-resolved stability problems". Despite the outrageous & completely unexpected 25% price increase I feel that PG's latest version may deserve the verdict "highly recommended".

    In addition, such report would perfectly complement the article on DLL trojans.

    What do you think?
     
  14. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Don't forget we also offer a FREE version, but @ US$24.95 (which is not 25% more than $19) it's still one of the most affordable security programs available anywhere, and for a program that has literally no competition - for a program that can literally protect you against rootkits, a lot of leaktests, global hooking/DLL injecting trojans, code modification, process termination, thread suspension ... that's a lot of bang for very few bucks, and once you've configured it you'll never have to worry about such issues for years to come :)
    You also have to consider the weak US$ and surging global economies that are pushing the US$ even lower, so US$24.95 is worth a LOT less now than it was just for example one year ago (there has never been a better time to buy things in US$) :)
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    While the price increase might conceivably be "unexpected" I hardly think it is "outrageous"! The price was very low to begin with and since its initial release so much has been added. IMO, the current price is still very low given the degree of protection it offers that no other program can.
     
  16. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Morgoth,
    PG doesn't NEED to detect Copycat trying to access the net because PG blocks Copycat WELL before it ever gets to the point that it CAN access the net ... it has to do its little trick first, and that's what PG blocks, so I find your argument a bit strange as you're saying it's not detecting the net access, when of course it can't - the program won't get that far as it has blocked that :)

    So that's a good example of PG doing its job by protecting processes from attack by other processes. If however, for whatever reason, the program did get out to the net, then that would be the job of your firewall - and not PG - to ensure that that data was indeed ok to go out, so although PG does prevent half of the leaktests, it's important to know what its roles are (process protection) as compared to those of your firewall (network traffic protection). :)

    Another example - your firewall won't offer much in the way of it preventing itself being terminated (try our freeware Advanced Process Termination tool's seven different kill methods and I'm sure you'll find that most if not all work against your firewall and other security processes), but Process Guard does offer that protection. On the other hand, Process Guard doesn't offer any protection in the way of network traffic coming towards those applications, but that's what your firewall is already comfortably doing, so it's somewhat a symbiotic mutual relationship :)
     
  17. noname7

    noname7 Guest

    1.
    @Wayne

    I was calculating with 19,95 USD ;-)

    19 USD + (19 USD * 25%) = 19 + 4,75 = 23,75 --> 25% was an understatement ;-)

    2.
    @Dan & Wayne

    Presumably, from a customer's perspective every price increase is "outrageous". Moreover, it's always fun complaining ... ;-)

    But I agree, there are many products which offer less for more. On the other hand, Tiny Personal Firewall (a complete firewall, sandbox and everything) costs 49 USD and System Safety Monitor costs nothing. It's DCS's responsibility to find the right price which maximizes their profits.

    I would think that 24,95 is a fair price. But it's not an absolute bargain anymore. European customers will have to pay 24,95 + VAT which is about 30 USD in total.


    3.
    Forget about 1. and 2. ;-) This one is serious:

    It appears to me that DCS cooperates with Regsoft. Please have a look at Regsoft's privacy policy ( http://regsoft.com/privacy%20statement.shtml ):

    "Except for credit card details, all the information we collect is forwarded to the appropriate product supplier"

    It's sad that you cannot anonymously purchase DCS products. But more importantly ...

    "RegSoft.com's current policy is to not sell, rent or trade personal information to others not associated with a purchase transaction; however, RegSoft.com reserves the right to do so in the future. If RegSoft.com does decide to do this, RegSoft.com will email each customer and give each customer 30 days to inform us if he or she wishes for your information to remain private. At this time, RegSoft.com is not planning to sell this information."

    And this clause is really outrageous. It should be the other way round! What happens if the email address changes etc.? The customer should not be required to do anything in order to protect his/her personal data. Frankly speaking, the above policy is obscene. And it's a bad joke that such clause applies to the purchase of security software. Aren't there any other e-commerce services which have an acceptable privacy policy?

    4.
    @anvil

    A report could also include SFC (dynamic disabling and disabling via reboot, see XPLite).
     
  18. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    noname,
    I understand your concerns, but Regsoft are one of the most highly regarded ecommerce transaction providers and many security products, here's just a short list from a quick google search of some that you can buy through Regsoft other than our own that you may be familiar with:
    The Zend team ("The PHP Company") have worked a lot with the Regsoft team to integrate Regsoft and PHP
    iNetPrivacy Software's "Anonymity 4 Proxy"
    Hackerwacker
    Mischel Internet Security "Trojan Hunter"
    Yours is actually the first complaint we've had about Regsoft since we started selling our software through them about half a year or more ago, so that's a respectable ratio .. :). However, we will consider adding Clickbank as an alternative purchase location, as we've also been selling with them for over half a decade with virtually no complaints.

    Best regards,
    Wayne
     
  19. noname7

    noname7 Guest

    @Wayne

    1.
    Thank you for taking this so seriously (my complaint did not relate to DCS but to Regsoft). I can imagine that it's not easy to find an e-commerce provider with an acceptable privacy policy. Many countries do not really care for data protection.

    2.
    "Yours is actually the first complaint we've had about Regsoft"

    Probably, I am the first one who has read their privacy policy ;-)

    3.
    I am wondering whether it is (or would be) possible to sell your products through an intermediary who does not retain any information (after the payment has been effected) or share information with third parties? I understand that I need a key file in order to use DCS products as a full version. Wouldn't it be possible to anonymously purchase such key files or would this facilitate software piracy? (You could still reserve the right to blacklist (or remove from a whitelist) any keyfiles which are shared via emule etc., right?)

    4.
    Actually, it seems to me that Clickbank ( http://www.keynetics.com/legal/privacy.html ) does not forward any information to third parties (not even to the product supplier). They also say: "We retain personally identifiable information only as long as necessary to complete a purchase, thwart fraud, provide customer service, or maintain your account with us."

    Maybe Clickbank is indeed a better choice which will allow for a semi-anonymous purchase.

    5.
    Do not dare to call me paranoid ;-)
     
  20. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Your concerns are well founded in this day and age so I wouldn't call you paranoid at all - just sensibly concerned, and I for one respect that. However, if Regsoft ever did betray the privacy of its customers then they would quickly lose most of the vendors who sell their products through them which would probably put them out of business, so it's not in their interests to do that. For that reason you can feel relatively confident that your details are secure when purchasing through any well-known ecommerce vendor (Regsoft, Clickbank, Element9, etc etc), as it's in their best interests to keep your information as secure as possible. On top of that, there have never been any past reports of such security/privacy breaches that I'm aware of, so they all have a long and clean track record :)

    Enjoy the rest of the weekend,
    Wayne
     
  21. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @Wayne

    about Morgoth,

    he was coming from the leaktest testing point of view, which isn't whether to block a leaktest or not :)
    but I won't rewrite all my site here ;)

    To sum up, on my site I check which firewalls 'pass' or do not pass the leaktest 'proof of concept'.
    To check if a leaktest 'executable' can be blocked is something else, which PG does very well.

    I hope to finish a paper about all of that soon, just give me enough time :)
     
  22. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    gkweb,
    Looking forward to your results! :) I had a feeling you'd be able to recognise Process Guard's anti-leaktest capabilities more than most people :)
     
  23. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
  24. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    Wayne>
    Hey man, no offense but if I recall correctly (page 1), YOU brought up the subject about leaktests. And moreover, this is the 'firewalls' forum...

    Hence my intervention about leaks and thus firewalls :D

    Let me clarify: my point was, PG does perhaps block the leaktests as hijackers, but not as leaks. It sees the app trying to access the target app (which is what it's meant for) but NOT trying to access the target app to make it access the Net (which it's not meant for, I agree)! We're talking about process protection, not outbound protection.

    And as gk pointed out some time ago, an app trying to access another app, that can be perfectly legitimate (however, an app trying to access another app to access the Net, now THAT's suspicious). So since PG sees the app trying to access the target, but cannot see "why" it does so, then how to tell between a "good" app (which attempts a legal, legitimate access) and a "bad" app? ;)
     
  25. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    but there is no problem in our case morgoth, because legit processes needing to access a protected process can have allowances to do it, so it all works like a charm :)
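
The two approaches contrasted in this thread, warning on every OpenProcess versus blocking only dangerous access to protected processes with allowances for legitimate callers, can be compared with a small triage routine over process-access events. This is an added example, not part of the thread and not Process Guard's or ZoneAlarm's code; the event format, process names and allowance table are constructed for illustration, and only the access-right bit values are the documented Windows `PROCESS_*` constants.

```python
# Documented Windows process access-right bits (winnt.h).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# Rights that permit termination, suspension or code modification of the target.
DANGEROUS = {
    PROCESS_TERMINATE: "terminate",
    PROCESS_CREATE_THREAD: "create-thread",
    PROCESS_VM_OPERATION: "vm-operation",
    PROCESS_VM_WRITE: "vm-write",
    PROCESS_SUSPEND_RESUME: "suspend-resume",
}

# Hypothetical policy: protected targets and per-caller allowances.
PROTECTED = {"iexplore.exe", "firewall.exe"}
ALLOWANCES = {("debugger.exe", "iexplore.exe"): PROCESS_VM_OPERATION | PROCESS_VM_WRITE}

# Constructed sample events: "<caller> -> <target> access=<hex mask>".
SAMPLE_EVENTS = [
    "taskmgr.exe -> iexplore.exe access=0x0410",   # query + read only
    "unknown.exe -> iexplore.exe access=0x002A",   # thread + vm-op + vm-write
    "debugger.exe -> iexplore.exe access=0x0028",  # covered by its allowance
    "debugger.exe -> iexplore.exe access=0x0029",  # allowance lacks terminate
    "unknown.exe -> firewall.exe access=0x0001",   # terminate
    "unknown.exe -> notepad.exe access=0x0020",    # target not protected
]

def parse_event(line):
    """Split a constructed event line into (caller, target, access mask)."""
    left, mask = line.rsplit(" access=", 1)
    caller, target = (part.strip().lower() for part in left.split("->"))
    return caller, target, int(mask, 16)

def warn_on_every_open(event):
    """Alert on any cross-process open, whatever rights were requested."""
    caller, target, _ = event
    return caller != target

def protected_verdict(event):
    """Block only dangerous rights on protected targets that no allowance covers."""
    caller, target, access = event
    if target not in PROTECTED or caller == target:
        return "allow", []
    granted = ALLOWANCES.get((caller, target), 0)
    denied = [name for bit, name in DANGEROUS.items()
              if access & bit and not granted & bit]
    return ("block" if denied else "allow"), denied

def triage(lines):
    """Return (line, warned, verdict, denied rights) for each event line."""
    events = [(line, parse_event(line)) for line in lines]
    return [(line, warn_on_every_open(ev), *protected_verdict(ev)) for line, ev in events]

if __name__ == "__main__":
    for line, warned, verdict, denied in triage(SAMPLE_EVENTS):
        print(f"{line:45} warn-all={warned!s:5} policy={verdict:5} {denied}")
```

On the constructed sample, the warn-on-every-open check fires six times while the policy blocks three events, and neither check sees any network activity, which is the distinction between process protection and outbound protection argued over above.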
     