I tried Tooleaky and it ran right through Kerio and said my firewall (Kerio) is useless. If this is the case, how do I fix it?
The current release version of Kerio (v2.14) does not handle this type of program hijacking or .dll injection. One related post I found from the Kerio forum at DSLR: http://www.dslreports.com/forum/remark,2823724~root=kerio~mode=flat The v3.0x betas introduced measures to deal with this kind of potential vulnerability, but development stopped. Kerio is currently working on a new v3.5 which may be out shortly for beta testing. I would suspect it will also have measures to deal with this sort of thing. For those not familiar with tooleaky: http://tooleaky.zensoft.com/ Regards, CrazyM
Hello, You might run System Safety Monitor in conjunction with your FW and pass all leaktests with flying colours. Rgds,
The beauty of "tooleaky" was not in its coding, but in the idea itself and its simplicity! If you look at the source code, there's really nothing to it, and yet it can get by an awful lot of software firewalls. Or at least it could, until they started adding a lot of additional complex features to prevent this type of "exploit". Obviously, they never updated the old version of Kerio against this exploit, but most software firewalls have already addressed, or are addressing, this and other exploit methods in their newer versions.

The tooleaky concept depends entirely upon a piece of malware (tooleaky.exe in this case) being able to run a program that has been granted access out to the Internet through the firewall, without the user knowing. You can defeat this type of exploit by not allowing any programs access out through the firewall without the user having to specifically allow them each time a new instance starts up. Well, that setup would defeat the simple tooleaky design, but not the next thing someone thought up... Next they started having the malware program itself try to kill the software firewall, or in some cases have it "press" the confirmation buttons on the firewall alert pop-ups itself. And so went the attack mechanisms, and now the software firewall companies have to build in protections against being killed from within the computer, protections against programs being able to click their buttons, and so on.

There is of course one simple protection against all these types of exploits. They all require the user to download and execute a program. Safe computing habits make a formidable initial line of defense. After that, having the latest version of your software firewall, with all these special extra protections, is what's needed, alongside a safe configuration, of course.
Yes, tools like SSM and Tiny Trojan Trap are the best defenses against these various exploits because they monitor and control the behavior of programs, and how they interact with the OS and each other. Many software firewall vendors are simply trying to build ever higher walls and other layers of defense around themselves. But, I think with every defense they add, the other side will just find a way to circumvent that. It'll go back and forth forever. For anyone interested, here is what "tooleaky" itself does: That's all there is to it. It's a very simple attack considering how complex it is for the software firewall applications to defend against it.
I switched to Kerio from Sygate because you're able to make a loopback rule. I didn't want programs piggybacking on Proxo. But now I see Kerio can't block this type of stuff. I wonder if McAfee Firewall 4.0 will block piggybacks and tooleaky. Bloat up my computer to be safe. LOL I tried SSM and it gave me an error message. It doesn't work well with XP. I also tried LookNStop and it said something about a driver not installed. I don't know what that means, but you know. Maybe I'll go back to Sygate and pray nothing piggybacks Proxo while I'm online until they come up with a fix for it. Thanks guys for the help.
Hello, SSM is at its best with WinXP. Don't hesitate to contact Max (bugsbunnyATe-mail.ru) if you encounter any problems. Rgds,
Kerio and Proxo foil Tooleaky etc... Hi notageek - I use Kerio 2.13 and Proxo, and have always beaten tooleaky, leaktest and firehole, even when I used IE... Do you mean that you do not get an alert that Leaktest wants access out, or that it gets out 'secretly'? I have three simple rules that stop them all: I allow Opera/Phoenix access to Proxo through localhost:8080; I disallow any other apps any access to Proxo at all; and I allow Proxo full access out to any remote address. When I run Leaktest or Firehole, Opera opens up and connects to my homepage, then I get an alert that 'Firewall Leak Test Utility wants to connect to GRC' and I deny it... that's it. Now, if you want it to be denied without any alert at all, then as I understand it you need the 'application blah blah filtering' that is supposed to be coming in the newer versions... Now I may be wrong, I'm a novice and no one ever believes that I have always foiled leaktest, tooleaky and firehole, but it's always worked for me. I think Tooleaky is hard wired to use IE, as it never even opens a connection on my machine, as far as I know... haha... Good luck, dmc
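The two mechanisms the thread keeps coming back to can be modelled side by side: the per-application rule set described in the post above (browser to Proxo on localhost:8080, nothing else to Proxo, Proxo out anywhere, everything else prompts), and the earlier explanation of why such rules are blind to a trusted program that was started by something other than the user. The following is an added example, not code from Kerio, SSM or any poster; the process names, the rule order, the "shell launched it" heuristic and the sample connection events are all constructed for illustration.

```python
"""Added example: first-match application rules plus a parent-process check.
Everything here (process names, rules, events) is constructed; it is not
the code of any firewall or behaviour monitor discussed in the thread."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt (constructed sample event)."""
    app: str      # process making the connection
    parent: str   # process that launched it
    host: str     # destination host
    port: int     # destination port


@dataclass(frozen=True)
class Rule:
    """A first-match application rule; None in a field means 'any'."""
    apps: Optional[FrozenSet[str]]
    host: Optional[str]
    port: Optional[int]
    action: str   # "allow", "deny" or "ask" (prompt the user)


# The three rules from the post, in the order they are checked, followed by
# the firewall's implicit "ask" default. Executable names are assumptions.
RULES: List[Rule] = [
    Rule(frozenset({"opera.exe", "phoenix.exe"}), "localhost", 8080, "allow"),
    Rule(None, "localhost", 8080, "deny"),                # nothing else may reach Proxo
    Rule(frozenset({"proxo.exe"}), None, None, "allow"),  # Proxo may go anywhere
    Rule(None, None, None, "ask"),                        # anything else: alert the user
]


def app_rule_decision(conn: Conn, rules: List[Rule] = RULES) -> str:
    """Return the action of the first rule that matches the connection."""
    for r in rules:
        if r.apps is not None and conn.app not in r.apps:
            continue
        if r.host is not None and conn.host != r.host:
            continue
        if r.port is not None and conn.port != r.port:
            continue
        return r.action
    return "ask"


# Parents from which a user normally starts a program (assumption: the shell).
INTERACTIVE_PARENTS = frozenset({"explorer.exe"})


def behaviour_decision(conn: Conn, rules: List[Rule] = RULES) -> str:
    """Application rules plus a parent-process check, in the spirit of a
    behaviour monitor: a program the rules allow, but which was launched by
    something other than the user's shell, is sent back to the user for
    confirmation. That is precisely the case per-application rules alone
    let through, because the browser itself is a permitted application."""
    base = app_rule_decision(conn, rules)
    if base == "allow" and conn.parent not in INTERACTIVE_PARENTS:
        return "ask"
    return base


# Constructed sample events covering the scenarios in the post.
SAMPLE_EVENTS: List[Conn] = [
    Conn("opera.exe", "explorer.exe", "localhost", 8080),        # user browsing via Proxo
    Conn("proxo.exe", "explorer.exe", "www.example.com", 80),    # Proxo fetching the page
    Conn("leaktest.exe", "explorer.exe", "localhost", 8080),     # leak test piggybacking Proxo
    Conn("leaktest.exe", "explorer.exe", "www.example.com", 80), # leak test going out directly
    Conn("opera.exe", "tooleaky.exe", "localhost", 8080),        # browser started by the leak test
]


def evaluate(events: List[Conn] = SAMPLE_EVENTS) -> List[Tuple[str, str, str]]:
    """Return (app, app-rule decision, behaviour decision) for each event."""
    return [(e.app, app_rule_decision(e), behaviour_decision(e)) for e in events]


if __name__ == "__main__":
    for app, by_rules, by_behaviour in evaluate():
        print(f"{app:14} rules={by_rules:5} behaviour={by_behaviour}")
```

The last sample event is the interesting one: the application rules alone say "allow" because Opera is a permitted program, while the parent-aware check turns it into a prompt. The rules still do what the post says they do (the leak test is denied on the proxy port and prompted when it goes out directly); the parent check only adds the question "who started this program?", which is the gap the rest of the thread is about.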
Tooleaky sneaks out without me knowing it. Kerio has a slight learning curve. Maybe the new Kerio (whenever it comes out) might be a little better. But right now I'm waiting for the new Sygate or Outpost. I'm going to jump on the first one that comes out.
For those of you using SSM - Does it automatically work on all user profiles in WinXP Pro? Or does it have to be configured to do so? I don't want to install it and then have the other users playing with it while I'm trying to learn what to do with it. Thanks. Pete
I haven't used it on XP, but it has a user mode, and can be password protected. It's a small free program, so I think there is minimal risk in installing it and checking it out. FWIW Pete, SSM is a must have in my security line up. If I had to choose between SSM and an AT, I would take SSM. The best thing about it is that there are several exploits, aka leak tests, that have not even been discovered or publicized yet, and while firewall vendors will have to react to block them, SSM is already able to.
What's the difference between SSM and Abtrusion Protector? Does it use fewer resources than Abtrusion Protector?
SSM protects all users, but only the user that logs on at bootup will get the prompts for new applications. So another user that tries to install a new application will have no idea why they can't, because the prompt will be on the original user's screen.
Hello, SSM uses about 6 MB of RAM on my system (WinXP Pro); I don't remember how much for AP. SSM is compatible with non-NT OSes; AP is not. The biggest issue with AP is that you must be ABSOLUTELY sure your OS is clean: when installing, it scans all exe and dll files and everything is considered trusted by default, as well as any installed malware. Rgds,