Leak Tests

Discussion in 'other firewalls' started by f123, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. f123

    f123 Guest

  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi guest,

    tests are not done just "like that", I am using a test protocol, which is explained there:
    http://www.firewallleaktester.com/documents.htm
    (pdf document)

    results will completely change if you don't fully trust explorer or iexplore

    Do you understand the leaktest to claim you pass Copycat ?
    Do you know how ZA seems to pass Copycat ?
    ZA allows you to enable the OpenProcess API call hooking, and it only intercepts this API call from Copycat to IE; there is no clue at this time of an internet access. It is not a pass, it is a makeshift; everything is explained in the document (for instance an exe doing such a call without any network code in it will be caught by such protection, the OpenProcess API is not necessarily malicious).

    Good reading.

    regards,

    gkweb.
     
  3. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    GKWeb-
    That is good reading. I haven't finished it yet but I read enough to have a better understanding of the makeshift protection some firewalls provide. Because of this I'll post my findings with Tiny firewall 5.5.1332 in a slightly different format: pass, fail, or blocked (low level access, API, ...makeshift).
    PC Audit 1 - Pass
    PC Audit 2 - Blocked
    WallBreaker - Blocked all (Prevent WB from application spawning)
    DNSTester - Fail, I've heard TPF can catch this but I haven't figured out how
    Copycat - Blocked
    AWFT - Tiny scored all 10 points by denying app spawning & low level access

    I guess with TPF it's pretty easy to rely on its IDS/sandboxing/process guarding abilities as opposed to true firewall protection.
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi se7engreen,

    happy you find the document interesting :)

    As you may know now, Tiny indeed can block more leaktests than bare personal firewalls because of its sandbox components (API hooking, file access, registry access, file launching, etc...).

    About DNStester, I don't remember if TPF allows you to choose which API to monitor? I know it can monitor API such as VirtualAllocEx needed to inject a thread for instance. If it has such a feature, just monitor the DnsQuery API to block DNStester from calling out.

    I would say that generally, a sandbox software is a very good addition to any personal firewall. Tiny is an "all in one" product.

    regards,

    gkweb.
     
  5. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    Thanks GKW,
    If it's there, they don't make it obvious, but that's a good idea.
     
  6. f123

    f123 Guest

    I like the cache cleaner and ID Lock features of ZA Pro. I'm using Firefox and MyIE2 browsers. Therefore, I disabled ACCESS and SERVER rights for both Windows and Internet Explorer.
     
  7. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    168
    Mine was a three program approach, I have Kaspersky 5 AV, Outpost Pro 2.1 ( tweaked to my system) and Process Guard. Here is how my tests played out:

    pcaudit (Passed)-PG
    pcaudit2 (passed)-PG
    wallbreaker (passed)-PG
    DNS tester (passed thanks to Paranoid's guide on the official OutPost pro forum)-OP
    Toleaky (passed)-OP
    Thermite (passed)-PG
    Yalta (passed)-OP
    AWFT (Outpost 10 AWFT 0)-OP
    Firehole(virus detected did not run)-KAV
    Copycat(virus detected did not run)-KAV
    Ghost (virus detected did not run)-KAV
    outbound- (unable to find packet.dll could not run)
    MB test ( unable to find packet.dll could not run)

    KAV would not even let me download three of the tests, as for the others, what Outpost did not stop Process Guard did. The last two tests I am not sure what the packet.dll missing was about.
     
  8. lonewolf3367

    lonewolf3367 Guest

    Has anyone tested SSM against any of these leaktests? I was just wondering how many it will stop.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I don't get it, I tried all the leaktests available from your site for Win98 SE and here are the results:

    When ZA was in medium mode it almost failed every test, when in High mode with components control it also almost failed every test, but when I turned components control off it passed every test! With passed I mean it will always notify me that an app is trying to connect to the net, and the app didn't manage to do so. So what's up with this component control thing? It actually didn't help a bit.

    Also, what I don't understand is why if I launch an app (IE for example) via let's say LaunchItNow! I will get asked for permission, "will you allow this app to access the internet via Internet Explorer?" (which was the app that was launched). I don't get it, IE wants to connect and I already had permitted that, so why do I get notified?
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    sounds weird, it should be the contrary. Are you sure you have just one firewall installed on your computer? If you have another firewall installed, even if not launched, it can conflict with ZA.
    If not, I would guess a software conflict.

    If I am a malware, and I know that by directly connecting to the Internet I will be seen, then I'll try to hijack a trusted app like IE.
    So if I launch IE with parameters to transmit information, it is better that your firewall warns you that an application is using IE, and asks you if it is allowed to do so or not.

    ZA is just doing its job :)

    regards,

    gkweb.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Hi,

    Thanks for the feedback, now that I think of it, I have installed Kerio and Jetico (not autoloading) but I did not like them, I think ZA is easier to use even though it uses a lot of resources, a lot more than Kerio.

    But anyway, I think I will keep it this way since ZA Pro does seem to work now, who knows what will happen, yesterday I was already testing it out for about 3 hours LOL.

    But about the second question, is it true that if I make LaunchItNow a trusted app, I won't get any questions anymore, if an app wants to access the net via this app?

    And since today when I start up my PC I will get a notification about afpansi.vxd, that it could not be found and maybe an app needs it. I searched for it on Google and I found this: http://www.pestpatrol.com/pestinfo/i/informer.asp

    So is it a trojan or is it maybe related to the leaktests? So far ZA didn't notify me about suspicious apps, but it is strange.
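An added example, not code from the thread or from any product named in it: a small Python detector for the pattern gkweb describes in post 10 (another program launching a trusted browser with a URL that carries parameters), with an optional allow-list of trusted launchers that answers Rasheed187's LaunchItNow question in post 11. The "key=value" event format, the process names and the sample events are constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events (not real log output) in a made-up format:
# parent=<exe> child=<exe> cmd="<command line>"
SAMPLE_EVENTS = [
    'parent=explorer.exe child=iexplore.exe cmd="iexplore.exe http://example.com/"',
    'parent=leaktest.exe child=iexplore.exe cmd="iexplore.exe http://example.com/?id=12345"',
    'parent=launchitnow.exe child=iexplore.exe cmd="iexplore.exe http://example.com/?id=12345"',
    'parent=leaktest.exe child=notepad.exe cmd="notepad.exe readme.txt"',
]

# Browsers a firewall would typically have been told to trust.
BROWSERS = {"iexplore.exe", "firefox.exe"}
EVENT_RE = re.compile(r'parent=(\S+) child=(\S+) cmd="([^"]*)"')


def parse_event(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    parent, child, cmd = m.groups()
    return {"parent": parent.lower(), "child": child.lower(), "cmd": cmd}


def url_with_parameters(cmd):
    """Return the first http(s) URL on the command line whose query string is
    non-empty (i.e. the launch passes data along), else None."""
    for token in cmd.split():
        if token.lower().startswith(("http://", "https://")):
            if urlparse(token).query:
                return token
    return None


def review(lines, trusted_launchers=frozenset()):
    """Flag a trusted browser started by a parent that is not on the allow-list
    with a URL carrying parameters. Anything on trusted_launchers is silenced,
    which is exactly the trade-off of marking a launcher as trusted."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["child"] not in BROWSERS:
            continue
        if ev["parent"] in trusted_launchers:
            continue
        url = url_with_parameters(ev["cmd"])
        if url:
            findings.append((ev["parent"], ev["child"], url))
    return findings
```

Running `review(SAMPLE_EVENTS)` reports both the constructed leaktest.exe and launchitnow.exe launches; adding launchitnow.exe to the trusted set silences the second, which is the behaviour Rasheed187 asks about.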
     
  12. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    all ;)
     
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    How do you make SSM stop DNSTester?
     
  14. tImEwArP

    tImEwArP Guest

    Not sure I understand you Mvdu, I tested Dnstester on my computer with SSM and it stopped it cold. How did you test it with SSM? Please give details on what you did.
     
  15. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Well, it told me that DNStester was opening, but when I let it open and executed it, SSM didn't stop it. Maybe I have to have some app out of the trusted list.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For a fair test, you should tell SSM to allow DNSTester to execute (after all, you aren't going to know what applications are malware in advance so you cannot rely solely on SSM's program execution prompt). DNSTester should not attempt any DLL injection or other process hijackery so whether it works or not should then be up to your firewall...
     