LnS and leak tests

I'm evaluating LnS and I'm very pleased with it so far.

I tried most of the tests at http://www.firewallleaktester.com/tests.php

LnS failed a few of them. Most importantly:

Copycat
DNSTester
PCAudit2
Wallbreaker (tests 1 and 3 (test 4 not applicable))

My tests agree with the website which also says that LnS fails these tests. LnS passes Copycat if I choose a process without internet access, but fails if I choose my web browser. LnS does prompt me sometimes when I run PCAudit2, but as soon as PCAudit2 finds a process on my computer with internet access, there is no prompt from LnS and so the test fails.

I've read some posts by LnS users who say that LnS passes these tests. I don't disagree with them, but it seems to me that there must be a reason for this. Perhaps it's because of (1) their LnS internet rules, app rules, or settings, or (2) because they have installed other software on their computers that pass these leak tests (and makes it seem like LnS is passing the tests).

Personally, I did a clean install of LnS and I'm using the Enhanced ruleset. It seems that LnS does not pass these leak tests with its default settings. I am not currently using any software such as PG or SSM. The details of my settings are at App Filtering not checking grandparent processes? (WallBreaker)

As WSFuser suggested to me in that topic, I intend to start using additional software such as PG or SSM to protect against these leaks. However, since the authors of LnS are trying to pass these leak tests, I think that it's important for me to tell them that it's not working on my computer but that I hope that LnS will pass these leak tests in the future.

Even if I start using software such as PG or SSM, I think that it's important to have layers of protection, so it would be nice if I could trust LnS to pass these leak tests in case my other software fails.

 

Hi,

To pass these tests you need the 2.05p3 version, and you need to activate special beta features.
Information is there:
https://www.wilderssecurity.com/showthread.php?t=98973

This doesn't work if you have a PC with Nx Bit DEP protection.

Frederic

 

Thanks for the link, Frederic. However, I believe that I'm already using 2.05p3 and that I've enabled all of the beta features.

My current settings, driver logs, and Registry settings are in my signature and in:
App Filtering not checking grandparent processes? (WallBreaker)

As far as I know, my Intel p4 CPU from 2002 does not have "Nx Bit DEP protection" (and I've experienced no crashes after I enabled all of the beta features).

Also, in Windows control panel, "System", I'm using the default setting: use DEP for Microsoft's programs but not for any others.

In my boot.ini, I have /NoExecute=OptIn (which perhaps reflects my setting in Windows control panel).

 

Ok, if you don't have DEP then it should work for some leaktests at least.

The 2.05p3 with the activation of the beta features doesn't support WallBreaker, but Copycat/DNSTester/PCAudit2.

To check if it the features are properly enabled, look at the console and ask for the driver logs. Information about that is here:
https://www.wilderssecurity.com/showpost.php?p=311509&postcount=64

Frederic

 

Hi Frederic,

1) Copycat: I have inconsistent results with this. On any given day, LnS fails the copycat tests for a while, but then it suddenly prompts me. I answer "Block Just This Time". After that, LnS passes the copycat tests reliably (until I restart my computer maybe?).

However, after LnS begins to pass the tests, LnS does not prompt me anymore when I re-run the test (even though it blocks internet access). This seems wrong since I chose "just this time".

Also, I always fail Copycat if I specify the PID of Firefox.

2) DNSTester: LnS always fails this on my computer.

3) PCAudit2: During any given test, sometimes LnS prompts me, but nevertheless PCAudit2 always finds a way onto the internet.

Here are my settings and I'd be glad to send you any other settings.

I have enabled "Watch Thread Injection".

In my Registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw1]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:0000000a
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6c,00,6e,00,73,00,66,00,77,00,31,\
00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="lnsfw1"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ActivatedSoon"=dword:00000001
"CheckDNSQ"=dword:00000001
"CheckHSRE"=dword:00000001
"CheckVAEUDTF"=dword:00000001
"IPFragActive"=dword:00000001

In my driver logs:
Look 'n' Stop Version 2.05p3

Driver versions: 4.08 & 3.05
API Driver versions: 3.05 & 4.01
Service Mode.
[13:38:46] Internet Firewall Enabled
[13:38:46] Appli Firewall Enabled
[13:38:47] Computer isn't connected to Internet.
[13:38:47] Watch Failed
[13:38:49] Adapter modified
[13:38:49] Computer connected to Internet on: [...]
[13:38:52] Security Center registration Ok.
Intel(R) PRO/100 M Network Conn - [...]
WAN Miniport (IP) - Look 'n' St - [...]
WAN Miniport (Network Monitor) - [...]
FW:
Driver Entry Win2k/XP
WAN Miniport (Network Monitor) - Look 'n' Stop Driver
WAN Miniport (IP) - Look 'n' Stop Driver
Intel(R) PRO/100 M Network Connection - Look 'n' Stop Driver
FW1:
Driver Entry Win2k/XP.
[...]
FO2_Ok
FO2_2_Ok
[...]
FO4_Ok
FO3_Ok
[...]
FO5_Ok
[...]

 

I have more information.

1) In the driver logs above, it says "Watch Failed". That message is not always in my logs. Since that version of the logs shows F02_OK through F05_OK, it seems that those are independent of the "Watch Failed" message.

2) I have discovered that LnS perfectly and reliably passes the Copycat, DNSTester, and PCAudit2 tests right after a reboot.

The problem, though, is that either after some event or after some amount of random time, LnS eventually fails the three tests.

The strange thing is that after some computer restarts, LnS fails copycat and dnstester first, but doesn't fail pcaudit2 until later. After other restarts, LnS fails only pcaudit2 first, but doesn't fail copycat and dnstester until later. It seems unpredictable.

I've tried so many different ways to reproduce this (including using fast user switching or not) but at this point it seems to be more related to time than to any particular thing that I'm doing.

3) After I run copycat and the DOS box closes, LnS does not prompt me until after I start or stop another app.

4) The LnS prompt for pcaudit2 does not tell me that pcaudit2 is trying to access the internet. Instead LnS tells me the names of all of the other apps that are currently running, one at a time. Since these are trusted apps, I would be easily deceived if this were a real trojan, and I would probably allow the internet access for the trojan.

Maybe LnS could show a different prompt in this situation because it seems that LnS should know that it's asking me to authorize an app that I've already authorized. Besides being safer, this might mean that I wouldn't have to click on all those prompts whenever I test pcaudit2.

 

Since this problem might be very difficult to solve, maybe LnS could offer to write debugging information to a special logfile during beta testing.

There doesn't seem to be enough history in the Driver Logs for this purpose.

By the way, I noticed this in my driver logs, but maybe it's okay:

[...]
UFW:
FW1:
.EXE
[...]

 

Hi Pete99,

Thanks for your report.

Here are some answers.

1.I suppose watch Failed appears only after "Computer isn't connected to Internet" which is normal. If just after you have "Computer connected to Internet on:". It's Ok.

2.This an interesting information. It is possible effectively after some times, some DLLs involved in the leaktest are unloaded and reloaded and Look 'n' Stop detection is no longer there. I will investigate that further.

3.I need to verify that. There is perhaps something special with copycat.

4. Yes, you should allow all standard exe to connect. But at one point Look 'n' Stop should prompt you for a special DLL used by PCAudit2 (something like winLnet.dll if I remember well), this is the special thing to be blocked, to get the test Pass.
Do you have the DLL detection enabled ?

About the logs, difficult to have log files when everything is handled in the drivers. However there are some logs, to be retrieved with Driver Logs button from the Console. Just do it after a test, and you may get some additional information, at least the application that were detected.

Otherwise you may also use DebugView, which can provide special information for these beta drivers when entering the condition of these leaktests.

Regards,

Frederic

 

Yes.

Also, I do not see the names of the leak-test executables in the driver logs a few minutes after LnS failed the tests. Also, I don't know if the following lines help you:

Code:

[1:25:56] 1 message Downlink
[13:06:25] 1 message Downlink
[14:45:53] 1 message Downlink
...
NCF:2115 80
NCF:2115 80
NCF:2115 80
...
SignDiff:C:\SYS\PROCESSGUARD\PROCGUARD.EXE

Actually, after the "downlink" and "NCF"s, there is a line that starts with SignDiff. LnS showed me the name of that executable when I ran pcaudit2. However, the executable's signature had not actually changed on my computer.

I started DebugView and ran the three leak tests (which failed this time) but I didn't receive any output from DebugView. For the filter I specified LnSSvc.exe;looknstop.exe

I also set the filter to the two driver files and ran the leak tests but again there was no output from DebugView.

 

Yes, the leaktest exe don't appear in the driver logs. But some special errors may be displayed when they occur.
However in debugview you should have some special strings, when the detection occured properly. Don't put any filter (normally you should not have a lot of display normally).

In driver the console window when asking for driver logs, there are two parts:
FW:
here are the lnsfw driver log (for the packet filter)
FW1:
here are the lnsfw1 driver log (for the application filtering)

NCF means (No Connection Found) and is in [FW:] part. This is a message from the TCP SPI which means there was no open connection for a packet. At the same you should have an SPI alert in Look 'n' Stop standard log.

SignDiff is not a signature change but a special event in the driver.
No link with the leaktest detection.

Frederic