LnS didn't detect updated program

Discussion in 'LnS English Forum' started by Martin Aston, Jun 14, 2004.

Thread Status:
Not open for further replies.
  1. Martin Aston

    Martin Aston Guest

    I just updated WinMX. After almost two years without news development has finally started again.
    The strange thing is that LnS didn't warn about the new version (updated .exe). That usually works without a problem, why not now? The .exe doesn't even have the same size as the previous version, but LnS doesn't sound the alarm bell.
     
  2. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    This is a known issue! It also happens on my system when updating Opera to a new version.

    Thomas :)
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
  4. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Hi gkweb,

    Did you see this thread:
    https://www.wilderssecurity.com/showthread.php?t=7579

    While reading again this old thread I realized that it is not exactely the same issue... My apologies :doubt:

    Well, I will post some more information tomorrow, but the European Soccer cup will continue in 2 hours with Germany vs. The Netherlands!! This is a "Must see" :D

    Regards,
    Thomas :)
     
    Last edited: Jun 15, 2004
  5. Martin Aston

    Martin Aston Guest


    No, application filtering was and is enabled. It normally works fine (I suppose). However, after updating to the latest WinMX beta version, LnS failed to detect it yet again (two different, new WinMX versions in a row).
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    if you "suppose", may be it would be a help to be sure.
    For instance, if you remove IE from your list and that you launch it again, does Look'n'Stop asks you ?

    If yes, then I don't know what does it mean, may be you can try to write to Look'n'Stop at this address : lnssupport@soft4ever.com

    regards,

    gkweb.
     
  7. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Martin Aston,
    Did the update replace the previous *.exe file, or do you have now 2 parallel installations of WinMX on your system? I am asking, because I installed a parallel version of Opera on my computer and then I could run both Opera.exe files with the same one application rule in LnS 2.04

    Thomas :)
     
  8. Martin Aston

    Martin Aston Guest

    The exe file has been replaced.
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    if you want help from Look'n'Stop directly, write to the email address I have given above.

    sorry to not be able to help you.

    regards,

    gkweb.
     
  10. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Bad news:

    Using Win2k-SP4 and Lns2.05 I updated Opera (from Opera 7.51 to 7.52).

    I checked the file Opera.exe has a new date/time indicating it was replaced during the update!

    However, LnS application filtering did not alert me of the modified Opera.exe when starting the new version!

    Before we discuss how much time Frederic should spend to implement full P2P support, the priority should be given to optimize the basal features of this firewall!

    Thomas
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi Thomas,

    a file date means nearly nothing :)

    but a MD5 fingerprint means a lot more, can you do a MD5 of the executable before the update, and another one after the update, and compare them ?
    (you can use Cryptosuite for that or DigestIT 2004).

    regards,

    gkweb.
     
  12. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    gkweb,
    This is good news, so maybe the MD-5 fingerprint might be still the same. I will try to post the result as soon as I can. Unfortunately I am very busy until next Wednesday.

    Is there maybe someone else out there using Opera, how can send the old Opera.exe to me (of course I do not have a backup of the old version...)

    Thomas :)
     
  13. Martin Aston

    Martin Aston Guest

    I just checked the MD5 fingerprint for the old and new WinMX version. They are not the same.
    f8eb7d9123ece160815edf919ba2c5cc
    e46e2e6c48b4443e7be26ca5bc3a8111

    and LnS never does anything. Not when replacing the old with the new or vice versa.
     
  14. WYBaugh

    WYBaugh Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    122
    Location:
    Florida
    I've had the same issue when updating some programs. Most recently when updating FastSubmit and SpywareBlaster. Neither were recognized as existing but new programs.

    Bill
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    I think that they would like to be informed directly.
    Can you send them couple of executables of both version (before/after update)
    for analyse ?

    Zip them, but if it's too big, upload them on your webspace and send them the link by email.

    email : lnssupport@soft4ever.com

    regards,

    gkweb.
     
  16. jebstuart

    jebstuart Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    6
    Location:
    Russia
    I have been experiencing the same problem. Today I updated my Opera from 7.52 to 7.53. No reaction from LnS! :-(
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    The reason for LnS not always detecting updated programs is because LnS only uses a 32-bit signature of the file (probably a simple checksum). This is way too small to avoid collisions (ie. different apps producing the same signature).

    A much better option would be to use either Message Digest 5 (MD5 - a 128-bit signature, although this has been proven to have collisions sometimes) or the best option would be to use the Secure Hashing Algorithm (SHA-2 - this has 256-bit, 384-bit and 512-bit versions of the algorithm). The 256-bit SHA-2 algorithm should be sufficient.

    Check out www.codeproject.com/tools/keepass.asp for a bit more info and also source code.

    This would solve the problem of LnS not always detecting updated programs, and it would be very easy to implement.
     
  18. Martin Aston

    Martin Aston Guest

    Is that all that's wrong? Sounds like it's time for an update to LnS then.
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I think above all it's time to _wait_ an official answer about the real problem, I don't even know how anyone can know what algorithm LNS uses, personally I don't know.
     
  20. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Admittedly I don't know exactly what algorithm is used in LnS, but if you look in the registry then only 32-bit DWORD values (the signature) are stored for each app. I do know for a fact that this is not large enough to avoid collisions in the signatures. The solution is simple as stated in my previous post.

    However, it would be nice to have an official response on the matter.
     
  21. jebstuart

    jebstuart Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    6
    Location:
    Russia
    If LnS can not detect a changed application, it's a lousy fire wall. I'll return to the good ole' ZoneAlarm.
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Use the firewall you want, no need to tell us.

    @others
    I have sent an email to Frederic, hope he will come soon with an explanation.

    regards,

    gkweb.
     
  23. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Frederic hesitates to implement strong checksum like MD5 because it may have an impact on the System & Internet Performance.
     
  24. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    With the speed of todays CPU's it really shouldn't be a problem. While the old hashing method may be faster, what's the point in having a feature that does not detect ALL file modifications ?! It nullifies the whole point of having it in the first place. I would rather have a slower (not by much), more secure method that detected all changes.

    I have another suggestion to make: Do not just store the signatures in the registry without some way of verifying them. The reason, a malicious app could search for the relevant registry key and add another entry for itself along with signature. Or, it could change one of the current entries and substitute it's own signature. Both these methods would possibly allow the app access to the internet with no questions asked, if there are not already checks in place.

    There may already be checks like this in LnS but I haven't checked, hence the suggestion. I only want LnS to become even more secure than it already is.
     
  25. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    to have an option to have the choice between MD5 and SHA-1 would be nice :)
    I don't think SHA-256 or SHA-512 would be relevant, it's "too much" I think.
    For now all the cheksums are handled by Process Guard that I use (MD5).

    regards,

    gkweb.
     
    Last edited: Jul 22, 2004
Thread Status:
Not open for further replies.