More on Leak Testing

Discussion in 'other firewalls' started by Diver, Jan 24, 2008.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Down at the bottom of the results page on the well known Matousec site there is a reply from Sunbelt software that slams leak testing.

    The points raised are:

    The game is already lost after malware has executed and nothing on the box can be trusted anyway.

    Pop-up fatigue or as some others call it, lazy click syndrome.

    Reliance on simulator programs produces tests designed around the limitations of the simulator programs.

    I believe it is important to question the value of leak testing, as software firewalls have almost no value to the desktop computer behind a router user other than outbound control.

    Matousec leak tests HIPS programs, some of which are not monitoring network connections. I don't know how valid this is as it can be argued that simply running LUA/SRP will stop all leaks. After all, with LUA/SRP the user can write only to areas from which no file may be executed. This prevents accidental infections. IMO, there is no foolproof automated way to prevent infection by intentionally executing malware with administrative rights that is not in the user's AV signature database. It's possible to improve the odds with behavior based detection, but this is relatively new and untested. I don't consider HIPS to be automated.

    All of this makes me wonder what is an improvement. A program like Comodo 3 has a powerful HIPS but suffers from pop-up fatigue. Once any firewall starts to alert the user about events that are not network related pop-up fatigue sets in. Moreover, any firewall (or other security utility) that is not quiet produces the same bad result as an AV false alarm. In an office someone has to stop working and call the help desk.

    My thoughts for the morning. I would be out diving but for the rain here in paradise.
     
  2. tlu

    tlu Guest

    Well, this issue has been discussed in this forum in various threads before. IMHO, outbound control and leak testing are not that important if you practice safe computing, i.e.
    • only install trustworthy, well-known applications from trustworthy, well-known websites
    • keep your OS always updated (do NOT disable automatic updates!)
    • keep your applications always updated
    • do NOT use any software cracks (which are mostly contaminated with trojans)
    • disable ActiveX in Internet Explorer and - even better -
    • replace IE with Firefox or Opera and Outlook Express with, e.g., Thunderbird
    • do NOT execute any software/mail attachments you don't know
    • use an anti-virus software
    • use a limited user account that makes your computer much more secure.
    While I'm a convinced advocate of using a limited user account (see above), there are still some autostart areas left where malware that doesn't need admin rights can install itself if you, e.g., execute an infected mail attachment by accident - see post #25 in this thread. It's true that you are well protected against most types of malware, but this protection is not 100% waterproof. BTW: What do you mean by "areas from which no file may be executed"? Files may be executed from anywhere where you have write permission, e.g. from your temp folder.

    Strange - CPF 3 works very well for me. I'm using the default settings, and I'm getting fewer pop-ups than with most other firewalls/HIPS.
     
  3. Diver

    Diver Registered Member

    tlu,

    This may have been discussed before, but available alternatives keep changing.

    With Software Restriction Policy a limited user may write to certain areas, but may not execute any program in the areas where the limited user may write. The exception is shortcuts, if so created, and usually needed.

    While it is possible to write to certain autostart locations, the malware will not be able to execute in the first place if it has not been moved to an area where user execution is allowed. To make such a move requires administrative privileges. However, it would be correct to say that LUA alone is not enough.

    Check this out for an explanation of SRP,

    http://www.mechbgon.com/srp/
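    The SRP model described above only holds if every path the policy marks "Unrestricted" is one a limited user cannot write to. The following script is an added example, not code from the thread or from the mechbgon guide: it reads the machine-wide SRP path rules from the documented registry location, expands each rule's path, and flags any directory under an Unrestricted rule that a standard user could write to. It assumes Windows PowerShell 5.1 (for the `-Depth` parameter) and the standard `Safer\CodeIdentifiers` registry layout; the list of "standard user" principals and the write-permission mask are the script's own choices.

```powershell
# Added example: audit SRP path rules for user-writable "Unrestricted" directories.
# Assumes Windows PowerShell 5.1 and the documented SRP registry layout.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them (decimal key names under CodeIdentifiers)
$Levels = @{ 0 = 'Disallowed'; 4096 = 'BasicUser'; 262144 = 'Unrestricted' }

# Principals treated as "any limited user" (assumption of this script)
$UserPrincipals = @('BUILTIN\Users', 'Everyone',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Being able to create files or directories is enough to plant an executable;
# Modify and FullControl include these bits as well.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Expand-SrpPath([string]$ItemData) {
    # Default SRP rules reference registry values, e.g.
    # %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    if ($ItemData -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive  = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $key   = "$hive\$($Matches[2])"
        $name  = $Matches[3]
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value) { return ($value + $Matches[4]) }
        return $ItemData
    }
    # Ordinary rules use environment variables such as %ProgramFiles%
    return [Environment]::ExpandEnvironmentVariables($ItemData)
}

function Get-SrpPathRules {
    # Rules live under CodeIdentifiers\<level>\Paths\{GUID} with an ItemData value
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = [int]$levelKey.PSChildName
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $rule.PSPath
            if (-not $props.ItemData) { continue }
            [pscustomobject]@{
                Level   = $Levels[$level]
                RawPath = $props.ItemData
                Path    = Expand-SrpPath $props.ItemData
            }
        }
    }
}

function Test-UserWritable([string]$Dir) {
    # Simplified check: any Allow ACE for a standard-user principal that grants
    # CreateFiles or CreateDirectories. Deny ACEs and inherited-only ACEs are
    # not evaluated, so treat a hit as "investigate", not proof.
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($UserPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) { return $true }
    }
    return $false
}

# --- Report -----------------------------------------------------------------
$DefaultLevel = (Get-ItemProperty -Path $SaferRoot -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
if ($null -eq $DefaultLevel) {
    'SRP is not configured on this machine (no DefaultLevel); everything is allowed to run.'
} else {
    "SRP default level: $($Levels[[int]$DefaultLevel]) ($DefaultLevel)"
}

$Rules = Get-SrpPathRules
$Rules | Format-Table Level, RawPath, Path -AutoSize

foreach ($r in ($Rules | Where-Object { $_.Level -eq 'Unrestricted' })) {
    if (-not (Test-Path -LiteralPath $r.Path -PathType Container)) { continue }
    # Check the rule's root and a few levels of subdirectories; Depth keeps it fast
    $dirs = @(Get-Item -LiteralPath $r.Path) +
            @(Get-ChildItem -LiteralPath $r.Path -Directory -Recurse -Depth 2 -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        try {
            if (Test-UserWritable $d.FullName) {
                "USER-WRITABLE under Unrestricted rule '$($r.RawPath)': $($d.FullName)"
            }
        } catch { }   # directories we cannot read are skipped
    }
}
```

Run it from an elevated prompt on a machine where SRP is enabled with a default level of Disallowed. Each reported directory is a place where a limited user could drop a file and still have it covered by an allow rule; with the default %SystemRoot% rule this typically includes locations such as %SystemRoot%\Temp, which is why hardened SRP setups add explicit Disallowed rules for such subfolders. The user-shortcut exception mentioned above is a separate matter: it is governed by the policy's designated file types, not by path rules.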
     
  4. tlu

    tlu Guest

    I'm aware of SRP and I know the really good link provided by you. However, I'm afraid that most Windows users with versions where SRP is not applicable don't benefit. (I'm using XP Pro and Vista Ultimate but must confess that I haven't implemented SRP yet.)
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Neither classical HIPS nor SRP are for ordinary users.

    IMO best is to have a simple FW combined with a behaviour blocker like TF (in a single package). I wonder why there is no FW like this except ZAP to some extent.
     