need someone to compare Outpost Pro 2 results (leaktests)

Discussion in 'other firewalls' started by gkweb, Dec 1, 2003.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi there,

    In the past I had to make an effort to find Outpost's highest settings, which is why I want to check my results with someone else who has OPP :)

    Those I want to verify are:

    Thermite : failed
    Copycat : failed
    Wallbreaker : failed
    PCAudit version 2 : failed

    If someone wants to try, the leaktests are available here: http://firewallleaktester.webhop.net

    I need to know the results for AWFT with its "Out of the Box" settings
    (1/10? more?)

    Thanks in advance to those who will give me their results :)
     
  2. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Win2000 SP4 with latest patches
    Outpost Pro Trial 2.0.238

    Thermite - Fail
    CopyCat - Fail
    Wallbreaker - Fail
    PCAudit Version 2 - Fail (despite Outpost opening a dialog box asking for outbound permission for Windows Explorer)... I accepted and denied outbound permission and it failed on both.

    AWFT - 4 points in first 4 tests. AWFT opens up an error dialog box on 5 and 6
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thank you very much :)

    Good, our results are the same.
    (For Copycat, it copies a file exploited.txt to your C:\ directory.)

    For AWFT, OPP gets 10/10 at highest settings.

    Was your AWFT test done with "out of the box" settings?
     
  4. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Heh thanks, was a little hasty in running Copycat the first time and didn't see the directions. Modified my post to reflect the results. And yes, it was at default settings.
     
  5. Wallbreaker

    Wallbreaker Guest

    mmm, don't want to spoil the fun here, but:

    At highest settings, Outpost does pass all the AWFT tests, but there's a caveat though: since some tests use direct exe injection and Outpost can't detect such threats (yet), the 'explorer.exe' file has to be partially restricted regarding its right to call other internet applications, check out this thread: http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=7459

    This provides a makeshift protection against code that might successfully inject itself in the explorer, but at the cost of not being able to use other applications such as Kazaa, eMule,... which explorer MUST be allowed to call for the P2P program to be able to function properly...

    Don't worry however, as Outpost is scheduled to release an upgrade that will provide "real" open process protection against this sort of threat ;) but the release date is as yet unknown..
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hey! You named yourself like my leaktest, I will take you to court, call your lawyer :D

    Thanks for the link, I lost it before.
    Hmm, as I said on my site, results will be available in December 2003 or January 2004, and as you can see, more checks are needed :)
     
  7. Wallbreaker

    Wallbreaker Guest

    Or rather, you named your leaktest like myself ? :D
    I hope U don't reside in the USA, for if you do, then you have a serious chance of winning LOLOL

    More seriously, I have 2 questions :

    1) While we're at it, the first concerns the SECOND Wallbreaker test, which ZA (and possibly LnS, never seen the result) passes - even without process protection, yet Outpost fails even at max security. It is mentioned that this second test calls IE directly, but "in a way not handled by (most) firewalls" - what in heaven do you mean by that? o_O

    2) I tested Pcaudit2 with ZA (the one I'm using for this week...). When Program Control was set to 'medium' (Component Control in 'learning mode'), even with 'process protection' and 'advanced program protection' enabled, firewall failed the test.
    BUT: with Program Control set to 'high', firewall apparently passed it, I got lots of ZA warnings about new OR modified components of EVERY application that was running on my system, trying to access the Net, each question to which I answered 'No'...
    Does this mean that the firewall passed the test ?(logically, I assume so, but I wanted to have the expert's confirmation ;))
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    No, I don't live in the USA; you are lucky, because indeed in the USA you can win on such a silly argument lol

    1)
    For Wallbreaker, I was surprised too when I tested my idea; when I got it, I never thought it could work, it was just in my mind that it "might" work.
    To answer you: as shown in the source code that I provide on my website, the normal way to call a URL from an application (when the user for instance has clicked on the "about" link) is to use the following API in the following manner:

    ShellExecute (0, "open", URL, 0, 0, SW_SHOWNORMAL)

    It's a system call, where you say you want to "open" something; the system then looks at the type of "thing to launch", sees that it's a URL (because of "http://") and launches IE on it.
    => this line is well detected by any firewall.

    My idea was: if a firewall can check the parent which launched the application, could it see the parent of the parent?
    So I tried the following:

    ShellExecute (0, "open", "iexplore.exe", URL, 0, SW_SHOWNORMAL)

    This time I launch IE explicitly, and the URL isn't the main thing launched but a parameter, and thanks to Windows' interpretation, IE is launched without accessing the internet (so WB doesn't have to be seen by firewalls) and it's as if IE then launches the URL itself (maybe creating another thread itself?).

    Regarding the first launch: URL = IE -> URL
    Regarding the second: IE, URL = IE -> IE -> URL

    In fact it should be detected, but it seems that Windows understands what it wants and does as it wants.
    Basically the two API calls are identical, but ask Bill Gates why they aren't ;)

    (Same idea with explorer -> IE -> URL.)

    I saw many firewalls blocking the second test, but not both.


    2)
    Pcaudit v2 is a complex leaktest too, I'm still studying it.
    With ZA I found it failed it (like all other firewalls), but I will do this test again when I have time; I can't test all firewalls at the same time (conflicts between drivers) ;)
    Basically, before doing the test you have to give full access to IE and Explorer,
    allow normal dll/components (just surf as usual and answer yes to questions), and then do the test.
    Even other firewalls capable of component monitoring which passed PCaudit v1 fail v2, so I would be surprised if ZA passes it (as I said, I will test it again).

    I can't answer you from memory, I need to refresh it sometimes :)

    EDIT:
    In this thread we will try to stay focused on Outpost, but for any firewall vendors, the Wallbreaker sources are available on my website, so they can study them.
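
A defender's view of the launch chains described in the post above, as an added example that is not part of the thread or of the Wallbreaker sources: it attributes a browser start to the first untrusted ancestor, looking past trusted intermediaries (the "parent of the parent" question and the explorer -> IE variant). The process records, the TRUSTED set, leaktest.exe and the URL are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # executable name, lower-cased
    cmdline: str

# Constructed process-creation records; all names and the URL are made up.
EVENTS = [
    Proc(4, 0, "system", "system"),
    Proc(500, 4, "explorer.exe", "explorer.exe"),
    Proc(610, 500, "iexplore.exe", "iexplore.exe"),  # user starts the browser
    Proc(700, 500, "leaktest.exe", "leaktest.exe"),  # program with no net permission
    Proc(710, 700, "iexplore.exe", "iexplore.exe http://example.test/?d=x"),
    Proc(720, 700, "explorer.exe", "explorer.exe"),  # trusted intermediary
    Proc(730, 720, "iexplore.exe", "iexplore.exe http://example.test/?d=x"),
]
TRUSTED = {"system", "explorer.exe", "iexplore.exe"}  # assumed rule set
BROWSERS = {"iexplore.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def untrusted_ancestor(pid, table):
    """Follow parent links past trusted processes; return the first untrusted one."""
    seen = set()
    proc = table.get(pid)
    while proc is not None and proc.pid not in seen:
        seen.add(proc.pid)  # guards against a looping parent chain
        parent = table.get(proc.ppid)
        if parent is None:  # parent already exited or was never recorded
            return None
        if parent.image not in TRUSTED:
            return parent
        proc = parent
    return None

def review_browser_launch(pid, events):
    """Return (launcher image, URL argument) for a browser started on behalf
    of an untrusted ancestor, else None."""
    table = {p.pid: p for p in events}
    proc = table.get(pid)
    if proc is None or proc.image not in BROWSERS:
        return None
    launcher = untrusted_ancestor(pid, table)
    if launcher is None:
        return None
    match = URL_RE.search(proc.cmdline)
    return launcher.image, (match.group(0) if match else None)
```

Process IDs are reused on a live system, so a real implementation would also compare creation times before trusting a parent link.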
     