New Beta Driver addressing additional vulnerabilities/Leaktests.

Discussion in 'LnS English Forum' started by Frederic, Nov 12, 2004.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi All,

    Here is a new beta driver supposed to detect vulnerabilities demonstrated by PCAudit2, DNSTester and Copycat leaktests.

    Please note this is an experimental driver, no guarantee it will work (even though it was successfully tested on different computers), not sure that the way of detection will be the final one, and not sure it will work with future updates of Windows.
    At this time, only Windows 2000-SP4 and Windows XP-SP2 are supported. The new detection should not work on other versions of Windows (but the new driver should not crash anyway).

    This is a beta version, so crashes may happen. If your PC configuration is critical, it is better not to use the new driver immediately (even if normally coming back to the official lnsfw1.sys driver should solve any issue).
    It is also possible that some slowness appears, but this is not sure yet; detecting such possible problems is the purpose of these beta tests.

    This new driver is available here:
    http://looknstop.soft4ever.com/Beta/lnsfw1/LNSFW1-d2.zip

    To install it:
    1- rename c:\winnt\system32\drivers\lnsfw1.sys to lnsfw1.old
    2- unzip the new driver into c:\winnt\system32\drivers
    3- To activate the new detection the following registry entries are required:
    Inside the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw1] add:
    "CheckDNSQ"=dword:00000001 => for Dnstester type detection
    "CheckHSRE"=dword:00000001 => for PCAudit type detection
    "CheckVAEUDTF"=dword:00000001 => for Copycat type detection
    You also need to activate the feature "Watch thread injection" in advanced options of Look 'n' Stop.
    On the other hand the feature "Watch DNS call" can be disabled (normally CheckDNSQ flag is supposed to replace it).
    4- reboot

    To improve the detection of PCAudit2, it may be required to also activate the following key (this key already exists since several versions, as a hidden feature):
    "ActivatedSoon"=dword:00000001

    In case of a big issue with the new driver, just come back to the official lnsfw1.sys (saved at step 1)
    In case of small trouble, you can deactivate one or several new detection flags (just set the value to 0 instead of 1).

    To report bugs and problems:
    - in case of crash => send us DrWatson Log or Minidumps (for BSOD)
    - in case of non-detection => send us the Look 'n' Stop console Window content after having pressed the "Driver Logs" button

    Thanks in advance to anyone that will take some time to test this new driver.

    Regards,

    Frederic
     
    Last edited: Sep 24, 2005
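    The install, flag and rollback steps from the post above, scripted for PowerShell. This is an added example, not code from Look 'n' Stop or its developer. Assumptions not in the original post: the zip has already been downloaded to $ZipPath, the drivers directory is derived from $env:SystemRoot (the post writes c:\winnt, the Windows 2000 default), and the host runs PowerShell 5 or later (for Expand-Archive). The registry flag names and their meanings are taken verbatim from the post.

```powershell
# Added example, not code from Look 'n' Stop or its developer. Scripts the four
# install steps from the post (rename, unzip, registry flags, reboot reminder)
# and the rollback the post describes for a "big issue".
# Assumptions not in the original: the zip was already downloaded to $ZipPath,
# the drivers directory is taken from $env:SystemRoot (the post uses c:\winnt,
# the Windows 2000 default), and the host runs PowerShell 5+ (Expand-Archive).
param(
    [string]$ZipPath = "$env:USERPROFILE\Downloads\LNSFW1-d2.zip",  # assumed location
    [switch]$EnableActivatedSoon,   # hidden flag the post says may help PCAudit2 detection
    [switch]$Rollback               # restore the official lnsfw1.sys saved at step 1
)

$DriverDir  = Join-Path $env:SystemRoot 'system32\drivers'
$DriverSys  = Join-Path $DriverDir 'lnsfw1.sys'
$DriverOld  = Join-Path $DriverDir 'lnsfw1.old'
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lnsfw1'

# Flag names and meanings are exactly those given in the post.
$Flags = [ordered]@{
    CheckDNSQ    = 'DNSTester-type detection'
    CheckHSRE    = 'PCAudit-type detection'
    CheckVAEUDTF = 'Copycat-type detection'
}

function Assert-Admin {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
}

function Set-DetectionFlag([string]$Name, [int]$Value) {
    # DWORD 1 enables a detection, 0 disables it (the post's "small trouble" knob).
    New-ItemProperty -Path $ServiceKey -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Show-DetectionFlags {
    # Read-back check: shows what the driver will see after the reboot.
    $props = Get-ItemProperty -Path $ServiceKey
    foreach ($name in @($Flags.Keys) + 'ActivatedSoon') {
        $val = if ($null -ne $props.$name) { $props.$name } else { '(absent)' }
        Write-Host ("{0,-14} {1}" -f $name, $val)
    }
}

function Install-BetaDriver {
    Assert-Admin
    if (-not (Test-Path $ZipPath))   { throw "Beta zip not found: $ZipPath" }
    if (-not (Test-Path $DriverSys)) { throw "Official driver not found: $DriverSys" }
    if (Test-Path $DriverOld)        { throw "$DriverOld already exists; not overwriting the backup." }

    # Step 1: keep the official driver so the rollback is always possible.
    Rename-Item -Path $DriverSys -NewName 'lnsfw1.old'

    # Step 2: unpack the beta driver into the drivers directory.
    Expand-Archive -Path $ZipPath -DestinationPath $DriverDir -Force
    if (-not (Test-Path $DriverSys)) {
        Rename-Item -Path $DriverOld -NewName 'lnsfw1.sys'   # undo step 1
        throw 'Archive did not contain lnsfw1.sys; official driver restored.'
    }

    # Step 3: enable the three new detection flags (and optionally ActivatedSoon).
    foreach ($name in $Flags.Keys) { Set-DetectionFlag $name 1 }
    if ($EnableActivatedSoon) { Set-DetectionFlag 'ActivatedSoon' 1 }

    Write-Host 'Enable "Watch thread injection" in Look ''n'' Stop advanced options, then reboot (step 4).'
}

function Restore-OfficialDriver {
    Assert-Admin
    if (-not (Test-Path $DriverOld)) { throw "No backup found at $DriverOld" }
    # Clear the three beta-only flags; ActivatedSoon is left alone because the
    # post says it already exists in official versions as a hidden feature.
    foreach ($name in $Flags.Keys) {
        Remove-ItemProperty -Path $ServiceKey -Name $name -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $DriverSys -Force
    Rename-Item -Path $DriverOld -NewName 'lnsfw1.sys'
    Write-Host 'Official lnsfw1.sys restored; reboot to load it.'
}

if ($Rollback) { Restore-OfficialDriver } else { Install-BetaDriver }
Show-DetectionFlags
```

    Run it elevated as `.\lnsfw1-beta.ps1 -EnableActivatedSoon` to install, and `.\lnsfw1-beta.ps1 -Rollback` to return to the official driver. The script refuses to overwrite an existing lnsfw1.old so the backup from a previous run is never lost, and the read-back at the end is the check worth doing before rebooting: a flag that shows as "(absent)" means the corresponding detection will not be active.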
  2. nv 25

    nv 25 Guest

    wonderful news!
    it works fine (neither crashes nor slowness)... now PCAudit2, DNSTester and Copycat leaktests are memories of the past!
    it sounds good!
    :)
     
  3. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Same here - no problems

    Win2ksp4

    Ruben
     
  4. Edwin024

    Edwin024 Guest

    I've done all the things too but PCAudit still leaks through...

    WinXP pro with SP2 and the sp2 from LNS too.
     
  5. <>..<>

    <>..<> Guest

    Who cares if you pass these leaktests or not, besides having bragging rights & LNS using them as a marketing ploy - they're a total waste of time. LNS should focus on more important things IMHO that have been brought up in the past. https://www.wilderssecurity.com/showthread.php?t=10712
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Edwin024,

    Could you confirm:
    - the DLL detection is enabled (PCAudit2 tries to connect through a DLL with a filename which looks like a system one)
    - you put the ActivatedSoon flag in the registry

    Thanks,

    Frederic
     
  7. nv 25

    nv 25 Guest

    To succeed in overcoming these vulnerabilities is, for ME, very important... in fact, Copycat simulates direct code injection into a web browser like some true trojan.
    Then, if LNS uses this goal as a marketing ploy, where is the problem?... the same occurs on the Agnitum Outpost home page... (see also http://agnitum.net/22e18df1136a5dad0236026c94bb41bb/download/OFPvsLeakTests.pdf
    ).
    Finally, whether the LnS developers' effort should focus only on these things is another discussion.

    Sorry for my english !
     
  8. <>..<>

    <>..<> Guest

    How many trojans out there do you know of actually use the methods shown by this leaktest or any of the others?


    The problem is that LNS could be using the time on more productive things such as working on the many suggestions in the thread I linked to above. Instead they have been put on the back burner so that LNS can say that they can handle leaktests. :(
     
  9. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Good job Frederic. Works fine on my PC. I am running Win XP SP2.
     
  10. Edwin024

    Edwin024 Guest

    I have the DLL detection enabled and the ActivatedSoon is in the registry where the other three dwords are. Is that good or not?
     
  11. Edwin024

    Edwin024 Guest

    I have tried it again and I now see what happens. If you don't watch out you say yes to DLLs which are malicious. In the case of PCAudit2 it brings up an LNS screen which asks, in my case, if I want to give an AnyDVD DLL permission to talk. And in that there is a third line about PCAudit2.

    What I find strange is that after that all other programs come up too to ask for dll authorization.

    Is this how PCAudit2 kind of leaks behave?

    And to <<..>>: I don't care per se. But if LNS stops these leaktests then it's probably also stopping attacks, isn't it?

    Furthermore I agree that LNS could bring some more info in their system. Maybe something for LNS 3.0?

    I now have bought LNS and enjoy it. It's small and it seems to be doing what a firewall should do. I don't need all the bells and whistles of Outpost and such, I guess. Other programs can do the job. I now have LNS, NOD32 and Ewido.
     
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Currently the only things I know of getting by L 'n' S are tests 1,3 and 4 of Wallbreaker v4.0
     
  13. Edwin024

    Edwin024 Guest

    And that makes LNS the best firewall, I think. All the others let more things go through, isn't it?
     
  14. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I would not say it is the "best", but maybe would say it has the best application control. Frederic has probably been putting a lot of time into it since L 'n' S is the only one to stop Copycat out of 7 other companies listed at firewallleaktester.com and probably out of a lot more companies that are not listed.
     
  15. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I named it the best because of its overall impression, more leaktest proof, low on CPU. Outpost is, I guess, better, but also far heavier on the CPU and not so good as LNS when it comes to leaks.
     
  16. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I do not consider Outpost better, but that is me. If I had to choose one firewall, I would choose L 'n' S, but I don't and I can use combinations :D
     
  17. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes this is normal, PCAudit2 tries to inject the connecting DLL in all programs, until it works for one of them (and Look 'n' Stop indicates first that a program is connecting before asking for the DLL).
    However, this is not specific to this kind of leak, this is specific to PCAudit2. Another trojan can choose to make only one attempt in a particular program (for instance in iexplore.exe only).

    Frederic
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Hey Frederic, do you think you could make L 'n' S log the attempts that do not notify the user?

    Also this is from my Driver logs:

    FW:
    OID KO1!
    OID KO1!
    FW1:
    FW:
    OID KO1!
    OID KO1!
    OID KO1!
    OID KO1!
    OID KO1!
    OID KO1!
    OID KO1!
    OID KO1!
    FW1:
    FW:
    FW1:
    FW:
    OID KO1!
    OID KO1!
    FW1:


    What is OID KO1!?
     
  19. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    And how many online scanners, or incoming threats, or only demo do you know of passing Look 'n' Stop (and other firewalls) ?

    For me there are three levels of vulnerability:
    1. A known method used by real trojans or incoming packets
    2. A known method only demonstrated by Leaktests or Online scans
    3. Unknown/hypothetic methods not yet demonstrated

    It is normal to address the problems in the order 1, 2, 3.

    Let's take one of the suggestions discussed on the link above: UDP/ICMP SPI (and anyway many suggestions are about better log, GUI improvements,... I don't discard them but this is not the discussion here).
    As soon as evidence shows that a UDP or ICMP pseudo-Stateful Packet Inspection feature is able to block a method that is in category 2, this will become a priority.
    But at this time, except if someone brings to me a demo program or scanner, this kind of feature blocks hypothetic threats.

    I understand that for network gurus it is interesting to get all anomalies about the incoming traffic, but as long as these anomalies are not linked to a vulnerability, this is not a priority (this doesn't mean Look 'n' Stop will never be improved in this area).

    Frederic
     
  20. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    This all sounds very plausible!
     
  21. nv 25

    nv 25 Guest

    thank you again for your effort, Frederic :)

    ... a fan of L'n'S :)

    Only a thing again: does SPI architecture incorporated in L'n'S act also like IDS?
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    OID KO1!
    ?
     
  23. birdie

    birdie Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    8
    Hi Frederic,
    Compliments for your great product!
    I applied the instructions in the topic, but the pcaudit2 test reports that my pc leaks.

    I´m using 2.05p2 w/ the new beta dll and the flags added to the registry.
     
  24. birdie

    birdie Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    8
    Hmm, strange. I activated protocol filtering, restarted and now it works.
     
  25. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Normally if you play with the log attributes (! column, or log column in DLLs settings) this is possible for already known programs and DLLs.
    However since PCAudit2 creates a new DLL name each time it is used, it is not possible for this case to log without prompting the user.
    Perhaps in a future version, we will add a special mode to block & log without notifying for any new application & DLL that tries to connect. But this is dangerous because you may block normal activity.

    This is an error occurring in the Packet Filter driver indicating there is a memory access problem during an OID request/response (I let you search on the Internet what an OID request is :).
    I noticed this problem with the linksys WUSB54G wifi adapter, and I added a specific code to avoid a crash in the Look 'n' Stop driver.
    Not sure where the problem is exactly (Lns or other), but so far, I've seen this issue only with this adapter.
    What are your network adapters ? (not only the one you are filtering, the problem can occur also for non-filtered adapters).

    Frederic
     