New Beta Driver addressing additional vulnerabilities/Leaktests.

Discussion in 'LnS English Forum' started by Frederic, Nov 12, 2004.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Yes, this is strange, protocol filtering is not involved in this process.
    Did you activate DLL detection? And the ActivatedSoon flag is also important.

    Frederic
     
  2. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I followed Frederic's directions to the letter, but I get this whenever launching Look 'n' Stop upon boot:

    This is on WinXP Pro SP-2, with LNS 2.05p2.


    Edit: Never mind, I had done something stupid. (I had the driver disabled in Device Manager, for other reasons... and forgot!)
     
    Last edited: Nov 14, 2004
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Are you sure the file c:\winnt\system32\drivers\lnsfw1.sys is there?
    What happens if you go back to the official lnsfw1.sys file?
    If you never used the ActivatedSoon flag before, there is perhaps a problem with this mode on your system and the driver gets unloaded.

    Frederic
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Very sorry, Frederic--I edited my post after realizing I had caused my own problem. (I had the driver disabled in order to diagnose some problems I've been emailing you about.)
     
  5. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    No problem. I prefer that instead of a real issue ;)

    Frederic
     
    Last edited: Nov 14, 2004
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    This argument doesn't make much sense to me. I am not aware of all attack methods used by trojans. But if there is a proven way to obtain outbound communication, that means a trojan could use that method. Why wait until the leak is actually used by a trojan before addressing the problem by way of catch-up?

    If you know the lock on your front door fails if you wiggle it just right, you fix it, even if you don't yet know of any burglars who have gained entry using that method. Right?
     
  7. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    But is that what is happening with LnS? I think that the leaktests show what is out there on the market nowadays. And if a firewall can stop those I am quite satisfied. Aren't you?
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Are you addressing me? If so, please understand that my message was intended to support, not criticize, what Frederic is doing with LNS with this beta driver. I do want my firewall to block all known leak methods.

    Even if a trojan doesn't use one of the known leak methods, some other crapware may (be it spyware or something else).

    LNS is the market leader for outbound protection. And outbound protection is all I use LNS for, since I have a hardware firewall. If someone has other priorities, maybe they should use something else.
     
  9. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    I guess I misunderstood you. Sorry for that! Maybe it's handy that we know where we all come from... I'm from Holland, so English is not my native language...
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Frederic, I did not mean to block and not log. I meant to log what is blocked and not notify the user. For example, L 'n' S did not notify me when PCAudit2 was blocked and as far as I can see it was not logged.

    The adapter that is probably causing my problems with the driver logs is my LinkSys Wireless - G PCI Adapter (WMP54G)

    Before you fixed the problem with the WUSB54G adapter my computer was being forced to reboot as soon as Windows loaded, but only when I was using the software that came with my adapter. If I used Windows Wireless Zero or another WiFi program instead of the software that came with my adapter I did not have the problem. I think it has something to do with the LinkSys Wireless Network Monitor. The version that came with my PCI adapter is v4.0. If you like I can send you a copy of the software that came with it and you can make a fix, or I can send you any logs you want.

    I am using the LinkSys Wireless Network Monitor now since L 'n' S does not cause me to reboot and the Internet Filtering seems to be working just fine. Windows Wireless Zero makes my connection dc after an hour of being online. Also, I get this error in my drivers logs:

    WSA Error: 10038
     
  11. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    You seem to get all kinds of weird things that I haven't seen, using LnS for a couple of days :)
     
  12. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Thanks Frederic. Installed with no problems, and it's passing those three tests.
     
  13. phaedrus

    phaedrus Registered Member

    Joined:
    Aug 18, 2002
    Posts:
    95
    Edited. Asked a question that was already answered here. Should have read the whole thread first :oops:

    Trev.
     
    Last edited: Nov 14, 2004
  14. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Hey phaedrus,

    See the first post in this thread by Frederic for installation instructions. The only difference if installing on XP is that the following line

    2- unzip the new driver into c:\winnt\system32\drivers

    should read

    2- unzip the new driver into c:\windows\system32\drivers
     
  15. phaedrus

    phaedrus Registered Member

    Joined:
    Aug 18, 2002
    Posts:
    95
    Thanks defen :) Picked it up after I posted sorry.

    Cheers,

    Trev.
     
  16. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi AJohn,
    I did not mean to block and not log; my suggestion was to block and log silently any new unknown application or DLL.
    At this time for PCAudit2, there is no other solution, since the DLL name is different each time.
    Thanks, but I don't think I will investigate further very soon, since I already spent a long time on it, and finally there is a workaround to avoid the crash (but there is still an error message in the driver logs).
    This error is displayed by Look 'n' Stop when a call to gethostname fails.
    WSAENOTSOCK

    Error Number: 10038

    Socket operation on non-socket.

    An operation was attempted on something that is not a socket.
    Either the socket handle parameter did not reference a valid
    socket, or for select, a member of an fd_set was not valid.
    I don't know why you are getting this error.
    Did you block Look 'n' Stop from connecting to the internet in the application filtering?
    Maybe it is a side effect of "Watch DNS Call" or the new CheckDNSQ flag.

    Frederic
     
  17. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I don't understand why you couldn't log failed DLL injection attempts. The DLL name is different every time, but couldn't it still be logged that something attempted to inject its DLL into x program(s)?
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    I thought your request was related to not notifying the user with a dialog box.
    So I just answered this part, because it is not the way it is working right now.

    Yes, it would be possible to log all failed DLL attempts (injection or normal).
    This is already possible when the DLLs are known by Look 'n' Stop.

    For new DLLs, the above point needs to be addressed first.
    Or are you asking, for new DLLs, to notify the user and then to log if the user answered "Block the request"? (This would be another request.)

    Frederic
     
  19. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Well I just thought you could make L 'n' S log all of the attempts programs like PCAudit2 make. What if a program was running in the background and tried to inject a DLL into something and failed? I could have no idea that I had such a program on my computer. Maybe log all failed DLL injection attempts and maybe even make a balloon popup for X amount of time to go along with it.

    I like to be notified, but when I tested PCAudit2 it failed but L 'n' S did not notify me that anything was going on. If it weren't for PCAudit2 having a screen that tells me what is going on I would have no clue anything has happened.

    Did I explain a little better this time?
     
  20. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I'd like this option as well. If you have a balloon pop-up, then make it optional.
     
  21. birdie

    birdie Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    8
    Hi Frederic,

    Everything works now. You were right, it had nothing to do with the protocol filtering. I had strange behavior, because of the application filtering problem. Since I reinstalled and applied the LnSRegPatch everything works fine. With all the regflags enabled as instructed, "Watch DNS call" and "protocol filtering" disabled and all others enabled, all 3 leaktests worked. I even tried the wallbreaker test and that one also passed! :cool:
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    There is probably something you are setting up wrong birdie. I have tested them and L 'n' S stops everything it claims to.

    Make sure that you:

    1- rename C:\WINDOWS\system32\drivers\lnsfw1.sys to lnsfw1.old
    2- unzip the new driver into C:\WINDOWS\system32\drivers

    Here is a picture of my registry to show you what it should look like:
     

    Attached Files:

    • adsf.JPG (File size: 47.7 KB, Views: 1,444)
    Last edited: Nov 15, 2004
  23. birdie

    birdie Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    8
    Thanx for your reply AJohn, but I don't understand what you mean. Everything is working fine here now, all tests were blocked. :)
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Ohh ok. I thought you were saying you couldn't get them to work. Well at least people who are having trouble can look at my picture.
     
  25. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Hey AJohn, how come the Registry folder tree is partially blanked out in your screenshot ? Is this deliberate ? Is it because you've got a lot of porn installed on your system ? :D
     