New Beta Driver addressing additional vulnerabilities/Leaktests.

Discussion in 'LnS English Forum' started by Frederic, Nov 12, 2004.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, this is strange, protocol filtering is not involved in this process.
    Did you activate DLL detection ? and the ActivatedSoon flag is also important.

    Frederic
     
  2. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,213
    I followed Frederic's directions to the letter, but I get this whenever launching Look 'n' Stop upon boot:

    This is on WinXP Pro SP-2, with LNS 2.05p2.


    Edit: Never mind, I had done something stupid. (I had the driver disabled in Device Manager, for other reasons... and forgot!)
     
    Last edited: Nov 14, 2004
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Are you sure the file c:\winnt\system32\drivers\lnsfw1.sys is there ?
    What does happen if you come back to the official lnsfw1.sys file ?
    If you never used the ActivatedSoon flag before, there is perhaps a problem with this mode on your system and the driver get unloaded.

    Frederic
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,213
    Very sorry, Frederic--I edited my post after realizing I had caused my own problem. (I had the driver disabled in order to diagnose some problems I've been emailing you about.)
     
  5. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    No problem. I prefer that instead of a real issue ;)

    Frederic
     
    Last edited: Nov 14, 2004
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,213
    This argument doesn't make much sense to me. I am not aware of all attack methods used by trojans. But if there is a proven way to obtain outbound communication, that means a trojan could use that method. Why wait until the leak is actually used by a trojan before addressing the problem by way of catch-up?

    If you know the lock on your front door fails if you wiggle it just right, you fix it, even if you don't yet know of any burglars who have gained entry using that method. Right?
     
  7. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    But is that what is happening with LnS? I think that the leaktests show what is out there on the market nowadays. And if a firewall can stop those I am quite satisfied. You not?
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,213
    Are you addressing me? If so, please understand that my message was intended to support, not criticize, what Frederic is doing with LNS with this beta driver. I do want my firewall to block all known leak methods.

    Even if a trojan doesn't use one of the known leak methods, some other crapware may (be it spyware or something else).

    LNS is the market leader for outbound protection. And outbound protection is all I use LNS for, since I have a hardware firewall. If someone has other priorities, maybe they should use something else.
     
  9. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    I guess I misunderstood you. Sorry for that! Maybe it's handy that we know where we all come from... I'm from Holland, so English is not my native language...
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Frederic, I did not mean to block and not log. I meant to log what is blocked and does not notify the user. For example L 'n' S did not notify me when PCAudit2 was blocked and as far as I can see it was not logged.

    The adapter that is probably causing my problems with the driver logs is my LinkSys Wireless - G PCI Adapter (WMP54G)

    Before you fixed the problem with the WUSB54G adapter my computer was being forced to reboot as soon as Windows loaded, but only when I was using the software that came with my adapter. If i used Windows Wireless Zero or another WiFi program instead of the software that came with my adapter I did not have the problem. I think it has something to do with the LinkSys Wireless Network Monitor. The version that came with my PCI adapter is v4.0 If you like I can send you a copy of the software that came with it and you can make a fix, or I can send you any logs you want.

    I am using the LinkSys Wireless Network Monitor now since L 'n' S does not cause me to reboot and the Internet Filtering seems to be working just fine. Windows Wireless Zero makes my connection dc after an hour of being online. Also, I get this error in my drivers logs:

    WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038WSA Error: 10038
     
  11. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,004
    You seem to get all kinds of weird things that I haven't seen, using LnS for a couple of days :)
     
  12. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Thanks Frederic. Installed with no problems, and it's passing those three tests.
     
  13. phaedrus

    phaedrus Registered Member

    Joined:
    Aug 18, 2002
    Posts:
    95
    Edited. Asked a question that was already answered here. Should have read the whole thread first :oops:

    Trev.
     
    Last edited: Nov 14, 2004
  14. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Hey phaedrus,

    See the first post in this thread by Frederic for installation instructions. The only difference if installing on XP is that following line

    2- unzip the new driver into c:\winnt\system32\drivers

    should read

    2- unzip the new driver into c:\windows\system32\drivers
     
  15. phaedrus

    phaedrus Registered Member

    Joined:
    Aug 18, 2002
    Posts:
    95
    Thanks defen :) Picked it up after I posted sorry.

    Cheers,

    Trev.
     
  16. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi AJohn,
    I did not mean to block and not log, my suggestion was to block and log silently, any new unknown application or DLL.
    At this time for PCAudit2, there is no other solution, since the DLL name is different each time.
    Thanks but I don't think I will investigate further very soon, since I already passed a long time on it, and finally there is a workaround to avoid the crash (but there is still an error message in the driver logs).
    This error is displayed by Look 'n' Stop when a call to gethostname fails.
    WSAENOTSOCK

    Error Number: 10038

    Socket operation on non-socket.

    An operation was attempted on something that is not a socket.
    Either the socket handle parameter did not reference a valid
    socket, or for select, a member of an fd_set was not valid.
    I don't know why you are getting this error.
    Did you blocked Look 'n' Stop to connect to intenet in the application filtering ?
    Maybe it is a side effect of "Watch DNS Call" or the new CheckDNSQ flag.

    Frederic
     
  17. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I dont understand why you couldnt log failed DLL injection attempts. The DLL name is different every time, but couldnt it still be logged that something attempted to inject its DLL into x program(s)?
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    I thought your request was related to not notifying the user with a dialog box.
    So I just answered this part, because it is not the way it is working right now.

    Yes, it would possible to log all failed DLL attempts (injection or normal).
    This is already possible when the DLLs are known by Look 'n' Stop.

    For new DLLs, the above point needs to be addressed first.
    Or are you asking, for new DLLs, to notifying the user and then to log if the user answered "Block the request" ? (this would be another request).

    Frederic
     
  19. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Well I just thought you could make L 'n' S log all of the attempts progams like PCAudit2 make. What if a program was running in the background and tried to inject a DLL into something and failed? I could have no idea that I had such a program on my computer. Maybe log all failed DLL injection attemps and maybe even make a baloon popup for X amount of time to go along with it.

    I like to be notified, but when I tested PCAudit2 it failed but L 'n' S did not notify me that anything was going on. If it werent for PCAudit2 having a screen that tells me what is going on I would have no clue anything has happend.

    Did I explain a little better this time?
     
  20. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    I'd like this option as well. If you have a balloon pop-up, then make it optional.
     
  21. birdie

    birdie Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    8
    Hi Frederic,

    Everything works now. You were right, it had nothing to do with the protocol filtering. I had strange behavior, because of the application filtering problem. Since I reinstalled and applied the LnSRegPatch everything works fine. With all the regflags enabled as instructed, "Watch DNS call" and "protocol filtering" disabled and all others enabled, all 3 leaktests worked. I even tried the wallbreaker test and that one also passed! :cool:
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    There is probably something you are setting up wrong birdie. I have tested them and L 'n' S stops everything it claims to.

    Make sure that you:

    1- rename C:\WINDOWS\system32\drivers\lnsfw1.sys to lnsfw1.old
    2- unzip the new driver into C:\WINDOWS\system32\drivers

    Here is a picture of my registry to show you what it should look like:
     

    Attached Files:

    • adsf.JPG
      adsf.JPG
      File size:
      47.7 KB
      Views:
      1,444
    Last edited: Nov 15, 2004
  23. birdie

    birdie Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    8
    Thanx for your reply Ajohn, but I don´t understand what you mean. Everything is working fine here now, all tests were blocked. :)
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Ohh ok. I thought you were saying you couldn't get them to work. Well at least people who are having trouble can look at my picture.
     
  25. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Hey AJohn, how come the Registry folder tree is partially blanked out in your screenshot ? Is this deliberate ? Is it because you've got a lot of porn installed on your system ? :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.