new leaktest available : Ghost v1.0

Discussion in 'other firewalls' started by gkweb, Dec 12, 2003.

Thread Status:
Not open for further replies.
  1. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Ok, I misunderstood what the "modify" part in Kerio meant. I agree that for your purposes at least, it fails.
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I know, after I had a long discussion with you in another thread, that you are more interested in the overall firewall results, which I don't do, I'm sorry.

    For overall results, I like to go to http://www.firewall-net.com/en/ ; I don't know
    if you know this one.
     
  3. Morgoth

    Morgoth Guest

    Gkweb:

    Is it true that for Outpost to get 10/10 in the AWFT, explorer has to be restricted (no access to the Net AND no using other progs to access the Net)? I showed U the link once...
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    On my comp, with IE and explorer fully trusted, it got this result.
    And about your link:


    I understand that you have to remove it from partially allowed, ... to fully allowed.

    EDIT : OPP 2 settings : http://perso.wanadoo.fr/jugesoftware/settings.zip
     
  5. Morgoth

    Morgoth Guest

    Hey, got a fun one about ZA 4.5.530 :D

    Just tested it with AWFT and sure enough it failed some tests - 4 and 5.

    But it's the way it failed that puzzles me.

    I had component control set to MAX, Advanced Program Control enabled but OpenProcess control DISABLED.

    As required, Explorer was given Net access rights AND the right to use other apps to access the Net.

    With these settings, ZA failed 4(1 pt) and 5(3 pts!!!), thus losing 4 points out of 10.

    But here's what's strange: upon BOTH tests, ZA popped up to ask whether I wanted to let explorer and components access the Network (the listed components were something like 'awftr1.dll' or something). But before I could reply, or even if I replied 'NO', the tests still leaked through!!!
    In other words, ZA did seem to "see" the 4 & 5 tests, but could not stop them, even if I told it to.

    How can that be explained? o_O
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    bug :)

    Sygate has one too with the "MBtest" leaktest: it sees it, it blocks it, but the first time all MBtest packets go through it (verified with a sniffer).

    To see something is one task, but once seen, to freeze it properly is another.
     
  7. Morgoth

    Morgoth Guest

    Wow, that wuz a quick answer :)

    So in other words, this is a design flaw in ZA, some sort of weakness that prevents it from blocking the leak properly? They don't seem to have corrected it even in v4.5??

    If so, SHAME ON THEM!!! :mad:
    I was thinking of switching (back) to Outpost or LnS, but these 2 on the other hand apparently failed PCaudit2 & Ghost. Back to waiting I guess...

    But are U sure that LnS fails PCaudit2? From what I read, v2.05b1 is supposed to be able to handle it. Or perhaps this will only be the case for the final v2.05...


    BTW, what exactly are the AWFT tests 4 and 5? Are they similar to Thermite in some way?
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    To choose one firewall because it fails this or that leaktest isn't a good idea; indeed, since none passes all leaktests, you would take no firewall at all, right? ;)

    I don't think any firewall vendor should have shame; I think it's a pretty hard job to do something efficient in _every_ way (web, intrusion detection, network filtering, etc...).

    About AWFT, quote from their site :
    About Look'n'Stop and PCAudit v2, yes, it fails it even though it has component control, but Outpost is in the same case too.

    So I think it's hard to choose a firewall only on its leaktest results, unless it really fails too many leaktests.
     
  9. Morgoth

    Morgoth Guest

    Actually, what I meant was, it's REALLY a shame for Zonelabs, because AWFT are NOT recent tests, and the issue about ZA failing the 4 & 5 test has apparently been known for a while - unless the bug only dates from version 4.5 (because versions 4 and prev. would not run at all on tests 4 & 5 !?!), but in that case, it's even worse since that would mean there's a new bug in version 4.5 that wasn't there in previous versions! :mad:

    Outpost, LnS & others may fail PCAudit2 & Ghost, but these 2 are recent tests at least, so it's not that "scandalous", I think.

    One thing's for sure - as soon as another FW succeeds in all the tests that ZA also passes (and hopefully, also on tests that ZA fails), I'll quit ZA, for I don't think they'll correct their AWFT flaw, nor their famous mem problem - at the time I'm writing this, vsmon has already swelled up to 25Mb RAM (it was only 6Mb at startup!)...

    Oh, and yes I read the specs about the AWFT tests, but these are a bit hazy to me (I'm but a young Padawan, remember? :)), that's why I was asking about a more 'down-to-earth' explanation about the 4 & 5 tests. From what YOU have read, are they similar to other tests such as Thermite (or another test) in some way?
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    First, I don't want to be publicly responsible for people switching firewalls because of me; I don't want to be in the sights of firewall vendors ;)

    About AWFT:
    I think it's a thread injection (like Thermite) into Explorer.exe (not IE), putting iexplore.exe itself into it, so it bypasses firewalls which ask about explorer launching IE, because it doesn't launch it; it "hosts" it in its own process area.
    So this test could be seen as something like Thermite, but different, because Thermite injects executable code which accesses the Internet, but here it's IE itself which is injected, a trusted application.

    Note that I can be wrong; it's what I understood.


    This test asks you first to browse websites; while you do that, it tries to see which running processes have access to the Internet on port 80 and are allowed.
    Then it does like the other test: it loads a copy of the process inside explorer.exe (as a new thread) and patches it (how? no information) before accessing the Internet.
    What is difficult for the firewall is that it isn't necessarily your browser which could be used (I tried with "success" with processes other than my browser).

    Unfortunately, on both tests, we don't know how the executable is patched in memory.
     
  11. Morgoth

    Morgoth Guest

    Fear not - objectivity is of the essence here, and you're doing a good job. So should you ever be in their line of fire, just stand your ground and fight the danger, soldier! :D

    Second, I don't want to confuse U in any way, but about Outpost (again, I know, but it's among my favourite FWs): the issue with AWFT is rather unclear, as some users setting explorer to 'fully trusted' have failed it, unless they enter 'explorer.exe' into a special .ini file which in turn adds some restriction to it, see this thread and scroll down:
    http://www.outpostfirewall.com/forum/showthread.php?s=f30049bf32346712b8fe874b67b81cd5&threadid=8539&highlight=atelier

    Makes sense too: if it could truly pass AWFT 10/10, then it would also pass Thermite, which it doesn't.

    As for LnS, I guess it (really) passes AWFT 10/10 thanks to its new 'thermite patch'...
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Sounds logical, I will investigate this issue, thank you ;)

    EDIT : someone else talked to me about that but I forgot in the meantime; remembering 108 tests (6 FW, 12 leaktests + 6 AWFT tests) is not easy :)
    So Outpost should apparently only pass the 4 tests? So 4/10?
    Oops, really different from 10/10...
    If I had to remove the makeshift protection in the ini file, would OPP fail "Tooleaky" too? o_O
    Really needs investigation.
     
  13. Morgoth

    Morgoth Guest

    Really sorry for the extra hassle, soldier :D
    'tis difficult to test all these FWs, I concede.

    One way to find out about Outpost would be to set it so it can pass AWFT 10/10, while granting FULL rights to explorer, BUT without any extra "special" rules for explorer, and STILL be able to use:
    1) The browser
    2) EMULE to connect to edonkey servers.
     
  14. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    To be sure, I installed OPP on my other family computer and redid the tests.
    First, I'm "surprised" (maybe the right word would be astonished...) that such a crucial config in Outpost (block hidden processes explorer.exe and iexplore.exe by default) is hidden in ini files of the OPP folder and that there isn't any option in the GUI!

    Such an option is a makeshift that should be disabled to do leaktest testing; someone in the past talked to me about it too, but I forgot this "small" point which is in fact a vital point.

    I installed OPP on a win2k machine, and I got these results :

    Leaktest : passed
    FireHole : passed
    Tooleaky : failed ! (OPP was passing it by blocking a hidden iexplore process)
    Yalta : passed
    PCAudit : passed

    AWFT :
    1 - failed
    2 - I wasn't able to do it (it didn't recognize my default browser as loaded)
    3 - passed
    4 - failed
    5 & 6 : I wasn't able to test them; even while opening 10 browsers, AWFT always told me "browse a little then retry".

    Thermite : failed
    Copycat : failed
    WB : failed
    PCAuditv2 : failed
    Ghost : failed

    After uninstalling, blue screen even in safe mode... I'm currently restoring a ghost image and doing windows updates.

    Again, the "block hidden process" is a makeshift; OPP doesn't even see "Tooleaky". Damn, for how long was I fooled?
    (file : OPP directory\outpost.ini)

    Sorry not to be able to continue tests today, I have to reconfigure my other computer.
    If you can test on your side, please post your results.

    Thank you.
     
  16. Morgoth

    Morgoth Guest

    thank you WHO? ;)


    Good job, soldier!

    But I don't know if I should lament or rejoice. First ZA, now OPP. Man, it's about time they woke up!

    At least LnS is able to (truly) pass AWFT thanks to its 204b2 patch.

    But there's one thing I still don't get:

    What the hell is this 'block hidden processes' option - and how is it "vital"? Why does it HAVE to be disabled?
    And most importantly, what does it mean??
     
  17. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Again, all I care about is if the firewall CAN stop an app without being really restrictive. That's what helps me decide whether to use a firewall or not. Still, it looks like ZAP and Outpost have bugs, and that bothers me. It's hard to decide on a firewall to use.
     
  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @Morgoth

    This feature blocks any process attempting to access the Internet if it is hidden; OPP doesn't see whether malicious software launched it, it doesn't see the leaktest, it doesn't even pass the leaktest idea.
    Tooleaky's idea has never been to launch IE in hidden mode; it could do its job just as well with IE not hidden, and in that case OPP would fail it because IE isn't hidden (in both cases it doesn't see Tooleaky, it just sees a hidden process).

    It's like the "OpenProcess" of ZA, which monitors something without passing the leaktest; here, to block unconditionally any hidden process from accessing the Internet _is not_ to pass the leaktest.

    Sorry I can't explain more, I'm returning to my other computer.
     
  19. Morgoth

    Morgoth Guest

    OK, but take Explorer for example.

    What is a "hidden" Explorer process?
    What's the difference with a normal process which we see in the taskbar?
    Can I manually launch ANY application as 'hidden', say by typing something like the following command line:
    'explorer.exe /hide' or 'emule.exe /hide'? (just to illustrate) o_O
     
  20. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Well, it all depends on how someone defines "pass the leaktest." My ZAP asks me if I want to allow an app to use a process.
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    A hidden process is decided in the code, when you launch it.
    It's a process which runs normally, but all its windows (its GUI) are hidden from the user (though it appears in the task manager).

    example in "purebasic" :
    RunProgram(IE,"","", #PROG_HIDDEN)

    "hidden" is a process property; it's information which can be retrieved by another program, in our case OPP.

    OPP blocks any hidden process from accessing the Internet.
    The fact is that OPP doesn't have any program launch monitoring at all; I mean that if I launch IE normally, as any legitimate program would do, OPP doesn't see it. It blocks Tooleaky _indirectly_ by directly blocking a hidden process: IE.

    Try this test program (quickly written):
    http://perso.wanadoo.fr/jugesoftware/Unhidden_IE_Launch.exe

    it launches IE _normally_ on http://www.apache.org

    _Any_ firewall with application launch monitoring ("xx.exe launches yy.exe to access the internet, do you want to allow it?") will easily and without any problem block this simple executable (it could be seen as Tooleaky, but not hidden).

    If someone wants to try it with OPP, feel free to post your result here.
     
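As an added illustration (not code from this post, from Outpost or from any firewall vendor), a small Python model of the two rules contrasted above, run over a constructed process table: a "block hidden processes" rule that looks only at window state, and a program-launch monitoring rule that looks at which parent started a trusted application. The process names other than iexplore.exe and explorer.exe are made up for the example.

```python
# Toy model of two application-control rules discussed in the thread.
# Not Outpost's, ZoneAlarm's or any vendor's real logic; the process table
# below is constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str          # executable name
    parent_image: str   # executable that launched it
    hidden: bool        # launched with its windows hidden (like #PROG_HIDDEN)


# Applications the user has given Internet access in the firewall GUI.
TRUSTED = {"iexplore.exe", "explorer.exe"}
# Parents from which the user normally starts a trusted application (assumed).
USER_LAUNCHERS = {"explorer.exe"}


def hidden_process_rule(p: Proc) -> str:
    """'Block hidden processes': decides on window state only and never
    looks at who launched the process; blocking is silent (no popup)."""
    if p.hidden:
        return "block"
    return "allow" if p.image in TRUSTED else "ask"


def launch_monitoring_rule(p: Proc) -> str:
    """Program-launch monitoring: a trusted application started by an unknown
    parent triggers 'xx.exe launches yy.exe to access the internet, allow?'."""
    if p.image in TRUSTED and p.parent_image not in USER_LAUNCHERS:
        return "ask"
    return "allow" if p.image in TRUSTED else "ask"


def verdicts(table):
    """Return {pid: (hidden_rule_verdict, launch_rule_verdict)} for the table."""
    return {p.pid: (hidden_process_rule(p), launch_monitoring_rule(p)) for p in table}


# Constructed scenarios matching the post: normal browsing, a hidden IE started
# by an unknown program (Tooleaky-style), and IE started normally by one.
PROCESSES = [
    Proc(1001, "iexplore.exe", "explorer.exe", hidden=False),
    Proc(1002, "iexplore.exe", "unknown_a.exe", hidden=True),
    Proc(1003, "iexplore.exe", "unknown_b.exe", hidden=False),
]

if __name__ == "__main__":
    for pid, (h, l) in verdicts(PROCESSES).items():
        print(pid, "hidden-rule:", h, "launch-rule:", l)
```

Process 1003 is the case the post describes: the hidden-process rule lets an unhidden launch straight through, while launch monitoring still asks.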
  23. Morgoth

    Morgoth Guest

    So it would seem it is more like "cheating" - as with ZA's 'OpenProcess' against Copycat.

    U once said that an OpenProcess can be legitimate even when used to inject code into a process.

    So the question is, can hidden processes also be legitimate?
     
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    OPP isn't really cheating; this feature could be interesting for the end user. DLL injection and thread injection could be legitimate, and a hidden process too, but I don't have any example of software doing it (hidden process).

    In reality, this feature could be useful; I don't say Agnitum is cheating, I just say that this feature blocks many leaktests, not by seeing them, just by seeing a hidden process at the end and blocking it.
    OPP doesn't even give you a popup; it just blocks it silently.

    An example to make you understand: if I ran all the Wallbreaker tests in hidden mode, OPP would pass Wallbreaker without seeing Wallbreaker at all, just because at the end there would be a hidden iexplore.exe or explorer.exe.
     
  25. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    So, do you think it is possible for a firewall to pass all these apps while having both Windows Explorer and Internet Explorer allowed? Is it just laziness on the firewall makers' part?

    I'd also like to know if you have a favorite firewall, gkweb. :)
     