new leaktest available : Ghost v1.0

Discussion in 'other firewalls' started by gkweb, Dec 12, 2003.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Look ‘n’ Stop v2.05b1 Feature-List didn’t cover pcAudit v4.0.0.0 or Copycat, so no bug. And as for the most commonly asked question, fix when? I’m just as clueless as the next fella! ;)

    Regards,
     
  2. Morgoth

    Morgoth Guest

    Then a dark day for firewalls it is comrades, for so far none can avert all existing threats...

    Leaktests win once again.

    So for now:
    Leaktests 1 - 0 Firewalls . :'( :'(
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Outbound/MBtest ran (in my tests) on two different kinds of OS.
    Outbound uses a ".dll" and a ".vxd" in Win9x; MBtest uses a ".dll" and a ".sys". As I said, results need to be checked.
    When I tested ZA, it passed PCAv2 without anything strange or weird; for each app trying to access the Internet, ZA saw a new component, which was the PCAudit dll.

    If you go to my site, on the results page there is a link to a "detail/explanation of results" on which I have written exactly what you say.
    Even after many, many tries... I wasn't able to pass PCAudit v1.
    For PCAudit v2, NPF, like ZA, saw each time that there was a new component, the PCAudit dll.

    There are _so many_ ways to escape from a computer that firewall vendors will always have hard work to do.
    Will firewalls ever win against leaktests? I think it's a never-ending cycle where leaktests are released first, and firewalls try to block them after.

    But I keep the faith, maybe, one day... ;)
     
  4. Morgoth

    Morgoth Guest

    Yeah, FW vendors are working hard, no doubt.

    May the Force be with them.

    But as U said, many are tempted by the Dark Side and at least one (BID) has succumbed to it. :D
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I hope to never be tempted by the dark side too; imagine, I would just unplug from the Internet and suddenly all leaktests passed :D
     
  6. Morgoth

    Morgoth Guest

    That's it! You have found the ULTIMATE SOLUTION!

    Why did FW vendors make it so complicated when the solution was under their noses all this time?

    On the other hand, imagine a trojan that could leak out even with the Net connection severed - LOLOL that would surely be a trojan spawned in Hell itself :D
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Leaktests solution, copyrighted under gkweb licence.
     

    Attached Files:

  8. Morgoth

    Morgoth Guest

    "Beta" version?
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Of course, it may have bugs, like badly cutting the wire and leaving you half of your bandwidth, in very rare cases.

    Fixed in the next version.
     
  10. Morgoth

    Morgoth Guest

    Now that's what I call "sharp" wit :cool:
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    What?
     
  12. Morgoth

    Morgoth Guest

    Let's just say we're talking about "cutting-edge" technology...
     
  13. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
  14. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Hi again, gkweb - KAV detects ghost as a virus/trojan. Since it's obviously not one, maybe you should straighten this out with Kaspersky.
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    :eek:

    Virus? Trojan?

    Ghost is just packed with UPX, yes, but this doesn't turn it into a threat.
    Thank you for the info, I will try to find an email address to write to Kaspersky.
     
  16. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    It does the same thing with the Firehole leak test. It's annoying, because you have to pause the AV to test. It detects Ghost as Exploit.Win32.Firehost. Glad you are writing them about it.
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    It is an Exploit, and since it’s labelled an Exploit and not a virus/Trojan/worm, you shouldn’t worry about it.
     
  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I just asked them what it means exactly, just in case, and if it's a mistake, I requested that they remove it from their database.

    If i have an answer i will post it here.
     
  19. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Yes, if you have an answer, I'd like to see it.

    Personally, I'd have a hard time using a firewall that can't pass both PCAudits. Those are important tests. Ghost seems to exploit real vulnerabilities in the basic protection, so failing that test also bothers me a lot.
     
  20. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    my email to Kaspersky :

    answer from Kaspersky :

    what do you think about it ?
     
  21. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Outpost Pro v2 problem:
    --------------------------------

    Outpost has an outpost.ini file in its directory which, by default, lists explorer.exe and iexplore.exe in the "block hidden process" area.

    With these default settings (which you can't modify in the GUI) it has a 10/10 AWFT score and passes Tooleaky.

    Without these settings, OPP has a 5/10 AWFT score and fails Tooleaky.


    From my point of view, blocking hidden processes from accessing the Internet is again a makeshift, since the threat isn't identified: the process isn't blocked while accessing the network because it is "remotely" maliciously used, but just because it is hidden.
    Of course, as with all other firewall makeshift protections, this feature is really interesting and useful in a real environment, but what is your opinion about it?

    - it's a makeshift, it doesn't pass leaktests, results are 5/10 and Tooleaky failed
    - it's a legit protection, results are 10/10 and Tooleaky passed.

    Thank you for your input; it will directly affect the official results page.

    EDIT: without these options enabled, OPP seems not to have application launch monitoring at all (trojan.exe -> trusted.exe -> internet)
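
    The launch chain from the EDIT above (trojan.exe -> trusted.exe -> internet), as an added example that is not part of the original post or of any firewall's code: a minimal Python model of application launch monitoring, which judges an outbound connection by the connecting program's whole parent chain rather than by its name alone. The process table, PIDs, names and trust lists are constructed assumptions.

```python
# Added illustration: launch-chain monitoring for outbound connections.
# All process names, PIDs and events below are constructed sample data.

TRUSTED_NET_APPS = {"iexplore.exe", "explorer.exe"}   # allowed to reach the network
KNOWN_LAUNCHERS = {"explorer.exe", "services.exe"}    # parents accepted without a prompt

# Constructed process-creation events: pid -> (image name, parent pid)
PROCESSES = {
    4:   ("services.exe", 0),
    100: ("explorer.exe", 4),
    200: ("iexplore.exe", 100),   # user started the browser from the shell
    300: ("trojan.exe", 100),     # unknown program the user ran
    301: ("iexplore.exe", 300),   # browser started by the unknown program
}

def launch_chain(pid, processes):
    """Return image names from the process up to the root, child first."""
    chain, seen = [], set()
    while pid in processes and pid not in seen:
        seen.add(pid)            # guard against loops caused by PID reuse
        name, parent = processes[pid]
        chain.append(name)
        pid = parent
    return chain

def decide(pid, processes):
    """Decide on an outbound connection attempt by `pid`.

    'block'  - the connecting image is not a trusted network app
    'prompt' - trusted image, but an ancestor is not a known launcher
    'allow'  - trusted image and every ancestor is a known launcher
    """
    chain = launch_chain(pid, processes)
    if not chain or chain[0] not in TRUSTED_NET_APPS:
        return "block", chain
    unknown = [name for name in chain[1:] if name not in KNOWN_LAUNCHERS]
    return ("prompt" if unknown else "allow"), chain

if __name__ == "__main__":
    for pid in (200, 301, 300):
        verdict, chain = decide(pid, PROCESSES)
        print(pid, verdict, " <- ".join(chain))
```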
     
  22. Morgoth

    Morgoth Guest

    My jury finds Outpost guilty of failing the AWFT test at 5/10 by a unanimous 1/1 vote :D
     
  23. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Anyone else? mvdu ?
     
  24. Morgoth II

    Morgoth II Guest

    I agree with Morgoth :D :D
     
  25. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    My vote - failing AWFT because Windows Explorer has to be off of the partially allowed applications list.
     