New Matousec Firewall Challenge

Discussion in 'other firewalls' started by guest, Nov 28, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Since this thread started out mentioning the challenge to firewalls, I'm wondering if any of those tests included bypassing firewalls using APIs (Application Programming Interface). The current MS08-067 (Windows Server Service vulnerability) exploit uses this technique as described at the Microsoft Malware Research Center site:

    Worm:Win32/Conficker.A
    http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A
    ----
    rich
     
  2. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
How much are the firewall vendors paying Matousec for their testing, consultations, bug reports, and affiliate relationships? Has anyone asked the firewall vendors this question before, especially the ones ranked so highly? I noticed the only ones who get the best rankings and recommendations are the ones who have formed affiliate relationships with Matousec (with the exception of Netchina).
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    http://www.matousec.com/projects/firewall-challenge/

"Products for testing are selected from those that were requested for tests by their vendors or often suggested for tests by our visitors, more times than other products. If there are no such products, we will select products for tests ourselves, preferentially taking products that have not been tested at all yet and have a real chance to succeed in our tests. Every vendor has a right for its product to be tested in Firewall Challenge for free two times in a six-month period and this right is valid only for stable and publicly available versions of the products. If a vendor offers more than one product it still has a right of only two free tests per six months. Moreover, the next free testing of a product will be performed no sooner than one month after the last free testing. This rule should prevent vendors from using Firewall Challenge testing as a free beta testing service. The exception from this rule is for vendors that offer two versions of the same product, of which one is available free of charge and the other one is a commercial version with some extra functionality, and these versions are likely to have different results in Firewall Challenge. The second and last exception from this rule is for vendors that offer a product with an antivirus engine and mark any of the tests of Security Software Testing Suite as a virus, infected code, an unwanted or malicious application, or offend any part of the suite directly using pattern recognition or any other form of blacklisting. We have experienced such behaviour in the past in the case of leak-tests; this approach deceives the users of such antivirus engines and makes the testing more difficult for us. The vendors who offend the testing suite have no right for free testing at all but can still request a paid testing."
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
You can hardly find a single test that would not use an API. They all use different APIs.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, alex_s, I don't know much about these tests, but I ask because it occurred to me that with all the possibilities of using APIs to bypass/terminate firewalls, it seems like a never ending cat and mouse game to keep up, leaving the user to wonder if the next bypass in the works will render the firewall an ineffective part of her/his security.

But some other considerations.

    By the time the firewall alerts, other damage has already been done, since the malware executable will have already installed/run. Here for example, a standard firewall alert, where the malware attempts to spoof svchost.exe by a file dropped into the %temp% directory:

[image: kerioalert.gif (Kerio firewall alert)]

    By the time of the alert, Registry entries have been added and many other files dropped to disk.

It seems to me that the exploit should be caught earlier in the game -- when it attempts to execute, which is simple to do, one example being the use of Software Restriction Policies. From another malware using the svchost.exe trick:

[images: Software Restriction Policies blocking the executable]

While the cat and mouse game of outbound firewall exploits makes for interesting reading, everyone I know involved with helping people with basic computer security finds them to be irrelevant.


    ----
    rich
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
This is what those tests are about. Every test demonstrates a different way to bypass security in one way or another. And yes, this is a never-ending game because OSes change, security changes and malware changes. It is hardly possible to build "ideal security", just because everything is made by people, who cannot be "ideal" by definition :)
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If you are helping your neighbors with computer security, do you advise them to watch that website, and if the firewall they are using drops in the ratings in the next set of tests, to ditch that firewall and get another?


    ----
    rich
     
  8. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Nope. But I still track the rating myself. It's kinda nice to know your lovely firewall has the best rating not because it fights for rating, but because it fights for security :)
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
I wonder... if the firewall vendor is fighting for security, why doesn't it have developers searching for outbound vulnerabilities in their own lab? Why wait until some third party runs tests that the vendor's firewall fails, and then update the firewall so that it can maintain high ratings to compete with the other firewall products? Don't you think ratings are on the vendors' minds, since many users brag that their firewall gets the highest rating?

    But that's the vendors' problem... their own cat and mouse game.

    My question about helping your neighbor goes along with what others in this thread have commented about the real world. When I see vulnerabilities discussed, I have to decide what is pertinent to pass on to others. In the case of MS08-067 (Windows Server Service vulnerability) which uses an API to bypass the firewall (a potential outbound exploit), do I have to be concerned that a user's firewall is vulnerable? (In this case, a patch was issued before exploits in the wild surfaced, but this is often not the case)

    First of all, many of the products listed on the site are more than a firewall, so that intrusion detection measures kick in to block the exploit. Note the difference in ratings between Comodo's Internet Security, and its Firewall Pro.

    So what about preventative measures in the case of MS08-067, supposing a 0-day scenario? Looking at the exploits in the wild, I see that they are easily blocked from executing in two ways, by

    1) inbound firewall protection: Port 445, 139

    2) execution protection against the trojan executable payload, as I demonstrated above.

There is certainly nothing wrong with following these firewall challenges, but as a part of a computer security strategy, they need to be kept in perspective: using a stand-alone firewall that falls short in these ratings shouldn't necessarily lead to the conclusion that a user is vulnerable, if that user's preventative measures block the exploit from running in the first place.

    As I mentioned in a previous post, a more comprehensive test against such outbound firewall exploits would be to package the code in a known vulnerability and let the users see if their security in place can block the exploit from executing. They may already have protection from other security measures, which then negates the need to worry about their stand-alone firewall.

    Without understanding these basics, a user is likely to be wrongly influenced by these types of firewall challenge results.

    ----
    rich
     
    Last edited: Dec 5, 2008
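As an added example that is not part of the thread, and not code from Matousec or any vendor named here, the following Python models the two "execution protection" checks Rmus describes in posts 5 and 10: a Software Restriction Policies-style default-deny path policy (most specific matching rule wins, anything outside the allowed locations is denied, so a payload dropped into %temp% never runs), and a check that a process calling itself svchost.exe actually lives in System32 rather than a user-writable directory. The rule set, the "real" svchost locations and the process records are constructed for illustration; a real SRP policy is configured in Local Security Policy, not in Python.

```python
"""
Added example (not from the thread): a model of SRP-style default-deny
path evaluation plus a svchost.exe location check. All rules, paths and
process records below are constructed sample data, not captured output.
"""
import ntpath

# Hypothetical SRP-style path rules. "allow" mirrors an Unrestricted
# path rule for locations a standard user cannot write to; "deny"
# mirrors a Disallowed rule for the writable spots under %SystemRoot%.
# Anything matching no rule falls through to the default security level.
RULES = [
    (r"C:\Windows", "allow"),
    (r"C:\Windows\Temp", "deny"),    # user-writable under %SystemRoot%
    (r"C:\Windows\Tasks", "deny"),   # likewise
    (r"C:\Program Files", "allow"),
]
DEFAULT_LEVEL = "deny"               # SRP "Disallowed" default level

# Locations the genuine service host binary lives in (assumed layout;
# the SysWOW64 copy only exists on 64-bit Windows).
REAL_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


def normalize(path):
    """Canonicalise a Windows path for comparison.

    ntpath.normpath collapses ".." segments, so a path such as
    C:\\Windows\\Temp\\..\\..\\Users\\x\\y.exe cannot be smuggled past a
    prefix match on C:\\Windows; lower() makes the compare case-insensitive,
    which is how the NTFS namespace behaves.
    """
    return ntpath.normpath(path).lower()


def _matches(path, prefix):
    """True if path is prefix itself or sits below prefix."""
    return path == prefix or path.startswith(prefix + "\\")


def evaluate(path):
    """Return "allow" or "deny" for an image path.

    SRP semantics: of all path rules that match, the most specific
    (longest) one decides; with no match the default level applies.
    """
    p = normalize(path)
    best = None
    for prefix, action in RULES:
        pre = normalize(prefix)
        if _matches(p, pre) and (best is None or len(pre) > len(best[0])):
            best = (pre, action)
    return best[1] if best else DEFAULT_LEVEL


def is_svchost_masquerade(image_path):
    """True if the image is named svchost.exe but is not the real one."""
    p = normalize(image_path)
    return ntpath.basename(p) == "svchost.exe" and p not in REAL_SVCHOST


def triage(processes):
    """Evaluate (name, image_path) records; returns (name, verdict, spoof)."""
    return [(name, evaluate(path), is_svchost_masquerade(path))
            for name, path in processes]


# Constructed process list: one genuine svchost, one dropped into the
# user's temp directory (the trick in the Kerio alert), a system binary,
# and a dropper that tries to hide a user-writable path behind "..".
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),
    ("notepad.exe", r"C:\WINDOWS\notepad.exe"),
    ("setup.exe", r"C:\Windows\Temp\..\..\Users\user\AppData\Local\Temp\setup.exe"),
]

if __name__ == "__main__":
    for name, verdict, spoof in triage(SAMPLE_PROCESSES):
        flag = "  <-- svchost.exe outside System32" if spoof else ""
        print(f"{verdict:5}  {name}{flag}")
```

The point of the "longest rule wins" loop is that an allow rule on C:\Windows must not quietly cover C:\Windows\Temp, which a standard user can write to; that is the same reason SRP deployments add explicit Disallowed rules under %SystemRoot%. The normalisation step matters for the same reason the Kerio alert in post 5 was too late: a policy that compares raw strings can be sidestepped by a path that merely looks like it starts in a trusted directory.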
  11. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
I haven't read all the thread but if the guys from Matousec are honest, they'll include an opt-out. Comparing different technologies without someone's consent & misleading neophytes isn't right and probably not legal in law at all. I need to ask one of my friends (a lawyer) just for the fun of it. That's quite intriguing! Anyway, my guess is that something like an opt-out will never see the light of day because once people realize what it's all about, a lot of results will be removed, Matousec will lose too much money and the racket will end.

    Btw, Mamutu is an excellent product. Don't be fooled by nonprofessionals.
     
    Last edited: Dec 6, 2008
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
It may be that Mamutu is an excellent product, but if it learns how to protect itself from an accidental termination, it will become even better :)
     
  13. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    Not this again! Concentrate on the FIREWALLS, as is the test name, ffs. It's not about process termination of applications that are not even firewalls ....
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
Again, again and again. To successfully protect others, a product MUST protect itself first. For how can it protect others if it is killed BY ACCIDENT?
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Does it work in a LUA?
    What does LnS have to do with Mamutu, besides nothing?

    Guessing your reply, my reply to that is, start another thread with tests for Mamutu alone :)
     
  16. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
Montréal, Canada
    LnS is another example. It's a superb firewall. If you compare firewalls with firewalls, hips with hips, firewall+hips bundles with firewall+hips bundles, etc. you'll see.
     
    Last edited: Dec 6, 2008
  17. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
I COMPLETELY agree with you, Matousec should implement different categories like that.
     
  18. BrendanK.

    BrendanK. Guest

    Mamutu does have tamper protection, but it is not enabled by default. It uses a captcha image at termination with the tamper protection on to verify if you want it to be shutdown.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
I find MAMUTU an extremely well refined product worth every penny and getting better with each update, such as core components etc.
Let me give an example: you might have seen TF for one, or let's take some other security interceptor app for that matter, which when called on to alert seems to overly hesitate, or some have reported complete stall-outs forcing an explorer restart to flush the clog in their programming code, where something gave cause for the app to either lose track (too long) over trying to match a find in either its database or local rules, or the app itself not being up to aborting IMMEDIATELY and alerting the user, causing the user to wonder what the hold-up is.

I don't want to pick on TF but compared to Mamutu this is just what I encountered each and every time. Mind you, if the programmers eventually tweak & finely adjust TF's response time it stands to be a world leading BB in my opinion because TF does have the potential to add rules and such, whereas Mamutu basically seems to tap into its own intelli-trap code to rapidly alert and, when called on, immediately dismiss the offending app, discredited as needing to be fully terminated.

TF on the other hand carries off (quarantines) whatever it decides (Community Protection?) is an offender, even if that happens to be IE or notepad, or maybe even a test file you use to routinely try your defense practices. I tested it by running a script file and instead of trapping the script it carried off Regedit :blink:

I do hope they finally bring it up to where it can be, and what it can be, but like Alcyon says, "don't pay any attention to non-professionals" because currently MAMUTU is a Hyper-Intelligent Behavioral Blocker that in my experience with it so far complements my HIPS of EQS superbly, and also passes the choice over to me the user to make the decision to either Terminate or Add To Its WhiteList apps I approve of.

    EASTER
     
  20. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Many things do not work in LUA, but most users do not use LUA.
    They both are security products that provide host-based security functions
    I do not use Mamutu, why should I ?
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
Yes, the natural behavior is to disable it by default, superfluous because it is too annoying.
Highly intelligent security must act silently but still remain effective without bothering the user.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
Most users never used any of these programs. In fact, more have tried a LUA than any of these, methinks..
    Right.
     