New version 2.05 beta 01.

Discussion in 'LnS English Forum' started by Frederic, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi All,

    We are pleased to announce that the new version 2.05 beta 01 is out.

    Here are the links for download:
    - English release: http://looknstop.soft4ever.com/Beta/En/2.05b1/LooknStop_Setup_205b1.exe
    - French release: http://looknstop.soft4ever.com/Beta/Fr/2.05b1/Installation_LooknStop_205b1.exe

    To install this new version over an existing one, there is no need to uninstall the current one first; just run the setup and answer Yes to the question.

    Here is the content of this version (quite the same as the preview):

    Features Added:
    • DLL Filtering (Windows 2000-XP only)
    • Port & IP selection for the Application Filtering
    • Plug-in interface for localization, rule creation and log analysis by third party applications.
    • Detection of trojans that are using DLL injection or DNS request through svchost/services.
    • Detection of non-standard protocols and drivers under Win2000/XP.
    Changes:
    • Signature verification improvements (Windows 2000-XP only).
    • New attribute in Application Filtering to have only blocking access in the log or all access.
    • Addition of GB unit for statistic display in the Welcome page (however there is still the 4 GB limitation)
    • All miscellaneous options in one list in the Advanced Options dialog box.
    • In the "U/D #" column addition of a '-' or '+' information to know if the packet has been blocked or allowed.
    • In the Application Filtering, it is now possible to sort the lines by clicking on the column headers.
    • Addition of the 'TCP or UDP' selection to the list of protocols in the rule edition dialog box
    • Automatic log entries removal when reaching a limit (configurable by the user).
    • Application filtering: automatic removal of applications which no longer exist
    Fixes:
    • Under some 2003 Server configurations, the network interface wasn't correctly detected.
    • The field "IP to exclude for auto-detection" was sometimes badly interpreted.
    • The rule names in the log are now correct even if some rules have been added without being applied yet.
    • Crash when the maximum number of Internet Filtering rules was reached.
    About plugins, you will find more information here:
    http://www.looknstop.com/En/Plugins/plugin.htm

    In case of problem, please use the following Web form to report the problem to us:
    http://www.looknstop.com/En/support_2.05beta.htm

    This version will expire by March, 2003, the official 2.05 or a new beta will be available before.

    To re-install the 2.04 over the 2.05b1, two solutions:

    1- uninstall the 2.05b1, reboot, reinstall 2.04, reboot
    2- remove lnsfw.vxd/lnsfw1.vxd (Windows 9x/Me) or lnsfw.sys/lnsfw1.sys (2000/XP) and remove fwapi.dll, then execute the 2.04 setup and reboot

    Regards,

    Frederic
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    cool! great! super!

    downloading now and looking forward to giving it a go.
    Thanks for the improvements, Frédéric

    Andreas
     
  3. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    Thank you!!

    I'm so excited the new 2.05's finally out! :D

    I'll download it at once!! ;)

    btw...is a full guide to how to use the new features already done?
     
  4. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Re:Thank you!!

    The help file included covers it
     
  5. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Cool, been waiting on this! Thx for releasing it!!!
    BTW: If I could get Andreas to give me back my Suse Linux cd's it would be complete!!! ;)))

    LOL
    CU
    Jazzie
     
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Hi...
    Is there anything new in this version for 98 users or is it not worth installing if you have the 2.04 version?
    tia
    ellison
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey ellison64

    Read the very first thread in this topic closely... ;)
     
  8. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Ok... I've read it again. What I would consider important updates that warrant an update, such as DLL injection detection, seem to be only for XP / 2000... why is that?
    tia
    ellison
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    DLL Injection using resources specific to Win2K/XP… :'(
     
  10. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Sorry phantom... meant DLL injection :oops: . I'm not an expert but assumed malware that uses DLL injection methods can happen on all operating systems.
    ellison
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey

    ahhh me bad...

    "Detection of trojans that are using DLL injection or DNS request through svchost/services."

    I don't recall Win9x/ME using svchost & services... :)
     
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    You are correct that 98 doesn't use svchost/services. I'm thinking of exploits like pcaudit that use DLL injection to bypass the firewall. It seems to bypass 2.04 and I assumed the DLL injection detection would stop this... but only for 2000 and XP, or am I missing something here?
    tia ellison
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    You are missing something. If you are really interested in this, read through http://www.codetools.com/system/hooksys.asp
     
  14. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Thanks for the link phantom... however it doesn't really help me at all. All I really wanted to know is whether the new version with the DLL filtering etc. that's for XP / 2000 will stop DLL injection exploits like pcaudit. On 98 and using 2.04 it doesn't.
    ellison
     
  15. Morgoth

    Morgoth Guest

    What about leaktests (or trojans) that inject themselves into open processes by modifying one of their threads (cf. Copycat?)?

    2.04b2 stops Thermite but not Copycat. How does 2.05b1 fare against Copycat?
     
  16. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    NO firewall passes Copycat.

    As of now, the only way to prevent such a leaktest from simply launching or running is to use an Application Monitoring feature/software, as you can read in the other post where we talked :)

    I am very impatient to see the first firewall which will really pass this leaktest, just wish it will be Look'n'Stop ;)
     
  17. Morgoth

    Morgoth Guest

    Wait one ... does this mean that
    - LnS 2.05b1 also fails the test

    or instead

    - 2.05b1 has not been tested yet (against Copycat) ??

    Me too, unless Zonealarm or Outpost fix their memory leak bugs... :rolleyes:
     
  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    No firewall means not one, even Look'n'Stop 2.05 beta1.

    And as JV Morris said on the other thread, any dishonest firewall vendor could be compelled to identify directly the leaktest MD5 fingerprint to be the first to "pass" it.
    This is why, when this time comes, I will do my best to ensure the leaktest is really passed ;)
     
  19. Morgoth

    Morgoth Guest

    Damn! Now I'm more impatient than ever.

    Hey, why not set up an opinion poll as to which firewall will be the first to (fully) pass the dreaded Copycat test ?! :D
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Given that the Copycat source was available and probably is still available, and yet Software Firewall vendors weren't capable of implementing proper detections by now after all this time with Copycat being around, I'd be surprised to see a Software Firewall release a version that actually sees Copycat exploiting Trusted Applications to access Internet resources… ;)
     
  21. Morgoth

    Morgoth Guest

    The difference between Thermite & Copycat was explained to me a few posts ago (in a nutshell!!).

    Basically, the only difference is that Thermite creates a new thread in the open process whereas Copycat modifies an existing thread. The intricacies of these leaktests may be beyond my scope, but the way it sounds these 2 tests look pretty similar to me! So if at least one FW (namely LnS) was able to "truly" pass the Thermite test, then surely we won't have to wait that long B4 the other one is defeated as well, shall we?

    Perhaps there are no (real) trojans out there that use the 2nd method, so no FW vendor may have bothered to attend to it yet (BTW, how does the Beast trojan work? Does it operate in Thermite or in Copycat fashion??)

    C'mon folks, LnS & the Rest - so many good firewalls out there, it's about time one of them took the lead and distinguished itself from the pack! Show us what you've got!! :D :D
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Even if Thermite and Copycat are pretty similar, Copycat is by far harder to catch.
    Indeed Thermite has to take a risk in _adding_ a malicious content.
    However, a trusted application already launched and running, without any thread or DLL injected, is untampered with from the firewall's point of view.
    And it's hard to tell, if suddenly the trusted application accesses the internet from one of its _own_ threads which it has created itself, whether it is manipulated maliciously or if it is legitimate.

    A solution exists I think, but monitoring with scrutiny all threads of all processes in real time would take so many resources (I think) that we have to find something more accurate, and it isn't so easy :)
     
  23. Morgoth

    Morgoth Guest

    Now see - I'll have nightmares again! :'(
     
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I'm sorry, it wasn't my purpose :doubt:

    Keep the faith in Look'n'Stop, Frederic is well aware of the situation, and I'm sure he will try to find a solution ;)
    About other firewall vendors, I don't know if they are investigating the pb or not, but who knows.

    Smile :D
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    From my view Look ‘n’ Stop has already distinguished itself from the pack from the very beginning.
     