new website : www.firewallleaktester.fr.st

Discussion in 'other firewalls' started by gkweb, Jun 7, 2003.

Thread Status:
Not open for further replies.
  1. _anvil

    _anvil Guest

    @RabbitOnTheMoon

    Yes, it works now (again ;) ). Good job!

    But I'm still interested in what you have changed in the recent Copycat versions. Obviously not only 'cosmetic' changes...
    (btw: a positive side-effect of the new version is that it isn't detected by AV scanners yet, unlike the former version, which surely scared people away... :rolleyes: )
     
  2. gkweb

    gkweb Guest

    Thank you RabbitOnTheMoon :)

    So if I understand correctly, you are the author of SSM and CopyCat?

    I have the same question as _anvil: the last version is 1 KB larger, what has changed? ^^


    And now, for everyone: Tiny Personal Firewall 4.5 scores 0/10 on AWFT o_O Is that possible? I think my results are good, but I want to check before showing such results on the website ;)

    regards,

    gkweb.
     
  3. RabbitOnTheMoon

    RabbitOnTheMoon Registered Member

    Joined:
    May 20, 2003
    Posts:
    18
    >gkweb
    Yes, I am ;)

    >_anvil
    You are right. I disagree with Kaspersky and other AVs, which treat Copycat as a virus, "Exploit.W32.Copycat". Actually it is neither a virus nor an exploit. So I have changed some instructions, which are totally harmless ("Move(g^, InjectInfo.URL[1], 64);") and in fact may be present in peaceful programs (!). By now it is not detected by KAV :)
    Regarding the bug in SSM, I can only say that it has nothing to do with this cosmetic modification. It was rather more serious (SSM improperly handled the arguments passed to the "NtOpenThread" function, which in its turn prevented it from determining the process which was about to be accessed).
     
  4. gkweb

    gkweb Guest

    Happy to meet you ^^

    Just for information (in case I am wrong): does Copycat do process injection like Thermite does?

    regards,

    gkweb.
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    Appears to do code injection, but not through a DLL injection: through the application itself…
     
  6. RabbitOnTheMoon

    RabbitOnTheMoon Registered Member

    Joined:
    May 20, 2003
    Posts:
    18
    Quite right.
    Thermite does code injection by creating an additional thread within the target process. In general, you can notice (in Task Manager) that the thread count of this process has changed (increased by 1).
    Copycat does the same without thread creation. It "hypnotizes" ("hijacks") an existing thread, asking it to do something (d/l a specified file), so you just can't know whether the thread was hijacked or not, and thereby no firewall should notice anything wrong, unless it checks and asks you about each and every URL you are surfing.
     
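As an added illustration of the thread-count heuristic RabbitOnTheMoon describes above (this is not code from the thread, from SSM, or from either leaktest), the following Python compares two per-process thread-count snapshots and flags processes that gained a thread; the sample snapshots are constructed, and the Windows reader uses the real kernel32 Toolhelp32 API. As the post notes, a hijacked existing thread leaves the count unchanged, which the second sample shows.

```python
import ctypes
import sys

# Constructed sample snapshots (pid -> thread count), not real captures.
BASELINE = {1234: 5, 2000: 12, 3100: 3}
AFTER_THREAD_INJECTION = {1234: 5, 2000: 13, 3100: 3}  # pid 2000 gained a thread
AFTER_THREAD_HIJACK = {1234: 5, 2000: 12, 3100: 3}     # counts unchanged

def threads_added(baseline, current):
    """{pid: delta} for processes whose thread count grew since baseline.
    New or exited pids are ignored; a hijacked thread never shows up here."""
    return {pid: current[pid] - n for pid, n in baseline.items()
            if pid in current and current[pid] > n}

def snapshot_thread_counts():
    """Windows only: per-process thread counts via the Toolhelp32 API."""
    if sys.platform != "win32":
        raise OSError("Toolhelp32 snapshots are only available on Windows")
    TH32CS_SNAPPROCESS = 0x00000002
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

    class PROCESSENTRY32(ctypes.Structure):  # layout from tlhelp32.h
        _fields_ = [("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
                    ("th32ProcessID", ctypes.c_uint32),
                    ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
                    ("th32ParentProcessID", ctypes.c_uint32),
                    ("pcPriClassBase", ctypes.c_int32), ("dwFlags", ctypes.c_uint32),
                    ("szExeFile", ctypes.c_char * 260)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.Process32First.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    entry = PROCESSENTRY32(dwSize=ctypes.sizeof(PROCESSENTRY32))
    counts = {}
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:  # walk every process in the snapshot
            counts[entry.th32ProcessID] = entry.cntThreads
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return counts
```

On Windows, take two calls to snapshot_thread_counts() a few seconds apart and feed them to threads_added(); the heuristic is noisy on busy hosts, so it is a hint for a firewall or HIPS to correlate with a network event, not a verdict on its own.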
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    It's easy to just prevent applications from using the involved functions without checking whether the application connects, but this is not the way a firewall should work. ;)
     
  8. gkweb

    gkweb Guest

    Hmmm.... I see... Thermite and Copycat seem to be the cleverest leaktests and the most difficult for a firewall to block.

    The difference between Thermite and Copycat is interesting too. At least Look'n'Stop's last version and last driver block Thermite, but Copycat seems not to be blocked by any existing personal firewall, great job ;)

    I'm really waiting for the first firewall that will block both Thermite and Copycat :D

    regards,

    Guillaume.
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    Copycat is extremely unique and the cleverest, that's my opinion…

    Also just a little note: Look 'n' Stop's last 2 or so drivers contained Thermite support. ;)
     
  10. gkweb

    gkweb Guest

    Yeah, I know, I have the last driver :cool:

    ;)

    regards,

    Guillaume.
     
  11. gkweb

    gkweb Guest

    Does anyone have the Black Ice firewall?

    Hi

    I heard that Black Ice was not really a firewall, because it doesn't detect trojans by network activity but by "fingerprint", like antivirus software does, so it should be able to defeat leaktests not by fighting them at the network layer, but by identifying them directly...
    I couldn't find anyone with it to check this point and add results to the site!

    Anyone with information about it? o_O

    thanks.

    gkweb.
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    A software firewall can be just an application with packet filtering…

    Application filtering layers in software firewalls which use an MD5 checksum or something other than that are very well considered a true software firewall… I believe what you are possibly referring to is IDS, an additional layer to software firewalls. Sygate Personal Firewall uses IDS as an additional layer to the current ones (… application filtering layer). ;)
     
  13. gkweb

    gkweb Guest

    I'm referring to the story about Black Ice adding detection of the "Steve Gibson LeakTest executable" instead of really improving their firewall...

    Besides that, it seems to be hard to find someone using it :'(

    regards,

    gkweb.

    P.S.: you are not sleeping?? What time is it where you live?
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    Now some people probably wouldn't agree here, but I don't prefer IDS because it's a little too sensitive, in other words buggy… It's a useful feature to identify some "malicious" activity, but like an anti-trojan system, it can become outdated very quickly if not maintained…
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    I rarely sleep bro… :D
     
  16. gkweb

    gkweb Guest

    I see :D

    Did you too, by mistake, create a rule that blocks sleeping? I think Look'n'Stop is too powerful... :D
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
  18. gkweb

    gkweb Guest

    What I said is true: Black Ice is not a regular firewall with rule filtering and application filtering.

    In fact, at setup BI scans the whole computer to find all executables and list them; by default they are all authorized, and all new applications are foreign, so blocked...
    Its policy is to list executables on the system, not really to react to something on the network layer...
    So, if you have a folder with your leaktests, they are authorized...

    Regarding this, and regarding the fact that the product isn't available as a trial or free version, this product being for enterprise only, I will remove it from the website, which is about _personal_ firewalls, not professional ones.

    Hmm... 04h48 (morning), maybe I should sleep a little, no? ;)

    regards,

    gkweb.
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,201
    Location:
    New England
    Um, no! Who needs sleep anyways! ;)

    I'd like to see how your testing intersects with sandbox technology. (Very similar to how BlackICE handles authentication of executables, so, too, do most sandboxes - at installation time, whatever is on the system is assumed to be secure - it warns you of new items though, from that point forward.)

    Now, your post regarding Tiny Personal Firewall (here) is a little hard to believe. Tiny is an incredibly powerful application, though it is very complex, with a huge learning curve as far as configuration goes. 0/10 makes no sense to me. There must be more to it than that.

    The most powerful tool on my system, by far and away, is Tiny Trojan Trap (which I use instead of TPF, because I use ZA+ as my firewall), the key component in the Tiny Personal Firewall.
     
  20. gkweb

    gkweb Guest

    After sleeping, I feel better now :)

    About Tiny Personal Firewall, it surprised me too, but for now it is the most leaked firewall that I tested (it failed the famous Gibson LeakTest).
    Maybe I'm wrong, but the only leaktest that I was able to pass is Yalta.
    Of course, I would really appreciate other results, so for those who want to test and give me their results:

    http://www.tinysoftware.com/home/tiny2?s=2564890715093043147A1&la=EN&va=&pg=solo_download

    I tried to set it up as well as possible; maybe I failed at this, which could explain these bad results.

    regards,

    gkweb.
     
  21. gkweb

    gkweb Guest

    A new results page is available with more detailed results, hope you will like it.

    regards,

    gkweb.
     
  22. _avil

    _avil Guest

    Looks nice. :)

    But I just noticed that, according to your results page, Kerio 2.1.5 fails 'classical Yalta' (Win2000/XP) even with the highest settings... :eek:
    This is surely a little mistake, Kerio has no probs with Yalta. ;)
     
  23. gkweb

    gkweb Guest

    I remember that it was on dest IP "MyProviderDNS" and port "53" where Kerio didn't warn me. I will do the test again to check.

    Besides that, I'm happy you like it ;)

    regards,

    gkweb.
     
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    For "Default Settings" I noticed Look'n'Stop 2.04 is listed as "2/10" for AWFT results. I debate that specific reading; secondly, I'm assuming you are referring to the installation's default application filtering layer driver and not the most recent release. I don't see how driver updating corresponds with settings levels. What I'm saying is there are no settings involved here: just by updating the driver, with no additional modifications to Look 'n' Stop's default settings, it passes with flying colors.

    Also, on the main page I find myself not seeing the menu entirely, much less any indication that a lengthy menu exists beyond my screen size, using Internet Explorer v6 to view your web-site…
     
  25. gkweb

    gkweb Guest

    I already thought about this, but default settings correspond to the average user, and I don't think that the average user will try to do much more than just download the official 2.04; this is why I write 2.04 in default settings, and 2.04p2 in highest settings.
    However, you are right that 2.04p2 without any modification to settings (default settings) will successfully pass AWFT and Thermite, so I need more points of view here, because of course I would prefer to write the results of the 2.04p2 version, but I want to be fair and right in my results, so I need more points of view ;)

    If most people think that "default settings" is still default settings even after going to the forum, downloading the last version and downloading the last driver, then I will correct this.

    I understand what you are saying, and I took a lot of time before choosing; not easy, I think.

    Anyone else have an idea?

    About the main page, it was written for 1024x768 resolution; I know that not everyone has this resolution... maybe I should rewrite it for 800x600.

    regards,

    gkweb.
     