Official 2.05 Release

Discussion in 'LnS English Forum' started by Frederic, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi all,

    The official 2.05 releases are available here:
    En: http://www.looknstop.com/En/LooknStop_Setup_205.exe
    Fr: http://www.looknstop.com/Fr/Installation_LooknStop_205.exe

    No real change compared to the 2.05b3, it is just to officialize it (expiration removal, help file updates, file versions...).

    No need to uninstall the 2.05b3 first. A reboot will be required after the update.

    The official 2.05 content is the following:

    Features Added:
    • DLL Filtering (Windows 2000-XP only)
    • Port & IP selection for the Application Filtering
    • Plug-in interface for localization, rule creation and log analysis by third party applications.
    • Detection of trojans that are using DLL injection or DNS request through svchost/services.
    • Detection of non-standard protocols and drivers under Win2000/XP.
    • Internet Filtering: addition of a context menu to Duplicate/Cut/Copy/Paste a rule

    Changes:
    • Signature verification improvements (Windows 2000-XP only).
    • New attribute in Application Filtering to have only blocking access in the log or all access.
    • TCP Stateful Packet Inspection: the maximum number of monitored TCP connections has been set to 128 (instead of 64).
    • All miscellaneous options in one list in the Advanced Options dialog box.
    • If the Automatic Selection is enabled for the Network Adapter, no selection occurs until the PC is considered connected (instead of filtering the 1st adapter of the list by default).
    • In the "U/D #" column addition of a '-' or '+' information to know if the packet has been blocked or allowed.
    • In the Application Filtering, it is now possible to sort the lines by clicking on the column headers.
    • Addition of the 'TCP or UDP' selection to the list of protocols in the rule edition dialog box
    • Automatic log entries removal when reaching a limit (configurable by the user)
    • Application filtering: automatic removal of applications which no longer exist
    • Addition of GB (Giga-Bytes) unit for statistic display in the Welcome page (however there is still the 4 GB limitation)

    Fixes:
    • Compatibility with Hyper-Threading.
    • In the rule edition dialog box reset of some hidden fields when the protocol has been changed (in particular TCP Flags when changing from TCP to UDP).
    • In some particular cases (reserved field not set to 0) the TCP Stateful Packet Inspection could reject some valid incoming connection requests.
    • Problem in the Data display zone in the Message Content dialog box (sometimes the number of displayed bytes was wrong).
    • In case of a quick disconnection and reconnection, a new IP address was not updated in the ruleset (for rules using "equal my @").
    • It was possible to create a rule with a right click on log items even when the configuration was locked with a password.
    • Under some 2003 Server configurations, the network interface wasn't correctly detected.
    • The field "IP to exclude for auto-detection" was sometimes badly interpreted.
    • The rule names in the log are now correct even if some rules have been added but not applied yet.
    • Crash when the maximum number of Internet Filtering rules was reached.

    Regards,

    The Look 'n' Stop Team
     
    Last edited: Oct 7, 2004
  2. curiousone

    curiousone Guest

    hi,

    will there be a new 1.05 lite version coming out as well?
     
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    No, sorry, there is no plan to update this version at this time.
    Most of the 2.05 content is extensions of features which are not present in the Lite version (like Application Filtering, Advanced Options, ...). So this new 2.05 content doesn't apply to the Lite version.

    Frederic
     
  4. yair

    yair Guest

    I am disappointed with this version.
    In PCFlank they wrote:
    "We contacted the developers (Soft4Ever) and they confirmed those results, but reported their beta version (2.04p2) should pass both Thermit and Atelier Web Firewall Tester. That’s good news for users of L’n’S firewall!"

    I did some testing with this version and it failed
    Thermite
    Copycat
    and only passed 2 of the 10 AWFT tests,

    just like in the original test for 2.0.4.
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Copycat is currently passed by no firewalls, so you can forget it.

    About Thermite and AWFT, Look'n'Stop 2.05 detects them without any problem,
    if it is configured correctly in the option (advanced mode, control thread injection, etc...).

    regards,

    gkweb.
     
  6. yair

    yair Guest

    Thank you, you are correct of course.

    Thermite claimed success, but I think LnS detected it, so I guess the success msg is automated.

    I thought CopyCat is pretty much the same as Thermite; what makes CopyCat invincible?
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Copycat uses an _existing_ thread in the target process and adds its code to it,
    whereas Thermite _adds_ a thread into the process.

    Copycat is much harder to detect :doubt:

    regards,

    gkweb.

    EDIT : below Look'n'Stop detecting Thermite.
     

  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    and thermite failing :
     

  9. yair

    yair Guest

    This is not the case on my computer :/
    Thermite announced success before I even clicked the block button in Look 'n' Stop's msg.
    Even when LnS is already configured to block it, Thermite still announces success.
     
  10. yair

    yair Guest

    When Thermite is not already configured to be blocked, I can see that small "can't connect" msg box, but only for half a second, and after that the only thing left on the screen is the success message.
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Yes, Thermite first displays its success, then the error popup appears :)

    If Thermite succeeds, it simply downloads an HTML webpage into its folder; if nothing happens, then Thermite was blocked ;)

    regards,

    gkweb.
     
  12. bvv

    bvv Guest

    Thermite seems to be aimed specifically at IE. At least, it wasn't able to perform its tricks with MYie (it reported IE should be started first).

    Quote: "Copycat uses an _existing_ thread in the target process and add this code in it,
    whereas Thermite _add_ a thread into the process.
    Copycat is much more harder to detect"

    It may be difficult, but it is not impossible. Look at the message from System Safety Monitor while trying to run Copycat:

    "The call to API function "NtOpenThread" was successfully intercepted. This function allows to gain total control over a thread in another process, and may be used in "DLL Injection"."
     
  13. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Without wanting to dive into the arcana of leaktests, SSM is not a firewall, and a firewall intercepting any "NtOpenThread" API call without knowing whether an internet access will follow afterwards or not (at this step you can't tell) will be full of false positives, will warn of any such API call, and will be more annoying than efficient.

    API hooking is a _proactive_ defense (you don't know what will follow but you block it anyway), while in the meantime leaktest detection must begin from the end, the network access, and is thus _reactive_.

    If I write a program which just does an API call like the one above just to display a popup, am I still a malware trying to hijack a software to access the network? :)

    regards,

    gkweb.
     
  14. yair

    yair Guest

    Process Guard writes "copycat tried to gain write/terminate/set info/suspend access on..." and it makes Copycat write "process memory is not accessible".

    Outbound protection is the most important for me because of my router's firewall.

    I disabled the internet filtering in LnS because of that; can LnS add to my router's firewall when it comes to inbound protection?
     
  15. bvv

    bvv Guest


    You are probably right, apart from the "full of false positives" part. I have been using SSM for quite some time and the warning message I mentioned may have popped up before, but I can't remember if it did. It doesn't occur often.
    So, until there is a better way of dealing with this "problem", it's probably better to be safe than sorry. Just deny permission with SSM. If a trusted program doesn't work after that you can simply adapt the appropriate rule.
     
  16. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I disagree; it is not because you didn't notice it a lot that it doesn't happen more :)

    You may not have seen such API calls occur often, but I see them every day using various security software. I have already used "sandbox-like" firewalls, and they do produce many false positives.

    Here we go :)

    Take a look at my website, advice part, and you will see that it's exactly my point.

    I perfectly agree sandboxes and API hooking are efficient and needed, but a firewall relying only on that is nonsense. I expect my firewall to warn me about network accesses, not about possible malicious system activities which might probably lead to a network access attempt if afterwards another API is called and if... you get my point. If there is a network access then I expect my firewall to warn me; if there is a suspicious API call then I expect my sandbox to warn me, not my firewall.

    @yair
    For inbound, maybe nothing valuable if your router is well configured, but for outbound you can at least enable it and allow all normal protocols like IP/TCP/UDP/ICMP and block others. Enable network driver protection too, to block malware other than winsock-based ones, like those using WinPcap.
    This is one of the new features of Look'n'Stop 2.05.


    regards,

    gkweb.
     
    Last edited: May 15, 2004
  17. yair

    yair Guest

    Well configured? It's simply open a port for incoming connections, or leave it closed.


    I will work on what you suggested tomorrow (it's 00:50 in my time right now).
     
  18. bvv

    bvv Guest


    Okidoki, point taken.
    If I understand you correctly it is (almost) impossible to detect and warn about these events accurately (when a "bad guy" tries to access the internet this way).
    If that's right, the question is how big this problem is. Does it leave a big hole in any firewall that Trojans can use at will and actually do something with it, or is it just a theoretical problem?
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Indeed :doubt:
    I think it's possible anyway, but it takes a lot of work just to accurately detect one leaktest.
    Maybe, I don't know, Copycat is only detectable by sandboxes.

    When suddenly a connection occurs, you have to be able to track back the real source; it is possible, but very hard in the case of Copycat for instance.

    Look'n'Stop 2.05 successfully detects Thermite; it isn't that easy :)

    In the meantime, software like SSM or Process Guard works very well with your firewall.

    @yair
    I just know that there are routers which by default forward ports, or have a default weak administration password, or again have the Telnet port open, etc...

    But glad you perfectly know how to configure your router, I couldn't know ;)

    regards,

    gkweb.
     
  20. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
     
  21. AgentX

    AgentX Registered Member

    Joined:
    Dec 25, 2003
    Posts:
    44
    Location:
    The Intarweb
    Why hasn't the website been updated to the latest version 2.05? Someone unaware
    of this forum won't have the slightest idea that a new version has been released.
    Please update the website and provide direct links to plugins, rules (rie files) and also
    the beta version straight from the website.

    Regards,
    AgentX
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
  23. Lilith

    Lilith Registered Member

    Joined:
    May 5, 2004
    Posts:
    5

    Sorry, but I don't see any update...
    The downloadable version is the 2.04.
     
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Maybe you need to empty your web browser cache; it shows 2.05 here, and the download link offers the 2.05.

    I have attached what I see in my browser.

    regards,

    gkweb.
     

  25. AgentX

    AgentX Registered Member

    Joined:
    Dec 25, 2003
    Posts:
    44
    Location:
    The Intarweb
    Hi gkweb,
    Yes, the website is up-to-date now, but it wasn't when I typed my last message.
    It's nice to see the latest information posted on the website, which took no less than
    two weeks. But, I still don't see direct links to all the plugins and rule files nicely
    arranged with description.

    Regards,
    AgentX
     