pcAudit Leak Test Failure

Discussion in 'LnS English Forum' started by damoisture, Jan 24, 2006.

Thread Status:
Not open for further replies.
  1. damoisture

    damoisture Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    11
    http://anonym.to/?http://www.pcinternetpatrol.com/page/view/49
    http://anonym.to/?http://www.pcinternetpatrol.com/downloads/pcaudit.exe

    This program acts as a trojan, installs a hook to catch the keystrokes, and then transmits computer and captured key info to the web. While I know it is not LNS's job as a firewall to catch the first two, it should be able to prevent this information from being transmitted to the web, which it was not. I'm using 2.05p3 with Phant0m's v6 ruleset, but I also tested the Enhanced and Standard rulesets with no luck.
     
  2. RedShark

    RedShark Guest


    It is something that is not configured correctly on your firewall, because I have XP2 Pack and it can't connect to their site or anything; you should get the message "very good protection! could not bypass your system".

    Not sure, but it can access one or more of your start-up apps to connect. Not sure which one, but.


    Go to App Filtering > go to Windows Explorer and the rule should be:
    first a red FLAG for NOT ALLOWED, second green open for ALLOWED. I also failed this test until I put that red flag in the first part of Windows Explorer.


    Please tell me if that worked. It took some time to find the opening that it was using to inject the dll hook into Windows Explorer. But it can't bypass my O/S anymore, good luck.
     
  3. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    I have also failed this test.
    I'm using Look 'n' Stop and I've configured it with Enhanced rules plus
    internet filtering rules (SP2 internet sharing, FTP client, DC++ ...).
    What else can I do?
     
  4. Uroboros

    Uroboros Registered Member

    Joined:
    Nov 9, 2003
    Posts:
    70
    Same here. Test failed. What the heck??

    Is there some advanced setting not turned on that (in my case anyway) would crash my Athlon64 system if it was? (That is my reason for not turning the option on.)
     
  5. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    Well, that Phant0m6 rule set stops leaking, but it also stops too many other applications.
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    The Application Filtering Layer is actually supposed to deal with the probable leak threats that are demonstrated by leaktests.

    And as for the rule-set, when you say ‘stops too many other applications’ I believe you are in the scope of p2p sharing software. I don’t believe in basing a foundation of rules for the public that allows doorways in through the firewall by default for a variety of popular p2p sharing software. I believe this to be the work of the users to do: create/import rules for their own habits.
     
  7. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I get a bit confused here when I see you guys talking about Phant0m's rule set being supposed to block pcAudit.
    I understand that pcAudit works by thread injection.

    So isn't it the "watch thread injection" in LnS that is supposed to stop this leaktest?
    When I look in Port Explorer I see how pcAudit opens a port in an active program that is already allowed to connect in LnS (Firefox for example), but if pcAudit tries to start a program that is not allowed to or doesn't have a rule, then LnS "watch thread injection" kicks in.
    Does this mean that if I allow a program to connect to the net (for example a browser, email client and so on) in LnS, then it is open for thread injection, even if "watch thread injection" is enabled?
    Does Phant0m's rule set prevent Firefox, which is allowed (in LnS) to connect to the net, from being injected?
     
    Last edited: Jan 28, 2006
  8. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    Now I've passed the test (with Enhanced rules set + SP2 sharing) by blocking explorer in the Application filtering :)

    Yes, it was DC++.

    I'm not good with this (so far), so I'll use EnhancedRulesSet.
     
    Last edited: Jan 28, 2006
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    The only way ‘a’ rule-set would deal with this scenario is if you specify what to block (destination addresses and/or ports), and this would only be the aftermath.

    Hi JohnnyBravo

    Regarding importing/creating rules:
    Regardless of whether you are an expert or not, if you are going to fail with Phant0m's Rule-set, you’ll do just as badly with EnhancedRulesSet.

    The goal in importing/creating rules: if they are server-rules, rules to permit initiating connections from remote machines (like ‘Internet >> PC’, connections to server software such as a local web server), you place the rules ‘just’ above the ‘Block incoming connections’ rule, the rule that blocks incoming TCP packets with the SYN flag set.

    For client-rules, rules permitting you to make connections to servers (like ‘PC >> Internet’), you place the rules ‘just’ below the ‘Block incoming connections’ rule, the rule that blocks incoming TCP packets with the SYN flag set.

    Isn’t that difficult to understand, right? :)
     
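A small first-match simulation of the rule placement described in the post above, as an added example that is not Look 'n' Stop code or part of the original thread. The rule names, predicates and packets are constructed here to show why an inbound SYN to a local server only survives when the server rule sits above the 'Block incoming connections' rule, while an outbound client connection is unaffected by that rule either way.

```python
"""First-match rule evaluation in the style of Look 'n' Stop's Internet
filtering list (added example, not Look 'n' Stop code). The constructed rules
show why a server rule must sit above 'Block incoming connections' while a
client rule can sit below it."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet >> PC) or "out" (PC >> Internet)
    proto: str       # "tcp" or "udp"
    dst_port: int
    syn: bool = False  # TCP SYN flag set, i.e. a connection attempt

# A rule is (name, action, predicate); the first rule whose predicate
# matches decides the packet, exactly like a top-down rule list.
Rule = Tuple[str, str, Callable[[Packet], bool]]

BLOCK_INCOMING: Rule = (
    "Block incoming connections", "block",
    lambda p: p.direction == "in" and p.proto == "tcp" and p.syn)
WEB_SERVER: Rule = (  # server rule: Internet >> PC, hypothetical local web server
    "Local web server", "allow",
    lambda p: p.direction == "in" and p.proto == "tcp" and p.dst_port == 80)
HTTPS_CLIENT: Rule = (  # client rule: PC >> Internet
    "Browser HTTPS", "allow",
    lambda p: p.direction == "out" and p.proto == "tcp" and p.dst_port == 443)
DEFAULT_DENY: Rule = ("Block everything else", "block", lambda p: True)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule that matches pkt."""
    for name, action, matches in rules:
        if matches(pkt):
            return name, action
    raise ValueError("rule list must end with a catch-all rule")

# Server rule just above the SYN block, client rule just below it.
CORRECT_ORDER = [WEB_SERVER, BLOCK_INCOMING, HTTPS_CLIENT, DEFAULT_DENY]
# Server rule below the SYN block: the inbound SYN never reaches it.
WRONG_ORDER = [BLOCK_INCOMING, WEB_SERVER, HTTPS_CLIENT, DEFAULT_DENY]

INBOUND_SYN_80 = Packet("in", "tcp", 80, syn=True)      # remote client hits our server
OUTBOUND_SYN_443 = Packet("out", "tcp", 443, syn=True)  # our browser opens a connection

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for pkt in (INBOUND_SYN_80, OUTBOUND_SYN_443):
            print(label, pkt.direction, pkt.dst_port, "->", evaluate(rules, pkt))
```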
  10. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    I was successfully passing this test with the previous configuration, but unfortunately I had to reinstall my Windows XP. Now I always fail. I used this tutorial
    https://www.wilderssecurity.com/showthread.php?t=83498
    to set up LnS, and I've noticed that when starting Firefox (for example, probably the same with the other programs) I only get this warning
    [screenshot]

    and not this one
    [screenshot]

    I have already reinstalled LnS once, but the problem stays.
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    As for different features, special tweaks, apply lns-ActivateBetaFeatures.reg which can be located in the Look 'n' Stop installed location...
     
  13. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    Last edited: Feb 5, 2006
  14. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    What to do?
    I pass the test if my browsers (Firefox & Opera) are closed, but if I run the test while surfing the net I fail.

    I'm using advanced settings and all the options are turned on :(
     
  15. Kush

    Kush Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    138
    Location:
    Montreal,Canada

    Hello JohnnyBravo,


    Sorry you are having trouble passing this test. I have LnS and Process Guard and I pass it all the time, and not due to PG.

    I have to shut down PG, or it would not be allowed to run at all! So I shut off PG, run pcaudit and I get "your system has very good protection, please reboot your system to exit pcaudit".

    So, not sure what you are doing wrong? Did you add your own rules? Can you put up a snapshot of your Rule-Set so we can see if there is something wrong in your rule-set.


    I was using Phant0m's Rule-Set for the past 4-5 years and now moved on to Phant0m's v7, due to being lazy, and sometimes my IP is changed every 48 hours and sometimes not for years.

    If you are having trouble with dll injection and are not sure how to stop it? PG won't let it run ever! And it is very good at stopping dll injection for overall protection of your O/S and many other things! But you should pass it without PG running, if your Rule-Set is correctly done.



    I just ran the test again with my browser opened and it still could not bypass my security, and PG was off during this test.

    My APP filtering is very tight! I have port and IP ranges for all my applications and my DNS servers so things can't bypass LnS. Only the IPs and ports that I allow! It takes a bit of time to set up but works for me!

    Good luck JohnnyBravo.

    Hope you find your leak. It's either in App filtering or in your Internet filtering settings.
     
  16. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    Hello Kush

    Thanks for your time :)
    I'm using EnhancedRulesSet + SP2sharing.rie + DC++.rie
    I've tried Phant0m's rules 6, and it's a bit too complicated for me to configure :(
    But I have good news, I did a re-setup of LnS and now it's working well :D

    BTW I've tried Process Guard for a few days and it's OK, but I had some problems, I guess due to my inexperience with this app, but most of all because of my computer resources I had to remove it. Now I have 26 always running processes and then I had 31 (with RegDefender too), and LnS took 11 MB of RAM, and now only 3.


    I've never had that message o_O

    I would also like to do this, but don't know how.
     
  17. Kush

    Kush Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    138
    Location:
    Montreal,Canada
    Hello JohnnyBravo,


    If you are in Advanced Mode, a new button "Edit" is displayed in the Application Filtering page. This allows you to select ports and IP for the current selected application. By clicking this button (or double-clicking the application) the following dialog box will open:

    See the built-in help file; it's all in there. I just cut and pasted all this from the help file. When you are in App filtering hit the help button and scroll down near the bottom of the help file and it will tell you how it is done.

    If you wanted to block all ports on an app you would type in !1-65535 (as is) and all ports would be blocked for that APP.

    If you want certain IPs and ports just follow the help file, it's all in there.

    Just be careful when adding a range that there are no spaces, ex: 192.1x8.0.1-192.168.0.100;2x.2x0.241.3x;2x.2x1.2x5.77;24.xxx.243.122


    The above is an example of one app I set up protection on, and then I added the ports 25;80;125. There are no spaces, it is as shown.

    And if you wanted to block this for any reason you just add an ! in front of the IP range, so it would be !292.1x8.0.1-292.1x8.0.100 and it has now blocked all ports to that App.


    There are 4 selections:

    ports to allow/block for TCP protocol,
    ports to allow/block for UDP protocol,
    IP Address to allow/block for the TCP protocol,
    IP Address to allow/block for the UDP protocol.
    Use ; as a separator, - to specify a range, and ! for blocking.
    For instance, to block the range 192.168.0.1 to 192.168.0.100 and also 192.168.100.100 you have to enter: !192.168.0.1-192.168.0.100;!192.168.100.100

    An application with a port or IP address selection appears in the list with a (yellow) icon.

    To do this correctly you will have to find out what IPs your programs use. Use Whois and it will show you the range that your programs use as their server, and by looking at the log file it is very easy to find what program is using certain ports to connect, and you add them as above.


    As for the test, there is an older pcaudit and a new one; the new one will just say it could not connect to their server, if you have it set up correctly.

    I was a user of P2P software but found there are just too many stealth worms out there, and everybody whose computer I fix has them on their computer, and they are very hard to remove and you might find yourself reinstalling your O/S if you get too many of these stealth worms; your anti-virus won't even notice them! I have used the top five anti-virus programs and not one could stop the stealth worm, which becomes part of your O/S in a short time. If you share files you are sharing to the world wide web, a big security leak and a big risk if you don't know how to stop a hacker, so that is up to you to decide.



    Good luck, it takes a bit of time to set up, and if you do something wrong, just look at your LnS log file and it will show you if you left out a range or certain IPs and what port was blocked.


    There is also a limit on just how many ports and IPs are allowed to be added, and that is where you can run into problems, like Internet Explorer
    can be very hard to add everything for because you just don't have the room, unless you visit a few sites only. Otherwise you will find that IE is being blocked due to the lack of space to add them all, but it works on most other apps with no problems, so I did tighten up everything to pass this test with LnS, and just one mistake and it will find a program to leech its way onto the internet. I don't worry about leak tests much anymore since running PG; everything will be an invalid sys32 file or handle invalid. But it is great, you tell it what is allowed to run on your HD and then put it into lock mode and nothing will run unless you gave it access. LnS and PG make a good team for your overall security and you won't have to worry about setting up these rules for APP filtering, but I did it anyway to make it even more tight to prevent leaks and for overall protection of my O/S. :)
     
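A parser and matcher for the port/IP selection syntax described in the post above (';' separator, '-' range, '!' block), as an added example that is not Look 'n' Stop code or part of the original thread. It rejects the spaces the post warns about and lets you check a single port or address against a selection string; how a value that matches no entry is treated when allow and block entries are mixed is an assumption made here, not something the help text states.

```python
"""Parser and matcher for the port/IP selection syntax of Look 'n' Stop's
application filtering (';' separator, '-' range, '!' block), as an added
example, not Look 'n' Stop code. How a value that matches no entry is treated
when allow and block entries are mixed is an assumption made here."""
import ipaddress
import re
from typing import List, Tuple, Union

Entry = Tuple[bool, int, int]  # (blocked?, low, high) as plain integers

def _to_int(token: str, kind: str) -> int:
    """Turn a port or dotted IPv4 address into an integer for range checks."""
    if kind == "port":
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {token}")
        return port
    return int(ipaddress.IPv4Address(token))

def parse_selection(spec: str, kind: str) -> List[Entry]:
    """Parse e.g. '25;80;125' or '!192.168.0.1-192.168.0.100;!192.168.100.100'."""
    if re.search(r"\s", spec):
        # The help text warns that the field must contain no spaces; fail loudly.
        raise ValueError("selection must not contain spaces")
    entries: List[Entry] = []
    for item in filter(None, spec.split(";")):
        blocked = item.startswith("!")
        lo, _, hi = (item[1:] if blocked else item).partition("-")
        low = _to_int(lo, kind)
        high = _to_int(hi, kind) if hi else low
        if high < low:
            raise ValueError(f"inverted range: {item}")
        entries.append((blocked, low, high))
    return entries

def is_allowed(spec: str, value: Union[int, str], kind: str) -> bool:
    """Decide one port ('port') or address ('ip'). A matching '!' entry always
    wins; otherwise the value is allowed if it matches an allow entry, or if
    the list has no allow entries at all (assumed: a pure block list such as
    '!1-65535' only forbids what it names, which there is every port)."""
    entries = parse_selection(spec, kind)
    v = _to_int(str(value), kind)
    hits = [blocked for blocked, low, high in entries if low <= v <= high]
    if any(hits):
        return False
    if hits:
        return True
    return not any(not blocked for blocked, _, _ in entries)
```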
  18. imsai

    imsai Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    13
    How do you protect a trusted process from injection of some malicious code into its address space?
    I mean on the older Windows OSes - 95/98/Me.

    No chance at all?
     