PCAudit. This is scary!

Discussion in 'LnS English Forum' started by cdysthe, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. cdysthe

    cdysthe Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    70
    Location:
    Austin, TX and Oslo, Norway
    Hi,

    I went to this site: http://www.pcinternetpatrol.com/ and downloaded PCAudit. I ran the application and followed the instructions and was really surprised by what this application was able to get through my firewall, router and anti virus protection without any of them even noticing it was running!

    Since I am not an expert on any of this could someone here tell me why all this can be let through? I do understand this much: You need to actually run some kind of software on your machine to have this happen to you. After all, PCAudit is an application. Still, it's remarkable to me that it's allowed to send out all this information without LnS even noticing that it's running!

    Try it! It's scary! :)
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    If you want more tests, go to my website (in my sig).
    You will notice by testing yourself that every firewall has at least one (even more) leaktest that it doesn't pass, and all leak methods could lead to leaking exactly the same data as PCAudit.

    Take a look at the advice page too ;)
     
  3. Kevin_b_er

    Kevin_b_er Registered Member

    Joined:
    Dec 1, 2002
    Posts:
    13
    It just shows LnS needs to get its butt in gear on upgrading the DLL monitoring code so it actually sees pcaudit...
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Of course you can read what you want to read, but if you read all, you will notice what I have just stated earlier :)

    _None_ of the firewalls pass _all_ leaktests, and LnS is the one which passes most of them as of now.
    So yes you can dislike any firewalls, all have pros & cons, but I don't think you can blame Carl Lewis for not running faster ;)
    To run is just one sport category, athletics is more than that as firewalls are more than just outbound application filtering, but don't we all want our security software to be better than it is? :rolleyes:

    I think that with time, all firewalls will improve their outbound application filtering, as well as Look'n'Stop.
    If you can't wait, I would strongly advise you to unplug from the Internet, the safest way to use a computer maybe :cool:
     
  5. slammer_JvA

    slammer_JvA Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    1,588
    Location:
    Below sea-level. Safe and sound behind our dikes:
    :eek: :eek: :eek: Gee, I did the same and have to admit: it IS "scary"! :eek: :eek: :eek:

    After learning here at Wilders and "doing much of the deeds" the last few weeks I didn't expect this! :mad:
    Am I still that naive in this department? o_O :oops:
    Sure hope to get some more info/insight on this topic from you all.
    I'll be monitoring this thread for one, that's 4 sure.
    Take care & grtz
    Slammer
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    For those who are scared :

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/advices.htm
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Folks have been so jumpy about these leaktests, which use exploits to gain Internet resources by bypassing software firewalls' application filtering layers, that they have got the firewall vendors even running around trying to find methods of fixing them, and the very disappointing thing about this is that most if not all personal software firewall vendors are mainly focused here when they really should be focused elsewhere. Where I personally consider most important: improving personal software firewall packet filtering layers…
     
  8. cdysthe

    cdysthe Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    70
    Location:
    Austin, TX and Oslo, Norway
    Some comments:

    You will jump when an application is able to send out what you type and the content of your disk to a server somewhere. That is simply scary. Especially when it's able to do so without a pip from the software that was supposedly designed to prevent it. For someone like me who doesn't know a lot about protocols and ports and such it just proves that I need to learn about protocols and ports and such! :)

    This particular program *is* created by a firewall vendor trying to promote their solution which of course is immune to this particular exploit. That doesn't make the potential harm a program like this could cause less.

    If you are in the bullet proof vest business and someone shows that certain kind of bullets can pass through and kill people, you will have to take that seriously or you won't be in the bullet proof vest business for very long.. :)

    LnS can stop this exploit if configured to do so by disabling Windows Explorer to access the Internet. A good firewall should accommodate everyone from the ones not too concerned about security simply because they do not have much to hide, to the ones who need a high level of security and still can't/won't use a hardware firewall solution (laptop users spring to mind).

    The behaviour of this particular program is more in the "Trojan league" so maybe anti virus software should be able to detect it also? :)

    Just my 2.5643 cents....
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I don’t see where it states on the official site that Look ‘n’ Stop is guaranteed to provide protection against ALL Trojans, or even that it provides protection against methods used by pcAudit v2…

    I’m curious; are you capable of naming some Trojans which use the methods used by pcAudit v2? How many Trojans can you name that use methods that are used by other Leaktests on gkweb's site?

    What will everyone expect next when they see Trojans becoming malicious against their Personal Software Firewalls? Are we going to expect Firewall vendors to prevent that too?

    And so you feel that Application Filtering is much more important than what makes up a Software Firewall, its Packet filtering Layer? How do you feel about our Personal Software Firewalls' packet filtering systems lacking big time?
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, and when you show me how someone can actually manage to get that exploit onto my computer to start with without me having purposely d/l'ed it - then I might get somewhat concerned (but probably not).

    "Leak" tests - and even certain "security scans" - are mainly sales tools - or, in the best light, concept tools. Without real-world attacks utilizing these methods (and a totally stealthy method of installing them on ANY otherwise properly-protected computer), they're a non-issue for me.

    "Problem" solved. Yet another "vulnerability" taken care of by proper configuration. Who'd a thunk it? Pete
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Actually from this person’s observation, configuring Windows Explorer connecting rights to deny was a solution. Thing is pcAudit will try basically anything to gain Internet resources, just set Windows Explorer connecting rights to deny and execute your favourite web-browser and re-run the pcAudit test… ;)
     
  12. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    One thing to remember is that a firewall is only one layer of protection. Others are needed as well.
    For example PCAUDIT can be defeated by the simple use of a program like Naviscope without even a firewall installed....
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey MTM

    This still applies even for pcAudit v2??
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    OK; well I know Naviscope stops pcAudit v3.0.0.3 at least, and that is only because pcAudit v3.0.0.3 used a UserAgent that Naviscope blocks, but the thing that still remains is that a UserAgent isn’t necessary… ;)
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I am in the best light so :)

    I am surprised that you ignore that real trojans use those methods, the most common maybe is DLL injection and maybe Thread injection, I remember the last "The Beast" but I am NOT a trojan expert so I can't really tell.
    Ask Gavin Coe from DiamondCS, I think he will have answers.

    And you got the point, based on some _personal criteria_ it might not be an issue for you, but be for others, I think it's very common in security, I have friends who simply don't even have an AV because they don't download anything bad and don't open email attachments... etc... you know that, "safe hex" etc...

    I think _everything_ about personal firewalls IS personal opinion/taste, whether it is features, network filter, or apps filter, so hard to agree on everything.

    _The fact_ however is that exploits can bypass most firewalls _as is_,
    they are facts, nothing else.
    After that all leaktests can be easily blocked even with the worst firewall in apps filtering just by adding other layers.

    Pls keep this thread clean, I just wanted to give my point of view, not to start a war, peace :rolleyes:
     
  16. cdysthe

    cdysthe Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    70
    Location:
    Austin, TX and Oslo, Norway
    If my "Supposedly designed to prevent it" is interpreted as referring to some sort of LnS guarantee that is not correct. It's just that when you're not a security guru and buy a firewall you may want to at least get some sort of warning if/when information is sent out through the firewall to a server. It would be even better if it was stopped ;)

    Maybe it's the "wall" in firewall that is the problem? Maybe there is no such thing as a software fire-"wall"? Maybe it should be called "firescreen" or "netfilter" instead? Walls keep things in or out unless they are noisily penetrated or torn down... :)

    http://www.viruslibrary.com/virusinfo/I-Worm.BadtransII.htm

    I don't know. It's up to the anti virus camp and the firewall camp to fight for this business. I would assume the makers of this leaktest generate some business from scaring people into buying their product? :)

    Frankly, I don't know what's more important. I pay a software vendor to keep on top of this and create a firewall that is as good as possible for the novice and expert alike. If you tell me that packet filtering is more important for every day security I will of course believe you. However, a demo like "PCAudit" sure makes you want some control of applications running on your system and what they send out. At least I do in all my ignorance.. :rolleyes:
     