Remote Code, Communication, Blocker?

Discussion in 'other anti-malware software' started by arran, Mar 10, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    is there such a thing? because I have tried ZAbypass test on my pc
    http://www.firewallleaktester.com/leaktest26.htm

    And what it does is communicate with your already running browser and use that to bypass firewall and make outgoing connections.

    I am running

    look n stop
    EQS
    Sandboxie

    And neither of these seem to be able to block ZAbypass from using the browser.
     
  2. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    online armor protects against remote code control
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    So have u tested this with online armor?
     
  4. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    i've not tested it, but I do know it's a feature of online armor.
     
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    arran, perhaps I'm doing this leaktest wrong but just downloading it and trying to open it, AVG 8.5 throws a fit (one example):

    Capture3-11-2009-3.54.45 PM.gif

    Then, when I add it to the exceptions and run the .exe, my ZA Free 5.5.094.000 throws an alert:

    Capture3-11-2009-3.56.46 PM.gif

    So of course, I would either click AVG's Move to Vault and/or ZA's Deny buttons, and this leaktest does not go anywhere.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    is this the free version of zone alarm?thanks
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    jmonge, yes it is and you'll find it at FileHippo. The Zone Alarm Release History page still does have old version downloads but their Free Forum reports that some of them create installation problems. FileHippo is your best bet.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool thanks:thumb:
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    even tho zone alarm here has blocked the outgoing connection, it isn't really a Communication Blocker.

    what ZAbypass does is send mesage to csrss.exe which sends message to your browser to bypass your firewall and make the outgoing connection.
    Comodo is really the only one I know of with its feature in its HIPS called
    "Send Message"

    EQS Fail
    Process Guard FAil
    Mamutu Fail.

    If anyone knows of any HIPS program like comodo has here in the screenie please post.
     

    Attached Files:

    • hmm.JPG
      hmm.JPG
      File size:
      69.3 KB
      Views:
      1
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    arran, I don't know what to tell you but I have followed the instructions below detailed in the zabypass.pdf, which is part of the file download, and my ZA Free blocks it every time as soon as Internet Explorer opens.

    • Step 1: Run “zabypass.exe”
    • Step 2: The sample information in the text box is meant to be sent to the to the attacker’s site. If you want to change the information in the text box then feel free to do that (Note: Only the text which appears in the text box will be sent to the server and no information is logged).
    • Step 3: Click on “GO” button to send the information to the server.
    • Step 4: On successful execution, Internet Explorer (or the default browser) will be open up and will try to access the attacker’s (here it is my site…..For GOD sake don’t think I am attacking you, it is just a demo ;o) without getting blocked by Zone Alarm (refer Screenshot 3 for details). The firewall will not prevent it as Internet Explorer is a trusted program and will be allowed to access the any site.
    The only thing I can think of is since I don't allow IE access to Internet Server (Red X), and have an Ask (blue question mark) in Trusted Server, that's why the exploit does not work and I get a program alert. I see that the author states:
    but only a fool would allow unfettered Server access to any program.
     
  11. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi,

    @ Arran, tweak your Services Windows; and download SeconfigXP here: http://seconfig.sytes.net/?sv=1.1 Notch all ( all ), click 'For home', click Apply ! ... like me. That's all.

    Yours PROROOTECT:thumb:
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    you have made a complete Moronic idiotic post, you know that don't you.
    SeconfigXP has nothing to do with the topic at here, and I already have SeconfigXP installed and it does not block zabypass.exe,
     
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Thank You for assessment of my post; man is fallible.

    I just wanted to help.

    PROROOTECT
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    you got a nice complement:)
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Update:
    EQSecure 4.1 prevented the "send message to other process" or "process message" of the ZABypass test.

    So that makes, comodo, malware defender and eqsecure 4.1 having "process message" blocking capability or as the OP puts it, "Remote Code, Communication, Blocker" capability.
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  17. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Thanks for letting me know trismegistos. This was one reason why I dumped EQS for MD. I might give EQSecure 4.1 a try out. I doubt its file and folder rules would be as good as MD's tho.

    Preventing programs from communicating to other programs plays a very important role in controlling the behavior of programs. It is an important feature that all HIPS should have.

    shame how firewallleaktester is down. still have the zabypass test tho
     
  19. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
Loading...
Thread Status:
Not open for further replies.