Remote Code, Communication, Blocker?

Discussion in 'other anti-malware software' started by arran, Mar 10, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    is there such a thing? because I have tried ZAbypass test on my pc
    http://www.firewallleaktester.com/leaktest26.htm

    And what it does is communicate with your already running browser and use that to bypass firewall and make outgoing connections.

    I am running

    look n stop
    EQS
    Sandboxie

    And neither of these seem to be able to block ZAbypass from using the browser.
     
    arran, Mar 10, 2009
    #1
  2. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    online armor protects against remote code control
     
    chrome_sturmen, Mar 10, 2009
    #2
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    So have u tested this with online armor?
     
    arran, Mar 10, 2009
    #3
  4. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    i've not tested it, but I do know it's a feature of online armor.
     
    chrome_sturmen, Mar 11, 2009
    #4
  5. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,440
    Location:
    U.S.A.
    arran, perhaps I'm doing this leaktest wrong but just downloading it and trying to open it, AVG 8.5 throws a fit (one example):

    Capture3-11-2009-3.54.45 PM.gif

    Then, when I add it to the exceptions and run the .exe, my ZA Free 5.5.094.000 throws an alert:

    Capture3-11-2009-3.56.46 PM.gif

    So of course, I would either click AVG's Move to Vault and/or ZA's Deny buttons, and this leaktest does not go anywhere.
     
    JRViejo, Mar 11, 2009
    #5
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    is this the free version of zone alarm?thanks
     
    jmonge, Mar 12, 2009
    #6
  7. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,440
    Location:
    U.S.A.
    jmonge, yes it is and you'll find it at FileHippo. The Zone Alarm Release History page still does have old version downloads but their Free Forum reports that some of them create installation problems. FileHippo is your best bet.
     
    JRViejo, Mar 12, 2009
    #7
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    cool thanks:thumb:
     
    jmonge, Mar 12, 2009
    #8
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    even tho zone alarm here has blocked the outgoing connection, it isn't really a Communication Blocker.

    what ZAbypass does is send mesage to csrss.exe which sends message to your browser to bypass your firewall and make the outgoing connection.
    Comodo is really the only one I know of with its feature in its HIPS called
    "Send Message"

    EQS Fail
    Process Guard FAil
    Mamutu Fail.

    If anyone knows of any HIPS program like comodo has here in the screenie please post.
     

    Attached Files:

    • hmm.JPG
      hmm.JPG
      File size:
      69.3 KB
      Views:
      1
    arran, Mar 13, 2009
    #9
  10. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,440
    Location:
    U.S.A.
    arran, I don't know what to tell you but I have followed the instructions below detailed in the zabypass.pdf, which is part of the file download, and my ZA Free blocks it every time as soon as Internet Explorer opens.

    • Step 1: Run “zabypass.exe”
    • Step 2: The sample information in the text box is meant to be sent to the to the attacker’s site. If you want to change the information in the text box then feel free to do that (Note: Only the text which appears in the text box will be sent to the server and no information is logged).
    • Step 3: Click on “GO” button to send the information to the server.
    • Step 4: On successful execution, Internet Explorer (or the default browser) will be open up and will try to access the attacker’s (here it is my site…..For GOD sake don’t think I am attacking you, it is just a demo ;o) without getting blocked by Zone Alarm (refer Screenshot 3 for details). The firewall will not prevent it as Internet Explorer is a trusted program and will be allowed to access the any site.
    The only thing I can think of is since I don't allow IE access to Internet Server (Red X), and have an Ask (blue question mark) in Trusted Server, that's why the exploit does not work and I get a program alert. I see that the author states:
    but only a fool would allow unfettered Server access to any program.
     
    JRViejo, Mar 13, 2009
    #10
  11. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi,

    @ Arran, tweak your Services Windows; and download SeconfigXP here: http://seconfig.sytes.net/?sv=1.1 Notch all ( all ), click 'For home', click Apply ! ... like me. That's all.

    Yours PROROOTECT:thumb:
     
    PROROOTECT, Mar 13, 2009
    #11
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    you have made a complete Moronic idiotic post, you know that don't you.
    SeconfigXP has nothing to do with the topic at here, and I already have SeconfigXP installed and it does not block zabypass.exe,
     
    arran, Mar 13, 2009
    #12
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Thank You for assessment of my post; man is fallible.

    I just wanted to help.

    PROROOTECT
     
    PROROOTECT, Mar 15, 2009
    #13
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    you got a nice complement:)
     
    jmonge, Mar 15, 2009
    #14
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Update:
    EQSecure 4.1 prevented the "send message to other process" or "process message" of the ZABypass test.

    So that makes, comodo, malware defender and eqsecure 4.1 having "process message" blocking capability or as the OP puts it, "Remote Code, Communication, Blocker" capability.
     
    trismegistos, Jun 12, 2009
    #15
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    LoneWolf, Jun 12, 2009
    #16
  17. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    trismegistos, Jun 13, 2009
    #17
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Thanks for letting me know trismegistos. This was one reason why I dumped EQS for MD. I might give EQSecure 4.1 a try out. I doubt its file and folder rules would be as good as MD's tho.

    Preventing programs from communicating to other programs plays a very important role in controlling the behavior of programs. It is an important feature that all HIPS should have.

    shame how firewallleaktester is down. still have the zabypass test tho
     
    arran, Jun 13, 2009
    #18
  19. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    andyman35, Jun 14, 2009
    #19
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...