alfa1

A bit disappointed on Leaktest results (MP2)...


I have noticed with displeasure that KIS 6 MP2 (6.0.2.614) isn't able to intercept some leaktests, contrary to what is declared in the official statement: http://forum.kaspersky.com/index.php?showtopic=29194

 

 

In fact, I am not able to pass Breakout 1/2, OSfwbypass, WB n°2 and (maybe) BITStester...

 

 

TEST SETUP:

XP PRO SP2, KIS 6 MP2 (6.0.2.614) with AAA active (prompt for action enabled) and AIC active (content modification/run as a child enabled), RegDefend.

 

Bitstester: (screenshot)

 

Breakout 1: (screenshot)

 

Breakout 2:

Only RegDefend alerts me about this strange behaviour (HTML page set to be the desktop wallpaper...)

(screenshot)

Anyway, if I temporarily disable it, KIS does not point out the Active Desktop abuse....

 

 

CPILSuite ok (1/2/3), Zapass ok, Surfer ok, etc...

 


 

 

PS: sorry for my poor English. :(

Edited by alfa1

.. Osfwbypass (for osfw... remember to copy that htm file to c:\), and bits ..

Could you explain better the right procedure to execute these 2 leaktests?

 

Perhaps I'm mistaking something...

 

Thanks! :)

Edited by alfa1


Ok, lucianbara! :)

 

I had to copy modal-dialog.htm to c:\ to execute osfwbypass-demo... :rolleyes:

Anyway, no "starting internet browser with parameters" pop-up was shown, as the official statement says it would be :wacko: ...

 

At the beginning I allowed the iexplore.exe process to run as a child of svchost.exe:

(screenshot)

 

but....

 

(screenshot)

 

:angry:

PS: is it so difficult to find an unequivocal way to intercept such a technique for developers like those employed at Kaspersky Lab, one of the biggest security firms on the planet?

 

Please....

And come on!

 

The customers are waiting for you!

Edited by alfa1

PS: is it so difficult to find an unequivocal way to intercept such a technique for developers like those employed at Kaspersky Lab, one of the biggest security firms on the planet?

 

Please....

And come on!

 

The customers are waiting for you!

Speak for yourself. Would you prefer that KL hard code an intercept for these leaktests into AH? Like some other vendors do? That is why PFW vendors get accused of selling snake oil.

 

As I said, speak for yourself. I myself would prefer that KL not concentrate on such things. There is a reason that most security experts do not put much stock in leaktests. They really don't mean that much. If you would like, I would be happy to send you (PM) a few zillion links to that effect. Many of them from Volker. You know, the guy who developed breakout. [bg] Start with Google.

 

BTW, your English is fine.

 

Ron :)


Hi, Ron!

 

As a rule I agree with you,

"I would prefer that KL not concentrate on such things" (for ex., it's better to spend time in developing new heuristic engine...)

 

Anyway, the official statement is theirs, not mine! ;)

 

Take a look here: http://forum.kaspersky.com/index.php?showtopic=29194

 

 

In the second place, this answer doesn't sound good:

"Speak for yourself."

 

(it seems offensive to me ;) ) while I have not attacked anybody!

 

Peace and love! ;)

Edited by alfa1

As a rule I agree with you,

"I would prefer that KL not concentrate on such things" (for ex., it's better to spend time in developing new heuristic engine...)

 

Anyway, the official statement is theirs, not mine! ;)

 

Take a look here: http://forum.kaspersky.com/index.php?showtopic=29194

In the second place, this answer doesn't sound good:

"Speak for yourself."

 

(it seems offensive to me ;) ) while I have not attacked anybody!

 

Peace and love! ;)

No offense intended. I was simply responding to your Come On!. I could/should have added a couple of winks. Sorry. ;)

 

One thing that I have learned using KL products for the last couple of years, is never, ever believe anything on the KL Web Site. The info is quite often months behind, and much is usually lost in translation. And most of it comes from marketing bozos anyway. [grin] :P

 

Now back to the snake oil thing. If you look at David Matoušek's testing, the significant results, IMHO, have to do with vulnerabilities in the applications themselves (PFWs), and not in the shortcomings in efficacy (leak tests). Here are a couple of examples of what I mean.

 

Comodo Multiple insufficient argument validation of hooked SSDT function Vulnerability

 

Outpost Multiple insufficient argument validation of hooked SSDT function Vulnerability

 

Kerio Multiple insufficient argument validation of hooked SSDT function Vulnerability

 

What this means is that, from a security standpoint, installing and using a PFW with such vulnerabilities, is worse than simply using the WinXP or Vista FW. At least those can be fixed once a month when you patch your Windows OS.

 

Unfortunately, people put so much stock in these leaktests, that the vendors are forced to deal with them. And passing leaktests has nothing to do with securing a box. The real malware can simply tunnel around a PFW, or even easier. Just latch on to a user-permitted connection. The days of the script kiddies are over, but unfortunately too many PFW vendors are stuck in the past.

 

Just my 0.02. Speaking for myself. [big grin] :D

 

Peace and love to you as well. ;) Again, sorry for the unintended tone in my earlier reply. :o

 

Ron :)

What this means is that, from a security standpoint, installing and using a PFW with such vulnerabilities, is worse than simply using the WinXP or Vista FW. At least those can be fixed once a month when you patch your Windows OS.

 

Unfortunately, people put so much stock in these leaktests, that the vendors are forced to deal with them. And passing leaktests has nothing to do with securing a box. The real malware can simply tunnel around a PFW, or even easier. Just latch on to a user-permitted connection. The days of the script kiddies are over, but unfortunately too many PFW vendors are stuck in the past.

+1

 

Paul


Nice writeup, Ron!

 

I agree wholeheartedly! Outbound filtering is IMO a nice gimmick, but no real security feature. Too many ways around it. :)

Now back to the snake oil thing. If you look at David Matoušek's testing, the significant results, IMHO, have to do with vulnerabilities in the applications themselves (PFWs), and not in the shortcomings in efficacy (leak tests). Here are a couple of examples of what I mean.

If someone is selling snake oil, then it's clearly this Matousec guy :angry:

He supposedly finds vulnerabilities in security products and then threatens the manufacturers to pay him what he wants so they can see the supposed vulnerabilities. Pretty dirty business practice, not even remotely reliable.

If someone is selling snake oil, then it's clearly this Matousec guy :angry:

He supposedly finds vulnerabilities in security products and then threatens the manufacturers to pay him what he wants so they can see the supposed vulnerabilities. Pretty dirty business practice, not even remotely reliable.

We had that discussion in another venue. I haven't made my mind up yet. Like you, I too have my concerns. Nonetheless, what I said about the vulnerabilities in PFWs stands. A much more important consideration than leak testing.

 

BTW, keep an eye on Matoušek's work. After he gets done shaking down [grin] the PFW vendors, he is going after the AV vendors. It should be interesting.

 

Ron :)

