Comments on news posted 2000-12-07 18:20:59: Internet News covers the Gibson Research downloadable (windows) spyware simulator, LeakTest, which supposedly demonstrates that only ZoneAlarm makes any effort to block outgoing connection attempts from programs installed and run on a home computer. ..


2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Junk is a Pretty Strong Word - Incomplete Perhaps?

Gibson's attitude that others that don't, as I call it, "watch the back door" are junk is a bit harsh and extreme - that's the kind of talk that starts flame wars and more.

I do agree that I think such monitoring is essential before a software firewall can call itself a complete firewall program.

He is also incorrect in stating that ZoneAlarm (and we all know how much I love that little app) is the only one doing it. Of the top software programs used as firewalls (Sygate Personal Firewall, Norton Personal Firewall, ZoneAlarm, the McAfee Personal Firewall and BlackIce Defender) the only one I know that suffers this debilitating shortcoming is BlackIce Defender.

The 'back door guard' service is very useful in detecting adware and spyware, and could be extremely beneficial in detecting a new trojan/virus/worm on a system that was not intercepted on the way into the system by the anti-virus software for whatever reason.

Firewalls should be considered as tools to not only control access into the system, but to control access to the internet. That's the way business organizations use them, why should a personal firewall be any different?
BCali
join:2000-08-13
Hewlett, NY

BCali

Member

here's the link to the article
I don't know about the rest of the firewalls, but I do use ZoneAlarm. I think that they should keep testing these products to make sure we have the best possible protection. If they printed incorrect information hopefully the companies involved will correct them. I think it's so important for consumers to know what works and doesn't so we can decide what programs to use.

http://www.internetnews.com/intra-news/article/0,,7_529661,00.html

mbaee
join:2000-08-07
Marlton, NJ

mbaee to 2kmaro

Member

to 2kmaro
I don't know about the rest of the programs, either, but I personally use Sygate Personal Firewall. For the first week after I installed the program, it was constantly asking me "xyz.exe is trying to access the network. Do you want to allow it?". Sygate definitely monitors the outgoing connections also.

Just my .02

Matt
--
Neo: "I know Kung Fu."
Morpheus: "Show me..."

liht
Acryllicht
join:2000-07-11
Tucson, AZ

liht

Member

Yeah, I love my Sygate.
I don't even know it's running, but I sure am glad it is when I get those prompts: "sub7superhackeri_kill_u.exe" is trying to contact the network. Saved my butt a load of times.

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

said by acryl:
Yeah, I love my Sygate.
I don't even know it's running, but I sure am glad it is when I get those prompts: "sub7superhackeri_kill_u.exe" is trying to contact the network. Saved my butt a load of times.

So how are these getting into your machine in the first place? Don't you have a decent anti-virus program running?
Sygate is very good at watching the back door - a little stiff in allowing you to give a program one-time permission or denial, but good at the job. Just be careful with it - if you cancel a window that is asking for permission (not saying Yes or No) it will give the program permission to transmit anyhow, and that could accidentally let your 'sub7superhackeri_kill_u.exe' visitor out without you realizing it - for then and forever!

Archvile2
join:2000-10-22
Natick, MA

Archvile2

Member

Forget these software firewalls.

I got the Linksys 4-port router; that works as a firewall and NAT. You can't even start a Quake server on it unless you set the server's IP to the DMZ. Now that's control.

As for those stupid programs making those connections, ditch them. Get rid of all Netscape and RealNetworks programs, ditch all the Yahoo bloatware plugins, and take a stand against banner ads: add these lines to your hosts file (in \windows\ or \winnt\system32\drivers\etc\):

127.0.0.1 ad.doubleclick.net
127.0.0.1 m.doubleclick.net

Each line remaps a DNS entry to a specific IP address; mapping anything to 127.0.0.1 effectively prevents access to it (127.0.0.1 is localhost, and since localhost has jack squat, you'll see 404 errors where those banner ads are!). Keep mapping those ad servers to 127.0.0.1, and your browser will ignore them!

AllAlone0
join:2000-10-30
Oakville, ON

AllAlone0

Member

You could do that... or use Norton's firewall and it does it for you. Which one is easier?

--
Hey, I can call my ma from up here.....
Hey ma ! Get off the damn roof.
B04
Premium Member
join:2000-10-28

B04 to Archvile2

Premium Member

to Archvile2
I think you're missing the point. Of course a NAT router provides a great simple firewall. Of course one can avoid programs that one THINKS may try to access the Internet without permission.

BUT... other programs may, for any number of reasons, well-meaning or nefarious, access the Internet at any given time, particularly with the growing presence of "always on" connections.

And yes, some of those other programs may be Trojan horses that one has unwittingly allowed onto one's system. People (and certainly virus scanners) do make mistakes.

So the point of an outbound-checking personal firewall like ZoneAlarm is to provide an added level of protection against such unknowns, for example when some cool little piece of shareware decides to open a port to its author's ftp server without your knowledge.

As to the banner ads issue, your approach is pretty incomplete. Far better to use a proxy like Internet Junkbuster or the Proxomitron, which make it easier to add filters by URL and not just host or IP address (e.g., www.myfavoritesite.com/bannerads/). Since of course not all ads are hosted directly at big evil sites like DoubleClick.

-- B
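Added example (not part of either post): the difference between Archvile2's hosts-file trick and the URL filtering B04 recommends, written in Python. The hosts-file text and the domains other than ad.doubleclick.net and m.doubleclick.net are constructed samples, and `www.myfavoritesite.com/bannerads/` is the illustrative pattern from the post above. It shows that a hosts entry is consulted before DNS and can only block a whole host, while a proxy-style filter can match on the path as well.

```python
"""Host-based (hosts file) vs URL-based (proxy filter) ad blocking.

Added example; not code from the original thread. All sample data is
constructed except the two doubleclick.net names quoted from the post.
"""
from urllib.parse import urlparse

# Constructed sample hosts file in the usual format:
# "<ip> <hostname> [<hostname> ...]", '#' starts a comment, tabs are allowed.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1\tlocalhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 m.doubleclick.net   # ad servers named in the post
0.0.0.0   ads.example-banners.test  static.example-banners.test
"""

# Addresses that make a connection attempt go nowhere useful.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0"}

# Constructed proxy filter patterns; a proxy sees the full URL, not just the host.
URL_PATTERNS = ["www.myfavoritesite.com/bannerads/", "/adserver/"]


def parse_hosts(text):
    """Return {hostname (lowercased): ip} from hosts-file text.

    Handles comments, blank lines, tab separators and several names per line.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def resolve(hostname, hosts):
    """Mimic resolver order: the hosts file wins; None means 'ask real DNS'."""
    return hosts.get(hostname.lower())


def blocked_by_hosts(url, hosts):
    """The request is effectively blocked only if the *host* maps to loopback/null."""
    host = urlparse(url).hostname or ""
    return resolve(host, hosts) in LOOPBACK_OR_NULL


def blocked_by_url_filter(url, patterns):
    """Proxy-style filter: block if any pattern occurs in host + path."""
    parts = urlparse(url)
    target = (parts.hostname or "") + parts.path
    return any(pattern in target for pattern in patterns)


def compare(url, hosts=None, patterns=URL_PATTERNS):
    """Show both mechanisms side by side for one URL."""
    hosts = parse_hosts(SAMPLE_HOSTS) if hosts is None else hosts
    return {
        "hosts_file": blocked_by_hosts(url, hosts),
        "url_filter": blocked_by_url_filter(url, patterns),
    }


if __name__ == "__main__":
    for u in ("http://ad.doubleclick.net/banner.gif",
              "http://www.myfavoritesite.com/bannerads/top.gif",
              "http://www.myfavoritesite.com/news/"):
        print(u, compare(u))
```

The second URL is the case B04 describes: the ad lives on a site you also want to read, so the hosts file cannot block it without blocking the whole site, whereas the path pattern catches only the banner directory.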
B04

B04 to 2kmaro

Premium Member

to 2kmaro

Re: Junk is a Pretty Strong Word - Incomplete Perhaps?

> ZoneAlarm may spit out cryptic names of windows and
> package subsystems, with an allow, yes? no? question that
> only a windows hacker would be able to decode.

I really don't agree with this at all. ZoneAlarm does a nice job of making it incredibly easy -- a program is attempting to access the Internet -- do you want to let it out?

Now if the "program" is in fact a poorly named "subsystem" component, then yes, it would be confusing to an average user. But I just don't see much value in ZoneAlarm or anyone else maintaining some kind of database of all poorly named executables, just in order to say "the Skins module of Sonique is trying to phone home".

One is alerted that a program is trying to get out. Most "subsystems" should NOT be doing this! (ZoneAlarm tells you the name of the program, and more if you just look in its "Programs" window.) If you are using a program that does not communicate with other users or computers, there should be no reason to allow it, or any of its "subsystems", to access the Internet without a darned good reason!

I have some reservations about ZoneAlarm, particularly in its lack of fine control vis-à-vis particular ports and destination hosts. If a program is granted "Internet" rights it can go anywhere it wants on whatever ports it wants. So it's pretty much all or nothing.

But ZoneAlarm's got to be the easiest thing around. (And the best, by most reviews.) I'm not sure what more you'd want -- features breed bloat and often complexity. Office 2K, anyone?

-- B
B04

B04

Premium Member

Sorry if I'm harping on this, but...

> both incoming and outgoing traffic needs to obey a
> firewall ruleset that is easily understood and maintained
> by users.

Again, I disagree. I think ZoneLabs made the (correct) decision that most users have NO idea what a "firewall" ruleset is, don't want to know, and certainly don't want to maintain! So they came up with the simplest paradigm they could -- do you or do you not want to let a program use the Internet? As I said, I have some problems with this, but it's a darned effective broad sword in helping out tons and tons (the "vast majority") of average joe users...

I mean, how many antivirus users could describe or maintain "rulesets" for various categories of viruses? They just install an AV program, (hopefully) update it occasionally, and pretend that they're covered.

There's just no way they're going to ever educate themselves on the intricacies of IP Winsock ports and cracker exploits, no matter how simply presented. Even the major commercial firewalls like Checkpoint, supposedly administered by knowledgeable technicians, know this and provide pre-packaged, relatively no-brainer rulesets for common threats.

-- B

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Read Some More from the Source

To get an even deeper view into Gibson's thinking and research on the matter you should also visit Gibson's Firewall Section and read on what he has to say about the various software firewalls. I hadn't read these pages in quite some time and ausnetwanderer sent me a reminder about it - good reading.

Prairie Dog
Here's Looking At You Kid
Premium Member
join:2000-08-09
Langhorne, PA

Prairie Dog to Archvile2

Premium Member

to Archvile2

Re: Forget these software firewalls.

I also have the Linksys, with firewall. I still use a software firewall, and it still has alerts logged on it about attempted hacks, though a lot fewer than before the Linksys. I am using PC Viper; it's free, and was posted on this site a while ago when he was doing firewall updates. Here is the link; it seems to have more features and things you can fine-tune than ZoneAlarm. http://www.pcviper.com

justin
..needs sleep
Mod
join:1999-05-28

justin to B04

Mod

to B04

Re: Junk is a Pretty Strong Word - Incomplete Perhaps?

ZoneAlarm on my Windows 2000 box comes up with messages like "svchost.exe" wants to use the internet, yes/no?
It doesn't say WHY it wants to access the net, and WHAT INFO it wants to send or receive.. or what SVCHOST.EXE actually is. (It's just a Windows service.. one of dozens, all with names that provide no clue as to their real functionality.)

ZoneAlarm does OK under the circumstances. My point is that these circumstances are geekspeak for the vast majority of users and generate a lot of questions and worries as well. The quicker PCs go away and are replaced by a range of dedicated secure appliances, the better.. if in the year 2010 I plug my 'fridge into my home gateway so it can keep reordering groceries, I don't want to have to install a firewall on it and receive messages of the ZoneAlarm kind.
B04
Premium Member
join:2000-10-28

B04 to 2kmaro

Premium Member

to 2kmaro

Re: Read Some More from the Source

But he hasn't updated them in a very long time, has he? I mean, once ZoneAlarm was finally released, I think he stopped refreshing the data on the "also rans".

[NEVER MIND THAT -- it looks as if he HAS updated it slightly now that he's released "LeakTest". ]

Not that it isn't a REALLY valuable resource. I completely agree that all of the ShieldsUp sub-site at http://grc.com is terribly informative for security, networking, firewalls, routing...

The forums are great too, although best accessed by a newsreader set to the private news server at grc.com.

-- B

[text was edited by author 2000-12-08 12:48:48]

Prairie Dog
Here's Looking At You Kid
Premium Member
join:2000-08-09
Langhorne, PA

Prairie Dog to Archvile2

Premium Member

to Archvile2

Re: Forget these software firewalls.

I also have the Linksys, with firewall. I still use a software firewall, and it still has alerts logged on it about attempted hacks, though a lot fewer than before the Linksys. I am using PC Viper; it's free, and was posted on this site a while ago by Justin, when he was doing firewall updates. Here is the link; it seems to have more features and things you can fine-tune than ZoneAlarm. http://www.pcviper.com

fab-c
@spaceproxy.com

fab-c to 2kmaro

Anon

to 2kmaro

Here is the information--add it to your knowledge

Knowledge is Power (KiP)

First of all, visit http://grc.com/su-firewalls.htm, read the entire page (a great read), and download Leaktest. Only two current firewalls will fully protect you from this test-trojan: ZoneAlarm (ZAF/ZAP) and Tiny Personal Firewall with MD5 checking enabled.

Here are some nice Gibson quotes.
"Leaktest can be named anything you like while it easily bypasses the Sygate firewall. Rename it Dracula, or just leave it named Leaktest. For this test, you must depress and hold either of your keyboard's "Shift" keys when you click on and release the "Test" button. The Leaktest window title will immediately change to confirm that it has recognized your request for "stealth mode" operation."

". . . Sygate's firewall is so poorly written that, so far, it is the only firewall I have found which can so easily be completely circumvented with just a few simple lines of code — regardless of the name of the penetrating program."

"This means that any Trojan horse or spyware program running in your computer will have unrestrained access to your Internet connection UNTIL you respond to the Sygate firewall dialog box and say 'no'."

"As you have seen, the Symantec/Norton firewalls stand out due to their horrible and incredibly unsafe default "Automatic Rule Creation" feature. The Sygate firewall stands out due to its uniquely (so far as I know) and incredibly poor protection. And BlackICE Defender wasn't even mentioned here because, although it is a noisy inbound blocking firewall, it offers ABSOLUTELY NO PROTECTION and control against outbound Trojan, virus, and spyware communications. (Leaktest merrily communicates out through BlackICE Defender without any trouble.)"

ZoneAlarm is the only firewall he has tested that passes Leaktest even when renamed to a trusted application, placed in the application's directory and run (and even when the same is done and Leaktest is run in stealth mode). Although not officially tested by Gibson yet, Tiny Personal Firewall with MD5 checking enabled does fully pass, just as ZoneAlarm (ZoneAlarm has this cryptographic signature testing enabled without an option to disable it) does.

And for all you people running more than one firewall, Gibson had this to say in a newsgroup discussion:
"For what it's worth, I *COMPLETELY* agree with you. Windows was
NEVER DESIGNED to have a firewall installed. The Networking layers
are a total mess ... and it's somewhat AMAZING that two firewalls
don't completely crash the system."

That was in response to this:
"That doesn't necessarily mean that ZA missed it. There could have been a
conflict between the two programs and BID picked it up instead. ZA may well
have picked it up if BID hadn't interfered. Of course, there's no way to
prove it....but history has shown (with other applications) that running
two at once isn't a good idea. Try running two active virus scanners at the
same time and you'll see what I mean."

In the meantime, Symantec is reportedly informing curious PC industry reporters that they will immediately update their installed base of Norton Internet Security products in response to the vulnerabilities revealed by Leaktest. Symantec's "Live Update" system will be used to provide these updates to their users.

Gibson's goal is not to start a flame war, but to bring attention to the faults of our best defense against hackers, our personal firewalls. By doing this it is expected that manufacturers will open their eyes and make adjustments just as Norton is doing.

I quote [from Gibson]:
"These firewalls are not going to get better unless there's someone saying and able to prove -- and to enable the user to prove -- that these things are junk."

Still, don't be fooled into thinking you are fully protected from trojans with ZoneAlarm or Tiny PF.
Quoted from a user:
"I know of one program that DISABLES Zone Alarm. It is called "StayOn Pro".
It says that it will prevent your ISP from disconnecting your connection but I
found out that it does a lot more than that. It allows everything in the
Program List of ZA to connect to the internet and become a server. Scared
the life outta me. You can find it at ZDNet/downloads. Try it guys and girls
just for the fun of it ]"
Also, there is currently a "test-trojan" out called 711 that apparently disables ZoneAlarm.
http://download.wrq.com/fileinfo.asp?filename=atgd322.exe
- Final version of AtGuard now available for free (legitimately).

> Since AtGuard doesn't perform EXE fingerprinting -- ever -- it's
> ALWAYS possible to blow through it from the SAME directory as the
> approved program, yes??

Steve,

Reply from a user:
"Absolutely -- without fail! That's why I don't give *any* program carte
blanche in my ruleset. The only apps approved are the ones actually
running at the time. If I stop Gravity, for instance, I uncheck its
'allow' rule if I stay connected. If I am using Gravity only, the allow
rule for my browser is unchecked. If anything -- or something
*pretending* to be anything -- wants out, it has to ask.

Admittedly, I am probably 1 in 100,000 AtGuard users to do this. The
vast majority of users will set (or have rules set for them - NIS) allow
rules and be WIDE open to exactly what your leaktest proves."
------
Just so you know.

BTW, go to http://www.lockdown2000.ic24.net/index.html.
Lockdown 2000 is a hilarious piece of junk--and I mean JUNK!
Check out the history bit on the author, Mr. Paris, and his previous scams. http://www.primenet.com/~lippard/pchelp/LDfacts.htm pertains to the actual code of this program. After decrypting the code, the author said this about the program's trojan check: "The trojan check especially is a complete joke." Of course he exposed plenty more dirt. This included "It's also clear that the progress bar Lockdown displays while doing its "System Check" runs far more slowly than does the check itself! The progress bar is there for show. The actual check is very rapid, because there isn't much to it." This stemmed from curiosity as to why LockDown is so damn slow!

Knowledge is Power (KiP)
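Added example, not from the post or from any of the products it names: the policy difference the quoted AtGuard exchange and the MD5-checking remarks turn on, in Python. A firewall that approves outbound access by executable name alone keeps approving whatever runs under that name from that directory; one that also records a hash of the executable ("EXE fingerprinting") notices when the bytes behind the name change. The "programs" below are constructed byte strings standing in for executable images, the paths are made up, and the class names and `outbound_decision` helper are this example's own.

```python
"""Name-based vs fingerprint-based outbound application allow-listing.

Added example; not code from the thread or from AtGuard, Tiny, ZoneAlarm
or Sygate. Executable images and paths are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    path: str     # where the firewall sees the program running from
    image: bytes  # constructed stand-in for the executable's bytes


def fingerprint(image, algo="sha256"):
    """Hex digest of an executable image.

    The products in the thread used MD5; SHA-256 is the modern choice,
    and the mechanism is identical.
    """
    return hashlib.new(algo, image).hexdigest()


class NameOnlyPolicy:
    """Approves by path only, as the quoted post describes AtGuard doing."""

    def __init__(self):
        self.allowed = set()

    def approve(self, prog):
        self.allowed.add(prog.path)

    def permits(self, prog):
        return prog.path in self.allowed


class FingerprintPolicy:
    """Approves by path AND content hash, as MD5 checking adds.

    A binary that is renamed into, or dropped over, an approved path no
    longer matches the stored digest and falls back to 'ask the user'.
    """

    def __init__(self, algo="sha256"):
        self.algo = algo
        self.allowed = {}  # path -> digest recorded at approval time

    def approve(self, prog):
        self.allowed[prog.path] = fingerprint(prog.image, self.algo)

    def permits(self, prog):
        expected = self.allowed.get(prog.path)
        return expected is not None and expected == fingerprint(prog.image, self.algo)


def outbound_decision(policy, prog):
    """What the firewall does when `prog` opens an outbound connection."""
    return "allow" if policy.permits(prog) else "ask"


# Constructed sample programs. The impostor occupies the browser's path,
# which is exactly the "same directory, same name" case from the post.
BROWSER = Program(r"C:\Program Files\Browser\browser.exe", b"BROWSER-IMAGE-v1")
IMPOSTOR = Program(r"C:\Program Files\Browser\browser.exe", b"SOMETHING-ELSE")
BROWSER_V2 = Program(r"C:\Program Files\Browser\browser.exe", b"BROWSER-IMAGE-v2")


def run_demo():
    """Approve the browser once under each policy, then see who gets out."""
    name_only = NameOnlyPolicy()
    name_only.approve(BROWSER)
    with_hash = FingerprintPolicy()
    with_hash.approve(BROWSER)
    return {
        "name_only_browser": outbound_decision(name_only, BROWSER),
        "name_only_impostor": outbound_decision(name_only, IMPOSTOR),
        "fingerprint_browser": outbound_decision(with_hash, BROWSER),
        "fingerprint_impostor": outbound_decision(with_hash, IMPOSTOR),
        # a legitimate upgrade also changes the hash: the usability cost
        "fingerprint_updated": outbound_decision(with_hash, BROWSER_V2),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:22s} -> {decision}")
```

The last case is the trade-off behind the "cryptic prompt" complaints elsewhere in the thread: every legitimate update of an approved program produces a fresh prompt, which is the price of a check that a rename cannot defeat. The quoted AtGuard user's habit of unticking every allow rule not in use is the manual version of the same idea: keep the default at "ask".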
B04
Premium Member
join:2000-10-28

B04 to justin

Premium Member

to justin

Re: Junk is a Pretty Strong Word - Incomplete Perhaps?

> It doesnt say WHY it wants to access the net,

But how could it? How can ZoneAlarm determine why another program chooses to access the Internet? (other than mentioning the port)

> and WHAT INFO it wants to send or receive..

It's just data; the suspect program is starting to open a port out and ZA catches it before letting ANY data start out. While it would be nice, I just can't see a firewall reading another program's mind (although I suppose it WOULD be nice for it to read in enough of the outbound data to display something more meaningful -- on the other hand it might have to "fake" an open port before the suspect program would even start transmitting).

> or what SVCHOST.EXE actually is. (its just a windows
> service.. one of dozens all with names that provide no
> clue as to their real functionality).

Now, see here I WOULD be concerned. I don't use Win2K much, and I haven't used it with ZoneAlarm. But... WHY IS that service accessing the "Internet"? It sure as heck shouldn't be without your permission, don't you think? Unless it's just part of the TCP/IP stack and you're just browsing (so ZA should have ignored it), or unless it's part of Windows Update and you're RUNNING Windows update, etc. I think ZA has provided you a valuable hint that something may be going on that I, for one, might not want!

By the way, it could also just be that you need to add your network adapter to ZA's "local zone". I would not be as concerned if it's just Win2K looking around for its domain buddies; it's accessing the "Internet" zone that bothers me.

> zonealarm does ok under the circumstances. My point is
> that these circumstances are geekspeak for the vast
> majority of users and generate a lot of questions and
> worries as well.

Well, yes! But the older personal firewalls were even worse. Black Ice is notorious for freaking out users with constant flashing "attack" warnings that are just, as Gibson calls them, Internet Background Radiation (stray packets, relatively harmless mass port probes, etc.).

For the firewall to be effective and at least a bit flexible, it's got to stop at SOME point and tell the user something. I can't see it getting much simpler than ZA's approach, but I'd love to hear another idea. [No, I'm not related to them in ANY way.]

> the quicker PCs go away and are replaced by a range of
> dedicated secure appliances, the better.. if in the year
> 2010 I plug my 'fridge into my home gateway so it can
> keep re-order groceries, I don't want to have to install
> a firewall on it and receive messages of the zone alarm

Well okay, but wouldn't you want to have a firewall SOMEWHERE in the picture? I mean, even an "Internet appliance" can be vulnerable. It still talks TCP/IP, it still may have data and services on it that you'd like to protect, etc. Malicious people hack routers and firewalls all the time; they certainly might want to attack your refrigerator and short out your house, for example.

Speaking of fridges, my sister-in-law fell for the 3Com "Audrey" commercials showing people trying to use a fridge-based paper blotter to organize their family, and cursing until they buy an Audrey. The funny thing is the Audrey, as far as I know, does NOT mount on a fridge! (It is cute though.)

-- B

P.S. By the way, I am continually impressed by the depth and professionalism of the DSLReports site. It seems like it must have had thousands of person-hours of development. Nice work.

liht
Acryllicht
join:2000-07-11
Tucson, AZ

liht to 2kmaro

Member

to 2kmaro
Uhm, yes, I run AV, Norton 2000 for NT.
I didn't mean "sub7superhackeri_kill_u.exe" literally.
I was just being general, as in I've had some programs that I didn't know what they were trying to access the network for.

CircuitBreaker
Check 'Em Ref
join:2000-09-29
Buffalo, NY

CircuitBreaker

Member

Gibson...

I stumbled upon Gibson's site last night for the first time... I've known about him since I worked at Iomega and heard about Trouble in Paradise, but never actually had the "Gibson Experience". The only thing I have to say is what a pompous, self-loving ass! That man seriously needs to get over himself. None of his programs do anything all that special; in fact some do more harm than good. Trouble in Paradise doesn't do much of anything except trash Zip drives and scare the hell out of the people that don't end up losing their drive. I downloaded it and ran it last night out of pure curiosity; it told me my drive didn't have the "click of death" but was otherwise FUBAR. According to that little app that Gibson touts to be the best thing since creamy peanut butter, my brand new USB Zip 100 is trashed. It can't read or write data. I should call Iomega and demand a replacement because that one is defective! Funny, it works fine for me. I guess I don't know what I'm talking about, and the fact that I copied a 95 meg file to it, from it, deleted the file, AND long formatted the disk was a figment of my imagination.
Gibson seems to have a clue about how things work, but some things he should stay out of. He is lending a helping hand to the paranoia surrounding computers, rather than helping make it end.
--
What you do in the dark will eventually surface to the light

shortckt
Watchen Das Blinken Lights
Premium Member
join:2000-12-05
Tenant Hell

shortckt to Archvile2

Premium Member

to Archvile2

Re: Forget these software firewalls.

I agree. Although some of these software firewalls do a good job with what Windows allows, strictly speaking you cannot fully protect the client machine when it is also the bastion host unless the user is very careful about what apps are allowed to run on the client machine, and that means thinking about all the angles and possibilities. The idea that the firewall app can be touched from the client's OS is a security hole. But a software firewall is still much better than nothing, and I still tell everyone I know, using broadband or dial-up, to install ZA and a virus scanner if nothing else.

EmilioG
Whats This?
Premium Member
join:2000-09-19
New York, NY

EmilioG to CircuitBreaker

Premium Member

to CircuitBreaker

Re: Gibson...

I agree with a lot that is being said here. After contacting Symantec, I was made aware of the fact that at present there is no Trojan using the technique that he describes. I am glad that he found a POSSIBLE security hole in all these Firewalls, but to raise an alarm over something that doesn't exist yet is irresponsible. I just wish he would have been more scientific in his report instead of calling all these programs "Junk".

Someone should monitor his work and write a report on HIS findings. His altruistic endeavours are a bit self-aggrandizing, and in the end serve only to create more paranoia.

I will continue to support and use Symantec programs and at least Symantec is addressing this possible security problem.
Why doesn't he write and develop his own firewall program?
Meanwhile, there are other security problems to contend with. Hopefully, one day there will be a definitive security protocol that works for everyone. The resources are out there, there must be an answer to all the problems somewhere.
--
Regards, Emilio
Support Amnesty International

Rebrider
Been There Done That
Premium Member
join:2000-11-23

Rebrider to 2kmaro

Premium Member

to 2kmaro

Re: Junk is a Pretty Strong Word - Incomplete Perhaps?

I have been using ZoneAlarm for a number of months. I have found this program to be very effective and easy to use.
Like any other program, you have to understand the use for which it is intended.

Joe Schmoe
@beldar.com

Joe Schmoe to CircuitBreaker

Anon

to CircuitBreaker

Re: Gibson...

I concur..... His site seems to only instigate paranoia and bloat the facts far beyond what is true. Too many people are suckered into thinking that everyone online is waiting in the shadows for them to make a mistake.
I think he has issues with some companies such as Iomega and is out to destroy their credibility. As for ZoneAlarm, I think he has more at stake than just making a recommendation. Everytime he dreams up a new way to check what a computer does or does not do on the internet, ZoneAlarm gets the perfect score and everything else is "junk". I've tested ZA and it is junk, unless you like being interrupted constantly. Sygate runs quietly in the background and it did pass the Leaktest though he says otherwise, ZA is intrusive, monotonous, and unless it has changed it is complicated for anyone that is clueless about internet protocol, addressing, or ports.
B04
Premium Member
join:2000-10-28

B04

Premium Member

Sorry, but you are either hallucinating, trolling, or confusing ZoneAlarm with some other product.

My main reservation about ZoneAlarm is that it DOESN'T allow one to have any specific control over "internet protocol, addressing, or ports".

If you tell it to "always allow" a program it NEVER bothers you again. If you set it up to log quietly, it NEVER alerts you to mild probes (but merely blocks them).

I think you may be talking about some other program.

-- B