Results 1 to 10 of 10

Thread: BlackICE Agent not Firewalling After Standby.

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    BlackICE Agent not Firewalling After Standby.

    KPMG-2002019: BlackICE Agent not Firewalling After Standby.

    Source: bugtraq@securityfocus.com

    Title: BlackICE Agent not Firewalling After Standby

    BUG-ID: 2002019
    Released: 06th Jun 2002
    --------------------------------------------------------------------

    Problem:
    ========
    In a default installation, The BlackICE Agent might not reactivate
    when the host returns from standby. This could allow a malicious
    user to bypass the firewall completely.



    Vulnerable:
    ===========
    - BlackICE Agent 3.1 eal on Windows 2000 laptop

    Not Vulnerable:
    ===============
    - BlackICE Agent 3.1 ebh on Windows 2000 laptop


    Details:
    ========
    The BlackICE Agent setup contains the parameter
    "restart.whenSuspend", which should be enabled by default. This,
    however, is not always the case, and as a result the firewall
    might not reactivate after a system standby. The BlackICE Agent
    would still give all the appearences of being active, but the
    filter function would not be in effect, and network communication
    would be possible to the same extent as if the software wasn't
    installed.


    Vendor URL:
    ===========
    You can visit the vendor webpage here: http://www.iss.net


    Vendor response:
    ================
    The vendor was notified on the 15th of March, 2002. The issue was
    assigned case number 526997. On the 18th of March, we received a
    workaround that seemingly solved the issue. On the 6th of June, 2002
    the vendor informed us that the issue had been corrected in the
    latest build.


    Corrective action:
    ==================
    Upgrade to BlackICE Agent V3.1 EBH, available through:

    https://bvlive01.iss.net/issEn/DLC/login.jhtml

    Author: Andreas Sandor (asandor@kpmg.dk)

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Since when did black ice do anything other than detect intrusion attempts ?
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    BlackICE always used to actively block perceived intrusion attempts in to a machine... so well, in fact, on certain boxes it could completely shut down an interface, allowing no traffic in or out of the box. LOL

    One of its (other) early problems was that you couldn't ever get it out of promiscuous mode (ie. cable modem folks were screwed, as the thing would continually alarm about weird connections in to their neighbor's machine).
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  4. #4
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by hogfly
    Since when did black ice do anything other than detect intrusion attempts ?
    After much ado they finally added intrusion blocking. It's still not a half bad IDS, on the other hand, it's not that great of a firewall. Not just because of this issue but like other products it does crash 'open'.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    lol, and i know someone who runs a windows 2k laptop with that exact same version of blackice , i just emailed him about it

  6. #6
    I have a question:I keep getting *attacks* from myself(I'm on a dialup connection):TCP PORT SCANS and SYN FLOODS.How do I get BlackIce to stfu without telling it to trust myself and wtf is causing this?

  7. #7
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    draziw: haha thats exactly why I tried it, and tossed it out...... when realplayer from someone on the roadrunner network sets off your firewall with its perceived 'UDP probe" the product is ****.


    It never was that great a firewall, and still isn't IMO. it did have that lovely feature that plays sounds when something set it off though... hell we replaced the .wav with a "DIVE DIVE DIVE" alarm sound........might as well pretend that it was actually doing something.....

    it did do a good job of alerting you to attempts...I will give it that.. I wouldn't trust it to protect my system though....not ever

    hrm for the $40 bucks it costs(not sure if that is still accurate)...you could pick up an old 486 and run IPF/PF........ or atleast use tiny personal firewall.....atleast that has rule management
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Originally posted here by VicTT
    I have a question:I keep getting *attacks* from myself(I'm on a dialup connection):TCP PORT SCANS and SYN FLOODS.How do I get BlackIce to stfu without telling it to trust myself and wtf is causing this?
    You'd have to post either you log (in CSV) or your evidence/sniffer files (*.enc I think) here, I think, for anyone to give you a straight answer... and your IP at the time of the files would help, too.

    As I've said... BlackICE likes to run in promiscuous mode, even if you try to tell it not to... (though if they're coming from you???) Like I said... not much we can say without a little bit of documentation.
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Originally posted here by hogfly
    draziw: haha thats exactly why I tried it, and tossed it out...... when realplayer from someone on the roadrunner network sets off your firewall with its perceived 'UDP probe" the product is ****.

    It never was that great a firewall, and still isn't IMO. it did have that lovely feature that plays sounds when something set it off though... hell we replaced the .wav with a "DIVE DIVE DIVE" alarm sound........might as well pretend that it was actually doing something.....

    it did do a good job of alerting you to attempts...I will give it that.. I wouldn't trust it to protect my system though....not ever

    hrm for the $40 bucks it costs(not sure if that is still accurate)...you could pick up an old 486 and run IPF/PF........ or atleast use tiny personal firewall.....atleast that has rule management
    I agree with you... I had the pleasure (?) of working with these folks in their early attempts are piecing together a widely deployed, "smart" firewall. With all the problems we had with certain name brand cards mysteriously having problems with BlackICE, to the thing reporting "probes" because it was in promiscuous mode and b*tching about someone else's legitimate multicast session or DNS lookup... *sigh* Not fun...

    We also had a few times where it reported an event, but didn't block anything (even when we were actually attacking the box so as to test the thing).

    Think I probably still have a few flames saved from their CTO or whatever, too, addressed to me from that time in my life... (though you would think they would be a bit nicer to potential large customers)
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  10. #10
    Senior Member
    Join Date
    Jun 2002
    Posts
    394
    doesn't blackice only stop incoming 'attacks'
    i read a report from a rep from blackice team that said it doesn't block/monitor any traffic initiated by the user...so according to blackice, any servers run by you, were meant to be run...which is not always the case.
    Hmm...theres something a little peculiar here. Oh i see what it is! the sentence is talking about itself! do you see that? what do you mean? sentences can\'t talk! No, but they REFER to things, and this one refers directly-unambigeously-unmistakably-to the very sentence which it is!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •