August 31st, 2003, 09:19 PM
Leak test question
This kind of belongs in a combination Roll Call/ Newbie Questions/ Firewall forum...
So, first things first (stands) Hi, I'm groovicus, and I'm an addict (sits back down) :D
Now to the topic at hand. I have a firewall installed, have it configured properly, and have windows configured properly.
Now, upon running any of the various leak tests, it always fails. I understand how it works (after investigating the source code of a few of these). What I don't understand exactly are the practical implications of failing the test.
What I do understand:
- The test is somewhat contrived. You have to give the hijacked process permission to access the internet.
What I assume:
- I really don't need to worry about it too much as long as all the computers on my network are safe. The only way I can see it hurting me is if I get infected by a computer on my network, and the worm/virus getting to my computer.
I have done lengthy searches (including here), but have not found anything that will validate my assumptions.
August 31st, 2003, 09:59 PM
August 31st, 2003, 10:26 PM
I take it you're referring to the leak test program from www.grc.com, the same guy who runs the Shields Up pages.
From the way I understand the program, it attempts to make outgoing connections to a remote server from various ports, just as a trojan would.
It depends on what firewall you are running. If you are running a home based firewall like Zone Alarm it should pop up a message telling you that the program is trying to make an outgoing connection to a remote server. Therefore, if it had been a trojan you would see an unknown program trying to make a remote connection and you would choose to block the connection. The leak test would then report that your firewall passed as no remote connection was able to be made.
If you are running a commercial firewall or a unix based firewall it should be set up to block connections to ports which are not specifically allowed, and therefore the leak test would not be able to make the connection and therefore it would pass.
August 31st, 2003, 10:35 PM
Ok...to try and be more specific. When I run the leak test from Gibson research, as long as I don't allow the program access to the internet, then my firewall passes. It's my understanding that this particular test is used to simulate a trojan trying to send out information from your computer.
One of the other leaktests I was studying attached a small "fake trojan" to Internet explorer, which in my case has permission to access the internet. In that case, the leak test succeeds (and my firewall fails) because internet explorer has permission to access the internet.
I hope that explains it a little more clearly. Maybe it is much ado about nothing.
Is there a way to automatically verify the integrity of a program that already has permission to access the internet, and deny access if the integrity has been compromised? Or does my firewall already do that, and I need to read the manual a little better?
August 31st, 2003, 10:44 PM
The idea is to prevent Leak test from connecting to the grc server.
If your firewall pops a box up asking to allow it, deny it. Then it should fail to connect.
September 1st, 2003, 12:13 AM
Sorry for the previous reply, wasn't really much help, I just presumed you were using the grc leak test.
Would you be able to supply a link or send me a copy of the leak test that you are using? It would be interesting to see how it binds to IE.
By the way, what firewall are you actually using?
September 1st, 2003, 12:40 AM
This is the one that I was looking at. As I was re-reading through the source, it doesn't actually bind to IE, it just uses IE via a hidden window to send a message to a URL.
I use ZoneAlarm Pro... from what I (think) I have learned, the issue at hand is not really vendor specific, and I didn't want to start another "what firewall is better" debate, because it has been thoroughly covered elsewhere.
September 1st, 2003, 10:08 AM
Cheers for the link, I'll have a good look at it today.
I wasn't trying to say one firewall's better than another, that's one of those endless discussions, everyone's got their favourite. I just wondered if it was a home based firewall or a commercial firewall 'cause they work differently.
September 1st, 2003, 03:09 PM
OK... there are 9 categories of leak tests there... not sure exactly which one you're on about - unless it's all of them?? I haven't gone through all of them in detail, but after a brief look over them they all seem to work in a similar way.
The first one titled 'leak test' is the one from GRC/Steve Gibson, so homenet's first reply still gives you an overview of what is happening.
I think that the second and third categories are what you were referring to in your earlier post, please correct me if I'm wrong. Anyway, both of them are similar in that each 'leaktest' uses a DLL file masquerading as an IE component - GRC's leaktest doesn't (I think, I may be wrong, been a while since I looked at it) do this at the moment. If I recall ZAP correctly, it has a specific program component control area which pops up saying ... such and such a component is new or altered and is trying to access the internet or LAN, do you want to allow it.
Most firewalls with outbound component specific control should have something similar to ZAP. Either you do or you don't let the DLL component access the internet using the browser. If you do then you have allowed a connection and the 'trojan' is through, your data is sent to some dodgy geezer and you're potentially screwed - best of all it might even be your fault that you're screwed if you let the trojan through. If you don't allow the DLL to access the internet, then you should be ok (assuming that no data is sent). Of course if your firewall does not have this type of control and lets the DLL through without asking you for permission then you may as well ditch that firewall cos it's junk. This is all explained on the website link you gave.
The reason that you are always failing the tests is because when ZAP asks you if you want to allow a component to access the internet you have said yes - if the leak tests were trojans you would be screwed. If you say no - as you should be doing to everything asking to connect to the internet UNLESS you know exactly what the program/component is and you're happy for it to access the internet - and you pass the tests, then you're ok. Of course if you said no to the question asking if you wish the program/component to access the internet and you still fail the leak test - either get another firewall or check to see if your version is up to date.
The main thing you have to remember about security is that it is NOT a static state of affairs, it is a fluid environment. You cannot just install something either hardware or software and totally forget about it, you HAVE to ensure that it is up to date and doing its job. Installing any kind of firewall and never keeping it up to date is suicide.
Also it is best policy to deny everything access to the LAN or internet unless you are sure you actually need it to access the LAN or internet.
Hope that explains it
Quis Custodiet Ipsos Custodes
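As an added illustration, not code from this thread or from ZoneAlarm, here is a hypothetical Python sketch of the "new or altered component" check described in the reply above: hash a trusted program and the DLLs it loads once as a baseline, then on a later check report anything new or altered and default to deny. All file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical reimplementation of the idea behind "component control":
# every module a trusted program may load is hashed once (the baseline),
# and a later check reports anything new or altered so it can be denied
# rather than riding on the browser's existing internet permission.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(component_paths):
    """Record the hash of each approved component (program + its DLLs)."""
    return {Path(p).name: sha256_file(p) for p in component_paths}

def check_components(baseline, component_paths):
    """Return {name: 'ok' | 'altered' | 'new'} for the components now loaded."""
    verdicts = {}
    for p in component_paths:
        name = Path(p).name
        digest = sha256_file(p)
        if name not in baseline:
            verdicts[name] = "new"
        elif baseline[name] != digest:
            verdicts[name] = "altered"
        else:
            verdicts[name] = "ok"
    return verdicts

def should_allow(verdicts):
    """Default-deny: any new or altered component blocks the connection."""
    return all(v == "ok" for v in verdicts.values())

def demo():
    """Constructed scenario: a browser, one genuine DLL, then a planted one."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d, "browser.exe"); exe.write_bytes(b"constructed browser image")
        dll = Path(d, "netlib.dll"); dll.write_bytes(b"constructed genuine component")
        baseline = build_baseline([exe, dll])
        # Later a masquerading component appears and the genuine one is patched.
        fake = Path(d, "leaktest.dll"); fake.write_bytes(b"constructed masquerading dll")
        dll.write_bytes(b"constructed genuine component, modified")
        verdicts = check_components(baseline, [exe, dll, fake])
        return verdicts, should_allow(verdicts)
```

Running demo() reports browser.exe as ok, netlib.dll as altered and leaktest.dll as new, so the connection is denied.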
September 1st, 2003, 03:20 PM
It explained it quite well, thank you.