Firewall Vendors' point of view
Vendors' Opinions, October 2005:

AGNITUM OUTPOST
1) About the program:

Outpost Firewall 3.0 provides comprehensive protection against the latest threats, including spyware and sophisticated hacker attacks. Preventative protection integrated into Outpost safeguards the user's system against unauthorized program tampering and malicious hijacking of one application by another. As manifested by the results of the leak test comparison scoresheet, Outpost holds the upper position in the effectiveness of the protection provided.

2) About leak tests

Leak tests represent a great mechanism to test the true effectiveness of a firewall's ability to recognize and prevent the execution of foreign code within the context of a trusted application. Leak tests serve as one of the baseline firewall performance metrics.

That said, however, it is important to understand that making a firewall too tight in terms of security settings greatly offsets its usability. It is possible to create a completely leak test-proof firewall, but it would render working with the computer almost intolerable because of the many user prompts appearing on every action, whether legitimate or not.



KASPERSKY KAH/KIS
There are a number of general algorithms that are used by software criminals to steal users' sensitive information.

They are as follows:
1) Substitution
2) Launcher
3) Default rule
4) Direct Network Interface reaching
5) DLL Injection
6) Direct Process Injection
7) Timing attack
8) DNS Recursive request

The Kaspersky Internet Security suite provides its customers with extensive and complete protection from all the aforementioned techniques by involving a set of specialized services that are able to deal not only with known threats but also with those that have not yet been disclosed to the majority of software criminals, and even with those that have not been invented yet.

As far as the well-known breach techniques are concerned, the Kaspersky Internet Security suite proves its customers' choice by effectively executing tough control over malicious software behaving indecently via well-known means of firewall penetration, including, but not limited to, those that only use direct network access to fulfill their tasks.

The KIS in its entirety easily detects and neutralizes, in the same predictable manner, not only the simplest but also the most exquisite approaches to violating the user's protection and privacy.

Substitution, Default Rule usage, Launchers. These form the least dangerous set of software. The KIS tracks an executable's checksum and component set and uses this information to determine possible code injection. From now on, Substitution has no means left to survive.

The KIS keeps an eye upon an application's runtime environment to detect and block activities which deal with code injection, either directly into the application's address space or indirectly via an attached dynamic library. If any of these activities is detected, the KIS notifies the end user about it and behaves according to the settings the end user has made. There is virtually no limit to the intermediate application chaining before a malicious program finally launches a trusted application. Launchers are offside from now on.

The KIS is shipped with a predefined set of application and packet rules that impose the strictest protection, while remaining as imperceptible to the end user as is at all possible in an environment as hazardous as today's networks. We at Kaspersky Lab still feel obliged to warn our customers against modifying these rules without first thoroughly analyzing the potential results. It is always better to suffer a little from a somewhat slow response of one's computer than to suffer losses as a result of software criminals exploring one's bank account.

The KIS operates not only on the application level but also extends its control to Ring 0, which ensures that no access to any device in the end user's computer can be established unverified and unapproved. This includes, but is not limited to, low-level file access as well as direct access to the network interface. Thanks to this, no application can obtain direct access to the network interface freely, as it has been able to before, and therefore threats exploring this technique have not the slightest chance to transmit the user's sensitive information to software criminals.

As far as the DNS Recursive request issue is concerned, the KIS ensures its customers' privacy and sensitive information protection by disabling the default DNS client, thus forcing applications that use DNS servers to disclose themselves, which makes verifying an application's rights very easy. It is a pity that firewall vendors try by all means to avoid dealing with such an exquisite sort of threat, complaining that this kind of technique is not reported to be used by malicious software yet... "Yet" is the keyword...
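As an added illustration of the checksum-and-component-set tracking the statement above describes, here is a small Python model that is not Kaspersky's code or any product's implementation: a registry records a trusted program's hash and the hashes of its expected DLLs, and a network request is denied when the binary at that path has been replaced (Substitution), when an unexpected module has been loaded into the process (injection), or when a known component has been altered. The file names and contents are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Chunked SHA-256 of a file: the 'checksum' the registry records."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class TrustedAppRegistry:
    """Records each trusted program's checksum and expected component (DLL) set."""
    def __init__(self):
        self.entries = {}

    def register(self, exe_path, component_paths):
        self.entries[exe_path] = (sha256_file(exe_path),
                                  {os.path.basename(p): sha256_file(p) for p in component_paths})

    def check(self, exe_path, loaded_modules):
        """Allow or deny a network request from exe_path given its loaded modules."""
        if exe_path not in self.entries:
            return False, "unknown application: prompt the user"
        exe_hash, components = self.entries[exe_path]
        if sha256_file(exe_path) != exe_hash:
            return False, "substitution: executable checksum changed"
        loaded = {os.path.basename(p): sha256_file(p) for p in loaded_modules}
        extra = sorted(set(loaded) - set(components))
        if extra:
            return False, "injection: unexpected module(s) " + ", ".join(extra)
        changed = sorted(n for n, h in loaded.items() if components[n] != h)
        if changed:
            return False, "component tampering: " + ", ".join(changed)
        return True, "ok"

def demo():
    """Constructed scenario: a trusted browser, then an injection and a substitution attempt."""
    d = tempfile.mkdtemp()
    exe, dll, evil = (os.path.join(d, n) for n in ("browser.exe", "net.dll", "evil.dll"))
    for path, data in ((exe, b"real browser"), (dll, b"real net dll"), (evil, b"injected")):
        with open(path, "wb") as f:
            f.write(data)
    reg = TrustedAppRegistry()
    reg.register(exe, [dll])
    clean = reg.check(exe, [dll])           # genuine program with its expected module
    injected = reg.check(exe, [dll, evil])  # a foreign DLL has been loaded into the process
    with open(exe, "wb") as f:
        f.write(b"trojan renamed to browser.exe")
    substituted = reg.check(exe, [dll])     # binary replaced at the same path
    return clean, injected, substituted
```

A real product does this inside the kernel at the moment of the connection attempt, with the module list read from the live process rather than passed in as paths.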



ZONE ALARM
Zone Labs published a document on July 16, 2004, available here: LINK
We will probably have news from them soon; I will add a news item when that happens.

LOOK'N'STOP
We should have news from them next week; I will add a news item when that happens.
