Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Safesquid

someone

By someone
in Security & Privacy Center

Recommended Posts

Bizarre™

Bizarre™

Posted
Posted

@someone:

My screenshots are not example of HIPS.

Also, have you read Matousec's Introduction?

Question: What kind of products are suitable for Proactive Security Challenge testing and which are not?

Answer: We often receive requests to test security products that are not suitable for Proactive Security Challenge. It is important to understand what kind of products do we test. The primary requirements are that the product implements application-based security model and behavior blocking. This means that it allows its users to control selected actions of applications. Among behavior blocking capabilities, the product must be able to control applications' network access. Then we require the product's project to be alive. We are not interested in already dead projects without a future although exceptions may appear. Finally, we require the tested version of the product to be stable, publicly available in English and run on Windows OS that is currently supported by the challenge. Most of the products called an Internet security suite, a personal firewall, a HIPS, a behavior blocker do meet all these criteria and hence they are suitable for Proactive Security Challenge testing.

ESS clearly meets the criteria from Matousec: Link

Here's a detailed report for ESS from Matousec: Link

Thus concludes why ESS firewall sucks.

Link to comment
Share on other sites
  • Replies 35
  • Views 4.8k
  • Created
  • Last Reply
someone

someone

Posted
  • Author
Posted

I know yours screenshots is about the firewall part.... and because of this i asked you if some of the features in the screenshots are in the tests.... if none of the Firewalls features are being tested you cannot conclude if it is good or bad by this test... the test is about hips and only about hips features... seein by your point so all Firewall linux distro sucks because it not have hips and it cant score good in a matousec test? all routers suck because it not have hips? Firewall is for application netwotk actvities not to control direct disk access, memory injection... the only test at matousec i think is reasonable is the one that test the self-defense protection. ESS firewall can suck... i'm not saying it's good because i not used it much but matousec not is the right place to confirm this. From matousec test you can only confirm the protection relationed to the ESS hips is limited. none information about the firewall.

Link to comment
Share on other sites
Bizarre™

Bizarre™

Posted
Posted

@someone:

If you think that Matousec is inadequate then can you give us a site that gives a much comprehensive test for firewalls?

Besides, why are you putting words in my mouth? I didn't mention anything about Linux / Router / other OS firewall.

I believe we are going off-topic. This thread is about Safesquid proxy. I'm going to stop my rant now :)

Link to comment
Share on other sites
someone

someone

Posted
  • Author
Posted

yes a great off topic indeed ! sure i'm only chating about this with you guys because i think you guys can have good points to talk about too. Tests about firewall is difficult to find.... not know if have some independent organization/tester... anyway http://www.grc.com/x/ne.dll?rh1dkyd2 and http://www.pcflank.com/ can be used to this but is very basic. What is tested here is the Firewall part... how it stealth you and react for a port scanner and things like that. But i think a more complete test will be better.

Last word about this: If you have time, take a machine that are direct connected to internet and install Malware defender. Is a good HIPS and score 89% -- 10+ . take a look at the network protection and see if it have the options that Comodo, Outpost and ESS firewalls have. Now make some of this above test and see how it perform. make a scan with nmap or another tool and see how it perform. Last time i tried malware defender can't prevent the ping test at grc.com. but this is because it is not designed to do this... is designed to make file protection, system protection and in/out control. Stealth and this type of thing is not malware defender job do (in this case most people i see using malware defender are behind a router) but even without this options it score high at matousec because the network protection is not tested, what is tested is the file/system protection.

Kaspersky score 96% -- 10+ and the firewall even stealth all your ports (some are only closed) - but in a system not patched the simple fact that you are visible can be a problem maybe.

anyway thx for your time and for share you knowledge.

take care.

Link to comment
Share on other sites
Bizarre™

Bizarre™

Posted
Posted
yes a great off topic indeed ! sure i'm only chating about this with you guys because i think you guys can have good points to talk about too. Tests about firewall is difficult to find.... not know if have some independent organization/tester... anyway http://www.grc.com/x/ne.dll?rh1dkyd2 and http://www.pcflank.com/ can be used to this but is very basic. What is tested here is the Firewall part... how it stealth you and react for a port scanner and things like that. But i think a more complete test will be better.

Here's my answer.

Termination tests' methodology

Question: The methodology for termination tests seems to indicate that termination of any of the security product's processes results in a failure in the test. I disagree with that methodology as the main features of the product may be unaffected by the termination (e.g. if the process that was terminated was only the tray icon) or the product may have some kind of "fail-safe" (e.g. blocking all connections if the processes are not running). I think a test (e.g. "leaktest.exe") should be run after a termination to see if the protection is still working or not. If the product stopped the test after the termination it should receive a partial score (e.g. 50% of the normal score for the termination test).

Answer: The idea behind our scoring system is the simplicity of the tests. We can not really say how the termination of one component affects the whole protection system unless we analyse the system deeply. We do not do that in Proactive Security Challenge. Imagine a product that implements the GUI component which communicates with the user. Imagine that if this component is terminated, the product blocks all connections to the Internet. You say that if we run "leaktest.exe" to verify the protection, it will tell us whether the protection is weakened. In a classic model of a driver, service and GUI component there are communications channels opened between these components. And these channels may be implemented so that only one connection is allowed to prevent malicious software to connect to the channel and send requests over it. If the GUI component is terminated, it may become possible to connect to these channels and attack the service or driver component through them. The verification you suggest does not reveal this case and there are many other situations that should be verified before we could say that the protection was not weakened. Termination of any of the product's component is a security issue. In our scoring system it is penalized and we are not aware of any easy modification that would make the system more accurate or more fair.

Last word about this: If you have time, take a machine that are direct connected to internet and install Malware defender. Is a good HIPS and score 89% -- 10+ . take a look at the network protection and see if it have the options that Comodo, Outpost and ESS firewalls have. Now make some of this above test and see how it perform. make a scan with nmap or another tool and see how it perform. Last time i tried malware defender can't prevent the ping test at grc.com. but this is because it is not designed to do this... is designed to make file protection, system protection and in/out control. Stealth and this type of thing is not malware defender job do (in this case most people i see using malware defender are behind a router) but even without this options it score high at matousec because the network protection is not tested, what is tested is the file/system protection.

First, let's define a firewall.

Now, let's review Malware Defender.

Let's see what Matousec has to say.

Security products versus Proactive Security Challenge, instead of malware

Question: How is avoided a danger that security product vendors will start to focus on fighting against Proactive Security Challenge instead of malware? The reason can be immediate positive business impact of successfully passed tests.

Answer: We have faced this problem since leak-testing. Some vendors really fight the tests and not their attacking techniques. Some vendors optimize against the given set of tests rather than solving the causes. If we have a suspicion that the tested product attacks some test directly, we use internally modified versions of the tests to prove it. If we can prove such behavior, we mention this in the report and the product fails the test. Another situation is when the vendors blindly add functionality to their software to pass some technique. In such case, their users might be confused by absurd, false, misleading or somehow bad alerts, popups and questions. In this case, such a product might get through our tests but it would be unusable for most of users. We hope that vendors will not do this for their own good. To prevent the unwanted behavior of the vendors, we are going to add new tests to the system and test selected products against the new tests without prior notices to their vendors. For this purpose we will select, preferentially, the prodcuts of those vendors that concentrate on fighting the tests instead of the real security of their products. This approach should give us more accurate results in a sense of their real security. Finally, we have also set a fixed rules about the frequency of testing, this should also help. However, our original rules about paid retesting allowed vendors to make quick silent fixes and order retesting with the only intention of replacing the old results with new and better results. This is why we have added new rules that limit paid retesting too.

Kaspersky score 96% -- 10+ and the firewall even stealth all your ports (some are only closed) - but in a system not patched the simple fact that you are visible can be a problem maybe.

I can agree with that.

Link to comment
Share on other sites
someone

someone

Posted
  • Author
Posted

Wikipedia said:

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.

From this description you see something about file/services/system protection against malware being job of a Firewall take care?

"designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria"

"It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains"

"computer traffic between different security domains"

How now seeing matousec test you can say firewall X is good and firewall Y is bad if any of this mentioned descritpions are tested? What is tested is the HIPS component... is the proactive challenge testing the HIPS/behaviour blocker or anything like that module.

I repeat: i'm not saying ESS firewall is good, but matousec is not the right place to confirm this.

Maybe ESET not implemented A full HIPS because the main target and the main users type that buy it is the "normal" home user and he not wish be bored with questions like:

"explore.exe is executing ieexplore.exe" allow/deny?

"appx.exe in C:\ program files\ are creating a key in HKEY_xxxxxxxxx\ blablablabla\ yyyyyy\unknowthing" allow/deny?

Even comodo are making great efforts in make the HIPS module less intrusive.

I look at the ESS be designed to work like: the Firewall module take care of the:

"to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria"

and the AV take care of the malware trying infect the machine whatever can be the vector. If you cannot trust ESET AV can maintain you system clean why use it so?

if your system are protected by the firewall from the internet and the LAN and you trust your AV can alert you about something infected BEFORE it execute you not need a HIPS.

And this type of design is the better for the common user - or a HIPS implementation by policy like Defensewall/Geswall/AppGuard - is more user friendly and can protect better because it not depend from the user knowledge. If you see http://www.av-comparatives.org/comparativesreviews/single-product-reviews Defensewall scored 100% againt real malware and not displayed crazy popups.

Link to comment
Share on other sites
HX1

HX1

Posted
Posted

I kind of feel the same..on the general idea here.. BUT I think the focus Bizarre is putting on this is that several areas of a system can be compromised using different methods. I have read is several places that the solution simply NOT a good firewall. There are MANY other areas which need to be addressed as well. It something that I overlook because I do it as a habit.. and have for so many years... When I setup a system I disable any and all un-necessary services and block anything I don't need.. I always felt that 'Well.. I am definitely not going t be able to be hit there anymore..LOL'.. Proactive Security measure will always go beyond throwing up a shield..and will depend on the User action who is setting behind the compute and the knowledge they have to actively protect themselves.. and the manner in which they configure a system and with what considerations...

After looking at HIPS and NIPS for a while I did realize that the need for HIDS in several areas would be ideal for individuals with other system/operative considerations and programs. The thing is that a lot of this has changed over the last two years... Some things we don't really have to watch as closely due to changes in our OS, and settings that are altered/protected. Exploits will always exist.. ad wherever someone is making a doorway there is always someone looking for a way to pick the lock, to the door that is still being made....

Link to comment
Share on other sites
Mo Husen

Mo Husen

Posted
Posted

I kind of feel the same..on the general idea here.. BUT I think the focus Bizarre is putting on this is that several areas of a system can be compromised using different methods. I have read is several places that the solution simply NOT a good firewall. There are MANY other areas which need to be addressed as well. It something that I overlook because I do it as a habit.. and have for so many years... When I setup a system I disable any and all un-necessary services and block anything I don't need.. I always felt that 'Well.. I am definitely not going t be able to be hit there anymore..LOL'.. Proactive Security measure will always go beyond throwing up a shield..and will depend on the User action who is setting behind the compute and the knowledge they have to actively protect themselves.. and the manner in which they configure a system and with what considerations...

After looking at HIPS and NIPS for a while I did realize that the need for HIDS in several areas would be ideal for individuals with other system/operative considerations and programs. The thing is that a lot of this has changed over the last two years... Some things we don't really have to watch as closely due to changes in our OS, and settings that are altered/protected. Exploits will always exist.. ad wherever someone is making a doorway there is always someone looking for a way to pick the lock, to the door that is still being made....

That's why I only use Windows Xtra Protection :rofl:

Link to comment
Share on other sites
Bizarre™

Bizarre™

Posted
Posted

@heath28m:

At last, someone who understands my POV :)

@someone:

I have nothing more to say. I don't think you'll ever understand my point.

I shall leave you to your own device.

Link to comment
Share on other sites
someone

someone

Posted
  • Author
Posted

"I shall leave you to your own device. "

if you think this is what you need do... ok so... i really want understand your point - i think i can learn something from it... but until now i can't.

"I don't think you'll ever understand my point." ----- i say for you the same.

you see - HIPS/BB only add another layer of protection - another module in the SS making ONE protection - if the HIPS module suck you cant condem the entire SS or the firewall module. what is bad is the HIPS module. only.

Last open question - if matousec really is a test firewall why they changed the name from " Firewall test" for "Proactive test" ?

again thx for you time. take care

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...