Agnitum Outpost Firewall firewalls topic
  • cooldoc
    #481
    We plan to release version 4.0 early summer this year. First beta version will be released in May. If you would like to participate in beta program please visit http://www.agnitum.com/products/outpost/betatest.php . If you may test Outpost x64 please mention it in your application because we are especially interested in such testers.

    1. Prevention of application’s attempts to inject components into another process
    Windows operating system by design enables installing system interceptors (hooks) through which foreign code can be injected into other processes. Usually this technique is used to perform common, legitimate actions - for example - switching the keyboard layout or launching a PDF file within the web browser window. However, it can be likewise used by malicious programs to embed malicious code and thus hijack the host application.
    An example of a leak test using such a technique to stage a simulated attack is the PC Audit program (http://www.pcinternetpatrol.com/).
    New Outpost will control the installation of a hook interceptor in a process’s address space. This will be implemented via the interception of functions that are typically used by malicious processes (Trojans, spyware, viruses, worms etc.) to implant their code into legitimate processes (i.e. Internet Explorer or Firefox). The behavior of a DLL file invoking such functions will be considered suspicious and will trigger legitimacy verification.
    The old system of Process Memory/Component Control was reactive in a way that Outpost would block access to processes where a new component had been detected. In 4.0, Outpost will prompt which processes you want to allow to embed components into other processes, and those which should be denied such an action. This gives more control over what’s happening on a PC, and enables you to confront spyware programs that use such techniques to defend themselves.

    2. Detection of application’s attempts to gain control over another application
    DDE technology is used to control applications. Most famous browsers are DDE servers and can be used by malicious programs to transfer private information into the network.
    With 4.0, every attempt to use the DDE intercommunication is monitored with no exclusion, whether the process is open or not.
    One example of this technique is Surfer leak test (http://www.firewallleaktester.com/leaktest15.htm). ZABypass is another example of a leak test using this method.
    New DDE inter process communication control will enable Outpost Firewall Pro to control the methods used by applications to get control over the legitimate processes. It will prevent malware from hijacking the legitimate program and will check whether such DDE-level interactivity is allowed to be performed upon the network-enabled applications. In case such attempt is detected, it will trigger legitimacy verification.

    3. Use of SHA256 identification algorithm
    Starting with version 4.0, Outpost will utilize the SHA256 verification routine to identify applications during the process of automatic creation of network access rules through the ImproveNet. This will enable it to provide absolute precision in identifying an application, ultimately bringing more security.
    In the near future the SHA256 algorithm will be used only to identify applications because even on new PCs the SHA256 calculation might take quite a long time.

    4. Suppression of attempts to launch browser with command-line parameters
    Several firewalls are exposed to a vulnerability of predatory code launching the default web browser with command-line parameters, allowing it to circumvent the existing protection because the firewall is made to believe the legitimate application is performing legitimate actions. However, those command-line parameters may contain some piece of private or critical data, along with the host name as the target recipient thereof.
    An example of using such a technique is the Wallbreaker leaktest (http://www.firewallleaktester.com/leaktest11.htm).
    With the new Outpost, your browser will be better protected against tampering thanks to the restricted list of processes that are allowed to start the default browser with command-line parameters.
    Beyond traditional browsers, command-line launch control would apply to all network-enabled applications which are present in the configuration and/or the preset.conf file.

    5. Low-Level Network Access Control
    Some network drivers allow direct access to network adapter bypassing the standard TCP stack. These drivers can be used by sniffers and other malicious programs to get low-level network access and pose an additional risk for the system as traffic passing through them cannot be screened by a firewall.
    New Outpost will allow controlling applications requesting network access bypassing standard methods. This feature strengthens the overall network security level preventing outbound data leakage. http://www.insecure.org/nmap/download.html.
    The user will be able to control an application’s attempts to open a network-enabled driver, meaning that without the user’s authorization, an application won’t be able to send even the ARP or IPX data.

    6. Definition of Preset Macros for Advanced Users
    In the current Outpost version there is no possibility to create “quick” rules allowing advanced users to handily define security rules for their Intranet communications and some Windows-based services (for example, DNS).
    On the other hand, this is a non-trivial task for the ordinary computer user. To make the process of creating the most secure configurations easier, Outpost will feature macro definitions for applications and global rules, which can be used, for example, to designate local network as LOCALNET or all DNS servers as DNS.
    The list of available macro addresses is as follows: DNS Servers, Local Networks, Gateways, WINS Servers, My Computer, All possible My addresses, Broadcast addresses, and Multicast addresses.

    7. Double DNS resolution control
    DNS Client service contains potential vulnerability called DNS tunneling. The main point is that malicious code can transfer and receive any information using correct DNS packets to the correctly configured operating DNS server.
    An example of using this technique is the DNSTester leaktest (http://www.klake.org/~jt/dnshell/).
    Outpost version 4.0 will perform double verification of access to the DNS Client service, providing a more secure system. This enables controlling access to the DNS API even with the DNS Client service on, benefiting users who, out of compatibility concerns, cannot disable this service themselves.
    This new inclusion will allow assigning permissions to a specific process for using the DNS Client service.

    8. Advanced Control of Applications’ Memory
    In version 4.0 the entire memory space used by any active application on a computer will be scrutinized by Outpost (not just that of a network-enabled application). In case of malware trying to modify any legitimate application’s memory Outpost will detect it and display a pop-up prompt asking for your decision. This feature will protect against even “unknown” malware not detected by antivirus and anti-spyware vendors.
    Examples of using this technique are the THERMITE and COPYCAT leaktests (http://www.firewallleaktester.com/leaktest8.htm, http://www.firewallleaktester.com/leaktest9.htm).
    While the old system was reactive—Outpost blocked network access to processes whose memory had been modified—the new system works proactively: it allows you to permit or deny the modification of memory of other processes at the application level. For example, Visual Studio 2005 would be able to modify memory, while the “copycat.exe” leak test would be disallowed from doing so.

    9. Spyware Signature Analyzer
    The spyware analyzer will be improved to better protect from varieties of one single spyware sample, including even “unknown” samples and variants. Spyware Scan will use the unchanged part of the file, not the whole one to better analyze the results.

    10. Active Desktop Control
    By installing a specific HTML file for Active Desktop, malicious processes can transfer private data on behalf of Windows Explorer. An example of using this technique is the Breakout leaktest (http://www.firewallleaktester.com/leaktest16.htm). Outpost will control such attempts to steal data by bamboozling the firewall.

    11. Prevention of attempts to control other application’s windows
    Windows allows applications to exchange window messages between processes. Malicious processes can get control over other applications by sending them window messages and imitating user input from keyboard and mouse clicks. An example of using this technique is the Breakout leaktest (http://www.firewallleaktester.com/leaktest16.htm).
    Here the point is program interactivity through the SendMessage, PostMessage API, and so on. This technique is sometimes used for legitimate inter-process interactivity, but can likewise be used for nefarious purposes by perpetrators.
    Outpost will control such attempts.

    12. Prevention of attempts to modify critical registry entries
    Malicious processes can modify the registry to get network access on behalf of another application, for example, Windows Explorer.
    An example of using this technique is the Jumper leaktest (http://www.firewallleaktester.com/leaktest17.htm).
    These attempts will be temporarily controlled by Outpost’s internal Anti-Leak mechanism. This “proactive” capability will be extended—and even now it offers to select whether you want to allow embedding an object into a certain area of the registry.

    13. x64 Support
    14. Self-protection mode (added later)
    With self-protection turned on, Outpost protects itself against termination caused by viruses, Trojans or spyware. Even attempts to simulate user keystrokes that would otherwise lead to firewall shutdown are detected and blocked. Outpost also constantly monitors its own components on the hard drive, registry entries, memory status, running services, and so on, and disallows any changes by malicious applications. This self-protection enables Outpost to erect a so-called "defense shield" around itself and all of its components.
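Point 7 above names DNS tunneling as the reason Outpost 4.0 gates access to the DNS Client service. From the defender's side, a resolver log is the other place such traffic shows up. The following added example (my own code, not Agnitum's or part of the post) scores query logs for tunnel-like behaviour: many unique subdomains per registered domain, almost all of them long high-entropy labels. The log format, the thresholds and the sample lines are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (format assumed: "<unix_ts> <client_ip> <qtype> <qname>")
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A cdn.example.com
1700000002 10.0.0.7 TXT 3f9a1c7e2b8d4e6f0a1b2c3d4e5f6a7b.t.exfil-example.net
1700000003 10.0.0.7 TXT 8c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.t.exfil-example.net
1700000004 10.0.0.7 TXT a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4.t.exfil-example.net
1700000005 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-example.net
1700000006 10.0.0.5 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character: hex-encoded payload labels sit near 4.0, real host names far lower."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def registered_domain(qname):
    # Naive "last two labels" split; a real deployment would use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(log_text, min_queries=3, min_entropy=3.0, min_label_len=20):
    """Return {domain: stats} for domains whose query pattern looks like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0, "payloadish": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, _, qtype, qname = parts
        dom = registered_domain(qname)
        sub = qname[:-(len(dom) + 1)] if len(qname) > len(dom) else ""
        st = stats[dom]
        st["queries"] += 1
        st["subs"].add(sub)
        st["txt"] += int(qtype == "TXT")
        first = sub.split(".")[0]  # leftmost label is where tunnels carry their data
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            st["payloadish"] += 1
    flagged = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subs"]) / st["queries"]
        payload_ratio = st["payloadish"] / st["queries"]
        # Both signals together: a CDN also has many unique hostnames but readable labels;
        # a tunnel puts a fresh high-entropy label on almost every query.
        if unique_ratio >= 0.9 and payload_ratio >= 0.75:
            flagged[dom] = {"queries": st["queries"], "txt": st["txt"],
                            "payload_ratio": round(payload_ratio, 2)}
    return flagged

if __name__ == "__main__":
    for dom, info in score_domains(SAMPLE_LOG).items():
        print(f"suspected DNS tunnel: {dom} {info}")
```

On the sample log only exfil-example.net is flagged; example.com has three unique subdomains too, but none of them are long enough or random enough to count as payload.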