Kerio 2.1.5 Vulnerabilities!!

jo

REM said:
It looks like System Safety Monitor alone catches these known and published
exploits by checking each executable before allowing it to run. As to what
unknown, unpublished, and possibly more sophisticated exploits go... ?

It certainly looks very good; it is something I have been vaguely
looking for recently and I was pleased to have Aaron point us to it.

I managed to crash it on 98SE while looking through the options; I will
see if I can reproduce this on next boot.

First impressions are excellent though.
 
Aaron

Heh, it doesn't check them, you do :p

And I wouldn't be too smug even if you use this. As of now, SSM can still
be fooled by rootkits.

It certainly looks very good; it is something I have been vaguely
looking for recently and I was pleased to have Aaron point us to it.

I managed to crash it on 98SE while looking through the options; I
will see if I can reproduce this on next boot.

Sadly it's most compatible with Win Xp, then Win2k. Win 98 is least
supported. The next version might even be worse for win 98 users.
 
jo

Aaron said:
Not in this context. Yes, ProcessGuard's primary purpose is to prevent a
process from being terminated and the freeware version guards only one
process besides itself.

But in this context I'm talking about the use of the "program checksum
mode" in it.

This can be set to prevent all but recognised and allowed programs from
running. Run it first in training mode, then lock it to prevent other apps
from running.

There are no restrictions for this function.

Ah. My bad, thx.
In addition, it can automatically block drivers, services from autostarting,
global hooks, etc which protects you from practically all keyloggers.

It is not totally worthless. Have you tried it?

Nope... I read the page hurriedly and misinterpreted what I saw. Thx for
the heads up, I will have a look at it
 
Joe P

Chrissy,

The router prevents inbound connections while I use Kerio to prevent
any outbound access not permitted by a rule. Inbound attempts to
connect to a non-listening port would fail but I don't trust Windows
Update or new programs not to open a port. If something changes before
I notice (not likely, I monitor all installs and 1st executions of
programs with InCtrl5 and Regshot and check open ports regularly) the
router would prevent the inbound connection attempt.

Say for example in Windows98 you have closed ports 137, 138, and 139.
Any small change to your network settings may reopen them.

The only solution is vigilance and staying knowledgeable and up to
date with new attacks or flaws.

Joe P
 
Chrissy Cruiser

Chrissy,
Whatty?

The router prevents inbound connections while I use Kerio to prevent
any outbound access not permitted by a rule.

A real gentleman would do so, of course.
Inbound attempts to
connect to a non-listening port would fail but I don't trust Windows
Update or new programs not to open a port. If something changes before
I notice (not likely, I monitor all installs and 1st executions of
programs with InCtrl5 and Regshot and check open ports regularly) the
router would prevent the inbound connection attempt.

Say for example in Windows98 you have closed ports 137, 138, and 139.
Any small change to your network settings may reopen them.

The only solution is vigilance and staying knowledgeable and up to
date with new attacks or flaws.

Joe P

Very nice explanation. Thanks.
 
jo

Aaron said:
Even SSM is more
suitable for NT and up.

Yeah. Two different crashes from it so far on 98SE. But it is so
absolutely what I want atm, and have been looking for for a while, that
I will accept its flaws and treat it gently.

The help file warns me against putting it in startup :)
 
JanC

John Corliss wrote:
If you use the "deny all" rule, make sure it's the last in the list.
When Kerio 2.1.5 adds a new rule, it puts it at the bottom, even below
the "Deny all" rule. You need to move it above the "Deny all" rule.

You don't need a self-made "deny all" rule, use the slider on the front of
the administration panel instead...
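
The rule-ordering point quoted above, as an added example that is not part of the original thread and is not Kerio's rule format or engine: a toy rule list, assumed to be evaluated top-down with the first match deciding (which is what the advice to move new rules above "Deny all" implies), plus a check for rules that can never fire. The `Rule` fields, rule names and application names are constructed for illustration.

```python
# Added example: toy first-match rule list, not Kerio's own rule engine.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    app: Optional[str] = None    # None matches any application
    proto: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None   # None matches any remote port

    def matches(self, app, proto, port):
        return (self.app in (None, app) and self.proto in (None, proto)
                and self.port in (None, port))

    def covers(self, other):
        """True if every connection `other` matches is also matched by self."""
        return (self.app in (None, other.app) and self.proto in (None, other.proto)
                and self.port in (None, other.port))


def decide(rules, app, proto, port, default="deny"):
    """Assumed top-down evaluation: the first matching rule decides."""
    for rule in rules:
        if rule.matches(app, proto, port):
            return rule.action, rule.name
    return default, "(default)"


def shadowed(rules):
    """Return (rule, blocker) pairs where an earlier rule covers a later one."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                out.append((later.name, earlier.name))
                break
    return out


# Constructed rule sets (names and values are illustrative).
DNS = Rule("DNS via svchost", "permit", "svchost.exe", "udp", 53)
DENY_ALL = Rule("Deny all", "deny")
BROWSER = Rule("Browser HTTP", "permit", "browser.exe", "tcp", 80)
appended = [DNS, DENY_ALL, BROWSER]   # new rule added at the bottom
reordered = [DNS, BROWSER, DENY_ALL]  # new rule moved above "Deny all"

if __name__ == "__main__":
    for label, rules in (("appended", appended), ("reordered", reordered)):
        print(label, decide(rules, "browser.exe", "tcp", 80), shadowed(rules))
```

Running `shadowed()` over a rule list after each newly created rule flags any permit rule that has landed below a catch-all deny.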
 
JanC

jo wrote:
Nope. They can just keep trying till they get a hit. I spent quite a bit
of time with leak tests a few months ago and remember being interested
to see 'notepad' trying to connect out. :)

Well, if you see notepad trying to get out, you know there is something
wrong --> the trojan/spyware/whatever won't survive long...
 
JanC

Kerodo wrote:
Also specify Services.Exe (Win2k) as the app in your DNS rule, or
Svchost.Exe if you use XP. That tightens it up a little more.

Some applications do their own DNS lookups.
 
Richard Steven Hack
