waking

Can't pass GRC leak test


Using OA Firewall Free 5.5.0.1616

Windows XP (Media Center) 32-bit SP3

Kaspersky Antivirus 2012

I have a similar issue with LeakTest. I get the Program Guard popup asking if I want to let it run. I reply "Allow" (it's *not* trusted) and the program starts. When I click on the "Test For Leaks" I get *no* popup from the Firewall, and the Leak Test says: "Firewall Penetrated".

I have had the popup asking if I want to allow Internet access from *other* programs, so I know that it works generally. But as LeakTest masquerades as a program which is probably already trusted for Internet access it doesn't appear (under the name of LeakTest) in the Firewall's list of programs. (Nor probably in a log file either.)

How can I get it blocked?


I thought LeakTest did some clever impersonation tricks to fool the firewall into thinking it's a trusted program. But after re-reading the description it looks like that has to be a manual task by the user. So if that's not what it's doing, why doesn't OA catch it? The name "LeakTest" doesn't appear in the firewall's list of programs, nor does it appear in a log file made during the tests.

If I set OA to block all network traffic, LeakTest will fail. So it appears to be actually going out to the Net.

Something else which is very bizarre. Since LeakTest didn't appear in the Firewall's Programs list, I manually added it and then set it to "Blocked". I then reran LeakTest - with the exact same result! I was prompted to allow it to run or not. I allowed it (not Trusted) and when the program dialog appeared I clicked the button to run the test: "Firewall Penetrated!"

It seems to be bypassing the firewall's protection altogether (except when all traffic is blocked).

----------------------------

Update: Well this is a fine kettle of fish!

If I turn *off* all KAV protection, LeakTest gets blocked by OA! Also, when I removed the entry in the firewall's Programs list which I had manually entered I get the expected popup from OA telling me that LeakTest wants to access the internet and should I allow it.

When I turned KAV protection back on - LeakTest again slips through without OA seeing it.

I also tested by turning off individual protection components in KAV - Web Anti-Virus, IM Anti-Virus, Mail Anti-Virus, and even File Anti-Virus. LeakTest still slipped through - only turning KAV off completely allowed OA to detect LeakTest's activity.


>I have a similar issue with LeakTest. I get the Program Guard popup asking if I want to let it run. I reply "Allow" (it's *not* trusted) and the program starts. When I click on the "Test For Leaks" I get *no* popup from the Firewall, and the Leak Test says: "Firewall Penetrated".

Please pardon my confusion, but it sounds like Online Armor passed the leak test. In a real-world situation, would you have clicked 'Allow' for an unknown application that seemed suspicious?


>Please pardon my confusion, but it sounds like Online Armor passed the leak test.

Hardly. (Well, actually it did after I turned KAV off.)

>In a real-world situation, would you have clicked 'Allow' for an unknown application that seemed suspicious?

I would - and often have - clicked "Allow" and "Remember ..." for applications. This allows them to run, but with the "Ask" setting for all activities which are being monitored. I have run applications for some time like this, and then when one does something that requires access to the Net - such as checking for updates - OA informs me that the program wants to access the Net and gives me the choice to Allow it or Block it.

As I said at the end of my last post, with Kaspersky Antivirus protection off, that is exactly how OA handles LeakTest. It asks me if I want to let it *run* (Program Guard), and I Allow it. Then when I click the button to start the test, OA informs me that LeakTest wants to connect with the Internet (Firewall), and I Block it. With KAV protection enabled, OA fails to alert me that LeakTest is trying to access the Internet. (Note that this is with Kaspersky *Antivirus*, not Internet Security.) Even if I manually set a Program Rule for LeakTest in the Firewall to Block it always, the setting is ignored - and the log file shows no indication that LeakTest ever went through the Firewall.

If I understand the implications of your question correctly, if we:

(a) Allow a program to run, then it automatically has access to the Net. (Which isn't true - unless we make it Trusted.)

(b) Block the program so it doesn't run - in which case it can't access the Net or do anything else.

Nowhere in those two scenarios is there any suggestion of a role for the *firewall*. But in the "real world" there is, and it comes after we "Allow" a program to *run*, but *don't* mark it as Trusted - and when the Firewall has a setting of "Ask" for the program.

Amendment: Since the Firewall doesn't have an "Ask" setting in the Programs list, my last comment should have read "when the Firewall doesn't have an "Allowed" setting for the program, or has no entry at all for it."


My apologies for the confusion. My implication was more along the lines of pointing out that the HIPS in Online Armor attempted to block the leak test, which is technically a pass (since OA did detect it and did offer to prevent it from running). My question was intended to demonstrate that, had you selected to block it from running, that Online Armor would have protected you.

As for why the firewall didn't warn you about the leak test, I would need to know more about this leak test before I knew why it wasn't blocked. (see below for explanation)


As an addendum to what I just posted, I spoke to Andrey about this, and he mentioned that KAV has a network filter driver (I think it acts as a sort of proxy) that prevents third-party firewalls from filtering network traffic, which is why OA did not warn you about the leaktest trying to access the network.


>I spoke to Andrey about this, and he mentioned that KAV has a network filter driver (I think it acts as a sort of proxy) that prevents third-party firewalls from filtering network traffic, which is why OA did not warn you about the leaktest trying to access the network.

Thanks for that. It sounds reasonable.

If true, that's rather disconcerting since it appears to mean that with KAV (and not KIS) I will have little or no outbound firewall protection.

I have found a short thread in the Kaspersky forums with posts from two users who discovered the same problem using Windows firewall. When any one (or more) of the protection components for email, IM, or Web shield is (are) enabled KAV intercepts outgoing Net traffic. After satisfying itself that it's OK it passes it through to the firewall - *but* under its own program name (avp.exe). So any non-Kaspersky firewall will never see the name of the actual program that's accessing the Net and can't control it. The firewall only sees that KAV wants to send something to the Net and of course that's allowed as KAV is a Trusted (or excluded) program.

Also, there remains an apparent inconsistency. As I mentioned in my earlier posts, OA *does* (has) popped up a warning about a program trying to access the Internet *with* KAV 2012 protection enabled. For example, when clicking on a link to check for updates, e.g. Adobe Reader, which uses another process (AdobeARM.exe) to access the Internet. With *no* Firewall rule set for AdobeARM.exe, OA will pop up the dialog asking if I want to Allow or Block this Internet access. It appears that in some cases a particular program may not get filtered by KAV in the way described above.

In any event, it's apparently not an OA problem so thanks for the feedback. If Kaspersky is unresponsive, unwilling or unable to change this behavior, I'll have to consider my options: use KIS rather than KAV, or try another anti-virus program and see which one(s) respect the role of 3rd-party firewalls and let them do their job.

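The behaviour described in this thread, as an added example that is not part of any post and is not code from Online Armor or Kaspersky: a simplified model of a per-program firewall that can only match rules on the process owning the socket, placed behind a scanner that re-sends intercepted traffic under its own name. The program names come from the thread; selecting traffic by port, and the port numbers themselves, are assumptions made for the model.

```python
from dataclasses import dataclass

ALLOW, BLOCK, ASK = "allow", "block", "ask"

@dataclass(frozen=True)
class Connection:
    owner: str      # process the firewall sees as owning the socket
    origin: str     # program that really started the traffic (invisible to the firewall)
    port: int

class AppFirewall:
    """Per-program outbound filter: it can only match rules on the socket owner."""
    def __init__(self, rules):
        self.rules = dict(rules)
        self.log = []

    def decide(self, conn):
        verdict = self.rules.get(conn.owner, ASK)   # no rule: prompt the user
        self.log.append((conn.owner, conn.port, verdict))
        return verdict

class InterceptingProxy:
    """Scanner that takes over selected outbound traffic and re-sends it as itself."""
    def __init__(self, name, ports, enabled):
        self.name, self.ports, self.enabled = name, set(ports), enabled

    def forward(self, conn):
        if self.enabled and conn.port in self.ports:
            return Connection(self.name, conn.origin, conn.port)
        return conn     # not intercepted: the firewall sees the real owner

INSPECTED_PORTS = {25, 80, 110}   # assumption: constructed values, not from either product

def run_scenario(proxy_enabled):
    """Return (verdicts by originating program, names the firewall logged)."""
    fw = AppFirewall({"avp.exe": ALLOW, "LeakTest": BLOCK})   # manual Block rule, as in the thread
    proxy = InterceptingProxy("avp.exe", INSPECTED_PORTS, proxy_enabled)
    attempts = [("LeakTest", 80), ("AdobeARM.exe", 443)]      # constructed sample traffic
    verdicts = {}
    for program, port in attempts:
        verdicts[program] = fw.decide(proxy.forward(Connection(program, program, port)))
    return verdicts, [owner for owner, _, _ in fw.log]

if __name__ == "__main__":
    for enabled in (True, False):
        print("proxy enabled:", enabled, run_scenario(enabled))
```

With the proxy enabled, the Block rule for LeakTest is never consulted and the firewall log contains only avp.exe for that connection; with it disabled, the same rule blocks the traffic.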
