11-08-2010 10:09 PM
Definitely interesting. I ran the same test on my laptop, Win 7 Home Premium, NIS2011, and can confirm the results of the OP. One screen came up stating that an unknown program was attempting to use Internet Explorer to access the net. I chose to block this instance. Internet Explorer was blocked from access, but the text was sent anyway. I had to go into program rules and unblock IE.
On checking the history, the okay for access was given by Insight, as per the screenshot.
11-08-2010 11:53 PM - edited 11-09-2010 12:00 AM
I've been playing around a bit with this and when Advanced Events Monitoring is on, even without PC Flank running, manually launching IE causes Norton to pop up a security alert exactly like the alert you see when running PC Flank - so the initial IE alert is standard procedure and actually has nothing to do with PC Flank. The keylogger is blocked, but the larger issue is that PC Flank then seems to successfully use OLE to control Internet Explorer. The keylogger is really just a side note - the real test is designed to show that a malicious program could get internet access by using IE.
I'm not sure that "access allowed" by Download Intelligence would permit the leak test to direct the actions of IE. It doesn't seem that it should. So the test results are definitely interesting.
Anyway, Google search results seem to show that a whole lot of firewalls have trouble with this test.
11-09-2010 01:05 AM
11-09-2010 01:07 AM
11-09-2010 04:32 AM
Now I understand from the link you shared that the (pass) or (fail) message is decided by whether the leak test gains control of your Internet Explorer browser through OLE, not by whether data is or isn't transmitted. I tried that, though, and I can confirm that the test is reliable, but its output is ambiguous, because it's supposed to say (your firewall is leaky but the internet connection is disconnected) when you are offline ....
But when you go online you will see the test data that you just provided leaked to their server!!, which is a big fail for NIS2011, no doubt...
I disabled the NIS2011 firewall only, and I have Comodo Firewall installed (with the proactive defense option) on my VirtualBox Win7.
1- started IE manually
2- started PC Flank leak test (Comodo popped up a message that it's malicious software! But I ignored this alert with the "once" option)
3- I typed the test data (Comodo didn't detect the keylogger activity like NIS did!)
4- I pressed next, and voila! Comodo caught it! A message popped up saying:
(PCFlankLeaktest.exe is trying to access a protected COM Interface InternetExplorer.Application.1. If PCFlankLeaktest.exe is one of your everyday applications, you can allow this request.)
I blocked it, and the result:
(your firewall has passed the test) ....
I will try to have both NIS2011 (with the firewall on) and Comodo Firewall installed together and see how it goes for me...
11-09-2010 06:45 AM - edited 11-09-2010 07:39 AM
It is not the firewall of Comodo that causes it to pass but the HIPS component. HIPS is not very useful for most users, as to understand all the alerts you need to know the ins and outs of programs and the operating system.
There is no malicious payload in a leak test. If there were a malicious payload abusing this technique, Norton should block it.
11-09-2010 07:27 AM
You can't really run two firewalls at the same time. First there is no purpose in doing that, and secondly it will cause conflicts that may involve other apps.
11-09-2010 12:27 PM
I agree that the Comodo HIPS component causes it to pass the test, while at the same time the NIS HIPS component fails to do so!
I think the rationale behind the leak tests is painfully simple: "If this test can get past your computer's security defenses, then so can a hacker."
I know that it may cause conflicts; that's why I'm testing it.
11-09-2010 12:45 PM
I think the reason Comodo may have passed the test is that it has a default "block all" rule. Just imagine a security guard that denies all entry except those you manually allow. On the other hand, Norton acts as a security guard that allows all except those that behave "suspiciously."
11-09-2010 02:16 PM
I think that a strange program trying to send some sort of data to its server after keylogger activity, without my permission, is suspicious enough to be blocked.
By the way, I'm a big fan of NIS, but I'm pretty sure that it needs improvements on this kind of OLE leak technique.