Leak & Kill Tests of Kaspersky Internet Security 6.0


10 replies to this topic

#1 IStogov

IStogov

    Crew Chief

  • Founders
  • 487 posts

Posted 18 October 2006 - 08:08 PM

LeakTests

What is Firewall Leak Tester testing?

Nowadays, threats from the Internet are growing, both from the inside and the outside.
To answer a security need from Internet users (us), security software firms have created "personal firewalls", software acting like real hardware firewalls, but on users' computers.
These personal firewalls have network level filtering, that we will name "network filtering", and an outbound application filtering that we will name "software filtering".

Due to the fact that most of these personal firewalls offer reasonable protection against inbound attacks coming from the Internet, we will only study here their software filtering, outbound filtering that can be stressed by Trojans which try to initiate themselves by connecting to the outside to transmit data out.

To test this software filtering feature, many leaktests ("leak" tests) exist; they are programs created by different authors, each trying to bypass the personal firewalls with his own trick.

Test Results
leaktest.JPG leaktest_blocked.JPG
http://www.firewallleaktester.com/


Kill Tests
Finally, from the firewallleaktester.com definition, Kill Tests are termination tests, not leaktests.
A leaktest will try to bypass your firewall stealthily without attacking it; its purpose is to hijack a trusted communication flow to go out undetected.
A termination, on the other hand, is a direct and brutal firewall attack to disable its security. All eventual subsequent network accesses will be "standard" accesses.


Firewall termination defense scoreboard explanation (details column explanation in the table below)

V : This icon means that the firewall is successfully blocking the termination method, and possibly warns the user about it. This is the safest and most secure result.

+ : This icon means one of the following possibilities:
- the firewall interface and/or service was terminated, but the network protection was still active
- the firewall was freezing or eating all CPU, but the network protection was still active
- Windows was freezing or crashed

This result is still "safe". Some firewalls, while terminated, switch the traffic off; nothing can get in or out.

X : This icon means that the firewall is terminated by the termination method, and its network security is disabled. That means that once terminated by this method, anything can send data out.
This is bad, since malware can disable the firewall before sending data out without using leaktest methods.

Defense scoreboard
Termination_defense.JPG
http://www.firewallleaktester.com/
I'm not a gold coin to be liked by everyone

#2 norwegian

norwegian

    Frequent poster

  • Moderators
  • 1097 posts

Posted 19 October 2006 - 02:25 AM

Wonder if the latest build would have the same results? Or have the improvements been passed to version 303 via updates?

Guess when the new version comes out they will have to test again. :)

Great that it's second on the list. Thanks for the improvements so far to the team. The users asked, and the team has proven themselves. Why would you go anywhere else? :D

#3 Sall

Sall

    Rookie

  • Members
  • 28 posts

Posted 02 February 2007 - 07:23 AM

I just tested the ghost leaktest from http://www.firewallleaktester.com/

And KIS didn't catch this one :)

I guess that ghost test is a tough one.

#4 Lucian Bara

Lucian Bara

    Jedi Master

  • Global Moderators
  • 912 posts

Posted 02 February 2007 - 09:22 AM

> I just tested the ghost leaktest from http://www.firewallleaktester.com/
>
> And KIS didn't catch this one :)
>
> I guess that ghost test is a tough one.

hello
you have to activate "Starting browser with parameters" in the activity analyzer settings for kis to pass it.
Intel Core 2 Duo E4500 @ 2,2GHz, Msi Asus P5PL2-E, 2048MB-DDR2 (2*1024), Leadtek PX6600 256MB, Teac DV-W516GA, Leadtek tv2000 xp Expert, HDD 200GB*2 (sata/sata2)
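
Added example, not part of the thread and not Kaspersky's code: a sketch of the kind of check a setting named "Starting browser with parameters" implies, run over constructed process-creation events. The browser list, the trusted-parent list and the event format are assumptions made for illustration.

```python
import ntpath
import shlex

# Assumed names, not taken from any product: browser image names and the
# parent processes normally expected to start a browser with arguments.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
TRUSTED_PARENTS = {"explorer.exe", "outlook.exe"}

# Constructed process-creation events (parent image path, child command line).
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" http://example.com/'},
    {"parent": r"C:\Temp\unknown_tool.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://example.net/page'},
    {"parent": r"C:\Temp\unknown_tool.exe",
     "cmdline": r'"C:\Windows\notepad.exe" notes.txt'},
]


def split_cmdline(cmdline):
    """Split a Windows command line into (image path, argument list)."""
    # posix=False keeps backslashes literal and keeps quoted paths as one token.
    parts = shlex.split(cmdline, posix=False)
    image = parts[0].strip('"') if parts else ""
    return image, parts[1:]


def classify(event):
    """Return 'ignore', 'allow' or 'alert' for one process-creation event."""
    image, args = split_cmdline(event["cmdline"])
    if ntpath.basename(image).lower() not in BROWSERS:
        return "ignore"   # not a browser start, out of scope for this check
    if not args:
        return "allow"    # browser started without parameters
    parent = ntpath.basename(event["parent"]).lower()
    # The browser is normally a trusted application for outbound filtering, so
    # a start with parameters is only accepted from an expected parent.
    return "allow" if parent in TRUSTED_PARENTS else "alert"


def alerts(events):
    """Return the events that should raise a prompt or a log entry."""
    return [e for e in events if classify(e) == "alert"]
```
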

#5 FadeToBlack

FadeToBlack

    The Hitman

  • Members
  • 137 posts

Posted 09 February 2007 - 07:43 PM

The bad thing about leaktests is that they don't reflect the real life situation. Most annoying thing is that products get a lot of development into passing leaktests, but when new ones show up security software usually fails to block those. In my opinion KAV's Proactive Defence needs a lot of improvement in this area and the tests must be passed without modifying settings or other "tricks".

Edited by FadeToBlack, 09 February 2007 - 07:48 PM.

Regards,
Michael

#6 Lucian Bara

Lucian Bara

    Jedi Master

  • Global Moderators
  • 912 posts

Posted 09 February 2007 - 08:47 PM

you mean like outpost and fpr? :)

as for kav it depends what protection settings you choose, interactive or basic protection, these determine the activated modules in the proactive defense.

#7 FadeToBlack

FadeToBlack

    The Hitman

  • Members
  • 137 posts

Posted 10 February 2007 - 01:11 AM

What about that? It got fixed. That guy is an idiot. He's always on Agnitum's nerves even though they fixed the bugs. Kaspersky guys paid him too much attention. Leaktesting can be done at any given time without much problems by anyone using Outpost, but using KAV/KIS is a little more difficult. After all, leaktests should be passed by default, right?
I am talking about Proactive Defence here though :), which seems to be made only for leaktesting. I do not have doubts that in real life situations it works (from what I have seen at AV-Comparatives), but for leaktesting it is a somehow easy target. The marketing department is always having work to do (as I can see both here and Agnitum), no worries there.

Edited by FadeToBlack, 10 February 2007 - 01:14 AM.

Regards,
Michael

#8 Lucian Bara

Lucian Bara

    Jedi Master

  • Global Moderators
  • 912 posts

Posted 10 February 2007 - 01:24 AM

not really, the dangerous behaviour + rootkit + strange values & strange activity is the malware catching thing (x.generic , trojan, p2pworm, and so on) and invader to some extent (it gives you rollback ability but you have to find the process that started it all)

integrity control is something that novices should not enable,

the starting browser with parameters is the only thing i can think of that only has its value in leaktests.

#9 FadeToBlack

FadeToBlack

    The Hitman

  • Members
  • 137 posts

Posted 10 February 2007 - 02:35 PM

Well, I believe it has a great value in real life terms, but it was made for leaktests. I honestly do not see the point of leaktests. I know someone that has a friend working for the US Army. He bypassed his router, his firewall and then copied a file from his computer as a proof. The router companies have an agreement with the US and they give access to any router they make. So, I honestly do not see the point of passing leaktests when people can enter your PC just like that with the most tight security.
Regards,
Michael

#10 Lucian Bara

Lucian Bara

    Jedi Master

  • Global Moderators
  • 912 posts

Posted 10 February 2007 - 04:55 PM

some of the features in the proactive defense are not for leaktests, they really don't stop any leaktests they are for other things.

#11 FadeToBlack

FadeToBlack

    The Hitman

  • Members
  • 137 posts

Posted 10 February 2007 - 10:05 PM

I didn't say that, however I am very glad that it's very effective in real life conditions :whistle:.
Regards,
Michael