Just out of curiosity I tried this ridiculous leak test: http://www.grc.com/lt/leaktest.htm
On clicking "Test for Leaks" a connection was established right away. There is no dialog coming up, there is no rule for this program and yet Outpost allows the traffic.
LEAKTEST[1].EXE grc.com Browser HTTP connection OUT CLOSING TCP HTTP 3615 0 Bps
Hello gottcha,
Did you follow the instructions on how to use this test (http://www.grc.com/lt/howtouse.htm)?
Excerpt: Look through your firewall's permissions for the filename of any program that is granted access through the firewall. Then simply rename LeakTest to that name (just as a Trojan, virus, and spyware would) and run it.
Attached the results of the test.
Right, the CC is irrelevant for this test imo. I've already said that this test fails on one computer while it doesn't on the other with the same settings. That is the strange thing here.
Turning on the highest log settings didn't give me any useful information either. Outpost basically tells me on the failing machine that it is allowing HTTP traffic (without any rules) and on the other it correctly logs "learning mode".
The entire sequence of events.
Picture 2. I purposely clicked allow, still no penetration.
P.S. Forum allows 5 pics only. The last one indicates there was no connection as per pic in other post.
what version of op? what are your host protection settings? did you ever run the leaktest when in auto-learning or rules wizard mode? i had to clean out the entry for it in the component control section and remove the rule in the apps rule section after leaving learning mode. once you create the rule and 'fail', you'll need to go back in and remove the app rule and the component entry to start 'fresh'
edited:
ah, refreshing page shows you've cracked it. OP's default settings are not the most secure ones, they are the beginner settings, so many people using it for the first time did not understand the component control prompts and complained about it being so hard to make the block/allow decisions that they set it that way. more experienced users can set it to a more secure level. this particular setting was discussed earlier in another thread tho not in the context of 'leaktest'
For me it can happen only when warning about starting new or unknown executables is activated.:rolleyes:
You know, Kurt, I think it is always best to verify all settings in all apps. I do, also when importing OFP's configuration from one version to another.
But, in this case, I really do not know why this setting is not ticked by default. Perhaps we should ask Agnitum about this?
It doesn't matter how or where I run this program or what name it has.
The outcome is always the same:
http://i29.tinypic.com/34o3nsx.jpg
gottcha,
are you using the latest NOD32, version 3.0?
KAV 7 and NOD32 3 apparently do the same, port 1110 (later versions also use port 19780 I think) is the proxy.
Is component control activated?
Here is the sequence of events in pictures after I renamed leaktest.exe to the name of one of my network apps (iexplore.exe).
KAV does not intercept traffic at all since Web-Control is deactivated on both systems.
Unless someone has a founded explanation please don't bother, I am sure Agnitum support will get back to me soon.
Just for info.:rolleyes:
The Protocol anti-leak control is always allow exe.;)
The only thing for me now is to prevent access to the CC.
Regards Kurt
I do not have any solution to propose but in case you are interested, I am using the same version of Outpost, KAV 7 antivirus (with Web antivirus activated, so everything goes through KAV port 1100) and Windows Vista Home Premium. I did the test and there was no communication between my PC and the server. I got a warning about the executable, I allowed it and then nothing. No more notifications. Just that the leaktester could not communicate with the server. Follow the "A Guide to producing a Secure configuration for outpost". Someone has proposed it before. It is quite big but take it step by step, reading the explanations as well.
I got a prompt for rules with or without component control enabled when I ran leaktest.exe. Naturally, I removed leaktest.exe from the components list between tests. With CC disabled, after I blocked leaktest.exe (via the rules dialogue), the test said Unable to connect anyway.
Hello gottcha,
The message that a new program to access calls while I have never received.
http://i32.tinypic.com/2nak7j4.jpg
Best Regards Kurt
Are you renaming leaktest.exe to the name of one of your apps (one in your network rules for example)? This has to be done for the test to work as intended. LeakTest v1.x is used by RENAMING it — from LeakTest.exe to some other program filename — to simulate the behavior of malware which could easily alter its own name in order to masquerade as a valid and permitted application. Please read the instructions per link I posted above!
I once tried this test without any firewall, it also gave the message that my firewall was penetrated.
No, Kaspersky KAV7 is installed. But here as well on both systems I ran this test.
You may have to modify settings according to this KAV 7.0 kb (http://www.agnitum.com/support/kb/article.php?id=1000030&lang=en#15) so the leaktest will pass.
KAV does not intercept traffic at all since Web-Control is deactivated on both systems.
Unless someone has a founded explanation please don't bother, I am sure Agnitum support will get back to me soon.
Well, if you are sure you don't see any connections to 1110 or 19780 while connecting to websites or anything else I guess you're right..
However, I experienced your issue myself with both KAV7 (my old AV) and NOD32 (my new) when testing with leaktest.
Changing some settings in NOD32 limited this tunneling behaviour to only my browsers, and not everything else, and after this the test passed (couldn't penetrate).
When you asked Agnitum I hope you mentioned what antivirus you have in your question.
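As an added example (not part of any post in this thread), the proxy idea raised above can be checked from `netstat -ano` output: look for a loopback listener on the ports the thread names and for other processes connected to it. The port numbers are the ones quoted in the thread, whose poster was not sure of them; the sample output, PIDs and addresses are constructed, and `find_proxy_tunnel` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Ports named in the thread as the antivirus proxy (the poster was unsure of them).
PROXY_PORTS = {1110, 19780}

# Constructed sample of `netstat -ano` output; PIDs and addresses are invented.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1110         0.0.0.0:0              LISTENING       1832
  TCP    127.0.0.1:3701         127.0.0.1:1110         ESTABLISHED     5288
  TCP    127.0.0.1:1110         127.0.0.1:3701         ESTABLISHED     1832
  TCP    192.168.1.20:3702      192.0.2.80:80          ESTABLISHED     1832
  TCP    192.168.1.20:3710      192.0.2.10:443         ESTABLISHED     4100
"""

# Proto, local addr:port, foreign addr:port, state, PID (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
LOOPBACK = ("127.", "[::1]")


def find_proxy_tunnel(netstat_text, proxy_ports=PROXY_PORTS):
    """Map each proxy port to the PID listening on it and the PIDs tunnelled through it."""
    listeners = {}               # port -> PID of the local proxy
    clients = defaultdict(set)   # port -> PIDs connected to the proxy over loopback
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue             # header, UDP rows, blank lines
        _laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING" and lport in proxy_ports:
            listeners[lport] = pid
        elif (state == "ESTABLISHED" and rport in proxy_ports
              and raddr.startswith(LOOPBACK)):
            clients[rport].add(pid)
    return {
        port: {
            "proxy_pid": listeners.get(port),
            # The proxy's own side of each loopback pair is not a client.
            "tunnelled_pids": sorted(clients[port] - {listeners.get(port)}),
        }
        for port in set(listeners) | set(clients)
    }


if __name__ == "__main__":
    print(find_proxy_tunnel(SAMPLE))
```

A non-empty `tunnelled_pids` list means those processes reach the network through the proxy process, so the firewall's per-application rule is evaluated against the proxy rather than the program that started the connection.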
In the protocols, anti-leak monitoring and control components is the Leak.exe than allow.:eek:
There was no security in my message, where I had the block. The Leak.exe was simply without further inquiry.:eek:
Host Protection Level is on "Advanced"
Standard would indeed only Optimal.
That I can understand but then not.:mad:
if you are in 'auto-learning' mode, it will automatically accept the leaktester and create a new rule for it and let it run. that's what auto-learn is supposed to do. you should turn it off as soon as you have run thru trying all your normal apps.
so, if you allow it to run and connect to the internet, you get the failed message, which is to be expected.
I use 6.0.2284.253.0485
I can do whatever I want, it always comes back the message: Firewall Penetrated:mad:
In the Advanced setting the following is not enabled: Warn about starting new or unknown executables:mad:
That must not be. Especially since the default Advanced not only is Optimal.:mad: And at the optimal settings is even less active.
Amazingly, right before preparing to send a debug log to Agnitum, Outpost passed the test.
Right before doing this I cleaned out the log folder. Since this is the only thing I did before suddenly the rule dialog showed, it also is my only explanation.
Just now, I made a control test to see if the dialog still shows up. Surprisingly the test failed again. This time I just removed the file from the component list (note there was no firewall rule for this program created before) and now the dialog shows up again - test passed.
So now I have Outpost Newly installed.:rolleyes:
And we should not believe that it will appear to run the leak test is now following window:
http://s2.directupload.net/images/080315/temp/duwk2gi9.jpg (http://s2.directupload.net/file/d/1368/duwk2gi9_jpg.htm)
Strange:D
Regards Kurt
In the Advanced setting the following is not enabled: Warn about starting new or unknown executables
That is what caused OFP to fail.
Agreed: the setting should probably be activated by default.
The message that comes without a firewall is already clear.:rolleyes:
It should therefore only be expressed that a contact was possible and no firewall prevented.
But if a firewall is activated, no contact should be made or the firewall, the starting block, or at least reported.;)
This makes the Outpost is not.
Regards Kurt
I have now renamed Leak.exe to Nero.exe.;)
Nero.exe is one of my programs listed in the network rules.
The same result. Get the message: Firewall Penetrated!:rolleyes:
No message, no window where I could block.
And you will not believe it, suddenly a new entry under well-known components:
Nero.exe - Manufacturer - Gibson Research Corp.:eek:
So much for the Outpost control components. This new Nero.exe was again without prompting.
Regards Kurt
Hello minoka,
That is the same with me.:mad:
Get the message: Firewall Penetrated!!
Components control is activated with me.:rolleyes:
Regards Kurt
It is the part of the firewall not host protection that is failing this test. There is a difference in allowing a program to start and preventing network access.
I will contact Agnitum, maybe they have some idea of what is going on.
Hello kronckew,
Now my component settings are just like yours.;)
The problem lies in the fact that when the slider is set to Advanced or Optimal, no check mark is set at "Warn about starting new or unknown executables"
Best Regards Kurt
Already done on both systems.
KAV 7 and NOD32 3 apparently do the same, port 1110 (later versions also use port 19780 I think) is the proxy.
I'm not sure of the port numbers, but a proxy idea is the premise I'm going on. Otherwise I have no idea what else would cause the leaktest fail.
gottcha,
are you using the latest NOD32, version 3.0?
Tried this on a different machine and there it works somehow, a rule creation dialog shows up.
15:44:58 LKTEST.EXE: 5288 TCP connection with 4.79.142.200:80 requested Learning Mode
that is exactly what i get after the warning about a new or changed executable. please see 1 section E3. short and sweet.
again, like a vampire, you have to invite it in the first time, but thereafter the vampire does not need to ask.
again, make sure you remove any pre-existing rule for the leaktester executable as well as the entry in component control or you are still allowing the vampire in.
the 'point' and relevance of component control is to have it check all NEW and changed executables before it gets anywhere near the rules creation part.
After months of unsuccessfully trying to resolve this issue, making complete re-installations of Outpost and being in contact with customer support, the rules for HTTP connections are finally correctly being applied.
After installing Outpost 2009 that is :)
What does it matter if the application changed? Component Control really is not the problem nor relevant here.
I am running the latest Outpost with the same settings on two machines but only one fails it.
This is what should be displayed no matter what the filename is, since it is unknown and there is no existing rule:
http://i32.tinypic.com/2nak7j4.jpg
I reinstalled Outpost as the last version was released so I am not going to do it again unless there is a good reason.
I do not understand what is going on, Kurt.
I can rename leaktest.exe to anything, I always get unable to connect.
What version of OFP are you using? I performed the leaktest with OFP 2225.
Below my Component Control settings.
Hello minoka,
Now is also reported to me.;) But when I first warning about starting new or unknown executables activated.
I believe this is a vulnerability.:mad:
Thank you for your help.;)
Best Regards Kurt
and this is exactly what I get if I run leaktest.exe...but this is not quite the purpose of the test.
I am out of here, looks like kronckew and I are cross-posting :)
'auto-learning' mode with me is not activated.;)