Re: BlackIce security questions
From: Duane Arnold (notme_at_notme.com)
Date: 03/02/04
- Next message: donutbandit: "Re: Tiny Personal Firewall - which version?"
- Previous message: JED: "Re: how to create 'allow destination unreachable' in Sonicwall"
- Next in thread: Fred: "Re: BlackIce security questions"
- Reply: Fred: "Re: BlackIce security questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 02 Mar 2004 00:07:26 GMT
>
> OK, let me know what they say!
>
>
As I promised, here is the response from ISS Tech Support. Down at the bottom,
the response also addresses the issues with the SYSTEM exploit mentioned in
the BlackIce ccd release thread.
Duane :)
-----Original Message-----
From: support-l1@networkice.com [mailto:support-l1@networkice.com]
Sent: Monday, March 01, 2004 10:33 AM
To: darnold92@insightbb.com
Subject: RE: Operations: NON Admin Use Accountr is able to change
BlackIcesettings1515950-rs-43998[T200402210046]
Dear Mr. Arnold,
Your files are unusual. Mainly, it appears the BIPCP never got
completely installed. The following will address this and the "issue"
mentioned by the online fellow.
The "issue" required the hacker to have so many "ducks in a row" on the
target system that it seemed impossible to accomplish. In any case, it's
handled with the latest version and a clean un/reinstall should get you
rolling as well.
A clean un/reinstall should put you right. However, a more aggressive
approach is called for here. Look at your OS's Help files to learn how to
get into Safe Mode. That done, get the install files
(http://blackice.iss.net/update_center/index.php) and BIRemove.exe
(http://www.iss.net/support/consumer/BI_uninstall_exe.php) on your DeskTop.
Then shut down the PC. NOTE: The BIRemove file is also currently in your
BlackICE folder.
Cold boot into Safe Mode and run BIRemove.exe. Next, run a rigorous
anti-virus scan. Then shut down the PC, wait 10 seconds for the hard disk
to spin down and stop. Re-apply power to the PC and install in regular
Windows mode.
Remember, uninstall and AV scan in SM. Cold boot to normal Windows for
reinstall.
A few notes about Application Protection...
When installing or updating applications:
The Application Protection window will pop up. Click on Install Mode
Options, then Enable Install Mode. This will pause the Application Control
so that you are not prompted to accept every file that is included in the
new program. Install Mode will stay in memory for 3 minutes. After 3
minutes, a window will appear that will ask you if you want to Disable
Install Mode. If the installation is finished, click on Disable Install
Mode. If the installation is not finished, click on Cancel to continue in
Install Mode. Once the installation is finished, click on Disable Install
Mode when the window reappears. This will restart Application and
Communication Control.
Starting with version 3.6.cbd, there is a new feature that will
automatically update the baseline for you. Once you have selected Disable
Install Mode, a window will appear that will ask you if you want to update
the baseline to include the files that have been created or modified. At
this point, you should choose "Update" to proceed, or "Cancel" if you want
to manually update the baseline later.
If you choose to manually re-baseline your system after
installing/updating programs, follow the directions below.
Right click on the BlackICE icon and choose Advanced Application
Protection Settings. Click on the Baseline tab. On the left, check the drive
that you have installed the update or new application to. Then click on Run
Baseline at the bottom of the window.
As well, when the Application Protection Window pops up and tells you
that an Unknown Application is detected, you have 4 options.
Terminate: Will not allow the application to run
Continue: Allows the application to run, but does not add it to the
baseline file
More Info: Gives you more information about the file
Don't Ask Me Again and then Continue: Adds the file to your baseline and
enters the file into the checksum.txt file as a trusted application/file.
Note, if you choose Terminate AND Don't Ask Me Again, the application
will never run and you will not be prompted to let it run.
We also recommend that you read the BlackICE PC Protection 3.6 User's
Guide located at the following link.
http://blackice.iss.net/product_documentation.php
Please let us know if we can aid you further. Please be sure to
include all previous correspondence.
Thank you for choosing BlackICE to secure your system!
Regards,
Thomas
BlackICE Support
Sender : darnold92@insightbb.com
Tracking Number : T200402210046Z1454086
Pool : Level1
Sent to : <support-l1@networkice.com>
Date : 2/28/04 2:26 PM
--- Protect Agent Files is enabled. Also, can you comment on the response I got from some little *Tool Tips* clown when I made a post about ccd being released and I made a post about it in a FW and Security NG? We call him little Mikey. I call him Milk Toast Mikey, because he is a real PITA. You know, one of these little so called *hacker* types. I know about the link below.
http://www.eeye.com/html/Research/Upcoming/20040213.html
Duane :)

Duane Arnold wrote:
>-----------------------------------------------------------------------
>-- WHAT'S NEW ---------------------------------------------------------
>-----------------------------------------------------------------------
>
>- Updated to detect and block attacks that cause a buffer overflow in
> Check Point VPN clients and Check Point VPN-1.
> New IssueID: 2110045,ISAKMP_Certificate_Request_Overflow
> Refer to http://xforce.iss.net/xforce/xfdb/14150.
>
>- Updated to detect an exploit of the ASN.1 vulnerability covered in
> MS04-007.
> New IssueID: 2120012,SSL_ASN1_Overflow
>
>- Updated SMB parser.
>
>Duane :)

Yeah, it's a good idea to upgrade, since older versions have a critical, remotely exploitable vulnerability:

eEye Digital Security has discovered a critical vulnerability in both RealSecure and BlackICE. The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code within the SYSTEM context. This attack will succeed with BlackICE using its most paranoid settings.

This exploit is made possible largely due to the fact that BI doesn't perform SPI. Obviously, it's a poor choice for defense.

-----Original Message-----
From: support-l1@networkice.com [mailto:support-l1@networkice.com]
Sent: Monday, February 23, 2004 2:12 PM
To: darnold92@insightbb.com
Subject: RE: Operations: NON Admin Use Accountr is able to change BlackIcesettings1515950-rs-43998 [T200402210046]

Dear Sir,
I'd be delighted to assist you. That sounds correct. Only the Administrator who installed should be able to change settings. Have you selected Protect Agent Files in the Application Control tab?
In order to further speculate on this, I'll need to examine some files from your BlackICE folder. Please send the following:
Attack-List.csv
BlackD.log
BlackD-Old.log
BlackICE.ini
FireWall.ini
License.key
Sigs.ini
The next 5 files will only be present if you are running version 3.5 or newer.
Actlcl.txt (might or might not exist)
Checksum.txt
Protect.ini
RapApp.log
RapApp-old.log
NOTE: All the requested files will have an icon resembling a stenographer's notebook except the Attack-List.CSV file. This will have a MSExcel icon. All can be zipped together. If you are unfamiliar with zipped files, go to this URL: http://www.WinZip.com/ and select "Download Evaluation Version." Install it and read the Help files. This will allow you to unzip files sent to you and zip files into a group of files like those we need to aid you with BlackICE.
Finally, who is your Internet Service Provider? Which browser & version number are you using?
Please let us know if we can aid you further. Please be sure to include all previous correspondence.
Thank you for choosing BlackICE to secure your system!
Regards,
Thomas
BlackICE Support

Sender: darnold92@insightbb.com
Tracking Number: T200402210046Z1449003
Pool: Level1
Sent to: <support-L1@networkice.com>
Date: 2/21/04 7:00 AM

I just noticed that any non Admin user can Edit BlackIce Settings and go to the Advanced Firewall rules and make changes, and they HOLD when I logoff and log back in with an Admin account on my XP Pro machine. As a non Admin, I cannot stop and start the Engine or Application Control, but I can make changes to the settings? A message box from BI shows on the login indicating *as a NON Admin that the account doesn't have rights to make changes to BI*, but it happens. So what's the deal with this?
Duane J

__________ NOD32 1.629 (20040220) Information __________
This message was checked by NOD32 antivirus system.
http://www.nod32.com

__________ NOD32 1.643 (20040301) Information __________
This message was checked by NOD32 antivirus system.
http://www.nod32.com