Re: FirewallLeaktester and Sunbelt Kerio Firewall

q_q_anonym...@xxxxxxxxxxx wrote:
What about the attack vector of blocking svchost with a whitelist?

This is not an attack vector - what is the attack?

The attack was:

Malware uses svchost.exe to make an outgoing connection.

The idea of whitelisting svchost.exe to prevent abuse of it is that
it'll be easier to investigate whether outgoing connections are
legitimate if svchost.exe can't be abused.
(I know one could use Process Explorer or PrcView, but this way those
programs aren't necessary.)

I guess if you're in a limited account, the firewall or sniffer or port
monitoring program shouldn't be compromised. (Since you say there are
IDSs that aren't compromised when the host is compromised, the same
should go for other programs too.)


You say it [the IDS] has to be privileged to control CPU usage of other
processes. But if the IDS is "run as" Administrator, that allows more
than necessary, and there are those mentioned issues
[malware could escalate].

Sorry, I don't understand your point here.


I think I misunderstood you before.

Did you mean that the OS should limit CPU usage for various processes
and give the IDS some CPU usage priority? And the IDS, on installation,
would configure the OS to do that, but the IDS would run as limited,
in a limited account, and so wouldn't have that power when running.

I initially thought you were talking about letting the IDS run as
Administrator, or somehow giving it privileges to adjust CPU usage
priority. It's possible in Windows XP to run as limited but have some
processes run as Administrator. But that looks to me like it could be
abused.

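As an added example, not from the original thread and not Sunbelt Kerio's code, here is the kind of per-process outbound allowlist the post is describing for svchost.exe, applied offline to constructed `netstat -ano` and `tasklist` output in the Windows XP layout. The process names, PIDs, addresses and rules below are made up; the rule shape (protocol, remote port, remote network) is an assumption about what "whitelisting svchost.exe" would mean in practice. A connection from svchost.exe that matches no rule is flagged for investigation, which is the point the post makes about making outgoing connections easier to audit.

```python
"""Added example: audit outbound connections against a per-process allowlist.

Input is constructed text shaped like Windows XP `netstat -ano` and `tasklist`
output; nothing here was captured from a real host.
"""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")
Rule = namedtuple("Rule", "proto port network")  # network is a CIDR string

# Constructed `netstat -ano` output (PIDs and addresses are made up).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    192.168.1.10:1034      192.168.1.1:53         ESTABLISHED     1040
  TCP    192.168.1.10:1051      207.46.197.32:80       ESTABLISHED     1040
  TCP    192.168.1.10:1077      203.0.113.45:6667      ESTABLISHED     1040
  TCP    192.168.1.10:1080      198.51.100.7:443       ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    1040
"""

# Constructed `tasklist` output matching the PIDs above.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                 1040 Console                 0      4,132 K
firefox.exe                 2212 Console                 0     38,716 K
"""

# Hypothetical allowlist: what svchost.exe is expected to talk to.
ALLOW = {
    "svchost.exe": [
        Rule("TCP", 53, "192.168.1.0/24"),  # DNS to the LAN resolver
        Rule("UDP", 53, "192.168.1.0/24"),
        Rule("TCP", 80, "0.0.0.0/0"),       # Windows Update over HTTP
        Rule("TCP", 443, "0.0.0.0/0"),
        Rule("UDP", 500, "0.0.0.0/0"),      # IPsec IKE
    ],
}

TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_netstat(text):
    """Parse `netstat -ano` style lines into Conn records (IPv4 only)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:  # UDP rows have no State
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # unexpected layout: skip rather than guess
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> lower-cased image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip().lower()
    return pids


def rule_allows(rule, conn, host, port):
    """True if the connection's protocol, remote port and remote host fit the rule."""
    return (rule.proto == conn.proto and rule.port == port
            and ipaddress.ip_address(host) in ipaddress.ip_network(rule.network))


def audit(netstat_text, tasklist_text, allow):
    """Return (image, proto, remote, verdict) for each connection with a remote peer.

    verdict: 'allowed' (a rule matched), 'BLOCK' (image has rules but none
    matched) or 'no-rule' (image not in the allowlist; left to the usual
    per-application prompt).
    """
    pids = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c.remote == "*:*" or c.remote.startswith("0.0.0.0:"):
            continue  # listening socket, no remote peer to judge
        host, port = c.remote.rsplit(":", 1)
        image = pids.get(c.pid, "<pid %d>" % c.pid)
        rules = allow.get(image)
        if rules is None:
            verdict = "no-rule"
        elif any(rule_allows(r, c, host, int(port)) for r in rules):
            verdict = "allowed"
        else:
            verdict = "BLOCK"
        findings.append((image, c.proto, c.remote, verdict))
    return findings


if __name__ == "__main__":
    for image, proto, remote, verdict in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE, ALLOW):
        print("%-12s %-4s %-22s %s" % (image, proto, remote, verdict))
```

In the constructed sample the svchost.exe connection to 203.0.113.45:6667 is the one that gets `BLOCK`: it matches neither the DNS, HTTP/HTTPS nor IKE rules, so it is the connection a user would investigate. The check keys on the image name that the PID maps to, which is exactly what a personal firewall's per-application rule does; it does not by itself tell you whether that svchost.exe instance is hosting a legitimate service or has been abused, which is why the post pairs the rule with keeping the firewall itself out of a compromised context.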