Test conducted under XP-CIS 5.3, every item enabled, but sandbox disabled and trusted vendor list empty.
Configuration set to proactive, firewall custom with maximal alert level, Defense+ paranoid with execution control enabled, code injection enabled and cloud disabled, every monitoring item checked.
No trusted file, a customized policy asking about everything going in and out in the firewall, and a customized policy for services.exe in Defense+.
The test is very basic, trying to leak using successively the task manager, telnet and ftp.
If you allow the first request (allowing explorer.exe to run the demo), and then deny, as you should, the 3 following ones, you pass:
With CIS V5.0 enabled as I recommend here, the only thing the program was able to do was make a list of my documents. Since it couldn’t connect to the internet to give the data away, I would therefore consider that CIS passed the test completely.
I don’t think this is a real test of any sorts, all it did was try to make a list of my documents folder. And even if it had tried to connect to the net to send out my list, I got a firewall alert about a sandboxed application.
Thanks guys for pointing that out, but I remember that D+ in CIS 5 (default options) was able to detect and block listing of files easily when I was testing some malware samples. Maybe this test uses a different technique or whatever, and that’s why it bypasses D+.
At least we have the firewall alert as a second layer of protection. And that’s cool.
Not to speak of the usual erratic behavior of the sandbox, this test tries to act as a trojan by leaking some file names, but a trojan in real conditions could leak anything else.
If you correctly allow explorer for its executable, and then deny its attempt to write into 3 genuine (and safe, if you trust Microsoft) executables, the test will only use your browser at the end to show you the results online, and you must allow this request.
You have 4 Defense+ alerts, the first one allowed and the 3 others denied, and a single firewall alert deliberately allowed.
The firewall therefore has no bearing whatsoever on the test if you don’t allow writing to the tested executables, and it is therefore not true to state that Defense+ is bypassed: Defense+ is the first line of defense making the protection successful, any intervention of the firewall only taking place as a second step if you wrongly allow the Defense+ requests but monitor the outgoing accesses of the 3 Windows executables to your browser (you can, by the way, have specific applications requiring internet access for taskmgr and browser ftp, and should closely monitor them if so, but I don’t see a usual situation anymore where telnet should be allowed).
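The layering argument in the post above, as an added example that is not part of the original thread and not Comodo's code: a small simulation of the leak-test sequence with a HIPS layer (Defense+-style, gating process launches and writes into executables) in front of a firewall layer (gating outbound connections). The event list, process names (`leaktest.exe`, `browser.exe`) and the `results-host` name are constructed for the example; the rule is the one stated in the thread, namely allow explorer to launch the test, deny the three writes, and only ever let the browser out.

```python
"""Two-layer policy simulation for the leak-test sequence discussed in the thread.
Constructed example: process names, the event list and the remote host are made up."""
from dataclasses import dataclass

# The three Windows executables the test tries to tamper with (from the thread).
SYSTEM_EXES = {"taskmgr.exe", "telnet.exe", "ftp.exe"}


@dataclass(frozen=True)
class Event:
    kind: str    # "exec" (process launch), "write" (write into a file), "connect" (outbound)
    source: str  # process initiating the action
    target: str  # executable launched, file written, or remote host contacted


def hips_answer(ev: Event, trusting: bool = False) -> str:
    """How a cautious user answers a Defense+-style alert.

    trusting=True models the mistake the thread warns about: allowing the
    writes into the Windows executables."""
    if ev.kind == "exec" and ev.source == "explorer.exe":
        return "allow"                      # first alert: explorer launching the demo
    if ev.kind == "write" and ev.target.lower() in SYSTEM_EXES:
        return "allow" if trusting else "deny"
    return "deny"                           # anything else from the test process is denied


def firewall_answer(ev: Event, lenient: bool = False) -> str:
    """How the user answers an outbound-connection alert.

    lenient=True models also letting the tampered system executables out."""
    if ev.source == "browser.exe":
        return "allow"                      # needed to see the results page
    if ev.source.lower() in SYSTEM_EXES:
        return "allow" if lenient else "deny"
    return "deny"


def run(events, trusting: bool = False, lenient: bool = False):
    """Replay the events through both layers; return (leaked, decision log)."""
    tampered = set()   # executables the test process was allowed to write into
    leaked = False
    log = []
    for ev in events:
        if ev.kind in ("exec", "write"):
            d = hips_answer(ev, trusting)
            log.append(("D+", ev, d))
            if ev.kind == "write" and d == "allow":
                tampered.add(ev.target.lower())
        elif ev.kind == "connect":
            d = firewall_answer(ev, lenient)
            log.append(("FW", ev, d))
            # Only an executable the test actually tampered with carries the file list.
            if d == "allow" and ev.source.lower() in tampered:
                leaked = True
    return leaked, log


# Constructed event sequence matching the thread: 1 launch, 3 writes, then the
# three executables and the browser each trying to go out.
EVENTS = [
    Event("exec", "explorer.exe", "leaktest.exe"),
    Event("write", "leaktest.exe", "taskmgr.exe"),
    Event("write", "leaktest.exe", "telnet.exe"),
    Event("write", "leaktest.exe", "ftp.exe"),
    Event("connect", "taskmgr.exe", "results-host"),
    Event("connect", "telnet.exe", "results-host"),
    Event("connect", "ftp.exe", "results-host"),
    Event("connect", "browser.exe", "results-host"),
]


def count(log, layer: str, decision: str) -> int:
    return sum(1 for lay, _, d in log if lay == layer and d == decision)


if __name__ == "__main__":
    for label, kw in [("cautious", {}), ("D+ allowed", {"trusting": True}),
                      ("D+ and firewall allowed", {"trusting": True, "lenient": True})]:
        leaked, log = run(EVENTS, **kw)
        print(f"{label}: leaked={leaked}, D+ denies={count(log, 'D+', 'deny')}, "
              f"FW denies={count(log, 'FW', 'deny')}")
```

With the cautious answers the firewall never matters: the three writes are denied at the Defense+ layer and the only outbound request is the browser's. Allowing the writes but denying the three executables' outbound requests still prevents the leak, which is the second layer the thread describes; the leak only happens when both layers are answered permissively.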