NAV is the master??


CyGho
01-15-2002, 01:36 AM
Hi there,
Using Norton Anti Virus 2002 here. I use E-mail checkers to check and delete mail directly on the mail server. I also use Outlook to get mail I don't want to delete and to save them on my PC and to send mail.
When I check or send mail, Outpost isn't detecting any of them. The first time I did that after installing Outpost, Outpost detected NAV connecting to the net and suggested rules for "default E-mail client" which I decided to use.
So, OK, NAV is between the mail checker/sender programs and the net, picking up all incoming and outgoing traffic on ports 110 and 25 (POP3 and SMTP). If you are aware of that, no problem.

I like Outpost for the ability to detect trojans connecting to the net. But now with NAV sitting in between, it's becoming tricky.
Let's assume that a trojan replaces the executable of a mail checker I use and it's so new that NAV doesn't know it. Outpost won't pick it up because it's NAV that's going to connect and I gave it permission in the past. It can only connect to port 110 because otherwise, if it uses another port, it will be reported. But in this way the trojan can send any info and files from my PC to any E-mail address it has on board without detection.

I know, it's not that Outpost isn't doing its work correctly, but more that you will have to update the virus database frequently. Nevertheless a tricky situation IMHO.
Am I wrong here, or any other ideas about this??


Using WinXP Prof Dutch, Outpost Pro 1.0.1220.2238, Filtnt.sys 1.0.220.

WizzOzz
01-15-2002, 01:53 AM
That's the way it works.

Outpost controls the connections and active/java of sites and NAV is the guy which must kill Virus and Trojans. Normally a good AV should also control pages when they are saved in the temp dirs of the browser.

Danil
01-15-2002, 01:53 AM
Let's assume that a trojan replaces the executable of a mail checker I use and it's so new that NAV doesn't know it. Outpost won't pick up because it's NAV that's going to connect and I gave it permission in the past.

Outpost will inform you that the mail checker that tries to go online is not the same program that you created rules for.

Outpost uses MD5 checksumming.

Am I wrong here or any other ideas about this??

Guess...yes ;)

Danil
01-15-2002, 01:55 AM
Wizz... you are #1 as always :D

CyGho
01-15-2002, 02:00 AM
Outpost will inform you that the mail checker that tries to go online is not the same program that you created rules for.

No, that's the problem. The replaced mail checker will not be detected because it won't connect to the net itself. It's NAV that will make the connection, and NAV isn't the one that's being replaced.

Danil
01-15-2002, 02:09 AM
The replaced mail checker will not be detected because it won't connect to the net itself. It's NAV that will make the connection, and NAV isn't the one that's being replaced.

Did I understand right:

1) Trojan replaces your mail checker
2) Trojan doesn't connect instead of your mail checker
3) Trojan connects through NAV
4) NAV wasn't replaced, so Outpost won't detect the trojan that sends your info.

Right?

How is it possible that:

1) the trojan connects through NAV?
2) what did the trojan replace your mail checker for?

CyGho
01-15-2002, 02:17 AM
How is it possible that:

1) the trojan connects through NAV?
2) what did the trojan replace your mail checker for?

1) Yes, it could if the virus database is too old.
2) It didn't. I just don't like the idea.

WizzOzz
01-15-2002, 02:22 AM
Well, we all know that NAV isn't the ultimate piece of anti-trojan (especially trojan!) technology, but I don't think it's sooo bad. :D

CyGho
01-15-2002, 02:26 AM
Well, we all know that NAV isn't the ultimate piece of anti-trojan (especially trojan!) technology, but I don't think it's sooo bad. :D

True, but if I use NAV, a trojan isn't detected by OP because it's not connecting itself. If I don't use NAV there's no online check for mail viruses.

Danil
01-15-2002, 02:35 AM
1) Yes, it could if the virus database is too old.
2) It didn't. I just don't like the idea.

Let's clarify...what do you mean by 'trojan connects through NAV'?

If you mean that NAV (which doesn't know about this new trojan) will let this trojan go out, then it doesn't mean that Outpost will let the trojan set up a connection...

If you mean that the trojan goes online using NAV settings, then Outpost will detect it after MD5 checking...

WizzOzz
01-15-2002, 02:44 AM
Danil, it's possible that NAV uses its own proxy.

CyGho
01-15-2002, 02:44 AM
Let's clarify...what do you mean by 'trojan connects through NAV'?

If you mean that NAV (which doesn't know about this new trojan) will let this trojan go out, then it doesn't mean that Outpost will let the trojan set up a connection...

If you mean that the trojan goes online using NAV settings, then Outpost will detect it after MD5 checking...

I mean the first one. The trojan tries to connect to port 25 (SMTP) to send mail with my info and/or files. NAV will detect the connection request but doesn't know that it's a replaced mail checker because of an old virus database, and will stop it from connecting because NAV will make the connection itself and send the mail INSTEAD of the trojan.

bassbag
01-15-2002, 03:32 AM
May I suggest a simpler solution, which is to download Registry Prot (freeware) from here:
http://www.diamondcs.com.au/
It's under the "our releases" tab on the left. It's a tiny prog that monitors any registry/system alteration, change or modification and notifies you of the change and whether you want to accept it or not. Ideal for trojan detection.
me

CyGho
01-15-2002, 04:35 AM
May I suggest a simpler solution, which is to download Registry Prot (freeware) from here:
http://www.diamondcs.com.au/
It's under the "our releases" tab on the left. It's a tiny prog that monitors any registry/system alteration, change or modification and notifies you of the change and whether you want to accept it or not. Ideal for trojan detection.
me

Thanks for the link. It's sure a useful tool. But what if a trojan just replaces my e-mail checker executable without changing the registry?
I know. It's beginning to sound paranoid. But it's kind of a security hole, but then again, there will always be one I think.

WizzOzz
01-15-2002, 04:51 AM
If something tries to open an online connection and it's new, Outpost will catch it. Same if something which is already ruled is suddenly changed.
So replacing the emailer won't work.

Danil
01-15-2002, 04:58 AM
That's what I wrote from the very beginning :p

CyGho
01-15-2002, 05:01 AM
If something tries to open an online connection and it's new, Outpost will catch it. Same if something which is already ruled is suddenly changed.
So replacing the emailer won't work.

That's the whole point I try to make. Outpost won't catch a thing because the replaced E-mailer won't go online itself. NAV does go online for it.
NAV should detect that it's a trojan at that time. But for this kind of trojan (I don't even know if there is one and maybe there never will be one) we have to trust the virus database of NAV because no firewall is gonna detect it.
That's gonna be a different kind of thinking. Normally we expect that a firewall detects a trojan that will communicate with the outside world. It will as long as it communicates itself, which isn't the case here.
By the way, I'm talking about NAV but maybe other anti-virus programs will do the same.

RISC OS
01-15-2002, 05:03 AM
I use NAV.

CyGho, I don't think this would happen, as to connect to NAV's proxy the e-mail client (or in this case the trojan) would have to make a local connection. So OP would perform a checksum on the email client* (or trojan with the same executable name) and realise that it is not your original e-mail client.

Or so I believe... Wizz, Danil is this the case?

* Edited:
Assuming you have the loopback rules turned off in the system wide section.
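A small added illustration of the hash-based check Danil describes and of the loopback caveat RISC OS raises; this is not Outpost's code, and the rule table, the stand-in file contents and the 10.0.0.5 mail server address are constructed for the example:

```python
import hashlib
import os
import tempfile

# Added illustration (not Outpost code): an application-control table that stores
# the MD5 of each ruled executable, so a replaced binary no longer matches its rule.

def file_md5(path):
    """MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def create_rule(rules, path, ports):
    """Record the rule together with the hash of the binary as it is right now."""
    rules[path] = {"md5": file_md5(path), "ports": set(ports)}

def check_connection(rules, path, dest, port, loopback_exempt=False):
    """Decide on an outbound connection from `path` to dest:port.
    Returns 'prompt-new', 'prompt-changed', 'allow' or 'block'.
    With loopback_exempt=True, connections to 127.0.0.1 (for example an AV mail
    proxy) skip every check, which is the gap discussed in the thread."""
    if loopback_exempt and dest == "127.0.0.1":
        return "allow"
    rule = rules.get(path)
    if rule is None:
        return "prompt-new"          # never seen: ask the user (rules wizard)
    if file_md5(path) != rule["md5"]:
        return "prompt-changed"      # same path, different binary: warn the user
    return "allow" if port in rule["ports"] else "block"

def demo():
    """Constructed scenario: rule a mail checker, then replace its binary."""
    exe = os.path.join(tempfile.mkdtemp(), "mailcheck.exe")
    with open(exe, "wb") as f:
        f.write(b"ORIGINAL MAIL CHECKER (constructed stand-in for a binary)")
    rules = {}
    r1 = check_connection(rules, exe, "10.0.0.5", 110)   # no rule yet
    create_rule(rules, exe, [110, 25])
    r2 = check_connection(rules, exe, "10.0.0.5", 110)   # unchanged binary
    r3 = check_connection(rules, exe, "10.0.0.5", 80)    # port not in the rule
    with open(exe, "wb") as f:
        f.write(b"REPLACED CONTENT (constructed)")
    r4 = check_connection(rules, exe, "127.0.0.1", 110)  # to the AV proxy, checked
    r5 = check_connection(rules, exe, "127.0.0.1", 110, loopback_exempt=True)
    return r1, r2, r3, r4, r5
```

With the loopback exemption on, the replaced binary reaches the local proxy unchecked (r5), which is why turning that rule off let OP see the mail clients again.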

chrisclu
01-15-2002, 05:07 AM
The first thing that struck me reading this thread (way back in the beginning) is that you gave NAV the preset rules of an email program. I would delete the rule, go into rules wizard mode and let it establish new rules, or use the AV preset. Save the email preset for email programs.
I use NAV myself as a backup to AVG (secondary scan on demand, not running in background).
Regards,
chris

CyGho
01-15-2002, 05:13 AM
Assuming you have the loopback rules turned off in the system wide section.

Thanks, this helps a lot, it was turned on. Now all my e-mail clients are detected by OP and OP can use the MD5 signature check. Learning every day here :rolleyes:

WizzOzz
01-15-2002, 05:18 AM
It was a loopback issue *pat myself on head* I thought we had here a question about application commandeering.

WizzOzz
01-15-2002, 05:19 AM
To Risc!

CyGho
01-15-2002, 05:19 AM
The first thing that struck me reading this thread (way back in the beginning) is that you gave NAV the preset rules of an email program. I would delete the rule, go into rules wizard mode and let it establish new rules, or use the AV preset. Save the email preset for email programs.
I use NAV myself as a backup to AVG (secondary scan on demand, not running in background).

Sure, that's a way of doing it, but in that case I will have to disable the scanning for incoming and outgoing mail and I like that feature of NAV. If I leave it enabled and I delete the rule for NAV, the moment I use an E-mail program OP comes up with the rules wizard for NAV for ports 110 and 25.

CyGho
01-15-2002, 05:20 AM
Thanks everyone. It was a fine discussion and I have learned a lot :cool:

Danil
01-15-2002, 07:13 AM
So did I :D

bassbag
01-16-2002, 03:29 AM
cygho said: Thanks for the link. It's sure a useful tool. But what if a trojan just replaces my e-mail checker executable without changing the registry?
I know. It's beginning to sound paranoid. But it's kind of a security hole, but then again, there will always be one I think.

I'm not 100% here, but personally I'm not aware of any trojan that doesn't add/delete/replace or modify system and registry files in one way or another, and replacing the executable of your mail checker would, I think, be detected by Registry Prot.
me

KGIII
01-23-2002, 11:20 AM
IMHO... OP does a great job, as I am sure we'll all agree. It recognized that the IExplorer.exe was not the same one that I had created rulesets for and asked me if I would really like it to connect to the internet, warning me that it might be a trojan or invalid .exe... I wish I had known about screen shots at that point, then I would be able to show you.

I had run the repair option on Internet Explorer just prior to this, rebooted, and was accessing the web when it occurred. With NAV and OP I would not worry much if I were you. What really bothers me is how long before the jerks that code virii begin learning to write it in assembly language?

Oh, and Kaspersky is the master. :) heheh IMHO

Hailz from across the big pond :)

KGIII

chrisclu
01-23-2002, 01:00 PM
Hi guys. If a really big bolt of lightning hit, fried through your UPS and fried your computer, would Outpost tell you you're screwed?
What if it was a trojan mimicking a lightning bolt? :D Would NAV get involved? :D
Just wanted to lighten up a very enlightening thread.
chris

grey ghost
01-23-2002, 01:38 PM
Hey! chrisclu,
I just had a double of Kona black after reading this thread.

I have been experimenting with trojan detection with Outpost.
I doubt very much if a trojan could take control of an executable, even with scripts, and get by Outpost.
The premise is that it could alter part of the application and not be detected.
I've sent packets as small as 42 bytes and they're stopped cold no matter what they're called, where they're going or what protocol. :)

gkowalsky6
01-28-2002, 07:46 AM
From the newbie:

I allowed NAVAPPW32.EXE (NAV 2002) outbound POP3 and SMTP (beats me why it requested both as outbound, BTW?). The question is, what now differentiates NAV from a standard e-mail client?

Also, regarding trojans: unfortunately, I am afraid (after some experiments with NAV 5.x to 6) that BO source can be modified rather simply to avoid NAV detection, even with current vdefs. I do not play now with the NAV 2002/BO scary tandem, so I can not confirm. It would be great to see in Outpost some part of Tauscan...

Danil
01-29-2002, 11:11 AM
It would be great to see in Outpost some part of Tauscan...

It is in our plans ;)

grey ghost
01-30-2002, 02:34 PM
Hi,

I think what cygho is referring to is the ability of some recent exploits (tooleky,firehole etc.) to use programs such as IE without modifying the executable. So iexplore.exe isn't renamed and the checksum/hash on the file doesn't change. IE in particular provides some avenues through which an external program can use its functionality without that external program connecting to the Internet. IE also provides means for extensions to register themselves to be auto-loaded into the program. (And there are other ways, too.)

Some of the newer ones are called blended threats.
You use a trojan horse and a worm to have more than one way to attack a system, through shared code. The SirCam worm is an example.

The bottom line is to use common sense and protect yourself from inbound exploits. :)

Outpost is very good, but if it's not allowed in you don't have to worry too much about outbound.

Mikhail
02-02-2002, 11:07 PM
I think what cygho is referring to is the ability of some recent exploits (tooleky, firehole etc.) to use programs such as IE without modifying the executable.

It will be addressed in Outpost 1.1. I'll post our plans (roadmap) after the 1.0 official release.

chrisclu
02-03-2002, 03:33 AM
Hi guys,
Having part of Tauscan in OutPost sounds like a dream!! I can hardly wait. You must have one heck of a long todo list. Thanks for staying on top of things.

Mikhail, were you out of town or just very busy.. Good to see you back.
Chris

Mikhail
02-03-2002, 08:44 PM
Mikhail, were you out of town or just very busy.. Good to see you back.

Both busy and out of town :) We are very intensively preparing the final version and help files, so it is rock'n'roll time here at Agnitum.

chrisclu
02-04-2002, 03:32 AM
Rock On,
Is editing all done or do you need some additional help? More than willing.
chris

Mikhail
02-10-2002, 12:15 AM
Is editing all done or do you need some additional help? More than willing.

Your offer is appreciated. I'll let you know when we need your skills. Thank you :)