[Security] Firewall termination defense testing

— This post was moved by 水上云间 from the Security Software Discussion board (安全软件交流) to this board (2008-01-26) —
Firewall termination defense testing

Reposted from: http://www.firewallleaktester.com
38 methods for terminating and disabling firewalls; of course they can also be used to test HIPS, antivirus, and so on.
In my view, these published methods are mostly of reference value only; what matters in practice is the detection of unknown methods.

October 07 2006 : New test board, "Firewall termination defense" testing

38 termination methods used:
A new firewall termination test page is born!

Leaktest methods can be used to silently bypass your firewall, but what if the firewall can simply be terminated and disabled, and your data then sent out normally without any leaktest trick? Some malware in the wild tries to terminate various anti-virus and firewall software, so I thought it may be worth adding a test for that as well.

13 firewalls are tested against 38 termination methods, which means at least 500 tests done. As some tests are repeated many times to ensure the correctness of the result, this is a great amount of work. That explains why I didn't test all known firewalls available, and why I didn't use all the termination tools I've found. However, I plan to add more tools and firewalls to the test bed later; this is just the beginning.

For the tests I used public termination tools freely available to anyone, and thus to the firewall vendors themselves. However, as with the leaktests, all of the termination methods used are only the known ones; there probably exist unknown and unpublished ways of termination. When securing yourself, always think about what might happen (e.g. monitoring process execution to block potential unknown threats), and not only about what is currently known.

Firewall termination defense scoreboard explanation

This page gives you an overview of the things you need to know before looking at the results themselves, which you can reach by clicking the button "View Results" at the bottom of this page.


1 - Table Legend:

[icon]: This icon means that the firewall successfully blocks the termination method, and possibly warns the user about it. This is the safest and most secure result.

[icon]: This icon means one of the following:
- the firewall interface and/or service was terminated, but the network protection was still active
- the firewall was freezing or eating all the CPU, but the network protection was still active
- Windows was freezing or crashed

This result is still "safe": some firewalls switch all traffic off once terminated, so nothing can get in or out.

[icon]: This icon means that the firewall is terminated by the termination method and its network security is disabled. That means that once the firewall is terminated by this method, anything can send data out.
This is bad, since a malware can disable the firewall before sending data out without using any leaktest method.

2 - Self-defense rating:

[icon]: This icon is given to a firewall successfully blocking at least 3/4 of the termination methods. As there are 38 tests, 38 × 3/4 = 28.5, rounded to 29 (that means at most 9 orange crosses, and 0 red).

[icon]: This icon is given to a firewall blocking less than 3/4 of the termination methods, but which cannot be completely disabled (0 red crosses). This category is still "safe", but less resistant.

[icon]: This icon is given to a firewall that is terminated and completely disabled (application and network control turned off) by at least one termination method.
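The rating rules above, turned into a small scorer as an added example (not code from the Firewall Leak Tester site); the `Outcome` names, the `rate_board` function and the three sample firewall rows are my own assumptions, constructed to exercise the 3/4 threshold, its rounding, and the rule that a single red cross outranks everything else.

```python
import math
from collections import Counter
from enum import Enum


class Outcome(Enum):
    """Per-test outcome, one per legend icon on the scoreboard."""
    BLOCKED = "blocked"    # termination method blocked, user possibly warned
    DEGRADED = "degraded"  # GUI/service killed or frozen, network protection still on
    DISABLED = "disabled"  # firewall terminated, network protection off


def blocked_threshold(n_tests):
    """Blocked tests needed for the top rating: 3/4 of all tests, rounded up
    (38 * 3/4 = 28.5 -> 29, matching the scoreboard's rule)."""
    return math.ceil(3 * n_tests / 4)


def self_defense_rating(outcomes):
    """Map one firewall's per-test outcomes to its self-defense rating:
    'red' if any test disabled it, 'green' if nothing disabled it and at
    least 3/4 were blocked, otherwise 'orange' (safe but less resistant)."""
    counts = Counter(outcomes)
    if counts[Outcome.DISABLED] > 0:
        return "red"
    if counts[Outcome.BLOCKED] >= blocked_threshold(len(outcomes)):
        return "green"
    return "orange"


def rate_board(board, n_tests=38):
    """Rate every firewall on a scoreboard; each row must hold n_tests results."""
    for name, row in board.items():
        if len(row) != n_tests:
            raise ValueError(f"{name}: expected {n_tests} results, got {len(row)}")
    return {name: self_defense_rating(row) for name, row in board.items()}


# Constructed rows for three hypothetical firewalls over the 38 methods
# (illustrative only, not results from the actual scoreboard).
SAMPLE_BOARD = {
    "fw_a": [Outcome.BLOCKED] * 29 + [Outcome.DEGRADED] * 9,   # exactly at threshold
    "fw_b": [Outcome.BLOCKED] * 28 + [Outcome.DEGRADED] * 10,  # one blocked test short
    "fw_c": [Outcome.BLOCKED] * 37 + [Outcome.DISABLED],       # a single red overrides
}

if __name__ == "__main__":
    for name, rating in rate_board(SAMPLE_BOARD).items():
        print(f"{name}: {rating}")
```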

3 - Termination tools used:

- Advanced Process Termination (APT) v4.0 from DiamondCS
- Simple Process Termination (SPT) v1.0.0.1 from System Safety
- ProcX (PX) v1.0 from Firewall Leak Tester
- SDTRestore (SDT) v0.2 from SIG^2

APT#1 to APT#12 are APT termination methods 1 to 12.
APT#13 and APT#14 are kernel kill methods 1 and 2.
APT#15 and APT#16 are crash methods 1 and 2.
APT#17 and APT#18 are suspend methods 1 and 2.

4 - Understanding the results:

The results of these tests are not meant to show good or bad firewalls; even a firewall in the red category can be a very good firewall doing its job very well.
However, if you are concerned about it potentially being terminated, you may need to install a HIPS (e.g. AppDefend, ProcessGuard, System Safety Monitor, etc.) to handle and block termination attempts.

Finally, by my definition, these tests are termination tests, not leaktests.
A leaktest tries to bypass your firewall stealthily without attacking it; its purpose is to hijack a trusted communication flow to get out undetected.
A termination, on the other hand, is a direct and brutal attack on the firewall to disable its security. Any subsequent network accesses will be "standard" accesses.

http://www.firewallleaktester.com/termination.php

Test results