Nmap Development mailing list archives

Re: Nmap and Sygate Personal Firewall


From: kx <kxmail () gmail com>
Date: Mon, 22 May 2006 20:23:08 -0400

I think it is a winpcap/sygate interaction issue due to this thread on
winpcap-users:

http://www.winpcap.org/pipermail/winpcap-users/2006-May/001048.html

I believe sygate has a protection mechanism to avoid parallel stack
firewall evasion.

http://www.vigilantminds.com/files/defeating_windows_personal_firewalls.pdf

Sygate Personal Firewall 5.6.2808.0 detected a parallel stack in the
above linked paper.

"1 - Parallel Stack - Bypass

This attack involves attempting to bypass filtering that is performed
at higher layers by communicating directly with the NDIS interface. If
the firewall performs filtering at a layer higher than NDIS, then it
will not be able to see this communication. The attack works by using
its own Network protocol layer driver, so it could be prevented by
either monitoring the loading of protocol drivers or performing
filtering at the NDIS layer.

Winpcap and Nemesis http://www.winpcap.org and http://www.packetfactory.net"

Cheers,
  kx


On 5/22/06, Jim Hayes <sd1986 () optonline net> wrote:
In the past I was able to perform scans with the Sygate PF enabled and
had no issues.  Recently I am having issues with network connectivity
after a scan and need to reboot.  If I disable the FW before the scan
then I will not run into any problems.

Anyone have any thoughts on how I can resolve

Using the latest versions of Nmap and version 5.6 of the Sygate Personal
Firewall

Jim



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev



