rejetto forum

Portable sHFS : HFS via Stunnel with configuration GUI [english]

AvvA · 46 · 87728

0 Members and 1 Guest are viewing this topic.

Offline AvvA

  • Tireless poster
  • ****
    • Posts: 135
    • View Profile
Here are some results :

on the site :
http://www.virustotal.com/url-scan/report.html?id=1d93c87a12ac0cd30d75f6a086589824-1285243449

On the global archive file :
http://www.virustotal.com/file-scan/report.html?id=c8f962a5b65f1267326377dcdc73a4edd127852e8862a52fea9645b5530f6ee5-1285250716

And on the hfs166EN.exe :
http://www.virustotal.com/file-scan/report.html?id=02848148477a0de6fa48662562ecf3dad6c8fd142e76959e2ddf5d3abf5118bb-1285251082

I recommand you try virustotal.com when you've got this kind of alert. This will show you the same thing as comodo at the right line, and a bunch of others anti-malwares. This is really more accurate than only one anti-virus claiming an unknown program is a virus ^^.
You can see there that some anti-malware claim it's a false alert and the big majority find nothing malicious.

I think comodo just don't have this file's definition up to date, and the fact that hfs.exe's purpose is to serve files may be troublesome when not knowing the executable...


I also submit again my hard disk files just to be sure I haven't any virus at the source, but the result are the same for my file on hard drive, the file on my server, and the file from rejetto (hfs #266). Are you sure that you submit the last 266 from rejetto ? I can find different result with 2.2f version (stable version accessible on the internet HFS's site), but the sam thing with rejetto's #266's file...
« Last Edit: September 23, 2010, 02:35:52 PM by AvvA »


Offline chthonic

  • Tireless poster
  • ****
    • Posts: 121
  • I own the copyright to this image... "Back Off!"
    • View Profile
yes. comodo has an auto submit feature.

when I got my original 266 from rejetto, comodo  "did not" give a virus alert.

the alert went off when I was extracting the files from your current SHFS package. the hfs266en.exe was the only file that gave an alert...

I have have submitted every beta build of hfs to comodo. the security package does that on prompt and you can always set it for auto submit. so I know comodo has the latest file versions.

comodo has a particular way of marking false alert files and virus files. it's not hard to determine which is which once you get used to it. it also has an option to notify them separately of false alerts and actual virus files.



Offline AvvA

  • Tireless poster
  • ****
    • Posts: 135
    • View Profile
This is time waste to me... but...

#266 : http://www.rejetto.com/forum/index.php/topic,8981.0.html

virustotal analyse : http://www.virustotal.com/file-scan/report.html?id=02848148477a0de6fa48662562ecf3dad6c8fd142e76959e2ddf5d3abf5118bb-1285525456

As you can see, the md5, sha1 and sha256 of the files HFS266.exe from rejetto.com and HFS266en.exe from my server are the same, this explicitely means the files are the same.
So, naturally, alerts are the same.

So, if comodo doesn't give you the same alert on the 2 files, I guess you'd better look for an other anti-virus program, this one doesn't seem to be really accurate...

Please, before saying again that you're blindly confident in comodo and that what you think you've scanned in the past was #266, just look at the results from my previous post and those from this one, think about it, and then react.

Thanks.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
@chthonic
I give you two compilation of the version 266 for a complementary analysis of this version with the anti-virus program.
The difference of size comes essentially from libraries used in not compressed mode,

This version (1958Ko not compressed) is compressed with upx 3.07,
http://hfs.webhop.org/hfs266_upx307.exe

this one of rejetto (2152Ko not compressed) was compressed with the version upx 2.00. Here, it is the original version of rejetto but expanded and compressed with upx 3.07.
http://hfs.webhop.org/hfs266_rejetto_upx307.exe

 ;)
« Last Edit: September 26, 2010, 09:26:02 PM by Mars, Silentpliz »


Offline AvvA

  • Tireless poster
  • ****
    • Posts: 135
    • View Profile
oh sorry... of course, if there are several releases of the same build (but what for ?), it's possible to have differents results and sha1/256.

But my point is elsewhere : what would be my purpose with this project if I put viral things inside that would be automatically pointed as a virus ?

I just want to help people that don't know anything about network to be able to use HFS with a secure wrapped https connexion, nothing else...  :'(


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
MP to @AvvA
les deux versions que j'ai ajoutées ne sont là que pour compléter l'analyse virale engagée par notre ami, elles ne sont là que pour déterminer si l'erreur virale ne viendrait pas d'une ancienne bibliothèque delphi utilisée par rejetto. donc pas d'inquiétude.  ;)


Offline chthonic

  • Tireless poster
  • ****
    • Posts: 121
  • I own the copyright to this image... "Back Off!"
    • View Profile
I wasnt making an accusation, I was just alerting you of the "ODD" result.


this was the first time that Comodo ever gave that result on HFS.

this might mean there was a code string that resembled the trojan result I posted before.


this has been known to happen with other AV packages


Offline AvvA

  • Tireless poster
  • ****
    • Posts: 135
    • View Profile
Hum, yes, I guess I was hurt because I'm against those kind of acts (adding trojans, etc...).
So, well, please forgive me for the 'hard' answer, and let's start again ^^

Thanks about the warning, I have check again my local and distant files, and re-download rejetto's one to check I still have the same files.
The results tell me I'm right, I've got the sames files at local, distant and also the same as rejetto's ones.

Just for you to be able to confirm what I'm saying, I took #266 from there : http://www.rejetto.com/forum/index.php/topic,8981.0.html .


@SilentPliz : Oui ok, pas de souci ^^


Offline chthonic

  • Tireless poster
  • ****
    • Posts: 121
  • I own the copyright to this image... "Back Off!"
    • View Profile
yes same source as my original copy... but was the compression level the same?  I am guessing it's because the file name might have been altered.. any single tiny change from the original signature would set off that kind of an alert.

the french version file set off no alerts at all. that is why I posted the results of the english version... because something was not right.  :P
************************

on another note, I like your configurator. very useful!

however  ;D , I use custom port settings in my router. and the HFS and the stunnel have 2 separate ports. One is the incoming port for connections and the Second port is the 'private' port the program is set for.

I would like to make a suggestion for the port settings in your program;

have an option for [default] values: port 80 for HFS and 443/80 for sTunnel

then an option for custom router values: incoming port/private-forwarded port (the one the software actually listens on behind the firewall); example: HFS 80/?? or vice versa and sTunnel is ??/?? with the default port of 443 forwarding to the private ACCEPT port of sTunnel which then links to the private CONNECT port that the HFS is actually using.

if you have a dynamic dns service... you can change the default port for regular web but you cant change it for web SSL which is 443

there is also a more effective certificate generation string for openSSL... the one used for your configurator shows the SSL traffic in sTunnel. but the web broswer doesnt recognize the certificate/site as SSL enabled, even though the address is changed to https://??.??
« Last Edit: September 26, 2010, 11:25:40 PM by chthonic »


Offline AvvA

  • Tireless poster
  • ****
    • Posts: 135
    • View Profile
About the virus, perhaps changing the name makes comodo tilt, but it doesn't change the sha1/256 signature of the file, I mean that the actual 'my file' and the actual rejetto's #266 are the same, even with a different name :D

***

Thanks :)

About your suggestions, Im not sure I understood totally what you meaned, or its purpose, but let's try to answer. Feel free to correct me if I misunderstood ;)

Quote
have an option for [default] values: port 80 for HFS and 443/80 for sTunnel
I won't default HFS connect port to 80, it is the default HTTP port, I can't see a reason to assign this specific port between Stunnel and HFS.
443 is already the default listening port.
But, you can easily switch to advanced mode (icon in the top right corner of sHFS confmakr) and set it yourself if it's what you need ;)

Quote
then an option for custom router values: incoming port/private-forwarded port (the one the software actually listens on behind the firewall); example: HFS 80/?? or vice versa and sTunnel is ??/?? with the default port of 443 forwarding to the private ACCEPT port of sTunnel which then links to the private CONNECT port that the HFS is actually using.
This doesn't concern me as far as I know ^^
You must set a unique port between HFS and Stunnel, the only way to do so is to switch to advanced mode, if you don't, port 44300 is used, I use it only because it's usually a free port. you can't set a joker.

Now, set HFS-Stunnel link to port 80, Stunnel listening port to 443, and set your router to follow to Stunnel port 443 all requests made on port '??' you have choosen.

Quote
if you have a dynamic dns service... you can change the default port for regular web but you cant change it for web SSL which is 443
To me you're mismatching, your dynamic DNS service has to redirect requests to Stunnel listening port on your machine, it's on you to configure correctly your Dynamic DNS service.
Also, https adresses default to 443, it's useless to add port number.

On another hand, I won't do something about dynamic DNS services because each one has it's own way and application to manage its functions. This is why I just add a check box, that will indicate the fact to HFS, but you'll still have to configure it manually.

So in your example, https://dynamic.domain/hfs_stuffs/ have to redirect to https://your.computer/hfs_stuffs/, then Stunnel will take the request as https is on 443 port.
if you router redirect ?? port to 443 on your computer, just make your dynamic dns provider redirect to ?? on your router's IP.

Quote
... the one used for your configurator shows the SSL traffic in sTunnel. but the web broswer doesnt recognize the certificate/site as SSL enabled, even though the address is changed to https://??.??
SSL traffic showed in Stunnel can be modified with confmakr, again in advanced mode. You'll have to reduce the log level.

There is no way you'll self-make a certificate which will be approved automatically, I leave you with google to find out why ;)

Quote
there is also a more effective certificate generation string for openSSL...
Yeah ?
Can you show me, please ?


Offline AvvA

  • Tireless poster
  • ****
    • Posts: 135
    • View Profile
@lxp : yes, it should work on any NT+ Windows, this meaning that I'm not sure as I didn't test it on each and every Windows OS declination (ie : all server and family versions that I don't use).

@Chthonic : So, how does it works ? Does it ? Wasn't I too far from what you asked to me ?


Offline chthonic

  • Tireless poster
  • ****
    • Posts: 121
  • I own the copyright to this image... "Back Off!"
    • View Profile
I did all that before you suggested it.. it still reacted the same way.. but it did not have an issue with build 267+


Offline AvvA

  • Tireless poster
  • ****
    • Posts: 135
    • View Profile
Hi :)

Quote from: v0.7 changelog
- random.rnd is now correctly re-created at each Stunnel/HFS start.
- small language change in order to use the correct HFS's EXE file depending on current Windows' language code (before only take good EXE on fr-fr and en-us, now will take the good one on all fr-?? systems).
- Added OpenSSL icon in 'about' tab and change the URL linked related to below changes.
- OpenSSL DLLs and EXE files are now taken from Stunnel mirrors, as DLLs are the exact same files as those supplied with Stunnel :
  - move VC++ files in stunnel folder,
  - delete openssl folder which contains openssl.exe and 3 cryptographic DLLs,
  - openssl.exe is now under stunnel folder.
It uses now the same DLLs to create the key with OpenSSL, and to use them with Stunnel (before, keys and certificates where create with slrproweb files and used with Stunnel crypto files).
I believe this should improve stability of HFS-Stunnel usage.
  
- update from Stunnel 4.33 to 4.35b1
- update from OpenSSL 1.0.0a to 1.0.0c
- update from HFS 2.3 #266 EN/FR to 2.3 #273a(FR) and 2.3 #273(EN)

As usually, I check each wikis, documentations and tuts before applying an update to this GUI, in order to verify if changes are needed in my source code. This time I found a well documented HFS-Stunnel thing on the HFS' wiki, that's nice, but I also notice that no reference to this GUI was there.

The first question coming to my head was "Why didn't he puts a link to this GUI ?",
"Is this too much of a mess ?",
"Is this a security-trust problem ?".

If someone have a clue on this, an idea on how I can enhance this GUI to better fits newbie usage, I'm all ears opened ^^'.


edit : last minute update without version change, it was about the random.rnd file (you can check if you've got the last version with MD5 checksums).
« Last Edit: January 30, 2011, 06:05:48 PM by AvvA »