View Full Version : DefenseWall Is Preventing Me From Installing RegRun Platinum 4.5


CogitoErgoSum
December 31st, 2005, 02:08 PM
What do I have to do with DefenseWall that will allow me to install RegRun Platinum 4.5? Any comments or advice would be greatly appreciated.


Peace & Love,

CogitoErgoSum

muf
December 31st, 2005, 02:12 PM
Well, if any application was stopping me then I would close down that application and then install Regrun. I'm sure you will be well protected by your other apps while DW is closed down.

By the way, I just registered Regrun Platinum today. What a cracking application. It's my fave.

muf

Notok
December 31st, 2005, 02:38 PM
I know that it does automatically put a lot of zip files in the untrusted area, so that's most likely what's happening. Unfortunately DW runs at the driver level, so just closing the UI won't do anything. What I would do is open the zip file, then look at the list of untrusted processes that are running, figure out which one it's keeping untrusted, and disable protection for that process (and close/reopen the zip file).

muf
December 31st, 2005, 03:31 PM
-{ Quote: "Unfortunately DW runs at the driver level, so just closing the UI won't do anything." }-

Yeah, but surely it has the option to close it down completely. I mean Online Armor has an option from the system tray that allows me to close down the GUI and the application itself. Are you saying that DefenseWall won't allow this?

muf

CogitoErgoSum
December 31st, 2005, 04:18 PM
Notok,

I determined that there are two untrusted processes running when I open the zip file and click on the regrunplat450.exe file. Unfortunately, these two untrusted processes are temp files that change their file name or directory every time I close and open the zip file and click on the regrunplat450.exe file. It is because of this that I cannot disable the protection for these processes. The only thing that I can think of is to uninstall DefenseWall during the install of RRP and reinstall it afterwards. Please advise.


Peace & Love,

CogitoErgoSum

WSFuser
December 31st, 2005, 07:28 PM
Have you tried installing in safe mode?

Notok
December 31st, 2005, 07:50 PM
-{ Quote: "Yeah, but surely it has the option to close it down completely. I mean Online Armor has an option from the system tray that allows me to close down the GUI and the application itself. Are you saying that DefenseWall won't allow this?" }-Nope.. unfortunately the only way to disable protection is to uninstall it.

-{ Quote: "I determined that there are two untrusted processes running when I open the zip file and click on the regrunplat450.exe file. Unfortunately, these two untrusted processes are temp files that change their file name or directory every time I close and open the zip file and click on the regrunplat450.exe file. It is because of this that I cannot disable the protection for these processes. The only thing that I can think of is to uninstall DefenseWall during the install of RRP and reinstall it afterwards. Please advise." }-I think the easiest way of doing this would be to just extract regrunplat450.exe somewhere and then run it, rather than just running it from your zip program. Just make sure that you didn't set the folder that you're running it from as Untrusted.

muf
December 31st, 2005, 08:36 PM
-{ Quote: "Nope.. unfortunately the only way to disable protection is to uninstall it." }-

Uw, bummer. And there was me thinking of giving DefenseWall a whirl. Just off to put on my re-think cap. :)

muf

CogitoErgoSum
December 31st, 2005, 11:25 PM
Notok,

FYI, I downloaded "regrunplat.zip" into "My Documents" folder. Before I clicked "regrunplat.zip" which revealed "regrunplat450.exe", I right-clicked "regrunplat.zip" and selected "run as trusted". I guess that means that I am using the standard resident WinXP zip program. Unfortunately, after clicking "regrunplat450.exe", I can still clearly see that DefenseWall considers this file as "untrusted".

To quote your latest post, "I think the easiest way of doing this would be to just extract regrunplat450.exe somewhere and then run it, rather than just running it from your zip program. Just make sure you didn't set the folder that you're running it from as Untrusted." What can I specifically do differently to conform to your recommendation? I greatly appreciate your help and patience.


Peace & Love,

CogitoErgoSum

Notok
December 31st, 2005, 11:54 PM
-{ Quote: "FYI, I downloaded "regrunplat.zip" into "My Documents" folder. Before I clicked "regrunplat.zip" which revealed "regrunplat450.exe", I right-clicked "regrunplat.zip" and selected "run as trusted". I guess that means that I am using the standard resident WinXP zip program. Unfortunately, after clicking "regrunplat450.exe", I can still clearly see that DefenseWall considers this file as "untrusted"." }-That is strange... I would contact the developer.

-{ Quote: "What can I specifically do differently to conform to your recommendation? I greatly appreciate your help and patience." }-Just double click on "regrunplat.zip" and drag-and-drop "regrunplat450.exe" to the desktop, then just run "regrunplat450.exe" from the desktop :)

Ilya Rabinovich
January 1st, 2006, 03:55 AM
Hi!

The main problem with running an application from an archive is that it is impossible to trace the source of the extracted file. That is why the only choice I have is to put applications run from the %TEMP% directory by the processes I know as unpackers (Explorer, WinZIP, WinRAR, 7-zip) into the untrusted zone automatically, because I don't know if they are trusted or not. The only suggestion is to extract the application from the archive so DefenseWall can know how to run it (trusted or untrusted). I'll think about whether I can do something to make this process easier and more understandable. Any suggestions?

P.S. All these things are described in the FAQ section of the Help file.

Ilya Rabinovich
January 1st, 2006, 04:13 AM
-{ Quote: "Uw, bummer. And there was me thinking of giving DefenseWall a whirl. Just off to put on my re-think cap. :)
muf" }-
Well, the main aim was: if it is impossible to switch off the protection from ring3 mode, it will be impossible for the malware to switch off the defense. Even if you close the GUI the defense will be working anyway (and protecting you!). That is why DefenseWall is designed this way!
As for running applications directly from archives: I've designed it this way because I have no other choice. Just put yourself in my place: what would you do if it is impossible to trace the source of the unpacked application file?

muf
January 1st, 2006, 09:01 AM
-{ Quote: "Well, the main aim was: if it is impossible to switch off the protection from ring3 mode, it will be impossible for the malware to switch off the defense. Even if you close the GUI the defense will be working anyway (and protecting you!). That is why DefenseWall is designed this way!
" }-

Yeah, but this way you also stop the user from closing it down. This basically means that the user has no control over DW. I don't like that. There should be a way for the user to shut it down completely, i.e. when you install DefenseWall you have to set up a password, and then when you want to close it down it asks you to enter the password to verify it.



CogitoErgoSum,
Could you not disable DW from starting up? Disable the service and GUI from ever starting, then once you get Regrun installed you can re-enable the DW startup of the service and GUI. Or is DW resistant to this as well?

muf

starfish_001
January 1st, 2006, 11:59 AM
-{ Quote: "-{ Quote: "Well, the main aim was: if it is impossible to switch off the protection from ring3 mode, it will be impossible for the malware to switch off the defense. Even if you close the GUI the defense will be working anyway (and protecting you!). That is why DefenseWall is designed this way!" }-

Yeah, but this way you also stop the user from closing it down. This basically means that the user has no control over DW. I don't like that. There should be a way for the user to shut it down completely, i.e. when you install DefenseWall you have to set up a password, and then when you want to close it down it asks you to enter the password to verify it.

CogitoErgoSum,
Could you not disable DW from starting up? Disable the service and GUI from ever starting, then once you get Regrun installed you can re-enable the DW startup of the service and GUI. Or is DW resistant to this as well?
muf" }-

It seems that the service won't be read - but you can change it to a manual start - install and then change back as you suggest.

deviladvocate
January 1st, 2006, 01:15 PM
-{ Quote: "Yeah, but this way you also stop the user from closing it down. This basically means that the user has no control over DW. I don't like that. There should be a way for the user to shut it down completely, i.e. when you install DefenseWall you have to set up a password, and then when you want to close it down it asks you to enter the password to verify it." }-

I must agree with muf. DefenseWall is hardly the first and only program to run in ring zero, and not allowing the user to temporarily shut it down is silly.

CogitoErgoSum
January 1st, 2006, 01:52 PM
-{ Quote: "Just double click on "regrunplat.zip" and drag-and-drop "regrunplat450.exe" to the desktop, then just run "regrunplat450.exe" from the desktop :)" }-

Notok,

Thanks for the help as I was able to install RegRun Platinum 4.5. I followed your advice with a slight twist. I set "regrunplat.zip" to "run as trusted" before opening it. I then copied and pasted "regrunplat450.exe" to the desktop. Next, I set "regrunplat450.exe" to "run as trusted" before running it from the desktop.


Peace & Love,

CogitoErgoSum

CogitoErgoSum
January 1st, 2006, 01:53 PM
Thanks muf and Ilya for your advice.


Peace & Love,

CogitoErgoSum

muf
January 1st, 2006, 02:38 PM
Just glad you got it sorted. Pity you had to go through all that faffing around to do so. At least you got there in the end. :)

muf

Notok
January 1st, 2006, 04:20 PM
-{ Quote: "Thanks for the help as I was able to install RegRun Platinum 4.5. I followed your advice with a slight twist. I set "regrunplat.zip" to "run as trusted" before opening it. I then copied and pasted "regrunplat450.exe" to the desktop. Next, I set "regrunplat450.exe" to "run as trusted" before running it from the desktop." }-Glad to hear it :) You should be able to extract to the desktop without disabling protection on the zip file itself in the future, but at least you know what to do from now on :)

Ilya Rabinovich
January 2nd, 2006, 04:25 AM
-{ Quote: "Yeah, but this way you also stop the user from closing it down. This basically means that the user has no control over DW. I don't like that. There should be a way for the user to shut it down completely, i.e. when you install DefenseWall you have to set up a password, and then when you want to close it down it asks you to enter the password to verify it." }-
Well, I'm afraid you are wrong. Just think: how many _real_ users will set up the password? No-no, just let me guess: none of them?

-{ Quote: "
CogitoErgoSum,
Could you not disable DW from starting up. Disable the service and GUI from ever starting, then once you get Regrun installed you can re-enable the DW startup of the service and GUI. Or is DW resistant to this as well?
muf" }-
I'm afraid you are wrong one more time. If CogitoErgoSum needs to disable DW, he should set the "Start" field of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwall" registry key to "3" and restart. The DW driver won't be loaded at startup.

muf
January 2nd, 2006, 05:05 AM
Firstly, the password suggestion was just an "on-the-fly" suggestion. There are other ways you could accommodate user termination.

Secondly, users usually have to tamper with the registry when they are infected with something that is difficult to remove. Ring any bells? This DefenseWall is sounding more and more like a piece of malware itself. Needless to say I've deleted the installer as I prefer something on my computer that I have control over.

muf

Ilya Rabinovich
January 2nd, 2006, 07:30 AM
-{ Quote: "Firstly, the password suggestion was just an "on-the-fly" suggestion. There are other ways you could accommodate user termination." }-
Just name me one of them that could be used in the real world with the real users.

-{ Quote: "
Secondly, users usually have to tamper with the registry when they are infected with something that is difficult to remove. Ring any bells?" }-
It is very easy to remove DW. With three mouse clicks. Ring any bells?

-{ Quote: "
This Defensewall is sounding more and more like a piece of malware itself." }-
I'm afraid you still don't know the definition of "malicious software". Google will help you!

-{ Quote: "
Needless to say i've deleted the installer as i prefer something on my computer that I have control over.
" }-
Then you should delete your Windows OS from your hard disk, because it gives you no chance of being in control of it! Linux forever!

Franklin
January 2nd, 2006, 08:21 PM
-{ Quote: "Firstly, the password suggestion was just an "on-the-fly" suggestion. There are other ways you could accommodate user termination.

Secondly, users usually have to tamper with the registry when they are infected with something that is difficult to remove. Ring any bells? This DefenseWall is sounding more and more like a piece of malware itself. Needless to say I've deleted the installer as I prefer something on my computer that I have control over.

muf" }-
Disabling Defensewall from startup with Winpatrol seems to work without going into the registry.

Great to see that Defensewall protects against the latest WMF exploit.

Ilya Rabinovich
January 3rd, 2006, 03:42 AM
-{ Quote: "Disabling Defensewall from startup with Winpatrol seems to work without going into the registry." }-
No, you are wrong. There are two ways to disable DW from protecting the system.
1. Delete dwall.sys into the "Recycle Bin" and restart (later it will be very easy to restore the file and restart to bring the protection back up).
2. Set the "Start" field of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwall" registry key to "3" and restart.
All those actions are not allowed for untrusted processes and, also, the restart will close the untrusted processes zone. That is why it is a 100% safe method, unlike disabling the protection on-the-fly.

-{ Quote: "
Great to see that Defensewall protects against the latest WMF exploit." }-
DefenseWall doesn't protect against the WMF exploit itself. It protects you from the malware's consequences. It puts them inside the untrusted processes zone and doesn't allow them to modify system parameters, to break through the sandbox or to autorun.
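As an added example (not from the thread and not DefenseWall's own tooling), the driver start-type change Ilya describes above, written as an elevated PowerShell script: it reads the current "Start" value of the dwall key, records it to a backup file (assumed location) before setting it to 3, and restores the recorded value afterwards; the function names and the backup path are my own. The start-type names come from the standard Windows SERVICE_* start values; the change takes effect only after the restart the post calls for.

```powershell
# Added example: toggle whether the DefenseWall driver (dwall.sys) is loaded at boot
# by editing the "Start" value of HKLM\SYSTEM\CurrentControlSet\Services\dwall,
# as described in the thread. Not part of DefenseWall; function names and
# backup path are assumptions. Run from an elevated PowerShell; reboot afterwards.

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\dwall'
$backup = Join-Path $env:USERPROFILE 'dwall-start-backup.txt'   # assumed location

# Meaning of the Start DWORD for drivers and services (standard SERVICE_* start types)
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual (demand)'; 4 = 'Disabled' }

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DwallStart {
    # Report the current start type in human-readable form.
    if (-not (Test-Path $key)) { throw "Driver key not found: $key" }
    $v = [int](Get-ItemProperty -Path $key -Name Start).Start
    $name = if ($startNames.ContainsKey($v)) { $startNames[$v] } else { 'Unknown' }
    "dwall Start = $v ($name)"
}

function Disable-DwallAtBoot {
    # Step 2 from the post: Start -> 3 so the driver is not loaded at the next boot.
    # The original value is saved first so Enable-DwallAtBoot restores exactly that.
    if (-not (Test-Elevated)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    $orig = [int](Get-ItemProperty -Path $key -Name Start).Start
    Set-Content -Path $backup -Value $orig
    Set-ItemProperty -Path $key -Name Start -Value 3 -Type DWord
    "dwall Start was $orig, now 3 (Manual). Restart for the driver to stay unloaded."
}

function Enable-DwallAtBoot {
    # Put the recorded start type back; protection returns after the next restart.
    if (-not (Test-Elevated)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    if (-not (Test-Path $backup)) { throw "No backup at $backup; set Start manually." }
    $orig = [int](Get-Content -Path $backup)
    Set-ItemProperty -Path $key -Name Start -Value $orig -Type DWord
    Remove-Item -Path $backup
    "dwall Start restored to $orig ($($startNames[$orig])). Restart to reload the driver."
}

# Show the current state; call Disable-DwallAtBoot / Enable-DwallAtBoot as needed.
Get-DwallStart
```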

starfish_001
January 3rd, 2006, 04:50 AM
Ilya

Is this the same as setting the service to start manually?

2. Set "Start" field of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwall" registry key to "3" and restart.

Ilya Rabinovich
January 3rd, 2006, 05:10 AM
-{ Quote: "Ilya

Is this the same as setting the service to start manually?

2. Set "Start" field of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwall" registry key to "3" and restart." }-
Not exactly. It is for the driver, not for the service.

starfish_001
January 3rd, 2006, 06:44 AM
Would changing the service have a similar effect? It is a bit easier.

deviladvocate
January 3rd, 2006, 06:55 AM
-{ Quote: "No, you are wrong. There are two ways to disable DW from protecting the system.
1. Delete dwall.sys into the "Recycle Bin" and restart (later it will be very easy to restore the file and restart to bring the protection back up).
2. Set the "Start" field of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwall" registry key to "3" and restart.
All those actions are not allowed for untrusted processes and, also, the restart will close the untrusted processes zone. That is why it is a 100% safe method, unlike disabling the protection on-the-fly.
" }-

Ilya, don't you agree that your job should help users find an easy way to disable DW? By easy I mean methods accessible in the GUI, not registry hacks or forced deleting of sys files.

This sounds exactly like what you would do for malware, because they don't allow themselves to be shut down from within the program, and you need to do extra steps outside the program to shut it down.

Granted, many malware are far more resistant than DW to shut down, with multiple protecting services and programs.

I appreciate your fear of malware processes easily shutting down DW, but for many users, if they don't find an easy way to shut down some software, they will yell malware. You surely don't want that to happen.

As a compromise why not do a system like captcha (http://www.devx.com/DevX/Link/21310). Whenever there is a request that DW be shut down, a randomised series of images will be shown, and DW will only be shut down if the correct input is entered.

It is highly unlikely that any malicious process will be able to beat it, and it has the advantage over passwords that the system always runs even if the user does not bother to set up a password.

Of course, the drawback is that it's possible the malicious process is being guided by a real human intelligence.....

Another question: what happens if 'netstop' is used against your service? How about providing a bat file or reg file to allow users to easily turn off DF?
Any restricted process which tried to exploit these methods would fail, since their child processes would not have sufficient privileges, right?

Ilya Rabinovich
January 3rd, 2006, 08:32 AM
-{ Quote: "Ilya, don't you agree that your job should help users find an easy way to disable DW? By easy I mean methods accessible in the GUI, not registry hacks or forced deleting of sys files." }-
I just don't understand why somebody needs to switch off the defense? I always thought that my job is to protect users, not to disable their protection.

-{ Quote: "
This sounds exactly like what you would do for malware, because they don't allow themselves to be shut down from within the program, and you need to do extra steps outside the program to shut it down." }-
In fact, all anti-malware software must protect its defense core from being shut down by malware processes, just as malware must protect itself from being shut down by the user. But it doesn't mean that anti-malware software === malware. Yes, in this case there is the same ideology, and so on? If you don't like DW you can always uninstall it......

-{ Quote: "
I appreciate your fear of malware processes easily shutting down DW, but for many users, if they don't find an easy way to shut down some software, they will yell malware. You surely don't want that to happen." }-
I don't think so.

-{ Quote: "
As a compromise why not do a system like captcha (http://www.devx.com/DevX/Link/21310). Whenever there is a request that DW be shut down, a randomised series of images will be shown, and DW will only be shut down if the correct input is entered.

It is highly unlikely that any malicious process will be able to beat it, and it has the advantage over passwords that the system always runs even if the user does not bother to set up a password." }-
I don't think it is a good idea. If you know how the program generates the picture it is always possible to make a recognition engine. It is too risky. I have no right for that.

-{ Quote: "
Another question: what happens if 'netstop' is used against your service? " }-
Nothing will happen. The service runs only during the OS start process; after that it is inactive. You won't be able to stop a service which is not running. Anyway, the defense is 100% kernel mode, you will be unable to unload the driver.

-{ Quote: "
How about providing a bat file or reg file to allow users to easily turn off DF?
Any restricted process which tried to exploit these methods would fail, since their child processes would not have sufficient privileges, right?" }-
Yes, I could make it. An untrusted process won't be able to use it because of the DW restrictions. But, anyway, it will need a restart 1) for the changed start setting to take effect and 2) to clean up the untrusted processes zone. You will see two .reg files within the next release's package of DW (1.5).

devilish
January 3rd, 2006, 09:56 AM
-{ Quote: "
-{ Quote: "Ilya, don't you agree that your job should help users find an easy way to disable DW? By easy I mean methods accessible in the GUI, not registry hacks or forced deleting of sys files." }-
I just don't understand why somebody needs to switch off the defense? " }-

Well here's one very common reason: for testing to see if it is causing a conflict.

-{ Quote: "
In fact, all anti-malware software must protect its defense core from being shut down by malware processes, just as malware must protect itself from being shut down by the user. But it doesn't mean that anti-malware software === malware. Yes, in this case there is the same ideology, and so on?
" }-

Yes, and they all provide a relatively simple yet secure (not 100%, nothing is) way to shut it down temporarily, something your product doesn't.

-{ Quote: "
If you don't like DW you can always uninstall it......
" }-

Well what if I only want to turn it off temporarily? As I said, I appreciate your concern with helping to protect users, but I'm afraid such a policy where you don't allow users a simple way to shut down DF is going to lead to people abandoning your software.


-{ Quote: "
I don't think it is a good idea. If you know how the program generates the picture it is always possible to make a recognition engine. It is too risky. I have no right for that.
" }-

There is no perfect unbreakable defense, and there's always a tradeoff. Are you sure your method of turning off DF is 100% foolproof?


-{ Quote: "
Yes, I could make it. An untrusted process won't be able to use it because of the DW restrictions. But, anyway, it will need a restart 1) for the changed start setting to take effect and 2) to clean up the untrusted processes zone. You will see two .reg files within the next release's package of DW (1.5)." }-

Besides just adding the 2 reg files, I suggest you link them to the DF GUI (maybe with a new tab that says 'shut down DF protection (requires restart)'), with instructions.

Personally I think needing to restart the machine to turn off DF is a good enough compromise, as long as the option is prominently shown on your GUI, so even beginners can figure out how to turn off DF's protection without having to come to Wilders and learn how to edit the registry.

Ilya Rabinovich
January 3rd, 2006, 10:20 AM
-{ Quote: "Well here's one very common reason: for testing to see if it is causing a conflict.


Well what if I only want to turn it off temporarily? As I said, I appreciate your concern with helping to protect users, but I'm afraid such a policy where you don't allow users a simple way to shut down DF is going to lead to people abandoning your software.

Personally I think needing to restart the machine to turn off DF is a good enough compromise, as long as the option is prominently shown on your GUI, so even beginners can figure out how to turn off DF's protection without having to come to Wilders and learn how to edit the registry." }-

OK. Your arguments are reasonable. I'll integrate a "Disable/Enable" item into the DW context menu. But, anyway, users will have to restart their computer to make sure that, even if this action is initiated by malware, all the untrusted processes will be closed before the protection is disabled, so malware won't get any advantage from this. Also, a "Help" menu item will be integrated (some users cannot find the help from the "Start"->"Programs"->"DefenseWall" menu). The next release (1.15) will be soon......