Question about GeSWall


zopzop
May 18th, 2006, 12:05 PM
hello, has anyone ever tried this firewall/sandbox program? i've searched the forums and there's very little information about it. how well does GeSWall protect vs spyware, rootkits, and other net hazards? has it ever been tested?

i went on over to the spycar.org website and tried out the tests found there. when GeSWall is active they don't seem to run at all. is this normal?

any help would be appreciated, thanks in advance.

edit: i just went to http://www.trustware.com/index.php and tried the "Setup File Test" and the results were horrendous:(

a keylogger was installed, various processes were attacked and the contents of MyDocuments folder were shown!

Stem
May 19th, 2006, 12:01 AM
-{ Quote: "edit: i just went to http://www.trustware.com/index.php and tried the "Setup File Test" and the results were horrendous:( " }-
Hi zopzop,
It has been a while since I looked at this application, but it can take a bit of setting up to protect your system fully. Example: in the test you mention, the program will access your documents folder,..by default installation of Geswall, this folder is not protected, so you would need to place a rule in: Resources- and create a rule to set this folder as "Confidential". You will then be warned of access attempts made on this location.
If I remember correctly, the only folder set as "confidential" by default is /all users/confidential- which you would need to create to store your private folders/files

zopzop
May 19th, 2006, 01:40 AM
hello again and thanks for the info stem! i was checking geswalls log of the attack and i got the following:

-{ Quote: "2006.05.19 01:36:02 TrojDemo[1].exe READONLY access to C: (File)
2006.05.19 01:36:02 TrojDemo[1].exe READONLY access to \Device\NamedPipe\wkssvc (File)
2006.05.19 01:36:02 TrojDemo[1].exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache (Registry)
2006.05.19 01:36:02 calc.exe READONLY access to C: (File)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to C:\WINDOWS\system32\taskmgr.exe (File)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to C:\WINDOWS\system32\telnet.exe (File)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to C:\WINDOWS\system32\ftp.exe (File)
2006.05.19 01:36:02 TrojDemo[1].exe DENY access to C:\Documents and Settings\Tiggy\My Documents\Confidential (File)
2006.05.19 01:36:02 TrojDemo[1].exe DENY access to C:\Documents and Settings\Tiggy\My Documents\Confidential (File)
2006.05.19 01:36:08 TrojDemo[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.19 01:36:08 Maxthon.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.19 01:36:08 Maxthon.exe READONLY access to explorer.exe (Process)
" }-

it says the trojandemo had "readonly" and "redirect" access to my pc. how terrible is this?
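An added example, not GeSWall's own tooling, that parses log lines in the format quoted above and summarises the verdicts per process, flagging denied accesses, blocked window messages, and redirected writes to system32 and autostart keys. The line shapes are inferred from the excerpts quoted in this thread; the sample lines are constructed from those excerpts plus one malformed line.

```python
"""Summarise GeSWall-style isolation log lines by process and verdict.

Added example (not GeSWall's own tooling). The line shapes are inferred from
the excerpts quoted in this thread; the sample lines below are constructed
from those excerpts.
"""
import re
from collections import defaultdict

# Two shapes occur in the quoted logs:
#   <date> <time> <process> <VERDICT> access to <path> (<File|Registry|Process>)
#   <date> <time> <process> DENY <hex code> message to <process> (Process)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\S+) (?P<verdict>READONLY|REDIRECT|DENY)"
    r"(?: (?P<code>[0-9A-Fa-f]+))? (?P<kind>access|message) to "
    r"(?P<target>.+) \((?P<rtype>File|Registry|Process)\)$"
)

# Constructed sample, assembled from lines quoted earlier in this thread plus
# one deliberately malformed line to exercise the unparsed path.
SAMPLE_LOG = r"""
2006.05.19 01:36:02 TrojDemo[1].exe READONLY access to C: (File)
2006.05.19 01:36:02 TrojDemo[1].exe REDIRECT access to C:\WINDOWS\system32\taskmgr.exe (File)
2006.05.19 01:36:02 TrojDemo[1].exe DENY access to C:\Documents and Settings\Tiggy\My Documents\Confidential (File)
2006.05.21 00:12:04 regtest.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Registry)
2006.05.21 00:20:24 regtest.exe DENY 0 message to ashDisp.exe (Process)
2006.05.21 12:01:11 breakout-wp[1]. DENY 1A message to explorer.exe (Process)
this line is not in the log format and must be reported as unparsed
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines):
    """Count verdicts per process and pull out the events worth a second look.

    Returns (counts, events, unparsed): counts[proc][verdict] is an int,
    events is a list of (tag, process, target) tuples, and unparsed holds the
    raw lines the regex rejected.
    """
    counts = defaultdict(lambda: defaultdict(int))
    events, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        counts[rec["proc"]][rec["verdict"]] += 1
        target = rec["target"]
        low = target.lower()
        if rec["kind"] == "message":
            # A window message to another process was blocked ("block local communications").
            events.append(("blocked_window_message", rec["proc"], target))
        elif rec["verdict"] == "DENY":
            events.append(("denied_access", rec["proc"], target))
        elif rec["verdict"] == "REDIRECT" and rec["rtype"] == "Registry" and "\\currentversion\\run" in low:
            # An autostart key was written, but only to the process's private copy.
            events.append(("autostart_write_redirected", rec["proc"], target))
        elif rec["verdict"] == "REDIRECT" and rec["rtype"] == "File" and "\\system32\\" in low:
            events.append(("system_file_write_redirected", rec["proc"], target))
    return counts, events, unparsed


if __name__ == "__main__":
    counts, events, unparsed = summarise(SAMPLE_LOG.strip().splitlines())
    for proc, verdicts in counts.items():
        print(proc, dict(verdicts))
    for ev in events:
        print(*ev)
    print("unparsed:", len(unparsed))
```

Run it on a saved log and the per-process table shows at a glance which entries were only redirected (the real file or key stayed untouched) and which were outright denied, which is the distinction the thread keeps coming back to.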

Stem
May 19th, 2006, 02:13 AM
As I mentioned, it is quite a while since I installed and used this, but at that time the system files/reg had very little default protection. I cannot find the msi for Geswall, so cannot say which version I had.

EDIT,
I downloaded and installed the latest (free) version to have another play,......on running the test I am warned of the execution and the access attempts of the "confidential" folders, but even my attempts to stop access to the system32 files is at this moment not having much success, as Geswall simply redirects (creates a copy of the file) and allows access to the copy, which does stop any alteration to the original files, but does not stop the access, and Geswall is not alerting to the keylogging or the attempted network access.
I have to go to work now, so I will try to find time later to continue to play,.....

zopzop
May 21st, 2006, 12:36 AM
kk i'm back again :)

i keep trying to run tests from various sites to put geswall to the test (since so few people have it/test it) and i came along this one from ghost security:
http://www.ghostsecurity.com/index.php?page=regtest

test 1 attempts to write stuff to the registry VERY quickly and these are the results of the test from geswall's log:

-{ Quote: "2006.05.21 00:12:04 regtest.exe READONLY access to C: (File)
2006.05.21 00:12:04 regtest.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters (Registry)
2006.05.21 00:12:04 regtest.exe READONLY access to HKLM\SOFTWARE\Classes\CLSID\{71446468-E341-8ED8-AAD6-FA05E62B7E28} (Registry)
2006.05.21 00:12:04 regtest.exe REDIRECT access to HKLM\SOFTWARE\Licenses (Registry)
2006.05.21 00:12:04 regtest.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Registry)
2006.05.21 00:12:04 regtest.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.21 00:12:09 regtest.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Control\Session Manager (Registry)
2006.05.21 00:12:12 regtest.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Registry)
2006.05.21 00:12:18 regtest.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Registry)
" }-

"redirect" comes up a lot in this test and the bufferzone test so i tried to look up what it means on gentle security's website:
http://gentlesecurity.com/docs/applications.html
-{ Quote: "Redirect Application my read resource but once it tries to modify it, GeSWall creates a local copy of the file or registry key, which is modified instead. That allows the application to work smoothly and at the same time prevents modification of trusted resources. The local copy is not permanent. It is erased on application termination. " }-

unless i'm understanding this wrong, it means the tests (both the bufferzone one and this one) are only attacking a "dummy" registry while my real registry is safe and sound.

test 2 attempts to write to various autostart locations then forces a shutdown, these are my results from geswall:
-{ Quote: "2006.05.21 00:20:22 regtest.exe READONLY access to HKLM\SYSTEM\ControlSet001\Services\1RegTest (Registry)
2006.05.21 00:20:22 regtest.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (Registry)
2006.05.21 00:20:22 regtest.exe READONLY access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\@1GhostRegTest (Registry)
" }-

and a WHOLE bunch of deny type messages like this:
-{ Quote: "2006.05.21 00:20:24 regtest.exe DENY 0 message to ashDisp.exe (Process)
" }-

it couldn't reboot my machine, then once i manually rebooted nothing happened it couldn't affect the registry.

Stem
May 21st, 2006, 10:21 AM
Hi zopzop,
I haven't had time to continue to "play" with Geswall.

-{ Quote: " i'm understanding this wrong, it means the tests (both the bufferzone one and this one) are only attacking a "dummy" registry while my real registry is safe and sound." }-
This is correct, I mentioned this in my post#4



-{ Quote: "and a WHOLE bunch of deny type messages" }-
This will be the "block local communications", .... I am curious if this would block the Breakout (http://www.firewallleaktester.com/leaktest16.htm) test
I will try to find time to re-install, as I still want to see why it didn't pick up on the keylogger (in the "setup file test")

zopzop
May 21st, 2006, 11:49 AM
-{ Quote: "Hi zopzop,
I haven't had time to continue to "play" with Geswall." }-

no worries stem.

-{ Quote: "This is correct, I mentioned this in my post#4" }-
i see it now :) sorry stem i'm sorta slow when it comes to this ;)


-{ Quote: "This will be the "block local communications", .... I am curious if this would block the Breakout (http://www.firewallleaktester.com/leaktest16.htm) test" }-
i tried the test you linked to stem here are my results from geswall's log:
-{ Quote: "2006.05.21 12:00:03 breakout-en[1]. READONLY access to C: (File)
2006.05.21 12:00:03 iexplore.exe READONLY access to explorer.exe (Process)
2006.05.21 12:00:04 iexplore.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.21 12:00:06 iexplore.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\7\Shell (Registry)
2006.05.21 12:00:28 iexplore.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count (Registry)
2006.05.21 12:00:29 iexplore.exe READONLY access to HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication (Registry)
2006.05.21 12:00:33 iexplore.exe READONLY access to explorer.exe (Process)
2006.05.21 12:01:11 iexplore.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache (Registry)
2006.05.21 12:01:11 breakout-wp[1]. READONLY access to C: (File)
2006.05.21 12:01:11 iexplore.exe READONLY access to explorer.exe (Process)
2006.05.21 12:01:11 breakout-wp[1]. REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Control Panel\Desktop (Registry)
2006.05.21 12:01:11 breakout-wp[1]. READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.21 12:01:11 breakout-wp[1]. READONLY access to \Device\NamedPipe\lsass (File)
2006.05.21 12:01:11 breakout-wp[1]. READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.21 12:01:11 breakout-wp[1]. READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.21 12:01:11 breakout-wp[1]. READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.21 12:01:11 breakout-wp[1]. DENY 1A message to explorer.exe (Process)
" }-

-{ Quote: "I will try to find time to re-install, as I still want to see why it didnt pick up on the keylogger (in the "setup file test")" }-

i know this is odd, maybe there wasn't really a keylogger installed in the bufferzone test? i tried to email geswall's support team, but they are slow with the responses to the free desktop version of geswall (i don't blame them though).

edit: i didn't see that there were 2 breakout tests on that page and that i needed to be using IE to test them. updated my post with the ie results for both tests.

Stem
May 21st, 2006, 12:46 PM
Hi zopzop,
-{ Quote: "i know this is odd, maybe there wasn't really a keylogger installed in the bufferzone test?" }-
I didn't try this test with Geswall, I just ran the "trojdemo" (setup file test). Does Geswall intercept API calls on an isolated application? It appears strange that trojdemo can call API function "createprocess<calc.exe>" (run calc.exe), albeit readonly. This is possibly as the info on Geswall does state that applications are allowed to run normally, just that the "redirect" stops any corruption/damage to the apps/reg used. Blocking this call (blocking calc.exe from being run by trojdemo) will make the trojdemo fail. If this is allowed then trojdemo makes an API function call "setwindowshookEx" (installs system wide hook). It does say at the Geswall website that Geswall blocks keyloggers (but the test results from trojdemo report that the keylogging was successful). I will have a good re-read of the help files, and then re-install on to a new installation of XP to try (just in case any of my apps were causing conflict).

Re- breakout,... yes it does look like the windows messages are intercepted/blocked (thanks for running the test / posting the info)

Just for info, when I run the "trojdemo" on a system with SSM installed, the test results are (I did allow calc.exe to be run):-

-{ Quote: "------ Hooks / Keylogging test ------
Simple Keylogger attack: Failed!
" }-

EDIT,
I have re-installed Geswall onto XPsp2-all updates (well up to 10 days ago when I created the image), on the default installation of Geswall (no firewall/av or other hips installed), these are the test results from the running of "Trojdemo" (the test did fail, but due to network connection being blocked by external firewall)

-{ Quote: "------ Hooks / Keylogging test ------
Simple Keylogger attack: SUCCESS!

------ Files Attack test ------
Attacking C:\WINDOWS\system32\TASKMGR.EXE: SUCCESS!
Attacking C:\WINDOWS\system32\TELNET.EXE: SUCCESS!
Attacking C:\WINDOWS\system32\FTP.EXE: SUCCESS!

------ Local Spy test ------
-- Browsing local documents.. --
C:\Documents and Settings\Stem\My Documents\desktop.ini
C:\Documents and Settings\Stem\My Documents\Confidential\readme.txt
C:\Documents and Settings\Stem\My Documents\My Music\Desktop.ini
C:\Documents and Settings\Stem\My Documents\My Music\Sample Music.lnk
C:\Documents and Settings\Stem\My Documents\My Pictures\Desktop.ini
C:\Documents and Settings\Stem\My Documents\My Pictures\Sample Pictures.lnk
" }-
I am a little surprised that the "local spy test" managed to read the "confidential" folder, and didn't stop the "simple keylogger". So from this, if I hadn't blocked the network connection, the private info would have been sent out.

zopzop
May 21st, 2006, 03:09 PM
-{ Quote: "Hi zopzop,
I didn't try this test with Geswall, I just ran the "trojdemo" (setup file test). Does Geswall intercept API calls on an isolated application? It appears strange that trojdemo can call API function "createprocess<calc.exe>" (run calc.exe), albeit readonly. This is possibly as the info on Geswall does state that applications are allowed to run normally, just that the "redirect" stops any corruption/damage to the apps/reg used. Blocking this call (blocking calc.exe from being run by trojdemo) will make the trojdemo fail. If this is allowed then trojdemo makes an API function call "setwindowshookEx" (installs system wide hook). It does say at the Geswall website that Geswall blocks keyloggers (but the test results from trojdemo report that the keylogging was successful). I will have a good re-read of the help files, and then re-install on to a new installation of XP to try (just in case any of my apps were causing conflict)." }-

API, hooks, etc..? whoosh over my head :)

-{ Quote: "Re- breakout,... yes it does look like the windows messages are intercepted/blocked (thanks for running the test / posting the info)" }-
yw, anytime stem!

-{ Quote: "Just for info, when I run the "trojdemo" on a system with SSM installed, the test results are (I did allow calc.exe to be run):-
" }-

SSM? system safety monitor?


-{ Quote: "I am a little surprised that the "local spy test" managed to read the "confidential" folder, and didn't stop the "simple keylogger". So from this, if I hadn't blocked the network connection, the private info would have been sent out." }-

again i'm not too sure about the keylogger. but it's odd that the trojdemo.exe test saw your confidential folder/files. i ran the test on my machine and the trojdemo.exe test did not find my confidential folder/file. here are my results:
-{ Quote: "------ Hooks / Keylogging test ------
Simple Keylogger attack: SUCCESS!

------ Files Attack test ------
Attacking C:\WINDOWS\system32\TASKMGR.EXE: SUCCESS!
Attacking C:\WINDOWS\system32\TELNET.EXE: SUCCESS!
Attacking C:\WINDOWS\system32\FTP.EXE: SUCCESS!

------ Local Spy test ------
-- Browsing local documents.. --
C:\Documents and Settings\Tiggy\My Documents\desktop.ini
C:\Documents and Settings\Tiggy\My Documents\Pictures 006.bm.bmp
C:\Documents and Settings\Tiggy\My Documents\ShadowSurfer.exe
C:\Documents and Settings\Tiggy\My Documents\My Collections\Desktop.ini
C:\Documents and Settings\Tiggy\My Documents\My Collections\Main Collection.cfs
C:\Documents and Settings\Tiggy\My Documents\My eBooks\test.txt
C:\Documents and Settings\Tiggy\My Documents\My Music\Desktop.ini
C:\Documents and Settings\Tiggy\My Documents\My Music\Sample Music.lnk
C:\Documents and Settings\Tiggy\My Documents\My Music\Samples.lnk
C:\Documents and Settings\Tiggy\My Documents\My muvees\test.txt
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Desktop.ini
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Sample Pictures.lnk
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Samples.lnk
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Thumbs.db
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Twins.bmp
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 001.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 002.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 003.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 004.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 005.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 006.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 007.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 008.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 009.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 010.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 011.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 012.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 013.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 014.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 015.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 016.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 017.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 018.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 019.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Baby's Pictures 020.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Baby's Pictures\Thumbs.db
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\Dragon_head_Wallpaper.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\ehthumbs.db
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\GadoAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\JennyAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\JennyAnimal1.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\LongAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\ShenlongAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\ShinaAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\StunAnimal2.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\Thumbs.db
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\transformers_651.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\UrikoAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\wallpaper_bloody_roar_3_02_1600.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\XionAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\Screen Saver Pictures\YugoAnimal.jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\110_0011.JPG
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\110_0012.JPG
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\110_0014.JPG
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\110_0015.JPG
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\110_0031.JPG
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\110_0040.JPG
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\38712468_l[1].jpg
C:\Documents and Settings\Tiggy\My Documents\My Pictures\tommys pics\Thumbs.db
C:\Documents and Settings\Tiggy\My Documents\My Videos\Desktop.ini
C:\Documents and Settings\Tiggy\My Documents\My Videos\Pictures 007.bmp
C:\Documents and Settings\Tiggy\My Documents\My Videos\Samples.lnk
" }-

basically that's my documents folder without the confidential folder from geswall. there is something i should mention about this test though, it will not report an empty folder. for example the "My eBooks" and "My muvees" folder did not show up in the original test because they were empty. so i created a garbage file "test.txt" and ran the test again. then they showed up. on my system the trojdemo.exe can't access the geswall confidential folder. it's odd that it can on yours though.

Brian Walche
May 21st, 2006, 03:33 PM
You can setup your own confidential directories in GeSWall Console as described here http://www.gentlesecurity.com/docs/resources.html

As correctly noted, access to files and the registry was redirected to per-process copies. It means that the target files stay unmodified. The GeSWall VBS demo script http://www.gentlesecurity.com/demo.html uses a special method to avoid this false-positive problem. The script starts one process for modification and another process to check the result. In that case the checking process doesn't see per-process modifications from the other process, e.g.:

copy calc.exe notepad.exe
fc notepad.exe calc.exe

and "reg.exe query" is used to check registry modifications.

As for the key logger, it is blocked. TrojDemo calls SetWindowsHookEx, which installs a hook for messages. However, the API call requires a DLL that will be loaded into the logged process. So whenever a keyboard message occurs, the system calls the HookProcedure within the given DLL.

That is blocked by GeSWall, as it prevents "untrusted" DLLs (created by isolated applications) from being loaded into non-isolated (trusted) processes. Therefore, the key logger will not be able to see any keyboard message of non-isolated processes. TrojDemo specifies itself (trojdemo.exe) as the DLL. Because trojdemo.exe is created by the isolated browser, GeSWall will block its loading even though SetWindowsHookEx doesn't report an error.

zopzop
May 21st, 2006, 04:52 PM
thanks for the info brian! :)

so now i've/we've tested geswall against the spycar.org site and it passed, i've/we've tested it against the ghost security reg test and it passed, i've/we've tested it against both breakout leak tests and it passed.

brian, stem, and others on this forum; how would geswall fare vs the infamous killdisk virus? VMware (virtualization app), sandboxie (sandbox app), and app defend couldn't stop it. the info was gotten from this thread here:
http://www.wilderssecurity.com/showthread.php?t=132040

anyone brave enough to try using geswall vs the killdisk virus?:D

Stem
May 21st, 2006, 06:29 PM
Brian Walche,
Is there any way to stop an isolated program from accessing files, such as in the /system32/, I did attempt to stop access simply by making the directory "confidential" but the accessing of "redirected" files from the folder still took place.

EDIT,
I have been re-looking at Geswall, I note that only "Known applications" are "Isolated".
I wanted to check on the "keylogging" as trojdemo results indicate keylogging as successful- but from your explanation, I would think that the program believes it was successful (keylogging started) but no windows message would be allowed (no keystrokes monitored).
I run a simple screen capture utility- Hoversnap, this when started is not monitored by Geswall and installs window hook <hoverkHook.dll>, this is successful and key logging/monitoring is performed with no intervention from Geswall.
Do I take it from this that any "unknown to Geswall" application that is able to run on the system is ignored and able to do whatever to the system?

Brian Walche
May 22nd, 2006, 05:21 AM
If you mean denying access instead of redirecting then making a directory “confidential” must help. Additionally you may exercise these options:
1) In application definition, create a rule: “%SystemRoot%\system32\” with “Read Only” permission. You could use “deny” permission but an application may refuse to start because of this.
2) Set application’s security level to “Untrusted (Jail)”. In that case, you would need to specify explicitly all resources required by the application.

Yes, GeSWall Personal Edition claims safe use of internet applications by preventing attacks coming via them, particularly via isolated applications. That is a limitation of course, but perhaps not sufficient. GeSWall already supports dozens of the most popular internet applications such as browsers, messengers, e-mail, p2p clients, etc., and the process continues http://www.gentlesecurity.com/safe.html Note that “known” applications are identified regardless of versions and localizations.

All these applications are considered “threat gates”, that means they serve as entry points for attacks. GeSWall tracks files created by these isolated applications and isolates them as well.

GeSWall Enterprise Edition deals with such problems and isolates not only “known” applications. However, there are various options for Personal Edition as well. For example, please read this tip http://www.gentlesecurity.com/tips.html#sonydrm
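An added example, not GeSWall code, modelling the behaviour Brian Walche describes in this post and his earlier one: an isolated application's modifications land in a private per-process copy that disappears when the process exits (so a self-check inside the isolated process reports success while a separate checker process still sees the original), Confidential resources are denied, a "Read Only" rule on %SystemRoot%\system32\ stops writes there, and the "Untrusted (Jail)" level denies anything not explicitly granted. Longest-prefix rule matching, the assumption that a Read Only rule denies writes rather than redirecting them, and all paths and file contents are assumptions.

```python
"""Toy model of GeSWall-style isolation: Confidential, Read Only, Redirect, Jail.

Added example, not GeSWall code. Longest-prefix rule matching, the assumption
that a Read Only rule denies writes rather than redirecting them, and the
sample paths and contents are all assumptions.
"""
from dataclasses import dataclass

DENY, READONLY, REDIRECT = "DENY", "READONLY", "REDIRECT"


@dataclass
class Policy:
    rules: dict            # resource prefix -> DENY ("Confidential") or READONLY ("Read Only")
    jail: bool = False     # Untrusted (Jail): anything not explicitly listed is denied

    def decide(self, path, write):
        """Verdict for one access; the longest matching rule prefix wins (assumption)."""
        key = path.lower()
        best = None
        for prefix, perm in self.rules.items():
            if key.startswith(prefix.lower()) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, perm)
        if best is None:
            if self.jail:
                return DENY
            return REDIRECT if write else READONLY      # default for trusted resources
        perm = best[1]
        if perm == DENY or (perm == READONLY and write):
            return DENY
        return READONLY


class Host:
    """Trusted resources plus one private overlay per isolated process."""

    def __init__(self, files):
        self.files = dict(files)
        self.overlays = {}      # pid -> {path: private content}
        self.log = []           # (pid, verdict, path), like the GeSWall log quoted in the thread

    def access(self, pid, policy, path, write=False, data=None):
        verdict = policy.decide(path, write)
        self.log.append((pid, verdict, path))
        if verdict == DENY:
            return None
        overlay = self.overlays.setdefault(pid, {})
        if verdict == REDIRECT:
            overlay[path] = data            # the private copy takes the modification
            return data
        # A read sees the process's own copy if it has one, otherwise the original.
        return overlay.get(path, self.files.get(path))

    def terminate(self, pid):
        self.overlays.pop(pid, None)        # private copies are not permanent


# Constructed sample host state (paths and contents are made up).
SYS32_FILE = r"C:\WINDOWS\system32\taskmgr.exe"
CONF_FILE = r"C:\Documents and Settings\User\My Documents\Confidential\readme.txt"
FILES = {SYS32_FILE: "original-taskmgr", CONF_FILE: "secret"}

DEFAULT_POLICY = Policy(rules={r"C:\Documents and Settings\User\My Documents\Confidential": DENY})
HARDENED_POLICY = Policy(rules={
    r"C:\Documents and Settings\User\My Documents\Confidential": DENY,
    "C:\\WINDOWS\\system32\\": READONLY,    # option 1 from the post above
})
JAIL_POLICY = Policy(rules={}, jail=True)   # option 2: nothing granted explicitly


def run_scenario(policy):
    """Replay the TrojDemo-style sequence and report what each party observes."""
    host = Host(FILES)
    isolated, checker = 100, 200            # pids: the isolated app and a separate checker
    out = {}
    # The isolated app overwrites a system file, then checks its own work.
    out["write"] = host.access(isolated, policy, SYS32_FILE, write=True, data="patched")
    out["self_check"] = host.access(isolated, policy, SYS32_FILE)
    # A second process checks the same file, as the GeSWall demo script does.
    out["other_check"] = host.access(checker, policy, SYS32_FILE)
    # The isolated app tries to read a confidential document.
    out["confidential"] = host.access(isolated, policy, CONF_FILE)
    # After the app exits its private copy is gone.
    host.terminate(isolated)
    out["after_exit"] = host.access(isolated, policy, SYS32_FILE)
    out["original_intact"] = host.files[SYS32_FILE] == "original-taskmgr"
    out["verdicts"] = [v for _, v, _ in host.log]
    return out


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY), ("jail", JAIL_POLICY)):
        print(name, run_scenario(pol))
```

Under the default policy the model reproduces the "SUCCESS!" lines in the TrojDemo output: the isolated process reads back its own patched copy, while the checker process and the post-exit read both see the untouched original. Adding the Read Only rule turns the write into a DENY, and the Jail level denies every access that has no explicit rule, which is why Brian notes that a jailed application needs all its resources listed.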

Stem
May 22nd, 2006, 10:15 AM
Brian Walche.
Thanks for the info,

I did look at the "Threat Gate", but in the Geswall help files, this is stated as "Reserved for internal GeSWall use" so at the time I did not try this. But as you have linked me to an example of the "threat gate" use, I will try this. (does this mean the help file needs an update?)

Regards,

EDIT,
-{ Quote: "However, there are various options for Personal Edition as well. For sample, please read this tip http://www.gentlesecurity.com/tips.html#sonydrm" }-
I re-installed to try this option, but files from the cd/dvd were able to run without being isolated, maybe this option is for the server/enterprise editions only?

zopzop
May 22nd, 2006, 01:55 PM
-{ Quote: "EDIT,

I re-installed to try this this option, but files from the cd/dvd where able to run without being isolated, maybe this option is for the server/enterprise editions only?" }-


stem, i tried it and i got mixed results. for example all *.exe type files were isolated but *.zip and *.rar type files were not.

Stem
May 22nd, 2006, 03:02 PM
-{ Quote: "stem, i tried it and i got mixed results. for example all *.exe type files were isolated but *.zip and *.rar type files were not." }-
Hi zopzop,
yes, it will only be the executable files,...... I must have conflict somewhere, even when I add an application, this is not isolated. I will, later, move over to another PC, and try there.

-{ Quote: "anyone brave enough to try using geswall vs the killdisk virus?" }-
I think, if GeSWall isolates this pgm/virus, then I can see no problems. I don't have access to this virus, so unable to test.

zopzop
May 22nd, 2006, 03:21 PM
-{ Quote: "
I think, if GeSWall isolates this pgm/virus, then I can see no problems. I dont have access to this virus, so unable to test." }-

dang it! i linked to the post on this forum where a forum member "crazy4stef" posted a link to the virus, but the forum moderator removed the link :(
http://www.wilderssecurity.com/showpost.php?p=753917&postcount=7

want me to private message him and get the link then give it to you via private messages? i'm too terrified to test it myself.

Stem
May 22nd, 2006, 04:06 PM
-{ Quote: "want me to private message him and get the link then give it to you via private messages? i'm too terrified to test it myself." }-
yes, go ahead, no problems this end, PC is sandboxed anyway... and any problems the HD is safe formatted/full backups. (Re-think= I will use an HD that can be removed after running this)

EDIT,
This quote taken from the post you linked.
-{ Quote: "I had tested the virus under SSM, SSM can detect the API it called, but didn't block it" }-
This must be down to settings within SSM, as if it can be detected by SSM, then it is possible to block it using SSM_ I will try this also

Note to mods/anyone:-
I am going to try this, in the full knowledge that this may corrupt/kill my installed system/OS/HD_ and I do not advise anyone try this without full knowledge of the precautions to take, and the possible outcome (unusable HD)

I will post findings on this_ (from a users point of view_ not technical_ just what happens) on this thread

zopzop
May 22nd, 2006, 06:17 PM
-{ Quote: "yes, go ahead, no problems this end, PC is sandboxed anyway... and any problems the HD is safe formatted/full backups. (Re-think= I will use an HD that can be removed after running this)" }-

kk but be careful stem, in that same thread crazy4stef said he tested the virus using vmware and sandboxie and the virus still wreaked havoc on his machine. i'm thinking "regular" sandboxing/virtualization is ineffective against "killdisk". on a side note, i asked the creator of "defensewall" if his program could contain "killdisk" and he said v1.55 of defensewall doesn't but v1.56 will. he's an excellent programmer and defensewall is awesome but it's not free.

-{ Quote: "EDIT,
This quote taken from the post you linked.

Quote:
I had tested the virus under SSM, SSM can detect the API it called, but didn't block it

This must be down to settings within SSM, as if it can be detected by SSM, then it is possible to block it using SSM_ I will try this also" }-

is SSM the acronym for the program "system safety monitor"?

-{ Quote: "Note to mods/anyone:-
I am going to try this, in the full knowledge that this may corrupt/kill my installed system/OS/HD_ and I do not advise anyone try this without full knowledge of the precautions to take, and the possible outcome (unusable HD)

I will post findings on this_ (from a users point of view_ not technical_ just what happens) on this thread
" }-

kk stem, i PMed crazy4stef and asked him for the link. i'll PM you as soon as i get it.

Stem
May 22nd, 2006, 08:21 PM
-{ Quote: "kk but be careful stem, in that same thread crazy4stef said he tested the virus using vmware and sandboxie and the virus still wreaked havoc on his machine. i'm thinking "regular" sandboxing/virtualization is ineffective against "killdisk"." }-
That's o.k., I mentioned that the PC is sandboxed (no virus is spreadable). If GeSwall or SSM cannot contain it, then the HD is safe to format. If the HD is completely unrecoverable, then the HD is binned. It's simply a "see what happens" (I have a HD available for each test, that are disposable)

-{ Quote: "is SSM the acronym for the program "system safety monitor"?" }-Yes,..

-{ Quote: "kk stem, i PMed crazy4stef and asked him for the link. i'll PM you as soon as i get it." }-
No problem

nick s
May 22nd, 2006, 11:51 PM
-{ Quote: "...I am going to try this, in the full knowledge that this may corrupt/kill my installed system/OS/HD_ and I do not advise anyone try this without full knowledge of the precautions to take, and the possible outcome (unusable HD)..." }-Hi Stem,

Hopefully you will read this before you try. The first time I executed the KillDisk executable, SSM alerted as expected (The call to API function "CreateProcess"...). I blocked it quickly and that was followed by a typical Windows error popup (see screenshot below). I rebooted and all was well. I then executed the file again, but this time I let the alert dialogue sit there for a bit while I set up another screenshot. After about 10 seconds, the file executed anyway with the SSM dialogue still waiting for an allow/block decision. If you see a small popup with only an OK button and some foreign characters, the file will have done its damage. The system indeed was not bootable. Luckily I used a BootIt NG boot CD and some fresh images to recover quickly.

You should forward that file to the SSM people and let them have a look at it. I have not tried it yet on one of my AppDefend systems, or within VMware.

Nick

zopzop
May 23rd, 2006, 09:26 AM
stem check your private messages, crazy4stef was nice enough to PM me the address of the killdisk virus :)

zopzop
May 23rd, 2006, 05:20 PM
:thumb: kk guys here's my results of testing geswall vs killdisk: IT PASSED! :thumb:

some things worth mentioning:

1) when i downloaded the virus to test, avast didn't detect it :( :thumbd:

2) i made sure the "isolated" window was around my unzipping program, izarc before i continued

3) this almost gave me a heart attack:
-{ Quote: "If you see a small popup with only an OK button and some foreign characters, the file will have done its damage. The system indeed was not bootable." }- that was from nick s's post.

when i ran the test a dialogue box appeared with funky letters and the "ok" button, BUT it was isolated. i restarted the machine and it booted just fine! :)

here are the results from geswall's security log:
-{ Quote: "2006.05.23 17:06:44 Test.exe REDIRECT access to \Device\Harddisk0\DR0 (File)" }-

these results, ie the blocking of killdisk while using an isolated program, were confirmed by Brian Walche in an email he sent me.


the reason why i almost had a heart attack during #3) was because i didn't make a backup of my hard drive or my files when i ran the virus. LOL that wasn't too smart but geswall saved my butt! :D

aigle
May 23rd, 2006, 07:24 PM
Hi zopzop! interesting and nice work. Thanks for sharing!
Just a few questions/requests from me,
Can u please upload the file to Jotti and Virus total, just to see?
Also did u contact the author of Sandboxie about this?
Is it possible to check it with RollbackRx?
Thanks.

zopzop
May 23rd, 2006, 07:53 PM
-{ Quote: "Hi zopzop! interesting and nice work. Thanks for sharing!" }-
np anytime. know any other tests we can throw at geswall?

-{ Quote: "Just a few questions/requests from me,
Can u please upload the file to Jotti and Virus total, just to see?" }-
i don't know what jotti is :( but i googled it and i'm ASSuming :) it's this site?
http://virusscan.jotti.org/
here are my results -
-{ Quote: "File: virus.rar
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 bce8272b6cf6cf3ce14ecc60e201e705
Packers detected: -
Scanner results
AntiVir Found Trojan/KillDisk.X
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Killdisk.X
ClamAV Found nothing
Dr.Web Found Trojan.KillDisk.290
F-Prot Antivirus Found nothing
Fortinet Found W32/KillDisk.X!tr
Kaspersky Anti-Virus Found Trojan.Win32.KillDisk.x
NOD32 Found Win32/KillDisk.Q
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.KillDisk.290" }-
so i was right, avast didn't detect it :( but man i'm gettin' me antivir :P

-{ Quote: "Also did u contact the author of Sandboxie about this?" }-
no and the reason is i didn't test it vs sandboxie, another forumer did. his name is "crazy4stef" and he posted his results here:
http://www.wilderssecurity.com/showpost.php?p=752380&postcount=1

-{ Quote: "Is it possible to check it with RollbackRx?
Thanks." }-
i don't have rollbackrx, but my "real life" friend tested this killdisk thing vs deepfreeze and deepfreeze wasn't fazed by it at all.

aigle
May 23rd, 2006, 08:10 PM
Thanks again.
About the tests I am sorry to say I am not expert enough to mention some really good tests.
However if u run more tests in future, pls share with us.
I would like to see if any other user can try it against RollbackRx, ShadowUser and FDISR.
Thanks.

crazy4stef
May 23rd, 2006, 10:09 PM
Hi, zopzop.

I tested this virus under GeSWall. I failed to block it with default rules. Did you add additional rules?

RollBackRx is excellent to pass this test, after restoring to a snapshot the system recovered!

aigle
May 23rd, 2006, 10:35 PM
-{ Quote: "Hi, zopzop.

I tested this virus under GeSWall. I failed to block it with default rules. Did you add additional rules?

RollBackRx is excellent to pass this test, after restoring to a snapshot the system recovered!" }-
That's nice as I use RollbackRx!

zopzop
May 23rd, 2006, 11:53 PM
-{ Quote: "Hi, zopzop.

I tested this virus under GeSWall. I failed to block it with default rules. Did you add additional rules?
" }-

nope. the only thing i did was make sure that the program was isolated. the thing is with geswall you have to make sure the program you are using is treated as "safe" (hence isolated). this is what i did:

1) i downloaded (selected "run") the virus using maxthon (safe application)

2) maxthon (safe application) called izarc (not safe but since it was called by a safe application it was isolated).

3) i ran the virus within izarc (safe cause it was called by maxthon) and geswall stopped it dead in its tracks.

Stem
May 24th, 2006, 01:06 PM
Hi zopzop,
I am still unable to download from the link you PMed me (have used 4 different browsers), and have still not received your e-mail with attachment (I will leave the mailbox open for another 24hrs)

Stem
May 24th, 2006, 02:30 PM
-{ Quote: "Hi zopzop,
I am still unable to download from the link you PMed me (have used 4 different browsers), and have still not received your e-mail with attachment (I will leave the mailbox open for another 24hrs)" }-Thanks, file now received,....
I have just come across a slight problem,... I have installed "Prisma" firewall, due to another thread, and cannot connect while "Prisma" is active and Firefox is "Isolated" by GeSWall.

zopzop
May 24th, 2006, 03:11 PM
stem i found yet another test we can throw at geswall, it's called the DFK threat simulator and more information can be found here:
http://www.morgud.com/interests/security/dfk-threat-simulator.asp

the direct download to the file (and the "cleanup" utility) is found here:
http://www.morgud.com/interests/security/dfk-threat-simulator.asp#download

note to mods, THIS IS NOT MALWARE, IT'S ONLY A TEST.

Stem
May 24th, 2006, 03:36 PM
Hi zopzop,
It is already looking like GeSWall will stop any attack on the system via "redirect",..once the application is successfully isolated, my main problem at the moment with GeSwall is compatibility,.. as I mentioned in my earlier posts, I have been unable to set my CD rom as a "threat gateway", also not able to set files as "isolated", now the apparent incompatibility with "Prisma firewall" (well there must be some problem, as I mentioned in my last post, Prisma firewall active + firefox isolated by GeSWall = no internet connection (well,... not on this system.))
I do not deny the, what seems, great protection for the O.S./system by GeSWall when an application is isolated,.. but if there are incompatibilities that are not so apparent, then I would need to look for these before jumping into a "test" that may corrupt the system (even with full backups at hand)

zopzop
May 24th, 2006, 04:53 PM
^^i totally understand stem. i wish gentlesecurity had a forum on their webpage (and that geswall was more popular) so it could have more testers and tech support.

if anyone cares here are my results from my geswall log after running the threat simulator:
-{ Quote: "
2006.05.24 14:57:22 Office Idiots ( READONLY access to \Device\NamedPipe\wkssvc (File)
2006.05.24 14:57:22 Office Idiots ( READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:22 Office Idiots ( REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:57:22 Office Idiots ( REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:22 Office Idiots ( REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:22 Office Idiots ( REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:22 Office Idiots ( REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:57:22 Office Idiots ( REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache (Registry)
2006.05.24 14:57:22 IZArc.exe READONLY access to explorer.exe (Process)
2006.05.24 14:57:22 projector.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:26 swfactive.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters (Registry)
2006.05.24 14:57:26 swfactive.exe READONLY access to HKLM\SOFTWARE\Classes\CLSID\{70427A8D-2282-D83D-AA3B-C5E8A95C2A27} (Registry)
2006.05.24 14:57:26 swfactive.exe REDIRECT access to HKLM\SOFTWARE\Licenses (Registry)
2006.05.24 14:57:27 IZArc.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:29 swfactive.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:29 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 14:57:29 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 14:57:29 swfactive.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (Registry)
2006.05.24 14:57:29 swfactive.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\RAS Autodial (Registry)
2006.05.24 14:57:29 swfactive.exe READONLY access to HKLM\SOFTWARE\Microsoft\RAS AutoDial\Control (Registry)
2006.05.24 14:57:29 projector.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Security Center (Registry)
2006.05.24 14:57:29 projector.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (Registry)
2006.05.24 14:57:30 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 14:57:30 swfactive.exe READONLY access to avguard.exe (Process)
2006.05.24 14:57:33 swfactive.exe READONLY access to HKLM\SYSTEM\ControlSet001\Control\MediaResources\msvideo (Registry)
2006.05.24 14:57:37 swf-files.exe READONLY access to \Device\NamedPipe\wkssvc (File)
2006.05.24 14:57:37 swf-files.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:37 swf-files.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:57:37 swf-files.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:37 swf-files.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:37 swf-files.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:37 swf-files.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:57:37 swf-files.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache (Registry)
2006.05.24 14:57:37 runtime.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (Registry)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer (Registry)
2006.05.24 14:57:38 runtime.exe READONLY access to \Device\NamedPipe\wkssvc (File)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:38 ntvdm.exe READONLY access to C:\WINDOWS\system32\ntdos.sys (File)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache (Registry)
2006.05.24 14:57:38 ntvdm.exe READONLY access to C:\WINDOWS\system32\himem.sys (File)
2006.05.24 14:57:38 ntvdm.exe READONLY access to C:\WINDOWS\system32\country.sys (File)
2006.05.24 14:57:39 iexplore.exe READONLY access to C: (File)
2006.05.24 14:57:41 IZArc.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:41 ntvdm.exe READONLY access to C:\WINDOWS\system32\command.com (File)
2006.05.24 14:57:42 runtime.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:57:42 iexplore.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:57:42 ntvdm.exe READONLY access to C:\WINDOWS\system.ini (File)
2006.05.24 14:57:42 delnext.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Control\Session Manager (Registry)
2006.05.24 14:57:42 iexplore.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU (Registry)
2006.05.24 14:57:42 iexplore.exe READONLY access to explorer.exe (Process)
2006.05.24 14:57:42 iexplore.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:42 iexplore.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:42 iexplore.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:42 iexplore.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 14:57:42 iexplore.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links (Registry)
2006.05.24 14:57:42 iexplore.exe READONLY access to C:\WINDOWS\system32\shell32.dll (File)
2006.05.24 14:57:42 iexplore.exe READONLY access to C:\WINDOWS\system32\url.dll (File)
2006.05.24 14:57:42 iexplore.exe READONLY access to C:\WINDOWS\system32\mshtml.dll (File)
2006.05.24 14:57:42 iexplore.exe READONLY access to C:\Program Files\Internet Explorer\iexplore.exe (File)
2006.05.24 14:57:42 iexplore.exe READONLY access to C:\WINDOWS\system32\inetcpl.cpl (File)
2006.05.24 14:58:03 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 14:58:03 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 14:58:03 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 14:58:15 wmplayer.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 14:58:15 wmplayer.exe READONLY access to \Device\NamedPipe\ROUTER (File)
2006.05.24 14:58:15 wmplayer.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:58:35 swfactive.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (Registry)
2006.05.24 14:58:35 swfactive.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\RAS Autodial (Registry)
2006.05.24 14:58:35 swfactive.exe READONLY access to HKLM\SOFTWARE\Microsoft\RAS AutoDial\Control (Registry)
2006.05.24 14:58:35 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 14:58:35 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 14:58:35 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 14:58:37 swfactive.exe READONLY access to HKLM\SYSTEM\ControlSet001\Control\MediaResources\msvideo (Registry)
2006.05.24 14:59:08 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 14:59:08 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 14:59:08 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 14:59:33 IZArc.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache (Registry)
2006.05.24 14:59:33 IZArc.exe READONLY access to C:\WINDOWS\system32\notepad.exe (File)
2006.05.24 14:59:33 notepad.exe READONLY access to C: (File)
2006.05.24 14:59:35 IZArc.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:59:40 swfactive.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (Registry)
2006.05.24 14:59:40 swfactive.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\RAS Autodial (Registry)
2006.05.24 14:59:40 swfactive.exe READONLY access to HKLM\SOFTWARE\Microsoft\RAS AutoDial\Control (Registry)
2006.05.24 14:59:40 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 14:59:40 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 14:59:40 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 14:59:43 swfactive.exe READONLY access to HKLM\SYSTEM\ControlSet001\Control\MediaResources\msvideo (Registry)
2006.05.24 15:00:13 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 15:00:13 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 15:00:13 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 15:00:13 notepad.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Notepad (Registry)
2006.05.24 15:00:13 IZArc.exe READONLY access to explorer.exe (Process)
2006.05.24 15:00:15 IZArc.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 15:00:16 IZArc.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\IZSoftware\IZArc (Registry)
2006.05.24 15:00:16 IZArc.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\IZSoftware\IZArc\Favorites (Registry)
2006.05.24 15:00:20 Maxthon.exe READONLY access to explorer.exe (Process)
2006.05.24 15:00:45 swfactive.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (Registry)
2006.05.24 15:00:45 swfactive.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\RAS Autodial (Registry)
2006.05.24 15:00:45 swfactive.exe READONLY access to HKLM\SOFTWARE\Microsoft\RAS AutoDial\Control (Registry)
2006.05.24 15:00:45 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 15:00:45 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 15:00:46 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 15:00:47 swfactive.exe READONLY access to HKLM\SYSTEM\ControlSet001\Control\MediaResources\msvideo (Registry)
2006.05.24 15:00:48 iexplore.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count (Registry)
2006.05.24 15:01:17 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 15:01:17 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 15:01:18 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 15:01:32 Maxthon.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 15:01:32 Maxthon.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 15:01:32 Maxthon.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 15:01:32 Maxthon.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.24 15:01:32 Maxthon.exe READONLY access to C:\WINDOWS\system32\shell32.dll (File)
2006.05.24 15:01:32 Maxthon.exe READONLY access to C:\Program Files\Internet Explorer\iexplore.exe (File)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\WINDOWS\system32\url.dll (File)
2006.05.24 15:01:33 Maxthon.exe DENY access to gswserv.exe (Process)
2006.05.24 15:01:33 Maxthon.exe DENY access to gswui.exe (Process)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Services\.NETFramework\Performance (Registry)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Services\PSched\Performance (Registry)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance (Registry)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Services\RSVP\Performance (Registry)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Services\TapiSrv\Performance (Registry)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Services\Tcpip\Performance (Registry)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\WINDOWS\explorer.exe (File)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\WINDOWS\system32\control.exe (File)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\WINDOWS\NOTEPAD.EXE (File)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\WINDOWS\system32\mspaint.exe (File)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\WINDOWS\regedit.exe (File)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\Program Files\Windows Media Player\wmplayer.exe (File)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\Program Files\Google\Google Earth\GoogleEarth.exe (File)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.05.24 15:01:33 Maxthon.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (Registry)
2006.05.24 15:01:33 Maxthon.exe READONLY access to C:\WINDOWS\system32\moricons.dll (File)
2006.05.24 15:01:33 Maxthon.exe READONLY access to explorer.exe (Process)
2006.05.24 15:01:40 Maxthon.exe READONLY access to explorer.exe (Process)
2006.05.24 15:01:49 swfactive.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (Registry)
2006.05.24 15:01:49 swfactive.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\RAS Autodial (Registry)
2006.05.24 15:01:49 swfactive.exe READONLY access to HKLM\SOFTWARE\Microsoft\RAS AutoDial\Control (Registry)
2006.05.24 15:01:49 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 15:01:49 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 15:01:50 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 15:01:51 swfactive.exe READONLY access to HKLM\SYSTEM\ControlSet001\Control\MediaResources\msvideo (Registry)
2006.05.24 15:02:17 Maxthon.exe READONLY access to explorer.exe (Process)
2006.05.24 15:02:22 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 15:02:22 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 15:02:22 swfactive.exe READONLY access to avgnt.exe (Process)
" }-

things to note:

1) after i ran the test, the "spyware simulator" ran but it was isolated

2) 5 of the fake virii were actually installed on my system (i ran antivir after the test to see if anything was installed on my computer):
-{ Quote: "C:\Documents and Settings\Tiggy\Local Settings\Temp\swfactive.exe
[DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Optix.B.53 Backdoor server programs
[INFO] The file was deleted!
C:\Documents and Settings\Tiggy\Vanquish Media Group\Win32l.exe
[DETECTION] Is the Trojan horse TR/Hijack.Stesal.A
[INFO] The file was deleted!
C:\Documents and Settings\Tiggy\Vanquish Media Group\Win32v.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
[INFO] The file was deleted!
C:\Documents and Settings\Tiggy\Vanquish Media Group\Win32r_vanquish\bin\vanquish.dll
[DETECTION] Is the Trojan horse TR/PSW.XShadow.A
[INFO] The file was deleted!
C:\Documents and Settings\Tiggy\Vanquish Media Group\Win32r_vanquish\bin\vanquish.exe
[DETECTION] Is the Trojan horse TR/PSW.XShadow.D
[INFO] The file was deleted!
" }-

i'm hoping someone more knowledgeable than me can figure out what these results mean. i also emailed brian and hopefully we'll hear from him soon.

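The two GeSWall security logs quoted in this thread (the single KillDisk line above and the long DFK threat-simulator log) all share one line format: date, time, process, an action of READONLY, REDIRECT or DENY, the target, and the target type. The following parser and triage pass is an added example for readers, not part of the thread and not a GeSWall tool. Its sample input is a subset of the log lines quoted in this thread, and its triage categories (raw disk access, an isolated process reaching for GeSWall's own gswserv.exe/gswui.exe, writes diverted away from autostart and boot-time registry keys) are my own choice of what a defender would want pulled out of such a log first.

```python
import re
from collections import Counter, defaultdict

# One GeSWall security-log line, in the format quoted in this thread:
#   <yyyy.mm.dd> <hh:mm:ss> <process> <READONLY|REDIRECT|DENY> access to <target> (<File|Registry|Process>)
# The process field is matched lazily because some names contain spaces
# (the thread's log shows "Office Idiots (" as a process name).
LOG_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<proc>.+?) (?P<action>READONLY|REDIRECT|DENY) access to "
    r"(?P<target>.+) \((?P<kind>File|Registry|Process)\)$"
)

# GeSWall's own service and UI processes, as named in the DENY lines of the thread's log.
SANDBOX_PROCS = {"gswserv.exe", "gswui.exe"}

# Autostart registry locations: ...\CurrentVersion\Run and ...\CurrentVersion\Policies\Explorer\Run
AUTORUN_RE = re.compile(r"\\currentversion\\(policies\\explorer\\)?run$")

# Subset of the log lines quoted in this thread (KillDisk test and DFK run).
SAMPLE_LOG = r"""
2006.05.23 17:06:44 Test.exe REDIRECT access to \Device\Harddisk0\DR0 (File)
2006.05.24 14:57:22 Office Idiots ( READONLY access to \Device\NamedPipe\lsass (File)
2006.05.24 14:57:29 swfactive.exe DENY access to gswserv.exe (Process)
2006.05.24 14:57:29 swfactive.exe DENY access to gswui.exe (Process)
2006.05.24 14:57:30 swfactive.exe READONLY access to avgnt.exe (Process)
2006.05.24 14:57:38 runtime.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (Registry)
2006.05.24 14:57:42 delnext.exe REDIRECT access to HKLM\SYSTEM\ControlSet001\Control\Session Manager (Registry)
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse a whole log, silently skipping blank or unrecognised lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Per-process count of each action, e.g. {'swfactive.exe': {'DENY': 2, 'READONLY': 1}}."""
    per_proc = defaultdict(Counter)
    for e in entries:
        per_proc[e["proc"]][e["action"]] += 1
    return {proc: dict(counts) for proc, counts in per_proc.items()}


def triage(entries):
    """Pick out the events a defender should look at first.

    Returns (process, reason, target) tuples in log order. READONLY events are
    left alone: the isolated process only got to read the resource.
    """
    findings = []
    for e in entries:
        target_lc = e["target"].lower()
        if e["action"] in ("REDIRECT", "DENY") and target_lc.startswith(r"\device\harddisk"):
            # Direct access to the raw disk device, the KillDisk pattern seen in the thread.
            findings.append((e["proc"], "raw disk access diverted", e["target"]))
        elif e["action"] == "DENY" and e["kind"] == "Process" and target_lc in SANDBOX_PROCS:
            # Isolated process tried to reach the sandbox's own service/UI.
            findings.append((e["proc"], "attempt to reach the sandbox's own process", e["target"]))
        elif e["action"] == "REDIRECT" and e["kind"] == "Registry" and AUTORUN_RE.search(target_lc):
            # A write to an autostart key that GeSWall diverted into the isolated view.
            findings.append((e["proc"], "autostart registry write diverted", e["target"]))
        elif e["action"] == "REDIRECT" and e["kind"] == "Registry" and target_lc.endswith(r"\control\session manager"):
            # Session Manager holds boot-time settings such as pending file renames.
            findings.append((e["proc"], "boot-time registry write diverted", e["target"]))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for proc, counts in summarize(entries).items():
        print(f"{proc:20} {counts}")
    for proc, reason, target in triage(entries):
        print(f"[!] {proc}: {reason} -> {target}")
```

Run against the full DFK log from the post above, the summary makes the point Stem raises next: the dropped files under Documents and Settings only matter if something also got an autostart or other registry change through, and REDIRECT on such a key means the write landed in GeSWall's isolated view rather than the real registry.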
Stem
May 24th, 2006, 05:32 PM
-{ Quote: "2) 5 of the fake virii were actually installed on my system " }-These (found at "documents/settings") without relevant registry entries/run commands are of no danger (reg access/changes would need to be checked). The ability of a GeSWall isolated program to write here would need to be looked at.

I will take time to look at the other log,.....

aigle
May 24th, 2006, 09:43 PM
I installed GeSWall, just second day of use now.
Currently I have two problems.
1- Whenever I open firefox, I get the pop up shown in first snapshot. I don't know what is the reason. The confidential folder is empty by the way. What does it mean then and how can I get rid of it?
2- In opera when I go to Wilders or some other forum and click User CP, I get the pop up shown below the first one. Same popup comes again and again when I opened Notes in the sidebar of Opera and tried to write something here. How to disable it?

Any help will be appreciated.
Thanks.

zopzop
May 24th, 2006, 10:48 PM
wow, this is odd. i have firefox and maxthon installed on both my computers and i use geswall, antivir, and jetico (comodo on my desktop) and i never encountered a problem. like stem said, there must be hidden conflicts somewhere. hopefully a gentlesecurity rep will help solve these problems.

Stem
May 24th, 2006, 11:03 PM
Hi aigle,
For some reason it looks like you may have your confidential folder set where firefox has its cache, open GeSWall and remove any entry in the "resources" that end in "confidential",.... as you have no confidential folders (and you have not set any) this will not cause problems.
Your 2nd alert, I`m not sure, maybe write permissions on the folder? I will load opera to see.

Hi zopzop,..
I have re-installed, to continue to play, it is worth the effort,... looks like a good possibility, barring possible conflicts.

aigle
May 25th, 2006, 09:51 AM
-{ Quote: "Hi aigle,
For some reason it looks like you may have your confidential folder set where firefox has its cache, open GeSWall and remove any entry in the "resources" that end in "confidential",.... as you have no confidential folders (and you have not set any) this will not cause problems." }-
Thanks Stem!
My confidential folder is in my documents that is created automatically by GeSWall during install. Of course Firefox also keeps its application data in the same main folder where my documents are located but both are separate and the confidential folder is empty as I checked. So it's a strange alert. Anyway to get rid of this message I will try to remove the confidential folder from resources. Just wondering it might be due to some extension installed on my FireFox!
-{ Quote: "Your 2nd alert, I`m not sure, maybe write permissions on the folder? I will load opera to see.
" }-
This second alert is more bothering for me as Opera is my main browser nowadays.
With IE I don't get any type of alerts while surfing same sites. So 3 browsers behave differently with GeSWall.

aigle
May 25th, 2006, 10:15 AM
-{ Quote: " open GeSWall and remove any entry in the "resources" that end in "confidential"
" }-

Hi, it resolved the issue but still don't know why I was getting the alert exactly.
Also what can be the disadvantage of losing this folder. Are u able to reproduce the same issue?

And pls let me know if u find the reason about pop up from Opera.
Thanks.

Stem
May 25th, 2006, 12:36 PM
-{ Quote: "Hi, it resolved the issue but still don't know why I was getting the alert exactly." }-Maybe just a bad string in the line/location entry for your "confidential folder"?
-{ Quote: "Also what can be the disadvantage of losing this folder. " }-You can replace this, just create a folder (any name/location) then add this location into the "resource" as "confidential" (see image)


-{ Quote: "And pls let me know if u find the reason about pop up from Opera." }-I have just installed, I think you will just need to add a rule to allow access to the file/location, I will post once I know what is needed.

aigle
May 25th, 2006, 12:49 PM
Thanks Stem.

Stem
May 25th, 2006, 12:55 PM
Hi aigle,
From the alert you posted (for Opera), it appears you have not installed Opera to the default location, so GeSWall is blocking Opera from updating the hotlist (bookmark) file.
In GeSWall, simply add this file/location into the Opera profile (see image)

zopzop
May 25th, 2006, 05:42 PM
hey stem, did you get geswall working on your pc? i've been busy searching the web for more tests :)

so far i've tried spycar.org, the bufferzone tests, the dfk threat simulator, and a 'real life' virus "kill disk". it seems that geswall has passed all these tests.

i'm dying to try geswall vs real life 'drive-by' spyware installs like spyware quake and coolwebsearch.

aigle
May 25th, 2006, 08:19 PM
Hi Stem. U are right. I am able to fix it now. Nice helpful snapshots by u. Thanks

aigle
May 25th, 2006, 08:44 PM
-{ Quote: "hey stem, did you get geswall working on your pc? i've been busy searching the web for more tests :)

so far i've tried spycar.org, the bufferzone tests, the dfk threat simulator, and a 'real life' virus "kill disk". it seems that geswall has passed all these tests.

i'm dying to try geswall vs real life 'drive-by' spyware installs like spyware quake and coolwebsearch." }-

Maybe u can get links to spyware infected downloads from here.

http://www.stopbadware.org/home/reports
http://www.stopbadware.org/reports/reportdisplay?reportname=winfixer

aigle
May 25th, 2006, 08:52 PM
-{ Quote: "Hi aigle,
From the alert you posted (for Opera), it appears you have not installed Opera to the default location, so GeSWall is blocking Opera from updating the hotlist (bookmark) file.
In GeSWall, simply add this file/location into the Opera profile (see image)" }-
Hi, I was too early to post. The issue is still there. I think I need to enter the registry path to the file, not the location of the file, but I don't know how to find this registry path.

aigle
May 25th, 2006, 09:31 PM
I put the whole folder Profile and it resolved some other issues with opera but not this one. Strange for me as all settings etc for opera are in this folder.

Stem
May 25th, 2006, 09:56 PM
Hi aigle,
First, add the filename to the entry in GeSWall. Then check that the file is not set to read-only.
(I have only managed to bring up this opera alert if I set the file to read-only)

Stem
May 25th, 2006, 10:00 PM
-{ Quote: "hey stem, did you get geswall working on your pc?" }-Yes and,.. no. I have set my cdrom to a "Threat gate", and any .exe file run from there is now being isolated,... but any autorun installer is not.
I am still playing,....... but a bit short on time.

aigle
May 25th, 2006, 10:54 PM
-{ Quote: "Hi aigle,
First, add the filename to the entry in GeSWall. Then check that the file is not set to read-only.
(I have only managed to bring up this opera alert if I set the file to read-only)" }-
It was already not set on read only.
BTW, rebooting Windows made these settings work. No more pop up. Again weird. Seems a bit buggy or may be some conflicts!
I feel the user manual/help is not detailed, and no forum support makes it more difficult.
Just wonder if anybody can tell how it compares to the paid product DefenceWall?

zopzop
May 25th, 2006, 11:30 PM
-{ Quote: "
I feel user manual/ help to be not detailed and no forums support makes it more difficult." }-
ITA! i think that gentlesecurity has got a real winner with this product but they are marketing it horribly.

-{ Quote: "Just wonder if anybody can tell how it compares to the paid product DefenceWall?" }-
no clue, but i do know 2 things:
1) that geswall with the default settings stopped killdisk dead in its tracks but the current version of defensewall (v1.55) doesn't
2) that ilya is one monster of a programmer. he took the bufferzone security challenge and cracked their software! so he definitely knows his stuff. he's aware of the current problem defensewall is having with killdisk type virii and he said v1.56 of defensewall will handle them properly. he's extremely fast with the responses on his message board! IMHO defensewall is probably the best sandboxing program out there bar none.:thumb:

zopzop
May 26th, 2006, 10:49 AM
stem and aigle if you guys still care i found and ran some more tests :)

1) the "zapass" test, geswall blocked it successfully
http://www.whirlywiryweb.com/article.asp?id=%2Ftrojanimplant
my geswall log
-{ Quote: "2006.05.26 10:47:02 zapass.exe DENY access to gswserv.exe (Process)
2006.05.26 10:47:02 zapass.exe DENY access to gswui.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to services.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to lsass.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to ati2evxx.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to svchost.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to spoolsv.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to explorer.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to SynTPEnh.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to eabservr.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to avgnt.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to sched.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to avguard.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to ehrecvr.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to ehSched.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to wwSecure.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to dllhost.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to hpqwmi.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to mmc.exe (Process)
" }-


2) ProcX. these aren't really tests, they are just really powerful process termination programs and geswall stopped it from terminating geswall;)
some of the log (it's too long to post the whole thing but it was basically a whole bunch of readonly and deny's)
-{ Quote: "2006.05.26 10:35:36 ProcX[1].exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.26 10:35:39 ProcX[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c66-a066-11da-b324-806d6172696f} (Registry)
2006.05.26 10:35:39 ProcX[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c65-a066-11da-b324-806d6172696f} (Registry)
2006.05.26 10:35:39 ProcX[1].exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16b72c67-a066-11da-b324-806d6172696f} (Registry)
2006.05.26 10:35:39 ProcX[1].exe READONLY access to C:\WINDOWS\system32\shell32.dll (File)
2006.05.26 10:35:39 ProcX[1].exe READONLY access to C:\WINDOWS\system32\ati2evxx.exe (File)
2006.05.26 10:35:39 ProcX[1].exe DENY access to gswserv.exe (Process)
2006.05.26 10:35:39 ProcX[1].exe READONLY access to C:\WINDOWS\system32\spoolsv.exe (File)
2006.05.26 10:35:39 ProcX[1].exe DENY access to gswui.exe (Process)
2006.05.26 10:35:39 ProcX[1].exe READONLY access to C:\WINDOWS\explorer.exe (File)
" }-

3) it seems to have failed this keyhook test though
http://diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers

i'm emailing brian the results of test #3 to see if he can make any sense out of it. i'm trying to find a spyware quake and cws website to try geswall on. if anyone on this board knows any, PM me the links ;)

edit: didn't try diamondcs's test, my bad, that was only procx.
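
The GeSWall log lines quoted in this thread all share one shape, so they can be parsed and triaged mechanically. Below is an added example (not GeSWall's code and not from any post here): a small parser that counts verdicts per isolated process and picks out attempts on GeSWall's own processes. The line format is inferred only from the logs quoted above, which is an assumption.

```python
"""Parse and triage GeSWall log lines of the form quoted in this thread.

Added example; not part of GeSWall or of any post in the thread. The
line format is inferred from the quoted logs only (an assumption).
"""
import re
from collections import Counter, defaultdict

# Format as observed in the quoted logs (assumption):
#   <date> <time> <process> <verdict> access to <target> (<kind>)
#   <date> <time> <process> DENY <n> message to <target> (<kind>)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<process>\S+) (?P<verdict>DENY|READONLY|REDIRECT) "
    r"(?P<op>access|\d+ message) to (?P<target>.+) \((?P<kind>\w+)\)$"
)

# GeSWall's own processes as they appear in the quoted logs. An isolated
# program touching them is the "can it kill the sandbox?" case tested above.
SANDBOX_PROCESSES = {"gswserv.exe", "gswui.exe"}


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # A "DENY 12 message" line is a blocked window message sent to another
    # process; keep the message number, and None for plain access lines.
    op = rec.pop("op")
    rec["message"] = int(op.split()[0]) if op != "access" else None
    return rec


def summarize(lines):
    """Count verdicts per isolated process: {process: Counter(verdict)}."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            summary[rec["process"]][rec["verdict"]] += 1
    return dict(summary)


def sandbox_probes(lines):
    """Return (process, target, verdict) for each attempt on a GeSWall process.

    Any verdict other than DENY here would mean the isolated program got at
    the sandbox's own processes and deserves a closer look.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "Process" and rec["target"] in SANDBOX_PROCESSES:
            hits.append((rec["process"], rec["target"], rec["verdict"]))
    return hits


# Sample input: lines copied from the logs quoted in this thread, plus one
# junk line to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = r"""
2006.05.26 10:47:02 zapass.exe DENY access to gswserv.exe (Process)
2006.05.26 10:47:02 zapass.exe DENY access to gswui.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to services.exe (Process)
2006.05.26 10:47:02 zapass.exe READONLY access to lsass.exe (Process)
2006.06.03 19:47:15 Keygen.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths (Registry)
2006.05.26 13:05:27 vlprs.exe DENY 12 message to Regmon.exe (Process)
2006.05.29 19:43:33 xpkiller.exe DENY access to SC_MANAGER OBJECT\ServicesActive (SystemObject)
not a log line
""".strip().splitlines()


if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_LOG).items():
        print(proc, dict(counts))
    for hit in sandbox_probes(SAMPLE_LOG):
        print("sandbox probe:", hit)
```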

aigle
May 26th, 2006, 12:52 PM
Hi, nice tests and interesting results. Pls keep us updated as u go ahead. Thanks.

aigle
May 26th, 2006, 12:59 PM
-{ Quote: "
1) that geswall with the default settings stopped killdisk dead in its tracks but the current version of defensewall (v1.55) doesn't
2) that ilya is one monster of a programmer. he took the bufferzone security challenge and cracked their software! so he definitely knows his stuff. he's aware of the current problem defensewall is having with killdisk type virii and he said v1.56 of defensewall will handle them properly. he's extremely fast with the responses on his message board! IMHO defensewall is probably the best sandboxing program out there bar none.:thumb:" }-

To me the failing of DefenceWall is not a good sign. He can fix it right today but this doesn't change anything. These are not signature based programmes. So if they fail today against one malware, 2morrow they can fail against any other one. This behaviour is more acceptable from signature based appliances.
Just my thoughts. I am not expert at all in these things.

zopzop
May 26th, 2006, 01:16 PM
aigle and stem have you seen this thread?
http://www.wilderssecurity.com/showthread.php?t=128594

about processguard (and appdefend) failing to stop a program protected by ICE from shutting down regmon.exe?

this is what joe3563 said:
-{ Quote: "Hey... check this out.

Install PG, run Regmon.exe (from sysinternals) and set it as a protected app. Run a program called Video Link Parser (vlprs.exe, from Zheadware).

Vlprs.exe shuts down the protected app everytime. No change or setting in PG prevents this from happening.

I want to see what this app is doing to my registry. The guys at Zheadware don't want us to find out so their code shuts down sysinternal's Regmon and Filemon utilities.

So much for PG guard..... time to delete it from my system and come up with another way to sandbox vlprs.exe.
" }-

well i downloaded the zheadware program called Music Video Downloader 4.0 from here:
http://www.zheadware.com/products.htm
this is the one that comes with the vlprs.exe file. i installed it and went to geswall and followed these steps from geswall on adding new programs to geswall's safe applications:
http://gentlesecurity.com/docs/applications.html

just to see if geswall can stop it from shutting down regmon.exe
here are the results from geswall's log:
-{ Quote: "2006.05.26 13:05:27 vlprs.exe DENY 12 message to Regmon.exe (Process)
2006.05.26 13:05:27 vlprs.exe DENY 12 message to Maxthon.exe (Process)
2006.05.26 13:05:29 vlprs.exe READONLY access to HKLM\SOFTWARE\9245A345 (Registry)
2006.05.26 13:05:32 vlprs.exe DENY 12 message to Regmon.exe (Process)
2006.05.26 13:05:32 vlprs.exe DENY 12 message to Maxthon.exe (Process)
2006.05.26 13:05:33 vlprs.exe READONLY access to HKLM\SOFTWARE\Microsoft\Windows\99EAEC89 (Registry)
2006.05.26 13:05:35 vlprs.exe REDIRECT access to C: (File)
2006.05.26 13:05:35 vlprs.exe READONLY access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\ZHEADWARE (Registry)
2006.05.26 13:05:39 vlprs.exe DENY 12 message to Regmon.exe (Process)
2006.05.26 13:05:39 vlprs.exe DENY 12 message to Maxthon.exe (Process)
2006.05.26 13:05:47 vlprs.exe DENY 12 message to Regmon.exe (Process)
2006.05.26 13:05:47 vlprs.exe DENY 12 message to Maxthon.exe (Process)
" }-
it stopped it COLD! regmon.exe was NOT shut down!

i'm trying to get my hands on the xpkiller trojan cause i heard that is a nasty av killing virus and appdefend and processguard were having issues with it.

aigle
May 26th, 2006, 02:36 PM
Hi zopzop. Great job. I am happy to see it as u know PG and AntiHook failed here and it was one cause of the delay of the PG release as I read.
Did u try GeSWall itself against advanced process termination? Can it defend itself like PG?

zopzop
May 26th, 2006, 02:39 PM
edit: no i didn't, sorry, i confused procx with diamondcs's test, my bad ;(

re-re-edit! ;) i found Advanced Process Termination and i ran a few tests, these are my results:

so to update:
1) gswserv.exe is IMMUNE to ALL attempts to kill/suspend/crash it running the advanced process termination program!
2) other processes are IMMUNE to ALL attempts to kill/suspend/crash them EXCEPT to "kill 6" attempt.


hope that helps.

aigle
May 26th, 2006, 03:41 PM
Thanks. I think it will be a good idea to inform the writer about this so that he can manage it in the next version.

zopzop
May 26th, 2006, 05:45 PM
aigle good news, geswall DOES indeed STOP the "kernel kill" attempt. I had originally run apt.exe (the advanced process terminator) unisolated to see how powerful it was; unknown to me, it (apt.exe) installed a file in my windows/system folder. since the program was unisolated at the time, the file it installed was also considered unisolated and that's how the "kernel kill" attempt was shutting down processes. Deleting the file, dcsprocx.sys, and re-running the test, geswall stopped the kernel kill attempt (since apt.exe and dcsprocx.sys were fully isolated)!

here is my geswall log:
-{ Quote: "2006.05.26 17:37:09 apt.exe READONLY access to C: (File)
2006.05.26 17:37:09 apt.exe READONLY access to \Device\NamedPipe\lsass (File)
2006.05.26 17:37:10 apt.exe REDIRECT access to C:\WINDOWS\system32\ntdll.dll (File)
2006.05.26 17:37:10 apt.exe REDIRECT access to C:\WINDOWS\system32\kernel32.dll (File)
2006.05.26 17:37:10 apt.exe REDIRECT access to C:\WINDOWS\system32\user32.dll (File)
2006.05.26 17:37:10 apt.exe DENY access to gswserv.exe (Process)
2006.05.26 17:37:10 apt.exe DENY access to gswui.exe (Process)
" }-

so to update:
1) gswserv.exe is IMMUNE to ALL attempts to kill/suspend/crash it running the advanced process termination program!
2) other processes are IMMUNE to ALL attempts to kill/suspend/crash them EXCEPT to "kill 6" attempt.

aigle
May 26th, 2006, 06:25 PM
Great work. Really nice. Thanks for the update.

Ilya Rabinovich
May 27th, 2006, 12:03 PM
-{ Quote: "To me the failing of DefenceWall is not a good sign. He can fix it right today but this doesn't change anything. These are not signature based programmes. So if they fail today against one malware, 2morrow they can fail against any other one. This behaviour is more acceptable from signature based appliances.
Just my thoughts. I am not expert at all in these things." }-

I knew about such an attack, but I made a mistake at the programming stage. Now it is already fixed, as are many other errors. The fact is that there are errors within any product, but the only important thing is how fast you fix them.

nick s
May 27th, 2006, 11:16 PM
-{ Quote: "...The first time I executed the KillDisk executable, SSM alerted as expected (The call to API function "CreateProcess"...). I blocked it quickly and that was followed by a typical Windows error popup (see screenshot below). I rebooted and all was well. I then executed the file again, but this time I let the alert dialogue sit there for a bit while I set up another screenshot. After about 10 seconds, the file executed anyway with the SSM dialogue still waiting for an allow/block decision..." }-Just a quick follow-up to my previous post. After more testing, KillDisk is, in fact, not able to bypass SSM execution protection. From my report to SSM support:

"First, I could not duplicate KillDisk bypassing the SSM alert. I let the alert hang for about 30 minutes, twice. I believe the error I reported was caused by pressing Enter while HyperSnap-DX "appeared" to have focus on the Desktop. Here, it takes 10-15 seconds before an SSM alert makes the Desktop non-functional. Within that 10-15 seconds, I had...taken a screenshot, and started the "Save as" dialogue. But when I pressed Enter to save the screenshot, HyperSnap-DX no longer had the focus and the keystroke was directed at the SSM alert. Since my alert config was "Allow-this action just once", I allowed KillDisk to execute. I was able to duplicate this application focus event."

Beyond execution protection, though, SSM cannot yet stop KillDisk's attack on the partition table.

Nick

LM1
May 28th, 2006, 02:57 PM
Is there any benefit from using GeSWall if I'm using ProcessGuard (full version) and KAV, with the proactive defense module enabled?

djg05
May 28th, 2006, 03:01 PM
I am not quite sure what GeSWall is. I have read this thread and Gentle Security.

Is this a complete firewall, or should it run alongside a firewall?

aigle
May 28th, 2006, 05:47 PM
I have got one problem with GesWall. Whenever I start the GesWall Console, i receive the following error message. I tried to repair the installation but no benefit. Don't know how I can fix this and what is the reason for this error. I need some advice. Thanks.

Just another issue, after putting Opera in GesWall Trusted (isolated) appliances, the "post quick reply button" on wilders forum is not working!

zopzop
May 28th, 2006, 06:43 PM
aigle, i wish i knew what was going on with that error ;( have you tried emailing geswall support?

ps do you know anyone with the xpkiller trojan?

aigle
May 28th, 2006, 08:55 PM
-{ Quote: "aigle, i wish i knew what was going on with that error ;( have you tried emailing geswall support?

ps do you know anyone with the xpkiller trojan?" }-

Thanks.
I will mail to them.
About the second one I will try to search though I don't have it.
If somebody is kind enough he may donate us the link.

zopzop
May 29th, 2006, 06:11 PM
kk guys i've tested the xpkiller trojan vs geswall and to my amazement, geswall did not stop it. it disabled both my windows firewall and the automatic update feature :(

this was tested in geswall 2.2.5 personal edition

EDIT:

gentlesecurity already has released a fix. apparently it was working on all previous versions up to 2.2.5 but it broke in 2.2.5 :) I CAN CONFIRM GESWALL STOPS IT COLD, here's proof from my geswall log:
-{ Quote: "2006.05.29 19:43:33 xpkiller.exe DENY access to SC_MANAGER OBJECT\ServicesActive (SystemObject)
" }-

just make sure if you have geswall 2.2.5 installed to UPDATE it first before attempting to run this test. right click the geswall icon in the taskbar, then select "update geswall".

nice job gentlesecurity! :)
ps i also tested bufferzone home against xpkiller and bufferzone stopped it, i will post a message on ilya's site to see if defensewall works against xpkiller.

aigle
May 30th, 2006, 02:41 AM
Again I will say that the bugs in a sandbox are more serious to me than the bugs in an AV, AT or AS type software. See u tried just a few malware samples--- Sandboxie, DefenceWall and GeSWall failed against at least one of them (even if the bug might be fixed now). BufferZone and DeepFreeze have revealed their weakness already.
I can't imagine what will happen if u put these sandboxes against hundreds of malware samples (as is done while testing AV)!!
Either the sandbox technology is premature currently or, more dangerously, the windows OS is proving to be persistently vulnerable in this regard as well (as it is in the case of traditional defence by AV, firewall etc).
That's computer life! We have to live with it.

Brian Walche
May 30th, 2006, 06:38 AM
That is life, but not only computer related ;-) nearly the same rules are applied everywhere.

You are right, bugs in “prevention solutions” are more serious than AV’s ones. However, there is one important difference.

In computer security, there is a notion of Trusted Computer Base (TCB). That is something you inevitably have to rely on. For example, the windows kernel and drivers are TCB. A security bug within the kernel will compromise the whole security. It is best when the TCB is as small as possible. It is good when you can enumerate exactly what the TCB is. So, you at least know that if there is a bug in one of these components, the security will not work. The problem with AV and some other “traditional solutions” is that they have an infinite TCB by definition. Even if your AV is perfect and has no bugs at all, you are still in danger. The security is definitely gaining from turning this AV’s uncertainty into engineering problems.

puddingalien
May 30th, 2006, 12:47 PM
We can expect there to be bugs, but we can then try to put together a reasonable layered defense so that hopefully if something gets past one, another will stop it. This is not paranoia and not a reason to not have HIPS at all. No sandbox producer can claim a perfect product, but they can distinguish themselves as one of the best available.

Now, if they can agree that bugs can happen, watch this: What if HIPS can be honest and market as -always- a double. :wacko: But look, what if Ges and DW both say they do their best but once in a while there could be a bug or something and therefore the fact is a double technology nested HIPS: DW + GeSWall. It's fun not being a programmer because I have no idea how this would work :P , but it seems logical: 2 separate technologies, independently produced but compatible on the machine means that if one tech has an unknown hole, the other maybe does not.

Ever watch Star Trek: Deep Space Nine? Only a difference in Klingon technology allowed their ships immunity to a weapon that ruined the tech of the others. This saved that whole part of the galaxy from the attacker.

Read up on biodiversity: habitats or organisms with little biodiversity are more vulnerable to change. The more diversity, the better chance of survival. http://www.britannica.com/ebc/article-9357293?query=biodiversity&ct=
Computer security -requires- technodiversity!:blink:

zopzop
May 30th, 2006, 01:01 PM
aigle, keep in mind that other non-sandboxing programs failed to stop the xpkiller trojan. heck avast! and AVG didn't even detect killdisk (another trojan)on my machine when i ran it! i wish there was a way to get our hands on more virii so we can put the sandboxes to the test. geswall, bufferzone, sandboxie, and defensewall are awesome first lines of defense against malware IMHO. but that's why many on this board recommend layered defense. see my sig for mine :D

ps i need more virii/trojans/malware to test. if you have any PM me ;D

puddingalien
May 30th, 2006, 02:38 PM
Well, I have both GeSWall and DefenseWall 1.56 on this cpu together now.
Yay! TechnoDiversified HIPS!
Well, they seem ok, so far.

Any comments from the developers as to, say, what specific things to look out for or what specific things might cause resource problems?

I just put them on the way they are so far, have not changed anything. DW is in basic mode.

For those who are testing virii, if it passes one of these, try with both on and see what happens!

Lucy
May 30th, 2006, 03:57 PM
Hi all,

Answer to Aigle:
Bufferzone has not revealed its weakness already if you refer only to the bypass trick of Ilya. It was a POC aimed at proving BZ is not fully ring0 and therefore can easily be bypassed. Now it is fully ring0. I talk under the control of master Ilya.

As Geswall and DW, it is still in beta or in development. Give it time to improve!

Second, you shouldn't count by hundreds of thousands of malwares to test these technologies, but by the number of techniques to make an infection or %$# behaviour. You then restrict drastically the number of tests: installing driver and/or service, communicating with outside, registering keystrokes (at the moment for example, BZ has a development bug: the last version lets some kind of keylogger work, whereas previous versions didn't - fixed in next version), stealing info., deleting files...

To puddingalien:
I disagree with your comparison with biodiversity: so far your multi-layered protection (actually mono-layered with the impression more is better) didn't face enough situations to be "selected" as a competitive option by the environment. Time will tell if your approach is right. Think anyway about the risk that the 2 products conflict and leave some areas unprotected... even without you realising it...;D

aigle
May 31st, 2006, 04:38 AM
OK, what about DeepFreeze Unfreeze? According to my knowledge it is still not fixed exactly.

aigle
May 31st, 2006, 04:41 AM
-{ Quote: "Well, I have both GeSWall and DefenseWall 1.56 on this cpu together now.
Yay! TechnoDiversified HIPS!
Well, they seem ok, so far.

Any comments from the developers as to, say, what specific things to look out for or what specific things might cause resource problems?

I just put them on the way they are so far, have not changed anything. DW is in basic mode.

For those who are testing virii, if it passes one of these, try with both on and see what happens!" }-
Hi puddingalien, I am sorry that I don't agree with ur setup at all. Two appliances with very similar work on one OS will make a mess rather than giving u any benefit. If u want to make ur OS stronger use multiple appliances but they should have different mechanisms-- that's layered defence.
No one will recommend ur set up. It's simply not going to work. This thing has been discussed so many times here.

puddingalien
May 31st, 2006, 10:13 AM
yeah, I couldn't boot at all today, had to go safe mode, uninstall DW 1.56.
:-[

zopzop
June 3rd, 2006, 07:57 PM
aigle, stem, anyone else who cares :)

i've run another test, this time the mysterious "keygen.exe" file causing a ruckus here:
http://www.wilderssecurity.com/showthread.php?t=133934

according to blipblop it deletes the following files:
winupdates
gpedit.msc
cmd.exe
msconfig.exe
regedit.exe
taskmgr.exe
mmc.exe
reg.exe
command.com

and disables taskmanager and registrytools as well as hijacking IE. well geswall stopped it and here's my geswall log:
-{ Quote: "2006.06.03 19:47:15 Keygen.exe REDIRECT access to HKU\S-1-5-21-1883361466-3712099913-3824120397-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Registry)
2006.06.03 19:47:15 Keygen.exe READONLY access to C:\Documents and Settings\Tiggy\Local Settings\Temporary Internet Files (File)
2006.06.03 19:47:15 Keygen.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths (Registry)
2006.06.03 19:47:15 Keygen.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1 (Registry)
2006.06.03 19:47:15 Keygen.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2 (Registry)
2006.06.03 19:47:15 Keygen.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3 (Registry)
2006.06.03 19:47:15 Keygen.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4 (Registry)
2006.06.03 19:47:15 Keygen.exe READONLY access to C:\Documents and Settings\Tiggy\Local Settings\History (File)
2006.06.03 19:47:15 Keygen.exe READONLY access to C:\Documents and Settings\Tiggy\Local Settings\Temporary Internet Files\Content.IE5 (File)
2006.06.03 19:47:15 Keygen.exe READONLY access to C:\Documents and Settings\Tiggy\Cookies (File)
2006.06.03 19:47:15 Keygen.exe READONLY access to C:\Documents and Settings\Tiggy\Local Settings\History\History.IE5 (File)
2006.06.03 19:47:15 Keygen.exe READONLY access to C:\WINDOWS\system32\gpedit.msc (File)
" }-

sadly antivir doesn't recognize it as a virus, jotti confirms this :(

aigle
June 4th, 2006, 04:40 AM
Did u send it to them?
BTW, NOD32 also still does not detect it.

Mirin
June 16th, 2006, 02:09 PM
ver 2.3 is out
caption for isolated app slightly changed

zopzop
June 16th, 2006, 03:31 PM
-{ Quote: "ver 2.3 is out" }-

ya the new version also now stops martin's undetectable keylogger from recording keys :) i'm lovin' this program!:thumb:

korb
June 23rd, 2006, 08:15 AM
i'm using v2.3 now on xp, no sp installed. with default settings, each time i open my firefox, a popup asks me whether to isolate firefox or not. if i choose yes it will take about 1 min to open up firefox. is this normal?

aigle
June 23rd, 2006, 11:14 AM
There is a box to remember the option. Mark this box checked and then click yes, next time u will not get a pop up and FF will b automatically isolated.

zopzop
June 23rd, 2006, 11:41 AM
-{ Quote: "i'm using v2.3 now on xp, no sp installed. with default settings, each time i open my firefox, a popup asks me whether to isolate firefox or not." }-

aigle is right. there is also another way to stop those popups. open up the geswall console, not the one from the taskbar, the one from the programs list. then go to the geswall console subdirectory located under the root console folder, then select "auto-isolation, no popup dialogs". then you'll never be bothered by the geswall popup again until you change the security setting again.

-{ Quote: "if i choose yes it will take about 1 min to open up firefox. is this normal?" }-

nope that's not normal (unless that's how long it takes firefox to start without geswall). i have firefox, maxthon, and avant installed and they don't take that long to start with or without geswall's protections enabled. did you try contacting geswall's tech support?

korb
June 24th, 2006, 11:20 AM
i think i will try to reinstall again. all browsers take years to launch when geswall is active. once i shut down geswall, all browsers open up as per normal. another problem is i can only access the console through my admin account, but heck, i installed geswall through my 2nd account which also has admin rights.

aigle
June 24th, 2006, 11:32 AM
I don't have this issue. May be some conflict. Try to reinstall and contact their support as well.

q1aqza
July 25th, 2006, 11:50 AM
Hey I have been enjoying this thread then I get to the end and discover you guys have stopped posting to it for the past month !

Anyway, it’s a good thread and after reading it yesterday evening I installed GesWall but I am finding it quite tricky to use compared to DefenseWall. I really like DefenseWall but with 5 PCs in the house it’s not a viable option for me cost wise (I wish Ilya could licence it like BOClean where all home PCs are covered under the one licence ;D ).

Anyway I stumbled upon this thread and it seems to me that GesWall is very similar to DefenseWall but for free - but trickier to use. For applications I am having trouble getting to grips with understanding Trusted, Trusted Always, Trusted but Isolated, etc. I’ve downloaded the PDF and read it but I’m still struggling. I think I am right in saying that ‘Trusted but Isolated’ is the equivalent to DW’s ‘Untrusted’? So then I don’t understand where GesWall’s ‘Untrusted’ comes in to things?

There are built-in application rules which set various things as Trusted or Trusted always but I don’t understand what happens about all the applications that are not listed as trusted – does this mean by default they are untrusted and would still generate a pop up if run and it tries to connect to the internet? But then presumably it would only alert if it tried to connect or access the confidential area – so what happens if it is malware that wants to do damage but doesn’t actually connect to the internet or try to access a confidential area? For example, what if I had an infected executable (not a known app) that was downloaded before installing GesWall, presumably this would be ‘untrusted’? But it would not be ‘Isolated’ and if it didn’t try to connect or access the Confidential folder then I could execute it and GesWall wouldn’t know about it to stop it – I know this is where you still need your AV

I guess what I’m trying to say is that GesWall should alert and give the option to isolate when any untrusted app runs and not just when the known ones launch? OK this will generate numerous pop ups in the early days of installation but like other programs the alerts would settle down once you have launched all your usual programs. I guess a compromise would be some kind of context menu integration like DW that allows you to launch something as ‘untrusted’ with just a right-click.

I have also been confused by the isolated status of items created or downloaded by an isolated application. For example, I downloaded the latest version of Crap Cleaner using Isolated Firefox and when I launched the setup it was shown as isolated and the installation failed – which is exactly what I would expect, but then I downloaded another program (K9 anti-spam) which also showed Isolated when I ran the set up but it appears to have installed OK ?? – which I wouldn’t have expected.

Another strange problem was that within IE or FF (Isolated) I couldn’t download files to one of my partitions on my second hard-drive but I could download to everywhere else on my PC (including other partitions on the second hard-drive). The partition in question is where My Documents is located so I can only assume that in creating the confidential folder within My Documents GesWall actually set a restriction on the whole partition – not just the confidential sub-folder. I deleted the Confidential folder and deleted the Resource entry but it still didn’t solve it – so I created a Resource for the whole partition (I:\) and set it to untrusted and this then allowed me to write to that partition. With hindsight I think I should have perhaps rebooted after removing the Confidential resource – I’ll try that later, but regardless, it did seem to restrict the whole partition rather than just the confidential sub-folder within My Documents – BTW My Documents itself is in a sub-folder and not on the root of the partition.

Anyway, sorry for such a long-winded post, but I think I’m going to really like this product once I get to understand it better, and I know my daughters will want me to change the window bar to pink instead of the default green ;D . Any tips and advice on how to use this better will be much appreciated.

zopzop
July 25th, 2006, 12:07 PM
hello q1aqza, i think the reason why this thread and most of this forum is "dead" is because it's summer vacation in most of the world :)

i'm not an expert on geswall's ins and outs, but you could try emailing geswall's tech support: http://gentlesecurity.com/support.php
they are really responsive. if i were you i'd copy/paste your post into an email to their tech support team.

i've been testing geswall for months now (against some of the worst malware out there: killdisk, xpkiller, sony's rootkit, "ice" protected apps, etc...) and it's never let me down once.

aigle
July 25th, 2006, 03:14 PM
GesWall really doesn't look easy to use except on its default settings.
Just a general rule: you must install it on a non-infected system. All your applications are trusted by default, but when one of these tries to make a network connection you will get a pop-up asking whether you want to isolate it or not (making it trusted but isolated, equivalent to untrusted in DefenseWall as far as I can understand).
Moreover there is a list of predefined applications as well that is expanding.
BTW, they are going to add a right-click menu to add any application to the untrusted ones, just like DefenseWall.
One more point: as far as I can understand there is virtualization for the registry but no virtualization for the file system; on the other hand Sandboxie has virtualization for both. I am still trying to understand its configuration.

q1aqza
July 26th, 2006, 09:40 AM
Thanks for the replies, aigle and zopzop. I have done as suggested and copied my post into the support link you gave me.

In the meantime I'll do some more playing around with it.

q1aqza
July 27th, 2006, 05:09 PM
Just to let you know that I got a quick response from Brian at GesWall support. Great support for a free product :thumb:

puddingalien
July 28th, 2006, 11:17 AM
Since I got myself over here finally... I reported to them some issues that prevented it from working on my machine, so this is one where I'm waiting for a better version. ;D

aigle
July 28th, 2006, 11:23 AM
-{ Quote: "Since I got myself over here finally... I reported to them some issues that prevented it from working on my machine, so this is one where I'm waiting for a better version. ;D" }-
What were those issues?
BTW, it seems to conflict with KIS, causing hang-ups, and I uninstalled it on two systems where it was installed with the KIS trial version.

puddingalien
July 28th, 2006, 11:48 AM
Various (my email account, which I assume has them, is down right now).
Instant turn-off of the cpu (a type of crash) when running some scans, like the McAfee online AV scan, and some scans on the cpu too.
Trouble getting GesWall off the cpu; it wouldn't uninstall properly.
It was actually a little while ago, I don't remember them all, but in the past they've emailed me when they've thought something was fixed.

Oh, from stuff I've read, KIS is conflicting with quite a lot out there.

Edwin024
July 28th, 2006, 01:10 PM
Not really strange, with KIS being a full security app too..

nadirah
July 28th, 2006, 02:11 PM
As part of my computer's new infrastructure, GeSWall is now part of my security setup. It fits perfectly into my jigsaw puzzle.
On my system: Microsoft Office 2003, all isolated. When I try to save an MS Word document for my school project, it can't save properly and the file is set to read-only.
When I try to install a game program from Real Networks (RealArcade) as a test:
the installer fails non-stop as a result of GeSWall's restrictions.
Some of my own experiments: set IE to Untrusted, and IE won't execute at all! Good, I say. ::):o:D
In IE, isolate IE and most dangerous features should not be able to work at all; it is better than running a program in non-admin mode. G is tighter than that.

Resource consumption is within reasonable limits.