View Full Version : DefenseWall as a HIPS
Baldrick
January 7th, 2007, 06:30 PM
Would any of you learned people out there like to comment on DefenseWall and how good or not it is as a HIPS? It seems to offer the universal panacea, i.e., protection without alarming numbers of popups, but how good is it? From what I have read in reviews it seems to be the business, but I trust the feedback from the members of this forum.
How does it compare to GesWall?
Any thoughts gratefully accepted. ;D
Kees1958
January 7th, 2007, 06:52 PM
Hi, we have different paid sandboxes running on different PCs:
GeSWall 2.5 Pro on my son's PC, DefenseWall on my wife's PC.
DefenseWall has two options, trusted and untrusted; GeSWall Pro has four. DW runs out of the box, GW needs more configuration, even for the listed apps.
For instance, when you "auto-isolate" Windows Media Player as an untrusted app, you will be able to launch WMP and open and play music from within WMP, but when you double-click a downloaded untrusted WMP music file in Explorer, WMP will start but will not play the music file with the default settings. You can get it playing by changing some rules (which you can find on the support forum).
With DW you can mark WMP as untrusted; it will give the same protection, but everything works seamlessly.
On the other hand, GW follows the Windows framework and allows for more tweaking, while the DW user interface gets some criticism and has poor help files. To the benefit of DW, I have never needed help and the user interface is not difficult to use. Release 2.0 will have an improved GUI.
I think they're both great products, with just a little personal preference for DW.
Regards Kees
Longboard
January 7th, 2007, 07:54 PM
@Baldrick
Go here
http://www.av-comparatives.org/index.html?http://www.av-comparatives.org/seiten/comparatives.html
Check out the comparatives report for:
"Detection of potentially unwanted programs October 2006"
DW & GES both did well.
Read the whole report; interesting stuff in there.
Regards
Baldrick
January 8th, 2007, 03:07 PM
Hi Kees
Thanks for the explanation. I think that I get it... not sure which one to go for, but as my wife uses the same PC as me DW may be better, as the less user intervention required the better.
Hi Longboard
Thanks for the link. Very interesting. Still not sure which to go for... ah, decisions, decisions.
Cheers
Balders;D
Baldrick
January 8th, 2007, 05:47 PM
In my quest for a ProcessGuard replacement I saw DefenseWall come out on top in the following review of HIPS applications:
http://www.techsupportalert.com/security_HIPS.htm
hence the reason for following up on it and trying to find out more. Having started out looking for a like-for-like replacement, I have started to understand, as 'Gizmo' Richards clearly expresses in the article, that while all the candidates are "...all notionally HIPS programs they are in fact, as different as they are similar". But I like the sound of DW as it appears to be the most non-intrusive and easiest to set up HIPS, except that I will have to find all the programs that connect to the internet and, if they are not put into the trusted list automatically, I will have to decide whether I trust the connection made by each or not. Hopefully I can use the list of applications that have connected, as held by my firewall, i.e., those that rules have been set up for, as the basis of the analysis.
I am not knocking DW, just trying to make the right choice... if it is possible to make such a thing. GeSWall sounds interesting... does it also look specifically at just Internet-based vectors, with one having to manually configure non-Internet-based vectors if one does not trust them? :-\
Pedro
January 8th, 2007, 09:18 PM
Kees1958: is DW something in between the concepts of GeSWall and Sandboxie? Like, when saving a file to disk it acts like GeSWall, but the browser session, for instance, is cleared if you want?
Kees1958
January 9th, 2007, 03:43 PM
-{ Quote: "Kees1958: is DW something in between the concepts of GeSWall and Sandboxie? Like, when saving a file to disk it acts like GeSWall, but the browser session, for instance, is cleared if you want?" }-
No, they are both sandboxes protecting trusted sources from being tampered with by untrusted sources. DW has a file and registry tracking option which you can view and roll back when wanted. The average user should never have to look into this part of DW anyway to use the program correctly.
GW and DW are more or less policy/rights manager HIPS (like not being allowed to do some things when not logged in as admin). They do not use file virtualisation (to my knowledge) like Sandboxie or BufferZone do. This provides the advantage of seamless integration (you do not have to be aware of which zone things are in).
GW uses "isolated" as its term, DW uses "untrusted". DW is more straightforward (it knows only trusted and untrusted) than GW (always trusted, trusted with auto-isolation, isolated and jailed).
I do not know anything about the number of lines coded by either Brian or Ilya, but in general: less functionality means less source code, less source code means easier testing, less testing effort means more robust applications. In Brian's defence, GW follows the Microsoft security framework (so Brian might have less trouble launching a Vista version of GW than Ilya with DW).
Pedro
January 9th, 2007, 03:48 PM
Oh, OK, now I get it. I thought it had virtualisation and policy. Only policy, as GeSWall, with those differences you mentioned.
Thanks!:thumb:
Rasheed187
January 10th, 2007, 04:53 PM
You know, I still don't completely understand it. So basically GeSWall and DefenseWall work by restricting processes, kind of like running them in non-admin mode but with even more restrictions. However, they don't prevent untrusted processes from having access to your real file system and registry, correct?
On the other hand, tools like Sandboxie and BufferZone will make sure that your file system and registry will never get touched by sandboxed processes. The difference between the two is that Sandboxie will contain everything in a separate folder, while BufferZone does not do this, so if you save a file on your desktop it will appear on your real desktop, but it will be marked as "untrusted". Is this all true or not? ::)
lucas1985
January 10th, 2007, 05:14 PM
-{ Quote: "However, they don't prevent untrusted processes from having access to your real file system and registry, correct?" }-
As soon as any untrusted process tries to access trusted resources (system files, registry, etc.), GeSWall creates a copy of it and lets the untrusted process do whatever it wants. When that process is terminated, the copy of the accessed trusted resource is deleted.
Link (http://www.gentlesecurity.com/features.html)
-{ Quote: "
GeSWall Restrictions and Effect:
No access to kernel - prevents kernel mode rootkits and key loggers
Read only access to trusted files, registry, processes etc. - prevents user mode rootkits, keyloggers, malware infections.
No local communications to trusted processes, e.g. windows messages, RPC, COM, WMI - prevents shatter attacks, user mode rootkits, keyloggers and malware infections.
No scheduled re-start - prevents backdoors, zombie bots and worms.
No access to confidential files - prevents leaks of confidential information.
" }-
-{ Quote: "
Additionally, GeSWall's data-flow control policy locks malware or an intruder within an isolation layer. For instance, whenever an isolated application creates a file, GeSWall tracks it down. If that file is:
executable - GeSWall classifies the process as posing a threat and isolates it on execution;
driver or DLL - GeSWall prevents its loading into kernel and trusted processes;
VBS script - "Windows Script Host" gets isolated on script translation, and so forth.
" }-
Ilya Rabinovich
January 11th, 2007, 05:12 AM
-{ Quote: "However, they don't prevent untrusted processes from having access to your real file system and registry, correct?" }-
Wrong. DefenseWall blocks modifications of sensitive files and registry areas by untrusted processes. Otherwise, it would not be a defense at all!
Rasheed187
January 11th, 2007, 09:05 AM
@ lucas1985
Thanks for the info. GeSWall seems to be a quite powerful tool, and their blog is also quite interesting, but I would sure like to have a more attractive GUI and an option to disable the colored title bar. ::)
@ Ilya Rabinovich
So does DW work exactly like GeSWall? I mean, there isn't a lot of info about the way that DW works; it's all a bit vague. That's why I'm getting confused. For example, DW also has a "rollback" function, right? Can I ask why? I do know that with SBIE, all changes to the file system and registry are kept in the sandbox and will be gone if you erase the sandbox.
Perhaps you can give a bit more info (also on your website), and point out the differences between other similar tools like Sandboxie, GreenBorder, BufferZone, GeSWall and DW, because I'm still not sure what's the best solution; of course this also depends on what the user wants. But I'm glad that you will redesign the GUI. Can you perhaps post some screenshots? Perhaps I can come up with suggestions; GUI is one of the most important things to me. ;)
Ilya Rabinovich
January 11th, 2007, 12:24 PM
-{ Quote: "So does DW work exactly like GeSWall? " }-
No, similar, but not exactly. The base architectures are different.
-{ Quote: "I mean, there isn't a lot of info about the way that DW works; it's all a bit vague." }-
I believe I'll be able to fix it, but I need to know exactly what kind of information is needed.
-{ Quote: "That's why I'm getting confused. For example, DW also has a "rollback" function, right? Can I ask why?" }-
To allow advanced users to clean up malware's executable modules from hard drives.
-{ Quote: "
I do know that with SBIE, all changes to the file system and registry are kept in the sandbox and will be gone if you erase the sandbox." }-
Not in the sandbox, but in the virtualization container. You just miss the point. "Sandboxing" means "rights restrictions", like forbidding driver/service loading, file and registry key access, physical memory access and so on. "Virtualization" means "using information not based on the real stuff". You may virtualize hardware, files, registry keys, parts of the OS.
Yes, you can clean up all the SBIE virtualization containers with a couple of mouse clicks, but the problem is that you do not control what exactly you erase! Otherwise, you need to dig inside the containers for the files and registry keys stored there and rescue the important ones that don't have to be erased. DW gives you full control over this (highly dangerous!) action and, also, I always recommend it for advanced users only, who understand what they are doing. AV tools are for the others.
-{ Quote: "
Perhaps you can give a bit more info (also on your website), and point out the differences between other similar tools like Sandboxie, GreenBorder, BufferZone, GeSWall and DW, because I'm still not sure what's the best solution; of course this also depends on what the user wants. " }-
In fact, the best solution is different for different users; some are happy with BZ, some with GW, some with DW :) That is why different approaches are needed.
-{ Quote: "
But I'm glad that you will redesign the GUI. Can you perhaps post some screenshots? Perhaps I can come up with suggestions; GUI is one of the most important things to me. ;)" }-
OK, just come to my forum and take a look at the first alpha version of the 2.0 GUI. Next week, I believe, I'll post the second alpha version there.
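The distinction the thread keeps circling back to (Kees's "policy/rights manager" description, lucas1985's copy-on-access summary of GeSWall, and Ilya's "rights restrictions" versus "virtualization" above, including why DW offers a per-file rollback while a container is emptied wholesale) is easier to see with two small models side by side. The following Python is an added illustration, not code from DefenseWall, GeSWall, Sandboxie or BufferZone; the class names, the PROTECTED prefixes, and the sample paths are this example's own, and the "file system" is a dict so nothing on a real disk is touched.

```python
"""Toy models of the two mechanisms compared in this thread: policy (rights
restriction plus rollback journal) versus virtualization (copy-on-write
container). Added illustration, not vendor code; all names, PROTECTED
prefixes and sample paths are this example's own assumptions."""
from dataclasses import dataclass, field

PROTECTED = ("C:/Windows/", "C:/Program Files/", "HKLM/")  # assumed sensitive areas
DRIVER = "C:/Windows/system32/drivers/disk.sys"             # constructed sample paths
DROPPED = "C:/Users/me/AppData/dropper.exe"
KEEP = "C:/Users/me/Downloads/report.pdf"


class PolicyDenied(PermissionError):
    """Untrusted write into a PROTECTED area was refused."""


@dataclass
class PolicySandbox:
    """Rights-restriction model: untrusted processes work on the REAL file
    system, writes into PROTECTED areas are refused, and each allowed untrusted
    write is journalled so the user can undo it path by path later."""
    fs: dict
    journal: dict = field(default_factory=dict)  # path -> content before first untrusted write

    def read(self, trusted: bool, path: str) -> str:
        return self.fs[path]  # reads are not restricted in this model

    def write(self, trusted: bool, path: str, data: str) -> None:
        if not trusted:
            if path.startswith(PROTECTED):
                raise PolicyDenied(f"untrusted write to {path} refused")
            self.journal.setdefault(path, self.fs.get(path))  # remember original once
        self.fs[path] = data

    def rollback(self, paths) -> list:
        """Undo untrusted changes to the chosen paths only; other journalled
        changes (e.g. a download the user wants) stay in place."""
        undone = []
        for path in paths:
            if path in self.journal:
                before = self.journal.pop(path)
                if before is None:
                    self.fs.pop(path, None)  # created by untrusted code: remove it
                else:
                    self.fs[path] = before   # pre-existing file: restore old content
                undone.append(path)
        return undone


@dataclass
class CowContainer:
    """Virtualization model: every untrusted write, protected area or not, is
    redirected into a per-sandbox container; reads fall through to the real
    disk when the container holds no copy. Emptying discards all of it at once."""
    fs: dict
    container: dict = field(default_factory=dict)

    def read(self, trusted: bool, path: str) -> str:
        if not trusted and path in self.container:
            return self.container[path]
        return self.fs[path]

    def write(self, trusted: bool, path: str, data: str) -> None:
        (self.fs if trusted else self.container)[path] = data

    def empty_container(self) -> int:
        dropped = len(self.container)
        self.container.clear()
        return dropped


def run_scenario(model) -> dict:
    """Replay three constructed events from ONE untrusted process, apply the
    model's clean-up, and report what is left on the real disk:
    1. overwrite a driver under C:/Windows/; 2. drop an executable into the
    user profile; 3. save a download the user actually wants to keep."""
    denied = []
    for path, data in ((DRIVER, "trojanised"), (DROPPED, "MZ..."), (KEEP, "%PDF-1.4")):
        try:
            model.write(False, path, data)
        except PolicyDenied:
            denied.append(path)
    if isinstance(model, PolicySandbox):
        removed = model.rollback([DROPPED])  # user picks the malware file only
    else:
        removed = model.empty_container()   # container is discarded wholesale
    return {"denied": denied,
            "driver_intact": model.fs[DRIVER] == "good driver",
            "dropper_on_disk": DROPPED in model.fs,
            "download_kept": KEEP in model.fs,
            "removed": removed}


if __name__ == "__main__":
    for model in (PolicySandbox({DRIVER: "good driver"}), CowContainer({DRIVER: "good driver"})):
        print(type(model).__name__, run_scenario(model))
```

In the policy model the driver write is refused outright and the dropped executable is removed by a targeted rollback while the wanted download survives; in the container model nothing is ever refused because nothing reaches the real disk, but emptying the container takes the wanted download with it unless the user recovers it first. That is the trade-off the posts above describe in words.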
Pedro
January 11th, 2007, 12:38 PM
OK, NOW it's FINAL: I'm going to install VMware Player. I have to test DW and OA :)
Rasheed187
January 13th, 2007, 01:52 PM
@ Ilya Rabinovich
-{ Quote: "OK, just come to my forum and take a look at the first alpha version of the 2.0 version's GUI. Next week, I believe, I'll post there second alpha version there." }-
OK thanks for the feedback, I have found the thread on your forum, but perhaps you can post some screenshots of all windows, it was not really clear.
-{ Quote: "Not in the sandbox, but in the virtualization container. You just miss the point. "Sandboxing" means "rights restrictions", like forbidding driver/service loading, file and registry key access, physical memory access and so on. "Virtualization" means "using information not based on the real stuff". You may virtualize hardware, files, registry keys, parts of the OS." }-
Yes, I guess I'm using the terminology in the wrong way, but you know what the thing is, aren't HIPS like SSM or Neoava Guard in fact also sandboxes then? Because I can also restrict processes from doing a whole lot of stuff with these tools. :blink:
Rasheed187
January 13th, 2007, 02:43 PM
What a bummer. I decided to check out the latest versions of BufferZone, GeSWall, GreenBorder, and Sandboxie, but none of them are good enough yet. So I sure hope that DefenseWall will rock, because basically I'm looking for a good sandbox HIPS (with a nice GUI) that I can use as a realtime protection tool, sort of like the "Software Restriction Tool" on steroids. ;)
Quick review:
BufferZone: It's a resource hog, plus it doesn't play well with other HIPS.
GeSWall: Interesting tool, but apps didn't work correctly, plus you need the Pro version for additional rules, unless you're an expert.
GreenBorder: Won't run on any of my virtual machines, plus it offers protection only for IE and Firefox.
Sandboxie: This is my favorite tool, but the "sandboxed folder" can be annoying.
More about Sandboxie:
The virtualization (sandboxed folder) is cool when you want to quickly check out an app without risking any damage to your real system, but if you use SBIE to protect apps from "drive-by attacks" and thus constantly run them "sandboxed", it can be annoying, because everything that you save (in the browser or MS Office, for example) will end up in the sandboxed folder. I'm not sure if the latest version provides a workaround for this by editing the configuration file.
Bob D
January 13th, 2007, 03:36 PM
-{ Quote: "More about Sandboxie:
.....everything that you save (in the browser or MS Office, for example) will end up in the sandboxed folder. I'm not sure if the latest version provides a workaround for this by editing the configuration file." }-
It does.
Rasheed187
January 13th, 2007, 05:10 PM
^^^^^
OK this would be really cool, thanks for the feedback. So I guess it will now become a fight between Sandboxie and DefenseWall. ;D
Ilya Rabinovich
January 14th, 2007, 05:06 AM
-{ Quote: "OK thanks for the feedback, I have found the thread on your forum, but perhaps you can post some screenshots of all windows, it was not really clear." }-
I will do it as soon as I get the next version of the skin. The deadline I had for receiving it has already passed, but the person who is responsible for this is still unavailable via e-mail and ICQ. I have no choice; I'm waiting...
-{ Quote: "
Yes, I guess I'm using the terminology in the wrong way, but you know what the thing is, aren't HIPS like SSM or Neoava Guard in fact also sandboxes then? Because I can also restrict processes from doing a whole lot of stuff with these tools. :blink:" }-
No, they are not sandboxes at all, because they are not based on a built-in ruleset; you need to create rules manually on each computer.
-{ Quote: "
So I guess it will now become a fight between Sandboxie and DefenseWall." }-
No need to fight, the fact is that both are already the winners! :D http://www.techsupportalert.com/issues/issue140.htm#Section_1.1
Rivalen
January 15th, 2007, 11:55 AM
Techsupport wrote
" say "accidentally" because DefenseWall allows you to run downloaded files quite safely by selecting the "run as untrusted" option from the mouse right click context menu. In this case they are completely sandboxed and your PC cannot become infected. However if you didn't use this option and absent-mindedly double click an infected download, then you could get infected."
I run DW in normal mode (as opposed to expert mode), and if I double-click on a downloaded file I expect it to run as untrusted, not as trusted. The behaviour Gizmo explains I thought was true for expert mode, not for normal/default mode.
Pls explain.
Best Regards
Ilya Rabinovich
January 15th, 2007, 01:44 PM
-{ Quote: "Techsupport wrote
" say "accidentally" because DefenseWall allows you to run downloaded files quite safely by selecting the "run as untrusted" option from the mouse right click context menu. In this case they are completely sandboxed and your PC cannot become infected. However if you didn't use this option and absent-mindedly double click an infected download, then you could get infected."
I run DW in normal mode (as opposed to expert mode), and if I double-click on a downloaded file I expect it to run as untrusted, not as trusted. The behaviour Gizmo explains I thought was true for expert mode, not for normal/default mode.
Pls explain.
Best Regards" }-
Yes, there is "untrusted" attribute inheritance (not for all file types). What happened in this case I don't know. This is a question for Gizmo! Maybe it was the bug in version 1.73; sometimes it doesn't inherit the "untrusted" attribute. It is already fixed and will be released with version 1.74.
Rivalen
January 15th, 2007, 02:05 PM
A program installation file that's downloaded under, say, untrusted IE with DW in normal mode shall always inherit the untrusted status.
Right or wrong?
Give some examples of files that don't inherit the untrusted status in the future 1.74 and please also explain why.
Best Regards
Ilya Rabinovich
January 16th, 2007, 11:18 AM
-{ Quote: "A program installation file that's downloaded under, say, untrusted IE with DW in normal mode shall always inherit the untrusted status.
Right or wrong?" }-
Right!
-{ Quote: "
Give some examples of files that don't inherit the untrusted status in the future 1.74 and please also explain why." }-
For example, .txt, .pdf, .jpg. Reason: there could be no malware within. Overflow-based errors in software that operates on those files, yes, but this is not DW's job...
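The inheritance rule Rivalen and Ilya settle on above (a file written by an untrusted process carries the "untrusted" attribute, a marked file launches as an untrusted process, and a short list of passive document types is exempt) is a small taint-propagation scheme, and a few lines of Python make the transitive part visible: the installer inherits the mark from the download, and whatever the installer drops inherits it in turn. This is an added illustration, not DefenseWall code; the PASSIVE set is only Ilya's three examples, and TrustTracker, Process, the hook names and the sample paths are this example's own assumptions.

```python
"""Model of "untrusted" attribute inheritance as described in the thread.
Added illustration, not DefenseWall code: the rules follow the posts above,
while PASSIVE (only the three extensions Ilya listed), TrustTracker, Process
and the sample paths are this example's own assumptions."""
from dataclasses import dataclass, field
import os

PASSIVE = {".txt", ".pdf", ".jpg"}  # assumed: extensions that do not inherit the mark


@dataclass
class Process:
    name: str
    trusted: bool


@dataclass
class TrustTracker:
    marked: set = field(default_factory=set)  # paths carrying the "untrusted" attribute

    def on_create(self, creator: Process, path: str) -> bool:
        """Hook for a file being created; returns True if the file was marked."""
        ext = os.path.splitext(path)[1].lower()
        if creator.trusted or ext in PASSIVE:
            return False
        self.marked.add(path)
        return True

    def on_execute(self, launcher: Process, path: str, run_as_untrusted: bool = False) -> Process:
        """Hook for a file being started. The new process is untrusted if the
        file is marked, if the launcher is itself untrusted, or if the user
        picked "run as untrusted" from the context menu."""
        untrusted = run_as_untrusted or not launcher.trusted or path in self.marked
        return Process(os.path.basename(path), trusted=not untrusted)


def demo() -> dict:
    """Constructed walk-through: the (untrusted) browser saves three downloads,
    the user double-clicks the installer from trusted Explorer, and the
    installer drops a DLL into the profile."""
    t = TrustTracker()
    explorer = Process("explorer.exe", trusted=True)
    ie = Process("iexplore.exe", trusted=False)  # browser is on the untrusted list
    downloads = ["C:/Users/me/Downloads/setup.exe",
                 "C:/Users/me/Downloads/manual.pdf",
                 "C:/Users/me/Downloads/notes.txt"]
    marks = {os.path.basename(p): t.on_create(ie, p) for p in downloads}
    setup = t.on_execute(explorer, downloads[0])  # inherits the mark from the file itself
    dll_marked = t.on_create(setup, "C:/Users/me/AppData/Local/Temp/helper.dll")
    return {"marks": marks, "setup_trusted": setup.trusted, "dll_marked": dll_marked}


if __name__ == "__main__":
    print(demo())
```

Only setup.exe is marked among the three downloads; launching it from trusted Explorer still yields an untrusted process, and the DLL it drops is marked as well, so the chain stays contained without the user choosing "run as untrusted" by hand.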
Rasheed187
January 22nd, 2007, 04:25 PM
@ Ilya Rabinovich
Perhaps you can post some screenshots of the new version over here or on your forum. I don't feel like installing the whole app, and other people had problems with the skin the last time. TIA ;)
Ilya Rabinovich
January 23rd, 2007, 06:13 AM
Done. At my forum...
dRag0nMa
January 23rd, 2007, 09:49 PM
I gave it a total uninstall.
I get a BSOD every day, even if I just fire up IE.
BTW, I use the latest version with expert mode.
Ilya Rabinovich
January 24th, 2007, 03:23 AM
-{ Quote: "I gave it a total uninstall.
I get a BSOD every day, even if I just fire up IE.
BTW, I use the latest version with expert mode." }-
Send me the minidump files for those BSODs via the forum; my e-mails are still not working.
Rasheed187
January 29th, 2007, 10:21 AM
Thanks for the screenshots, Ilya. I think the GUI will be just fine as long as you don't forget the basic rules like: "Applications must remember their screen size + position, and the same goes for columns (+ remember column sorting)". BTW, I now know what I forgot to ask: in Sandboxie, every change to the file system and registry will be made only in the virtual sandbox, so apps are not able to do any damage to the real system. But is this the same with DW? This is what's bugging me a bit. ::)
Ilya Rabinovich
January 30th, 2007, 04:38 PM
-{ Quote: "Btw, I now know what I forgot to ask: In Sandboxie, every change to the file system and registry will be made only in the virtual sandbox. " }-
Correction: it will be made within the virtualization container. It is a standard file system folder and registry key in the case of SBIE.
-{ Quote: "So apps are not able to do any damage to the real system. But is this the same with DW? This is what's bugging me a bit. ::)" }-
No, it is not the same. DW has policy-based file system protection instead of virtualization. Also, registry protection is mostly policy-based too (but there is limited virtualization). The point is that a sandbox gives you 95-98% automatic defense against unknown, 0-day malware. DefenseWall does this job and, in future, will be able to do it even better. As for the defense rate, well, maybe file system virtualization may give some little advantages, but the price for that is the standard one: simplicity in everyday use and the learning curve. In fact, a classical HIPS may give you ~99% defense, but it will be impossible to use due to the huge number of popups. This balance between simplicity and defense rate is a highly important thing!
Defenestration
January 31st, 2007, 03:03 PM
Ilya - re. the rollback feature, does this mean it's possible to view all changes made to the file system and registry by a process, with detailed info on what it used to be and what it has been changed to ?
Drew99GT
January 31st, 2007, 03:23 PM
Is there a free version of Defensewall?
lucas1985
January 31st, 2007, 04:35 PM
-{ Quote: "Is there a free version of Defensewall?" }-
No :)
There's a 30-day trial.
Ilya Rabinovich
February 1st, 2007, 07:42 AM
-{ Quote: "Ilya - re. the rollback feature, does this mean it's possible to view all changes made to the file system and registry by a process, with detailed info on what it used to be and what it has been changed to ?" }-
Not all of them. "Time Machine" from Apple requires a second hard drive!
Rasheed187
February 14th, 2007, 09:51 AM
@ Ilya Rabinovich
But isn't DefenseWall basically almost the same as GeSWall? So it's restricting apps with policies so that malicious apps can't damage a system? But apps can still access certain parts of the real file system and registry, otherwise they wouldn't be able to work, and that's why you need the rollback feature, correct?
I don't know why, but I still can't visualize it completely, sorry about that. But with Sandboxie I know that the file system and registry will not be touched; with that I mean they will be virtualized and changes are kept in the sandbox. I'm not saying that it's better, but I'm just trying to figure things out. ;)
Ilya Rabinovich
February 14th, 2007, 01:40 PM
-{ Quote: "
But isn't DefenseWall basically almost the same as GeSWall? So it's restricting apps with policies so that malicious apps can't damage a system? But apps can still access certain parts of the real file system and registry, otherwise they wouldn't be able to work, and that's why you need the rollback feature, correct?" }-
Basically- yes, you are correct.
-{ Quote: "
But with Sandboxie I know that the file system and registry will not be touched, with that I mean they will be virtualized and changes are kept in the sandbox." }-
Not in the sandbox, but inside the virtualization container. In the case of SBIE it is a folder within the "Documents and Settings" one.
Copyright ©2002 - 2012, Wilders Security Forums