
Is this a failure of DefenseWall?


Eiki
March 27th, 2010, 06:58 AM
Please help me with my questions.
I executed a file that I downloaded and thought was a legit program. It was, but the install .exe was bundled with some malware that dropped 2 files in a Temp dir. in Documents and Settings. I executed the original .exe as Untrusted and DW did nothing to tell me (other than in the Log) about those file drops. But Avira did catch them, and then I closed Avira so that the two malware exes could land fine on my hdd the second time. Now comes the strange part. DW tells me under "Files and registry tracks" that there are 2 .exe dropped, but when I click "You have x untrusted processes running" only one of the malwares is listed (as untrusted). No sign of the other (I did cancel the original install). When I change view to "Untrusted applications" on top there are no signs of the 2 malwares. "Event Log" shows them and I can see that both tried to delete a service in Windows, so they are both active. I don't know if they did succeed in deleting the service because DW doesn't tell which one got attacked.
And it continues: when I push "Stop attack" DW tells me that I have 0 untrusted applications running. Fine. But when I search for the two malware exes they are both still on my hdd (in the Temp dir. as before). And DW says both are Trusted when I right click.

So my questions: Why does DW let 2 files drop on my hdd without automatically telling me with a popup (now I need to examine the Log inside the program), and why does DW drop files from an installer that I run as UNTRUSTED? And why are those drops Trusted when the installer that they came from was untrusted?

I have Windows XP SP3, NO firewall and DW 2.56.

Thanks in advance.

Kees1958
March 27th, 2010, 07:14 AM
If this was the scenario, it was not a failure:

1. You downloaded the installer.

2. Set the installer to trusted (otherwise the software would not install properly).

Files (executables etc.) created by trusted programs inherit this status, so the two side programs (executables) were also marked as trusted. So DW did what it promises: keep untrusted objects in a policy box.

3. Executed the main program as untrusted.
Since the two side programs were created by the installer, this did not change anything in the status of the two side programs.

Regards Kees

kjdemuth
March 27th, 2010, 09:29 AM
Kees,
I think you misread. "I executed the original .exe as Untrusted"

Ilya Rabinovich
March 27th, 2010, 09:48 AM
If Avira caught the files, the processes associated with them had to be killed. Anyway, you may just send me those executables and I'll run them against DW V3.

Kees1958
March 27th, 2010, 10:01 AM
-{ Quote: "Kees,
I think you misread. "I executed the original .exe as Untrusted"" }-

I did not understand whether the original exe was the installer or the executable the installer created. When Eiki ran the installer as untrusted it sure smells fishy, so he should send it to Ilya as requested.

Saraceno
March 27th, 2010, 10:20 AM
I don't think anything would have got through. To the original poster, go into file and registry tracks, find a time/date that you are comfortable with (before you installed program), and either:

> select rollback to
> delete all the items in the list created from the time the installer was launched and after.

Also, you have to be more strict in checking downloads. There are many sites creating legitimate programs as portable, but adding a bit of extra spice to the download. I've been burned, many times.

jmonge
March 27th, 2010, 10:53 AM
It may be running in memory, but as untrusted, so this virus or whatever is doing nothing; it is crippled already for sure. Just terminate it or stop attack, end of story ;)

SafetyFirst
March 27th, 2010, 11:11 AM
-{ Quote: "
Originally Posted by Eiki
Is this a failure of DefenseWall?" }-

As a firm believer and a devotee of DW, I fully support the infallibility dogma (http://www.newadvent.org/cathen/07790a.htm) of DefenseWall... :isay:

Eiki
March 27th, 2010, 01:31 PM
Sure there are malwares which have got through.

I did like Saraceno wrote: I went into "Files and registry tracks" and first rolled back everything. STILL the 2 malwares were on my hdd. I deleted the malwares manually. I tried again and ran the original installer so the malwares dropped once again. Then I tried to delete (not Rollback) the 2 (and everything else) inside DW (under Files and registry tracks). It disappeared from the "Rollback list" but again it was STILL on my hdd.

Am I wrong or is the program wrong?

To Kees1958: By the original .exe I mean the legit program that I was trying to install, which then dropped the malware.

Ilya Rabinovich
March 27th, 2010, 01:41 PM
What's your Windows version?

Eiki
March 27th, 2010, 01:44 PM
Windows XP SP3 and fully updated.

Ilya Rabinovich
March 27th, 2010, 01:54 PM
Send the files to me, I'll check them out.

Eiki
March 27th, 2010, 02:01 PM
Hmmm..maybe it was me...

When I went into "Files and registry tracks" and deleted everything then, OK, only one of them was deleted, I can see now. But one is left on the hdd. BUT if I go once again to "Files and registry tracks" the other malware is there again (even if I deleted it before) and NOW I can delete it, the second time.

But where to send the file so we can have a definite answer? Or should I make the file public so other can try?

Eiki
March 27th, 2010, 02:04 PM
And Ilya:

Why doesn't DW kill those processes when I click "Stop attack"? Now I must go to "files and registry tracks" to do it manually (2 times btw).
Can that be correct?

Ilya Rabinovich
March 27th, 2010, 02:30 PM
Send to the support [at] softsphere [dot] com.

Eiki
March 27th, 2010, 05:38 PM
Sending it right now.

But Ilya, please tell me why DW let the installer put 2 exes on my computer that were Trusted. Is this normal? Can they not make my comp infected? Should not DefenseWALL stop infections that way? Or have I misunderstood the meaning of the program? Please tell me the "rules" of the program, how it's working with file drops like that. So the big question: is DW safe against attacks like that? Does DW stop an attack when the malware exe hits the hdd, let's say give the exes minimal access to my system? Or do the dropped files have access to my whole system? I really want to know that.

Thanks for quick answers before!

Ilya Rabinovich
March 27th, 2010, 05:43 PM
1. What are the exes you are referring to? All are listed as "untrusted".
2. I have had no single issue with deleting all the files created by the sample.

And I strongly recommend you to learn about the difference between sandboxes and sandbox HIPS.

Eiki
March 27th, 2010, 06:08 PM
No, only one is listed as untrusted, the setupv.exe. The thefile.exe is NOT listed as an untrusted process running. And when you click Stop attack the setupv.exe is still on the computer (like thefile.exe). Look for yourself. You have to manually delete it in the Files and registry tracks. And when I search for the file on my comp and right click, DW tells me they are TRUSTED.

So the answer is: Can they do harm to my system when they are in the Temp dir., or do they have minimal access?

Thanks anyway!

Ilya Rabinovich
March 27th, 2010, 06:18 PM
1. I have both setupv.exe and thefile.exe stated as untrusted.
2. Yes, all is correct, DefenseWall does not erase any file automatically, it just marks it as untrusted.

demoneye
March 27th, 2010, 07:33 PM
so Eiki was right? did DW somehow let these 2 files extract as trusted?

cheers

Lebowsky
March 27th, 2010, 10:43 PM
-{ Quote: "so Eiki was right? did DW somehow let these 2 files extract as trusted?

cheers" }-
??? :(

G1111
March 27th, 2010, 11:16 PM
-{ Quote: "so Eiki was right? did DW somehow let these 2 files extract as trusted?

cheers" }-
My take is no they were untrusted, and could run within the sandbox, but could not adversely affect the system. With DW 3 they would not be able to call home. Remember this is a sandbox with whitelisting not a scanner. It is part of a layered approach. Version 3 will include a firewall.

Saraceno
March 28th, 2010, 12:32 AM
Ilya mentioned above both files run and are stated as untrusted.

Eiki
March 28th, 2010, 07:48 AM
Well, on my computer DW tells me I have one untrusted process running after the 2 malwares hit the hdd. I click Stop attack and the file is still on the hdd even if DW tells me I have 0 untrusted processes running. Like I said before, I have to manually delete it in File and registry tracks. If I go to the files with Explorer after I have clicked Stop attack (but before deleting them in File and registry tracks), right click and choose "File properties" in DW's pull-down menu, DW says they are both TRUSTED, even if the original install .exe (from where they executed) was untrusted.

Shall I put it here so some other can try? Just make sure to have AA on your computer. I think it is adware and no dangerous virus.

BrendanK.
March 28th, 2010, 08:25 AM
-{ Quote: "Well, on my computer DW tells me I have one untrusted process running after the 2 malwares hit the hdd. I click Stop attack and the file is still on the hdd even if DW tells me I have 0 untrusted processes running. Like I said before, I have to manually delete it in File and registry tracks. If I go to the files with Explorer after I have clicked Stop attack (but before deleting them in File and registry tracks), right click and choose "File properties" in DW's pull-down menu, DW says they are both TRUSTED, even if the original install .exe (from where they executed) was untrusted.

Shall I put it here so some other can try? Just make sure to have AA on your computer. I think it is adware and no dangerous virus." }-

No, please don't upload malware here :)

DefenseWall does not stop file drops, which are the modules left behind by the malware.

We recommend users, such as you, to run an antivirus scan periodically to remove files such as these. They do not pose a risk to you, however, they can clutter your system.

If it is marked as Trusted, after it has been dropped by malware, please submit the files and the log to support[at]softsphere.com

Ilya Rabinovich
March 28th, 2010, 08:49 AM
First of all, I recommend you to download and install the latest V3 build and run the malware against it. Because, with my current setup, everything is working as it should.

Eiki
March 28th, 2010, 12:47 PM
Ok, I just tried DefenseWall V3 and I don't have much to say other than what I said before. One major difference was that the firewall of DW now asked if one of the malwares could get access to the Internet. Of course I said no. And DW now again said that I had 1 Untrusted process running even if there are 2 drops from the original installer. I clicked Stop Attack, DW tells me I have 0 Untrusted processes running, but when I look on my hdd both malwares are still there. I go to DW's File and registry rollback and delete everything. NOW they got deleted. Just like DW 2.56.

Can it be that the other malware is somehow inactive and DW therefore tells me that I have only one Untrusted application? But DW says the file tried to write to my registry and tried to delete a service, so it can't be inactive...

And one more thing that has nothing to do with the above problem. I want my Event Log to be as clean as possible so I made Svchost.exe and Dropbox.exe Trusted. They don't show up in "Untrusted Applications". BUT they keep popping up in the Event Log anyway. For testing I made Firefox Trusted (no Firefox is listed in Untrusted Applications). But still traces from Firefox activity show up in "File and registry rollback".

You have a lot to do Ilya...

Ilya Rabinovich
March 28th, 2010, 05:08 PM
1. DefenseWall is working correctly. You just don't understand how it works.
2. It's impossible to remove built-in entries from the untrusted list, DefenseWall adds them back.
3. Want to keep the log clean? Just switch off logging and that's it.

jmonge
March 28th, 2010, 08:00 PM
I can confirm, Ilya. I installed the same malware for testing and the rollback took care of business and deleted all malware traces and history of the malware ;) very easily :thumb: so it really rolled back my system clean again :)

Boost
March 28th, 2010, 08:04 PM
-{ Quote: "I can confirm, Ilya. I installed the same malware for testing and the rollback took care of business and deleted all malware traces and history of the malware ;) very easily :thumb: so it really rolled back my system clean again :)" }-

So how does the rollback feature work?

jmonge
March 28th, 2010, 08:09 PM
You see all the files/registry/folders in there and just find what you want to delete, and it will roll back the system to the original state. It is very simple to use; then you will notice the files/registry or whatever traces will be gone, even the hardest files to remove such as rootkits, etc. etc.
You can set the rollback to delete automatically, I think it is like every 15 to 30 days (no harm at all).
Note: the rollback is like my scanner :) it will remove any files for sure, it never fails me. The other day my wife was surfing the web on a legit site and it tried to install a fake antivirus program, which Prevx ignored :) but DefenseWall was there to stop the attack.

Boost
March 28th, 2010, 08:11 PM
-{ Quote: "You see all the files/registry/folders in there and just find what you want to delete, and it will roll back the system to the original state. It is very simple to use; then you will notice the files/registry or whatever traces will be gone, even the hardest files to remove such as rootkits, etc. etc.
You can set the rollback to delete automatically, I think it is like every 15 to 30 days (no harm at all)." }-

Hmm,I'll have to install Defensewall again and see how this works ;D

Thanks for the info!

jmonge
March 28th, 2010, 08:14 PM
No problem ;) you have to feel how it works, it's a fantastic application and very unique :thumb:

CogitoErgoSum
March 28th, 2010, 08:25 PM
Hello Eiki,

I tested the malware sample in question against the latest version of DefenseWall Personal Firewall v3.00 RC1 under Vista 32 SP2. I concur with Ilya that DW successfully contains all of the possible damage that this sample has to offer (the firewall blocks all outbound network attempts, several resource isolation pop-ups give one the option to "terminate" each and every malicious action, pressing "stop attack" effectively terminates all of the "untrusted" processes, and all of the malware related entries that were created can be effectively rolled back or deleted).

Keep in mind that DW is a policy restriction sandbox. In other words, all potentially malicious files (application, malware, system, etc.) that are downloaded via or pass through a threatgate (web browser, email client, IM (instant messaging), file compression utility, media player, pdf reader, etc.) inherit "untrusted" status and occupy space on one's "actual" system. Any file that inherits "untrusted" status is prevented from harming or breaching the integrity of one's system unless the user allows it. Since DW employs virtually no virtualization in its sandbox implementation, all malware related files left behind on one's hard drive can be deleted by DW's built-in "rollback" functionality, manual deletion or with the use of an on-demand scanner such as an anti-virus. In short, DW is essentially a turbocharged limited user account for threatgate applications with none of the weaknesses.

Hopefully, this explanation clarifies things.


Peace & Gratitude,

CogitoErgoSum
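The label rules that the thread keeps circling (a process started from an untrusted file is untrusted, files and child processes created by an untrusted process inherit that label, "stop attack" terminates untrusted processes but erases nothing, and "rollback" is what removes the tracked drops) can be made concrete with a small model. The code below is an added illustration written for this page, not DefenseWall's code or the vendor's API; the `PolicySandbox` class, its method names and the Temp paths are constructed, and only the two file names `setupv.exe` and `thefile.exe` come from the thread. It also runs Kees1958's alternative scenario (installer marked trusted) so the two outcomes can be compared.

```python
"""Toy model of a policy-restriction sandbox ("sandbox HIPS") label system.

Constructed illustration for this thread, not DefenseWall's implementation.
Rules modelled: label inheritance from parent process to files/children,
privileged actions denied to untrusted processes, stop-attack kills but
does not delete, rollback deletes the tracked artifacts.
"""
from dataclasses import dataclass, field

UNTRUSTED = "untrusted"
TRUSTED = "trusted"


@dataclass
class Artifact:
    path: str
    label: str
    created_by: int  # pid of the creator, 0 for pre-existing files


@dataclass
class Process:
    pid: int
    image: str
    label: str
    alive: bool = True


@dataclass
class PolicySandbox:
    files: dict = field(default_factory=dict)   # path -> Artifact
    procs: dict = field(default_factory=dict)   # pid -> Process
    tracks: list = field(default_factory=list)  # paths written by untrusted procs
    log: list = field(default_factory=list)
    next_pid: int = 100

    def add_file(self, path, label=TRUSTED):
        self.files[path] = Artifact(path, label, 0)

    def execute(self, path, run_as=None):
        """Start a process; it takes the file's label unless the user overrides it."""
        label = run_as or self.files[path].label
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        self.procs[pid] = Process(pid, path, label)
        return pid

    def write_file(self, pid, path):
        """A dropped file inherits the writer's label; untrusted drops are tracked."""
        proc = self.procs[pid]
        self.files[path] = Artifact(path, proc.label, pid)
        if proc.label == UNTRUSTED:
            self.tracks.append(path)
            self.log.append(f"{proc.image} (pid {pid}) created {path}")

    def spawn(self, pid, path):
        """A child process inherits the parent's label, whatever the file says."""
        return self.execute(path, run_as=self.procs[pid].label)

    def attempt(self, pid, action):
        """Privileged action (delete a service, write HKLM): denied when untrusted."""
        proc = self.procs[pid]
        allowed = proc.label == TRUSTED
        self.log.append(f"{proc.image}: {action}: {'allowed' if allowed else 'blocked'}")
        return allowed

    def untrusted_running(self):
        return [p for p in self.procs.values() if p.alive and p.label == UNTRUSTED]

    def stop_attack(self):
        """Terminate untrusted processes only; files on disk are left alone."""
        for p in self.untrusted_running():
            p.alive = False
        return len(self.untrusted_running())

    def rollback(self):
        """Delete every tracked artifact created by an untrusted process."""
        removed = [p for p in self.tracks if p in self.files]
        for p in removed:
            del self.files[p]
        self.tracks.clear()
        return removed


def scenario(installer_label):
    """Run the thread's installer-with-two-drops scenario under a given label."""
    sb = PolicySandbox()
    installer = r"C:\Downloads\legit_setup.exe"          # constructed path
    drops = [r"C:\Documents and Settings\user\Temp\setupv.exe",   # names from the thread,
             r"C:\Documents and Settings\user\Temp\thefile.exe"]  # paths constructed
    sb.add_file(installer, label=installer_label)
    inst = sb.execute(installer)
    for d in drops:
        sb.write_file(inst, d)
    kids = [sb.spawn(inst, d) for d in drops]
    allowed = sum(sb.attempt(k, "delete service") for k in kids)
    return {
        "drop_labels": [sb.files[d].label for d in drops],
        "running_before": len(sb.untrusted_running()),
        "privileged_allowed": allowed,
        "running_after_stop": sb.stop_attack(),
        "still_on_disk_after_stop": sum(d in sb.files for d in drops),
        "rolled_back": len(sb.rollback()),
    }


if __name__ == "__main__":
    for lbl in (UNTRUSTED, TRUSTED):
        print(lbl, scenario(lbl))
```

Under the untrusted run the two drops are labelled untrusted, their attempts to delete a service are blocked, and after `stop_attack()` the files are still on disk until `rollback()` removes them, which is the behaviour Ilya and BrendanK. describe. Under the trusted run the same drops inherit trusted status and the privileged actions go through, which is Kees1958's explanation of how a drop can end up trusted: the label comes from the creating process, not from anything in the file.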