Wilders Security Forums  

  #1  
Old March 29th, 2012, 03:00 AM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Just one small question about DefenseWall...

I jumped into another forum and I saw this:
...with DefenseWall you can't customize much, browser cache is left behind. Malware can exist in browser cache.
That part is familiar to me, however, now the important part:
...worse still if you have system restore on, despite you manually delete your browser cache, the malware will reside in your system restore).
Is this true, should I worry about this?
Thanks to all.
  #2  
Old March 29th, 2012, 04:12 AM
Melf Melf is offline
Regular Poster
 
Join Date: Sep 2010
Posts: 103
Default Re: Just one small question about DefenseWall...

Browser cache?

Hell, you can go to, say, 'www.viruses.com', and download 'really_bad_malware.exe'. Click to run it. It runs untrusted, because your browser was running untrusted, and so too does everything it spawns. Malware.exe will run.... with its teeth taken out. Can't do anything worth worrying about.

Anyway, system restore has nothing to do with your browser cache (it restores your OS, not your browser...). If you for some reason have malware that is saved in a system restore, it's because you ran it as Trusted under DW, thereby allowing it to potentially mess up the OS.
  #3  
Old March 29th, 2012, 04:25 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Just one small question about DefenseWall...

Malware can't exist in your browser cache. What it can do is put malicious entries into it and if you go to those entries with your browser you may be exploited or whatever.

I don't get why system restore is relevant. I can keep a system restore of a malware infested drive and I'll be fine as long as I don't go back to it.

If you're worried you can clear your cache.

Open an administrative command prompt and type "ipconfig /flushdns" and that's it.
  #4  
Old March 29th, 2012, 06:12 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,516
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
Is this true, should I worry about this?
I have hundreds and hundreds of malware files on my hard drive. Should I worry about it? No, because they are inactive. Also, there is a little misunderstanding about the role of DW, as it should be paired with traditional protection technologies; it's not a standalone tool.
__________________
DefenseWall HIPS developer. www.softsphere.com
  #5  
Old March 29th, 2012, 10:42 AM
Victek123 Victek123 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Location: USA
Posts: 2,722
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
...worse still if you have system restore on, despite you manually delete your browser cache, the malware will reside in your system restore).
Is this true, should I worry about this?
Thanks to all.

The fact that a System Restore point can harbor a virus which may inadvertently become active if you use that restore point is an inherent risk of all snapshot tools, and doesn't have anything to do with the security software you use. Part of cleaning malware from the system is deleting all restore points to eliminate this possibility.
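Added example (not part of any post in this thread): one way to carry out the "delete all restore points" step described in the post above, once cleanup is finished. It assumes Windows Vista or later (where restore points are stored as volume shadow copies), an elevated Windows PowerShell 5.1 session, and C: as the system drive; the restore point description is a made-up label.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: system drive is C:, malware cleanup is already done,
# and no other backup tool depends on the existing shadow copies.

$drive = 'C:'

# 1. Inventory existing restore points so there is a record of what gets removed.
$points = @(Get-ComputerRestorePoint)
$points |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 2. Show the underlying shadow copies for the drive.
vssadmin list shadows /for=$drive

# 3. Deleting shadow copies also removes "Previous Versions" snapshots,
#    so ask for confirmation first.
$answer = Read-Host "Delete all $($points.Count) restore point(s) on $drive? (y/N)"
if ($answer -eq 'y') {
    vssadmin delete shadows /for=$drive /all /quiet

    # 4. Verify nothing is left, then create a fresh baseline from the cleaned system.
    $remaining = @(Get-ComputerRestorePoint)
    Write-Host "Restore points remaining: $($remaining.Count)"
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}
```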
  #6  
Old April 3rd, 2012, 02:48 PM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

Big thanks to all but I still have some more questions.
Is the following true:
I picked this up from ssj100's website:
I'm not an expert, but according to him:
"Also, Sandboxie has the start/run restrictions, which are arguably on its own even more powerful than the containment it (and DefenseWall) primarily provides."

"Also, Malware Defender's developer Xiaolin claims that if you let a program execute, it will be able to bypass your protection sooner or later. Furthermore, everything is allowed to take place on the REAL system with DefenseWall, and everything is allowed initial execution - there is no direct virtualisation or direct anti-execution at all. Without these 2 aspects, I feel that DefenseWall isn't as strong as many people suggest."

I found it here:
-http://ssj100.fullsubject.com/t21-defensewall-personal-firewall-300-released-

Is this true or false? Yes, I do know this is version 3.00 discussed on the forum and right now DefenseWall's latest version is 3.17, so has something changed?

Also what about Sandboxie's issue with integrity levels-is this issue completely solved with start/run restrictions which completely disable all the malwares regardless of what integrity level each and any/every malware has?

Also, can you block malwares from start/run in the first place in DefenseWall?

Can you block malware's attempt to gain internet access in DefenseWall, like you can in Sandboxie?

Big thanks to all.

Last edited by JRViejo : April 4th, 2012 at 03:29 AM. Reason: De-linked URL - JRViejo
  #7  
Old April 3rd, 2012, 03:11 PM
jmonge jmonge is online now
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,774
Default Re: Just one small question about DefenseWall...

Yes, you can configure DefenseWall to block run/start like Sandboxie.
__________________
Emsisoft Anti-Malware 7.0
  #8  
Old April 3rd, 2012, 03:22 PM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by jmonge
Yes, you can configure DefenseWall to block run/start like Sandboxie.

Do you recommend to me to block everything to access the internet except firefox.exe and iexplore.exe?
What should I block to start/run, everything except firefox.exe and iexplore.exe?
Thanks.
  #9  
Old April 3rd, 2012, 03:32 PM
jmonge jmonge is online now
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,774
Default Re: Just one small question about DefenseWall...

Even if you let it run, it will be isolated in a sandbox container. You can run whatever you want to run or restrict, as DW will protect you in real time for sure. Don't be afraid; I tested DW even against rootkits and it is safe in the out-of-the-box configuration.
__________________
Emsisoft Anti-Malware 7.0

Last edited by jmonge : April 3rd, 2012 at 04:13 PM.
  #10  
Old April 3rd, 2012, 04:09 PM
Dark Shadow Dark Shadow is offline
Massive Poster
 
Join Date: Oct 2007
Location: USA
Posts: 4,550
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by Ilya Rabinovich
I have hundreds and hundreds of malware files on my hard drive. Should I worry about it? No, because they are inactive. Also, there is a little misunderstanding about the role of DW, as it should be paired with traditional protection technologies; it's not a standalone tool.
Ilya, you're being modest; most of us know DW can beat the snot out of malware all by itself. Some people can have a bloat load of security and still manage to infest a system. Nothing wrong with traditional backup protection though.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
  #11  
Old April 3rd, 2012, 04:37 PM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,516
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
Is this true or false?
It's true. And it's false. What keeps malware from attacking users right within allowed sandboxed processes, without running more processes, like Duqu has, for instance? Nothing. If, for example, Flash player has a security hole, your computer can be attacked right from your browser's process instance. The strength of any sandboxing solution is about correct isolation techniques implementation, not about processes run restrictions.

Quote:
Originally Posted by CoolWebSearch
Also, can you block malwares from start/run in the first place in DefenseWall?
No, because DW is made for average users, who can't configure and use this functionality properly. There are only "Stop attack"/"Stop process" buttons with popup windows that are about outbound firewall functionality.
__________________
DefenseWall HIPS developer. www.softsphere.com
  #12  
Old April 3rd, 2012, 11:37 PM
Melf Melf is offline
Regular Poster
 
Join Date: Sep 2010
Posts: 103
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
I picked this up from ssj100's website:

ssj100 seems to have a personal like for SBIE and a personal dislike for DW. He has always come across as quite biased to me, in that he points at supposed holes in DW that I don't believe to exist (I suspect this might be why he started his own forums).

Both programs offer, frankly, unbeatable levels of protection, *until* you want to install something on the 'real' system. At this point in SBIE you recover from the sandbox, in DW you choose to run something as trusted. Either way, you have to trust that the thing is safe. I believe that this is what Ilya means when he says DW is not stand-alone - e.g. if you have an AV on hand, you can scan the thing before you run it, etc.

As for which program you choose, try them both and see which you like the best. The approaches and the feel of each program are different, but the end protection is the same despite what ssj100 claims. Personally I prefer DW because it's more 'set and forget'/grandma proof, but many others including obviously ssj100 prefer SBIE (it's quite configurable).

If you're on 64-bit your hands are tied because there is no DW on 64-bit (hint hint @ Ilya).
  #13  
Old April 4th, 2012, 05:04 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,516
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by Melf
(hint hint @ Ilya).
I remember, I remember.
__________________
DefenseWall HIPS developer. www.softsphere.com
  #14  
Old April 4th, 2012, 02:42 PM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by Ilya Rabinovich
I remember, I remember.

When can we expect 64 bit version, Ilya? Did you at least find half-way to the solution?
  #15  
Old April 4th, 2012, 05:13 PM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

If Sandboxie's protection on 64-bit systems is only 99% like Tzuk says, then does it mean Sandboxie cannot protect fully like it can on 32-bit systems? Sure you can set start/run restrictions to compensate this problem, but will it be 100% effective on 64-bit systems like it is on 32-bit systems?

I wonder how can DW solve this problem?
Hmmm...
  #16  
Old April 4th, 2012, 07:20 PM
Melf Melf is offline
Regular Poster
 
Join Date: Sep 2010
Posts: 103
Default Re: Just one small question about DefenseWall...

I gather that Tzuk has figured out how to bypass PatchGuard, but since there's no documentation for it he's had to rely on reverse engineering and can't be sure that he's closed every loophole. So it might protect just as well as it does on 32-bit, or it might not. The more people that test it, the better we'll know
  #17  
Old April 4th, 2012, 08:19 PM
Dark Shadow Dark Shadow is offline
Massive Poster
 
Join Date: Oct 2007
Location: USA
Posts: 4,550
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
If Sandboxie's protection on 64-bit systems is only 99% like Tzuk says, then does it mean Sandboxie cannot protect fully like it can on 32-bit systems? Sure you can set start/run restrictions to compensate this problem, but will it be 100% effective on 64-bit systems like it is on 32-bit systems?

I wonder how can DW solve this problem?
Hmmm...
Ask Microsoft to lose PatchGuard.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
  #18  
Old April 6th, 2012, 12:51 PM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by Ilya Rabinovich
It's true. And it's false. What keeps malware from attacking users right within allowed sandboxed processes, without running more processes, like Duqu has, for instance? Nothing. If, for example, Flash player has a security hole, your computer can be attacked right from your browser's process instance. The strength of any sandboxing solution is about correct isolation techniques implementation, not about processes run restrictions.


No, because DW is made for average users, who can't configure and use this functionality properly. There are only "Stop attack"/"Stop process" buttons with popup windows that are about outbound firewall functionality.


Hi, Ilya. If the strength of any sandboxing solution is about correct isolation techniques implementation, not about processes run restrictions, does it mean that this is some kind of weakness, since sandboxing is the only thing that stops malware from infecting the real system?
I guess that means that DW's HIPS has the advantage here since it can/it will detect any malicious behavior that?

You said:"The strength of any sandboxing solution is about correct isolation techniques implementation, not about processes run restrictions."
But wouldn't start/run restrictions prevent any browser process that tries to break sandboxing protection?
Cheers.

Last edited by CoolWebSearch : April 6th, 2012 at 12:56 PM.
  #19  
Old April 6th, 2012, 05:50 PM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,516
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
I guess that means that DW's HIPS has the advantage here since it can/it will detect any malicious behavior that?
Any? I believe, no sandboxing HIPS can prevent any malicious behaviour, but most of it- yes, sure.

Quote:
Originally Posted by CoolWebSearch
But wouldn't start/run restrictions prevent any browser process that tries to break sandboxing protection?
You simply didn't understand what I mean. Re-read my post one more time. Run restrictions are not about preventing known processes from breaking sandboxing protection.
__________________
DefenseWall HIPS developer. www.softsphere.com
  #20  
Old April 7th, 2012, 01:50 AM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by Ilya Rabinovich
Any? I believe, no sandboxing HIPS can prevent any malicious behaviour, but most of it- yes, sure.


You simply didn't understand what I mean. Re-read my post one more time. Run restrictions are not about preventing known processes from breaking sandboxing protection.

I realized my mistakes way too late.
Cheers.
  #21  
Old April 8th, 2012, 12:37 PM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by Ilya Rabinovich
It's true. And it's false. What keeps malware from attacking users right within allowed sandboxed processes, without running more processes, like Duqu has, for instance? Nothing. If, for example, Flash player has a security hole, your computer can be attacked right from your browser's process instance. The strength of any sandboxing solution is about correct isolation techniques implementation, not about processes run restrictions.


No, because DW is made for average users, who can't configure and use this functionality properly. There are only "Stop attack"/"Stop process" buttons with popup windows that are about outbound firewall functionality.

So, if I understood right (I'm not sure that I did), would you say that DefenseWall's hips can help against this at all?

Would internet access restrictions protect against these kinds of attacks at all?
Cheers.
  #22  
Old April 8th, 2012, 12:51 PM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,516
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
So, if I understood right (I'm not sure that I did), would you say that DefenseWall's hips can help against this at all?

I say that DW can help against most of the cases.

Quote:
Originally Posted by CoolWebSearch
Would internet access restrictions protect against these kinds of attacks at all?
In most of the cases.
__________________
DefenseWall HIPS developer. www.softsphere.com
  #23  
Old April 8th, 2012, 01:17 PM
CoolWebSearch CoolWebSearch is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 371
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by Ilya Rabinovich
I say that DW can help against most of the cases.


In most of the cases.

Thank you for your reply, I truly hope that I did not offend you, I admit that I needed more time to understand.
I have to say that DW has options for restricting internet access for both trusted and untrusted processes, applications and etc... so I use this only to processes that are familiar to me.
Cheers.
  #24  
Old April 9th, 2012, 06:13 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,516
Default Re: Just one small question about DefenseWall...

Quote:
Originally Posted by CoolWebSearch
I truly hope that I did not offend you
Absolutely not.
__________________
DefenseWall HIPS developer. www.softsphere.com
 
