Question about GeSWall

Discussion in 'other firewalls' started by zopzop, May 18, 2006.

Thread Status:
Not open for further replies.
  1. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    hello, has anyone ever tried this firewall/sandbox program? i've searched the forums and there's very little information about it. how well does GeSWall protect vs spyware, rootkits, and other net hazards? has it ever been tested?

    i went on over to the spycar.org website and tried out the tests found there. when GeSWall is active they don't seem to run at all. is this normal?

    any help would be appreciated, thanks in advance.

    edit: i just went to http://www.trustware.com/index.php and tried the "Setup File Test" and the results were horrendous:(

    a keylogger was installed, various processes were attacked and the contents of MyDocuments folder were shown!
     
    Last edited: May 18, 2006
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi zopzop,
It has been a while since I looked at this application, but it can take a bit of setting up to protect your system fully. Example: in the test you mention, the program will access your documents folder. In a default installation of Geswall, this folder is not protected, so you would need to go to Resources and create a rule to set this folder as "Confidential". You will then be warned of access attempts made on this location.
    If I remember correctly, the only folder set as "confidential" by default is /all users/confidential, which you would need to create to store your private folders/files.
     
  3. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
hello again and thanks for the info stem! i was checking geswall's log of the attack and i got the following:

    it says the trojandemo had "readonly" and "redirect" access to my pc. how terrible is this?
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As I mentioned, it is quite a while since I installed and used this, but at that time the system files/reg had very little default protection. I cannot find the msi for Geswall, so cannot say which version I had.

    EDIT,
I downloaded and installed the latest (free) version to have another play. On running the test I am warned of the execution and the access attempts on the "confidential" folders, but even my attempts to stop access to the system32 files are at this moment not having much success, as Geswall simply redirects (creates a copy of the file) and allows access to the copy. This does stop any alteration to the original files, but does not stop the access, and Geswall is not alerting to the keylogging or the attempted network access.
    I have to go to work now, so I will try to find time later to continue to play.
     
    Last edited: May 19, 2006
  5. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    kk i'm back again :)

    i keep trying to run tests from various sites to put geswall to the test (since so few people have it/test it) and i came along this one from ghost security:
    http://www.ghostsecurity.com/index.php?page=regtest

    test 1 attempts to write stuff to the registry VERY quickly and these are the results of the test from geswall's log:

    "redirect" comes up a lot in this test and the bufferzone test so i tried to look up what it means on gentle security's website:
    http://gentlesecurity.com/docs/applications.html
    unless i'm understanding this wrong, it means the tests (both the bufferzone one and this one) are only attacking a "dummy" registry while my real registry is safe and sound.

    test 2 attempts to write to various autostart locations then forces a shutdown, these are my results from geswall:
    and a WHOLE bunch of deny type messages like this:
    it couldn't reboot my machine, then once i manually rebooted nothing happened it couldn't affect the registry.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi zopzop,
I haven't had time to continue to "play" with Geswall.

    This is correct, I mentioned this in my post#4



This will be the "block local communications". I am curious if this would block the Breakout test.
    I will try to find time to re-install, as I still want to see why it didn't pick up on the keylogger (in the "setup file test").
     
  7. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    no worries stem.

i see it now :) sorry stem i'm sorta slow when it comes to this ;)


    i tried the test you linked to stem here are my results from geswall's log:
    i know this is odd, maybe there wasn't really a keylogger installed in the bufferzone test? i tried to email geswall's support team, but they are slow with the responses to the free desktop version of geswall (i don't blame them though).

    edit: i didn't see that there were 2 breakout tests on that page and that i needed to be using IE to test them. updated my post with the ie results for both tests.
     
    Last edited: May 21, 2006
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi zopzop,
I didn't try this test with Geswall, I just ran the "trojdemo" (setup file test). Does Geswall intercept API calls on an isolated application? It appears strange that trojdemo can call the API function "createprocess<calc.exe>" (run calc.exe), albeit readonly. This is possibly because the info on Geswall does state that applications are allowed to run normally, just that the "redirect" stops any corruption/damage to the apps/reg used. Blocking this call (blocking calc.exe from being run by trojdemo) will make the trojdemo fail. If this is allowed then trojdemo makes an API function call "setwindowshookEx" (installs system wide hook). It does say at the Geswall website that Geswall blocks keyloggers (but the test results from trojdemo report that the keylogging was successful). I will have a good re-read of the help files, and then re-install on to a new installation of XP to try (just in case any of my apps were causing a conflict).

Re breakout: yes it does look like the windows messages are intercepted/blocked (thanks for running the test / posting the info).

    Just for info, when I run the "trojdemo" on a system with SSM installed, the test results are (I did allow calc.exe to be run):-

    EDIT,
    I have re-installed Geswall onto XPsp2-all updates (well up to 10 days ago when I created the image), on the default installation of Geswall (no firewall/av or other hips installed), these are the test results from the running of "Trojdemo" (the test did fail, but due to network connection being blocked by external firewall)

I am a little surprised that the "local spy test" managed to read the "confidential" folder, and didn't stop the "simple keylogger". So from this, if I hadn't blocked the network connection, the private info would have been sent out.
     
    Last edited: May 21, 2006
  9. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    API, hooks, etc..? whoosh over my head :)

    yw, anytime stem!

    SSM? system safety monitor?


    again i'm not too sure about the keylogger. but it's odd that the trojdemo.exe test saw your confidential folder/files. i ran the test on my machine and the trojdemo.exe test did not find my confidential folder/file. here are my results:
basically that's my documents folder without the confidential folder from geswall. there is something i should mention about this test though, it will not report an empty folder. for example the "My eBooks" and "My muvees" folder did not show up in the original test because they were empty. so i created a garbage file "test.txt" and ran the test again. then they showed up. on my system the trojdemo.exe can't access the geswall confidential folder. it's odd that it can on yours though.
     
  10. Brian Walche

    Brian Walche Registered Member

    Joined:
    May 21, 2006
    Posts:
    3
    You can setup your own confidential directories in GeSWall Console as described here http://www.gentlesecurity.com/docs/resources.html

As correctly noted, access to files and registry was redirected to per-process copies. It means that target files stay unmodified. The GeSWall VBS demo script http://www.gentlesecurity.com/demo.html uses a special method to avoid this false-positive problem. The script starts one process for modification and another process to check the result. In that case the checking process doesn't see per-process modifications from another process, e.g.:

copy calc.exe notepad.exe
    fc notepad.exe calc.exe

    and "reg.exe query" is used to check registry modifications.

As for the key logger, it is blocked. TrojDemo calls SetWindowsHookEx, which installs a hook for messages. However, the API call requires a DLL that will be loaded into the logged process. So whenever a keyboard message occurs, the system calls HookProcedure within the given DLL.

That is blocked by GeSWall, as it prevents "untrusted" DLLs (created by isolated applications) from being loaded into non-isolated (trusted) processes. Therefore, the key logger will not be able to see any keyboard message of non-isolated processes. TrojDemo specifies itself (trojdemo.exe) as the DLL. Because trojdemo.exe is created by the isolated browser, GeSWall will block its loading, even though SetWindowsHookEx doesn't report an error.
     
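The two-process check Brian describes can be scripted so that a practitioner can verify a copy-on-write sandbox on any file. This is an added example, not GeSWall's demo script; the file contents and the "persisted"/"redirected"/"denied" labels are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample content; in practice the target would be a file the sandbox protects.
ORIGINAL = b"original content\n"
MODIFIED = b"modified by writer process\n"


def write_target(path):
    """Overwrite the target and return True if this process sees its own write.

    Under a per-process (copy-on-write) redirect this still returns True even
    though the real file was never touched: the false positive described above.
    """
    try:
        with open(path, "wb") as fh:
            fh.write(MODIFIED)
        with open(path, "rb") as fh:
            return fh.read() == MODIFIED
    except OSError:  # write refused outright, e.g. by a "deny" rule
        return False


def check_from_new_process(path):
    """Read the target from a freshly started interpreter.

    A separately launched, non-isolated process does not see another process's
    private copy, so it reports what the real file on disk contains.
    """
    code = (
        "import sys; "
        "sys.exit(0 if open(sys.argv[1], 'rb').read() == %r else 1)" % MODIFIED
    )
    result = subprocess.run([sys.executable, "-c", code, path])
    return result.returncode == 0


def classify(writer_saw, checker_saw):
    """Map the two observations onto the outcomes GeSWall's log distinguishes."""
    if writer_saw and checker_saw:
        return "persisted"   # real file modified: no isolation in effect
    if writer_saw:
        return "redirected"  # writer saw only its private copy; original intact
    return "denied"          # write refused before any copy was made


def run_check(path=None):
    """Write the target, then verify from a second process; returns the outcome."""
    created = path is None
    if created:
        fd, path = tempfile.mkstemp(prefix="redirect-check-")
        with os.fdopen(fd, "wb") as fh:
            fh.write(ORIGINAL)
    try:
        return classify(write_target(path), check_from_new_process(path))
    finally:
        if created:
            os.remove(path)


if __name__ == "__main__":
    print(run_check())  # "persisted" on an unsandboxed system
```

Run the script from inside the isolated application (and the checker from outside it) to reproduce the demo's separation; on a plain system both processes see the write and the result is "persisted".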
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    thanks for the info brian! :)

    so now i've/we've tested geswall against the spycar.org site and it passed, i've/we've tested it against the ghost security reg test and it passed, i've/we've tested it against both breakout leak tests and it passed.

brian, stem, and others on this forum; how would geswall fare vs the infamous killdisk virus? VMware (virtualization app), sandboxie (sandbox app), and app defend couldn't stop it. i got the info from this thread here:
    https://www.wilderssecurity.com/showthread.php?t=132040

    anyone brave enough to try using geswall vs the killdisk virus?:D
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Brian Walche,
Is there any way to stop an isolated program from accessing files, such as in /system32/? I did attempt to stop access simply by making the directory "confidential", but the accessing of "redirected" files from the folder still took place.

    EDIT,
    I have been re-looking at Geswall, I note that only "Known applications" are "Isolated".
I wanted to check on the "keylogging", as the trojdemo results indicate keylogging as successful. But from your explanation, I would think that the program believes it was successful (keylogging started) but no windows message would be allowed (no keystrokes monitored).
    I run a simple screen capture utility- Hoversnap, this when started is not monitored by Geswall and installs window hook <hoverkHook.dll>, this is successful and key logging/monitoring is performed with no intervention from Geswall.
    Do I take it from this that any "unknown to Geswall" application that is able to run on the system is ignored and able to do whatever to the system?
     
    Last edited: May 21, 2006
  13. Brian Walche

    Brian Walche Registered Member

    Joined:
    May 21, 2006
    Posts:
    3
    If you mean denying access instead of redirecting then making a directory “confidential” must help. Additionally you may exercise these options:
    1) In application definition, create a rule: “%SystemRoot%\system32\” with “Read Only” permission. You could use “deny” permission but an application may refuse to start because of this.
    2) Set application’s security level to “Untrusted (Jail)”. In that case, you would need to specify explicitly all resources required by the application.

Yes, GeSWall Personal Edition claims safe use of internet applications by preventing attacks coming via them, particularly via isolated applications. That is a limitation, of course, but perhaps not sufficient. GeSWall already supports dozens of the most popular internet applications such as browsers, messengers, e-mail, p2p clients, etc. and the process continues: http://www.gentlesecurity.com/safe.html Note that "known" applications are identified regardless of versions and localizations.

All these applications are considered "threat gates", which means they serve as entry points for attacks. GeSWall tracks files created by these isolated applications and isolates them as well.

GeSWall Enterprise Edition deals with such problems and isolates not only "known" applications. However, there are various options for Personal Edition as well. For example, please read this tip: http://www.gentlesecurity.com/tips.html#sonydrm
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Brian Walche.
Thanks for the info,

    I did look at the "Threat Gate", but in the Geswall help files, this is stated as "Reserved for internal GeSWall use" so at the time I did not try this. But as you have linked me to an example of the "threat gate" use, I will try this. (does this mean the help file needs an update?)

    Regards,

    EDIT,
I re-installed to try this option, but files from the cd/dvd were able to run without being isolated, maybe this option is for the server/enterprise editions only?
     
    Last edited: May 22, 2006
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642

    stem, i tried it and i got mixed results. for example all *.exe type files were isolated but *.zip and *.rar type files were not.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi zopzop,
yes, it will only be the executable files. I must have a conflict somewhere, even when I add an application, this is not isolated. I will, later, move over to another PC, and try there.

I think, if GeSWall isolates this pgm/virus, then I can see no problems. I don't have access to this virus, so unable to test.
     
  17. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    dang it! i linked to the post on this forum where a forum member "crazy4stef" posted a link to the virus, but the forum moderator removed the link :(
    https://www.wilderssecurity.com/showpost.php?p=753917&postcount=7

want me to private message him and get the link then give it to you via private messages? i'm too terrified to test it myself.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    yes, go ahead, no problems this end, PC is sandboxed anyway... and any problems the HD is safe formatted/full backups. (Re-think= I will use an HD that can be removed after running this)

    EDIT,
    This quote taken from the post you linked.
This must be down to settings within SSM, as if it can be detected by SSM, then it is possible to block it using SSM. I will try this also.

    Note to mods/anyone:-
I am going to try this, in the full knowledge that this may corrupt/kill my installed system/OS/HD, and I do not advise anyone try this without full knowledge of the precautions to take, and the possible outcome (unusable HD).

I will post findings on this (from a user's point of view, not technical, just what happens) on this thread.
     
    Last edited: May 22, 2006
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
kk but be careful stem, in that same thread crazy4stef said he tested the virus using vmware and sandboxie and the virus still wreaked havoc on his machine. i'm thinking "regular" sandboxing/virtualization is ineffective against "killdisk". on a side note, i asked the creator of "defensewall" if his program could contain "killdisk" and he said v1.55 of defensewall doesn't but v1.56 will. he's an excellent programmer and defensewall is awesome but it's not free.

    is SSM the acronym for the program "system safety monitor"?

    kk stem, i PMed crazy4stef and asked him for the link. i'll PM you as soon as i get it.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
That's o.k., I mentioned that the PC is sandboxed (no virus is spreadable). If GeSwall or SSM cannot contain it, then the HD is safe to format. If the HD is completely unrecoverable, then the HD is binned. It's simply a "see what happens" (I have a HD available for each test, that are disposable).

    Yes,..

    No problem
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Stem,

    Hopefully you will read this before you try. The first time I executed the KillDisk executable, SSM alerted as expected (The call to API function "CreateProcess"...). I blocked it quickly and that was followed by a typical Windows error popup (see screenshot below). I rebooted and all was well. I then executed the file again, but this time I let the alert dialogue sit there for a bit while I set up another screenshot. After about 10 seconds, the file executed anyway with the SSM dialogue still waiting for an allow/block decision. If you see a small popup with only an OK button and some foreign characters, the file will have done its damage. The system indeed was not bootable. Luckily I used a BootIt NG boot CD and some fresh images to recover quickly.

    You should forward that file to the SSM people and let them have a look at it. I have not tried it yet on one of my AppDefend systems, or within VMware.

    Nick
     


    Last edited: May 23, 2006
  22. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    stem check your private messages, crazy4stef was nice enough to PM me the address of the killdisk virus :)
     
  23. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    :thumb: kk guys here's my results of testing geswall vs killdisk: IT PASSED! :thumb:

    somethings worth mentioning:

1) when i downloaded the virus to test, avast didn't detect it :( :thumbd:

    2) i made sure the "isolated" window was around my unzipping program, izarc before i continued

3) this almost gave me a heart attack:
    that was from nick s's post.

when i ran the test a dialogue box appeared with funky letters and the "ok" button, BUT it was isolated. i restarted the machine and it booted just fine! :)

    here are the results from geswall's security log:
    these results, ie the blocking of killdisk while using an isolated program, were confirmed by Brian Walche in an email he sent me.


the reason why i almost had a heart attack during #3) was because i didn't make a backup of my hard drive or my files when i ran the virus. LOL that wasn't too smart but geswall saved my butt! :D
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi zopzop! interesting and nice work. Thanks for sharing!
Just a few questions/requests from me,
    Can u please upload the file to Jotti and VirusTotal, just to see?
    Also did u contact the author of Sandboxie about this?
    Is it possible to check it with RollbackRx?
    Thanks.
     
  25. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    np anytime. know any other tests we can throw at geswall?

    i don't know what jotti is :( but i googled it and i'm ASSuming :) it's this site?
    http://virusscan.jotti.org/
    here are my results -
    so i was right, avast didn't detect it :( but man i'm gettin' me antivir :p

    no and the reason is i didn't test it vs sandboxie, another forumer did. his name is "crazy4stef" and he posted his results here:
    https://www.wilderssecurity.com/showpost.php?p=752380&postcount=1

    i don't have rollbackrx, but my "real life" friend tested this killdisk thing vs deepfreeze and deepfreeze wasn't fazed by it at all.
     