Wilders Security Forums  

#1 Kees1958, June 25th, 2008, 06:53 AM
For DefenseWall or GeSWall owners thinking of going naked

Hi,

Rising Antivirus is now free. I have it installed with DefenseWall on an XP SP3 system (Athlon 3900), ironically not set up for its real-time AV protection (file protection) but for its HIPS capabilities.

DW marks all downloaded files as untrusted, so they can do no harm. I only use Rising to check web based scripts and e-mail.

First level of defense
Hardware router/FW (NAT, SPI on message header level), using XP's FW for inbound (because I am on wireless: an extra precaution besides encryption and MAC address control).

Second level of defense
DefenseWall (with one custom addition: mail directory and WebAdressBook as protected resource for Outlook Express, added Foxit reader and Scriptdefender as untrusted, also added the shared directories of LimeWire as untrusted)

Third level of defense
Rising Antivirus with
- Autoprotect ONLY on (web based) scripts and mail, real time file protection not installed
- Active defense: system reinforcement set to high, malicious behavior detection set to low, application protection (added all critical XP processes: winlogon, service.exe, csrss.exe, svchost.exe, wdfmgr.exe, lsass.exe, alg.exe; set the first three allows to ask, and for ctfmon.exe and explorer.exe also set the keylogger, simulated key and sending to ask), application access control (only explorer.exe: allow start subprocess, ask for global hook, driver loading and modification of kernel data)
- Scan: enabled (daily scan of memory and boot record)

Fourth level of defense
Separate external hard disk with image copies (Maxxblast free) and data backup (SyncBack free)

Works like a charm, fast and nearly naked. EDIT: NOW ALSO DISABLED MAIL AND SCRIPT SCANNER

Last edited by Kees1958 : June 28th, 2008 at 10:31 AM.
#2 Peter2150, June 25th, 2008, 08:12 AM

Hi Kees1958

Not sure I understand the point. The term "nearly naked" eludes me a bit. Since we use the term "naked" around here to mean no anti-virus, you aren't running nearly naked, you have an AV installed.

If the point is the rest of the setup is so good you don't need an AV, that's fine (and I don't disagree with you). To me the price of the AV isn't as much of an issue as the load on the machine, and I don't miss that.

Pete
#3 Kees1958, June 25th, 2008, 10:58 AM

Pete,

You got me there: nearly naked does not exist; it is either the full monty or not.

Yep, I was addressing the performance issue in three ways:

a) Rising is not checking files and executed processes in real time against its blacklist; only mail is scanned (which does not happen so often, so a performance gain) and for web scanning only scripts are scanned.

b) Rising's OS protection and application access control (what intrusions explorer is not allowed to perform) and application protection are focused on the core executables of the operating system (instead of a HIPS or a behavioral blocker looking at everything). This dual independent approach of target (application protection) and source (application access control) really is a smart feature of Rising.

c) So Rising is merely used for its HIPS capabilities, focusing on keeping the core elements protected. Assuming that DefenseWall limits the threat gates, this would imply that all other processes should stay clean (because DefenseWall limits the possible origin of malware by caging them in a strongly limited user environment). Therefore the behavioral blocking (of other non-core OS apps) is set to minimal to reduce both false positives and stress on the system.

This combo is a lot faster than TF with DW (mind you, the setup with TF scored better in the CPU benchmark than using Antivir, although CPU time of TF was higher). I now have CPU usage better than or equal to Antivir free and a CPU benchmark better than or equal to TF, so it must be the fastest setup I have composed yet.

Hope this clarifies the setup.

Regards Kees

Note on b)
Classical HIPS often offer a process based protection feature (such as D+ or SSM), but in these cases you always have to define their access rights first (because it is set up as parent-child control like SSM or in a single rule set like D+), before setting up their protection feature. The other advantage of Rising is that what you do not specify is treated neutrally (in D+ you have to define every process or D+ has to learn its behavior; only the upcoming version of OA has the option to not notify for new processes AND run those unknown processes as SAFER).

Last edited by Kees1958 : June 25th, 2008 at 11:09 AM.
#4 Peter2150, June 25th, 2008, 12:30 PM

Quote:
Originally Posted by Kees1958
Pete,

You got me there: nearly naked does not exist; it is either the full monty or not.

Yep, I was addressing the performance issue in three ways:

Snip

......only the upcoming version of OA has the option to not notify for new processes AND run those unknown processes as SAFER).

Glad you realized I was teasing a bit. As OA improves, for me it's really OA and Sandboxie. I also run SSM, but am slowly shutting down some functions, and just using it for fine tuning.

But you're so right, with a bit of care, you can run naked and be safe.

Pete
#5 Kees1958, June 25th, 2008, 12:37 PM

Next OA has this incredible feature, see http://www.wilderssecurity.com/showthread.php?t=212424

I had a discussion with Mike over this feature since the first free Beta. It will be such a user friendliness and safety improvement. When you have OA paid (with Tony Klein's startup registry protection), why run SSM any longer?

Regards
#6 zopzop, June 25th, 2008, 03:50 PM

Quote:
Originally Posted by Kees1958
application access control (only explorer.exe: allow start subprocess, ask for global hook, driver loading and modification of kernel data)

Kees, quick question just to be sure I did it right, you are saying here:

allow: start subprocess

ask: global hook, driver loading, and modification of kernel data

right?
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
#7 alex_s, June 25th, 2008, 08:21 PM

Quote:
Originally Posted by Peter2150
To me the price of the AV isn't as much of an issue as the load on the machine, and I don't miss that.

I agree that a BB is a more reliable defence compared to an AV. But I use an AV because it sometimes allows me to recognize the beast at the very beginning of the game, just before it tries to start. Then it saves me some time I could spend reading and analyzing BB alerts. And I value this time as worth those extra resources the AV takes.
#8 Kees1958, June 26th, 2008, 12:51 AM

Quote:
Originally Posted by zopzop
Kees, quick question just to be sure I did it right, you are saying here:

allow: start subprocess

ask: global hook, driver loading, and modification of kernel data

right?

Correct
#9 bman412, June 26th, 2008, 09:33 AM

Returnil + RAV's active defense modules running on my pc atm. Noticed application loading lag with RAV's on-access scanner, so figured to just dump the file monitor module and email module since I use web based mail. Now my pc's running really fast. Oh, and I do regular reboots and may download and run CureIt to scan the pc for posterity.
#10 Kees1958, June 26th, 2008, 02:00 PM

bman,

With the file protection disabled, you can still run on-demand scans. I will dump e-mail also, because my ISP scans it with an open source AV; I will check startup of programs.

K
#11 trjam, June 26th, 2008, 04:39 PM

If you are using DefenseWall or GeSWall you don't need anything else. Either one will keep you secure. When are people going to start pulling the frigging "layers" off and realize that most of these products actually keep you safe? Be it these 2, Dr Web, Eset, or any others. How many times a day do you pull a virus out of your computer's ass? Been quite a while, hasn't it.
__________________
Webroot SecureAnywhere
#12 Kees1958, June 27th, 2008, 03:22 AM

Trjam,

Yes indeed, I have asked myself the question what can bypass DW in updates of the "what's your setup" thread? Now only DW and Rising's HIPS (the SSDT hook table shows they do not conflict) and Rising's blacklist AV scan on web scripts.

Rising is only used to monitor the occasional install of new programs and for my assurance. But I guess with AnVir Task Manager and AVZ, I could do a post-installation check and decide to roll back to a previous image also.

Maybe in a few months DW only, but that would also imply the end of finding better setups.

regards
#13 Kees1958, June 27th, 2008, 12:37 PM

I use Opera, so I disabled the IE stuff, and also cut down on file protection, because GW/DW take care of this too.
Attached thumbnails: application protection.JPG, System reinforcement settings.JPG, Application access.JPG

#14 LoneWolf, June 27th, 2008, 12:52 PM

Quote:
Originally Posted by trjam
If you are using DefenseWall or GeSWall you don't need anything else. Either one will keep you secure. When are people going to start pulling the frigging "layers" off and realize that most of these products actually keep you safe? Be it these 2, Dr Web, Eset, or any others. How many times a day do you pull a virus out of your computer's ass? Been quite a while, hasn't it.

Maybe.
But I strongly believe in layers.
If one should fail, another may stop.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
#15 Dark Shadow, June 27th, 2008, 01:29 PM

Quote:
Originally Posted by LoneWolf
Maybe.
But I strongly believe in layers.
If one should fail, another may stop.
I agree with the layers to a point. It depends on the layers and how well they're put together.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
#16 Page42, June 27th, 2008, 01:56 PM

Quote:
Originally Posted by trjam
How many times a day do you pull a virus out of your computer's ass?
I have my pc set to Show hidden files and folders, but how do I configure it to check there?
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#17 trjam, June 27th, 2008, 02:57 PM

They are already protected with GeSWall.
#18 bman412, June 27th, 2008, 05:28 PM

Quote:
Originally Posted by Kees1958
I use Opera, so I disabled the IE stuff, and also cut down on file protection, because GW/DW take care of this too.

Wouldn't setting System Reinforcement to high automatically protect explorer.exe and other system processes?
#19 Kees1958, June 28th, 2008, 04:56 AM

Quote:
Originally Posted by bman412
Wouldn't setting System Reinforcement to high automatically protect explorer.exe and other system processes?

There might be overlap. The website states memory tampering as the protection provided with OS reinforcement. I have changed my settings and tested; it is indeed redundant, so I am keeping it that way.

Note I found out how registry/process/file exceptions are handled: in the process access control section (WARNING: when you put your exceptions in the whitelist, this means that this program is allowed to do everything). I think the 'not remember' is a bug in the English version. Even after adding this manual allow, the warning popped up. Only by unticking C:\Windows\system32 as a protected directory in OS reinforcement could I prohibit this warning (logical, because it does not check now).

I have defensewall gui (dir=defensewall) and defense server (dir=system32) marked as whitelisted programs.
Attached thumbnail: exception.JPG

Last edited by Kees1958 : June 28th, 2008 at 09:34 AM.
#20 bman412, June 28th, 2008, 07:15 AM

Thanks Kees for the insight as well as the Windows Update setting.
#21 Kees1958, June 28th, 2008, 11:21 AM

After a few days of testing, I have changed most of my Active Defense settings (except behavior blocking, kept at the low setting), and also de-installed script and email scanning.

See pics. The program startup control kicks in when a program is not started from the quick launch or Explorer, so its ruleset is quite clever. Protecting your browser from illegal startup will cause some leak tests to fail. Note that application access control for explorer is: allowed to start others, ask for global hook setting, ask for driver loading and ask for kernel data modification. Note that application protection is used to protect all critical XP processes (Vista users may differ), and application launch to guard against suspicious starts of your browser/e-mail.

FYI, see my settings (I do not protect IE or its directories from tampering, because DefenseWall already handles it as an untrusted resource).

As a stand-alone HIPS it is smart, easy to use and very effective. Consider it a configurable DSA with a smarter execution control (not the execute parent-child scheme classical HIPS use, but with separate protection rules on origin = application access control, malicious behavior AND target = application startup, application protection and system reinforcement), and a bit of Norman Sandbox + ThreatFire combined in its malicious behavior blocker. In short, compared to classical HIPS it is much more user friendly/quiet and covers nearly the same protection; compared to an intelligent behavior blocker it puts less strain on system resources (malicious behaviour is more like an advanced implementation of active heuristics).

Pleased until now, so running without classical AV, while using the HIPS of an advanced AV!
Attached thumbnails: SP2.JPG, ap2.JPG, Xp2.JPG

Last edited by Kees1958 : June 28th, 2008 at 11:48 AM.
#22 zopzop, June 28th, 2008, 12:41 PM

Quote:
Originally Posted by Kees1958
See pics. The program startup control kicks in when a program is not started from the quick launch or Explorer, so its ruleset is quite clever. Protecting your browser from illegal startup will cause some leak tests to fail. Note that application access control for explorer is: allowed to start others, ask for global hook setting, ask for driver loading and ask for kernel data modification.

Kees, thanks for all the effort you put into this thread! Now I do have a question though: what exactly is program startup control supposed to do protection-wise?
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
#23 Page42, June 28th, 2008, 02:30 PM

Quote:
Originally Posted by Kees1958
Rising is only used to monitor the occasional install of new programs and for my assurance.
With GeSWall Pro running on default settings, what are the type of activities or files that an AV would protect against that GeSWall wouldn't? Install of new programs, and that's it?
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#24 Kees1958, June 28th, 2008, 02:52 PM

Quote:
Originally Posted by zopzop
Kees, thanks for all the effort you put into this thread! Now I do have a question though: what exactly is program startup control supposed to do protection-wise?

It gives enhanced control of the startup of specified programs. Like SensiveGuard, it has cut down the execution monitoring on starting an application by excluding user-initiated starts of these programs (like starting from Start -> Programs, Explorer or the Quick Launch task bar).

So by adding your browsers, you are warned on spawning/starting of the browsers by other programs. For members interested in Rising and not having DefenseWall or GeSWall, it would also be beneficial to add the browsers (IE7, FF, Opera) in the application protection.

Although Rising uses classical HIPS mechanisms, its implementation is really smart: it has source and target (of attack) protection, focusing on the OS core and critical applications (to be entered by the user). This approach reduces the pop-ups greatly (normal guarding for all, configurable stricter monitoring for a few). This is also the reason why it is the perfect companion for a policy sandbox (which focuses on the threat gate applications, while Rising's HIPS focuses on the vulnerable OS parts; or in simple terms, DW/GW reduce the attack surface and Rising hardens the vulnerable parts).

In the AV section of Rising on Wilders a link was provided by Maymoons, http://www.raymond.cc/blog/archives/...e-alternative/, with the conclusion in capitals: I am impressed. This is in line with my limited testing.

Regards Kees
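The source/target split Kees describes (application access control on the origin process, application protection and program startup control on the target, and a whitelist that exempts a program from everything, as noted in post #19) can be written down as a small policy evaluator. The block below is an added example for this thread, not Rising's code: the rule ordering, the action names, the "neutral" default for unlisted programs and the executable names defensewall.exe, defenseserver.exe, opera.exe, firefox.exe, iexplore.exe and msimn.exe are assumptions; the protected core process list and the explorer.exe rules come from the posts above.

```python
"""Toy source/target HIPS policy model (constructed example for this thread).

Not Rising's engine: the rule ordering, the action names and the "neutral"
default are assumptions; the process lists are taken from the posts above.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    ASK = "ask"


# Actions listed under application access control in the thread.
SENSITIVE_ACTIONS = {"global_hook", "driver_loading", "kernel_data_modification"}
# Actions that touch another process; application protection applies to them.
TAMPER_ACTIONS = {"modify_process", "inject_code", "terminate"}


@dataclass
class Event:
    source: str          # process performing the action (the "origin")
    action: str          # what it tries to do
    target: str = ""     # process started or touched, if any


@dataclass
class Policy:
    whitelist: set = field(default_factory=set)         # exempt from every check (post #19)
    protected: set = field(default_factory=set)         # application protection targets
    startup_guarded: set = field(default_factory=set)   # program startup control targets
    user_launchers: set = field(default_factory=set)    # starts from these count as user-initiated
    access_control: dict = field(default_factory=dict)  # source -> {action: Decision}


def evaluate(ev: Event, pol: Policy) -> Decision:
    """Return the decision for one event, highest-priority rule first."""
    src, tgt = ev.source.lower(), ev.target.lower()
    # 1. Whitelisted programs may do everything.
    if src in pol.whitelist:
        return Decision.ALLOW
    # 2. Program startup control: a guarded program started by anything other
    #    than a user launcher (Explorer, quick launch) is a suspicious spawn.
    if (ev.action == "start_subprocess" and tgt in pol.startup_guarded
            and src not in pol.user_launchers):
        return Decision.ASK
    # 3. Application protection: tampering with a protected core process.
    if ev.action in TAMPER_ACTIONS and tgt in pol.protected:
        return Decision.ASK
    # 4. Application access control: explicit per-source rules.
    rules = pol.access_control.get(src, {})
    if ev.action in rules:
        return rules[ev.action]
    # 5. Neutral default (assumption): only the sensitive actions prompt.
    return Decision.ASK if ev.action in SENSITIVE_ACTIONS else Decision.ALLOW


def thread_policy() -> Policy:
    """The configuration described in the thread, encoded as a Policy."""
    return Policy(
        whitelist={"defensewall.exe", "defenseserver.exe"},        # names assumed
        protected={"winlogon.exe", "services.exe", "csrss.exe", "svchost.exe",
                   "wdfmgr.exe", "lsass.exe", "alg.exe"},          # post #1 (services.exe written as service.exe there)
        startup_guarded={"opera.exe", "firefox.exe", "iexplore.exe", "msimn.exe"},  # assumed
        user_launchers={"explorer.exe"},
        access_control={
            "explorer.exe": {
                "start_subprocess": Decision.ALLOW,
                "global_hook": Decision.ASK,
                "driver_loading": Decision.ASK,
                "kernel_data_modification": Decision.ASK,
            }
        },
    )


def decide(source: str, action: str, target: str = "") -> str:
    """Convenience wrapper returning the decision as a plain string."""
    return evaluate(Event(source, action, target), thread_policy()).value


if __name__ == "__main__":
    # Constructed sample events, not recorded from any real system.
    samples = [
        ("explorer.exe", "start_subprocess", "opera.exe"),    # user launch -> allow
        ("dropper.exe", "start_subprocess", "opera.exe"),     # spawned browser -> ask
        ("explorer.exe", "driver_loading", ""),               # explicit rule -> ask
        ("defensewall.exe", "kernel_data_modification", ""),  # whitelisted -> allow
        ("dropper.exe", "inject_code", "lsass.exe"),          # protected target -> ask
        ("dropper.exe", "start_subprocess", "notepad.exe"),   # neutral -> allow
    ]
    for s, a, t in samples:
        print(f"{s:16} {a:26} {t:12} -> {decide(s, a, t)}")
```

The ordering matters: the whitelist is checked first because, as post #19 warns, a whitelisted program is allowed to do everything, including tampering with protected processes; the startup-control and target checks come before the per-source rules so that an unlisted program still gets "normal guarding" even though nothing was configured for it.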
#25 Kees1958, June 28th, 2008, 03:01 PM

Quote:
Originally Posted by Page42
With GeSWall Pro running on default settings, what are the type of activities or files that an AV would protect against that GeSWall wouldn't? Install of new programs, and that's it?

Re install:
All user space installs; try for instance a few leak test programs (I forgot which), even in their untrusted state you can install them. Also (my reason to prefer DW over GW besides its ease of use), when you accidentally move a file from partition A to B, GW changes its state to trusted, so even ring-0 installs are allowed. Our XP box is our shared home pc, so this feature of GW is not acceptable to me. In regard to DW (with total untrusted file control), I also like to control user mode installs which affect the system integrity.

Re AV:
I only use the HIPS part of Rising, so in regard to the additional benefits of an AV, I am not questioning your statement (although Avast with its incoming data stream scanners provides early recognition of known malware).

Last edited by Kees1958 : June 28th, 2008 at 06:07 PM.
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums