Geswall and APT

[Atomas31]

Hi,

So I have tried Application process termination 4.2 (run isolate) against Geswall 2.9 and strangely APT could not kill/terminate any process that where not isolate but could easyly kill/terminate, with any method, any process that where running isolate like my browser (firefox) and email (OE), is this normal or a design flaw?


Thanks,
Atomas31

[aigle]

Normal, as isolated applications can kill other isolated( untrusted) but not non-isolated( rusted) ones.

[Atomas31]

Quote:

Originally Posted by aigle

Normal, as isolated applications can kill other isolated( untrusted) but not non-isolated( rusted) ones.

Hi Aigle,

Does that mean, that if I open a nasty, that nasty would still be able to mess with my browser and my email (wich are run isolated)


Thanks,

[aigle]

Not too much i think.
What specifically you mean by messing?

[Atomas31]

Well, here's what I have done :

I had OE and Firefox open (with Geswall on for both) and I decided to teste APT 4.2 against Geswall. So I run APT 4.2 as isolated by Geswall.

I then choose a process and try every killing/terminate method of APT 4.2 on it and Geswall protected it without a sweet. I tried a few other process same thing.

Then I tried with OE and APT 4.2 could kill it same thing with Firefox. I reopen OE and Firefox (with geswall on for both) a couple of time and try different killing/terminate process with APT 4.2 and they all succeed in killing OE and Firefox.

So my point is : if APT 4.2 would have been a nasty and even running has isolated, it would have been able to, for exemple, kill my OE and Firefox just because this 2 software where also running as isolated

Thanks,
Atomas31

[dell boy]

you shouldnt isolate your anti-malware programs period.
also im sorry but you will have to clean up your post its too confusing. try to lay it out more, your doing the opposite to "pleonasm"

[Atomas31]

Quote:

Originally Posted by dell boy

you shouldnt isolate your anti-malware programs period.
also im sorry but you will have to clean up your post its too confusing. try to lay it out more, your doing the opposite to "pleonasm"

I don't isole my anti-malware programs and I didn't write that did I

Sorry, but I don't understand your second sentence and what you mean

Take note that english is not my native langage so I am really sorry if my english ain't clear enough!

Thanks,
Atomas31

[dell boy]

sorry i read that too fast and thought of application process termination as an antimalware, i think you mean advanced process termination, and yeh i think you got a valid point.
what i meant was your posts arent easy to understand and i know thats hard for people who dont speak english as their first language.

[Atomas31]

Quote:

Originally Posted by dell boy

sorry i read that too fast and thought of application process termination as an antimalware, i think you mean advanced process termination, and yeh i think you got a valid point.
what i meant was your posts arent easy to understand and i know thats hard for people who dont speak english as their first language.

No problem! And yes, APT is for Advanced process termination 4.2 (from DiamondCS)...

You are right my mistakes sorry!

[dell boy]

dont want to split hairs but isnt it advanced not "application process termination"? either way i get what you mean, your point is valid and should be looked into IMO

[aigle]

Your browser is a vector for any infection. It is isolated( sandboxed) by GesWall. Malware can terminate it but can,t breakthrough the sandbox to touch your core system.

That,s the whole point of sandboxing. Your core OS( trusted applications) will always be intact and any malware remnanats will go dormant on reboot.

[Kees1958]

What Aigle says is correct with the following remarks

1. Policy management based HIPS like GeSWall and DefenseWall will allow you to use your browser in a normal functional way. This means that Active X or browser plug-ins can be installed, but they will never harm the integrity of your system.

2. To get an idea of the allowed items a browser is able to 'change' go to the GW monitor and look what the settings are of your favourite browser. Specifically the registry and file items which have allowed. You can make sure that the changes made by nuisance-ware are rolled back by changing the ALLOW option with the REDIRECT option. Redirect is the virtualisation option of GW.

GeSWall is not on my current image, so when you have questions you must include the settings for your browser in posts to get specific answers.

Regards Kees

[aigle]

Quote:

Originally Posted by Atomas31

Hi Aigle,

Does that mean, that if I open a nasty, that nasty would still be able to mess with my browser and my email (wich are run isolated)


Thanks,

Hi, got the answer few days back. GesWall stops loading of malicious dlls in to isolated browsers. So it will not mess up. It will stop any malicious toolbar install also I guess.

From an old mail from their support.