DefenseWall Restrictions

Dregg Heda · #1 September 6th, 2009, 10:50 AM

Can someone explain to me exactly what kind of restrictions DW places on untrusted programs? I know its supposed to be stronger than LUA. But exactly what kind of restrictions are these? Are there any kinds of malware which can run in spite of DW restrictions? I know the DW help file states that certain kinds of advanced keyloggers can run, but is there anything else?

jmonge · #2 September 6th, 2009, 10:53 AM

Quote:

Originally Posted by Dregg Heda

Can someone explain to me exactly what kind of restrictions DW places on untrusted programs? I know its supposed to be stronger than LUA. But exactly what kind of restrictions are these? Are there any kinds of malware which can run in spite of DW restrictions? I know the DW help file states that certain kinds of advanced keyloggers can run, but is there anything else?

malware is basicly criple withing defensewall,they have no rigths to do any harm,they sitting there without any power

Dregg Heda · #3 September 6th, 2009, 11:12 AM

Can they execute? Can they write to C:programs or C:Windows?

jmonge · #4 September 6th, 2009, 11:14 AM

Quote:

Originally Posted by Dregg Heda

Can they execute? Can they write to C:programs or C:Windows?

can not modify nothing,your registry is safe too

if run it as trusted good luck

it is criple

)

Dregg Heda · #5 September 6th, 2009, 11:26 AM

So if I were to run SRP together with DW, the malware wouldnt even be able to run right?

jmonge · #6 September 6th, 2009, 11:30 AM

with DefenseWall the malware is in a cage that has no permition to harm you pc,you are quite safe,dont actually need the SRP and also DW is stronger than lua

the only thing you need to do is get a firewall to protect the outbound connection and learn how to use the rollback feature to remove all the debris or left malware malware leave

Dregg Heda · #7 September 6th, 2009, 11:34 AM

But surely SRP will add greater restrictions in addition to those imposed by DW?

jmonge · #8 September 6th, 2009, 11:46 AM

Quote:

Originally Posted by Dregg Heda

But surely SRP will add greater restrictions in addition to those imposed by DW?

yes it will for sure

arran · #9 September 6th, 2009, 09:09 PM

The best way to see what exactly defense wall protects is to install MD. then run the malware as trusted and from MD see what it does. Then run the malware as Untrusted and see what type of restrictions defense wall puts in place.

Dregg Heda · #10 September 7th, 2009, 12:06 AM

Fantastic Idea Arran!

demoneye · #11 September 7th, 2009, 01:34 AM

Quote:

Originally Posted by arran

The best way to see what exactly defense wall protects is to install MD. then run the malware as trusted and from MD see what it does. Then run the malware as Untrusted and see what type of restrictions defense wall puts in place.

good idea but dont try it on your real system , better play around with malware on VM

also SRP provide a strong protection since it local policy , which are very restricted .

about DW , i think is up to ilya to give a total explantion what DW does to the malware it catches...sure it cripple it , make it in a some sort of cage

arran · #12 September 7th, 2009, 02:15 AM

Quote:

Originally Posted by demoneye

good idea but dont try it on your real system , better play around with malware on VM

Obviously

Quote:

Originally Posted by demoneye

about DW , i think is up to ilya to give a total explantion what DW does to the malware it catches...sure it cripple it , make it in a some sort of cage

yea ilya can give an explanation if he wants to, but no reason why you can't use MD to find out as well.

#13 September 7th, 2009, 02:47 AM

Quote:

Originally Posted by Dregg Heda

Fantastic Idea Arran!

I agree. MD will afford one the ability to "see" key inter-process activity occurring in real time.

Ilya Rabinovich · #14 September 7th, 2009, 05:30 AM

Quote:

Originally Posted by demoneye

about DW , i think is up to ilya to give a total explantion what DW does to the malware it catches...sure it cripple it , make it in a some sort of cage

DefenseWall implies so many restrictions I just can't explain each one. In common, they are far beyond SRP can offer.

aigle · #15 September 7th, 2009, 07:33 AM

Quote:

Originally Posted by arran

The best way to see what exactly defense wall protects is to install MD. then run the malware as trusted and from MD see what it does. Then run the malware as Untrusted and see what type of restrictions defense wall puts in place.

No, it,s not reliable at all IMO. When you run a programme inside a Sandbox, a classical HIPS might not be able to monitor all of its actions correctly. It,s just my observation.

demoneye · #16 September 7th, 2009, 09:38 AM

Quote:

Originally Posted by Ilya Rabinovich

DefenseWall implies so many restrictions I just can't explain each one. In common, they are far beyond SRP can offer.

yes of course , DW got many features far beyond just SRP , provide a solid protection against malware

Ilya Rabinovich · #17 September 7th, 2009, 11:29 AM

Quote:

Originally Posted by aigle

No, it,s not reliable at all IMO. When you run a programme inside a Sandbox, a classical HIPS might not be able to monitor all of its actions correctly. It,s just my observation.

Yes, of course, but only for untrusted processes.

arran · #18 September 7th, 2009, 09:19 PM

Quote:

Originally Posted by aigle

No, it,s not reliable at all IMO. When you run a programme inside a Sandbox, a classical HIPS might not be able to monitor all of its actions correctly. It,s just my observation.

it is reliable.

Run the malware as trusted and then run it as untrusted. and with MD's logs compare the results.

when you run it as untrusted and MD isn't picking up anything then defense wall is fully containing it.

aigle · #19 September 7th, 2009, 09:28 PM

Quote:

Originally Posted by Ilya Rabinovich

Yes, of course, but only for untrusted processes.

Yes, i mean to say that.

Kees1958 · #20 September 8th, 2009, 01:22 AM

Quote:

Originally Posted by Dregg Heda

But surely SRP will add greater restrictions in addition to those imposed by DW?

Only to your own usability of the PC. I would run any malware as untrusted with DW, have not seen it go down yet.

So the deny execute is in theory safer.

Kees1958 · #21 September 8th, 2009, 01:24 AM

Quote:

Originally Posted by arran

The best way to see what exactly defense wall protects is to install MD. then run the malware as trusted and from MD see what it does. Then run the malware as Untrusted and see what type of restrictions defense wall puts in place.

In a virtual machine environment or with a image backup at hand I hope

Because running malware trusted = DW is not protecting

SafetyFirst · #22 September 9th, 2009, 05:45 PM

It seems like I'll have to uninstal DW due to insurmountable problems I face. I just can't make it work properly.

I must say that Ilya was really trying to help and kept answering to my questions with promptness, but I just can't come to a solution.

It must be something with my system because I can't even boot into Safe Mode.

Ilya Rabinovich · #23 September 10th, 2009, 05:55 AM

The problem with Safe Mode is on your side as DefenseWall do not load its driver this case. The issue may be caused by malware infection (past or present) or system's corruption.

SafetyFirst · #24 September 13th, 2009, 10:48 AM

Talking about DefenseWall restrictions, I am more than happy to announce that DW doesn't restrict me to use the right-click context menu any more!

After uninstalling Daemon Tools (and goddamn sptd.sys) I reinstalled DefenseWall and everything seems to work just fine now.

Ilya, I really appreciate effort and time you invested in trying to find the solution to problems I had. Good work!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search