Wilders Security Forums  

  #1  
Old September 19th, 2005, 04:30 PM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Beta-testing of the DefenseWall Host Intrusion Prevention System.

Hello everybody,

I would like to offer my new DefenseWall HIPS program for beta-testing purposes. A registration
period for 100 years is guaranteed to all active testers.

DefenseWall is a full-functional software sandbox for the trojan/adware/spyware protection and
works with Windows 2000/XP operating systems. The program idea is easy and simple. All applications
are divided into trusted ones and untrusted ones. Everything is allowed for the trusted
applications, but there are many restrictions for the untrusted ones. The restrictions are as
follows: modification of the file system sensitive folders (ex., My Documents, Windows, Program
Files), registry keys (ex., autorun, browser and system application settings, etc.), and entire
system (installation/changing/deleting of the drivers and services,
protection of the \\Device\\PhysicalMemory, setting of the global window hooks (against so-called
keyloggers), etc.).

DefenseWall HIPS protects trusted applications from being modified by untrusted ones. All the
processes launched by untrusted applications are also untrusted. In case of dangerous behavior the
untrusted application gets blocked by the DefenseWall HIPS and the program notifies the user about
that by a red icon in the system tray. The main feature of the DefenseWall HIPS is the "Close all
untrusted applications" button. If you feel that the system behavior is strange or there are some
unknown processes in the Task Manager - just push this button and all the untrusted applications
with trojans/adware/spyware inside will be instantly closed. And, because it is impossible for the
untrusted applications to modify autorun settings, they will never be run any more. Later you may
clean them up during the planned antivirus scan.

The program is very light-weight, uses minimum CPU resources, shows no popup windows: everything
is easy and simple.

The program itself is a full-functional 30-days beta.
http://www.softsphere.com/cgi-bin/re...me=DEFENSEWALL


There is no help file by now. Also there is no registration functionality so far.
  #2  
Old September 20th, 2005, 01:18 PM
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,173
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

i tried seems like a new concept. instead of sandboxing untrusted apps, it sandboxes trusted apps and lets u close everything else. also is supposed to crash/close if u try adding a lot of entries for trusted apps? i tried adding all my current processes and it closed without saving it.

edit: nvm the list for for untrusted apps and i figured out why it was crashing. u cant add "system" to the list.

Last edited by WSFuser : September 20th, 2005 at 06:25 PM.
  #3  
Old September 20th, 2005, 04:06 PM
zorro zorrito
 
Posts: n/a
Cool Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

It looks very interesting, let's try it and see what happens
  #4  
Old September 21st, 2005, 08:01 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by WSFuser
i tried seems like a new concept. instead of sandboxing untrusted apps, it sandboxes trusted apps and lets u close everything else. also is supposed to crash/close if u try adding a lot of entries for trusted apps? i tried adding all my current processes and it closed without saving it.
The conception of the DefenseWall program is to isolate trusted processes from the untrusted one. Untrusted are the processes which use potentially dangerous context from the Internet (browsers, e-mail, P2P and IM clients, script engines, etc.). All the untrusted apps may be closed by "Close all untrusted applications" button.
Quote:
Originally Posted by WSFuser
edit: nvm the list for for untrusted apps and i figured out why it was crashing. u cant add "system" to the list.
You don't have to add system processes ("System","svchost","lsass") to untrusted. Otherwise there will be problems with user/sharings/drivers/services manipulations. To protect system processes you may use firewall (even built-in) or good buffer overflow protection program.
  #5  
Old September 21st, 2005, 10:27 AM
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,173
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

how can defensewall protect you from malware? if u acquire malware thru IE then i doubt closing IE would do anything about the malware.
  #6  
Old September 21st, 2005, 11:35 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by WSFuser
how can defensewall protect you from malware? if u acquire malware thru IE then i doubt closing IE would do anything about the malware.
Oh, you haven't understood the ideology of the DefenseWall. OK, I explain. If malware has run some additional processes, they will be untrusted because their parent process is untrusted. So, malware can not modify system and IE settings to autorun. And if we close all the untrusted processes (not only IE, this button closes all untrusted!), the malware file will never get run. There is a great difference between malware file (it is harmless) and malware process.
  #7  
Old September 21st, 2005, 01:05 PM
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,173
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by Ilya Rabinovich
Oh, you haven't understood the ideology of the DefenseWall. OK, I explain. If malware has run some additional processes, they will be untrusted because their parent process is untrusted. So, malware can not modify system and IE settings to autorun. And if we close all the untrusted processes (not only IE, this button closes all untrusted!), the malware file will never get run. There is a great difference between malware file (it is harmless) and malware process.
so if IE is untrusted then it runs malware, the malware is also untrusted? thus closing IE closes the malware. am i correct?
  #8  
Old September 22nd, 2005, 06:20 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by WSFuser
so if IE is untrusted then it runs malware, the malware is also untrusted? thus closing IE closes the malware. am i correct?
Not quite. Yes, malware will be untrusted, but it won't be closed if you close IE. It will be closed if you push "Close all untrusted applications" button with the DW.
  #9  
Old September 22nd, 2005, 07:47 AM
justanoob
 
Posts: n/a
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Basically it works like this

1) You have trusted or untrusted programs

2) Untrusted programs will spawn children processes which are untrusted too.

3) There is a button to close all untrusted programs.

4) Untrusted programs are restricted from doing a list of stuff.

Easy enough to understand.

I'm not certain what's new about the concept. Is it Point 2? Point 2 seems obvious and normal.

I'm unclear about this though. You say

Quote:
DefenseWall HIPS protects trusted applications from being modified by untrusted ones.

How about untrusted applications from being modified by untrusted ones?

Eg Couldn't adware or spyware started by IE, modify IE (untrusted)?

I suppose it depends a lot on what "modify" means. And if untrusted applications are restricted enough (the list you give seems to be about the same as a limited user account privileges), it can't do much harm anyway even to another untrusted program.
  #10  
Old September 22nd, 2005, 01:22 PM
aintrust aintrust is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 1
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by justanoob
Basically it works like this
1) You have trusted or untrusted programs
2) Untrusted programs will spawn children processes which are untrusted too.
3) There is a button to close all untrusted programs.
4) Untrusted programs are restricted from doing a list of stuff.

Quite right! Just minor corrections:
1) You have trusted or untrusted applications, not programs -- DW has nothing to do with programs (i.e. program files on disks).
2) Untrusted applications may (or may not) spawn child processes. All these "children" will be treated as untrusted too.
3) Correct!
4) Untrusted applications are restricted from doing a lot of stuff (ex., modify valuable registry keys, install/uninstall/start drivers, affect other processes (no matter trusted or untrusted), install system-wide hooks, etc.)

Quote:
Originally Posted by justanoob
I'm not certain what's new about the concept. Is it Point 2? Point 2 seems obvious and normal.
Sure!

Quote:
Originally Posted by justanoob
How about untrusted applications from being modified by untrusted ones?
Eg Couldn't adware or spyware started by IE, modify IE (untrusted)?
No, it could not (in most cases, I guess)! See point (4).

Quote:
Originally Posted by justanoob
I suppose it depends a lot on what "modify" means. And if untrusted applications are restricted enough (the list you give seems to be about the same as a limited user account privileges), it can't do much harm anyway even to another untrusted program.
Absolutely correct!

Last edited by aintrust : September 22nd, 2005 at 01:33 PM.
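
Added example (not part of the thread and not DefenseWall code): a small Python model of the policy described in posts #6 to #10, showing that the untrusted label is inherited at process creation, that closing the parent leaves the child running but still restricted, and that "Close all untrusted" is what ends it. The class, the action names, and every path except the iexplore.exe one are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Actions denied to untrusted processes, following point (4) in the post above.
# The action names are hypothetical labels, not DefenseWall identifiers.
RESTRICTED = {"write_autorun_key", "install_driver", "set_global_hook", "modify_process"}


@dataclass
class Process:
    pid: int
    image: str
    parent_pid: Optional[int]
    untrusted: bool
    alive: bool = True


class TrustModel:
    def __init__(self, untrusted_images):
        # Executable paths are compared case-insensitively, as on Windows.
        self.untrusted_images = {p.lower() for p in untrusted_images}
        self.procs = {}
        self.event_log = []
        self._next_pid = 100

    def spawn(self, image, parent=None):
        """Create a process. The label is fixed at creation: listed image or untrusted parent."""
        listed = image.lower() in self.untrusted_images
        inherited = parent is not None and parent.untrusted
        proc = Process(self._next_pid, image, parent.pid if parent else None,
                       listed or inherited)
        self.procs[proc.pid] = proc
        self._next_pid += 1
        return proc

    def request(self, proc, action, target=None):
        """Return True if allowed. Restricted actions by untrusted processes are logged and denied."""
        if proc.untrusted and action in RESTRICTED:
            self.event_log.append((proc.pid, proc.image, action, target))
            return False
        return True

    def close(self, proc):
        """Closing one process does not close its children."""
        proc.alive = False

    def close_all_untrusted(self):
        """Model of the 'Close all untrusted applications' button; returns closed pids."""
        closed = [p.pid for p in self.procs.values() if p.alive and p.untrusted]
        for pid in closed:
            self.procs[pid].alive = False
        return closed


def demo():
    model = TrustModel([r"C:\Program Files\Internet Explorer\iexplore.exe"])
    # Constructed process tree: shell -> IE -> dropper -> helper.
    shell = model.spawn(r"C:\WINNT\explorer.exe")
    ie = model.spawn(r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", shell)
    dropper = model.spawn(r"C:\temp\dropper.exe", ie)
    helper = model.spawn(r"C:\temp\helper.exe", dropper)

    result = {
        "dropper_untrusted": dropper.untrusted,
        "helper_untrusted": helper.untrusted,
        # Untrusted-on-untrusted modification is denied too (justanoob's question).
        "modify_ie_allowed": model.request(dropper, "modify_process", ie.pid),
    }
    model.close(ie)  # user closes only the browser window
    result["dropper_alive_after_ie_closed"] = dropper.alive
    result["autorun_allowed"] = model.request(dropper, "write_autorun_key")
    result["shell_autorun_allowed"] = model.request(shell, "write_autorun_key")
    result["closed"] = model.close_all_untrusted()
    result["shell_alive"] = shell.alive
    result["events"] = list(model.event_log)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```
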
  #11  
Old September 24th, 2005, 01:21 AM
Notok Notok is offline
Very Frequent Poster
 
Join Date: May 2004
Location: Portland, OR (USA)
Posts: 2,747
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

I kind of wonder if some of the confusion here comes from the loose usage of the term 'sandbox' around Wilders. Running DefenseWall puts IE in the sandbox, anything that comes through IE cannot affect anything outside the sandbox (meaning drive-by-downloads, this wouldn't include things you manually downloaded, saving to a download directory, and manually started). So if spyware came through, it wouldn't be able to do any of the critical things needed to infect the system, and it wouldn't be able to really even see any processes outside the sandbox. When you restarted windows, that file would be closed and would not restart next boot. I don't know what all registry areas it protects, but I imagine this would mean that you wouldn't be getting BHOs, homepage hijacks, etc., however you would still be able to download Flash player and install it just fine. This has its ups and downs, but theoretically you won't be getting rootkitted through your browser anytime soon.
__________________
My security resources

Last edited by Notok : September 24th, 2005 at 01:28 AM.
  #12  
Old September 24th, 2005, 07:09 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by Notok
Running DefenseWall puts IE in the sandbox, anything that comes through IE cannot affect anything outside the sandbox (meaning drive-by-downloads, this wouldn't include things you manually downloaded, saving to a download directory, and manually started)
Not quite. You may set the downloaded installation executable as untrusted and install the application! Most of them will be correctly installed (I mean, if they don't use drivers or, for example, shell extension modules and need no autorun). It is not possible to overwrite executables, but it is possible to install new ones.
  #13  
Old September 26th, 2005, 03:03 PM
Notok Notok is offline
Very Frequent Poster
 
Join Date: May 2004
Location: Portland, OR (USA)
Posts: 2,747
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

DefenseWall is looking good so far, very easy to use. The only issues I'm having are the event log filling up to the point that my system can't load it into memory, and some occasional freezing of untrusted applications. Not bad for a first beta release. I like the concept, though.. I think it will provide good defense against drive-by-downloads especially. Anyone else have any opinions?
  #14  
Old September 28th, 2005, 03:42 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

The new beta version is released. Some issues are added and improved. The download link is the same.
  #15  
Old October 2nd, 2005, 05:09 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

The new beta version is released.
  #16  
Old October 2nd, 2005, 05:24 AM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

I can't access the download link. I will try it again at a different time.
This happens regularly with some other websites too, sometimes access, sometimes not.
After all these bytes have to swim through the ocean, before they get in Belgium.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #17  
Old October 2nd, 2005, 07:02 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by ErikAlbert
I can't access the download link. I will try it again at a different time.
This happens regularly with some other websites too, sometimes access, sometimes not.
After all these bytes have to swim through the ocean, before they get in Belgium.
Huh, very strange! I've just tried to download the file and it was OK! And the bytes don't have to swim to Belgium! www.whois.sc/softsphere.com

If you are unable to download the file, mail me at support [at] softsphere [dot] com and I will mail it to you.
  #18  
Old October 2nd, 2005, 07:38 AM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by Ilya Rabinovich
Huh, very strange! I've just tried to download the file and it was OK! And the bytes don't have to swim to Belgium! www.whois.sc/softsphere.com

If you are unable to download the file, mail me at support [at] softsphere [dot] com and I will mail it to you.
Ilya, I finally got access to the first link and I could download the file in 3 seconds. I had access to the second link too. Case closed.
  #19  
Old October 2nd, 2005, 09:42 AM
richrf richrf is offline
Very Frequent Poster
 
Join Date: Dec 2003
Posts: 1,907
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Hi,

This is a very interesting concept. Could you provide more information about your company? I like to have a good understanding of a company's background before I install its products on any of my machines. For example, does your company have any references? Thanks.

Rich
  #20  
Old October 3rd, 2005, 06:34 AM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Ilya Rabinovich,
I installed DefenseWall (DW) on my win2000proSP4-computer and it seems to work.
I consider myself as a NEWBIE, but I will do my very best to understand DW.
I probably will have more questions in the future, but let's start with simple things, because this is my very first contact with DW (and HIPS software).
Is my reasoning correct or incorrect in the next paragraphs ?
Please tell me, otherwise I will be lost from the beginning.

DW-icon
I have a question about the DW-icon in the system tray, which looks like a white circle with a very little circle in the middle and a light blue small bar through the white circle.
That's how the DW-icon looks after rebooting my computer, but I also saw another DW-icon, that looks exactly the same, but the very little circle is RED.
I don't know when the color changed, but I'm 100% sure you know.
What does that mean exactly and has the DW-icon other changes as well ?

Add/Remove Untrusted window
After installing DW, I had already SEVEN untrusted applications in this window. Is that correct ?

1. C:\Program Files\Internet Explorer\iexplore.exe
2. C:\Program Files\Outlook Express\msimn.exe
3. C:\WINNT\system32\hh.exe
4. C:\WINNT\system32\winhlp32.exe
5. C:\WINNT\system32\system32\tftp.exe
6. C:\WINNT\system32\system32\ftp.exe
7. C:\WINNT\system32\system32\ntvdm.exe

I recognize at least TWO of them :
1. "MS Internet Explorer", which is my DEFAULT browser and I use Mozilla Firefox for surfing.
2. "MS Outlook Express", which I don't use and I also don't use MS Outlook 2000. I use Mozilla Thunderbird.
I assume that DW considers some applications as untrusted by default, but only based on the operating system, because both applications and probably the others too, come with win2000proSP4. Is that correct ?

DW didn't consider the following applications as untrusted by default, because :
1. "MS Outlook 2000" comes with MS Office 2000, which is ANOTHER software, than win2000proSP4.
2. "Mozilla Thunderbird" is also ANOTHER software, than win2000proSP4.
I assume that it is up to the USER, to make a decision (trusted or untrusted) for each software, that doesn't come with win2000proSP4 or any other windows. Is that correct ?

Since "MS Internet Explorer" and "MS Outlook Express" are considered as untrusted softwares by default,
I assume that in my case, I have to do some changes in this window :
1. I have to add "C:\Program Files\Mozilla Firefox\firefox.exe" (my most used browser)
2. I have to add "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" (my only email-software)
3. I have to remove "C:\Program Files\Outlook Express\msimn.exe", because I don't use "MS Outlook Express".
Is that correct ?

I also assume that once an application is listed as untrusted, that this application will be treated as untrusted, each time I open this application, even when I start this application in a different way, like clicking on the exe-file in MS Windows Explorer, clicking on an icon on my desktop, ...
All applications, which are NOT listed as untrusted are considered as trusted applications.
Is that correct ?
  #21  
Old October 3rd, 2005, 07:26 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Hi, ErikAlbert!

Quote:
Originally Posted by ErikAlbert
DW-icon
I have a question about the DW-icon in the system tray, which looks like a white circle with a very little circle in the middle and a light blue small bar through the white circle.
That's how the DW-icon looks after rebooting my computer, but I also saw another DW-icon, that looks exactly the same, but the very little circle is RED.
I don't know when the color changed, but I'm 100% sure you know.
What does that mean exactly and has the DW-icon other changes as well ?
Icon (will be changed to better one with the release) turned to red if untrusted application has made some possible dangerous action. See "events log" dialog sheet to see what happened.

Quote:
Originally Posted by ErikAlbert
Add/Remove Untrusted window
After installing DW, I had already SEVEN untrusted applications in this window. Is that correct ?

1. C:\Program Files\Internet Explorer\iexplore.exe
2. C:\Program Files\Outlook Express\msimn.exe
3. C:\WINNT\system32\hh.exe
4. C:\WINNT\system32\winhlp32.exe
5. C:\WINNT\system32\system32\tftp.exe
6. C:\WINNT\system32\system32\ftp.exe
7. C:\WINNT\system32\system32\ntvdm.exe

I recognize at least TWO of them :
1. "MS Internet Explorer", which is my DEFAULT browser and I use Mozilla Firefox for surfing.
2. "MS Outlook Express", which I don't use and I also don't use MS Outlook 2000. I use Mozilla Thunderbird.
I assume that DW considers some applications as untrusted by default, but only based on the operating system, because both applications and probably the others too, come with win2000proSP4. Is that correct ?
Yes. There is a default untrusted executables list in DW. If it finds a known executable on the disk during the installation process, DW adds it to the untrusted list. In the future the default list will be enhanced with other browsers, e-mail clients, P2P and IM clients, etc.

Quote:
Originally Posted by ErikAlbert
DW didn't consider the following applications as untrusted by default, because :
1. "MS Outlook 2000" comes with MS Office 2000, which is ANOTHER software, than win2000proSP4.
2. "Mozilla Thunderbird" is also ANOTHER software, than win2000proSP4.
I assume that it is up to the USER, to make a decision (trusted or untrusted) for each software, that doesn't come with win2000proSP4 or any other windows. Is that correct ?
Yes.

Quote:
Originally Posted by ErikAlbert
Since "MS Internet Explorer" and "MS Outlook Express" are considered as untrusted softwares by default,
I assume that in my case, I have to do some changes in this window :
1. I have to add "C:\Program Files\Mozilla Firefox\firefox.exe" (my most used browser)
2. I have to add "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" (my only email-software)
3. I have to remove "C:\Program Files\Outlook Express\msimn.exe", because I don't use "MS Outlook Express".
Is that correct ?
Yes. 100% correct.

Quote:
Originally Posted by ErikAlbert
I also assume that once an application is listed as untrusted, that this application will be treated as untrusted, each time I open this application, even when I start this application in a different way, like clicking on the exe-file in MS Windows Explorer, clicking on an icon on my desktop, ...
Yes, your assumption is 100% correct.

Quote:
Originally Posted by ErikAlbert
All applications, which are NOT listed as untrusted are considered as trusted applications.
Is that correct ?
Yes.
  #22  
Old October 3rd, 2005, 09:36 AM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Ilya,
Thank you for answering all my questions and I added Firefox and Thunderbird and removed MS Outlook Express, without any trouble.
Quote:
Originally Posted by Ilya Rabinovich
Icon (will be changed to better one with the release) turned to red if untrusted application has made some possible dangerous action. See "events log" dialog sheet to see what happened.
I understand now the meaning of red and that's what I really wanted to know.
I agree with you that the icon could be improved, at least the warning part, but this is a minor detail and can be improved much later.

I also took a look at the "Event Log" and they were all "Attempt to create new key" (Event type = Registry) for MSIE and Firefox.
I assume that these new keys weren't created in my registry, because of the word "Attempt" in the message.
You used the expression possible dangerous action, which also means that the action could be innocent too.
That doesn't bother me, BUT is it possible that these un-executed innocent actions can cause a malfunction in my MSIE or Firefox sooner or later ?
I assume not, but I'm not really an expert in registries.
For the record : MSIE and Firefox are still working fine, I'm just asking.
  #23  
Old October 3rd, 2005, 01:04 PM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,110
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by ErikAlbert
I also took a look at the "Event Log" and they were all "Attempt to create new key" (Event type = Registry) for MSIE and Firefox.
I assume that these new keys weren't created in my registry, because of the word "Attempt" in the message.
You used the expression possible dangerous action, which also means that the action could be innocent too.
That doesn't bother me, BUT is it possible that these un-executed innocent actions can cause a malfunction in my MSIE or Firefox sooner or later ?
I assume not, but I'm not really an expert in registries.
For the record : MSIE and Firefox are still working fine, I'm just asking.
In fact, I have no such events with my MSIE and Firefox. Could you send me the compressed log file (defensewall_log.log in DW folder) so I could look at it? Anyway, your assumptions are right.
  #24  
Old October 3rd, 2005, 01:43 PM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Quote:
Originally Posted by Ilya Rabinovich
In fact, I have no such events with my MSIE and Firefox. Could you send me the compressed log file (defensewall_log.log in DW folder) so I could look at it? Anyway, your assumptions are right.
I've sent an email to you with the requested file.
Meanwhile, I will try the buttons on each DW-window.
  #25  
Old October 3rd, 2005, 05:53 PM
ErikAlbert ErikAlbert is offline
Incredibly Massive Poster
 
Join Date: Jun 2005
Posts: 9,456
Default Re: Beta-testing of the DefenseWall Host Intrusion Prevention System.

Ilya,
I played with all the buttons and I only mentioned the buttons with a problem or a question.

Event Log

Filter
This button doesn't work. No reaction at all.
I assume you will program this button in a later version ?

Delete and Delete All
These buttons work fine, but without confirmation and that's not good.

Add/Remove Untrusted
I have two general remarks for this window.
If you don't agree with this, it's 100% OK with me, I'm just telling what I think.
After all you are the boss and it's not my application.
It's not important either, but I design applications myself and we have some rules at work and I'm sooo used to them.

1. Is there a difference between "remove" and "delete" ? If not I would change the title in :
"Add/Delete Untrusted", because "Add - Edit - Delete" are most used in database updatings.
Another reason is that you used "Delete" in the "Event Log window".
Or you use "Remove" all the way, or you use "Delete" all the way, but using two different words for the same action is confusing and certainly for non-English users.

2. I would change the sequence of the Add-options into : Add Application, Add Folder and Add Process.
Most less-knowledgeable users know or will find out what applications and what folders are, but I have many doubts, if these users know or will ever understand what processes are.
A less-knowledgeable user will rather untrust applications and folders, than processes, but keep the button "Add Process" anyway for knowledgeable users.
I know less-knowledgeable users very well, I worked with them all my life and I know in advance what they will think about "Add Process".
That's why I'm not a big fan of HIPS softwares, but DW is user-friendly enough up to now.

Add Application
I fully understand this button.

Add Folder
I understand this button, but what are the consequences when I exclude a folder ?
Can you give me one practical example, why I would exclude a folder ?

Add Process
This one bothers me the most. Can you give me one practical example ?

Remove
If you agree with my first general remark, this button should be called "Delete".
If not leave it, like it is. The button works fine.

Run As Trusted
I assume that this button makes it possible to run an untrusted application as a trusted application for one time only ?

Close All Untrusted
I don't have any problem with the button of this window and it works fine.

I have still questions, but I need some time to formulate them in English.

Last edited by ErikAlbert : October 3rd, 2005 at 06:35 PM.
 
