Beta-testing of the DefenseWall Host Intrusion Prevention System.

Discussion in 'other anti-malware software' started by Ilya Rabinovich, Sep 19, 2005.

Thread Status:
Not open for further replies.
  1. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    I get those as well. I'm not sure what causes it because it only seems to happen randomly.
     
  2. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    In HKCR\FTP\shell\open\ddeexec\Application\
    I have another app as well as Firefox. This is Directory Opus,
    which supports FTP and can be set as the default downloader for FTP.

    here's an image from my registry
    http://img385.imageshack.us/img385/2773/snap26755dm.jpg

    Looks like the reg entries I posted happen when Firefox
    is fired up and closed down. Could be an extension in
    Firefox maybe?

    ==================

    meant to add

    I was trying out some extensions for Firefox today and set
    the download manager to scan files with an anti-virus.
    DefenseWall stopped this from doing various things,

    for example
    Attempt to open process C:\WINNT\system32\smss.exe
    Attempt to open process C:\Program Files\JGsoft\EditPadPro5\EditPadPro.exe

    It was Anti-Vir, and it seems to check all running processes when it's
    opening. How can you allow this to run and do its checking?
    The only alert I get from Process Guard is Anti-Vir trying to read
    Winlogin, which is because I hadn't added Anti-Vir to the Protected
    apps section and allowed it to Read. The program did open OK.

    It wouldn't be a workaround to add it to the Untrusted list and then run
    it as Trusted, as it's being called by something else. It's no biggie,
    though, but it just struck me that an alert to enable an app as
    Trusted might be a good idea. I don't intend to have this anti-virus
    do checking for every download - I was just trying stuff out :)
     
    Last edited: Oct 23, 2005
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I don't know. Maybe....
    1. You will be able to install FF extensions under trusted mode only (just a caution)!
    2. All the processes spawned by untrusted ones are untrusted too. It is not possible to convert an untrusted process to a trusted one.
    3. It is not possible to alert because of the program's ideology (it means no alert windows at all).
    So, if you run the antivirus as untrusted, it will be untrusted by all means. And it is not possible to make it trusted on-the-fly!
     
  4. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    Yep, after posting the last part of my previous post I realized this
    wouldn't work ;o)

    ====

    Fired up my Win98 box the other day - the good old days ;o)
    I still have Kerio v2.15 on there, and it reminded me of
    one of the main things missing from that program. When
    you enter rules, each one automatically gets moved to the end
    of the rules and you have to move it up the rules line
    by line. A pain in the butt ;o)
    Could you add similar move buttons for the Add/Remove
    Untrusted window? I had to remove Firefox from the list
    the other day as it didn't seem to update some added
    extensions. Anyway, Firefox is now at the bottom of the
    added programs and I'd like to be able to move it up so
    that it's visible and easy to reach for running as trusted.

    :O)
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    I wanted to test your application on my test pc. The moment I tried to execute the installer, PestPatrol alerts that a "pest" is loaded into memory: "Downloader.Lunii". Now, I know that PestPatrol is bloated with false positives, and I'm not assuming anything. Could you please explain this?
    I can send you the screenshot of the message if it interests you.

    Still, I decided to install and see what happens.

    Suggestions:
    1. I can close DefenseWall with a simple right click on the systray icon. How about you protect the process from being closed by the user and/or other processes with a password?
    2. Instead of letting the user decide which applications are untrusted, why not default everything to untrusted (except basic, crucial system files)? That way, no trouble can happen because the user merely forgot to add a program to the untrusted list.

    Cheers,
    Mrk
     
    Last edited: Oct 26, 2005
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Done. You will see the "Move item up" button when the release happens.
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No. That is PestPatrol's problem. It could be because of UPX (the standard compression for RAR SFX modules like mine).
    Thanks, but I don't need it.
    The password is not needed, because the protection is independent of the GUI.

    Well, it is possible to do, but I'm not so sure it will dramatically raise the security level. And I see many troubles, security holes and incompatibilities that way. I suppose that the smart user will be able to use my program effectively; as for the non-smart ones, computers are not made for them.
     
  8. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    FYI - the Explorer context menu for DefenseWall works on shortcuts, so if you happen to have an FF shortcut on your desktop, you can right-click, head to the DefenseWall menu item and choose "Run as Trusted". That will save you having to add it back to your list when you're done updating.
     
  9. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    'Done. You will see the "Move item up" button when release happens'

    :)

    ------

    Toadbee

    Cheers for the tip :)

    I actually hadn't noticed that, I'm ashamed to say.
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You can also select the program in the Untrusted list and "Run as trusted", which I actually find more convenient :)
     
  11. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    :D Yes, I realized that after I posted as well. That's the really big obvious button ;)

    You do have to close all FF instances first before the "Run as trusted" aspect works.
     
  12. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    LOL, yes.. not as bad as the time I went to the post office during election time and asked if they have voters pamphlets (or something, it was years ago).. the lady just glared at me and then pointed up.. there was a fifty foot long banner right above the window stating the answer to my question.. and this was after I had been waiting in line for 10 mins. :D
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    Several things I need to suggest / ask:

    1. First, how user friendly do you want your application to be? For instance, there is a default set of apps that are set as untrusted. However, there are no explanations about them. It could be useful if you added a short explanation of what potential hazard a certain application carries and why running it as untrusted is useful. Now, I know you said the computers are not for the illiterate, and I agree, but I think that since we cannot prevent the illiterate from using machines, we could make the experience as painless as possible.

    2. When running Firefox, I get these, like some other users:
    Attempt to delete key HKCR\GOPHER\shell\open\ddeexec\Application\
    Attempt to delete key HKCR\CHROME\shell\open\ddeexec\Application\
    Attempt to delete key HKCR\FTP\shell\open\ddeexec\Application\
    Attempt to delete key HKCR\HTTPS\shell\open\ddeexec\Application\
    Attempt to delete key HKCR\http\shell\open\ddeexec\Application\

    3. I must ask again: If I kill the Defense Wall process, does the protection remain effective at kernel level? Because once I kill it, the process is gone from Task Manager. Likewise, the user can add or remove processes from the untrusted list easily. Password protection could be nice, let's say for computers with multiple users. Let's say a parent doesn't want his kids to disable untrusted apps or close Defense Wall altogether, so a password could come in handy to prevent the killing of the process or any changes.

    4. What other services / apps do you recommend as untrusted?

    5. Haven't checked it yet, but when you run P2P apps as a limited Windows user, for instance eMule, then you cannot search servers and such. Is this the case with Defense Wall as well?

    Mrk
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    There is a text on the first dialog sheet. Is it not enough for the illiterate?

    I don't know what this is; I have no such messages. The only thing I can tell you is: filter it!
    The protection is still effective. It is 100% independent from the GUI.
    Yes, maybe you're right about parental passwords. I'll think about this feature more deeply after the version 1.0 release.
    Browsers, e-mail, IM and P2P clients. Maybe WinZip/WinRAR, if you like to run applications right from the archives.
    I'm not sure. DW doesn't limit network activity.
     
  15. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    In the Event Log window it would be very helpful to have the
    latest alert at the top of the window - the reverse of the
    way it is just now :)

    Also, does DefenseWall check md5 hashes of the
    programs in Untrusted? If not, this might be a
    good thing - maybe :)
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I'll think about this.
    I see no reason why.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    How does Defense Wall compare to DropMyRights, if at all?
    Mrk
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    DW is much more powerful and easier than DropMyRights.
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hi,
    What I meant is, in what way is the protection different? DropMyRights prevents programs running with it from changing certain tokens. What does Defense Wall do?
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It blocks the dangerous actions (security token independent).
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hi,
    Found a typo:
    When you click "Add untrusted", you have the option to add a process or an application. It reads "applicatoin"!
    Mrk
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Oops!
     
  23. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    Today DefenseWall showed 2 untrusted apps running - Firefox & Net
    Transport. Firefox threw up an error and closed - and Dr DooLittle (Watson)
    showed his face. I closed Net Transport after it finished downloading,
    but DefenseWall still showed 1 untrusted running. I checked with Task
    Manager and nothing was there, so I hit "Close All Untrusted" and nothing
    happened - there was still 1 untrusted running somewhere ;)

    Something to do with Dr Watson perhaps?
     
  24. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    The system debugger (like Dr Watson) runs as a child process of the crashed one. So, Dr Watson was run as untrusted, because its parent process (FF) is untrusted.
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hi, guys!

    The DefenseWall HIPS RC1 is released. There are a lot of improvements!

    1. Cool skinned interface.

    2. "Secured files" feature (the files and folders are inaccessible to the untrusted apps).

    3. "Process details" feature.

    4. Disable/Enable untrusted feature.

    5. More registry keys are protected.

    6. Spooler protection.

    Everything is in the old place: http://www.softsphere.com/cgi-bin/redirect.pl?Name=DEFENSEWALL

    The release is coming soon!
     