geswall and email client (the bat)

Discussion in 'other anti-malware software' started by chrome_sturmen, Apr 10, 2009.

Thread Status:
Not open for further replies.
  1. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    I've been practising with geswall for a couple days now - today I used it to isolate my email client - the bat, just for testing. I found that as the bat downloaded my email, geswall was blocking access to my email directory. I closed the bat, and un-isolated it in geswall, and then re-opened it - the email I had just downloaded was gone - into the ether I assume. It was nothing important, but I need to know how to properly configure my email client with geswall, I noticed there are no rules in geswall for the bat. Anyone have any tips as to where to start reading etc?

    thanks,

    chrome
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chrome,

    What is important when using a mail program:
    a) make sure the program has full access to the directory where it stores the mails (f.i. I had moved the mail directory of Outlook Express to the D-drive for easy data backup). When this is not the case, your mail program downloads them, you can even reply to them and see them in your sent items, but after you close the mail program these mails are gone.

    b) make sure that your identity/access data is allowed to access (probably in the registry or maybe a config file of the e-mail)

    c) when everything is working all right, add the above items to the resources part and set them confidential (meaning untrusted sources may only allow them when explicitly told in the console)

    This is what is in the Pro database:

    Resource | Type | Access
    %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache% | File | Allow
    %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies% | File | Allow
    %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History% | File | Allow
    %HKEY_CURRENT_USER\Software\RIT\The Bat!\ProgramDir%MAIL\ | File | Allow
    %HKEY_CURRENT_USER\Software\RIT\The Bat!\Working Directory% | File | Allow
    HKEY_CURRENT_USER\Software\RIT\The Bat! | Registry | Allow


    The ones marked green are probably program directory (mentioned in the HKU software hive of bat) and the location where the bat stores identity and mails.

    It could be that you have them installed in a different directory, run the application wizard (increase number of seconds until it works), this will make GW adopt its rules.

    Regards Kees
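As an added example (not from this thread and not GeSWall's own code), a Python script that expands the registry macros in a rule list like the one above and reports whether each resource actually exists, which is the check you want when the database rules no longer match where The Bat! is installed. The key and value names come from the rules quoted above; the sample registry contents used in testing are constructed, and load_registry is a Windows-only helper that reads the real values.

```python
import os
import re
from typing import Dict, List

# Constructed copy of the six rules quoted above, in GeSWall's "Resource Type Access" layout.
RULES_TEXT = r"""
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache% File Allow
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies% File Allow
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History% File Allow
%HKEY_CURRENT_USER\Software\RIT\The Bat!\ProgramDir%MAIL\ File Allow
%HKEY_CURRENT_USER\Software\RIT\The Bat!\Working Directory% File Allow
HKEY_CURRENT_USER\Software\RIT\The Bat! Registry Allow
"""
# A macro is %<hive>\<key path>\<value name>% and stands for that registry value's data.
MACRO = re.compile(r"%(HKEY_[A-Z_]+\\.+?)\\([^\\%]+)%")
Registry = Dict[str, Dict[str, str]]  # full key path -> {value name: data}

def expand(resource: str, registry: Registry) -> str:
    """Replace each macro in a resource with the registry data (KeyError if the value is absent)."""
    return MACRO.sub(lambda m: registry[m.group(1)][m.group(2)], resource)

def check_rules(rules_text: str, registry: Registry) -> List[dict]:
    """Expand every rule and report whether the directory or key it names really exists."""
    report = []
    for line in rules_text.strip().splitlines():
        resource, rtype, access = line.rsplit(None, 2)  # resource names may contain spaces
        try:
            path = expand(resource, registry)
        except KeyError:  # the install differs from the database: macro cannot be resolved
            report.append({"type": rtype, "access": access, "path": resource, "status": "unresolved"})
            continue
        if rtype == "File":
            status = "ok" if os.path.isdir(path) else "missing"
        else:  # Registry resource: the key itself must be present
            status = "ok" if path in registry else "missing"
        report.append({"type": rtype, "access": access, "path": path, "status": status})
    return report

def load_registry(rules_text: str) -> Registry:
    """Windows only: read just the registry values the rules reference, via winreg."""
    import winreg
    registry: Registry = {}
    for key, value in MACRO.findall(rules_text):
        hive, sub = key.split("\\", 1)
        try:
            with winreg.OpenKey(getattr(winreg, hive), sub) as k:
                registry.setdefault(key, {})[value] = str(winreg.QueryValueEx(k, value)[0])
        except OSError:
            pass  # missing key or value shows up as "unresolved" in the report
    return registry
```

On a Windows box, `check_rules(RULES_TEXT, load_registry(RULES_TEXT))` lists which rule paths GeSWall would be granting access to and which ones point nowhere on that installation.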
     
  3. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    Hey Kees - I did run the application wizard, but this did not cause geswall to automatically create rules for the bat. I didn't realize geswall would need quite so much configuration. It seems to me that if you add an application that it doesn't have in its database, then it has no rule for it and everything the application tries to do is blocked...

    Any rate, thanks for the input
     
  4. N2thuWild

    N2thuWild Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    38
    Maybe I am not understanding the question correctly but I have GeSWall 2.8.3 Pro and The Bat is one of the email applications listed.
     
  5. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    Well what happened is that I deleted the instance of the bat that was preconfigured in geswall, and ran the application wizard to add it again. This time it had no rules for the bat - I guess it neither auto recognizes an application it supports and auto adds rules for it, nor can download the rules by clicking update. I'll reinstall and report back
     
  6. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    After reinstalling, I found that rules were once again present for the bat. But now I remember why I deleted the inbuilt instance of the bat and added my own - it's because the instance of the bat built into geswall somehow doesn't function (maybe it's looking for a different version or path?) I tested it and protection doesn't occur. Further, you can't seem to edit the path of a program once there's a rule for it - so I couldn't change the path for the inbuilt instance of the bat. What I had to do is delete the inbuilt instance, and then add my own - I did export the rules for the inbuilt bat before deleting. Once I added the bat myself, protection does indeed occur, but, though I could export rules, I see no way to import rules into the bat?? Without rules geswall will just block everything the bat does, which is useless. Can rules not be imported for applications? It seems strange to have an export function, but no import.

    Who the hell would want to do this with several applications, I have no idea why or who.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    hmm.. better to post at their forums. Problem is that there are not so many users, so many small problems may be undiscovered and troublesome.

    Personally I never used it except for chat messengers n browsers etc so can't say anything.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When it is an existing application, do not delete the application, but start it with the Application Window (on say 10 secs at least), it will recognise the program and add any rules.

    Yep strange logic export without import

    Regards Kees
     
  9. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    I'd rather not, thanks, who's gonna wanna become a windows internals expert just to harden apps that aren't preconfigured in geswall? their board is dead, and they maintain no presence here - better to go with illya's app for these things I'd warrant - dasvadanya :D
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well Chrome,

    I like (policy) sandboxing programs/HIPS, because they are such an easy way to deal with the fact that 99% of the users run their home PC as admin (Tlu, Mrkvonic and some others have written excellent tutorials to imply a low CPU cycle eating safe setup with LUA, SRP and ACL).

    I frequently check DW forum, e-mail with Ilya when he searches feedback, e.g. when he implemented resource management. First I added some custom rules, Ilya not only assisted but implemented them as the default set (so I have an application which is functioning how I would like it to function all on one aspect).

    Brian of GW was a few years ago as eager as Ilya to improve GW. GW uses some internals of Windows, therefore it is such a low CPU overhead application and it does not have DW's total untrusted file control.

    For a skilled PC user GW Free is a cheap and fast alternative to Sandboxie, GW Pro with its Application Wizard is a granular-to-control Sandbox/HIPS.

    So I think both programs have earned their credits, we have DefenseWall plus ThreatFire running on one PC (a fast laptop with Solid State Disk) and GeSWall Pro and DriveSentry on another (an old Desktop given new life for 100 euros with a cheap motherboard and an E5200 pimped to run 3.06 GHz).

    DW is by far the user friendliest HIPS available, so enjoy

    Regards Kees
     
  11. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    As regards sandboxie - well as far as browsers are concerned with it - sandboxie 4-ever :D (yes I ripped the name from the movie lilja 4-ever)

    http://i715.photobucket.com/albums/ww156/pink_moon_drake/Wilders/box.jpg

    yet I wanted something more general for apps less likely to be threat vectors, that wouldn't need to be configured to a great extent. geswall I opine, isn't developed to the extent that it can handle such - defensewall (i've tried it) is.

    Though I may just dust off sandboxie and tune it towards my needs.


    obliged for input
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well Sven, you're the master of your own PC :)
     
  13. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Chrome sturmen,

    Some remarks with respect to what you experienced:

    1. It is possible that you have a newer version of the bat with different version info than the one in Geswall's application list. Although the version info being used by GW doesn't change often between versions of the same application, it sometimes does change. In this case the application is not recognised by GW. It happened for instance with Windows Media Player (which you can find twice in applications, each one having different version info). In this case it is better to notify GW support by email (add application and version you have). They can then provide a fix which can be provided to all users by the Update Geswall Applications feature.

    2. When you remove an existing application or application group, you will also remove its rules. In addition (even if you add the application again later) the Update Geswall Applications feature will no longer update this application.

    3. You most probably used the Export List... function in the context menu that you get if you right click on an application in Applications. This is not the one you have to use when you want to export rules. If you want to export or import rules, you have to use the Application Wizard:
    - right click on the application (.exe or shortcut) for which you want to export or import rules
    - select Application Wizard
    - check Expert mode box
    - click Next
    - uncheck Autofill rules for this application
    - click Next
    - use Import Rules or Export Rules buttons shown on the low left side
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Actually GesWall is a very good application but it still needs a lot of work to make it user friendly for so many people, and constant updates for application rules etc etc. If you run just your browsers GesWalled it will be fine. As you try more and more applications in GesWall, you might complain of some problems or loss of functionality. Sadly the support is sluggish. Such an application needs a very active support indeed.
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I agree. Geswall is a goldmine if my buddies would just put some time into it.
     
  16. N2thuWild

    N2thuWild Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    38
    Hi, hope this is O.K. to post in this thread. I have GeSWall Pro and I have a couple of questions. How does it update definitions, and two, when you close out the browser is it O.K. to click the X at the top of the page to close, or should the application be terminated under Isolated Applications? Probably stupid questions but I want to make sure about how it works. Thanks. Also it does not work with Outlook Express. When I try to use GeSWall, Windows says my OE is corrupted and to re-install; OE works fine without GeSWall.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You close your applications/browsers just normally with the x button.
     
  18. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    Thanks guys for the continued advice and thoughts - I haven't given up on geswall yet, I'm still working with it.

    I ran the application wizard with the bat and it created some rules for it. What I wonder is if the rules that geswall creates for a program are effective in hardening it. For instance, if I were to create rules for a messaging program with the application wizard, would those rules protect my system from 0day exploits designed to spread via said messaging program? Any thoughts?
     