Hacking DefenseWall, GeSWall etc in 60 seconds

I'm not sure if this has been posted anywhere on Wilders, but this is quite interesting stuff:

http://www.youtube.com/watch?v=y3HGAQrYCAM
http://www.youtube.com/watch?v=qjN_bMcc38Y
http://www.youtube.com/user/BluePointSecurity

Anyone know who this BluePointSecurity is? According to these tests, BluePoint Security has demonstrated that several popular antivirus software, Threatfire, DefenseWall, GeSWall, and several popular internet security suites (including Kaspersky and Comodo) are bypassed.

Thanks for any comments.

 

BluePointSecurity is nothing but block all unknown files.
Then it asks user to allow or block the application...weird.

See Matt's video for more details

 

When they open IE in Defense Wall test it shows 1 untrusted application,so the keylogger is installed (trusted) .So they don't know or don't want to know how Defense Wall works.Just another marketing video.

 

I don't know either but it's not important becouse as seen in the video the keylogger runs as trusted ,i don't think outbound is important here .

 

DefenseWall,

The advanced options item of defensewall offers the following
a) Run files from USB drive always untrusted
b) Run files from CD/DVD drive always untrusted
c) Run files from network drives always untrusted

I have had a discussion with Ilya about this. During the installation he should have a setup wizzard which asks what the user wants, to enable them or the disable these options.

Also in the right click system tray icon an option protected drives should be visiable, same way as AppGuard offers via the system tray icon to see what is included in the deny execute (= drive by protection) and what is included in the deny access (=privacy option).

These options are now two mouse clicks away (richt click system tray, choose advanced tab). Ilya's opinion is that user should read user manuals.


Problem is that per country the critical 'click border' and willingness to read manuals differs. An example from the past (just for reference, might not be accurate anymore) in Flemish Belgium the critical mouse click border lays at three clicks and they 60-70% read the manuals, in Holland the critical mouse click border is two mouse clicks (or what is equivalent of a mouse click in terms of information at your fingertips) and 20 - 30 % read the manual.

These differences are remarkeable: The Flemish and the Dutch speak the same language and are neigbours, even have provinces with the same name and are tiny geographical areas.

So it is really a storm in a glass of water. I hope Ilya's opinion on the setup wizard and protection scope option of the tray icon will be changed by this deceptive test. After all they have a point, out of the box, these options are not selected, so when you copy something from a network drive it is trusted and DW will allow it do what it wants.



GeSWall
GW is more directed to teh corporate market than the end user market. It has the option to isolate network drives, only this requires some basic knowledge of GW. Again when you run something as trusted from a network drive, GW will not protect like DW. Because GW is more directed to the corporate market, I think few system administrators/network managers/IT managers would be happy with a default setting running the programs from the network drives as untrusted. The network drives are the inner circle of any company, so should in theory be the most protected. When a company gets a keylogger on a network drive, they have bigger problems than GW not blocking it out of the box.

ThreatFire
I am sure that an intelligent behavior blocker would somehow take the consideration mentioned at GW (the network is the inner , most trust worthy circle) into its risk calculation.

Cheers

Regards Kees





Cheers Kees

 

The keylogger was simply double clicked from the desktop as a normal user would. We did not make it trusted or perform any settings changes to the product, it was simply installed with the default settings. If all files are run as untrusted then it was run as untrusted, it did nothing to stop it. We can retest showing installing the product and then running it, but it was not run as trusted in the current video.

I asked how did they test and what if they run it as untrusted.

The file was run just as any normal user would run the file, simply double clicking it from the desktop. We didn't allow or trust the keylogger before running it. We didn't run the keylogger as untrusted as the average user wouldn't know how to do this and we also believe that most of these products involve too many complicated steps to actually prevent new threats. The products were installed with default settings just as they were installed.


Unknown file wilders.exe
Allow / Block?
Complicated?

 

Agree, this test is not professional. They run malware as trusted and they think DW in this case help

 

Their explanation is also funny... All files downloaded by Untrusted processes (DW/GW) got automatically Untrusted status so the average user do not have to remember what files he should run as Untrusted in this case.

 

No but they copied it from a (trusted) network drive, they did not download.

It is a rediculeous test

 

V3 will have firewall module. Yes, it adds protection
V2 is not that vulnerable, but just not so "complete" as I understand. I might be wrong. Lets see what Ilya says.

 

No read my post nr 6. It was copied from a trusted source so ran trusted. Normally network drives are on a back end server. Depends on the way the network manager configured the network, often PC in a network have only access to the central server disks, but sometimes they are allowed to access each other directly in a LAN.

Yep the moon is round, the moon is yellow, it must be a gigantic Gouda cheese.

Come on SSJ, your to bright to make that kind of deductions. Did you also complain at Tzuk when he added policy management protection to SBIE, was SBIE not strong enough before, nonsense.

See my post of january 2008 https://www.wilderssecurity.com/showpost.php?p=1156260&postcount=1. Ilya is just taking the nex step. Combining internet facing policy management (which is a HIPS) with a FireWall, so basically a combo of trends 1 (HIPS and FW) with 2 (threat gate mitigation).

When DW has a FireWall, you do not need anything else anymore (besides a router):
V2 - protects programs against each other like HIPS (that is untrusted versus trusted)
V2 - mitigates virusses in files (paraluses them), sort of same protection an AV has
V3 - filters application level network traffic like an advanced FW ( I have no idea whether it also covers the original functions of a firewall, but nobody seems to care nowadays anyway, since f.i. Comodo by default does not analyse protocols, I bet you have it off also, check your FW intrusion settings )

Cheers

 

GW now has network protection of untrusted objects, DW has not.

Yep only a policy management/virtualisation sandbox programs is a reversed whitelist (in stead of whitelisting to allow, you 'white list' what to untrust/run virtualised), so by copying it from a network drive (when you do not choose to untrust network drives etc) it is basically the same as disabling your HIPS before executing an unknown program. So yes it sort of it is the same.

 

Yes, you are right. Spambots made me make outbound protection, Kido made me do inbound one.

 

Will the FW protection (1) prompt similar to other FWs, or (2) just show a warning that you can skip in the future with automatic block, like the current warnings?

 

"Advanced"->"Options"->"Run from local area network as untrusted".

 

Similar then other FW's, but not the same. The core ideology is very different- it's totally sandbox.

 

I had short discussion with Ilya by email. The solution will be brilliant!

 

Seems the test was designed to make the products fail.

Why not show how they work against a drive-by-download ?

Oh wait , remove-malware already showed that ..

Had a look at their website , hmmm.
Not impressed . Why does a default deny app show 4 screenshots of its virus scanner ? Why does it even have a virus scanner

 

Ridiculous. I would test their software if i didn't have to leave. Someone "hack" their software like they did on youtube and post it as a response video.

 

Well they are running an old version of Drupal with multiple XSS/Injection vulnerabilities, their whole web site could be wiped off the server. Does that count?

But yeah, pretty silly tests. But to answer the original question "Has anyone heard of them", well their site only has 54 others linking to it (many of the 54 are just multiple links from the same sites) so no it appears nobody has.

 

I don't mean attacking them, just to be sure, in case someone misunderstands me. Just "test" the software the way they did for others. That is, a fake test of some sort.

 

Agree with Kees.
I'm not about to get rid of DW, but I wish Ilya would make it easier to use for the techy challenged. I just can't be the only one here.
Yes, we should all read the manuals, but I pay for the software. Nobody is paying me to use it.
Also, there's a good article about DW in the new issue of CPU.
Way to go Ilya.
Hugger

 

I know i was joking, and pointing out it's odd they are poking holes in other products when their own backyard is vulnerable.

Is there any more detailed info about DF's new firewall?

 

I meant outbound, I already explained that

 

Congrats , I swallow my statement

At least your using the FW to its full potential, good on you