OA + GeSWall

Discussion in 'other anti-malware software' started by LoneWolf, Feb 2, 2008.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    Needed together ?
    Overkill ?
    Or are they a compliment to one another ?
    Same question for WinPatrol + OA.
     
  2. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Winpatrol = Detects
    OA = Prevents

    Geswall's main purpose is restricting the rights (untrusted) of user-selected programs, right? Then you could use OA for this as well, since you can restrict each program as "Run Safer" in the advanced options.

    /C.
     
  3. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    The main reason for myself to use GeSWall is to restrict the policy rights while surfing, whether it's with Opera or IE.

    I don't see where I can do this as "Run Safer" in advanced mode.
     
  4. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    1. Right click selected program and choose "Advanced options":

    1.png


    2. Check "Run Safer":

    2.png


    /C.
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    Found it.
    Thanks. :D
     
  6. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Run Safer in OA (like other basic policy-based sandboxes such as DropMyRights) is a very nice feature but not configurable at all. GeSWall is a dedicated sandbox with both policy restriction using configurable rules and virtualization.
    My choice is to not use OA's Run Safer option and focus on sandboxing with GW or DW.

    Regards,

    MaB
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I played around a bit with Geswall, but didn't like it. I use Sandboxie which really sandboxies, and OA's Runsafer, and it's a good combo.

    Geswall doesn't allow getting rid of what might have come down. That's what I don't like.
     
  8. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    I have to disagree, Pete. Anything virtualized by GeSWall is redirected to a specific folder (Windows/geswall) and cleaned afterwards; other files created by an isolated app (like things you download) are flagged as untrusted.

    Regards,

    MaB
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I didn't figure that out.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    And now in the new version, you can even scan all these files and delete as needed.

    I agree that GW is not as user-friendly as SBIE!
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GW is much stronger than just using Run Safer! However, I don't think WP is needed with OA.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure I'd totally agree with you on the Run Safer. I set IE7 to Run Safer in OA, and invoked some of our favorite nasties from within IE. None of them could do anything (I did disable Sandboxie).

    Pete
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any malware made to work even in limited user mode will bypass Run Safer, but that will not be the case with GW. Am I right?

    Also, I am not sure how the privileges are transferred from parent to child processes in Run Safer. In the case of GW, privileges are kept strictly from parent to child, even for downloaded executables, unless you mark them trusted manually.

    BTW, I am interested to know what nasties you tried, and did you use only Run Safer and no other OA feature in this testing?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure what you mean by the first statement.

    IE must be passing privileges from parent to child. The malware exe had no special privileges; I just invoked it from IE using the file open in IE. One I ran, the virus (don't remember the name, but it was the one I used in the erik albert thread), was able to install its files, but couldn't make the system changes for it to run. The files were essentially just inert on the system.

    I've also run killdisk, the cleanmbr thing, and that POC bypass this way, and they all were neutralized.

    Pete
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Run Safer means run as a limited user. Correct? There is malware which can run even under limited user account restrictions. The restrictions of GW are tighter than just limited user restrictions.

    Quote (Peter2150):
    "IE must be passing privileges from parent to child. The malware exe had no special privileges; I just invoked it from IE using the file open in IE. One I ran, the virus (don't remember the name, but it was the one I used in the erik albert thread), was able to install its files, but couldn't make the system changes for it to run. The files were essentially just inert on the system.

    I've also run killdisk, the cleanmbr thing, and that POC bypass this way, and they all were neutralized."

    What happens if somehow you click these executables, can they cause their damage? In the case of GW, the files are tagged as isolated, and running them even manually or somehow by other means can't harm the system.

    Personally I have not tested this feature against malware myself, so I can't be more specific about it, but I have tested GW multiple times and it almost always proved solid, and I know that the restrictions applied by GW are more than those put by a limited user account!

    BTW, I PMed you!
     
  16. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Yes, you're right. If the malware is designed to operate in a restricted user environment, for example script-based malware or certain keyloggers, it will also "bypass" OA's "Run Safer", since they work on the same principle (least privilege). They can't do any harm to your system, but they can steal information that you, for example, type into financial transaction sites. The value of using GW, DW etc. would then be that they add protection to neutralize some of this malware, if I understood you correctly, aigle?

    /C.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are right. But I believe there must be more malware able to work in a limited user account than just keyloggers!
     
  18. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    But then the malware would have to exploit some "unknown" vulnerability in the OS, or known LUA-bug applications (where you have to change their permissions for them to be able to work restricted), to be able to elevate its privilege.

    /C.
     
    Last edited: Feb 2, 2008
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You are right, they aren't tagged, and if you invoked them they could run. But even in GW that would be the case if you didn't know to tag them. What I can also do is right-click them and run them sandboxed.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    In GW, they are tagged automatically, by default unless you un-tag them.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Drat you guys. You are going to make me take another look at Geswall. :argh: :D
     
  22. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi all,

    I'm sure you will not regret it, Pete

    Regards

    MaB
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Malware has access to some autostart reg keys even in LUA. User-mode rootkits work fine under LUA.
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Not for me. GW makes far more sense than SBIE. What's not friendly in GW ?
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    GW uses the Windows policy manager, so by design it would not be much stronger than running with limited rights. I suspect GW has made some enhancements over running as a Limited User (so I think GW's goal is to offer stronger protection without being more restrictive to the user).

    According to Mike Nash, Run Safer inherits (limited) rights from parent to child. I downloaded an exe and I could not install a driver either, so Run Safer is somewhat stronger than running as a limited user. I know Mike has changed something in Run Safer, because the help desk got questions about things going wrong (driver installation failed). I do not know about the latest freeware.

    Regards Kees
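
The thread's open question is whether a Run Safer / DropMyRights-style restricted token really carries over to child processes. The PowerShell check below is an added example, not code from the thread or from Online Armor or GeSWall: launched from a shell started by the sandboxed browser, it parses `whoami /groups` and reports whether the Administrators SID is deny-only and which integrity level the process carries. `Test-RestrictedToken`, its `-WhoamiCsv` parameter and the sample lines are constructed for this example.

```powershell
# Added example (hypothetical helper, not part of Online Armor or GeSWall):
# report whether the current process runs under a restricted token, e.g. when
# it was started by a browser that Run Safer or DropMyRights launched.
function Test-RestrictedToken {
    param(
        # Optional: output of "whoami /groups /fo csv" captured elsewhere (for offline use).
        [string[]]$WhoamiCsv
    )
    if (-not $WhoamiCsv) {
        $WhoamiCsv = & whoami.exe /groups /fo csv
    }
    $groups = $WhoamiCsv | ConvertFrom-Csv

    # A restricted token marks Administrators as "deny only": the SID can no
    # longer grant access, only be matched by deny ACEs.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminDenyOnly = [bool]($admins -and ($admins.Attributes -match 'deny only'))

    # On Vista and later the integrity level appears as a group of type "Label".
    $label = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $integrity = if ($label) { $label.'Group Name' -replace '^Mandatory Label\\', '' } else { 'n/a' }

    [pscustomobject]@{
        AdministratorsDenyOnly = $adminDenyOnly
        IntegrityLevel         = $integrity
        Restricted             = [bool]($adminDenyOnly -or ($integrity -match '^Low'))
    }
}

# Constructed sample of whoami output for a restricted child process, so the
# function can be exercised without starting anything.
$sample = @(
    '"Group Name","Type","SID","Attributes"',
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"',
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"',
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"',
    '"Mandatory Label\Low Mandatory Level","Label","S-1-16-4096",""'
)
Test-RestrictedToken -WhoamiCsv $sample   # constructed sample: reports as restricted
Test-RestrictedToken                      # live check of the shell you are running in
```

Run the live check once from a normal shell and once from a shell spawned by the sandboxed browser; if the second report is not marked restricted, the child did not inherit the reduced token.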
     