GeSWall v2.1

GESwall looks like a simplified Coreforce/tiny firewall to me, allowing you to limit applications so that they can read/write only particular files/registries etc.

Like coreforce it has downloadable settings for popular applications which you can share and download.

In theory, you can create very safe setups by allowing file and registry accesses only when necessary for the specific application and disallowing all else. With the right rules you can even simulate a limited user account i suspect.

The default ruleset is pretty loose though.

I Played with it a bit. Looks okay. A bit rough around the edges, for example, right clicking on the icon does not allow access to the console settings. Makes accessing changes difficult.

It is lighter than bufferzone IMHO.

I think though we can differentiate Coreforce/GESwall/Tiny from Bufferzone/Greenborder/Sandboxie/Defensewall/

The first group allows 'per application restrictions'. You can deny read access to c:\certainfolder for IE, while allowing access for firefox. Of course, if you don't want to be so specific, there is always the default restriction rules (which are themselves changable) when something is 'isolated'.

***********************************************

There are also other restrictions such as injection attacks, hooking, kernel drivers etc which may not have much to do with file/registry control, but for obvious reasons, I think Bufferzone, GESwall, Defensewall, etc have all restricted them when a file is "in the bufferzone"/"isolated"/"untrusted" etc

This seems to be standard for sandboxes.
************************************************

The second group just splits all application into 2 groups (trusted versus untrusted) and all untrusted programs are equally restricted.

E.g While you can set in bufferzone folders to be "confidental", "trusted" to restrict read/modifiy etc just like GESWALL/Coreforce/Tiny , you cannot set it on a per application basis.

If you set c:\mysecrets to 'confidental', all programs in the bufferzone cannot not read it. GESwall however allows more grandular control. Maybe you want to allow your password mananger to access c:\mysecrets, but nothing else can read it. No problem GEsweall/coreforce etc allows it with the specific rules.


Bufferzone's main strength over coreforce/Geswall i think is that it tracks changes made to the registry and file areas made by programs in the BZ. This allows you to blow away changes made by such programs if necessary. So for example if your browser got infected, you can restore it to it original state by resetting the BZ.

Sandboxie, is similar.

It can even be used for testing stuff. Some shareware programs like to stick registry keys in your computer (which is not removed when uninstalled)l, so it can keep track of the fact that you tried it before. This is pretty irriating if you dont like such stuff lying around. Some People try to use stuff like Totaluninstall, which compares changes before and after a software is install, in hopes of keeping the system clean, in the case the uninstaller fouls up.

But this method does not work, because most shareware stick registry keys only after the nth start (as opposed to during the install), so total uninstall
doesn't see that change. But with BZ there is no problem, ALL CHANGES are tracked.

I have tried Defensewall yet, but I think it's closer to the BZ side of things, with 2 groups "trusted" and "none trusted", except without the tracking changes thingie of sandboxie and Bufferzone.


Conclusion

GESwall/Core force/Tiny firewall etc are like MS Windows XP's Software Restriction Policy on steriods. If you are one of those geeky people who like to tweak, control and layout exactly what resources each app can access , this is a dream.

For most people though, I think they will just use whatever the default restrictions are, and specialised ruleset if it is made available by others. In effect they will be just using 2 groups ,trusted/untrusted exactly like Defensewall.bufferzone etc.

Sandboxie/Bufferzone, as stated have a built in insurance policy of allowing you to revert changes, because all changes made by porgrams in the BZ are 'virtual'. This can be very very useful of course if you make a mistake.

Of course, these solutions tend to be 'heavier' in my experience.

 

In fact, there are two major classes of the HIPS applications- application firewall and sandbox. Application firewall allow you to use your own roolset for the each of the application (but first you need to create it by yourself!), sandbox share all the processes into 2 groups (trusted and untrusted) and use build-in restrictions for the untrusted processes group. GesWall is application firewall with the some movement to the sandbox ideology (isolated apps) to decrease the number of popup windows, but it is still application firewall. Application firewall is, mostly, not for the average users, because it require a lot of the technical knowlege.

As about sandbox HIPS- they are very simular in action, some of them are simple in use, some are not simple at all. The only difference between them is registry/file system virtualization. In some cases it is very usefull (as devilish has already described), but, mostly, it is the problem for the average users who have added the bookmark (or save file from the Internet), empty virtual file zone and then can not find it!

 

yes you are right. Application firewall versus sandbox.

Stuff like Processguard,regdefend,SSM,Prevx1,online armor,etc etc would be application firewalls.

You have different policies for each app, e.g you allow program x to terminate other processes, but not program y.

Sandboxes would divide apps into 2, trust versus untrusted. And monitors only untrusted. As you said this reduces popups by focusing only on the untrusted stuff. Stuff like BZ and defensewall don't even show popups, because dangerous stuff just shouldn't be allowed!

Bufferzone and Defensewall would be definitely Sandbox.


Of course the question becomes would someone using an application firewall benefit from using a sandbox (as definied like that)?

 

I believe so, yes. When I run an application in a sandbox, I'm already beyond the application firewall - ie. I am the application firewall... and so at that point I'll take what help I can get.

 

It depends on the person. Somebody like to control all at their computers. They think that security==control. Application firewalls just for them. But, most people don't want to control anything, they just need to be secured while the are surfing porn sites. Sandboxes just for them!

So, different people- different types of the security applications.

 

Lol, you sound like a man with some experience.

 

For those of you that don't know, Ilya is the creator of DefenseWall. I have been using DW for the past week and really like it's simplicity. Iyla is very clever programer and was able to break through BufferZones protection in 5 minutes and claim their reward!

PS - Note to self, quit spending so much time visiting porn sites now just because it is safe to do with DW running!!

 

I have a question about the license of GeSWall.
It is Free but i heard it is only valid for one year.
Is this so ? and why?
Thank you
TA

 

Hi,
The concept is nice, but:
Accessing the console through folder is not smart. The user should not go to the root folder and touch the files. A right-click option should be available.
There is no way to close the application.
What about a right-click - > exit?
I managed to close the application using Task Manager, killing processes? In that aspect, why doesn't the application protect itself?
Tried to restart it -> no option in the Start Menu. Only access to Console. The user has to access the folder and click gswui.exe (or so) to start the application again.
Uninstall via Add Remove only.
What about Windows Updates?

Suggestions:
Allow start application / console via Start Menu.
Allow termination via systray (with password if needed to prevent mistakes, but still some sort of option for user to close the application - like for Windows updates - this could kill two birds with one stone).
Prevent termination via kill process.
Allow Windows Update with the application ON - or a convenient way to switch to full write and access mode (like closing the application with right-click).
Add uninstall in the Start menu.
Add password or strong warnings for tampering with processes and keys. The options are definitely not for average users - and yet everyone can access the console and play with options.

Cheers,
Mrk

 

I don;t understand. Are you arguing the following

I suppose if you do choose to run a sandbox, you are right in that the application firewall probably becomes irrelevant, because it usually cannot see what's happening in the sandbox (it will have to give previlages to the sandbox). But surely this doesn't mean, you need a sandbox

Well but if my application firewall, 'sandboxes' the whole system, treating each and every app has potentially dangerous, there seems little point in using a seperate sandbox.

E.g When programs run in the bufferzone (BZ), is 'isolated' (GESwall), or is 'untrusted' (Defensewall) they can't install drivers. But if I run say PG,appdefend etc etc, no program can do that anyway, unless I allow them. The net effect is the same.

Of course, the advantage of a sandbox is that you can concentrate on only potentially dangerous apps, and focus your energies (comp resources, human resources) on watching only what is most likely going to be important.

Again I'm in love with the bufferzone/sandboxie concept of tracking changes and reversing them if necessary. I suppose it's kind of like the shadowuser thingie but focused only on a subset of stuff.

 

those are some good points Devilish. application firewall is controlling it anyway so why sandboxing .. I can't answer that. I guess if you really want to feel secure and you don't have that feeling allready, everybody will do what he can just to get this feeling .. installing Sandbox or whatever on top of this application firewall.

my moto: add enough layers till you feel secure/protected j/k but sometimes it comes down to that imho

 

I'm saying whether or not I'm running an app firewall, it is ultimately me who decides to run a program or not. That being said it's nice to be able to let them play in a sandbox for a while to see if they behave

 

Well i've being following the "Blue plan" with regards to software security which consists of

1) Antivirus E.g Bitdefender, KAV, NOD32
2) Memory scanner (AT usually) E.g Boclean, Ewido
3) Application firewall E.g Processguard/regdefend, online armor, GSS
4) normal firewall E.g Looknstop, Jetico, Outpost Pro

Now it seems i must add a fifth layer.

5) Sandbox e.g Defensewall, Bufferzone, geswall etc.

Okay, anything to say safe....

 

LOL the problem I have on my system, I don't know if it is related to my 64bit processor (it happens since I have it) is that I cannot install too much of that Kernel Level programs .. I encounter too much hassles, lockups, slow booting .. I tried a session without Tiny2005 and everything went ok but I refuse to uninstall it. In fact Tiny2005 offers everything allready from your points 3 to 5.

It has a nice feature: track n reverse which will bring everything back (something like virtualisation)
http://www.tinysoftware.com/home/ti...A1&&pg=content05&an=track_reverse&cat=cat_tf6

good luck and don't forget to give some feedback when you add that fifth layer DA, looking forward to read your comments

best wishes

 

Here's a copy of an actual email response i received from GentleSecurity support on the matter.


Dear Mr. xxxxx

GeSWall standard edition will remain free for any use. The license it
includes is only for automatic update feature. We could start charging
for
automatic update of Application Database, but the product will stay
free. Actually we don't even have such plans.

--
Best regards,
GeSWall Support
www.gentlesecurity.com


Hth

 

Thank you for the clarification sam_spade.

TA

 

Infinity, build 126 does offer memory protection:



There is a new protection in the currently available build 126.

It covers \Device\physical memory as well as an option to load and run some code in kernel memory through NtSetSystemInformation.
Not all Windows were affected, but some could be...

Since it is new, it is OFF by default. You have to turn it on manually in registry HKLM\...\Services\KmxSbx set value "SystemGuards" (REG_DWORD) to 1. Reboot is needed.

Not implemented on 64bit version of TF.

So maybe you can say Tiny covers (2) to (5)


Tiny is an awesome firewall/sandbox! Set it up correctly, combine it with Processguard, and a decent AV and you have one VERY secure system.

Tiny will restict spawns, access to registry, dlls, files, OLE/COM obects, services, code injection. All entirely configurable.The only problem is that is has a very steep learning curve.... but if you put the effort in you learn so much too.

Shame CA seems to be abandoning it - Tiny was the most complete package out there. I might be moving to KIS eventually.

 

Thanx Yorky35, I'm using Tiny since V5 and now when I finaly had the feeling Tiny is stable, they sell it to CA ..

I knew about the memory protection but as I'm using some other apps for that, I haven't updated it to the latest built...it's solid finaly...but I might go to KIS2006 myself ... it's just the overlap I will encounter when I install KIS...

have a great eve

Infinity

 

Under the blue plan component (2) - Memory scanner has nothing to do with protection of physical memory.

 

Oops, sorry devilsadvocate - was late when I posted, and misread point (2) - I assumed it was relating to memory protection.

 

Just food for thought, but the following was posted by suzi in a thread about GeSWall over on BBR:
------------
said by nonymous See Profile :

no name no telephone no address even a p o box.
You are absolutely right -- there is NO information about the company anywhere on the website.

»www.gentlesecurity.com/about.html

No privacy policy either. Maybe this is a fine upstanding company, but I'm not impressed based on the info, or lack thereof, on their website. Here's the whois:

»www.whois.sc/gentlesecurity.com

Hmm... the cached image isn't impressive either.

quote:Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com
Domain Name: GENTLESECURITY.COM
Created on: 29-Jan-05
Expires on: 29-Jan-07
Last Updated on: 07-Apr-05

»www.whois.sc/205.234.185.62

3 domains found on 205.234.185.62

»www.whois.sc/sazgala.com

quoteomain name: sazgala.com

Registrant Contact:

Andrey Kolishchak ()
315 091 717839
Fax:
st. Korablestroiteley, 22/3
N. Novgorod, 603150
RU

»www.whois.sc/securesize.com

quoteomain name: securesize.com

Registrant Contact:

Andrey Kolishchak ()
315 091 717839
Fax:
st. Korablestroiteley, 22/3
N. Novgorod, 603150
RU

GeSWall Team(Unregistered)@cust.bluew, perhaps you could fill us in on this company since you are apparently a representative.

Maybe the app is ok, but personally, I wouldn't trust a company with no information available, no privacy policy, and using a proxy registrar besides.
----------------------------------------

Again, that was posted & researched by suzi, not me............

 

Has anyone ran leaktests on this?

 

yes,failed most of them. But not surprising to me. You aren't supposed to use GEswall to block leak tests lol.

 

Wait so it fails leaktests? so just how secure is my system if i just use geswall?

 

Safe enough. 'Leak tests' aren't that important IMHO, I would bet most people here have systems that are not protected from public leak tests, much less other methods.