defencewall ?

Just started using defencewall as it sounded like a good product ,normaly use sandboxie for browsing. Can someone explain what defencewall is supposed to do? is it ment to protect from exploits ? i tested defencewall on a website with a wmf exploit that is still efective against internet explorer and unpatched xp machines. When i visited the site with internet explorer "untrusted" the wmf explot ran as usual and launched the windows fax viewer to run the exploit.
Defencewall detected nothing. Is defencewall ment to detect things like this ? i meen files were downloaded automaticly to a temp folder and launced automaticly and the wmf exploit was run and nothing at all was detected by defencewall. what does this meen?. Because the exploit was launched by internet explorer "untrusted" would the exploit be sandboxed or would it have run normaly? either way i would of exspected defencewall to notice all this automatic downloading and executing, or have i got the wrong idea of what this product is ment to do The site with the wmf exploit >>> ~removed link to infected site~

 

defensewall doesnt detect anything. what it does is contain a list of untrusted apps like p2p or browsers which then are restricted in what they can do. any processes they spawn are also untrusted. if u suspect ur infected just click the button to close all untrusted apps and if malware was indeed started by IE or other untrusted app, it will also be terminated. u may want to look over this thread for defensewall

 

so its just a sandbox? lol sandbox can prevent perment damage but do nothing to prevent infomation theft
and it does detect look in the event log to see what it detects an example below, I was wondering why it didnt detect the downlaod and auto executing in my test as it detects importent reg keys,system files that are importent. I guesss it upto us to add all the impotent security risk areas to the secured files area then maybe it will notice? it just made sence to me that if it detects altered registy keys made by msn messenger then detecting a download and auto execution from a tempory folder used by internet explorer should of been top of its list as this is where most adware and toolbars and exploits are first downloaded to, its not very clear exactly what areas of the registry and system this programe is protecting what type of system modifactions is it detecting ?

Attempt to set value LogSessionName within the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSN\MCC\

 

to be generic i just call it a HIPS since im unsure what qualifies a sandbox.

 

LOL for your pleasure http://en.wikipedia.org/wiki/Sandbox_(computer_security)

 

Incorrect. It depends on the type of sandbox. Sandboxie doesn't enforce file reading/directory listing or registry reading protection, but other types of sandbox do. The UNIX chroot does, Core Force for has file reading/executing/writing, directory listing, registry reading/modifying protection (though you do have to enforce them on the executable before running it). So it does prevent information theft (and you can even track down if it's trying to do so).

 

sounds good! but the link is broken. what windows sandboxs's you know of that will prevent registry, file reading when malware is executed in the sandbox? how does that process work,can the sandbox allow keys and files to be read and added to enable software to install via the sandbox, but at the same time prevent any potention malware in that software from reading from the hardisk?

 

Works for me.

Hmmm... only this one, though I'm pretty sure there is some other one

Sure it can... you have to enforce the limits on the installation executable (or the Windows installer, maybe)... the only problem is, you need to really know what to protect and what to allow so that nothing breaks, and it might take an awful long time. What you can do in less time to inspect the behaviour (I guess, I still have to try it) is use Sandboxie and set a policy in Core Force for logging everything the executable does, plus a policy to competely block its access to the Internet. You enable the rule just before you start the executable in Sandboxie; that way you'll be protected from file/registry modification, you'll be able to do an emulated "install" for the executable without it breaking down for lack of permissions, and you'll be able to spot all its attempts at reading/modifying files/registry keys, you'll be protected from it getting at system level, etc. Mind you, I'm not saying you should go and try every malware out there. Don't, unless you really know what you're doing.

 

I have been trying to follow all this on DW and cannot really see the need for such a stand alone program at that price. I have PG Pro and from all that I have read and asked about, does all this and more as standard. Not saying DW is not a good program but in my case cannot see it is warranted.