GesWall and custom rules

As I guess there are quite a few users of GesWall here. I wonder how many of them use custom rules in GesWall console.

I just tried a few custom made rules and found it intereting. So I want to share these( if more users will be inclined towards custom made ruls, that might lead to development of more options in GesWall console as this product is under active development). It,s basically sole purpose of this thread.
To create new rules in GW, open GW console and in left hand column right click Resources> Add Resource and a popup menue will open where u can specify type of rule( Security Class- means confidential folder, untrusted file/ application/ folder, etc). Specify the type of resource( file or device etc) and finally specify the path to that file/ folder. Here are some exmples that I tried.

1- Confidentila folder: U can mark any folder confidential in GW. Isolated applications will have no access to these folders. Bt default GW make a dolder in my documents with the name " Confidential". I renalmed it to " Booklet" and edited the rule for it accordingly.
When u try to access this confidential folder" Booklet" via IE, GW gives a warning popup that IE is trying to access a confidential folder, if u deny access, IE can,t access this folder anymore and no more warning popup for the rest of session. U will only get this pop up again if u repeat same procedure with a new IE session. So one popup per session.

 

2- Deny write to any folder/ partition( Deny Create): U can specify folders or HD partitions etc where isolated applications can,t write and so can,t create any files/ applications etc. I made all my non-system partitions as Deny Create and when I try to save any file on these partitions via isolated IE, IE is denied access to non- system partitiuons. Similarly I made Windows directory on my C drive as deny create, so all isolated applications browsers etc are not-allowed to write/ modify any file in windows directory. By default GW denies any file creation by isolated applications in Windows start up directory.

This gives a very good protection if some driveby download via IE tries to add itself to Windows startup directory or Windows directory or System32 folder.

 

3- U can mark any folder untrusted and all applications/ files in this folder( present at the moment or added later) will be marked untrusted( Jailed) automatically( Jailed Application - an application that has no permissions by default and may access only explicitly granted resources).

 

4- U can mark ur CDRom as ThreatGate, it will mark ur CD/DVD as a source of untrusted( isolated) files. This means everything you start from CD/DVD will be automatically isolated and will not infect your system( including RootKits). ( This featue is not working in curent version of GW but it was working in a previous version and I have notified it to GW support, hoping to be fixed in next version. It is working in the latest non-public beta of GW).

I copied IceSword files on a CD and added an autorun file for it. On CD autoplay, IceSword failed to load its driver and could not initialize.
5- Exactly in the same way you can mark any folder on ur hard disk as ThreatGate and all applications/ files from it will launch isolated.

 

6- U can mark ur CDRom and any folder on ur Hard Disk as untrusted( jailed) in the same way( choose security class as ' Untrusted'. No application will be allowed to execute from this folder or CD Rom.

5- Finally u can stop execution of any application on ur system by putting it in jailed applications in GW console. Yes, one fix for the annoying Antivir nag popup is here as well. Put avnotify.exe as jailed application and u will not get any popup during Antivir,s update. I have tested this with an older version of GW and I didn,t even get any error message about avnotify.exe not initialized properly but can,t say about the latest version. ( BTW I hope it doesn,t violate Antivir,s EULA so I described it here. Pls let me know if my thinking is wrong ).

 

excellent post aigle. the only custom rules i set for geswall are the cdrom one and making "my documents" confidential. this is a nice "how to" for new users (and people like me who are forgetful ).

@lucy85

LOL geswall is the gift that keeps on giving

i freaking love this program. i don't even recall how i came upon it but, am i ever glad that i did!

 

thanks alot for this thred aigle.iam new to geswall and this thred really helped me out...

 

@Zopzop, theshadow, Thanks for ur input.

 

Thanks Aigle,

Just what I was looking for!

 

Hi Aigle,

Nice post. What I like about GW is that you can define confidential folders with exceptions per untrusted applications. I have for ease of backup reasons moved the Outlook Express folder to My documents (as a subdiretory). Personal directories are set to confidential, with the exception of the folder containing the OE messages/contactbook only for OE.

Other sandboxes allow also confidential folders, but provide it as switch for all programs. This reduced the usability because e-mail is an untrusted applicationm, but needs to access the messages recieved.

Other nice trick which a lot of sandboxes offer is to define the shared directories (for P2P) as untrusted (and the also the incomplete folder of LimeWire).

Regards

 

for free or pro version?

 

Sorry Korb,

I was referring to the Pro version.

Regards Kees

 

I was wondering about how to go about setting up programs with "jailed" status.

 

In my limited experience, the application marked as jailed will not execute unless permitted by specific rules. I think u might totally control an application via specific rules for it by this way but it might need a lot of work. I used it to stop avnotify.exe in Antir PE classic.

 

Hi,

How could i miss this thread ?

Great work aigle a very informative post
I don't why this kind of post is not pinned in (the nearly dead) Gentle Security forum

May be my words are a little harsh ?

Thanks aigle

Regards,

MaB

 

It was long ago MaB69. I will consider to post it there if their forums become alive again.

Thanks