For DefenseWall or GeSWall owners thinking of going naked

Discussion in 'other anti-malware software' started by Kees1958, Jun 25, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    Rising Antivirus is now free, I have it installed with DefenseWall on an XP SP3 system (Athlon 3900). Ironically not set up for its real time AV protection (File protection) but its HIPS capabilities.

    DW marks all downloaded files as untrusted, so they can do no harm. I only use Rising to check web based scripts and e-mail.

    First level of defense
    Hardware router/FW (Nat SPI on message header level), using XP's FW for inbound (because on wireless, extra precaution besides encryption and Mac address control).

    Second level of defense
    DefenseWall (with one custom addition: mail directory and WebAdressBook as protected resource for Outlook Express, added Foxit reader and Scriptdefender as untrusted, also added the shared directories of LimeWire as untrusted)

    Third level of defense
    Rising Antivirus with
    - Autoprotect ONLY on (web based) scripts and mail, real time file protection not installed
    - Active defense, system reinforcement set to high, malicious behavior detection set to low, application protection (added all critical XP processes: winlogon, service.exe, csrss.exe, svchost.exe, wdfmgr.exe, lsass.exe, alg.exe - set first three allows to ask and for ctfmon.exe and explorer.exe also the keylogger, simulated key and sending set to ask), applicaton access control (only explorer.exe : allow start subprocess, aks global hook, driver loading and modification of kernel data)
    - scan: enabled (daily memory scan of memory and boot record)

    Fourth level of defense
    Seperate external harddisk with image copies (Maxxblast free) and data backup (syncback free)

    Works like a charm, fast and nearly naked. EDIT NOW ALSO DISABLED MAIL EN SCRIP SCANNER
     
    Last edited: Jun 28, 2008
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Kees1958

    Not sure I understand the point. The term "nearly naked" eludes me a bit. Since we use the term "naked" around here to mean no anti-virus, you aren't running nearly naked, you have an AV installed.

    If the point is the rest of the setup is so good you don't need an AV, that's fine.(and I don't disagree with you). To me the price of the AV isn't as much of an issue as the load on the machine, and I don't miss that.

    Pete
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pete,

    You got me there: nearly naked does not exist, is either full monthy or not. :D

    Yep I was addressing the performance issue in three ways

    a) Rising is not checking files and executed processes real time against its blacklist, only mails are scanned (which happens not so often, so a performance gain) and for webscanning only scripts are scanned.

    b) Rising's OS protection and application access (what intrusions explorer is not allowed to) and application protection is focussed on the core executables of the operating system (in stead of a HIPS or a behavioral blocker looking at everything). This dual independant apprach of target (application protection) and source (application accesss control) really is a smart feature of Rising.

    c) So Rising is merely used for its HIPS capabilities focussing on keeping the core lements protected. Assuming that Defensewall limits the threatgates, this would imply that all other processes should stay clean (because defensewall limits the possible origin of malware by caging them in a strong limited user environment). Therefore the behavioral blocking (of other non-core OS aps) is set to minimal to reduce both false poistives and stress on the system.

    This combo is a lot faster than TF with DW (mind you setup with TF scored better in CPU benchmark than using Antivir, although CPU time of TF was higher). I now have CPU usage better/equal to to Antivir free and CPU benchmarh better/equal to TF, so it must the fastest setup I have composed yet.

    Hope this clarifies the setup.

    Regards Kees

    Note ad B
    Classical HIPS often offer a process based protection feature (such as D+ or SSM) but in these cases you always have to define their access rights first (because it is setup as parent - child control like SSM or in a single rule set like D+), before setting up their protection feature. The other advantage of Rising is what you do not specify is treated neutrally (in D+ you have to define every process or D+ has to learn its behavior, only upcoming version of OA has the option to not notify for new processes AND run those unknow process as SAFER).
     
    Last edited: Jun 25, 2008
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Glad you realized I was teasing a bit. As OA improves, for me it's really OA and Sandboxie. I also run SSM, but am slowly shutting down some functions, and just using it for fine tuning.

    But your so right, with a bit of care, you can run naked and be safe.

    Pete
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Next OA has this incredible feature, see https://www.wilderssecurity.com/showthread.php?t=212424

    I had discussion with Mike over this feature since the first free Beta. It will be such a user friendly and safety improvement. When you have OA paid (with Tony Klein's startup registry protection :thumb: ), why run SSM any longer?

    Regards
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    kees quick question just to be sure i did it right, you are saying here :

    allow : start subprocess

    ask : global hook, driver loading, and modification of kernel data

    right?
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I agree that BB is more reliable defence comparing to AV. But I use AV because it sometimes allows to recognize the beast in the very beginning of the game, just before it tries to start. Then it saves me some time I could spend reading and analizing BB alerts. And I value this time worth of those extra resources AV takes :)
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Correct
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Returnil + RAV's active defense modules running on my pc atm. Noticed application loading lag with RAV's on access scanner so figured to just dump file monitor module and email module since I use web based mail. Now my pc's running really fast :D Oh and I do regular reboots and may download and run Cureit to scan the pc for posterity :D
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    bman,

    With the file protection disabled, you can still run on demand scans. I will dump e-mail also, because my ISP scans them with open source AV ( :doubt: ), i will check startup of programs.

    K
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    if you are using Defensewall or Geswall you dont need anything else. Either one will keep you secure. When are people going start pulling the frigging "layers" off and realize that most of these products actually keep you safe. Be it these 2, Dr Web, Eset, or any others. How many times a day do you pull a virus out of your computers ass. Been quite awhile hasnt it.:doubt:
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Trjam,

    Yes indeed, I have asked myself the question what can bypass DW in updates of the what's your setup thread? Now only DW and rising's HIPS (SSDT Hook table show they do not conflict) and Rising's blacklist AV scan on webscripts.

    Rising only used to monitor the occasional install of new programs and for my assurance. But I guess with Anvir task manager and AVZ, I could do a post installation check and decide to rollback to a previous image also.

    Maybe in a few months DW only, but that would also imply the end finding better setups :'(

    regards
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I use Opera, so disabled the IE stuff, also cut down on file protection, because GW/DW take care of this also
     

    Attached Files:

  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Maybe.
    But I strongly believe in layers.
    If one should fail, another may stop.
     
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree with the layers to a point. It depends on layers and how well there put together.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I have my pc set to Show hidden files and folders, but how do I configure it to check there?
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    they are already protected with Geswall.
     
  18. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Wouldn't setting System Reninforcement to high automatically protect explorer.exe and other system processes?
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    There might be overlap. The websites states memory tampering as the protection provided with OS reinforcement. I have changed my settings, and tested, it is indeed redundant, so keeping it that way.

    Note I found out how registry/process/file acceptions are handled: in the process access control section (WARNING, when you put your exceptions in the whitelist, this means that this program is allowed to do everything). I think the 'not remember' is a bug in the english version. Even after adding this manual allow, the warning popped up. Only by unticking C:\Windows\system32 as a protected directory in OS reinforcement I could prohibit this warning (logical because it does not check now).

    I have defensewall gui (dir=defensewall) and defense server (dir=system32) marked as whitelisted programs.
     

    Attached Files:

    Last edited: Jun 28, 2008
  20. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Thanks Kees for the insight as well as the windows update setting :D
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    After a fews days testing, I have changed most of my Active Defense settings (except behavior blocking kept low setting), also de-installed script and email scanning.

    See pics, The program startup control kicks in when not started from the quick launch or explorer, so it's ruleset is quite clever. Protecting your brwser from illegal startup will cause some leak tests to fail :argh: Note that application access control for explorer is , allowed to start others, ask for global hook setting, ask for driver loading and ask for kernel data modification. Note that application protection is used to protect all critical XP processes (Vista users may be different), application launch to guard against suspicious starts of your browser/e-mail.

    FYI, see my settings (I do not proect IE or its directories from tampering, because DefenseWall already protects handles it as an untrusted resource).

    As a stand alone HIPS it is smart, easy to use and very effective. Consider it a configurable DSA with a smarter execution control (not according the classical HIPS do in an execute parent - child scheme, but with seperate protection rules on origin = application access control, malicious behavior AND target = Application startup, Application protection and System Reinforcement), and a bit of Norman Sandbox + ThreatFire combined in its Malicious behavior blocker, in short compared to classical HIPS it is much more user friendly/quiet and covers nearly same protection, Compared to an intelligent behavior blocker it puts less strain on system resources (malicious behaviour is more like an advanced implementation of active heuristics).

    Pleased until now, so running without classical AV, while using the HIPS of an advanced AV!
     

    Attached Files:

    • SP2.JPG
      SP2.JPG
      File size:
      156.5 KB
      Views:
      149
    • ap2.JPG
      ap2.JPG
      File size:
      239.9 KB
      Views:
      253
    • Xp2.JPG
      Xp2.JPG
      File size:
      151.5 KB
      Views:
      83
    Last edited: Jun 28, 2008
  22. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    kees, thanks for all the effort you put into this thread! now i do have a question though, what exactly does program startup control supposed to do protecton wise?
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    With GeSWall Pro running on default settings, what are the type of activities or files that an AV would protect against that GeSWall wouldn't? Install of new programs, and that's it?
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    It gives enhanced control of the startup of specified programs. Like SensiveGuard it has cut down the execution monitoring on starting an application by excluding user initiated starts of these programs (like starting from Start-> programs, Explorer or Quick launch task bar).

    So by adding your browsers, you are warned on spawning/starting the browsers by other programs. For members interested in Rising and not having DefenseWall or GeSWall, it would also be benificial to add the browsers (IE7, FF, Opera) in the application protection.

    Although Rising uses classical HIPS mechanism, it's implementation is really smart: it has source and target (of attack) protection, focussing on the OS core and critical application (to be entered by the user). This approach reduces the pop-ups greatly (normal guarding for all, configurable stricter monitor for a few). This is also the reason why it is the perfect companion for a policy sandbox (focusses on the threatgate applications, while Rising's HIPS focusses on the vulnarable OS parts, or in simple terms DW/GW reduce the attack surface and Rising hardens the vulnarable parts).

    In the AV section of Rising on Wilders a link was provided by Guest http://www.raymond.cc/blog/archives...ivirus-worthy-of-praise-avg-free-alternative/ the conclusion in capital: I am impressed. This is in line with my limited testing.

    Regards Kees
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re install:
    All user space installs, try for instance a few leaktest programs (I forgot which), even in their untrusted state you can install them. Also (my reason to prefer DW over GW besides its ease of use), when you accidentally move a file from partition A to B, DW changes its state to trusted, so even ring-0 installs are allowed. Our XP box is our shared home pc, so this feature of GW is not acceptable to me. In regard to DW (with total untrusted file control), I also like to control user mode installs which affect the system integity.

    Re AV:
    I only use the HIPS part of Rising, so in regard to additional benefits of an AV, I am not questioning your statement (although Avast with its incoming data streams scanners provide early recognition of known malware)
     
    Last edited: Jun 28, 2008
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.