A quick DefenseWall question.

Discussion in 'other anti-malware software' started by Lebowsky, Sep 28, 2009.

Thread Status:
Not open for further replies.
  1. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    I have added a folder using the 'Add' tab under the 'untrusted applications' tab in Dwall 2.56.
    It then shows up in the 'untrusted applications' list.
    However, when I then browse to the folder,
    I don't see the * and the (DefenseWall Status: Untrusted) message.
    Why is that?!

    Also, I have kept a few MP3 files in this folder.
    Winamp is my audio player, and I have not added it as an 'untrusted application'.
    So, if I browse to this folder,
    and double-click the MP3 file,
    it opens up Winamp to play the file,
    and I don't get any message telling me that the MP3 file is running as 'untrusted'.

    :blink:
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571

    That's probably because the MP3 file isn't running at all. It's not being executed, so it isn't "running" in the sense that a program runs but data files are only read or written to. I would think DefenseWall doesn't "untrust" mp3 files or other such files that aren't programs. It would be pretty pointless to do.
     
  4. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    @ SIR****TMG
    It's strange, but I've still not received the activation code in my email.
    I guess I will try again.

    Ah, this is interesting.
    After what you said, I first went to another folder that was not being monitored, or didn't have the 'untrusted' tag in the list.
    Then I created a .rar file.
    Opened it in WinRAR,
    of course DefenseWall didn't say anything.

    Ok, then I copy this rar archive,
    take it to the 'untrusted' folder (which doesn't actively show up as untrusted, like in Firefox or IE)
    and paste the rar file in there.
    Then I again open it in WinRAR,
    and then immediately it is marked as untrusted in DefenseWall. :D

    Edit: ooh!! And not only that, now once it is tagged by DefenseWall as 'untrusted' just by being placed in the folder,
    now I can move it anywhere else, on my desktop or any drive,
    and it is now still marked as untrusted!!
    Awesome!
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nope, DW trusts and untrusts objects, including data files, so you can have an untrusted Word document while Word is a trusted application.

    DW should mark the MP3 file played with Winamp as untrusted, because the directory is marked untrusted where the MP3 file is located.

    Logic behind it: code and data are not strictly separated anymore. Some data formats have metadata which looks like scripting code or some formats (XML) contain executable code. Remember the WMF or PDF exploits?
     
  6. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Hmm, so then the MP3 file should be marked as untrusted?

    But then, if winamp itself is not in the untrusted list,
    then the mp3 will play in Winamp (as it's NOT untrusted),
    so then......o_O
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look with the right-click context menu of DW for that MP3 file, what does it say?

    As far as I know, but you should ask Ilya, when an untrusted document is processed by a trusted application, the document is still contained in a stronger than LUA environment.

    Regards Kees
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep DW has total untrusted file control
     
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I really don't know what logic DW uses to trust or untrust objects or containers - I'm not a DW user. While anything can be executable when thrown in the right interpreter, and this has always been so, most often security products make some distinction between "safe" data files and executables. Some of course don't, and I don't know if DW is one of the latter. However, my point is, MP3 files aren't programs. If you open an MP3 in Winamp, you're not running a program or creating a process out of the MP3 file. It's just a data file being read. So, it would be strange for a security product to prevent playing an MP3 file in Winamp or somehow warn about it.

    Sure, I remember the WMF exploits, and it's rather impossible not to remember the PDF exploits that are still going on in full force. But those don't really mean that an MP3 or a TXT file should be considered executable and somehow untrusted. I wouldn't spend my time worrying about such files. In any case, the DefenseWall dev Ilya can surely explain how DefenseWall works with MP3 files. Perhaps the original poster has made some sort of configuration error while trying to make a folder untrusted.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The logic is, as you say, some data formats also contain script/code. DefenseWall has a built-in list of data formats which are automatically untrusted when downloaded by an untrusted program (f.i. a P2P program downloading an MP3 file). The idea is that DefenseWall users do not care, Ilya will figure this out.

    I know he does not contain txt files with DW. Some time ago there was some noise about codec downloads of MP3 files and some POC or exploit (I believe) related to QuickTime. So maybe MP3 files are also contained for that reason.

    Making a shared folder (for P2P program) untrusted is a good idea, because it is a possible entry point of executable code.
     
    Last edited: Sep 28, 2009
  11. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Whoa, check this out:
    http://i36.tinypic.com/1449v2f.png
    That's what it says when I right-click the MP3 file,
    and go to DefenseWall-File Properties.

    Thanks for your reply Kees1958,
    man, does this forum have a high concentration of security experts!!
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, the answer is very simple:
    1. You browse the folder with a trusted file manager (Windows Explorer in your case, as I suspect), so no untrusted status should be visible.
    2. mp3 files are not executable, but Winamp is. So, Winamp is within the built-in untrusted list and marked as untrusted. The same way as Windows Media Player, for instance... In fact, if a file is potentially dangerous, but not executable by itself, its controlling executable is untrusted (media player, in your case) or covered by the untrusted ruleset (.bat/.cmd files, for instance).
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Makes sense. :thumb: Thanks for posting!
     
  14. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    :blink: Yes it is, I now notice it! :gack:
     