A quick DefenseWall question.

I have added a folder using the 'Add' tab under the 'untrusted applications' tab in Dwall 2.56.
It then shows up in the 'untrusted applications' list.
However, when i then browse to the folder,
i dont see the * and the (DefenseWall Status: Untrusted) message.
Why is that?!

Also, i have kept a few MP3 files in this folder.
Winamp is my audio player, and i have not added it as an 'untrusted application'.
So, if i browse to this folder,
and double-click the MP3 file,
it opens up Winamp to play the file,
and i dont get any message telling me that the MP3 file is running as 'untrusted'.

 

Here is the forum for defense wall, half way down the forum you'll see it. Post your question here. http://gladiator-antivirus.com/forum/index.php?

 

That's probably because the MP3 file isn't running at all. It's not being executed, so it isn't "running" in the sense that a program runs but data files are only read or written to. I would think DefenseWall doesn't "untrust" mp3 files or other such files that aren't programs. It would be pretty pointless to do.

 

@ SIR****TMG
Its strange, but im still not recieved the activation code in my email.
I guess i will try again.

Ah, this is interesting.
After what you said, i first went to another folder that was not being monitored, or didnt have the 'untrusted' tag in the list.
Then i created a .rar file.
Opened it in winrar,
ofcourse DefenseWall didnt say anything.

Ok, then i copy this rar archive,
take it to the 'untrusted' folder (whuch dosent actively show up as untrusted, like in firefox or ie)
and paste the rar file in there.
Then i again open it in Winrar,
and then immediately it is marked as untrusted in DefenseWall.

Edit: ooh!! and not only that, now once it is tagged by DefenseWall as 'untrusted' just by being placed in the folder,
now i can move it anywhere else, on my desktop or any drive,
and it is now still marked as untrusted!!
Awesome!

 

Nope DW trusts and untrust objects, including data files, so you can have an untrusted word document while word is a trusted application.

DW should mark the MP3 file played with Winamp as untrusted, because the directory is marked untrusted where the MP3 file is located.

Logic behind it: code and data are not strictly seperated anymore, Some data formats have metadata which looks like scripting code or some formats (XML) contain executable code. Remember the WMF or PDF exploits?

 

Hmm, so then the MP3 file should be marked as untrusted?

But then, if winamp itself is not in the untrusted list,
then the mp3 will play in winamp (as its NOT untrusted),
so then......

 

Have a look with right context menu of DW for that MP3 file, what does it say?

As far as I know, but you should ask Ilya, when an untrusted document is processes by a trusted application, the document is still contained in a stronger than LUA environment.

Regards Kees

 

Yep DW has total untrusted file control

 

I really don't know what logic DW uses to trust or untrust objects or containers - I'm not a DW user. While anything can be executable when thrown in the right interpreter, and this has always been so, most often security products make some distinction between "safe" data files and executables. Some of course don't, and I don't know if DW is one of the latter. However, my point is, MP3 files aren't programs. If you open an MP3 in Winamp, you're not running a program or creating a process out of the MP3 file. It's just a data file being read. So, it would be strange for a security product to prevent playing an MP3 file in Winamp or somehow warn about it.

Sure, I remember the WMF exploits, and it's rather impossible not to remember the PDF exploits that are still going on in full force. But those don't really mean that an MP3 or a TXT file should be considered executable and somehow untrusted. I wouldn't spend my time worrying about such files. In any case, the DefenseWall dev Ilya can surely explain how DefenseWall works with MP3 files. Perhaps the original poster has made some sort of configuration error while trying to make a folder untrusted.

 

The logic is as you say some data formats also contain script/code. Defensewall has a build in list of data formats which are automatically unrusted when downloaed by an untrusted program (f.i. a P2P program downloading a MP3 file). The idea is that DefenseWall users do not care, Ilya will figure this out.

I know he does not contain txt files with DW, Some time ago there was some noise about codec downloads of MP3 files and some POC or exploit (i believe) related to Quicktime. So maybe MP3 files are also contained for that reason.

Making a shared folder (for P2P program) untrusted is a good idea, because it is a possible entry point of executable code.

 

Whoa, check this out:
http://i36.tinypic.com/1449v2f.png
Thats what it says when i right-click the MP3 file,
and go to DefenseWall-File Properties.

Thanks for your reply Kees1958,
man does this forum has a high concentration of security experts!!

 

In fact, the answer is very simple:
1. You browse the folder with trusted file manager (Windows Explorer your case, as I suspect), so, there is no untrusted status should be visible.
2. mp3 files are not executable, but Winamp is. So, Winamp is within built-in untrusted list and marked as untrusted. The same way as Windows Media Player, for instance... In fact, if a file is potentially dangerous, but not executable by itself, it's controlling executable is untrusted (media player, your case) or covered by the untrusted ruleset (.bat/.cmd files, for instance).

 

Makes sense. Thanks for posting!

 

yes it is, i now notice it!