Any way to disable logging in Geswall

Discussion in 'other anti-malware software' started by spamyou, Oct 5, 2007.

Thread Status:
Not open for further replies.
  1. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    I tried Geswall freeware and currently trying professional. A Sandbox would be ideal for my wife, who spends a lot of time on foreign sites that sometimes have issues with malware, and I would not mind surfing in one myself.

    The good. Geswall does not slow surfing at all, and is the only sandbox I have tried that does not, and I have tried several. Sandboxie, I like, but slows browsing a second or two, which gets annoying after a while. Greenborder was great for speed but corrupted links and thus unusable. Several others slowed browsing considerably.

    The bad, Geswall logs essentially every internet site you visit, every file, etc and apparently saves this info for years. This is more intrusive than any spyware I have seen. I was going to get the pro version, til I saw the logging. What were they smoking? Is there not any way to disable this? wtf with all the firewall, etc needing to log everything. If it can be turned off, fine, if not, I have no need for spyware.
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    From GeSWall's FAQ:
    When you terminate the browser, the logs are cleaned :)
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Some off topic posts removed. Personal attacks are not allowed here and will be removed.

    Think before you post and remember, we are talking about software here, not each other.
     
  4. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi all,

    GeSwall never logged my surfing :blink: only when apps breaking policy rules

    MaB
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    QUESTION: Is GESwall consistently being updated with improvements and/or bug fixes. Sorry if anyone feels like "why don't you have a look yourself", i have tried this one in the distant past and liked it, but ATM, sandboxie is working so well i don't have the heart to test any changes in GESwall for fear i'll be lured away after waiting eons for a perfect stable Sandboxie version that now works like a charm.

    Still, my eye always runs to every GESwall post & reply because i really found it unique back then and can only summate that it must be even better by now.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Spamyou,

    GesWall free and ThreatFire free make an excellent couple
     
  7. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    All the banking, financial, etc sites I visited via my links, were all visible in the log, and no easy way to delete that information. 10% of my free disk space would be about 60 GB, long wait prior to deletion, and log was still there after closing browser. Most AV and firewalls have a check box that allows you to turn off logging, would have been nice for Geswall to have as well. I suggested that to them via their site, but as a single suggestion, not holding my breath. Back to the drawing board for now.

    Easter, they have a 2.7 beta version, so apparently they are actively improving it.

    Threatfire not familiar with, will look at that.
     
  8. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I am testing Geswall free right now and looked at the log in Geswall, all I see is the stuff Geswall has isolated. Nothing about any websites I've been visiting today o_O Exactly what log are you referring to? Are there more logs than one in Geswall?
     
  9. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    hello easter i've been using geswall for a while and i'll try to answer your question the best way i can :)

    1) is it being updated with improvements? yes, like a previous user mentioned they are currently testing geswall beta 2.7 (new features include tracking isolated files created by applications and a window showing all applications that are running isolated where you can do things like terminate them or whatever). the thing i love about geswall is that it's super effective without being bloated. the download is like 5 megs and i've never seen the thing use more than 8-9 megs of ram TOTAL (and half of that is for the geswall effects, you can safely shut that sucker down and have geswall still work flawlessly).

    2) bug fixes : like i said been using geswall for a while and the only 2 major bugs that i am aware of (and have been fixed) were the "explorer isolation" bug (that never happened to me) which would cause the machine to freeze and the "isolated task manager is capable of shutting down unisolated applications" and both have been fixed. they are really on the ball over there at gentlesecurity. more importantly they actually take suggestions you make about the software seriously.
     
  10. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Well if I still had it installed, I would post a print screen. But after installing it, first thing I did was check to see if it slowed surfing. I clicked on ~15 links (IE 7 my Links under URL bar), and when later found log, all links were listed as something like "documentandsettings/my name/name of link then lot of other info. Also I had visited toms hardware page and it was visible there. There was some little policy indicator flashing in bottom right, which I turned off, and the irritating flashing browser thing turned off. Then tried to delete the log entries that had my bank names etc in there, and could not, so deleted program. can't tell you more than that.
     
  11. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Hmm...maybe you have some kind of logging malware (BHO?) that Geswall isolates?
    The pic below shows what my Geswall log has. That is what is happening when I surf around. I restarted my computer 8 this morning and have been surfing around now and then whole day (even to my bank to see if it got logged) but the whole log looks like the pic - no www addresses are recorded...
     

    Attached Files:

  12. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    No malware on my computer. Ok, just to double check redownloaded and did same thing. This is what I am talking about, just clicked on my IE 7 links and listed in log just as I previously said. You are using firefox, maybe that is the difference. Or maybe it is an issue with my dropmyrights IE7.
     

    Attached Files:

  13. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    I'm using IE7 as well and I get no access attempts to favorites files (I have my links bar filled with shortcuts to programs that I use in Explorer). Try running IE without dropmyrights.
     
  14. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Ok, tried using actual internet explorer icon (which does not surf via dropmyrights), and getting same problem.

    If no one else is getting this, what am I doing different? I am using the browser isolated, which I assume everyone is (checked yes to running isolated).

    Playing around some more, I have 17 links across the top, 14 when I click on give me the policy window bottom right and hence entered in log, 3 neither give a policy prompt nor log entry. However, all 17 if I right click on shortcut and click properties, I get policy prompt.

    I tried surfing from a search in google, and it did not record any sites, only seem to get policy window and logs when click on saved links.

    Could you try putting shortcut to google on links, if not already there, and see if it gives you a policy alert right or left clicking on it. If not, then maybe I need to completely delete dropmyrights (its a pain to set up), or I have something else that is different.
     
  15. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    When I click on a google link in IE7 links bar, I get these 4 log entries:

    Have you used any security hardening utils on that system?
     
  16. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    First, thanks for taking the time to do that.

    I have ZAP installed but its turned off. Nod32, dropmyrights, lot of ms services turned off. No hardening or other programs though.

    I guess I need to completely uninstall dropmyrights and see if that helps, (have to get in the mood to set that back up first though). clearly there is something different, but don't know what.
     
  17. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi spamyou,

    I'm not an IE user.
    Your favorites are sandboxed so GW virtualizes each access to this folder (by clicking on a link for example)

    Try this : in GeSWall mmc, add this rule to Internet Explorer :

    %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites%

    Resource type : File
    Permission : Allow

    or use the Wizard if you are using 2.6 Pro

    Hope this helps you

    MaB
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Thank You zopzop for sharing your finds and suggestions. I must say it does seem to work as claimed but how would you compare this to say Sandboxie?

    The reason i ask is that as you know, every product developer always jockeys to make theirs the most sought after in user satisfaction. Personally, like i said before, i did try GESwall for a time and i really did see satisfying results but for some reason at the time i felt it was just more than i needed. Possibly my own confusion regarding its settings because i run into similar frustrations with other programs. Guess i'm one that used to quickly dismiss anything that i couldn't understand right away.

    Thats what i felt about the HIPS system safety monitor at first, then after weeks of tweaking and observing the results it became more familiar. I'm going to give GESwall a try on one of my snapshots and see what develops.

    Thanks ever so much for your reply and others for your comments and sharing your concerns & honest opinions.
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    you're welcome easter :)

    as to how i'd compare this to sandboxie (which the last version i tried was 2.x), i'd say i like geswall slightly better. there are just some things about sandboxie that irk me, nothing major mind you, just minor stuff. stuff like keyloggers like martin's still recording keys of unsandboxed programs while it's running inside the sandbox, things like the 2nd registry test by ghostsecurity that simulates a shutdown actually shutting down or freezing explorer even when the registry test is sandboxed, etc.... i mean these aren't life and death issues since you can have a separate antikeylogger to assist sandboxie and freezing/shutting down explorer isn't gonna wreck your system.

    i like to use the LEAST amount of security software as possible, because i don't want to put a huge hit on my system resources. geswall (8 megs of ram), comodo (18-20 megs of ram), and antivir (8 megs of ram) play well together, don't strain the CPU, and use a total of like 40 megs (give or take a few megs) of ram (this will go down even more when comodo PFW version 3 is released, the beta only uses like 8 megs or something of RAM total!).
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    So in your opinion, you would recommend free or Pro version? Surely Pro version covers more real estate and affords additional useful protective features no doubt.

    Right now i'm head over heels with Sandboxie's latest version because just like you, "ALL" the previous builds "irked" me with various small issues but disturbing enough that i gave up on it. I gave up on Snoopfree too because of BSOD's, but as soon as they went freeware and i installed to try it again, whatta ya know, it became perfectly stable and still is. Same applies to Sandboxie right now, but i do take serious credence in the fact there are "misses" in Sandboxie whereas not in GESwall, and that just might be enough to turn my attention in GES's favor.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    GeSWall is lighter, probably the lightest sandbox next to Defensewall. I also like its architecture (I don't like file virtualization, although there's nothing wrong with this approach), the custom rules and it fits perfectly in my vision of security setup. I've developed a great affection towards GeSWall.
    You should be fine with the free version and some custom rules if you like, but the Pro version is a worthwhile purchase.
     
  22. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Thanks for the suggestion, that might well work, but someone from geswall emailed me back, and I can turn off the log via change in registry value, which I did, and no logging now (also disables application wizard, but that does not bother me).

    EDIT: Actually adding that rule did fix the problem. thanks, now I have two solutions to try.
     
    Last edited: Oct 7, 2007
  23. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    My concern with Geswall is with something I ran across at their site, FAQ, or somewhere. It was asked what the impact of just flagging files as untrusted, jailed and such by Geswall, if later Geswall was removed. The reply was something to the effect that uninstalling Geswall would permit all the "bad guys" under restraint go about doing their madness unrestrained. Since Geswall wasn't there any longer, they would be allowed full access.
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Empath,
    Malware installed under isolated mode is crippled malware (no autostart, no service, no kernel driver, etc.). On the other hand, if I'm going to uninstall GeSWall, I'll delete untrusted files first.
    But your concern is a logical one, that's why sandboxes which create a virtual container (i.e. Sandboxie) may fit better some users.
     
  25. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,912
    Are you absolutely sure Sandboxie is slow? I thoroughly tested it and it takes 3 to 4 seconds longer to load Firefox, however, then using the FasterFox timer, sites rendered less than .2 seconds slower and some .0X slower only. I used seven randomly selected sites with a clean cache over several days.
     