Beta-testing of the DefenseWall Host Intrusion Prevention System.

Discussion in 'other anti-malware software' started by Ilya Rabinovich, Sep 19, 2005.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hello everybody,

    I would like to offer my new DefenseWall HIPS program for beta-testing purposes. A registration
    period for 100 years is guaranteed to all active testers.

    DefenseWall is a fully functional software sandbox for trojan/adware/spyware protection and
    works with Windows 2000/XP operating systems. The program idea is easy and simple. All applications
    are divided into trusted ones and untrusted ones. Everything is allowed for the trusted
    applications, but there are many restrictions for the untrusted ones. The restrictions are as
    follows: modification of the sensitive file system folders (e.g., My Documents, Windows, Program
    Files), registry keys (e.g., autorun, browser and system application settings, etc.), and the entire
    system (installation/changing/deleting of drivers and services,
    protection of \Device\PhysicalMemory, setting of global window hooks (against so-called
    keyloggers), etc.).

    DefenseWall HIPS protects trusted applications from being modified by untrusted ones. All the
    processes launched by untrusted applications are also untrusted. In case of dangerous behavior the
    untrusted application gets blocked by the DefenseWall HIPS and the program notifies the user about
    that by a red icon in the system tray. The main feature of the DefenseWall HIPS is the "Close all
    untrusted applications" button. If you feel that the system behavior is strange or there are some
    unknown processes in the Task Manager - just push this button and all the untrusted applications
    with trojans/adware/spyware inside will be instantly closed. And, because it is impossible for the
    untrusted applications to modify autorun settings, they will never be run again. Later you may
    clean them up during the planned antivirus scan.

    The program is very light-weight, uses minimum CPU resources, shows no popup windows: everything
    is easy and simple.

    The program itself is a fully functional 30-day beta.
    http://www.softsphere.com/cgi-bin/redirect.pl?Name=DEFENSEWALL


    There is no help file by now. Also there is no registration functionality so far.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    i tried it, seems like a new concept. instead of sandboxing untrusted apps, it sandboxes trusted apps and lets u close everything else. also, is it supposed to crash/close if u try adding a lot of entries for trusted apps? i tried adding all my current processes and it closed without saving it.

    edit: nvm, the list is for untrusted apps and i figured out why it was crashing. u cant add "system" to the list.
     
    Last edited: Sep 20, 2005
  3. It looks very interesting, let's try it and see what happens
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    The conception of the DefenseWall program is to isolate trusted processes from the untrusted ones. Untrusted are the processes which use potentially dangerous content from the Internet (browsers, e-mail, P2P and IM clients, script engines, etc.). All the untrusted apps may be closed by the "Close all untrusted applications" button.
    You don't have to add system processes ("System", "svchost", "lsass") to untrusted. Otherwise there will be problems with user/sharing/driver/service manipulations. To protect system processes you may use a firewall (even the built-in one) or a good buffer overflow protection program.
     
  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    how can defensewall protect you from malware? if u acquire malware thru IE then i doubt closing IE would do anything about the malware.
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Oh, you haven't understood the ideology of DefenseWall. OK, I'll explain. If malware has run some additional processes, they will be untrusted because their parent process is untrusted. So, malware can not modify system and IE settings to autorun. And if we close all the untrusted processes (not only IE, this button closes all untrusted!), the malware file will never get run. There is a great difference between a malware file (it is harmless) and a malware process.
     
  7. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    so if IE is untrusted then it runs malware, the malware is also untrusted? thus closing IE closes the malware. am i correct?
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not quite. Yes, malware will be untrusted, but it won't be closed if you close IE. It will be closed if you push "Close all untrusted applications" button with the DW.
     
  9. justanoob

    justanoob Guest

    Basically it works like this

    1) You have trusted or untrusted programs

    2) Untrusted programs will spawn children processes which are untrusted too.

    3) There is a button to close all untrusted programs.

    4) Untrusted programs are restricted from doing a list of stuff.

    Easy enough to understand.

    I'm not certain what's new about the concept. Is it Point 2? Point 2 seems obvious and normal.

    I'm unclear about this though. You say

    How about untrusted applications from being modified by untrusted ones?

    Eg couldn't adware or spyware started by IE modify IE (untrusted)?

    I suppose it depends a lot on what "modify" means. And if untrusted applications are restricted enough (the list you give seems to be about the same as limited user account privileges), it can't do much harm anyway even to another untrusted program
     
  10. aintrust

    aintrust Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    1
    Quite right! Just minor corrections:
    1) You have trusted or untrusted applications, not programs -- DW has nothing to do with programs (i.e. program files on disks).
    2) Untrusted applications may (or may not) spawn child processes. All these "children" will be treated as untrusted too.
    3) Correct!
    4) Untrusted applications are restricted from doing a lot of stuff (ex., modify valuable registry keys, install/uninstall/start drivers, affect other processes (no matter trusted or untrusted), install system-wide hooks, etc.)

    Sure!

    No, it could not (in most cases, I guess :))! See point (4).

    Absolutely correct!
     
    Last edited: Sep 22, 2005
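    A toy model of the policy as post 1 and the four-point summary in posts 9 and 10 describe it, added here as an illustration; it is not DefenseWall's own code. The default untrusted images are two entries from ErikAlbert's list later in the thread; the protected paths, registry keys, restricted operations, the `Sandbox` and `drive_by_scenario` names and the sample process tree are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Trust(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


@dataclass
class Process:
    pid: int
    image: str      # full path of the executable image
    trust: Trust
    parent: Optional[int]
    alive: bool = True


def _under(target: str, prefixes) -> bool:
    """Case-insensitive prefix match (Windows paths and key names are)."""
    return any(target.lower().startswith(p.lower()) for p in prefixes)


@dataclass
class Sandbox:
    """Toy model of the trusted/untrusted split; not DefenseWall's own code."""
    # Default untrusted images (two entries from ErikAlbert's list in post 20);
    # matching is by image path, so how the process is launched is irrelevant.
    untrusted_images: Set[str] = field(default_factory=lambda: {
        r"C:\Program Files\Internet Explorer\iexplore.exe",
        r"C:\Program Files\Outlook Express\msimn.exe",
    })
    processes: Dict[int, Process] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)   # the "event log"
    next_pid: int = 1000

    # Constructed stand-ins for the restriction list in post 1.
    PROTECTED_PATHS = (r"C:\WINNT", r"C:\Program Files", r"C:\My Documents")
    PROTECTED_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                      r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                      r"HKCU\Software\Microsoft\Internet Explorer\Main")
    RESTRICTED_OPS = {"install_driver", "change_service",
                      "set_global_hook", "open_physical_memory"}

    def launch(self, image: str, parent: Optional[int] = None) -> int:
        """A child of an untrusted parent is untrusted whatever its image;
        otherwise the image path against the untrusted list decides."""
        par = self.processes.get(parent) if parent is not None else None
        if par is not None and par.trust is Trust.UNTRUSTED:
            trust = Trust.UNTRUSTED
        elif image.lower() in {i.lower() for i in self.untrusted_images}:
            trust = Trust.UNTRUSTED
        else:
            trust = Trust.TRUSTED
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        self.processes[pid] = Process(pid, image, trust, parent)
        return pid

    def _check(self, pid: int, kind: str, target: str, sensitive: bool) -> bool:
        """Trusted: always allowed. Untrusted: sensitive actions are denied and
        logged as an "attempt" (any log entry turns the tray icon red)."""
        proc = self.processes[pid]
        if proc.trust is Trust.TRUSTED or not sensitive:
            return True
        self.events.append(f"{kind}: {proc.image} (pid {pid}) attempt on {target}")
        return False

    def write_file(self, pid, path):
        return self._check(pid, "File", path, _under(path, self.PROTECTED_PATHS))

    def write_registry(self, pid, key):
        return self._check(pid, "Registry", key, _under(key, self.PROTECTED_KEYS))

    def system_op(self, pid, op):
        return self._check(pid, "System", op, op in self.RESTRICTED_OPS)

    def touch_process(self, pid, target):
        # An untrusted process may not affect any other process, trusted or not.
        return self._check(pid, "Process", str(target), target != pid)

    def close_all_untrusted(self) -> List[int]:
        """The "Close all untrusted applications" button."""
        closed = [p.pid for p in self.processes.values()
                  if p.alive and p.trust is Trust.UNTRUSTED]
        for pid in closed:
            self.processes[pid].alive = False
        return closed


def drive_by_scenario() -> dict:
    """The case argued in posts 5-8: IE (untrusted) runs a dropper; the dropper
    cannot persist or reach other processes, and one button closes both."""
    sb = Sandbox()
    explorer = sb.launch(r"C:\WINNT\explorer.exe")                          # trusted
    ie = sb.launch(r"C:\Program Files\Internet Explorer\iexplore.exe", explorer)
    dropper = sb.launch(r"C:\Temp\dropper.exe", ie)                       # inherits untrusted
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\payload"
    return {
        "dropper_trust": sb.processes[dropper].trust.value,
        "dropper_download": sb.write_file(dropper, r"C:\Temp\payload.dll"),  # allowed
        "dropper_autorun": sb.write_registry(dropper, run_key),             # denied
        "dropper_system_dir": sb.write_file(dropper, r"C:\WINNT\system32\payload.dll"),
        "dropper_hook": sb.system_op(dropper, "set_global_hook"),
        "dropper_touch_explorer": sb.touch_process(dropper, explorer),
        "explorer_autorun": sb.write_registry(explorer, run_key),           # trusted: allowed
        "red_icon": bool(sb.events),
        "closed": sb.close_all_untrusted(),
        "explorer_alive": sb.processes[explorer].alive,
        "events": list(sb.events),
    }
```

    Calling `drive_by_scenario()` shows the two properties the thread keeps coming back to: the dropper is untrusted only because its parent was, so a plain download to `C:\Temp` goes through while the Run-key write, the system-folder write, the global hook and the attempt to touch explorer.exe are denied and logged (the red-icon condition), and `close_all_untrusted()` ends iexplore.exe and the dropper in one step while the trusted explorer.exe keeps running.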
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I kind of wonder if some of the confusion here comes from the loose usage of the term 'sandbox' around Wilders. Running DefenseWall puts IE in the sandbox, anything that comes through IE cannot affect anything outside the sandbox (meaning drive-by-downloads, this wouldn't include things you manually downloaded, saving to a download directory, and manually started). So if spyware came through, it wouldn't be able to do any of the critical things needed to infect the system, and it wouldn't be able to really even see any processes outside the sandbox. When you restarted windows, that file would be closed and would not restart next boot. I don't know what all registry areas it protects, but I imagine this would mean that you wouldn't be getting BHOs, homepage hijacks, etc., however you would still be able to download Flash player and install it just fine. This has its ups and downs, but theoretically you won't be getting rootkitted through your browser anytime soon.
     
    Last edited: Sep 24, 2005
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not quite. You may set the downloaded installation executable as untrusted and install the application! Most of them will be correctly installed (I mean, if they don't use drivers or, for example, shell extension modules and need no autorun). It is not possible to overwrite executables, but it is possible to install a new one.
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    DefenseWall is looking good so far, very easy to use. The only issues I'm having are the event log filling up to the point that my system can't load it into memory, and some occasional freezing of untrusted applications. Not bad for a first beta release. I like the concept, though.. I think it will provide good defense against drive-by-downloads especially. Anyone else have any opinions?
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    The new beta version is released. Some issues are added and improved. The download link is the same.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    The new beta version is released.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can't access the download link. I will try it again at a different time.
    This happens regularly with some other websites too, sometimes access, sometimes not.
    After all these bytes have to swim through the ocean, before they get in Belgium.
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Huh, very strange! I've just tried to download the file and it was OK! And the bytes don't have to swim to Belgium! www.whois.sc/softsphere.com

    If you will be unable to download the file- mail me to support [at] softsphere [dot] com and I will mail it to you.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ilya, I finally got access to the first link and I could download the file in 3 seconds. I had access to the second link too. Case closed. :)
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    This is a very interesting concept. Could you provide more information about your company? I like to have a good understanding of a company's background before I install its products on any of my machines. For example, does your company have any references? Thanks.

    Rich
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ilya Rabinovich,
    I installed DefenseWall (DW) on my win2000proSP4-computer and it seems to work.
    I consider myself as a NEWBIE, but I will do my very best to understand DW.
    I probably will have more questions in the future, but let's start with simple things, because this is my very first contact with DW (and HIPS software).
    Is my reasoning correct or incorrect in the next paragraphs ?
    Please tell me, otherwise I will be lost from the beginning.

    DW-icon
    I have a question about the DW-icon in the system tray, which looks like a white circle with a very little circle in the middle and a light blue small bar through the white circle.
    That's how the DW-icon looks after rebooting my computer, but I also saw another DW-icon, that looks exactly the same, but the very little circle is RED.
    I don't know when the color changed, but I'm 100% sure you know.
    What does that mean exactly and has the DW-icon other changes as well ?

    Add/Remove Untrusted window
    After installing DW, I had already SEVEN untrusted applications in this window. Is that correct ?

    1. C:\Program Files\Internet Explorer\iexplore.exe
    2. C:\Program Files\Outlook Express\msimn.exe
    3. C:\WINNT\system32\hh.exe
    4. C:\WINNT\system32\winhlp32.exe
    5. C:\WINNT\system32\system32\tftp.exe
    6. C:\WINNT\system32\system32\ftp.exe
    7. C:\WINNT\system32\system32\ntvdm.exe

    I recognize at least TWO of them :
    1. "MS Internet Explorer", which is my DEFAULT browser and I use Mozilla Firefox for surfing.
    2. "MS Outlook Express", which I don't use and I also don't use MS Outlook 2000. I use Mozilla Thunderbird.
    I assume that DW considers some applications as untrusted by default, but only based on the operating system, because both applications, and probably the others too, come with win2000proSP4. Is that correct ?

    DW didn't consider the following applications as untrusted by default, because :
    1. "MS Outlook 2000" comes with MS Office 2000, which is ANOTHER software, than win2000proSP4.
    2. "Mozilla Thunderbird" is also ANOTHER software, than win2000proSP4.
    I assume that it is up to the USER to make a decision (trusted or untrusted) for each software that doesn't come with win2000proSP4 or any other windows. Is that correct ?

    Since "MS Internet Explorer" and "MS Outlook Express" are considered as untrusted softwares by default,
    I assume that in my case, I have to do some changes in this window :
    1. I have to add "C:\Program Files\Mozilla Firefox\firefox.exe" (my most used browser)
    2. I have to add "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" (my only email-software)
    3. I have to remove "C:\Program Files\Outlook Express\msimn.exe", because I don't use "MS Outlook Express".
    Is that correct ?

    I also assume that once an application is listed as untrusted, that this application will be treated as untrusted, each time I open this application, even when I start this application in a different way, like clicking on the exe-file in MS Windows Explorer, clicking on an icon on my desktop, ...
    All applications, which are NOT listed as untrusted are considered as trusted applications.
    Is that correct ?
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hi,ErikAlbert!

    The icon (will be changed to a better one with the release) turns red if an untrusted application has made some possibly dangerous action. See the "events log" dialog sheet to see what happened.

    Yes. There is a default untrusted executables list in DW. If it finds a known executable on the disk during the installation process, DW adds it to the untrusted list. In the future the default list will be enhanced with other browsers, e-mail clients, P2P and IM clients, etc.

    Yes.

    Yes. 100% correct.

    Yes, your assumption is 100% correct.

    Yes.
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ilya,
    Thank you for answering all my questions and I added Firefox and Thunderbird and removed MS Outlook Express, without any trouble.
    I understand now the meaning of red and that's what I really wanted to know.
    I agree with you that the icon could be improved, at least the warning part, but this is a minor detail and can be improved much later.

    I also took a look at the "Event Log" and they were all "Attempt to create new key" (Event type = Registry) for MSIE and Firefox.
    I assume that these new keys weren't created in my registry, because of the word "Attempt" in the message.
    You used the expression possible dangerous action, which also means that the action could be innocent too.
    That doesn't bother me, BUT is it possible that these un-executed innocent actions can cause a malfunction in my MSIE or Firefox sooner or later ?
    I assume not, but I'm not really an expert in registries.
    For the record : MSIE and Firefox are still working fine, I'm just asking.
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, I have no such events with my MSIE and Firefox. Could you send me the compressed log file (defensewall_log.log in the DW folder) so I could look at it? Anyway, your assumptions are right.
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I've sent an email to you with the requested file.
    Meanwhile, I will try the buttons on each DW-window.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ilya,
    I played with all the buttons and I only mentioned the buttons with a problem or a question.

    Event Log

    Filter
    This button doesn't work. No reaction at all.
    I assume you will program this button in a later version ?

    Delete and Delete All
    These buttons work fine, but without confirmation and that's not good.

    Add/Remove Untrusted
    I have two general remarks for this window.
    If you don't agree with this, it's 100% OK with me, I'm just telling what I think.
    After all you are the boss and it's not my application.
    It's not important either, but I design applications myself and we have some rules at work and I'm sooo used to them.

    1. Is there a difference between "remove" and "delete" ? If not I would change the title in :
    "Add/Delete Untrusted", because "Add - Edit - Delete" are most used in database updatings.
    Another reason is that you used "Delete" in the "Event Log window".
    Or you use "Remove" all the way, or you use "Delete" all the way, but using two different words for the same action is confusing and certainly for non-English users.

    2. I would change the sequence of the Add-options into : Add Application, Add Folder and Add Process.
    Most less-knowledgeable users know or will find out what applications and what folders are, but I have many doubts, if these users know or will ever understand what processes are.
    A less-knowledgeable user will rather untrust applications and folders, than processes, but keep the button "Add Process" anyway for knowledgeable users.
    I know less-knowledgeable users very well, I worked with them all my life and I know in advance what they will think about "Add Process".
    That's why I'm not a big fan of HIPS softwares, but DW is user-friendly enough up to now.

    Add Application
    I fully understand this button.

    Add Folder
    I understand this button, but what are the consequences when I exclude a folder ?
    Can you give me one practical example, why I would exclude a folder ?

    Add Process
    This one bothers me the most. Can you give me one practical example ?

    Remove
    If you agree with my first general remark, this button should be called "Delete".
    If not leave it, like it is. The button works fine.

    Run As Trusted
    I assume that this button makes it possible to run an untrusted application as a trusted application for one time only ?

    Close All Untrusted
    I don't have any problem with the button of this window and it works fine.

    I have still questions, but I need some time to formulate them in English.
     
    Last edited: Oct 3, 2005