Beta-testing of the DefenseWall Host Intrusion Prevention System.

Discussion in 'other anti-malware software' started by Ilya Rabinovich, Sep 19, 2005.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, it is not. AV will be able to scan e-mails.

    If somebody needs it in the wild, I'll add it.
     
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Something I don't understand is why FireFox:
    Attempt to open process C:\Program Files\ESET\nod32kui.exe
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Also, here is a scenario in which it would be useful for the user to be able to allow exceptions for certain programs (this is FireFox again):
    Attempt to overwrite file C:\Documents and Settings\*****\Application Data\Mozilla\Firefox\Profiles\lrkiveb8.default\search.rdf

    In this situation it would be beneficial for the user to be able to allow FireFox to write to its own directory and all sub-directories.
    *But not instances launched by FireFox.
     
  4. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    And The Bat!(www.ritlabs.com):
    Attempt to set value DLLPath within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\

    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\

    Attempt to set value EditFlags within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\

    Attempt to set value URL Protocol within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\

    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\DefaultIcon\

    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\shell\open\command\

    These are scenarios in which it would be useful for the user to be able to allow exceptions for The Bat! to be able to modify its own registry entries.

    A small error I just found (very small) is that when DW says "Attempt to set value within" there are two spaces between value and within. This is not anything that could affect the user, just thought I would let you know, in case you don't already.
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Sonork(www.sonork.com, the client messaging software):
    Attempt to create global windows hook with module C:\Program Files\Sonork\bin\srkhook.dll
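    As an added illustration (not DefenseWall's code and not the poster's), here is a small Python triage of event lines in the format quoted in the last three posts: it parses each kind of event, tolerates the double-space case noted above, and separates writes under an application's own directories and registry keys (the exception asked for) from events worth a look, such as global hook registration. The sample lines are constructed from the thread; the roots list and the reading of an empty value name as the key's default value are assumptions.

```python
import re
# Constructed sample modelled on the DefenseWall event lines quoted in this
# thread ("*****" is the poster's own redaction of a user name).
SAMPLE_EVENTS = r"""
Attempt to open process C:\Program Files\ESET\nod32kui.exe
Attempt to overwrite file C:\Documents and Settings\*****\Application Data\Mozilla\Firefox\Profiles\lrkiveb8.default\search.rdf
Attempt to set value DLLPath within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\
Attempt to set value  within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
Attempt to set value URL Protocol within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
Attempt to set value  within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\shell\open\command\
Attempt to create global windows hook with module C:\Program Files\Sonork\bin\srkhook.dll
"""

# One regex per event kind seen in the thread.  The registry pattern allows an
# empty value name, so the double space DW prints there (noted above) still parses.
PATTERNS = [
    ("open_process", re.compile(r"^Attempt to open process (?P<target>.+)$")),
    ("overwrite_file", re.compile(r"^Attempt to overwrite file (?P<target>.+)$")),
    ("set_value", re.compile(r"^Attempt to set value (?P<name>.*?)\s+within the key (?P<target>.+)$")),
    ("global_hook", re.compile(r"^Attempt to create global windows hook with module (?P<target>.+)$")),
]

def parse_event(line):
    """Return {"kind", "target", "name"} for one DW event line, or None if unknown."""
    for kind, rx in PATTERNS:
        m = rx.match(line.strip())
        if m:
            name = m.groupdict().get("name")
            # An empty value name is assumed here to denote the key's default value.
            return {"kind": kind, "target": m.group("target"), "name": "(Default)" if name == "" else name}
    return None

def within_own_scope(event, roots):
    """True if the target is under one of the app's own file/registry roots (case-insensitive)."""
    target = event["target"].lower().rstrip("\\")
    return any(target == root or target.startswith(root + "\\")
               for root in (r.lower().rstrip("\\") for r in roots))

def triage(lines, roots):
    """Split events into 'expected' (self-scoped writes) and 'review' (global hooks and the rest)."""
    expected, review = [], []
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] != "global_hook" and within_own_scope(ev, roots):
            expected.append(ev)
        else:
            review.append(ev)
    return expected, review
```

    With the two assumed roots (The Bat!'s client key and the Firefox profile folder), the five self-scoped writes land in "expected" while the NOD32 process open and the Sonork hook remain for review.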
     
  6. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Just a suggestion: an option to have a small window temporarily appear with a list of recent events for a given time (maybe 30-60 sec. after the event occurs the notification could disappear).
     
  7. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Regarding attempts, John:

    You are actually pointing out the filter command. Select all, and then filter. Next, delete all and apply so as not to be bothered with such nonsense again.

    i.e. DW's strong point. :)

    If you like to be bothered etc. try PG or App Defend.
    Else, if you need those settings, run The Bat as trusted (once).
     
  8. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    What? The events I posted above are required for the applications to work correctly. If I leave them as trusted, I will not be using DW for security. If I leave them as untrusted they can't work correctly. What I am asking for is a way to allow for exceptions in rules. This option could simply be overlooked by users who do not need it, however it would be of great use to some.
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    NOD32 components.

    It is not a bug. You haven't applied the changes. The events haven't been deleted.

    search.rdf is fixed.

    As for Sonork, I'll add its module into the "white list" of the global hook modules.

    Now about TheBat. The idea is simple. You run TheBat as trusted one time during the installation; it sets up all the parameters it needs for correct work. Then you set it as untrusted and work as usual. There is no need for any "exception rules", everything works correctly. If you don't want to see TheBat events, just filter them. The program is already designed the way you don't need to set up any "rules" or answer questions with the popup windows, everything is already working. Just add your application as untrusted and enjoy safe Internet. Yes, the ideology is different from the classic HIPS, but it works!
     
    Last edited: Jan 7, 2006
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    And it's OK for DW to be blocking these? Shouldn't AntiVirus be allowed?

    Cool

    Thanks ;)
     
  11. richard_rd

    richard_rd Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    6
    Ilya,

    I have been trying your DW app for the past few days, and really appreciate your nice clean approach in your HIPS. Working great so far, and I plan on registering (paying) at the end of my 30 day trial as long as no unforeseen complications arise.

    One suggestion for an added feature: it would be nice if there were an option for an audible beep/alarm when a suspicious event is recorded in the event log. I know you have the wall icon in the tray turn red, but sometimes you can miss that if you are not paying attention to the tray area.

    Does anyone use the secured files option? If the HIPS is working properly this should not be needed, because malware should not be able to execute and spy on my data. Could you please give some examples of how setting up the Secured Files area will better protect us.

    Thanks for the great HIPS app, hope you do well with it!!!!
     
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Are there any plans to allow for users to view or edit the 'white-list'?
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It is just one of the AV components. I suppose that AV will be working anyway, because the most part of any AV is within the driver level.
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    OK. I'll add it in one of the next releases.

    "Secured files" are the files or folders untrusted processes can not access. It could be everything you add there. It 100% depends on you what to add. But don't add the Windows or Program Files folders- your programs won't start!
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No. The white-list is only hashes within the driver. Anyway, not many users will be able to add it by themselves; it will be much easier for them if I add hashes myself on demand (as I have done with the Sonork client).
     
  16. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    What about an auto-update feature, or is that only implemented for registered users?
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I think about it night and day! It is not so simple to implement. There are a lot of underground mines within this feature implementation process. But, anyway, it will be done. It is #2 in my todo list (#1 is bug fixes + immediate feature requests).
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Well, I'm just going to say that you have a nice product in the works; the only thing keeping me away from it is the lack of exceptions and the hidden white-list thing you have going. Good luck and I wish you the best.
     
  19. emir

    emir Registered Member

    Joined:
    Dec 21, 2005
    Posts:
    61
    I don't know if I should have created a whole new thread for this, but I have a question. Are the following dll's and others associated with DefenseWall and/or DefencePlus: user321.dll
    oleaut321rav.tmp
    kernel321.rav.tmp
    ntdll.rav.tmp
    If not, does anyone recognize these? I already tried searching for them.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    These are DefencePlus temporary files.
     
  21. Brandon

    Brandon Registered Member

    Joined:
    Sep 9, 2005
    Posts:
    222
    Just installed the beta and haven't found any problems yet, but I've got to say that this is a nice piece of software for me to add to my setup :D
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It is not beta. It is release. v1.11.
     
  23. emir

    emir Registered Member

    Joined:
    Dec 21, 2005
    Posts:
    61
    Ilya Rabinovich, temporary files? They are dll's mostly and they have to load with every application I use. Can you maybe point me to a page that can explain why they have to load with every application, or if you could take the time to explain it to me I would greatly appreciate it.
     
  24. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    There are two different types of temp files. Some of them (user32.rav, for instance) are created on each reboot and allow DefencePlus to randomly change the base of the main system DLLs to prevent return-into-libc attacks; the others (kernel321.rav.tmp, for instance) are used within the ring3-hooks engine to decrease the virtual memory usage.
     
  25. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    As well as the occasional Firefox problem, I have been getting Opera problems when many tabs are open - DF and Opera take the whole CPU until reboot.

    I have Outpost firewall, NOD32, Online Armor and RegRun Platinum 4.5 with AntiHack, Process Guard and Proxomitron running when this happens.

    Quite sure Online Armor and RegRun Platinum 4.5 with AntiHack, Process Guard and Proxomitron cause no problems.

    Any idea? Might be NOD / Opera / DW?
     