Discussion in 'other anti-malware software' started by Ilya Rabinovich, Sep 19, 2005.
I'm working on it. I'll mail you the latest driver to check it out.
I have been reading this thread for a while, and have now downloaded v1.11 for testing.
- Windows XP Pro SP2 English + most hotfixes, system installed with nLite (zapped Outlook, Messenger, MediaPlayer 9, and quite a few more)
- added later: Linksys router
- Outpost v3.0.557.5918 (437) with pretty tight application settings
- Process Guard v1.150
- NOD32 v2.51.8
My first comments:
1. Great idea, nice addition to the defense toolchest.
2. Firefox and Opera, although added to Untrusted, NEVER show up in the Event Log (IE does)
3. Minor typo: if you click Filter on the Event Log without specifying anything to filter, a message box comes up with "Tou have not..." - should be "You have not...".
4. In the About box, I'd drop "the" in front of DefenseWall (i.e. it should read: "This version of DefenseWall...").
Will do some more testing, but I feel I'll have questions
I'll try out tomorrow - Thanks for a great program
Hi, I just downloaded DW 1.11 from softphere and installed it on my XP PC which had Online Armor 1.1 build 595 running. After I rebooted it, DW would display an error dialog box saying that "driver cannot be properly initialized". Right after it OA would display a similar dialog box and OA's GUI tray icon would not appear. I went to the Windows task manager and noticed that OA's service was already loaded and running but OA's GUI component could not be launched. If I proceeded to uninstall DW, OA would pop up and ask for my permission to do so. If I said "yes" and rebooted my PC, the same sequence of events would happen again. I had to boot into Windows safe mode to uninstall DW. I think there are conflicts between DW 1.11 and OA 1.1. After I uninstalled DW 1.11, OA 1.1 functioned properly once again.
These are my event log entries for The Bat! Professional v3.64.01. I am posting them because they are slightly different from those posted by AJohn.
Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\
Attempt to set value EditFlags within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
Attempt to set value URL Protocol within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\DefaultIcon\
Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\shell\open\command\
Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Shell\open\command\
DW does not allow system processes to be added as untrusted.
However, e.g. SVCHOST.EXE and RUNDLL.EXE may start unwanted communication. In Outpost Pro I can (and want to) limit what these system processes may do. So if I didn't have Outpost running, DW would allow such unwanted communication.
Or am I missing something?
Well, I don't know. I'm not a native man.... Life will show!
Yes, I know about the conflict. I'll see if I can do something.
Different The Bat! version, different logs. It is normal. The cure is the same: just filter it!
Yes, you are. DefenseWall is not a firewall, it is a sandbox HIPS! So, it doesn't control network connections at all. It creates a virtual "untrusted processes" zone with limited rights. If malware runs inside this zone it won't be able to get out of this zone and break the system integrity (set up a service/driver, set itself to autostart and so on).
Thank you for the clarification. The idea needs some getting used to
Another question: Is there any way to UNfilter an event (i.e. make an event appear again after having filtered it earlier) ? Or is there a way to delete all filters? Or, better yet, to edit them?
So how does it differ from e.g. Process Guard in terms of what I can achieve with it? Is there anything PG can not do that DF can, or can do better? My apologies for the possibly dumb question, but I didn't find anything about this in this thread.
DW isolates untrusted apps so that they can't see any other apps on the system, other than whatever else is in the Untrusted list. DW will also prevent untrusted apps from modifying vulnerable files (PG doesn't protect any files) and you can select folders to be totally protected from untrusted apps. I'm sure there are probably a couple of things I'm missing, but those are the main things DW can do that PG cannot.
All good so far - it is hard to get the problem to re-occur on cue but no probs with this version so far
Thanks Ilya for your answer. Does the price of Defensewall include that of annual updates? How does the current pricing work? How about any plans of integrating the function of DefencePlus into future versions of Defensewall?
Thank you for the clarification.
As for now, you can delete filters.bat and restart the GUI - it will delete all the filters. There are no other ways yet.
PG and DefenseWall are different types of HIPS. Ideologically PG is an application firewall (you can set your own ruleset for each application, but it requires a lot of technical knowledge), DefenseWall is a sandbox HIPS (it divides all the processes into "trusted" and "untrusted" and uses a built-in ruleset for the "untrusted" ones). An application firewall is for the professionals who want to control everything on their computers, a sandbox is for the regular non-technical users. DefenseWall is much easier and simpler for the user to work with than PG. You see, it is always possible to make PG's control functionality like DW's, but ideologically they are different!
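To make the two ideas in the replies above concrete (a built-in ruleset applied to everything an untrusted process does, plus user filters that only hide noise from the Event Log), here is an added example that is not DefenseWall's own code and not something posted in this thread. It parses log lines in the "Attempt to set value ... within the key ..." shape quoted earlier, blocks anything under registry locations that would give an untrusted process persistence (the protected prefixes are my own hypothetical ruleset, not DefenseWall's actual policy), and applies user-supplied filter prefixes only to events that were not blocked, so a filter can never hide a policy violation. The service and Run-key lines in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample lines in the shape quoted in this thread. The first two
# mirror The Bat! registering its mailto handler; the last two are made up to
# show what an untrusted process trying to persist would look like.
SAMPLE_EVENTS = [
    "Attempt to set value within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\",
    "Attempt to set value URL Protocol within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\Protocols\\mailto\\",
    "Attempt to set value ImagePath within the key HKLM\\SYSTEM\\CurrentControlSet\\Services\\evil\\",
    "Attempt to set value Updater within the key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
]

# "set value within the key" (no value name) means the key's (Default) value.
EVENT_RE = re.compile(r"^Attempt to set value(?: (?P<value>.+?))? within the key (?P<key>.+)$")

# Hypothetical built-in ruleset: locations an untrusted process must never write,
# because a write there is how malware installs a service/driver or autostarts.
# This is an illustration, not DefenseWall's real policy.
PROTECTED_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Services",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


@dataclass(frozen=True)
class Event:
    value: str  # value name; "" means the key's (Default) value
    key: str    # registry key, normalized (case-folded, no trailing backslash)


def _norm(path: str) -> str:
    """Registry paths are case-insensitive; compare them in one canonical form."""
    return path.strip().rstrip("\\").casefold()


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(value=m.group("value") or "", key=_norm(m.group("key")))


def under(key: str, prefix: str) -> bool:
    """True if key is prefix itself or lies beneath it (whole path components only)."""
    p = _norm(prefix)
    return key == p or key.startswith(p + "\\")


def classify(ev: Event, user_filters: Sequence[str]) -> str:
    # Policy first: a user filter must never hide a blocked write.
    if any(under(ev.key, p) for p in PROTECTED_PREFIXES):
        return "block"
    if any(under(ev.key, f) for f in user_filters):
        return "filtered"
    return "log"


def triage(lines: Sequence[str], user_filters: Sequence[str] = ()) -> List[Tuple[str, Event]]:
    out: List[Tuple[str, Event]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            out.append((classify(ev, user_filters), ev))
    return out


if __name__ == "__main__":
    # A user who has inspected The Bat!'s mailto registration once can filter that subtree.
    for decision, ev in triage(SAMPLE_EVENTS, [r"HKLM\SOFTWARE\Clients\Mail\The Bat!"]):
        print(f"{decision:8} {ev.key}  value={ev.value!r}")
```

Filters are matched on whole path components, so a filter on `...\The Bat!` does not also silence `...\The Bat!Something`, and the policy check runs before the filter check so that adding a filter can only reduce noise, never blind you to a write under a protected location.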
1. The price is $29 for the defense core + one year of first-queue tech support, online updates (I'll implement it in the 1.20+ version) and new version notification. After the license period expires, the defense core will keep working (you've paid for it!), but all the extra advantages (online updates, first-queue tech support, etc.) won't be available + one nag screen during program start notifying you that your license period has expired. It is $10 per year to switch the extra advantages on. If you don't need the extra advantages, it is OK. The defense will be in working state anyway!
2. Yes, I have plans to integrate my buffer overflow defense into DefenseWall, but it needs more time to be tested (I have reports about DefencePlus working unstably on some computers, it should be fixed) + I think that first I need to implement online updates functionality, it is a more important feature.
Thanks for your replies.
That's an interesting batch file you have there
Not exactly the runnable type, is it? (I only saw paths and binary zeroes in it.)
It is made to prevent the filter file from being modified by the untrusted processes. That is why it has the .bat extension!
Thanks Ilya for all your answers. I really like your program but have to wait until it works with my Online Armor before I will place an order.
Keep going Ilya. This looks promising. I think your product will be a fully featured monster by 1.5 or so.... Good luck!
You may want to think about renaming this thread title to something like "Official Support thread for DefenseWall HIPS" and edit your first post describing when the product was released and keep a brief release history going in the first post.
You may be losing potential customers because they think the product is still beta when they see this thread going, after conducting a search of defensewall on this forum, and they may not read through all of this thread to realize it is now a released product. Some people will stay away from an app and not try it if they think it is still beta.
Well, life will show...... I do my best! Thanks!