Beta-testing of the DefenseWall Host Intrusion Prevention System.

Discussion in 'other anti-malware software' started by Ilya Rabinovich, Sep 19, 2005.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I'm working on it. I'll mail you the latest driver to check it out.
     
  2. eager2no

    eager2no Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    8
    I have been reading this thread for a while, and have now downloaded v1.11 for testing.

    Setup:
    - Windows XP Pro SP2 English + most hotfixes, system installed with nLite (zapped Outlook, Messenger, MediaPlayer 9, and quite a few more)
    - [edit]added later: Linksys router[/edit]
    - Outpost v3.0.557.5918 (437) with pretty tight application settings
    - Process Guard v1.150
    - NOD32 v2.51.8

    My first comments:

    1. Great idea, nice addition to the defense toolchest.

    2. Firefox and Opera, although added to Untrusted, NEVER show up in the Event Log (IE does)

    3. Minor typo: if you click Filter on the Event Log without specifying anything to filter, a message box comes up with "Tou have not..." - should be "You have not...".

    4. In the About box, I'd drop "the" in front of DefenseWall (i.e. it should read: "This version of DefenseWall...").

    Will do some more testing, but I feel I'll have questions :)
     
    Last edited: Jan 15, 2006
  3. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    I'll try out tomorrow - Thanks for a great program
     
  4. simple_user

    simple_user Guest

    Hi, I just downloaded DW 1.11 from softphere and installed it on my XP PC which had Online Armor 1.1 build 595 running. After I rebooted it, DW would display an error dialog box saying that "driver cannot be properly initialized". Right after it OA would display a similar dialog box and OA's GUI tray icon would not appear. I went to the Windows task manager and noticed that OA's service was already loaded and running but OA's GUI component could not be launched. If I proceeded to uninstall DW, OA would pop up and ask for my permission to do so. If I said "yes" and rebooted my PC, the same sequence of events would happen again. I had to boot into Windows safe mode to uninstall DW. I think there are conflicts between DW 1.11 and OA 1.1. After I uninstalled DW 1.11, OA 1.1 functioned properly once again.

    Thanks,
    Lu Chin
     
  5. eager2no

    eager2no Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    8
    These are my event log entries for The Bat! Professional v3.64.01. I am posting them because they are slightly different from those posted by AJohn.

    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\
    Attempt to set value EditFlags within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
    Attempt to set value URL Protocol within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\DefaultIcon\
    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\shell\open\command\
    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Protocols\mailto\
    Attempt to set value within the key HKLM\SOFTWARE\Clients\Mail\The Bat!\Shell\open\command\
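    As an added example (not part of this thread and not DefenseWall's own code), a small Python parser for event-log lines in the form eager2no posted above. It splits each entry into value name and key path, reports the unnamed default value as "(Default)" (an assumption matching regedit's display), checks whether every write stays inside the mail client's own HKLM\SOFTWARE\Clients\Mail branch, and flags the subkeys that decide which program handles mailto: URLs so a reviewer knows which entries to look at first before filtering them away.

```python
import re
from collections import defaultdict

# Constructed sample: the seven entries eager2no posted for The Bat! 3.64.01.
SAMPLE_LOG = """\
Attempt to set value within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\
Attempt to set value EditFlags within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\Protocols\\mailto\\
Attempt to set value URL Protocol within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\Protocols\\mailto\\
Attempt to set value within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\Protocols\\mailto\\DefaultIcon\\
Attempt to set value within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\Protocols\\mailto\\shell\\open\\command\\
Attempt to set value within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\Protocols\\mailto\\
Attempt to set value within the key HKLM\\SOFTWARE\\Clients\\Mail\\The Bat!\\Shell\\open\\command\\
"""

# "set value <name> within the key <path>"; the name is absent when the
# key's unnamed default value is written, and the path ends in a backslash.
LINE_RE = re.compile(
    r"^Attempt to set value(?: (?P<name>.+?))? within the key (?P<key>.+?)\\?$"
)

# Subkeys that decide which program handles mailto: URLs (assumption: these
# are the entries a defender would want to review before filtering them).
SENSITIVE_SUBKEYS = ("protocols\\mailto", "shell\\open\\command")


def parse_event(line):
    """Return (value_name, key_path) for one log line, or None if it does not match.
    The unnamed default value is reported as "(Default)", as regedit shows it."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("name") or "(Default)", m.group("key")


def is_self_registration(key, client_name):
    """True when the write stays inside HKLM\\SOFTWARE\\Clients\\Mail\\<client_name>,
    i.e. the mail client is registering itself rather than touching foreign keys."""
    prefix = ("HKLM\\SOFTWARE\\Clients\\Mail\\" + client_name).lower()
    k = key.lower()
    return k == prefix or k.startswith(prefix + "\\")


def summarize(log_text):
    """Group value names by key and list the keys touching handler-registration subkeys."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is not None:
            name, key = event
            by_key[key].append(name)
    flagged = sorted(k for k in by_key if any(s in k.lower() for s in SENSITIVE_SUBKEYS))
    return dict(by_key), flagged
```

For the sample above every write is self-registration by The Bat!, which is why Ilya's advice to filter these entries is reasonable; the same checks would single out a write by an untrusted process to another client's shell\open\command key.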
     
  6. eager2no

    eager2no Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    8
    DW does not allow system processes to be added as untrusted.
    However, e.g. SVCHOST.EXE and RUNDLL.EXE may start unwanted communication. In Outpost Pro I can (and want to) limit what these system processes may do. So if I didn't have Outpost running, DW would allow such unwanted communication.
    Or am I missing something?
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yup, thanks!

    Well, I don't know. I'm not a native man.... Life will show!

    Always welcome!
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, I know about the conflict. I'll see if I can do something.
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Different The Bat! version, different logs. It is normal. The cure is the same: just filter it!
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, you are. DefenseWall is not a firewall, it is a sandbox HIPS! So, it doesn't control network connections at all. It creates a virtual "untrusted processes" zone with limited rights. If malware runs inside this zone, it won't be able to get out of this zone and break the system integrity (set up a service/driver, set itself to autostart and so on).
     
  11. eager2no

    eager2no Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    8
    Ilya Rabinovich,
    Thank you for the clarification. The idea needs some getting used to :)

    Another question: Is there any way to UNfilter an event (i.e. make an event appear again after having filtered it earlier) ? Or is there a way to delete all filters? Or, better yet, to edit them?
     
  12. eager2no

    eager2no Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    8
    So how does it differ from e.g. Process Guard in terms of what I can achieve with it? Is there anything PG can not do that DF can, or can do better? My apologies for the possibly dumb question, but I didn't find anything about this in this thread.
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    DW isolates untrusted apps so that they can't see any other apps on the system, other than whatever else is in the Untrusted list. DW will also prevent untrusted apps from modifying vulnerable files (PG doesn't protect any files) and you can select folders to be totally protected from untrusted apps. I'm sure there are probably a couple things I'm missing, but that's the main things DW can do that PG cannot.
     
  14. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    All good so far - it is hard to get the problem to re-occur on cue, but no probs with this version so far
     
  15. simple_user

    simple_user Guest

    Thanks Ilya for your answer. Does the price of Defensewall include that of annual updates? How does the current pricing work? How about any plans of integrating the function of DefencePlus into future versions of Defensewall?
     
  16. eager2no

    eager2no Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    8
    Notok,
    Thank you for the clarification.
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    As for now, you can delete filters.bat and restart the GUI - it will delete all the filters. There are no other ways yet.
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    PG and DefenseWall are different types of HIPS. Ideologically PG is an application firewall (you can set your own ruleset for each application, but it requires a lot of technical knowledge from you), DefenseWall is a sandbox HIPS (it divides all the processes into "trusted" and "untrusted" and uses a built-in ruleset for the "untrusted" ones). An application firewall is for the professionals who want to control everything on their computers, a sandbox is for the regular non-technical users. DefenseWall is much easier and simpler to work with for the user than PG. You see, it is always possible to make PG's control functionality like DW's, but ideologically they are different!
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    1. The price is $29 for the defense core + one year of first-queue tech. support, online updates (I'll implement it in the 1.20+ version) and new version notification. After the license's time expires, the defense core will keep working (you've paid for it!), but all the extra advantages (online updates, first-queue tech. support, etc.) won't be available + one nag screen during the program's start notifying you that your license's period is expired. It is $10 per year to switch the extra advantages on. If you don't need the extra advantages - it is OK. The defense will be in working state anyway!
    2. Yes, I have plans to integrate my buffer overflow defense into DefenseWall, but it needs more time to be tested (I have reports about DefencePlus working unstably on some computers, it should be fixed) + I think that first I need to implement the online updates functionality, it is a more important feature.
     
  20. eager2no

    eager2no Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    8
    Ilya Rabinovich,
    Thanks for your replies.
    That's an interesting batch file you have there :)
    Not exactly the runnable type, is it? (I only saw paths and binary zeroes in it.)
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It is made to prevent the filter file from being modified by the untrusted processes. That is why it has a .bat extension!
     
    Last edited: Jan 16, 2006
  22. simple_user

    simple_user Guest

    Thanks Ilya for all your answers. I really like your program but have to wait until it works with my Online Armor before I will place an order.

     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hi,
    Keep going Ilya. This looks promising. I think your product will be a fully featured monster by 1.5 or so.... Good luck!
    Mrk
     
  24. richard_rd

    richard_rd Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    6
    Ilya,

    You may want to think about renaming this thread title to something like "Official Support thread for DefenseWall HIPS" and edit your first post describing when the product was released and keep a brief release history going in the first post.

    You may be losing potential customers because they think the product is still beta when they see this thread going, after conducting a search of defensewall on this forum, and they may not read through all of this thread to realize it is now a released product. Some people will stay away from an app and not try it if they think it is still beta.
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, life will show...... I do my best! Thanks!
     