DefenceWall 1.56

Discussion in 'other anti-malware software' started by WilliamP, May 26, 2006.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
I have been trying DefenceWall for a couple of weeks now. I am now running version 1.56, which hasn't actually been released yet. Ilya just keeps improving it. I feel that this type of sandbox program is one of the best security setups there is. Of course, to back it up I have FirstDefence ISR. These two can give you unlimited courage.
     
  2. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    After the developer mentioned this application in another topic I actually gave it a try (V1.55). It's nice if you want to test relatively harmless malware because you simply need to run it as "untrusted" software so that changes to the registry and the creation of new files are monitored and can be undone. Moreover, DefenseWall will prevent malware from using various hooks & low level functions as well as the installation of services.

    So far, so good. But would I actually use it to run malware? Certainly not. DefenseWall is still not reliable. And that's mandatory for such kind of application.

    For instance, malware (although it is executed in an "untrusted" environment) can easily kill DefenseWall and then do all kinds of mischief. This is because DefenseWall does apparently not hook or protect itself from EndTask function ( http://msdn.microsoft.com/library/d...s/windowreference/windowfunctions/endtask.asp ).

    I have not tried so far whether DefenseWall can stop file infectors (viruses).
     
  3. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    What you can kill with those functions is just the GUI process. The protection is implemented as a kernel mode driver and even works when the user mode process has been terminated.
     
  4. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
I had the same feeling and, therefore, tried to execute malware after DefenseWall.exe was killed. Subsequently, I started DefenseWall but was unable to remove the malware.

    Kenjin, can you please check whether "DefenseWall internal service" (see services.msc) is permanently running on your computer?

EDITED: Tried it again. Killed DefenseWall & then executed Optix Lite (which copies server.exe to the Windows dir and sets a respective autostart entry). Thereafter, I started DefenseWall and was able to remove all the nasty stuff. Am I stupid?? Dunno. Tried it again. Same procedure. This time, server.exe was not deleted from the Windows directory... what's going on here?
     
    Last edited: May 27, 2006
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I have never tried any malware. I did download some Microsoft Office updates and tried to install. I had to shut down DW then exit DW. Then I was able to install. DW doesn't prevent something from getting in your computer. It is supposed to prevent it from doing anything. Then it can be removed by DW, your AV or your AT. Ilya can answer better than I can.
     
  6. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    No, DefenseWall service is not running permanently, and according to Ilya it is only required during Windows' startup phase.

Don't know why you had mixed results in your tests. I doubt this is because the GUI process is not running. DW's protection is designed to work without it. What you experienced might be a bug in the Rollback function. You should address this issue to Ilya if it is reproducible.
     
  7. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    "No, DefenseWall service is not running permanently, and according to Ilya it is only required during Windows' startup phase."

    Good. That's what I thought.

"Don't know why you had mixed results in your tests. I doubt this is because the GUI process is not running. DW's protection is designed to work without it. What you experienced might be a bug in the Rollback function. You should address this issue to Ilya if it is reproducible."

    So far I could not reliably reproduce it. But the problem occurred from time to time. There are many variables (e.g., running in expert mode or not, terminating the trojan server first or erasing the traces first, starting the trojan server as an untrusted program or adding it to the untrusted group, etc.). In addition, I noticed some kind of an exclude list in the registry where the trojan server's name appeared. Is this correct or might this be the cause of the problem? Need to further investigate this issue.
     
  8. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
O.k. I have performed many additional tests. It seems to me that DefenseWall works reasonably well and there are generally no big reliability issues. I really start to like this application.

    Notwithstanding the above, I have the following comments:

    1.
    Rollback does not work (but this has already been mentioned)

    2.
    The distinction between REMOVE and ERASE can be misleading. REMOVE should be renamed into "CLEAR LOG" or something.

    3.
    There should be an option (or is there an option?) to run ANY applications by default as untrusted apps. In other words, an accidental double click should not result in malware being automatically enrolled to the trusted group so that no log (file & registry tracks) is created. (Apparently, this happened to my optix lite server). At least, there should be a warning like "Do you really want to run this application as a trusted application and enroll it to the trusted group?"
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
1. DefenseWall's protection is pure driver-level. The GUI is only for its control. That is why you may shut down the GUI as many times as you wish; it will change nothing.

2. The service is running only during Windows start. After that it is useless for it to be running. That is why it is not :D

3. There is an error with 1.55 within the rollback routine; some of the entries may stay there even though the files themselves are erased.

4. The "Exclude" list is the list of the controlled files that may be modified. Entries stay there for 15 days and are then removed if they are inside your "My Documents" and "Desktop" folders. After that those files are unable to be modified by untrusted processes. It is made this way because those folders are the standard storage for downloaded files, and I need to keep entries for the programs installed as "untrusted" so that their uninstall routines would run properly.

    P.S. In fact, I've already implemented strong shatter attack protection and EndTask shutdown protection (I may block now all the APT methods but #9), but I think to unlock it with 2.0 version due to marketing reasons. :D
     
    Last edited: May 28, 2006
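The exclude-list aging policy Ilya describes in point 4 (entries retained for 15 days, then dropped only when the file sits under "My Documents" or "Desktop") is easy to get subtly wrong, in particular the folder test, where a naive string prefix would treat "Desktop2" as part of "Desktop". The following is an added example written for this thread, not DefenseWall's own code: it models the policy as a plain function over constructed entries, assumes the retention window is exactly 15 days, and uses path components rather than string prefixes so sibling folders are not matched by accident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed retention window; the thread states 15 days.
RETENTION = timedelta(days=15)


@dataclass
class ExcludeEntry:
    """One controlled file that untrusted processes may still modify."""
    path: str
    added: datetime


def is_under(path: str, folder: str) -> bool:
    """True if `path` lies strictly inside `folder`.

    Comparison is component-wise and case-insensitive (Windows semantics),
    so C:\\Users\\x\\Desktop2\\a.exe is NOT under C:\\Users\\x\\Desktop.
    """
    p_parts = [c.lower() for c in PureWindowsPath(path).parts]
    f_parts = [c.lower() for c in PureWindowsPath(folder).parts]
    return len(p_parts) > len(f_parts) and p_parts[: len(f_parts)] == f_parts


def expire_entries(entries, now, download_folders):
    """Apply the aging rule: drop entries older than RETENTION, but only if
    the file is in one of the download folders. Everything else is kept so
    an "untrusted" installer's uninstall routine can still touch its files.
    Returns (kept, removed)."""
    kept, removed = [], []
    for e in entries:
        in_download = any(is_under(e.path, f) for f in download_folders)
        if in_download and now - e.added >= RETENTION:
            removed.append(e)
        else:
            kept.append(e)
    return kept, removed


def demo():
    """Constructed sample data (hypothetical paths and dates) for illustration."""
    now = datetime(2006, 5, 28)
    folders = [r"C:\Documents and Settings\user\My Documents",
               r"C:\Documents and Settings\user\Desktop"]
    entries = [
        # 18 days old, on the Desktop -> expires
        ExcludeEntry(r"C:\Documents and Settings\user\Desktop\setup.exe",
                     datetime(2006, 5, 10)),
        # 8 days old, on the Desktop -> still within the window
        ExcludeEntry(r"C:\Documents and Settings\user\Desktop\tool.exe",
                     datetime(2006, 5, 20)),
        # old, but under Program Files -> never aged out by this rule
        ExcludeEntry(r"C:\Program Files\Foo\foo.exe", datetime(2006, 4, 1)),
        # old, in a sibling folder named "Desktop2" -> must NOT match
        ExcludeEntry(r"C:\Documents and Settings\user\Desktop2\x.exe",
                     datetime(2006, 1, 1)),
    ]
    kept, removed = expire_entries(entries, now, folders)
    return [e.path for e in kept], [e.path for e in removed]


if __name__ == "__main__":
    kept, removed = demo()
    print("kept:", *kept, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
```

The point of the component-wise check is the last sample entry: a prefix comparison on the raw string would silently age out files in any folder whose name merely begins with "Desktop".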
  10. c0ltran3

    c0ltran3 Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    172
Does DefenceWall work together with KAV 6? I've tried to install a trial of DefenceWall but the program didn't work properly.
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
Yes, it does. Maybe there are some problems with 1.55. I'll PM you a link to 1.56.
     
  12. c0ltran3

    c0ltran3 Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    172
    Thank you Ilya.
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Report if something goes wrong!
     
  14. c0ltran3

    c0ltran3 Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    172
Now I don't have any problems with the new version of DefenceWall.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
I'm very glad that the problem is gone! Hope you will like my program! :D Anyway, if you have anything to report (bugs, suggestions, etc.), report ASAP!
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Hi Ilya, does it have something to do with the MBR? Can I use it with RollBackRx (from HorizonDatasys) safely?
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
Yes, you can.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks.
     
  19. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
I have stopped using Defense Wall 1.56/1.60. I believe that it SIGNIFICANTLY slows down my Opera browser.

    (I have also stopped using Altiris SVS which is very nice but still too buggy. It completely f*c*s up my desktop icons as well as my start menu entries.)

    In principle, a stable, fast and reliable virtualization solution/HIPS would be very cool.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
They have a forum. You can discuss it there.
BTW, have you tried Sandboxie? It's good also.
I did not use DW, but I think I will try it later.
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
Write me at support [at] softsphere [dot] com and let's fix the problem together. It should be solved, not hidden!
     
  22. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Ilya

    Very good that you see it this way. How can we proceed?

    1.
How can I determine whether my browser is really slowed down? Probably I should do a speed test with DW enabled and compare it with the results when DW is not running? Unfortunately, I do not know any reliable speed tests. Currently, I just "feel" that my browser is slowed down when I have opened multiple tabs, download stuff, try to switch from one tab to the other, etc. (I have a very fast internet connection.)

    2.
Let's assume my browser is slowed down... how can we identify what's going on?

    3.
    Do you think this might be a bug or is it just "normal" that DW slows down my browser? (I read posts about sandboxie also slowing down browsers.)

    EDITED 1: I have performed several speed tests @ http://www.wieistmeineip.de/speedtest-alt/ Regardless of whether DW is enabled or not I can get download speeds of up to approx. 5.000 kbits/s (although my bandwidth is much bigger). Consequently, I do NOT believe that DW slows down my download speed. I will now further test why I "feel" that DW slows down my browser. For instance, I will switch between tabs etc.

    EDITED 2: I believe that you can replicate what I "feel" if you do the following. Use Opera 8.54, open about 10 tabs (i.e., 10 different websites) with links to content like mp3s, videos (or malware ;-). Start to massively click the links and download the content from the various websites. Click the close tab icon if you have finished downloading content. Open new websites and start downloading content ... and so on. With DW enabled the browser frequently stops for a short while if I switch to another tab or close a tab. Can someone confirm?
     
    Last edited: Jun 10, 2006
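The question in point 1 above, how to tell whether a HIPS really slows something down rather than just "feeling" slower, is best answered with a paired measurement: run the same local workload several times with the product enabled and again with it disabled, then compare medians rather than single runs. The bandwidth test used in EDITED 1 measures the network, which a file-system and process-hooking product is unlikely to touch; file churn (create, write, read, delete) is the kind of operation such a driver actually intercepts. The script below is an added example for this thread, not code from DefenseWall or SoftSphere; it assumes a small file-churn loop is a reasonable stand-in for what a browser does while downloading and closing tabs, and its "noticeable" rule (candidate median above every baseline sample) is a deliberately simple heuristic, not a formal statistical test.

```python
import math
import os
import statistics
import tempfile
import time


def file_churn_workload(n_files: int = 200, size: int = 4096) -> None:
    """Create, write, read back and delete n_files small files.
    This stands in for the file activity of a downloading browser."""
    payload = os.urandom(size)
    with tempfile.TemporaryDirectory() as d:
        for i in range(n_files):
            p = os.path.join(d, f"f{i}.bin")
            with open(p, "wb") as fh:
                fh.write(payload)
            with open(p, "rb") as fh:
                fh.read()
            os.remove(p)


def time_runs(workload, runs: int = 10) -> list:
    """Wall-clock seconds for each of `runs` executions of `workload`."""
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        workload()
        samples.append(time.perf_counter() - t0)
    return samples


def percentile(samples: list, pct: float) -> float:
    """Nearest-rank percentile (no interpolation), so p95 of 5 samples is the max."""
    s = sorted(samples)
    rank = max(1, math.ceil(pct / 100.0 * len(s)))
    return s[rank - 1]


def compare(baseline: list, candidate: list) -> dict:
    """Summarise two sets of timings: baseline = product disabled,
    candidate = product enabled. Overhead is the median-to-median ratio."""
    b_med = statistics.median(baseline)
    c_med = statistics.median(candidate)
    return {
        "baseline_median": b_med,
        "candidate_median": c_med,
        "baseline_p95": percentile(baseline, 95),
        "candidate_p95": percentile(candidate, 95),
        "overhead_pct": (c_med / b_med - 1.0) * 100.0,
        # Heuristic: slower than the slowest baseline run, not just a noisy sample.
        "noticeable": c_med > max(baseline),
    }


if __name__ == "__main__":
    # Real use: run once with the HIPS disabled, save the samples, then run
    # again with it enabled and feed both lists to compare(). Here the
    # "enabled" run is just a second measurement so the script is self-contained.
    baseline = time_runs(file_churn_workload)
    input("Enable the product now, then press Enter to measure again... ")
    candidate = time_runs(file_churn_workload)
    for k, v in compare(baseline, candidate).items():
        print(f"{k:18s} {v}")
```

Ten runs per configuration is the minimum worth bothering with; with fewer, one background disk flush can swing the median. Comparing p95 alongside the median is what catches the "browser stops for a short while" symptom described in EDITED 2, since intermittent stalls inflate the tail long before they move the median.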