DefenceWall 1.56

I have been trying DefenceWall for a couple of weeks now . I am now running version 1.56 which hasn't actually been released yet. Ilya just keeps improving it. I feel that this type of sand box program is one of the best security set ups there is. Of course to back it up I have FirstDefence ISR. These two can give you unlimited courage.

 

After the developer mentioned this application in another topic I actually gave it a try (V1.55). It's nice if you want to test relatively harmless malware because you simply need to run it as "untrusted" software so that changes to the registry and the creation of new files are monitored and can be undone. Moreover, DefenseWall will prevent malware from using various hooks & low level functions as well as the installation of services.

So far, so good. But would I actually use it to run malware? Certainly not. DefenseWall is still not reliable. And that's mandatory for such kind of application.

For instance, malware (although it is executed in an "untrusted" environment) can easily kill DefenseWall and then do all kinds of mischief. This is because DefenseWall does apparently not hook or protect itself from EndTask function ( http://msdn.microsoft.com/library/d...s/windowreference/windowfunctions/endtask.asp ).

I have not tried so far whether DefenseWall can stop file infectors (viruses).

 

What you can kill with those functions is just the GUI process. The protection is implemented as a kernel mode driver and even works when the user mode process has been terminated.

 

I had the same feeling and, therefore, tried to execute malware after DefenseWall.exe was killed. Subsequently, I started DefenseWall but was unable remove the malware.

Kenjin, can you please check whether "DefenseWall internal service" (see services.msc) is permanently running on your computer?

EDITED: Tried it again. Killed DefenseWall & then executed Optix Lite (which copies server.exe to Windows dir and sets a respective autostart entry). Thereafter, I started DefenseWall and was able to remove all the nasty stuff. Am I stupid?? Dunno. Tried it again. Same procedure. This time, server.exe was not deleted from the Windows directory... what's going one here?

 

I have never tried any malware. I did download some Microsoft Office updates and tried to install. I had to shut down DW then exit DW. Then I was able to install. DW doesn't prevent something from getting in your computer. It is supposed to prevent it from doing anything. Then it can be removed by DW, your AV or your AT. Ilya can answer better than I can.

 

No, DefenseWall service is not running permanently, and according to Ilya it is only required during Windows' startup phase.

Don't know why you had mixed results in your tests. I doubt this is because of the not running GUI process. DW's protection is designed to work without it. What you experienced might be a bug in the Rollback function. You should address this issue to Ilya if it is reproducible.

 

"No, DefenseWall service is not running permanently, and according to Ilya it is only required during Windows' startup phase."

Good. That's what I thought.

"Don't know why you had mixed results in your tests. I doubt this is because of the not running GUI process. DW's protection is designed to work without it. What you experienced might be a bug in the Rollback function. You should address this issue to Ilya if it is reproducible."

So far I could not reliably reproduce it. But the problem occurred from time to time. There are many variables (e.g., running in expert mode or not, terminating the trojan server first or erasing the traces first, starting the trojan server as an untrusted program or adding it to the untrusted group, etc.). In addition, I noticed some kind of an exclude list in the registry where the trojan server's name appeared. Is this correct or might this be the cause of the problem? Need to further investigate this issue.

 

O.k. I have performed many additional tests. It seems to me that DefenseWall works reasonably well and there are generally no big realiability issues. I really start to like this application.

Notwithstanding the above, I have the following comments:

1.
Rollback does not work (but this has already been mentioned)

2.
The distinction between REMOVE and ERASE can be misleading. REMOVE should be renamed into "CLEAR LOG" or something.

3.
There should be an option (or is there an option?) to run ANY applications by default as untrusted apps. In other words, an accidental double click should not result in malware being automatically enrolled to the trusted group so that no log (file & registry tracks) is created. (Apparently, this happened to my optix lite server). At least, there should be a warning like "Do you really want to run this application as a trusted application and enroll it to the trusted group?"

 

1. DefenseWall's protection is pure driver-level. GUI is only for it's control. That is why you may shut down GUI as many time as you wish- it will change nothing.

2. Service is running only during Windows start. After that it is useless as being running. That is why it is not

3. There is an error with 1.55 within rollback routine- some of the entryes may stay there inspite that the file themself is erased.

4. "Exclude" list is the list of the controlled files that may be modified. Entryes contains there for 15 days and then removes is they are insilde you "My Documents" and "Desktop" folders. After that those files are unable to be modified by untrusted processes. It is made this way because those folders are standard downloaded files storage, and I need keep entryes for the installed as "untrusted" programs that it's uninstall routine would run propertly.

P.S. In fact, I've already implemented strong shatter attack protection and EndTask shutdown protection (I may block now all the APT methods but #9), but I think to unlock it with 2.0 version due to marketing reasons.

 

Does DefenceWall work together KAV 6? I've tried to install a trial of DefenceWall but the program didn't work properly.

 

Yes, it does. Maybe, there are some problems with 1.55. I PM you link to 1.56.

 

Thank you Ilya.

 

Report if something goes wrong!

 

Now i haven't any problem with the new version of DefenceWall.

 

I'm very glad that the problem is gone! Hope, you will like my program! Anyway, if you have anything to report (bugs, suggestions, etc)- report ASAP!

 

Hi Ilya, does it has something to do with MBR? Can I use it with RollBackRx( from HorizonDatasys) safely?

 

Yes, you are.

 

Thanks.

 

I have stopped using Defense Wall 1.56/1.60 . I believe that it SIGNIFICANTLY slows down my Opera browser.

(I have also stopped using Altiris SVS which is very nice but still too buggy. It completely f*c*s up my desktop icons as well as my start menu entries.)

In principle, a stable, fast and reliable virtualization solution/HIPS would be very cool.

 

They have a forum. U can discusss it.
BTW u tried sandboxie? It,s good also.
I did not use DW but i think I will try it later.

 

Write me - support [at] softsphere [dot] com and let's together fix the problem. It should be solved, not hidden!

 

@Ilya

Very good that you see it this way. How can we proceed?

1.
How can I determine whether my browser is really slowed down? Probably I should do a speed test with DW enabled and compare it with the results when DW is not running? Unfortunately, I do not know any reliable speed tests. Currently, I just "feel" that my browser is slowed down when I have opened multiple tabs, download stuff, and try to switch from one tab to the other etc. (I have a very fast internet connection.)

2.
Let's assume my browser is slowed down...how can we identify what's going on?

3.
Do you think this might be a bug or is it just "normal" that DW slows down my browser? (I read posts about sandboxie also slowing down browsers.)

EDITED 1: I have performed several speed tests @ http://www.wieistmeineip.de/speedtest-alt/ Regardless of whether DW is enabled or not I can get download speeds of up to approx. 5.000 kbits/s (although my bandwidth is much bigger). Consequently, I do NOT believe that DW slows down my download speed. I will now further test why I "feel" that DW slows down my browser. For instance, I will switch between tabs etc.

EDITED 2: I believe that you can replicate what I "feel" if you do the following. Use Opera 8.54, open about 10 tabs (i.e., 10 different websites) with links to content like mp3s, videos (or malware ;-). Start to massively click the links and download the content from the various websites. Click the close tab icon if you have finished downloading content. Open new websites and start downloading content ... and so on. With DW enabled the browser frequently stops for a short while if I switch to another tab or close a tab. Can someone confirm?