DefenseWall as a HIPS

Discussion in 'other anti-malware software' started by Baldrick, Jan 7, 2007.

Thread Status:
Not open for further replies.
  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Any of you learned people out there like to comment on DefenseWall and how good or not it is as a HIPS? It seems to offer the universal panacea, ie, protection without alarming numbers of popups, but how good is it? From what I have read in reviews it seems to be the business, but I trust the feedback from the members of this forum.

    How does it compare to GesWall?

    Any thoughts gratefully accepted.:D
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, we have different paid sandboxes running on different PCs:

    GeSWall 2.5 pro on son's PC, DefenseWall on Wife's PC.

    DefenseWall has two options, trusted and untrusted; GeSWall Pro has four. DW runs out of the box, GW needs more configuration, even for the listed apps.

    For instance, when you "auto-isolate" Windows Media Player as an untrusted app, you will be able to launch WMP and open and play music from within WMP; only when you double-click a downloaded untrusted WMP music file in Explorer will WMP start but not play the music file with the default settings. You can get it playing by changing some rules (which you can find on the support forum).

    With DW you can mark WMP as untrusted; it will give the same protection but everything works seamlessly.

    On the other hand, GW follows the Windows framework and allows for more tweaking, while DW's user interface gets some criticism and has poor help files. To the benefit of DW, I have never needed help and it is not difficult to use the user interface. Release 2.0 will have an improved GUI.

    I think they're both great products, with just a little personal preference for DW.

    Regards Kees
     
    Last edited: Jan 8, 2007
  3. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  4. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi Kees

    Thanks for the explanation. I think that I get it...not sure which one to go for, but as my wife uses the same PC as me, DW may be better, as the less user intervention required the better.

    Hi Longboard

    Thanks for the link. Very interesting. Still not sure which to go for...ah, decisions, decisions.

    Cheers



    Balders:D
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    In my quest for a ProcessGuard replacement I saw DefenseWall come out on top in the following review of HIPS applications:

    http://www.techsupportalert.com/security_HIPS.htm

    hence the reason for following up on it and trying to find out more. Having started out looking for a like replacement, I have started to understand, as 'Gizmo' Richards clearly expresses in the article, that all the candidates are "...all notionally HIPS programs they are in fact, as different as they similar". But I like the sound of DW as it appears to be the most non-intrusive and easiest to set up HIPS, except that I will have to find all the programs that connect to the internet and, if they are not put into the trusted list automatically, I will have to decide whether I trust the connection made by each or not. Hopefully I can use the list of applications that have connected, as held by my firewall, ie, that rules have been set up for, as the basis of the analysis.

    I am not knocking DW, just trying to make the right choice...if it is possible to make such a thing. GeSWall sounds interesting...does it also look specifically at just Internet-based vectors, with one having to manually configure non-Internet-based vectors if one does not trust them?:doubt:
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Kees1958: Is DW something in between the concepts of GeSWall and Sandboxie? Like when saving a file to disk it acts like GeSWall, but the browser session, for instance, is cleared if you want?
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, they are both sandboxes protecting trusted sources from being tampered with by untrusted sources. DW has a file and registry tracking option which you can view and roll back when wanted. The average user should never have to look into this part of DW anyway to use the program in a correct way.

    GW + DW are more or less policy/rights manager HIPS (like you are not allowed to do some things when not logged in as admin). They do not use file virtualisation (to my knowledge) like Sandboxie or BufferZone do. This provides the advantage of seamless integration (you do not have to be aware of what is in which zone).

    GW uses isolated as a term, DW uses untrusted. DW is more straightforward (knows only trusted - untrusted) than GW (always trusted, trusted with auto isolation, isolation and jail).

    I do not know anything of the number of lines coded by either Brian or Ilya, but in general: less functionality means less source code, less source code means easier testing, less testing effort means more robust applications. To the defense of Brian, GW follows the Microsoft security framework (so Brian might have less trouble launching a Vista version of GW than Ilya with DW).
     
    Last edited: Jan 9, 2007
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Oh, ok, now I get it. I thought it had virtualisation and policy. Only policy as GeSWall, with those differences you mentioned.

    Thanks!:thumb:
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    You know, I still don't completely understand it, so basically GeSWall and DefenseWall work by restricting processes, kind of like running them in non-admin mode but with even more restrictions. However, they don't prevent untrusted processes from having access to your real file system and registry, correct?

    On the other hand, tools like Sandboxie and BufferZone will make sure that your file system and registry will never get touched by sandboxed processes. The difference between the two is that Sandboxie will contain everything in a separate folder, while BufferZone does not do this, so if you save a file on your desktop it will appear on your real desktop, but it will be marked as "untrusted". Is this all true or not? :rolleyes:
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    As soon as any untrusted process tries to access trusted resources (system file, registry, etc.), GeSWall creates a copy of it and lets the untrusted process do whatever it wants. When that process is terminated, the copy of the accessed trusted resource is deleted.
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Wrong. DefenseWall blocks modifications of sensitive files and registry areas by untrusted processes. Otherwise, it would not be a defense at all!
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ lucas1985

    Thanks for the info, GeSWall seems to be a quite powerful tool, their blog is also quite interesting, but I would sure like to have a more attractive GUI and an option to disable the colored title bar. :rolleyes:

    @ Ilya Rabinovich

    So does DW work exactly like GeSWall? I mean there isn't a lot of info about the way that DW works, it's all a bit vague. That's why I'm getting confused. For example, DW also has a "rollback" function, right? Can I ask why? I do know that with SBIE, all changes to the file system and registry are kept in the sandbox and will be gone if you erase the sandbox.

    Perhaps you can give a bit more info (also on your website), and point out the differences between other similar tools like Sandboxie, GreenBorder, BufferZone, GeSWall and DW, because I'm still not sure what's the best solution; of course this also depends on what the user wants. But I'm glad that you will redesign the GUI. Can you perhaps post some screenshots? Perhaps I can come up with suggestions; the GUI is one of the most important things to me. ;)
     
    Last edited: Jan 11, 2007
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, similar, but not exactly. Base architectures are different.

    I believe I'll be able to fix it, but I need to know exactly what kind of information is needed.

    To allow advanced users to clean up malware's executable modules from hard drives.

    Not in the sandbox, but in the virtualization container. You just miss the point. "Sandboxing" means "rights restrictions", like forbidding driver/service loading, file and registry key access, physical memory access and so on. "Virtualization" means "using information not based on the real stuff". You may virtualize hardware, files, registry keys, parts of the OS.

    Yes, you can clean up all the SBIE virtualization containers with a couple of mouse clicks, but the problem is that you do not control what exactly you erase! Otherwise, you need to dig inside the containers for the files and registry keys stored there and rescue the important ones that don't have to be erased! DW gives you full control over this (highly dangerous!) action and, also, I always recommend it for advanced users only, who understand what they are doing. AV tools are for others.

    In fact, the best solution is different for different users; some are happy with BZ, some with GW, some with DW :) That is why different approaches are needed.

    OK, just come to my forum and take a look at the first alpha version of the 2.0 version's GUI. Next week, I believe, I'll post the second alpha version there.
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    OK, NOW it's FINAL: I'm going to install VMware Player. I have to test DW and OA:)
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ Ilya Rabinovich

    OK thanks for the feedback, I have found the thread on your forum, but perhaps you can post some screenshots of all windows, it was not really clear.

    Yes, I guess I'm using the terminology in the wrong way, but you know what the thing is: aren't HIPS like SSM or Neoava Guard in fact also sandboxes then? Because I can also restrict processes from doing a whole lot of stuff with these tools. :blink:
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    What a bummer, I decided to check out the latest versions of BufferZone, GeSWall, GreenBorder, and Sandboxie but none of them are good enough yet. So I sure hope that DefenseWall will rock, because basically I'm looking for a good sandbox HIPS (with a nice GUI) that I can use as a realtime protection tool, sort of like the "Software Restriction Tool" on steroids. ;)

    Quick review:

    BufferZone: It's a resource hog, plus it doesn't play well with other HIPS.
    GeSWall: Interesting tool, but apps didn't work correctly, plus you need the Pro version for additional rules, unless you're an expert.
    GreenBorder: Won't run on any of my virtual machines, plus it offers protection only for IE and Firefox.
    Sandboxie: This is my favorite tool, but the "sandboxed folder" can be annoying.

    More about Sandboxie:

    The virtualization (sandboxed folder) is cool when you want to quickly check out an app without risking any damage to your real system, but if you use SBIE to protect apps from "drive-by attacks" and thus constantly run them "sandboxed", it can be annoying, because everything that you save (in the browser or MS Office, for example) will end up in the sandboxed folder. I'm not sure if the latest version provides a workaround for this by editing the configuration file.
     
    Last edited: Jan 13, 2007
  17. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    It does.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    ^^^^^

    OK this would be really cool, thanks for the feedback. So I guess it will now become a fight between Sandboxie and DefenseWall. :D
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I will do it as soon as I get the next version of the skin. The deadline for receiving it has already passed, but the person who is responsible for this is still unavailable via e-mail and ICQ. I have no choice - I'm waiting...

    No, they are not sandboxes at all, because they are not based on a built-in ruleset; you need to create rules manually on each computer.

    No need to fight, the fact is that both are already the winners! :D http://www.techsupportalert.com/issues/issue140.htm#Section_1.1
     
  20. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Techsupport wrote:
    "[I] say "accidentally" because DefenseWall allows you to run downloaded files quite safely by selecting the "run as untrusted" option from the mouse right click context menu. In this case they are completely sandboxed and your PC cannot become infected. However if you didn't use this option and absent-mindedly double click an infected download, then you could get infected."

    I run DW in normal mode (as opposed to expert mode), and if I double-click on a downloaded file I expect it to run as untrusted, not as trusted. The behaviour Gizmo explains I thought was true for expert mode, not for normal/default mode.

    Please explain.

    Best Regards
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, there is "untrusted" attribute inheritance (not for all the file types). What happened in this case, I don't know. This is a question for Gizmo! Maybe it was a bug in version 1.73 - sometimes it doesn't inherit the "untrusted" attribute. It is already fixed and will be released with version 1.74.
     
  22. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    A program installation file that's downloaded under, say, untrusted IE with DW in normal mode shall always inherit the untrusted status.

    Right or wrong?

    Give some examples of files that don't inherit the untrusted status in the future 1.74, and please also explain why.

    Best Regards
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Right!

    For example, .txt, .pdf, .jpg. Reason: there can be no malware within. Overflow-based errors in software that operates on those files, yes, but this is not DW's job...
     
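The distinction Ilya draws above between "sandboxing" as rights restriction and "virtualization" as redirecting into a container, together with the extension-based inheritance of the "untrusted" label from posts 21 and 23, as a toy model. This is an added example, not code from DefenseWall, GeSWall or Sandboxie; the paths, the `TRUSTED` set, the `PASSIVE_EXTENSIONS` list and the two sandbox classes are constructed assumptions.

```python
"""Toy model of rights restriction vs virtualization, plus label inheritance.
Added example, not code from DefenseWall, GeSWall or Sandboxie; paths,
the TRUSTED set and the rules are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed resources the policy sandbox treats as sensitive.
TRUSTED = {r"C:\Windows\system32\drivers\x.sys", r"HKLM\Software\Run"}
# File types the thread says need not inherit the untrusted label,
# because the file itself cannot carry executable code.
PASSIVE_EXTENSIONS = {".txt", ".pdf", ".jpg"}


@dataclass
class PolicySandbox:
    """Rights-restriction model (DW/GW style): block, do not redirect."""
    denied: list = field(default_factory=list)

    def write(self, proc_trusted, path, data, fs):
        if not proc_trusted and path in TRUSTED:
            self.denied.append(path)  # real resource is left untouched
            return False
        fs[path] = data
        return True


@dataclass
class VirtualizingSandbox:
    """Virtualization model (SBIE style): redirect writes to a container."""
    container: dict = field(default_factory=dict)

    def write(self, proc_trusted, path, data, fs):
        if proc_trusted:
            fs[path] = data
        else:
            self.container[path] = data  # the real system never sees it
        return True

    def read(self, path, fs):
        # Untrusted processes see the container's copy first.
        return self.container.get(path, fs.get(path))

    def empty(self):
        self.container.clear()  # 'delete sandbox' discards everything at once


def inherits_untrusted(filename, source_untrusted):
    """Does a file produced by an untrusted process keep the label?"""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return source_untrusted and ext not in PASSIVE_EXTENSIONS
```

The policy model refuses the write and leaves the real resource alone (the "rollback" list is just the record of what was denied), while the virtualizing model accepts it into the container, which is why emptying the container removes wanted and unwanted files alike.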
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ Ilya Rabinovich

    Perhaps you can post some screenshots of the new version over here or on your forum. I don't feel like installing the whole app, and other people had problems with the skin the last time. TIA ;)
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Done. At my forum...
     