DefenseWall Is Preventing Me From Installing RegRun Platinum 4.5

Discussion in 'other anti-malware software' started by CogitoErgoSum, Dec 31, 2005.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    What do I have to do with DefenseWall that will allow me to install RegRun Platinum 4.5? Any comments or advice would be greatly appreciated.


    Peace & Love,

    CogitoErgoSum
     
  2. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Well, if any application was stopping me then i would close down that application and then install Regrun. I'm sure you will be well protected by your other apps while DW is closed down.

    By the way, I just registered Regrun Platinum today. What a cracking application. It's my fave.

    muf
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I know that it does automatically put a lot of zip files in the untrusted area, so that's most likely what's happening. Unfortunately DW runs at the driver level, so just closing the UI won't do anything. What I would do is open the zip file, then look at the list of untrusted processes that are running, figure out which one it's keeping untrusted, and disable protection for that process (and close/reopen the zip file).
     
  4. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Yeah, but surely it has the option to close it down completely. I mean Online Armor has an option from the system tray that allows me to close down the GUI and the application itself. Are you saying that Defencewall won't allow this?

    muf
     
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Notok,

    I determined that there are two untrusted processes running when I open the zip file and click on the regrunplat450.exe file. Unfortunately, these two untrusted processes are temp files that change their file name or directory every time I close and open the zip file and click on the regrunplat450.exe file. It is because of this that I cannot disable the protection for these processes. The only thing that I can think of is to uninstall DefenseWall during the install of RRP and reinstall it afterwards. Please advise.


    Peace & Love,

    CogitoErgoSum
     
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    have u tried installing safe mode?
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Nope.. unfortunately the only way to disable protection is to uninstall it.

    I think the easiest way of doing this would be to just extract regrunplat450.exe somewhere and then run it, rather than just running it from your zip program. Just make sure that you didn't set the folder that you're running it from as Untrusted.
     
  8. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Uw, bummer. And there was me thinking of giving Defencewall a whirl. Just off to put on my re-think cap. :)

    muf
     
  9. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Notok,

    FYI, I downloaded "regrunplat.zip" into "My Documents" folder. Before I clicked "regrunplat.zip" which revealed "regrunplat450.exe", I right-clicked "regrunplat.zip" and selected "run as trusted". I guess that means that I am using the standard resident WinXP zip program. Unfortunately, after clicking "regrunplat450.exe", I can still clearly see that DefenseWall considers this file as "untrusted".

    To quote your latest post, "I think the easiest way of doing this would be to just extract regrunplat450.exe somewhere and then run it, rather than just running it from your zip program. Just make sure you didn't set the folder that you're running it from as Untrusted." What can I specifically do differently to conform to your recommendation? I greatly appreciate your help and patience.


    Peace & Love,

    CogitoErgoSum
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That is strange... I would contact the developer.

    Just double click on "regrunplat.zip" and drag-and-drop "regrunplat450.exe" to the desktop, then just run "regrunplat450.exe" from the desktop :)
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hi!

    The main problem of the runnnig application from the archive- it is impossible to trace the source for the extracted file. That is why the only choise I have is to put applications running from the %TEMP% directory by the processes I know as unpackers (Explorer, WinZIP,WinRAR, 7-zip) into the untrusted zone automatically, because I don't know if they are trusted or not. The only siggestion is to extract application from the archive DefenseWall could know how to run it (trusted or untrusted). I'll think if I can do something to make this process easyer and more understandable. Any suggestions?

    P.S. All this things are described in the FAQ section of the Help file.
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, the main aim was if it is impossible to switch off the protection from the ring3- mode it will be impossible for the malware to switch off the defense. Even if you close GUI the defense will be working anyway (and protecting you!). That is why DefenseWall is designed this way!
    As about running applications directly from the archives- I've designed it this way because I have no other choise. Just put yourself on my place- what would you do if it is impossible to trace the source of the unpacked application file?
     
  13. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Yeah but this way you also stop the user from closing it down. This basically means that the user has no control over DW. I don't like that. There should be a way for the user to shut it down completely. i.e When you install Defencewall you have to set up a password and then when you want to close it down it asks you enter the password to verify it.



    CogitoErgoSum,
    Could you not disable DW from starting up. Disable the service and GUI from ever starting, then once you get Regrun installed you can re-enable the DW startup of the service and GUI. Or is DW resistant to this as well?

    muf
     
  14. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    "Quote:
    Originally Posted by Ilya Rabinovich
    Well, the main aim was if it is impossible to switch off the protection from the ring3- mode it will be impossible for the malware to switch off the defense. Even if you close GUI the defense will be working anyway (and protecting you!). That is why DefenseWall is designed this way!

    Yeah but this way you also stop the user from closing it down. This basically means that the user has no control over DW. I don't like that. There should

    be a way for the user to shut it down completely. i.e When you install Defencewall you have to set up a password and then when you want to close it down it asks you enter the password to verify it.


    CogitoErgoSum,
    Could you not disable DW from starting up. Disable the service and GUI from ever starting, then once you get Regrun installed you can re-enable the DW startup of the service and GUI. Or is DW resistant to this as well?"




    muf It seems that the service won't be read - but you can change it to a manual start - install and then change back as you suggest.
     
  15. I must agree with muf. Defesencewall is hardly the first and only program to run in ring zero, and not allowing the user to temporarily shut it down is silly.
     
  16. I must agree with muf. Defesencewall is hardly the first and only program to run in ring zero, and not allowing the user to temporarily shut it down is silly.
     
  17. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Notok,

    Thanks for the help as I was able to install RegRun Platinum 4.5. I followed your advice with a slight twist. I set "regrunplat.zip" to "run as trusted" before opening it. I then copied and pasted "regrunplat450.exe" to the desktop. Next, I set "regrunplat450.exe" to "run as trusted" before running it from the desktop.


    Peace & Love,

    CogitoErgoSum
     
  18. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks muf and Ilya for your advice.


    Peace & Love,

    CogitoErgoSum
     
  19. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Just glad you got it sorted. Pity you had to go through all that faffing around to do so. At least you got there in the end. :)

    muf
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Glad to hear it :) You should be able to extract to the desktop without disabling protection on the zip file itself in the future, but at least you know what to do from now on :)
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, I'm afraid, you are wrong. Just think: how many _real_ users will set up the password? No-no, just let me guess- non of them?

    I'm afraid, you are wrong one more time. If CogitoErgoSum need to disable DW, he should set "Start" field of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwall" registry key to "3" and restart. The DW driver won't be loaded at startup.
     
  22. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Firstly, the password suggestion was just a "on-the-fly" suggestion. There are other ways you could accomodate user termination.

    Secondly, users usually have to tamper with the registry when they are infected with something that is difficult to remove. Ring any bells? This Defensewall is sounding more and more like a piece of malware itself. Needless to say i've deleted the installer as i prefer something on my computer that I have control over.

    muf
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Just name me one of them that could be used in the real world with the real users.

    It is very easy to remove DW. With three mouse clicks. Ring any bells?

    I'm afraid, you still don't know the defenition of the "malicious software". Google will help you!

    Then you should delete your Windows OS from your hard disk, because it give you non of the chance to being controled over! Linux forever!
     
  24. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Disabling Defensewall from startup with Winpatrol seems to work without going into the registry.

    Great to see that Defensewall protects against the latest WMF exploit.
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, you are wrong. There are two ways to disable DW from protecting the system.
    1. Delete dwall.sys into "Recicle bin" and restart (later it will be very easy to restore file and restart to rise up the protection).
    2. Set "Start" field of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwall" registry key to "3" and restart.
    All those actions are not allowed for the untrusted processes and, also, restart will close untrusted processes zone. That is why it is 100% safe method instead of the disabling the protection on-the-fly.

    DefenseWall doesn't protect against WMF exploit themself. It protect you from the malware consequences. It put them inside the untrusted processes zone and doesn't allow to modify system's parameters, to break thought the sandbox and to autorun.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.