DefenseWall protect against email attachments?

Discussion in 'other anti-malware software' started by kvernick, Jan 10, 2007.

Thread Status:
Not open for further replies.
  1. kvernick

    kvernick Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    6
    Maybe I missed something, but DW makes Eudora untrusted, which it should be, it's internet-facing. However, why is an email client a potential problem? - partly because of potentially infected downloaded attachments, right? But the files downloaded by this untrusted application have the property of "trusted". This looks like a problem to me. Eudora really is running as untrusted, it has the banner on the top of the window that says so. And the downloaded files really are all trusted, by right-clicking to DW file properties. I can double-click on any of the downloaded files and they open in their application (e.g., Word), which is then a trusted application running a trusted file downloaded straight from outside by an untrusted application. Is this really the leak that it appears to be?

    I know, don't open any attachments, but I have to open some and I would hope that these processes could be inside the DW protection.

    Would it solve this if I make the whole download directory untrusted? That is, will everything saved into that directory also become untrusted?

    Thanks for any help.
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    1. Yes, e-mail clients are well-known gates of infection. There are two possible ways: running attachments and using e-mail clients' vulnerabilities.

    2. As for "trusted" applications downloaded via an untrusted application: DefenseWall will start supporting "untrusted" attribute inheritance for MS Office files with version 1.74.

    3. Yes, it is possible to make the whole download directory untrusted.
     
  3. kvernick

    kvernick Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    6
    I verified that if I make a whole directory untrusted, then all of the files already existing or written into that directory acquire the property of untrusted. Although as you point out, the gain is limited because such files still open in Office apps with the app (for example Word) running as trusted. The update you mentioned (Office apps inheriting the file property) would be a big help.

    So to summarize, it seems like for now the best thing would be to make the download directory untrusted, but still be careful because files can be run by trusted apps. Is that right?

    BTW, DW is a great program, powerful and transparent to use. I am now using DW on desktop and Greenborder on laptop, to figure out which one will work best for me overall. Right now, GB is really just a browser sandbox. GB currently has no way to do what I am asking, protect against email downloads. The GB support said this:
    Running Eudora inside GreenBorder may result in downloaded mail being permanently lost when the virtual environment is reset.
    What you can do is right click the downloaded attachments and add protection to them before you run them.

    Right-clicking and protecting every download file by hand before you run it is not reasonable, and since it needs a manual step (which you can forget) is not really security either.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, yes. You are right. For some types of files, "untrusted" attribute inheritance is not supported. There is no need, for example, to inherit "untrusted" for .txt files; I hardly believe they could be infected. Problems with MS Word files are quite new.

    Thanks, I do my best with the help of my beta testers and users.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ilya,

    I like your program very much and rate you an excellent security expert but "problems with office are quite new" does make me wonder.

    Word-related macro viruses have been around for some time, so please explain.

    Regards, Kees
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, macro viruses have been dead for a long time (since 2000, if I remember right). Right now MS Office allows only signed macros to execute by default. This has finished off any kind of macro viruses within MS Office files.

    Current MS Office file security problems are about the OLE2 container framework; they were discovered in the middle/end of 2006, and they do not concern macros. I thought it was just a single vulnerability, but there are a huge number of them right now and some of them are unpatched. That is the reason I am adding MS Office files to the group of files that inherit the "untrusted" attribute.
     