DefenseWall protection

Discussion in 'other anti-malware software' started by n8chavez, May 16, 2008.

  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Recently I've been trying to find a solution that will allow me to protect certain application processes from termination, such as LnS. That is possible with Sandboxie, but protecting SBIE's own processes is not. Ideally I am looking for a stand-alone application, no HIPS, and that's what brings me to DefenseWall. I understand that DW is also able to protect certain files/processes from termination, but is it able to protect its own? Out of the box I would say no, as APT was able to easily terminate them.

    How good is DW at self-protection, with the right configuration against threats that may not be running as untrusted?
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    N8Chavez,


    Try defensewall as it is intended, run APT as untrusted. When APT is a trusted program it has admin rights (when you run as admin).

    DW is a HIPS, so it would not qualify according to your criteria.

    Concept of DW = all internet-facing applications run with limited rights (policy sandbox), and files downloaded by an untrusted program are also marked untrusted. To enable this kind of safety, the ONLY thing to do is install DW, NO configuration, just use it as intended OUT OF THE BOX.

    Why don't you download APT again (you had probably downloaded it before you installed DW), to see for yourself.

    See pic
     

    Last edited: May 17, 2008
  3. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Touché, DW is indeed a HIPS. Perhaps I should be more clear with what I meant to say. I would prefer not to use a classical HIPS, which DW is not.

    My reasoning for wanting to know if a trusted application, and by that I mean a "threat" that might not be run as untrusted, could terminate the DW processes is because I don't trust this application, or any for that matter, to function as it is intended all the time. In short, what if there is a threat out there, now or in the future, that DW doesn't protect against? What then? You could either take the never-ending scanner approach and add more signatures and improved heuristics, or take the scannerless approach and add self-protection. So, in essence, I wanted to test DW's defenses in case it screws up. It's not alone in doing so either. SBIE lacks this ability too.

    "As it is intended" does not allow for the possibility for malfunction. Which, if you are relying on it as I might be, would leave the user totally screwed and vulnerable.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    N8chavez,

    You just started a chicken or the egg discussion (what was first?).

    When you use DW as intended, external source programs will run as untrusted/unprotected (meaning the untrusted program itself is not protected), unless you told DW to do otherwise.

    When a program is able to break this policy containment layer, it means that the defense of DW is broken. In such situations self-protection would be useless also, since the malware was able to deceive DW in the first place (having untrusted status, but being able to run as trusted), so it will likely break DW's self-protection also (in this theoretical situation).

    Knowing Ilya, he will not spend intellect and time on hypothetical situations in which DW would fail (providing a second-chance safety net); he will only invest in improving DW in its core functionality.

    Another core element of DW is that it is unintrusive and easy to use; self-protection of DW against trusted processes would probably pop a question (do you really ...). DW is a quiet and easy to use HIPS, let's keep it this way.

    So again DW does not qualify for your criteria, move on in your quest, but do not post wrong interpretations: DW's self-defense is quite good out of the box (against untrusted processes/downloaded programs/drive-by code infection).
     
    Last edited: May 18, 2008