DefenseWall protection

Recently I've been trying to find a solution that will allow to to protect certain applicayion processes from termination; such as LnS. That is possible with Sandboxie, but protecting SBIE's processes are not. Ideally I am looking for a stand-alone application, no HIPS, and that's what brings me to DefenseWall. I understand that DW is also able to protect certain files/processes from termination but is it able to protect its own? Out of the box I would say no, as APT was able to easily terminate them.

How good is DW at self-protection, with the right configuration against threats that may not be running as untrusted?

 

N8Chavez,


Try defensewall as it is intended, run APT as untrusted. When APT is a trusted program it has admin rights (when you run as admin).

DW is a HIPS, so it would not qualify according to your criteria.

Concept of DW = all internet facing applications run with limited rights (policy sandbox), files downloaded by an untrusted program are also marked untrusted. To enable this kind of saftety, ONLY thing to do is install DW, NO configuration, just use it as intended OUT OF THE BOX.

Why don't you downlad APT again (you had problably downloaded it before you installed DW), to see for yourself.

See pic

 

Touche, DW is indeed an HIPS. Perhaps I should be more clear with wat I meant to say. I would prefer not to use a classical HIPS, which DW is not.

My reasoning for wanting to know if a trusted application, and by that I mean a "threat" that might not be run as untrusted, could terminate the DW processes is because I don't trust this application, or any for that matter, to function as it is intended all the time. In short, what it there is a thread out there, now or in the future, that DW doesn't protect against? What then? You could either take never-ending scanner approach and add more signatures and improved heuristics or take the scannerless approach and add self-protection. So, in essence, I wanted to tet DW's defenses in case it screws up. It's not alone in doing so either. SBIE lacks this ability too.

"As it is intended" does not allow for the possibility for malfunction. Which, if you are relying on it as I might be, would leave the user totally screwed and vulnerable.

 

N8chavez,

You just started a chicken or the egg discussion (what was first?).

When you use DW as intended, extrernal source programs will run as untrusted/unprotected (meaning the untrusted program itself is not protected), unless you told DW to do otherwise.

When a programs is able to break this policy containment layer, it means that the defense of DW is broken. In such situations sellf protection would be useless also, since the malware was able to deceive DW in the first place (having untrusted status, but being able to run as trusted), so it will likely break DW self protection also (in this theoretical situation).

Knowing Ilya's he will not spend intellect and time to hypothetical situations in which DW would fail (providing a second chance safety net), he will only invest in improving DW in its core functionality.

Another core element of DW is that is unintrusive and easy to use, self protection of DW by trusted processes, problably would pop a question (do you really . ... ). DW is a quiet and easy to use HIPS, lets keep it this way.

So again DW dows not qualify your criteria, move on in your quest, but do not post wrong interpretations: DW's self defense is quite good out of the box (gainst untrusted processes/downloaded programs/drive by code infection).