Defensewall

I have an issue:

Window walking
R-click DW tray icon/Main/Untrusted or Events Log or Advanced

How do you get back to Main and the Big Naked Button?

Intentionally installed some malware and couldn't find many modifications in DW.
The malware was flagged by Prevx 3.0 free.

It wrote memory in another process:
msctf.dll, lpk.dll, usp10.dll, uxtheme.dll, setupapi.dll, secur32.dll, propsys.dll,
clbcatq.dll, linkinfo.dll, ntshrui.dll, netapi32.dll, psapi.dll, cscapi.dll, slc.dll

What I did find in DW were some registry modifications, about 8.
Attempted to visit Dr. Web Cure It, refused to load site even after deleting registry traces in DW.

Using an autorun tool, I was able to delete some drivers and was now allowed to go to the Dr. Web site. After another reboot, was able to download the AV.

Does DW allow me to delete autorun driver entries like other tool?
Is there a stored list of autorun locations similar to the registry traces?

My Poker Client:
How can I install it as untrusted? It was making the same modifications as the malware, writing memory of another process, from same list as above.

It doesn't try to connect to internet until after install.
What if the installer is installing a rootkit, I don't want it to have trusted access.

A2 Anti-Malware was installed as untrusted, it was 'unable to install "asquared antimalware free service" '. Scans OK. Detected malware installers.

Just a few things I noticed.

 

How about Geswall ,it has no rollback feature so what happens to file and reg tracks,are they left on the system or does it have another way of clearing them

 

"Stop Attack" sheet of the main dialog.

Did you install as untrusted?

That are dlls, not processes.

Did you stop untrusted processes before visiting DrWeb site?

If you mean malicious drivers, they just couldn't be installed if untrusted. So, my question is still here: did you install that malicious software as untrusted?

No, such that tools are not for novice users.

I have no idea.

All the security software should be installed as trusted.

 

Searching, as Ilya pointed out, you install your software including your poker client and AV programs as 'trusted'.

That means when the installer is downloaded, you must right-click on the file and select 'change status to trusted'.

A2 will then run fine. Regarding the poker client, once the file is installed, right-click on the exe file of the poker program, and select 'change status to untrusted' - that way it is installed correctly, but any additional changes by the program or anything it downloads will be monitored by DefenseWall.

 

Also, with CureIt, make sure you don't just click on the download and run it in the browser (I'm assuming it won't be able to run properly, as the browser and all files within it are untrusted).

Always 'right-click and save the file' on the desktop. Then right-click and change status to trusted, and then run the file.

 

It has an untrusted file scan feature too and you can delete files from there.

 

Thanks agile,i notice it redirect access sometimes ,what is it doing?

 

Seems like a simple thing. Click the "stop attack" tab to go back to main.
Hey, they are tabs. Without the skin they look like buttons.

Installed via browser, never gave it trusted status.

OA called them processes, not me. I know processes are .exe's.
Can an .scr be a process? or any other executable extension?

I clicked on the Big Naked Button after I could visit the site. Tried to visit the site again, no go. So I broke out the autorun cleaner.
Should I have rebooted after Stop Attack?

Not only did I not trust it, I was also using SBIE. Deleting SBIE contents didn't solve.

So why not make it "List Only"?

My bad. I'm still learning about DW.
I have deleted all of the registry traces, do I need to do any thing else?
Would rollback have been a better option to choose?

 

But I don't trust my poker client. I don't trust anybody where large sums of money are involved.

I ran A2 as untrusted...oops. Now what do I do to fix it?

How am I protected if the installer, that I run as trusted, is installing a rootkit?
Poker Clients don't trust people either. They are trying to stay ahead of hackers.

 

Upload to rapishare and send me a link. I'll check out what is wrong.

 

Simple- uninstall and install as trusted.

 

Uninstalling a program does not remove the files location from the untrusted group.
Was still getting install errors with A2. Fixed now by removing file folders from untrusted group.

Not able to visit a security website is not a security tool conflict issue.
That is a malware not wanting me to kick it's butt issue!

How was it able to do this while I had DW installed?
It must have installed other things that DW didn't catch or continued to run within DW.

If it continued to run, How do I track changes?
How do I revert to the point before the infection?
Is removing registry and traces all that is required?

 

I'd pick a poker client you know is reputable, install it as trusted. Now if after running it, it behaves in a 'dodgy' way, which they can start to do, that's why running it as 'untrusted' will prevent it from doing any harm.

Ilya, some options if you ever rename:

trusted as 'good' and untrusted as 'bad'.

trusted as 'safe' and untrusted as 'dangerous'.

I like it how it is (trusted/untrusted), but might be easier for some to understand (good/bad or safe/dangerous)

 

What programs, in addition to the default list, do you guys add to untrusted for continual protection?

 

Any programs such as limewire or frostwire, programs sharing files and downloads. Any messenger clients such as msn. Your PDF reader, if it is different to Adobe Reader, such as Foxit reader.

Whichever program you're using to browse/share/download files that may cause harm to your system.

 

Uninstall A2 and install again.

 

new skin in rc version looks like the old skin in 2.09.
i really like it

 

So the only thing missing is the skin? Everything else works perfectly? Skins is overrated anyway imo.

 

A lot of listening ports.

Server farm...
edit: was a tool I used. Hehe....ok. My bad.

 

redirect is the virtualization of reg and some files by geswall.

 

no it can't protect in this way if the installer installs a driver etc.

 

I think his best bet would be to run either returnil or shadow defender.

Enter shadow mode, install the program, play poker for a day or two, or even a week. Then reboot. And system back to normal.

Just keep the installer file on the desktop. If you're paranoid about the installer file, just enter shadow mode and download installer, setup program.

If you're worried about the installer that much, shouldn't be using the program in the first place. It'd be like me running a rootkit just because it played me music videos and entertained me. Not worth it, I say.

 

Regarding file and registry tracks, I've decided not to bother with it anymore.

I search the list from time to time, to see if there's anything I want to delete.

But otherwise, I just let defensewall do its thing (throw in scan with hitman pro and a-squared free). Works better that way.

 

I found out how to keep the utorrent settings.Now i am more used to it and after trying others and installing again,i have paid for it.After using Sandboxie it takes some getting used to but i can now run all my programmes easily .I had problems with Windows live and Sandboxie.