Defensewall

Discussion in 'other anti-malware software' started by waters, Nov 24, 2009.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I have an issue:

    Window walking
    R-click DW tray icon/Main/Untrusted or Events Log or Advanced

    How do you get back to Main and the Big Naked Button?

    Intentionally installed some malware and couldn't find many modifications in DW.
    The malware was flagged by Prevx 3.0 free.

    It wrote memory in another process:
    msctf.dll, lpk.dll, usp10.dll, uxtheme.dll, setupapi.dll, secur32.dll, propsys.dll,
    clbcatq.dll, linkinfo.dll, ntshrui.dll, netapi32.dll, psapi.dll, cscapi.dll, slc.dll

    What I did find in DW were some registry modifications, about 8.
    Attempted to visit Dr. Web Cure It, refused to load site even after deleting registry traces in DW.

    Using an autorun tool, I was able to delete some drivers and was now allowed to go to the Dr. Web site. After another reboot, was able to download the AV.

    Does DW allow me to delete autorun driver entries like other tool?
    Is there a stored list of autorun locations similar to the registry traces?

    My Poker Client:
    How can I install it as untrusted? It was making the same modifications as the malware, writing memory of another process, from same list as above. :eek: :'(

    It doesn't try to connect to internet until after install.
    What if the installer is installing a rootkit, I don't want it to have trusted access. ;)

    A2 Anti-Malware was installed as untrusted, it was 'unable to install "asquared antimalware free service" '. Scans OK. Detected malware installers.

    Just a few things I noticed. :D
     
  2. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    How about Geswall ,it has no rollback feature so what happens to file and reg tracks,are they left on the system or does it have another way of clearing them
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    "Stop Attack" sheet of the main dialog.

    Did you install as untrusted?

    That are dlls, not processes.

    Did you stop untrusted processes before visiting DrWeb site?

    If you mean malicious drivers, they just couldn't be installed if untrusted. So, my question is still here: did you install that malicious software as untrusted?

    No, such that tools are not for novice users.

    I have no idea.

    All the security software should be installed as trusted.
     
  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Searching, as Ilya pointed out, you install your software including your poker client and AV programs as 'trusted'.

    That means when the installer is downloaded, you must right-click on the file and select 'change status to trusted'.

    A2 will then run fine. Regarding the poker client, once the file is installed, right-click on the exe file of the poker program, and select 'change status to untrusted' - that way it is installed correctly, but any additional changes by the program or anything it downloads will be monitored by DefenseWall.
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Also, with CureIt, make sure you don't just click on the download and run it in the browser (I'm assuming it won't be able to run properly, as the browser and all files within it are untrusted).

    Always 'right-click and save the file' on the desktop. Then right-click and change status to trusted, and then run the file.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It has an untrusted file scan feature too and you can delete files from there.
     
  7. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    Thanks agile,i notice it redirect access sometimes ,what is it doing?
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Seems like a simple thing. Click the "stop attack" tab to go back to main.
    Hey, they are tabs. :oops: Without the skin they look like buttons.

    Installed via browser, never gave it trusted status.

    OA called them processes, not me. I know processes are .exe's.
    Can an .scr be a process? or any other executable extension?

    I clicked on the Big Naked Button after I could visit the site. Tried to visit the site again, no go. So I broke out the autorun cleaner.
    Should I have rebooted after Stop Attack?

    Not only did I not trust it, I was also using SBIE. Deleting SBIE contents didn't solve.

    So why not make it "List Only"?

    My bad. :ouch: I'm still learning about DW.
    I have deleted all of the registry traces, do I need to do any thing else?
    Would rollback have been a better option to choose?
     
    Last edited: Nov 29, 2009
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    But I don't trust my poker client. I don't trust anybody where large sums of money are involved.

    I ran A2 as untrusted...oops. Now what do I do to fix it?

    How am I protected if the installer, that I run as trusted, is installing a rootkit?
    Poker Clients don't trust people either. They are trying to stay ahead of hackers. :doubt:
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Upload to rapishare and send me a link. I'll check out what is wrong.
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Simple- uninstall and install as trusted.
     
  12. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Uninstalling a program does not remove the files location from the untrusted group.
    Was still getting install errors with A2. Fixed now by removing file folders from untrusted group.

    Not able to visit a security website is not a security tool conflict issue.
    That is a malware not wanting me to kick it's butt issue!

    How was it able to do this while I had DW installed?
    It must have installed other things that DW didn't catch or continued to run within DW.

    If it continued to run, How do I track changes?
    How do I revert to the point before the infection?
    Is removing registry and traces all that is required?
     
  13. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I'd pick a poker client you know is reputable, install it as trusted. Now if after running it, it behaves in a 'dodgy' way, which they can start to do, that's why running it as 'untrusted' will prevent it from doing any harm.

    Ilya, some options if you ever rename:

    trusted as 'good' and untrusted as 'bad'.

    trusted as 'safe' and untrusted as 'dangerous'.

    I like it how it is (trusted/untrusted), but might be easier for some to understand (good/bad or safe/dangerous) ;)
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What programs, in addition to the default list, do you guys add to untrusted for continual protection?
     
  15. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Any programs such as limewire or frostwire, programs sharing files and downloads. Any messenger clients such as msn. Your PDF reader, if it is different to Adobe Reader, such as Foxit reader.

    Whichever program you're using to browse/share/download files that may cause harm to your system.
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Uninstall A2 and install again.
     
  17. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    575
    Location:
    Moon
    new skin in rc version looks like the old skin in 2.09.
    i really like it
     
  18. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    So the only thing missing is the skin? Everything else works perfectly? Skins is overrated anyway imo.
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    A lot of listening ports.

    Server farm...
    edit: was a tool I used. Hehe....ok. My bad.
     
    Last edited: Nov 30, 2009
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    redirect is the virtualization of reg and some files by geswall.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    no it can't protect in this way if the installer installs a driver etc.
     
    Last edited: Nov 30, 2009
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I think his best bet would be to run either returnil or shadow defender.

    Enter shadow mode, install the program, play poker for a day or two, or even a week. Then reboot. And system back to normal.

    Just keep the installer file on the desktop. If you're paranoid about the installer file, just enter shadow mode and download installer, setup program.

    If you're worried about the installer that much, shouldn't be using the program in the first place. It'd be like me running a rootkit just because it played me music videos and entertained me. Not worth it, I say.
     
  23. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Regarding file and registry tracks, I've decided not to bother with it anymore. ;)

    I search the list from time to time, to see if there's anything I want to delete.

    But otherwise, I just let defensewall do its thing (throw in scan with hitman pro and a-squared free). Works better that way. :)
     
  24. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    I found out how to keep the utorrent settings.Now i am more used to it and after trying others and installing again,i have paid for it.After using Sandboxie it takes some getting used to but i can now run all my programmes easily .I had problems with Windows live and Sandboxie.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.