For DefenseWall or GeSWall owners thinking of going naked

Discussion in 'other anti-malware software' started by Kees1958, Jun 25, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Sounds really interesting and I was almost tempted myself to try it until noticing the installer rests at a hefty 51+MB, much too much space for me, but then it IS also a full fledged AV even though the user can opt for On-Demand Only with it and just use the HIPS, which looks very promising.

    But, I think I'll just do some reading of reviews and settle for the time being with "Lite" installations of HIPS!
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    But it's not a statement, it's a question...
    :)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You are right, it is a question; my interpretation was wrong due to Trjam's statement (you only need GW).

    Regards K
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, good old Easter's "Lite" HIPS setup only consists of
    - Surun
    - CyberHawk
    - Virtualisation: Returnil/PowerShadow/Sandboxie
    - HIPS: AE and EQS

    Do you have this in different setups/images/PCs or have you programmed a smart EASTER behavioral auto repeat clicker (to answer all pop-ups with one mouse click)? ;) You are probably the only one at Wilders who has all hooks covered (at least) twice.

    K
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    And I still say it.:)
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Haha Trjam, you can say it, but are you actually doing it? I see you changing avatar so often. . . . . :D
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Anybody?

    To ask it another way, what will GeSWall Pro miss that an AV will catch?
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry, I was not clear, try for yourself

    Download AWFT (a leaktest)
    Install it (it installs in user space)
    Run it

    So an AV will protect you from known malware not needing Admin rights.

    It gets even worse with GW (note: not DW) when the executable is moved to another partition. Then GW will change the untrusted state to trusted; now this malware has admin rights and gets full control over your system. An AV will warn you about known baddies.
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Need Kees' insight once again with RAV :p

    I can't seem to figure out how to limit access to programs. If I put opera.exe on the Application Access Control list and set all rules to ask, naturally it will ask if Opera spawns another application such as a download manager or PDF viewer, for instance. But this happens even if Opera is set to allow spawning of such applications via Program Startup Control rules. Would that suggest that some modules take precedence over others?


    Another note is that even with System Reinforcement set to high, system.ini and win.ini file modification is set to Accept as default. Shouldn't that be set to Ask?
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See attached images for Opera. Yes, it looks like the hierarchy of System Reinforcement is also the rules hierarchy. When you have DW or GW on board, you do not need to add Opera in Application Access Control.

    Yep, that is why I set it to custom, I have this set to ASK, also format set to Refuse, other settings are okay by default.
     

    Attached Files:

  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Nice catch! I just checked and you are right, I changed it to 'ask'.

    Good idea. I changed mine to refuse too.
     
  12. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    kees1958, thank you very much for the Rising tutorial.

    Dave

    Please keep the photos coming; I'm a HIPS dunce!
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    @kees, is there anything you cannot tweak or configure? When is your own security app being released? :D
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Strange habit of mine.

    Tweaking security apps, motor bikes, everything.

    I have not programmed in 25 years or so, maybe when I retire in 15 years.

    :cool:

    I really like DW + Rising HIPS combined, see pic. You can use the AV + VM engine for heuristics and schedule a two hour memory + boot record sweep (sort of like old BOClean did, only limited to a sweep once every two hours). Because Rising HIPS concentrates on static parts of your OS, it is a quiet HIPS (also the split source - target protection is an improvement over the classic HIPS scheme). The risky areas are trapped in a strong LUA environment, the weak areas have an extra guard, all others get just a low level of interference. Defense strength and risk (chance) are coupled, so it is a user friendly and efficient setup.
     

    Attached Files:

    Last edited: Jul 2, 2008
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    ;)
    Motor bikes, did you say motorbikes? Care to see my new Nomad? ;)
     
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Ya, I tweaked, or should I say pimped, my Harley Davidson Sportster out to about 95 percent chrome. Talk about upkeep, I spent more time cleaning and waxing than riding.
     
  17. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I've downloaded Rising AV and their firewall. I'm not sure whether it's a step forward or backward from AE and DeepFreeze. They, and Threatfire are running smoothly. It's been so long since I've used a firewall, having both router and modem hardware firewalls, that I'm kind of re-learning how to use one. So far, I'm very happy with Rising products.

    Star Silverado motorcycle here. Love it.
     
  18. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Another newbie query :D

    Is there an option to use RAV to scan files only at write and not on execute?
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    So there is a correlation between motor bikes and security :D

    @Chuck

    Better to check your router settings than adding a software firewall, see general note https://www.wilderssecurity.com/showpost.php?p=1272813&postcount=6.

    When not spending money on a policy based HIPS like DefenseWall or GeSWall, try GeSWall free (replace RFW for GW free).

    Try configuring the HIPS of Rising as described in this thread. Together with DW it only fails ONE leaktest = DNSTESTER, all others pass, see https://www.wilderssecurity.com/showthread.php?t=213968 , so why bother with an outbound firewall?

    Regards Kees
     
    Last edited: Jul 3, 2008
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, browse through the file protection settings.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It's in my nature to steer away from any installers pushing more than 30MB, just can't help myself, and it's not for lack of space for sure, plenty of that.

    I do like everything I have seen so far in Rising's HIPS (great screenshots) and would be thrilled if they split that app up and just offered the HIPS. AVs for me are a system weight and resource hog, even though they have improved over the years, but still I find HIPS much more efficient because I am very much familiar with the identities of interactions within the system and what is acceptable compared to what's not. I need no more blacklists to help make those determinations or spend time stacking up a huge local blacklist database, when a whitelist will do nicely.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    The combo Rising + Policy sandbox is based on whitelisting, but differently implemented than in classical HIPS or AntiExecutables.

    D+/SSM/EQS all look at the process first, next at the attack vector in a parent - child relation. They ask you what to trust/whitelist on a per exception/intrusion basis.

    GW/DW focuses only on untrusted processes/files and limits rights/policies on a quiet (deny) basis, so zero to very few pop-ups.

    Rising's classical HIPS has a very smart setup: it limits its protection to specified processes (and part of the System with predefined process/file/registry protection) using a startup monitor (starting application X by other programs), protecting a specific application (against dll/code injection, memory modification, sending/simulating keys/hooking=keylogging, suspend/terminate), limiting access of an application (starting up others, driver install, kernel data tampering, setting global hooks) and a heuristics analysis (I have set it to low). You can protect the vulnerable parts from within and get zero to few pop-ups.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well,

    Stopped playing with it, back to the old trusted combo DW + TF. Reason for going back?

    None, I managed to get a bug out of the BIOS, so the memory of the PC is recognised right (for the first time in three years, near the end of the lifetime of an average PC); just laziness and old habits keeping TF on.

    Bottom line
    - Rising is a lean AV, with good (close to first tier AV) results
    - Rising's HIPS makes it stand out. It is a candy box to configure, so for the average experienced user, willing to invest some time, it is a great application (good alternative to ThreatFire)
    - Best free AV: for me Rising is the only free AV which can compete with Antivir for effectiveness.

    Rising versus TF + Antivir combo:
    Pro Rising
    - as effective, less CPU power needed
    - fully configurable (you know what is protected)

    Downside Rising
    - it has many options; also, because some defaults are set to deny, you should invest time in these options
     
  24. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Kees1958, would using Rising AV along with DriveSentry go overboard or do they complement each other well? Also, I know you've used Rising, but not sure about DriveSentry, but do you have any good configuration tips for either of these programs for someone who wants the full protection and is willing to learn, but would prefer a quieter learning period?

    My setup, if it will work well, is to be DriveSentry, Rising (to replace Avast now that Rising has been put through some tests here and come out alright), Returnil Premium and SandBoxIE. Would you consider this too much or just about right? I understand Defensewall to be a great app, but right now I'm trying to keep things free if I can.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DW426,

    Note that my opinion on setups is colored by preferences.

    Limit your current setup to
    A) Rising AV+HIPS and use either SBIE or Returnil, not both; you should add your web browser in the Startup Control, Access Control and Application Protection of Rising. Have you looked at GeSWall free? (When you are happy with SBIE you do not need to.)

    B) Freeware alternative
    Next OA release (set allow unknown programs to start, do not prompt, and run unknown programs as run-safer) + Freeware DriveSentry; the freeware versions fit well together, although I had some problems with DS free release 1 (a few unstable, non-reproducible memory exceptions, but this will be fixed over time, after all it is the first full freeware release).

    Regards Kees
     