GesWall 2.5.1 Fails Martin's Undetectable Keylogger

Discussion in 'other anti-malware software' started by Thankful, Jan 25, 2007.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    I am able to isolate the archive (compressed ZIP) but not the underlying executable. Is there a way to isolate the underlying executable? I have posted in the GesWall forum but have not received a response.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry, I can't understand what you mean exactly.
    You can right-click the exe and opt for "run isolated". It stops keyboard logging but not the mouse clicks.
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    If it's from an "untrusted" source (browser, p2p, etc), it should be isolated by default. Only if you run it as trusted. No?
     
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    Aigle and Someone,

    Thank you both for responding. Martin's Undetectable Keylogger is downloaded as an archive (compressed ZIP). I chose the most secure option for GesWall (Auto-Isolate, no pop-ups). The archive is isolated (has a 'G' on it). However, the underlying executable is not. There is no choice to isolate the underlying executable using 'right click'. It seems to me that the underlying executable should have the same security as its parent archive.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That is something strange.

    I get totally different results. Please put it on medium security with pop-up mode and retry.
     

    Attached Files: g.jpg (screenshot)
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    The assumption is the exe will run untrusted.
    If you get the same results as Aigle, and only "the mouse clicks" fail, it's GeSWall failing to protect you in that area, but it's running as untrusted.
     
  7. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    I believe my problem is my misunderstanding of how archives work. If I do an 'extract' of the archive to a new folder, I get the same results as Aigle and everything works fine. If I run the executable by double clicking without an 'extract', I can't isolate the executable.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Actually I get different results, as if I don't use WinRAR. As far as I know, the Windows built-in zip utility is still not in the GesWall application rules; they are working on it.

    That is the short answer. Personally, I asked a few questions about ZIP files etc. in the past and got some replies, but it never became clear; it is always a confusing issue for me and I did not bother much about this matter.

    You should write to their support for details.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    That's why I'm tending towards virtualization, and the fact that I can't clean the session.
    With policies, too much can be overlooked when programming. They have more work, and things can slip by. Virtualization tends to be simpler. Everything is in one place, nothing's real.
    It's always a work in progress, I guess. Not that anything escapes this problem...
     
  10. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    Aigle and Someone,

    I finally got a response in their forum (link below). Apparently, the Windows built-in unpacker is not supported. This doesn't make sense to me since one of the features of Windows XP is you don't need a third party ZIP utility. Thanks for your help in this matter.

    http://www.gentlesecurity.com/board/viewtopic.php?t=131
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Brian told me that they are working on it.
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Aha! I noticed something funny last night when I was installing GesWall Free at my cousin's house. He didn't have an unzipping program installed, so when I downloaded and ran Martin's keylogger as a demo of GesWall's abilities, GesWall didn't isolate it. I was gonna email the devs but I see they are already aware of the problem.
     
  13. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    After hearing more about the free version of GesWall I would like to try it, but I saw in one of its reviews that it is only for advanced users, and that you had to be careful or your PC may not start. I don't believe everything I read, especially on some of the software review sites, but it still gives me some pause. Any help with opinions and information from GesWall users would be appreciated. Thanks.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Workaround

    Download 7-Zip File Manager and associate zip files with 7-Zip. Make 7-Zip an untrusted program and give 7-Zip the Windows zip file icon; no one will notice.
     
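The situation worked out in posts 7, 10 and 14, modelled as an added example by the editor (this is not code from the thread, and not GeSWall's own rule engine): a simplified policy sandbox in which a process runs isolated if its image is in the untrusted-application rules, if its image file was written by an isolated process, or if its parent process is isolated. The application names, paths, the rule set, and the assumption that Explorer's built-in zip handler extracts and launches in-process are all hypothetical; the model only shows why a launcher that is missing from the rules breaks the label chain, and why the two fixes discussed (extract with an untrusted archiver first, or make 7-Zip the untrusted zip handler) restore it.

```python
"""Constructed model of 'isolate untrusted applications and propagate the label'.

Added illustration for the thread above; not GeSWall's implementation.
"""
from dataclasses import dataclass, field

# Hypothetical default rule set: the browser and WinRAR start isolated,
# 7-Zip and Explorer's built-in zip folder handler are NOT listed.
DEFAULT_RULES = frozenset({"firefox.exe", "winrar.exe"})


@dataclass
class Process:
    image: str
    isolated: bool


@dataclass
class Sandbox:
    untrusted_apps: set                      # images that always start isolated
    file_labels: dict = field(default_factory=dict)  # path -> written by isolated process?

    def start(self, image, path="", parent=None):
        """Isolate if the image is an untrusted app, if the image file carries the
        label (was written by an isolated process), or if the parent is isolated."""
        isolated = (
            image in self.untrusted_apps
            or self.file_labels.get(path, False)
            or (parent is not None and parent.isolated)
        )
        return Process(image, isolated)

    def write_file(self, writer, path):
        """Files written by an isolated process carry the label with them."""
        self.file_labels[path] = writer.isolated


def download_archive(sb):
    """The (isolated) browser saves the ZIP, so the archive itself is labelled.
    Returns the desktop shell, which is trusted and has no isolated parent."""
    browser = sb.start("firefox.exe")
    sb.write_file(browser, r"C:\Downloads\keylogger.zip")
    return sb.start("explorer.exe")


def run_from_explorer_zip_folder(untrusted_apps):
    """Double-click the exe inside the ZIP. Assumed here: Explorer's built-in
    handler extracts to a temp file and launches it itself, so no untrusted
    application is ever in the chain and the exe runs without the label."""
    sb = Sandbox(set(untrusted_apps))
    explorer = download_archive(sb)
    tmp = r"C:\Temp\keylogger.exe"
    sb.write_file(explorer, tmp)             # extracted by the trusted shell
    return sb.start("keylogger.exe", tmp, parent=explorer).isolated


def run_via_archiver(untrusted_apps, archiver):
    """Same ZIP, but opened by a separate archiver process (WinRAR, 7-Zip)
    which extracts the exe and launches it. Isolation holds only if the
    archiver is in the untrusted-application rules."""
    sb = Sandbox(set(untrusted_apps))
    explorer = download_archive(sb)
    unpacker = sb.start(archiver, parent=explorer)
    tmp = r"C:\Temp\keylogger.exe"
    sb.write_file(unpacker, tmp)
    return sb.start("keylogger.exe", tmp, parent=unpacker).isolated


def extract_then_run(untrusted_apps, archiver):
    """Extract to a folder with the archiver, then double-click the exe from
    Explorer. The file label survives even though the launcher is trusted."""
    sb = Sandbox(set(untrusted_apps))
    explorer = download_archive(sb)
    unpacker = sb.start(archiver, parent=explorer)
    dest = r"C:\Downloads\keylogger\keylogger.exe"
    sb.write_file(unpacker, dest)
    return sb.start("keylogger.exe", dest, parent=explorer).isolated


if __name__ == "__main__":
    print("explorer zip folder, default rules :", run_from_explorer_zip_folder(DEFAULT_RULES))
    print("WinRAR launches it, default rules  :", run_via_archiver(DEFAULT_RULES, "winrar.exe"))
    print("7-Zip launches it, default rules   :", run_via_archiver(DEFAULT_RULES, "7zfm.exe"))
    print("7-Zip launches it, 7-Zip untrusted :", run_via_archiver(DEFAULT_RULES | {"7zfm.exe"}, "7zfm.exe"))
    print("WinRAR extract, Explorer launches  :", extract_then_run(DEFAULT_RULES, "winrar.exe"))
```

The first scenario is the gap reported in this thread: the archive carries the label, but the executable launched through the shell's own zip handler does not, because nothing in the chain between the trusted shell and the new process is an untrusted application. The third and fourth scenarios are the 7-Zip workaround from the post above: simply associating .zip with 7-Zip is not enough, 7-Zip must also be in the untrusted rules, otherwise it is just another trusted launcher.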
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I started using it when I had no idea of sandboxes and had little problem. BTW it never stopped my PC. It's easy to use on default settings.

    Remember each piece of software might have serious conflicts on different machines. I don't see many complaints about GW from users here.
     
  16. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Hey aigle, I just now saw your post here, but had already asked you in another thread on the XP Killer trojan thing about how easy GesWall is to use if I leave my hands off of it and use the existing rules it has. I believe you just answered it here though. LOL. Thanks. I have Cyberhawk, which I see you do too, and AVG ISS, which works with just about anything, so there shouldn't be any conflicts, I would think. Is adding GesWall overkill though? I saw where Kees1958 thinks it would add to my security from what he posted in the other thread.
     
  17. KikiBibi

    KikiBibi Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    173
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not of course. I consider it my strongest line of defence so far that is non-signature based. You need not worry about rootkits even.
     
  19. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks aigle and KikiBibi. I do have one more question for you KikiBibi since you mentioned USB rules. I do use a USB Pen Drive device if I'm calling this the correct thing, that I insert into one of my front USB Ports on my PC to save a particular document I add to every day. This is a Corel WordPerfect Office file, so is there anything I should be concerned about? I read the GesWall website you posted, but I'm still not sure that any of what it reads applies to my situation. Thanks.
     
  20. KikiBibi

    KikiBibi Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    173
    duke1959,

    "For example, in case of network shares use the steps:"

    I made a mistake, that's not the USB rule.

    http://www.gentlesecurity.com/tips.html#sonydrm

    This situation can be applied to usb drive but I do not know yet how to create the rule. :(
    Still new to GesWall.

    Sorry for being OT.
     
  21. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    No problem KikiBibi. I appreciate any help I get. I may wait a little longer to try GesWall until I know my WordPerfect document won't be affected, if it even will, of course. I will wait to hear for more help.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You have to try to know. If problems happen you can even run it outside GesWall.
     
  23. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks again aigle, I may go ahead and install GesWall soon to see what it's all about, but is it easy to run a program outside Geswall?
     
    Last edited: Mar 1, 2007
  24. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I have removed GeSwall from my system, despite it offering good protection. There was a bug in it, which caused Geswall to isolate THE ENTIRE SYSTEM and I had to use Last Known Good Configuration to revert my system back to just a few minutes before the bug occurred.

    When I booted into Safe Mode, every single account which I used was isolated! The entire system was crippled and I did not find it nice at all!

    The earliest symptom started back late last year, when I logged on to my computer, the desktop wouldn't load at all! A dialog box came out which said: Windows- Virtual Minimum Memory Too Low.

    Desperate, I tried many times until I finally got in. I tried to start PerfectDisk, and knocked my own head when I remembered I had set its service to Disabled, because I was trying to slash down on the number of processes on my computer.

    I went into safe mode and set PerfectDisk's service to Manual. But then the stupid out-of-memory error kept stopping me from doing what I was trying to do, so since normal mode kept displaying an error like this and not loading the desktop, I tried defragmenting via the command line in safe mode. I was getting frustrated, and kept rebooting until I finally got to my desktop, started PerfectDisk and defragmented the hell out of my system. 5 page file fragments.

    That was not the end of it all, when they first released GeSwall 2.5.1, I installed the FREEWARE version over my existing version of Geswall at that time. And guess what, I was shocked to find that the freeware version I had contained all the features of the professional version!

    Shortly after this, I rebooted my system and found that the whole system was isolated! It was so powerful even the administrator account in safe mode on my computer was crippled seriously.

    Final resort:
    Last Known Good Configuration. I restored my system back to just a few minutes before the bug occurred, and wasted no time in using Eraser to erase all of GesWall's files and folders off my system. Then, I went to the section of the registry with all the local machine services, and deleted all keys with the name GeSWall.


    Now, my computer is working normal, I only have two accounts:
    I've renamed and password-protected the built-in administrator account in safe mode.
    The only account in normal mode is running as a Limited User to prevent damage.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, there are multiple ways to do that.

    1- If just for once, you can restart a GesWalled application temporarily outside GW from the caption button menu at any time.

    2- In the free version there is no tray icon option to disable the GesWall policy, but setting the GesWall security level to low (Isolate Jailed applications only) will disable GesWall's policy and all applications will run outside GesWall (assuming you don't have any jailed applications, and that is true in most cases, and in all cases if you are using the default rule set).
     

    Attached Files: 1.jpg, 2.jpg (screenshots)
    Last edited: Mar 2, 2007