Geswall and APT

Discussion in 'other anti-malware software' started by Atomas31, Aug 2, 2009.

Thread Status:
Not open for further replies.
  1. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi,

    So I have tried Application process termination 4.2 (run isolate) against Geswall 2.9 and strangely APT could not kill/terminate any process that where not isolate but could easyly kill/terminate, with any method, any process that where running isolate like my browser (firefox) and email (OE), is this normal or a design flaw?


    Thanks,
    Atomas31
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Normal, as isolated applications can kill other isolated( untrusted) but not non-isolated( rusted) ones.
     
  3. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Aigle,

    Does that mean, that if I open a nasty, that nasty would still be able to mess with my browser and my email (wich are run isolated)o_O o_O


    Thanks,
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not too much i think.
    What specifically you mean by messing?
     
  5. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Well, here's what I have done :

    I had OE and Firefox open (with Geswall on for both) and I decided to teste APT 4.2 against Geswall. So I run APT 4.2 as isolated by Geswall.

    I then choose a process and try every killing/terminate method of APT 4.2 on it and Geswall protected it without a sweet. I tried a few other process same thing.

    Then I tried with OE and APT 4.2 could kill it same thing with Firefox. I reopen OE and Firefox (with geswall on for both) a couple of time and try different killing/terminate process with APT 4.2 and they all succeed in killing OE and Firefox.

    So my point is : if APT 4.2 would have been a nasty and even running has isolated, it would have been able to, for exemple, kill my OE and Firefox just because this 2 software where also running as isolated :(

    Thanks,
    Atomas31
     
  6. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    you shouldnt isolate your anti-malware programs period.
    also im sorry but you will have to clean up your post its too confusing. try to lay it out more, your doing the opposite to "pleonasm"
     
  7. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec

    I don't isole my anti-malware programs and I didn't write that did Io_O

    Sorry, but I don't understand your second sentence and what you mean :oops:

    Take note that english is not my native langage so I am really sorry if my english ain't clear enough!

    Thanks,
    Atomas31
     
    Last edited: Aug 2, 2009
  8. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    sorry i read that too fast and thought of application process termination as an antimalware, i think you mean advanced process termination, and yeh i think you got a valid point.
    what i meant was your posts arent easy to understand and i know thats hard for people who dont speak english as their first language.
     
  9. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec

    No problem! And yes, APT is for Advanced process termination 4.2 (from DiamondCS)...

    You are right my mistakes sorry!
     
    Last edited: Aug 2, 2009
  10. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    dont want to split hairs but isnt it advanced not "application process termination"? either way i get what you mean, your point is valid and should be looked into IMO
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Your browser is a vector for any infection. It is isolated( sandboxed) by GesWall. Malware can terminate it but can,t breakthrough the sandbox to touch your core system.

    That,s the whole point of sandboxing. Your core OS( trusted applications) will always be intact and any malware remnanats will go dormant on reboot.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What Aigle says is correct with the following remarks

    1. Policy management based HIPS like GeSWall and DefenseWall will allow you to use your browser in a normal functional way. This means that Active X or browser plug-ins can be installed, but they will never harm the integrity of your system.

    2. To get an idea of the allowed items a browser is able to 'change' go to the GW monitor and look what the settings are of your favourite browser. Specifically the registry and file items which have allowed. You can make sure that the changes made by nuisance-ware are rolled back by changing the ALLOW option with the REDIRECT option. Redirect is the virtualisation option of GW.

    GeSWall is not on my current image, so when you have questions you must include the settings for your browser in posts to get specific answers.

    Regards Kees
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, got the answer few days back. GesWall stops loading of malicious dlls in to isolated browsers. So it will not mess up. It will stop any malicious toolbar install also I guess.

    From an old mail from their support.
     
Loading...
Thread Status:
Not open for further replies.