GeSWall and Chrome

Discussion in 'other anti-malware software' started by Kees1958, Jan 25, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear all,

    I finally got internet protection working with GeSWall (2.8.3. still dumps when testing Comodo Leak Tests running untrusted).

    Pitty the untrusted file control issue is not solved yet. But GW also has advantages.

    Currently running GeSWall in high protection, disabled all the warnings, set protection to auto terminate.

    Am using Chrome with the following extra rules (GW default rules let Chrome function properly)


    D:\ File Read Only [this is my data partition]
    D:\Downloads File Allow [this is my download directory withing Chrome]
    D:\TEMP File Allow [this is my default Temporary directory withing Windows]
    HKEY_CURRENT_USER\ Registry Redirect [virtualise all HKU keys!]
    HKEY_CURRENT_USER\Software\Google Registry Allow [to save settings]

    Other extra's
    C:\WINDOWS\system32\USB001 File Allow [to solve printing problems, beter than redirecting or allowing named pipe lssas]
    * Network Allow [to grant Chrome internet Access]

    So now I am browsing using Chrome's internal sandbox (of the rendering engine) and I am tightening access to data and registry of Chrome on top of that.

    ==> Registry is virtualised
    ==> Only file access allowed to D:\Downloads and temp directory



    GeSWall tip
    Note (this extra is provided by DefenseWall out of the box):
    - I have set my Outlook Express directories containing the (*.dbx files) emails to confidential and allowed Outlook Access full access rights
    - same for WAB (Windows Address Book)

    ==> other untrused processes are not allowed to access my e-mail and addresses


    I run this together with Avira (smart list check at write only) and Online Armor (firewall de-installed, because I am behind FW/Router, also the allow when unknow program runs disabled) in Dutch (free version). Oasrv uses a lotmore CPU compared to Malware Defender, but like the way OA dealt with latest worm (thanks to Aigle's post). EDIT, added all those HKU registr entries as confidential (plus added the last one to Outlook Express to allow), entries mentioned in https://www.wilderssecurity.com/showpost.php?p=1392138&postcount=220

    Crispy and Safe setup (with only GeSWall and Avira write check)

    Cheers
     
    Last edited: Jan 26, 2009
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... seems you have a lot of time( n knowledg) to play with all this.:thumb: :D
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well time is relative. Others spend two hours browsing the internet doing all the fun stuff (e.g. wife ordering a flight to friends). I spend those two hours busting my PC and when succesfull, looking for a different setup. I agreed with your critism on Comodo, Malware Defender sort of gave teh same message, that i swhy I looked further (so you are to blame really :eek: )

    Keep those malware test posting, I appreciate them :thumb:
     
  4. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Just a note:

    Isolated applications will not be able to change or add anything to the registry (default is that every operation with the registry is virtualised for isolated apps).

    So, the rule
    HKEY_CURRENT_USER\ Registry Redirect [virtualise all HKU keys!]
    is redundant.


    An extension to your Geswall tip for Outlook Express:
    If you want to be able to use Send Link/Page by email in IE (without giving IE access to your Inbox, etc.) add the rules noted at the last post in: http://gentlesecurity.com/board/viewtopic.php?t=256
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. I love to do that but keep such type of clever malware coming out in the wild. :D
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Henk1956 (jee wat ben jij oud van 1956 zeg :)

    I see it in the logs, HKU is virtualised, I thought GeSWall virtualised only HKLM.

    Any idea why the rule below is included in the default rules of GW?

    %ANYHKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup% Deny Create

    (all users and current user, so when it virtualises why a deny create?, that is why I thought HKLM was virrtualised only)

    Cheers Kees

    Running just GW and Avira with check at write, rediculess low system impact <after 1.5 hour browsing < 3 secs total CPU of the combined security aps, together 100MB data read, 80% of the CPU load is of Avira).
     
    Last edited: Jan 26, 2009
  7. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Hi Kees,

    If you look careful you will see that

    %ANYHKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup% Deny Create

    has type: file.

    The % signs mean that the actual folder is obtained from the registry.
     
Loading...
Thread Status:
Not open for further replies.