GesWall and custom rules

Discussion in 'other anti-malware software' started by aigle, Jul 19, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I guess there are quite a few users of GesWall here. I wonder how many of them use custom rules in the GesWall console.

    I just tried a few custom made rules and found it interesting. So I want to share these (if more users are inclined towards custom made rules, that might lead to the development of more options in the GesWall console, as this product is under active development). That is basically the sole purpose of this thread.
    To create new rules in GW, open the GW console and in the left hand column right click Resources > Add Resource, and a popup menu will open where you can specify the type of rule (Security Class - means confidential folder, untrusted file/application/folder, etc). Specify the type of resource (file or device etc) and finally specify the path to that file/folder. Here are some examples that I tried.

    1- Confidential folder: You can mark any folder confidential in GW. Isolated applications will have no access to these folders. By default GW makes a folder in My Documents with the name "Confidential". I renamed it to "Booklet" and edited the rule for it accordingly.
    When you try to access this confidential folder "Booklet" via IE, GW gives a warning popup that IE is trying to access a confidential folder; if you deny access, IE can't access this folder anymore and there is no more warning popup for the rest of the session. You will only get this popup again if you repeat the same procedure with a new IE session. So one popup per session.

    confidential folder1.jpg
    confidential folder 2.jpg
    confidential folder3.jpg
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    2- Deny write to any folder/partition (Deny Create): You can specify folders or HD partitions etc where isolated applications can't write and so can't create any files/applications etc. I made all my non-system partitions Deny Create, and when I try to save any file on these partitions via isolated IE, IE is denied access to the non-system partitions. Similarly I made the Windows directory on my C drive Deny Create, so all isolated applications, browsers etc are not allowed to write/modify any file in the Windows directory. By default GW denies any file creation by isolated applications in the Windows startup directory.

    This gives very good protection if some drive-by download via IE tries to add itself to the Windows startup directory or Windows directory or System32 folder.
     

    Attached Files:

  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    3- You can mark any folder untrusted and all applications/files in this folder (present at the moment or added later) will be marked untrusted (Jailed) automatically (Jailed Application - an application that has no permissions by default and may access only explicitly granted resources).
     

    Attached Files:

  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    4- You can mark your CDRom as ThreatGate; it will mark your CD/DVD as a source of untrusted (isolated) files. This means everything you start from CD/DVD will be automatically isolated and will not infect your system (including RootKits). (This feature is not working in the current version of GW but it was working in a previous version and I have notified GW support, hoping it will be fixed in the next version. It is working in the latest non-public beta of GW).

    I copied IceSword files on a CD and added an autorun file for it. On CD autoplay, IceSword failed to load its driver and could not initialize.
    5- Exactly in the same way you can mark any folder on your hard disk as ThreatGate and all applications/files from it will launch isolated.

    CD isolation1.jpg
    CD isolation2.jpg
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    6- You can mark your CDRom and any folder on your Hard Disk as untrusted (jailed) in the same way (choose security class as 'Untrusted'). No application will be allowed to execute from this folder or CD Rom.

    5- Finally you can stop execution of any application on your system by putting it in jailed applications in the GW console. Yes, one fix for the annoying Antivir nag popup is here as well. Put avnotify.exe as a jailed application and you will not get any popup during Antivir's update. I have tested this with an older version of GW and I didn't even get any error message about avnotify.exe not initializing properly, but can't say about the latest version. (BTW I hope it doesn't violate Antivir's EULA, so I described it here. Please let me know if my thinking is wrong).
     

    Attached Files:
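As an added example (not GesWall's code and not from this thread), here is a small Python model of the rule classes described in the posts above (Confidential, Deny Create, ThreatGate, Untrusted folder, Jailed application), so the precedence between them can be checked. All paths are constructed; the avnotify.exe case is the one from the post above.

```python
# Constructed model of the GesWall resource classes described in the thread.
# Illustrative only: semantics are taken from the posts, not from the product.
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Policy:
    confidential: list = field(default_factory=list)  # isolated apps: no access at all
    deny_create: list = field(default_factory=list)   # isolated apps: no write/create
    threatgate: list = field(default_factory=list)    # launched from here -> isolated
    untrusted: list = field(default_factory=list)     # nothing executes from here
    jailed: list = field(default_factory=list)        # exe names that never run by default


def _under(path, roots):
    """True if path equals one of roots or lies below it (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    return any(p == PureWindowsPath(r.lower()) or PureWindowsPath(r.lower()) in p.parents
               for r in roots)


def launch_state(policy, exe_path):
    """Return 'blocked', 'isolated' or 'trusted' for an application launch.
    Jailed/untrusted checks come first: a jailed app has no permissions by default."""
    name = PureWindowsPath(exe_path).name.lower()
    if name in (j.lower() for j in policy.jailed) or _under(exe_path, policy.untrusted):
        return "blocked"
    if _under(exe_path, policy.threatgate):
        return "isolated"
    return "trusted"


def file_access(policy, app_state, path, op):
    """op is 'read' or 'write'. Trusted apps are unrestricted; isolated apps lose
    access to confidential folders and cannot write into deny-create locations."""
    if app_state != "isolated":
        return True
    if _under(path, policy.confidential):
        return False
    if op == "write" and _under(path, policy.deny_create):
        return False
    return True


# Constructed policy mirroring the thread's examples (paths are made up).
EXAMPLE = Policy(
    confidential=[r"C:\Documents and Settings\me\My Documents\Booklet"],
    deny_create=["D:\\", r"C:\Windows"],
    threatgate=["E:\\"],                      # the CD/DVD drive
    untrusted=[r"C:\Downloads\untrusted"],
    jailed=["avnotify.exe"],
)
```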

  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    excellent post aigle. the only custom rules i set for geswall are the cdrom one and making "my documents" confidential. this is a nice "how to" for new users (and people like me who are forgetful :) ).

    @lucy85

    LOL geswall is the gift that keeps on giving :)

    i freaking love this program. i don't even recall how i came upon it but, am i ever glad that i did!
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    A couple of off topic posts removed. Advocating means to bypass shareware program limitations by whatever means is not what these forums are about and violates the Terms Of Service for using these forums.
     
  8. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    thanks a lot for this thread aigle. i am new to geswall and this thread really helped me out...
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    @Zopzop, theshadow, Thanks for your input.
     
  10. Yoda1953

    Yoda1953 Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    162
    Location:
    Netherlands
    Thanks Aigle,

    Just what I was looking for! :D
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Aigle,

    Nice post. What I like about GW is that you can define confidential folders with exceptions per untrusted application. For ease of backup I have moved the Outlook Express folder to My Documents (as a subdirectory). Personal directories are set to confidential, with the exception of the folder containing the OE messages/contact book, only for OE.

    Other sandboxes also allow confidential folders, but provide it as a switch for all programs. This reduces the usability because e-mail is an untrusted application, but needs to access the messages received.

    Another nice trick which a lot of sandboxes offer is to define the shared directories (for P2P) as untrusted (and also the incomplete folder of LimeWire).

    Regards
     
  12. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    for free or pro version?
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry Korb,

    I was referring to the Pro version.

    Regards Kees
     
  14. ShadeGTR

    ShadeGTR Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    4
    I was wondering about how to go about setting up programs with "jailed" status.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    In my limited experience, the application marked as jailed will not execute unless permitted by specific rules. I think you might totally control an application via specific rules for it this way, but it might need a lot of work. I used it to stop avnotify.exe in Antivir PE Classic.
     
  16. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    How could i miss this thread ?

    Great work aigle :thumb: a very informative post
    I don't know why this kind of post is not pinned in the (nearly dead) Gentle Security forum :cautious:

    May be my words are a little harsh ?

    Thanks aigle

    Regards,

    MaB
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It was long ago MaB69. I will consider to post it there if their forums become alive again.

    Thanks
     