GesWall and DefenceWall Bypass?

Discussion in 'other anti-malware software' started by aigle, Feb 27, 2010.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I was offered this rouge installer to test by a forum member. I tested it on Win 7 Home Premium 32 bit in Vbox.

    It,s very interesting. It installs itself without any UAC prompt and opens a fake action centre window.

    There is a partial bypass when I tried it inside GesWall and DefenceWall latest beta as untrsuted. As long as malware is running, it will not let you open the original Action Centre window. Rather it will open a fake Action Centre window.

    It,s not a big issue in practice as a system reboot or killing malware via GesWall/ DefnceWall will cure the problem but it,s important in a way that Action centre window is part of explorer.exe( I guess).m Explorer.exe is trusted in Geswall and DefenceWall and should not be affected by an untrusted process.

    BTW Sandboxie was not bypassed in this aspect. :thumb:

    Capture1.JPG
    Capture2.JPG
    Capture3.JPG
     
  2. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    You did make sure rebooting removes the malware correct? I know one type of malware destroyed Defencewall on reboot,
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Cool fact about SB. I guess deny execution-approach would prevent this thing from even running in the first place. (?) :)
     
  4. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    hmmmm... a few month ago i tested geswall with some viruses. adware, a rootkit. last week i tested it it with the zeus trojan...nothing happened. a couple of days later kaspersky told me that he found zeus bot in system32. i don`t know what to say...could it be the one i tested with geswall or something else, from elsewhere.
     
  5. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Doesn't matter if the malware is running or just lying on your PC. As long as GW is watching it can't do any harm, and it will ask you if it tries to. GW doesn't remove, it blocks its actions through policy.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No, geswall stops any file creation in system32 folder by an untrusted process.
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Thanks for your report, the issue is improved with the new V3 build of DefenseWall.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... You are not sure about the origin of file. Best is to test in a VM and monitor any file creation by a HIPS. Then you can be sure.

    If you want I can test the sample.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, will try that. Is it already released?
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Just a quick note in that this rogue can use several different skins on which ever system it's installed on.

    A few screenies here and there are other skins as well.
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It's not released, but published.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks eagle buddy for testing defensewall:thumb:
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Defensewall, with Sandboxie, geswall or Shadow Defender, to my thinking is about as bulletproof as you can get on a computer.

    I usually run just DW, but if I'm going anywhere online other than the forums on which I post, I engage Sandboxie just for that extra protection, even for just checking history sites or research type places I use. These days, with what's out there, paranoia can be a good thing.
     
  14. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    ummm.......what was the UAC level....default or max ?
    properly configured SB rules
    hey jmonge.....he may be eagle eyed but he is agile...not eagle :D :D :D
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Default.
    Used default settings for all.
    Hmmm... read my nick again. :)
     
  16. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Thanks for posting this Aigle. Even with the best security measures we still have to be on our toes.

    @ jmonge......maybe Eagle is Trojam's brother.
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Wrong,

    it isn't possible to have both defense wall and sandboxie Isolating the same virus sample at the same time.
     
  18. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Yes, you're right. But properly set, one will very nicely complement the other (without taxing your pc). They won't and should not overlap together.

    btw, aigle is eagle's french name, and i thought it was thirdjam...
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    A number of posts were reported as being off-topic, (regarding messed up quoting of member names), and have been removed as requested.
     
  20. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,191
    Location:
    USA,IA
    should have went with AppGuard :argh: Just kidding :)
     
Loading...
Thread Status:
Not open for further replies.