GesWall and DefenceWall Bypass?

I was offered this rouge installer to test by a forum member. I tested it on Win 7 Home Premium 32 bit in Vbox.

It,s very interesting. It installs itself without any UAC prompt and opens a fake action centre window.

There is a partial bypass when I tried it inside GesWall and DefenceWall latest beta as untrsuted. As long as malware is running, it will not let you open the original Action Centre window. Rather it will open a fake Action Centre window.

It,s not a big issue in practice as a system reboot or killing malware via GesWall/ DefnceWall will cure the problem but it,s important in a way that Action centre window is part of explorer.exe( I guess).m Explorer.exe is trusted in Geswall and DefenceWall and should not be affected by an untrusted process.

BTW Sandboxie was not bypassed in this aspect.

 

You did make sure rebooting removes the malware correct? I know one type of malware destroyed Defencewall on reboot,

 

Cool fact about SB. I guess deny execution-approach would prevent this thing from even running in the first place. (?)

 

hmmmm... a few month ago i tested geswall with some viruses. adware, a rootkit. last week i tested it it with the zeus trojan...nothing happened. a couple of days later kaspersky told me that he found zeus bot in system32. i don`t know what to say...could it be the one i tested with geswall or something else, from elsewhere.

 

Doesn't matter if the malware is running or just lying on your PC. As long as GW is watching it can't do any harm, and it will ask you if it tries to. GW doesn't remove, it blocks its actions through policy.

 

No, geswall stops any file creation in system32 folder by an untrusted process.

 

Thanks for your report, the issue is improved with the new V3 build of DefenseWall.

 

Hmmm... You are not sure about the origin of file. Best is to test in a VM and monitor any file creation by a HIPS. Then you can be sure.

If you want I can test the sample.

 

Ok, will try that. Is it already released?

 

Just a quick note in that this rogue can use several different skins on which ever system it's installed on.

A few screenies here and there are other skins as well.

 

It's not released, but published.

 

thanks eagle buddy for testing defensewall

 

Defensewall, with Sandboxie, geswall or Shadow Defender, to my thinking is about as bulletproof as you can get on a computer.

I usually run just DW, but if I'm going anywhere online other than the forums on which I post, I engage Sandboxie just for that extra protection, even for just checking history sites or research type places I use. These days, with what's out there, paranoia can be a good thing.

 

ummm.......what was the UAC level....default or max ?

properly configured SB rules

hey jmonge.....he may be eagle eyed but he is agile...not eagle

 

Default.

Used default settings for all.

Hmmm... read my nick again.

 

Thanks for posting this Aigle. Even with the best security measures we still have to be on our toes.

@ jmonge......maybe Eagle is Trojam's brother.

 

Wrong,

it isn't possible to have both defense wall and sandboxie Isolating the same virus sample at the same time.

 

Yes, you're right. But properly set, one will very nicely complement the other (without taxing your pc). They won't and should not overlap together.

btw, aigle is eagle's french name, and i thought it was thirdjam...

 

should have went with AppGuard Just kidding