Geswall and printing

Ok, Aigle, you really want to sell me. If I have something opened and encased in Geswall and ask it to print, it says it cant find printer. You tell me how to fix that and I will dump all I have and forever be a Geswall user. Go for it my friend.

 

sounds like normal to deny access to physical devices by default..you should look into the application rules for the program u want to print from (e.g MS word)

p.s: can't fool us again

 

Hmmm.. i don,t want you to dump any thing. And you can,t ofcourse.

I am not using a printer so can,t say anything. You need to add some custom rules as chris2busy posted already. Check the GW log, see what is being blocked and make that rules( as redirect or allow if redirect not working).

There was a thread before here about this issue.

https://www.wilderssecurity.com/showthread.php?t=207537&highlight=Geswall
https://www.wilderssecurity.com/showthread.php?t=209825&highlight=Geswall

 

ok, read all of them and nothing. In order to print I have to start a unprotected session which isnt good. Come on, how could you create something and not set up a user friendly way to print.

My offer stands because my daughters computer has to be able to use the wireless printer, and I will go with Geswall and nothing else.

You also might want to check why AntiSpamSniper for email doesnt work either. One of the best antispam programs but not with Geswall. I know Geswall is the best out there, but there are some basic functions that need simplification.

And I have already disposed of all AV and Suite licences as the reality is, there day has past if you think they will ever protect you in this day.

 

Would be nice if you could delete GW log file,try to print to reproduce failure and post the log here,maybe we can see stuff more clear.

 

Good idea.

 

After reading about your problem I hit print screen and then printed the page without any trouble.
Hugger

 

here, just cant print from anything encased in Geswall. All other is fine.

 

Hmmmm..... where is the GesWall,s log?

 

the logs are 50 pages long.

 

Ah-Ha, the Dummy found it. It would print in Windows Mail with Geswall around it but not IE7. So I compared the resources for Mail against Internet Explorer. I found that \Device\NamedPipe\Isass was not included under Internet Explorer so I created a rule for it and Damn, it printed the web page.

Ok, ok, I keep my word, but it seems that rule should be automatically created under the Web Browser section.

 

That,s good to know. From log I meanst only the log for last IE run, you can know it from timings on the log.

Anyway it,s not needed now. Seems u did not read the links I posted as I think same rule was added there by the user to make prinetr work.

BTW I am not sure if the rule should be made as Allow or just Redirect? Redirect will supposedly give more security I guess, but not sure.

 

Yep that was me. I had tried redirect at first and it seemed to work but after a reboot it no longer worked. I had to allow it.

Ice

 

Yes,that is because redirect is making it through virtualisation..probably dumps changes after a while..Is that with IE7 on vista trjam?it could be because of protected mode+GW (a total down on privileges )

 

In case of \Device\NamedPipe\Isass

LSA is the local Security Authorisation, LSASS = Local Security Administration Sub System.

Lsass.exe is a system process of the Microsoft Windows security mechanisms. It deals with local security and login policies.

Lsass.exe is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. Lsass generates the user's access token, which is used to launch the initial shell.

To give you an idea how essential it is, I show you the super shortened sequence of events of a XP log-on

Master Boot Record -> NTldr (boot strap loader) -> NTdetect(which detects hardware) ->NToskrnl (Operating System Kernel) -> Winlogon -> Lsass (displays welcome screen, users with user/password entry for credentials)

The sasser worm used LSASS for instance.

I have always been able to use redirect for NamedPipe Lsass with GeSWall.

Only problem what sometimes occured that when the printer generates a service call (e.g. calibrate colors or clean print heads), this was virtualised also. So every time you used the printer the printer was waiting for a user response which was 'drowned through the toilet' by GeSWall. Remedy for this (when printer seems to 'hang') is to disable GesWall, re-boot, re-print, answer the printer generated pop-ups and enable GeSWall again. Especially inkjet printers are vulnarable to this, because the default pop-up to all problems is a service call asking to calibrate/clean heads/ say "please buy new cartridges". To compensate income of the manifacturer for low print device price.

Cheers Kees

 

Thanks Kees, very informative.

As I know usually GesWall applies default policy to any child process of IE, so I assume if any malware is executed through IE, still it will not be able to exploit lsass as default policy for lsass is Not Allowed. It,s my guess, I can,t be sure though. What do u think?

Thanks

 

With Vista on my computer, it will hold the redirect setting on reboot but will not print. Same message. It has to be set to allow to work.

 

Also with Windows Mail the default setting is allow.

 

What I know, it can not be exploited for sure with Not Allowed and Redirect. I really have not tried it with Allowed. There was an old thread initiated by knowledgeable chinese guy (Solcroft). He had a malware using an lssas exploit. I tested it against DefenseWall and GesWall (redirect). I do not have it any more (I do not have any malwares anymore, since I promised my wife to NOT perform self destruct tests on our home PC)

 

you dont have too kees malware will visit you any way in limewire you could get the nasties of the nasties of malware infections

 

Hmmm... can u find the thread?

Thanks

 

Not sure if this is relevant but this is how I fixed my printer woes for my Epson CS5000 printer using Geswall in a isolated IE 7 browser session:

Under Resources I changed:

\Device\NamedPipe\lsass File Trusted to
\Device\NamedPipe\lsass File System

Now the printer works perfectly. I'm not sure what this does to security for the isolated browser session but it seems things are getting redirected etc. when I browse.

Did I breach geswall's security for my ie browser sessions? Someone more experienced than me concerning this, agile, kees??

thanks
Ice

 

Hi, I am not sure. I am really not so expert to say anything here.

 

No reducing lsass to system is better than forcing an allow with printing.

Try lsass = system at resources and lsass redirect at web browser, that is even better (when it works)

 

thank you for the idea. I will try tonight and post back.

Ice