Geswall and printing

Discussion in 'other anti-malware software' started by trjam, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Ok, Aigle, you really want to sell me. If I have something opened and encased in Geswall and ask it to print, it says it can't find printer. You tell me how to fix that and I will dump all I have and forever be a Geswall user. Go for it my friend.
     
  2. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Sounds like normal to deny access to physical devices by default. You should look into the application rules for the program you want to print from (e.g. MS Word).

    p.s: can't fool us again :p
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Ok, read all of them and nothing. In order to print I have to start an unprotected session which isn't good. Come on, how could you create something and not set up a user friendly way to print. :thumbd:

    My offer stands because my daughter's computer has to be able to use the wireless printer, and I will go with Geswall and nothing else.

    You also might want to check why AntiSpamSniper for email doesn't work either. One of the best antispam programs but not with Geswall. I know Geswall is the best out there, but there are some basic functions that need simplification.

    And I have already disposed of all AV and Suite licences as the reality is, their day has passed if you think they will ever protect you in this day.
     
  5. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Would be nice if you could delete GW log file, try to print to reproduce failure and post the log here, maybe we can see stuff more clearly.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Good idea.
     
  7. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    After reading about your problem I hit print screen and then printed the page without any trouble.
    Hugger
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Here, just can't print from anything encased in Geswall. All other is fine.
     

    Attached Files:

  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmmm..... where is the GesWall's log?
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    the logs are 50 pages long.
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Ah-Ha, the Dummy found it. It would print in Windows Mail with Geswall around it but not IE7. So I compared the resources for Mail against Internet Explorer. I found that \Device\NamedPipe\lsass was not included under Internet Explorer so I created a rule for it and Damn, it printed the web page.

    Ok, ok, I keep my word, but it seems that rule should be automatically created under the Web Browser section.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's good to know. By log I meant only the log for last IE run, you can know it from timings on the log.

    Anyway it's not needed now. Seems u did not read the links I posted as I think same rule was added there by the user to make printer work.

    BTW I am not sure if the rule should be made as Allow or just Redirect? Redirect will supposedly give more security I guess, but not sure.
     
  13. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Yep that was me. I had tried redirect at first and it seemed to work but after a reboot it no longer worked. I had to allow it.

    Ice
     
  14. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Yes, that is because redirect is making it through virtualisation.. probably dumps changes after a while.. Is that with IE7 on Vista, trjam? It could be because of protected mode+GW (a total down on privileges :p )
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In case of \Device\NamedPipe\lsass

    LSA is the local Security Authorisation, LSASS = Local Security Administration Sub System.

    Lsass.exe is a system process of the Microsoft Windows security mechanisms. It deals with local security and login policies.

    Lsass.exe is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. Lsass generates the user's access token, which is used to launch the initial shell.

    To give you an idea how essential it is, I show you the super shortened sequence of events of an XP log-on

    Master Boot Record -> NTldr (boot strap loader) -> NTdetect (which detects hardware) -> NToskrnl (Operating System Kernel) -> Winlogon -> Lsass (displays welcome screen, users with user/password entry for credentials)

    The Sasser worm used LSASS for instance.

    I have always been able to use redirect for NamedPipe Lsass with GeSWall.

    Only problem that sometimes occurred was that when the printer generates a service call (e.g. calibrate colors or clean print heads), this was virtualised also. So every time you used the printer the printer was waiting for a user response which was 'drowned through the toilet' by GeSWall. Remedy for this (when printer seems to 'hang') is to disable GesWall, re-boot, re-print, answer the printer generated pop-ups and enable GeSWall again. Especially inkjet printers are vulnerable to this, because the default pop-up to all problems is a service call asking to calibrate/clean heads/ say "please buy new cartridges". To compensate income of the manufacturer for low print device price.

    Cheers Kees
     
    Last edited: Jan 10, 2009
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Kees, very informative.

    As I know usually GesWall applies default policy to any child process of IE, so I assume if any malware is executed through IE, still it will not be able to exploit lsass as default policy for lsass is Not Allowed. It's my guess, I can't be sure though. What do u think?

    Thanks
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    With Vista on my computer, it will hold the redirect setting on reboot but will not print. Same message. It has to be set to allow to work.
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Also with Windows Mail the default setting is allow.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What I know, it can not be exploited for sure with Not Allowed and Redirect. I really have not tried it with Allowed. There was an old thread initiated by knowledgeable Chinese guy (Solcroft). He had a malware using an lsass exploit. I tested it against DefenseWall and GesWall (redirect). I do not have it any more (I do not have any malwares anymore, since I promised my wife :oops: to NOT perform self destruct tests on our home PC)
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    You don't have to, Kees :D malware will visit you :) Anyway in limewire you could get the nasties of the nasties of malware infections :D
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... can u find the thread?

    Thanks
     
  22. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Not sure if this is relevant but this is how I fixed my printer woes for my Epson CS5000 printer using Geswall in an isolated IE 7 browser session:

    Under Resources I changed:

    \Device\NamedPipe\lsass File Trusted to
    \Device\NamedPipe\lsass File System

    Now the printer works perfectly. I'm not sure what this does to security for the isolated browser session but it seems things are getting redirected etc. when I browse.

    Did I breach geswall's security for my ie browser sessions? Someone more experienced than me concerning this, aigle, kees??

    thanks
    Ice
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I am not sure. I am really not so expert to say anything here.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, reducing lsass to system is better than forcing an allow with printing.

    Try lsass = system at resources and lsass redirect at web browser, that is even better (when it works).
     
  25. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    thank you for the idea. I will try tonight and post back.

    Ice
     