GesWall - some news/ tests

Discussion in 'other anti-malware software' started by aigle, Mar 10, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I had requested Brian to test GW against some malware samples.

    1- Some samples of the Robodog trojan that bypass the protection of many instant recovery software products like ShadowUser, Returnil, etc.
    2- The Clean MBR tool; it destroys the MBR and makes the system unbootable, again bypassing some ISR software.
    3- Some MBR and sector editor tools.

    Robodog: I got three samples from some members; not sure if all were Robodog, but one (conimel.exe) was for sure.

    - conimel.exe
    - happy new year.exe
    - x.exe

    For conimel.exe and "Happy new year", GeSWall displayed attack notifications - see snapshots.

    Happy New Year also gave attack notifications and created an autorun.inf in c:\. See snapshots and GW log attached.

    GeSWall showed no notifications for x.exe. Logs reveal its activity in sending messages in order to conduct shatter attacks.

    Clean MBR Tool:

    GeSWall displays a notification, and then the tool failed (crashed). See snapshot.

    MBR and Sector Editor tools:

    It was not possible to open a disk or volume with the tools.

    Sandboxie has an option that nothing inside the sandbox can access the internet except if allowed by specific rules. Such a feature is there in GW, and rules can be made about this.

    http://www.gentlesecurity.com/blog/index.php/2008/02/03/blocking-network-access

    Now, what's new. They plan to release a bug-fixing update as 2.7.x or 2.8, and that would be the last release with the current engine. The next version, 3.0, would be driven by new code, compatible with x64. It is expected later this year. USB storage handling is a part of 3.0.

    conimel exe.JPG
    happy new year.JPG
    CleanMBR.JPG
     

    Attached Files:

    Last edited: Mar 10, 2008
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Very nice and an expected outcome :)
     
  3. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Thank you aigle, nice tests and very valuable info.

    Regards,

    MaB
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I just hope that they can release the new engine.

    2.7, though, might be enough for solid protection.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I second and third the thanks, aigle.

    It is nice to see renewed interest in GeSWall again, and new improvements certainly go a long way in making users do a double take and reconsider.

    All Sandboxes are IMO extremely beneficial, so looks like the race is back on with these useful apps again.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, all of you.

    Actually the policy-based sandboxes are my favourite, and there are not too many - GW and DW only, I think.

    EQSecure's sandbox is unique, as I think you will be able to modify its rules as you like (full virtualization or just policy-based), but there seems to be no way to add exception rules for sandboxed applications to make their use smoother while inside the sandbox.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    SafeSpace is a hybrid between a policy-based and a virtualization-based sandbox. GW virtualizes few things (access to system files and some parts of the registry) and DW virtualizes even less.
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Agreed! Isolating anything that is potentially risky is a great idea.

    aigle,

    Thanks and nice work! It's always interesting seeing a security app. put to the test.
     
  9. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Aigle,

    Once again I am most impressed with your testing,
    and thanks for posting your results.

    Wake
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, the testing was not done by me, I just posted it.
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    GeSWall is definitely an excellent app. :thumb:
    Happy with Sandboxie but really liked GeSWall while it was on my box. :D
    Too bad they didn't get along; I know that would be sandboxing a sandbox. :rolleyes:
     
  12. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    I did not know that SBIE and GeSWall do not get along well.

    If you like the idea of sandboxing a sandbox, perhaps you could consider putting SBIE in DW. :)
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    It's great that users' security environment is now much more expanded, thanks in large part to these types of apps combined with others.

    I accepted long ago that the layered approach proves very beneficial against potential forced intrusions to sabotage users' Windows machines, as well as making it more unlikely to resort to the need for a backup image.

    So this is some good news, but I also agree that compatibility with other "like" apps is nice and they should be made compatible, in the event that some users make a practice of running a sandbox inside another one.

    Right now I have at least one combo that is pretty much iron-clad. There are of course others. I'd like to implement GeSWall also if possible, because I found it ran well before but haven't bothered with it since then; that was several versions ago, I think.

    So yeah, if you think running a sandbox in a sandbox is extreme, this is one of my favorite setups that I enjoy, where all apps co-exist without problems, performance/memory hits, or issues.

    FD-ISR snapshot covered by virtualization with Returnil/Power Shadow Master + EQS (HIPS)/DefenseWall + SandboxIE.

    I'd like to expand into implementing GeSWall if it continues to improve.
     
  14. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Thanks for the test results, aigle! GeSWall is a rock-solid app that uses almost nothing in the way of resources. I only hope GeSWall stays this "lite" forever :D
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. Nice to see you, zopzop. :)
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Yes, unfortunately they do not. Sandboxie will not start with GeSWall protection on. I can turn GeSWall to the low setting to get Sandboxie started, but if GeSWall is then put on the medium or high security setting IE crashes.
    I have not tried it with Firefox, which is what I'm trying now; hmmmm, maybe I'll give that a shot and see how it goes. Did try DW but that did not work well on my box.

    EDIT: Yep, GeSWall and Sandboxie, not a good combo. Thank you Rollback Rx, saved my a** again. :D
     
    Last edited: Mar 13, 2008
  17. greenhorn113

    greenhorn113 Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    149
    Location:
    England
    I am new to GeSWall, only installed the 15-day trial tonight, but if I understand its functions, in theory limited other software is required, although I currently prefer the layered approach. I am currently assuming that having a real-time antivirus/antispyware and a firewall/HIPS should suffice, in my case Antivir Premium and OA paid, also Returnil when surfing.

    Clarification by a more knowledgeable user would be appreciated, but I am trying to reduce my security software to a minimum.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Not sure what kind of clarification you're looking for, but if this gives you confidence, I'll tell you that GeSWall free (and a firewall) is my only real-time security software.
     
  19. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Yeah, that only, but what if GeSWall fails, not having a layer behind to catch it if it happens, and an on-demand scan is too late. So you are at the mercy of your foes, bad idea!!

    But sure, I know you did it on purpose, and I guess there is nothing short on knowledge at your end. ;)
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm close to moving to LUA + SRP, so if some malware manages to bypass GeSWall, it won't execute. Before GeSWall (in the chain of events), I have Firefox + NoScript, which keep me far away from remote code execution.
    If something breaches FF/NS, GW and LUA/SRP, integrity checking (which only takes a few minutes) will catch any intrusion and I will restore a clean image to clean the system partition and the data partition will be restored from backups.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GeSWall will stop anything coming from entry points like browsers, messengers, etc. effectively (more than a HIPS, AV, AS, etc.).

    The only problem is what the user executes themselves and the executables coming from resources that are marked trusted, like USB sticks, your trusted downloads, etc. One needs to cover these areas also.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    * Disable autorun and don't trust the content of a removable drive until you check it meticulously.
    ** Common sense (download from the author's website, do some research before installing, gather users' opinions, etc.), VirusTotal/Jotti, online sandbox, checking of hashes/digital signatures (if available), running in a VM first, EULAlyzer, etc.
     
  23. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I know, but the question was, if GeSWall fails.

    From Lucas' explanation I see that he already added a smart defence, as was expected.
     
  24. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    In Resources you can create rules to mark external devices as Threat Gates.
    The resource rule to be used is:

    Identity: \Device\XXX
    Type: File
    Class: Threat Gates

    XXX depends on the number of harddisks and the number of CD/DVD player/writers you have on your machine, as follows.

    If you have for example two harddrives, then for the first harddrive XXX = Harddisk0 and for the second harddrive XXX = Harddisk1.
    In this case, for the first USB-stick you put in a USB-port of your machine XXX = Harddisk2, for the second USB-stick XXX = Harddisk3, etc.

    The same holds for CD/DVD player/writers. If you have a single CD/DVD player/writer XXX = CdRom0.
    Some USB sticks have U3 system on it. For the first U3 system part XXX = CdRom1 (use the same numbering scheme as for Harddisk).
    You can also cover all CD/DVD player/writers and U3 system parts of USB-sticks in one rule using XXX = CdRom

    Furthermore, I use Virtual CD-ROM Control Panel v2.0.1.1 (from MS) to mount iso files as virtual CD-ROM. This one can be marked as Threat Gate using XXX = VirtualCdRom

    For network shares you use XXX = LanmanRedirector.
     
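    As an added example (not from the thread and not GeSWall's own tooling), the PowerShell script below works out the Harddisk number for the Threat Gate rule Henk1956 describes instead of counting drives by hand. It uses the WMI classes Win32_DiskDrive, Win32_DiskDriveToDiskPartition and Win32_LogicalDiskToPartition, and rests on one assumption: that \\.\PHYSICALDRIVE<n> (whose <n> is Win32_DiskDrive.Index) is the user-mode alias of \Device\Harddisk<n>, so the Index is the XXX in the rule. The function name Get-GeswallThreatGateRules is mine; the printed Identity/Type/Class lines are the three fields from the post.

```powershell
# Added example, not part of the thread or of GeSWall.
# Assumption: \\.\PHYSICALDRIVE<n> aliases \Device\Harddisk<n>, so
# Win32_DiskDrive.Index is the <n> to put in the GeSWall Identity field.
# Run in an elevated PowerShell on the machine where the rule will be used.

function Get-GeswallThreatGateRules {
    param(
        # Interface types to mark as Threat Gates; USB sticks by default.
        [string[]]$InterfaceTypes = @('USB')
    )

    $rules = @()
    foreach ($disk in Get-WmiObject -Class Win32_DiskDrive) {
        if ($InterfaceTypes -notcontains $disk.InterfaceType) { continue }

        # Walk disk -> partition -> logical disk to recover drive letters,
        # only so the operator can confirm which stick the rule targets.
        # WQL string literals need backslashes doubled.
        $escapedId = $disk.DeviceID.Replace('\', '\\')
        $letters   = @()
        $partQuery = "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$escapedId'} " +
                     "WHERE AssocClass = Win32_DiskDriveToDiskPartition"
        foreach ($part in Get-WmiObject -Query $partQuery) {
            $ldQuery = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} " +
                       "WHERE AssocClass = Win32_LogicalDiskToPartition"
            foreach ($ld in Get-WmiObject -Query $ldQuery) {
                $letters += $ld.DeviceID
            }
        }

        $rules += [pscustomobject]@{
            Identity  = "\Device\Harddisk$($disk.Index)"   # the XXX from the post
            Type      = 'File'
            Class     = 'Threat Gates'
            Model     = $disk.Model
            Interface = $disk.InterfaceType
            Drives    = ($letters -join ', ')
        }
    }
    return $rules
}

# Print each rule in the three-line form used in the post, with the model and
# drive letters alongside so it can be cross-checked before being entered in
# GeSWall's Resources dialog.
foreach ($r in Get-GeswallThreatGateRules) {
    "Identity: $($r.Identity)   # $($r.Model) ($($r.Interface); $($r.Drives))"
    "Type: $($r.Type)"
    "Class: $($r.Class)"
    ""
}
```

    Because the Harddisk number is assigned in enumeration order, as the post notes, re-run the script after adding or removing fixed disks or after plugging sticks in a different order; CD/DVD drives and U3 partitions are not covered here, for which the post's single \Device\CdRom rule is the simpler option.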
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It will not work for flash sticks as they are FAT.
     