Geswall Test

I have just been testing Geswall against 22 unknown malware threats. I ran each one in isolated mode, then terminated the process.

What I am left with are several newly created files in c:\, c:\windows\system32\, c:\program files\ and 5 new registry entries into \CurrentVersion\Run\. Also, one of the executed malware apps managed to remove itself after executing.

I was under the impression that Geswall should stop applications writing to \Run\?

Secondly, is the a rollback feature like in DW?

 

Hmm, Something also edited the internet settings too.
Thats not good

 

Andy,

Unlike DefenseWall, which has total untrusted file control, GesWall sets a status from untrusted to trusted when it is moved or copied by a trusted source (e.g. copying with explorer from one partition to another). Also using some context menu options of for instance 7-zip, will change the unpacked files of an untristed zip-file, trusted.

But Andy, XL, yes in stead of XS, , you did a great job. I have never seen this weakness exploited by malware. A friend of mine does something in networks and security for soho and mid sized companies, occasionally I get some zero day samples of his honeypot, but they were never able to exploit this limitation of GW (caused by using NTFS internals).

I do not complain about GW, having this limitation, only for novice users I think DW is a far better option. For skilled users GW has the advantage of a granularity, freeware version and it is a faster (because it seems to use windows internal mechanismes).

I know it is not allowed to spread malware, but I am so curious, so could you reveal the classification or generic/family names?

Cheers

 

GW does not have a roll back function, in stead it has a limited virtualisation funtion (use REDIRECT). This option makes all the changes in a coipy version, which is thrown away after the isolated program closes.

 

A lot of the malware is unknown at the moment.

The test yesterday was a complete failure for Geswall as my system was completely infected. I am going to do the test again tonight to make sure I didn't miss anything or do something wrong.

I'll post my results later.

 

make sure security level is at medium or high without pop ups

 

Yes, i used medium last time.
I shall be using high this time.

Just tested DW, passed with flying colors

 

cool,with defensewall you can also roll back files delete alot of junks

are you testing the free version or paid?

 

Any updates for us? Especially as pertains to,

Thanks!

 

Hmmm... there seems some serious flaw in the testing. I am sure. I am too busy now a days and can,t test all but I will be interested to test few of these esp the one which changed internet settings and the one which was able to create files in system32 folder and the one that was able to add some reg enteries. PM me pls.

BTW are u using NTFS or FAT32?

 

For Rollback function, use GesWall,s untrusted files scanner and you can delete manually any files u want.

 

There are two reason for GW to fail.

First reason (see pic1), is the simple fact that GW is configured to behave this way (see for example the allowed HKEY_CURRENT_USER registry access and the added allowed file access to DRM).

Second reason could be the lack of total untrusted file control (which DefenseWall does has).
See pic 2. When you double click an archive and unzip the files with the 7-zip menu option. The unzip action is performed by 7-zip (green 2) and the file gets the status untrusted. When you use the context menu option (red 1), than explorer initiates this action (a trusted application) and the file gets teh status trusted (see red 1 below). Same happens when you copy a file from one partition to another.

As said tested with a lot of POFC and some real zero day malware, but have never seen a malware using this GW weakness.

Other reason I do not know, so Andy, please give us your test results.

 

It would be a good idea to contact GeSWall support with this information. If there is indeed a serious weakness I'm sure they would want to know. You should contact them and send them samples of the malware that bypassed GW.

 

+1

GeSWall support are a friendly bunch. I'm quite positive that they will entertain any findings/bugs/exploits that you discover, and try to apply fixes ASAP.

 

not sure they are so fast , actually they are dead slow, release 1 version per year ,according to site info, so dont count on them fix it "asap" better buy DEFENSEWALL HIPS which ilya fixes bugs during a 1 day top

 

Agree that they are too slow now.

But let me say I am almost sure that there is a testing flaw here. These type of failures are not at all expected by GW.
@
AndyXS I am waiting for samples via PM pls.