Geswall Test

Discussion in 'other anti-malware software' started by AndyXS, Mar 29, 2009.

Thread Status:
Not open for further replies.
  1. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    I have just been testing Geswall against 22 unknown malware threats. I ran each one in isolated mode, then terminated the process.

    What I am left with are several newly created files in c:\, c:\windows\system32\, c:\program files\ and 5 new registry entries into \CurrentVersion\Run\. Also, one of the executed malware apps managed to remove itself after executing.

    I was under the impression that Geswall should stop applications writing to \Run\?

    Secondly, is the a rollback feature like in DW?
     
    Last edited: Mar 29, 2009
  2. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    Hmm, Something also edited the internet settings too.
    Thats not good :(
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Andy,

    Unlike DefenseWall, which has total untrusted file control, GesWall sets a status from untrusted to trusted when it is moved or copied by a trusted source (e.g. copying with explorer from one partition to another). Also using some context menu options of for instance 7-zip, will change the unpacked files of an untristed zip-file, trusted.

    But Andy, XL, yes in stead of XS, ;) , you did a great job. I have never seen this weakness exploited by malware. A friend of mine does something in networks and security for soho and mid sized companies, occasionally I get some zero day samples of his honeypot, but they were never able to exploit this limitation of GW (caused by using NTFS internals).

    I do not complain about GW, having this limitation, only for novice users I think DW is a far better option. For skilled users GW has the advantage of a granularity, freeware version and it is a faster (because it seems to use windows internal mechanismes).

    I know it is not allowed to spread malware, but I am so curious, so could you reveal the classification or generic/family names?

    Cheers
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    GW does not have a roll back function, in stead it has a limited virtualisation funtion (use REDIRECT). This option makes all the changes in a coipy version, which is thrown away after the isolated program closes.
     
  5. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    A lot of the malware is unknown at the moment.

    The test yesterday was a complete failure for Geswall as my system was completely infected. I am going to do the test again tonight to make sure I didn't miss anything or do something wrong.

    I'll post my results later.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    make sure security level is at medium or high without pop ups:thumb:
     
  7. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    Yes, i used medium last time.
    I shall be using high this time.

    Just tested DW, passed with flying colors ;)
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool,with defensewall you can also roll back files:D delete alot of junks;)

    are you testing the free version or paid?
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Any updates for us? Especially as pertains to,
    Thanks!
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... there seems some serious flaw in the testing. I am sure. I am too busy now a days and can,t test all but I will be interested to test few of these esp the one which changed internet settings and the one which was able to create files in system32 folder and the one that was able to add some reg enteries. PM me pls.

    BTW are u using NTFS or FAT32?
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    For Rollback function, use GesWall,s untrusted files scanner and you can delete manually any files u want.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    There are two reason for GW to fail.

    First reason (see pic1), is the simple fact that GW is configured to behave this way (see for example the allowed HKEY_CURRENT_USER registry access and the added allowed file access to DRM).

    Second reason could be the lack of total untrusted file control (which DefenseWall does has).
    See pic 2. When you double click an archive and unzip the files with the 7-zip menu option. The unzip action is performed by 7-zip (green 2) and the file gets the status untrusted. When you use the context menu option (red 1), than explorer initiates this action (a trusted application) and the file gets teh status trusted (see red 1 below). Same happens when you copy a file from one partition to another.

    As said tested with a lot of POFC and some real zero day malware, but have never seen a malware using this GW weakness.

    Other reason I do not know, so Andy, please give us your test results.
     

    Attached Files:

    • gw.JPG
      gw.JPG
      File size:
      55.4 KB
      Views:
      436
    • gw2.JPG
      gw2.JPG
      File size:
      117.6 KB
      Views:
      5
  13. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    It would be a good idea to contact GeSWall support with this information. If there is indeed a serious weakness I'm sure they would want to know. You should contact them and send them samples of the malware that bypassed GW.
     
  14. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    +1

    GeSWall support are a friendly bunch. I'm quite positive that they will entertain any findings/bugs/exploits that you discover, and try to apply fixes ASAP.
     
  15. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    not sure they are so fast , actually they are dead slow, release 1 version per year ,according to site info, so dont count on them fix it "asap" better buy DEFENSEWALL HIPS which ilya fixes bugs during a 1 day top :D
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Agree that they are too slow now.

    But let me say I am almost sure that there is a testing flaw here. These type of failures are not at all expected by GW.
    @
    AndyXS
    I am waiting for samples via PM pls.
     
Loading...
Thread Status:
Not open for further replies.