GeSWall v2.1

Discussion in 'other anti-malware software' started by AvianFlux, Nov 30, 2005.

Thread Status:
Not open for further replies.
  1. devilish

    devilish Guest

    GESwall looks like a simplified Coreforce/tiny firewall to me, allowing you to limit applications so that they can read/write only particular files/registries etc.

    Like coreforce it has downloadable settings for popular applications which you can share and download.

    In theory, you can create very safe setups by allowing file and registry access only when necessary for the specific application and disallowing all else. With the right rules you can even simulate a limited user account, I suspect.

    The default ruleset is pretty loose though.

    I played with it a bit. Looks okay. A bit rough around the edges; for example, right-clicking on the icon does not give access to the console settings. Makes changing settings difficult.

    It is lighter than bufferzone IMHO.

    I think though we can differentiate Coreforce/GESwall/Tiny from Bufferzone/Greenborder/Sandboxie/Defensewall.

    The first group allows 'per application restrictions'. You can deny read access to c:\certainfolder for IE, while allowing access for firefox. Of course, if you don't want to be so specific, there is always the default restriction rules (which are themselves changable) when something is 'isolated'.

    ***********************************************

    There are also other restrictions such as injection attacks, hooking, kernel drivers etc which may not have much to do with file/registry control, but for obvious reasons, I think Bufferzone, GESwall, Defensewall, etc have all restricted them when a file is "in the bufferzone"/"isolated"/"untrusted" etc

    This seems to be standard for sandboxes.
    ************************************************

    The second group just splits all application into 2 groups (trusted versus untrusted) and all untrusted programs are equally restricted.

    E.g. while you can set folders in bufferzone to be "confidential" or "trusted" to restrict read/modify etc. just like GESWALL/Coreforce/Tiny, you cannot set it on a per-application basis.

    If you set c:\mysecrets to 'confidential', all programs in the bufferzone cannot read it. GESwall however allows more granular control. Maybe you want to allow your password manager to access c:\mysecrets, but nothing else can read it. No problem, GESwall/coreforce etc. allow it with the specific rules.


    Bufferzone's main strength over coreforce/Geswall, I think, is that it tracks changes made to the registry and file areas by programs in the BZ. This allows you to blow away changes made by such programs if necessary. So for example if your browser got infected, you can restore it to its original state by resetting the BZ.

    Sandboxie, is similar.

    It can even be used for testing stuff. Some shareware programs like to stick registry keys in your computer (which are not removed when uninstalled), so they can keep track of the fact that you tried them before. This is pretty irritating if you don't like such stuff lying around. Some people try to use stuff like Total Uninstall, which compares changes before and after a software is installed, in hopes of keeping the system clean in case the uninstaller fouls up.

    But this method does not work, because most shareware sticks registry keys in only after the nth start (as opposed to during the install), so Total Uninstall doesn't see that change. But with BZ there is no problem, ALL CHANGES are tracked.

    I haven't tried Defensewall yet, but I think it's closer to the BZ side of things, with 2 groups "trusted" and "non-trusted", except without the tracking-changes thingie of Sandboxie and Bufferzone.


    Conclusion o_O

    GESwall/Core Force/Tiny Firewall etc. are like MS Windows XP's Software Restriction Policy on steroids. If you are one of those geeky people who like to tweak, control and lay out exactly what resources each app can access, this is a dream.

    For most people though, I think they will just use whatever the default restrictions are, and specialised rulesets if they are made available by others. In effect they will be just using 2 groups, trusted/untrusted, exactly like Defensewall/bufferzone etc.

    Sandboxie/Bufferzone, as stated, have a built-in insurance policy of allowing you to revert changes, because all changes made by programs in the BZ are 'virtual'. This can be very, very useful of course if you make a mistake.

    Of course, these solutions tend to be 'heavier' in my experience.
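The tracking-and-revert behaviour described in the post above, as an added illustration (not code from BufferZone, Sandboxie or any other product named in this thread): a toy copy-on-write overlay over a dict standing in for the registry, next to the before/after snapshot diff that a Total Uninstall-style tool relies on. The shareware behaviour, key names and values are constructed for the example.

```python
"""Added example: copy-on-write overlay ("buffer zone") versus snapshot diffing.
Not code from any product in the thread; the 'registry' is a dict and the
shareware program, key names and values are constructed."""


class Registry:
    """Stand-in for the real registry: a flat mapping of key -> value."""
    def __init__(self, data=None):
        self.data = dict(data or {})

    def read(self, key):
        return self.data.get(key)

    def write(self, key, value):
        self.data[key] = value

    def snapshot(self):
        return dict(self.data)


def snapshot_diff(before, after):
    """Before/after comparison: only sees writes made between the two snapshots."""
    return {
        "added": {k: v for k, v in after.items() if k not in before},
        "removed": [k for k in before if k not in after],
        "changed": {k: (before[k], after[k]) for k in before
                    if k in after and before[k] != after[k]},
    }


class BufferZone:
    """Copy-on-write overlay: reads fall through to the host, writes land in the
    overlay. reset() drops the overlay, reverting everything the isolated
    program ever wrote, no matter when it wrote it."""
    _DELETED = object()

    def __init__(self, host):
        self.host = host
        self.overlay = {}

    def read(self, key):
        if key in self.overlay:
            value = self.overlay[key]
            return None if value is self._DELETED else value
        return self.host.read(key)

    def write(self, key, value):
        self.overlay[key] = value

    def delete(self, key):
        self.overlay[key] = self._DELETED   # tombstone: hides the host value

    def changes(self):
        """Every change the isolated program made, regardless of timing."""
        return {k: ("<deleted>" if v is self._DELETED else v)
                for k, v in self.overlay.items()}

    def reset(self):
        self.overlay.clear()


INSTALL_KEY = r"HKCU\Software\TrialApp\InstallDir"                 # constructed
MARKER_KEY = r"HKCU\Software\Microsoft\Windows\TrialAppMarker"     # constructed


def shareware(store, start_number):
    """Constructed program: writes its install key when installed (start 0)
    and a hidden 'already tried this' marker only on its third start."""
    if start_number == 0:
        store.write(INSTALL_KEY, r"C:\Program Files\TrialApp")
    if start_number == 3:
        store.write(MARKER_KEY, "trial-used")


def snapshot_tool_misses_late_write():
    """Install, diff, then start three more times: the marker never shows up
    in the diff but is sitting in the registry. Returns (seen_in_diff, present)."""
    reg = Registry({r"HKLM\Software\Existing": 1})
    before = reg.snapshot()
    shareware(reg, 0)
    diff = snapshot_diff(before, reg.snapshot())
    for n in (1, 2, 3):
        shareware(reg, n)
    return MARKER_KEY in diff["added"], MARKER_KEY in reg.data


def bufferzone_tracks_and_reverts():
    """Same program run inside the overlay: both writes are tracked, the host
    is never touched, and reset() leaves no trace."""
    reg = Registry({r"HKLM\Software\Existing": 1})
    pristine = reg.snapshot()
    bz = BufferZone(reg)
    for n in (0, 1, 2, 3):
        shareware(bz, n)
    tracked = sorted(bz.changes())
    host_untouched = reg.snapshot() == pristine
    bz.reset()
    return tracked, host_untouched, bz.read(MARKER_KEY) is None


if __name__ == "__main__":
    print("snapshot diff saw marker / marker present:", snapshot_tool_misses_late_write())
    print("tracked / host untouched / gone after reset:", bufferzone_tracks_and_reverts())
```

The snapshot approach can only ever compare two points in time, so a write that happens on the third start falls outside its window; the overlay interposes on every write, which is why it catches the late marker and can discard it. The real products hook the kernel to do this redirection; the overlay here only models the policy, not the hooking.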
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, there are two major classes of HIPS applications: application firewall and sandbox. An application firewall allows you to use your own ruleset for each application (but first you need to create it yourself!); a sandbox splits all the processes into 2 groups (trusted and untrusted) and uses built-in restrictions for the untrusted process group. GesWall is an application firewall with some movement towards the sandbox ideology (isolated apps) to decrease the number of popup windows, but it is still an application firewall. An application firewall is, mostly, not for average users, because it requires a lot of technical knowledge.

    As for sandbox HIPS, they are very similar in action; some of them are simple to use, some are not simple at all. The only difference between them is registry/file system virtualization. In some cases it is very useful (as devilish has already described), but, mostly, it is a problem for the average users who have added a bookmark (or saved a file from the Internet), emptied the virtual file zone and then cannot find it!
     
    Last edited: Jan 11, 2006
  3. devilish

    devilish Guest

    yes you are right. Application firewall versus sandbox.

    Stuff like Processguard,regdefend,SSM,Prevx1,online armor,etc etc would be application firewalls.

    You have different policies for each app, e.g you allow program x to terminate other processes, but not program y.

    Sandboxes would divide apps into 2, trust versus untrusted. And monitors only untrusted. As you said this reduces popups by focusing only on the untrusted stuff. Stuff like BZ and defensewall don't even show popups, because dangerous stuff just shouldn't be allowed!

    Bufferzone and Defensewall would be definitely Sandbox.


    Of course the question becomes would someone using an application firewall benefit from using a sandbox (as definied like that)?
     
  4. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    I believe so, yes. When I run an application in a sandbox, I'm already beyond the application firewall - ie. I am the application firewall... and so at that point I'll take what help I can get.
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It depends on the person. Somebody like to control all at their computers. They think that security==control. Application firewalls just for them. But, most people don't want to control anything, they just need to be secured while the are surfing porn sites. Sandboxes just for them!

    So, different people- different types of the security applications.
     
  6. surferking

    surferking Guest

    Lol, you sound like a man with some experience. ;) :D
     
  7. richard_rd

    richard_rd Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    6
    For those of you that don't know, Ilya is the creator of DefenseWall. I have been using DW for the past week and really like its simplicity. Ilya is a very clever programmer and was able to break through BufferZone's protection in 5 minutes and claim their reward!

    PS - Note to self, quit spending so much time visiting porn sites now just because it is safe to do with DW running!! :) :p :)
     
  8. TheAnalyzer

    TheAnalyzer Guest

    I have a question about the license of GeSWall.
    It is Free but i heard it is only valid for one year.
    Is this so ? and why?
    Thank you
    TA
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,766
    Hi,
    The concept is nice, but:
    Accessing the console through folder is not smart. The user should not go to the root folder and touch the files. A right-click option should be available.
    There is no way to close the application.
    What about a right-click - > exit?
    I managed to close the application using Task Manager, killing processes? In that aspect, why doesn't the application protect itself?
    Tried to restart it -> no option in the Start Menu. Only access to Console. The user has to access the folder and click gswui.exe (or so) to start the application again.
    Uninstall via Add Remove only.
    What about Windows Updates?

    Suggestions:
    Allow start application / console via Start Menu.
    Allow termination via systray (with password if needed to prevent mistakes, but still some sort of option for user to close the application - like for Windows updates - this could kill two birds with one stone).
    Prevent termination via kill process.
    Allow Windows Update with the application ON - or a convenient way to switch to full write and access mode (like closing the application with right-click).
    Add uninstall in the Start menu.
    Add password or strong warnings for tampering with processes and keys. The options are definitely not for average users - and yet everyone can access the console and play with options.

    Cheers,
    Mrk
     
  10. devilish

    devilish Guest

    I don't understand. Are you arguing the following?

    I suppose if you do choose to run a sandbox, you are right in that the application firewall probably becomes irrelevant, because it usually cannot see what's happening in the sandbox (it will have to give privileges to the sandbox). But surely this doesn't mean you need a sandbox o_O

    Well, but if my application firewall 'sandboxes' the whole system, treating each and every app as potentially dangerous, there seems little point in using a separate sandbox.

    E.g. when programs run in the bufferzone (BZ), are 'isolated' (GESwall), or are 'untrusted' (Defensewall) they can't install drivers. But if I run say PG, appdefend etc. etc., no program can do that anyway, unless I allow them. The net effect is the same.

    Of course, the advantage of a sandbox is that you can concentrate on only potentially dangerous apps, and focus your energies (comp resources, human resources) on watching only what is most likely going to be important.

    Again I'm in love with the bufferzone/sandboxie concept of tracking changes and reversing them if necessary. I suppose it's kind of like the shadowuser thingie but focused only on a subset of stuff.
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Those are some good points, Devilish. The application firewall is controlling it anyway, so why sandboxing? I can't answer that. I guess if you really want to feel secure and you don't have that feeling already, everybody will do what he can just to get this feeling... installing a sandbox or whatever on top of this application firewall.

    My motto: add enough layers till you feel secure/protected :p j/k, but sometimes it comes down to that imho.
     
  12. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    I'm saying whether or not I'm running an app firewall, it is ultimately me who decides to run a program or not. That being said it's nice to be able to let them play in a sandbox for a while to see if they behave :)
     
  13. Well, I've been following the "Blue plan" with regards to software security, which consists of

    1) Antivirus E.g Bitdefender, KAV, NOD32
    2) Memory scanner (AT usually) E.g Boclean, Ewido
    3) Application firewall E.g Processguard/regdefend, online armor, GSS
    4) normal firewall E.g Looknstop, Jetico, Outpost Pro

    Now it seems i must add a fifth layer.

    5) Sandbox e.g Defensewall, Bufferzone, geswall etc.

    Okay, anything to stay safe....
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    LOL, the problem I have on my system, I don't know if it is related to my 64-bit processor (it happens since I have it), is that I cannot install too many of those kernel-level programs... I encounter too many hassles, lockups, slow booting... I tried a session without Tiny2005 and everything went ok, but I refuse to uninstall it. In fact Tiny2005 already offers everything from your points 3 to 5.

    It has a nice feature: track n reverse which will bring everything back (something like virtualisation)
    http://www.tinysoftware.com/home/ti...A1&&pg=content05&an=track_reverse&cat=cat_tf6

    good luck and don't forget to give some feedback when you add that fifth layer DA, looking forward to read your comments

    best wishes
     
  15. sam_spade

    sam_spade Guest


    Here's a copy of an actual email response i received from GentleSecurity support on the matter.


    Dear Mr. xxxxx

    GeSWall standard edition will remain free for any use. The license it includes is only for the automatic update feature. We could start charging for automatic update of the Application Database, but the product will stay free. Actually we don't even have such plans.

    --
    Best regards,
    GeSWall Support
    www.gentlesecurity.com


    Hth
     
  16. TheAnalyzer

    TheAnalyzer Guest

    Thank you for the clarification sam_spade.

    TA
     
  17. Yorky35

    Yorky35 Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    13

    Infinity, build 126 does offer memory protection:



    There is a new protection in the currently available build 126.

    It covers \Device\physical memory as well as an option to load and run some code in kernel memory through NtSetSystemInformation.
    Not all Windows were affected, but some could be...

    Since it is new, it is OFF by default. You have to turn it on manually in registry HKLM\...\Services\KmxSbx set value "SystemGuards" (REG_DWORD) to 1. Reboot is needed.

    Not implemented on 64bit version of TF.

    So maybe you can say Tiny covers (2) to (5)


    Tiny is an awesome firewall/sandbox! Set it up correctly, combine it with Processguard, and a decent AV and you have one VERY secure system.

    Tiny will restrict spawns, access to registry, DLLs, files, OLE/COM objects, services, code injection. All entirely configurable. The only problem is that it has a very steep learning curve.... but if you put the effort in you learn so much too.

    Shame CA seems to be abandoning it - Tiny was the most complete package out there. I might be moving to KIS eventually.
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanks Yorky35, I'm using Tiny since V5 and now, when I finally had the feeling Tiny is stable, they sell it to CA..

    I knew about the memory protection, but as I'm using some other apps for that, I haven't updated it to the latest build... it's solid finally... but I might go to KIS2006 myself... it's just the overlap I will encounter when I install KIS...

    have a great eve

    Infinity
     

  19. Under the blue plan component (2) - Memory scanner has nothing to do with protection of physical memory.
     
  20. Yorky35

    Yorky35 Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    13
    Oops, sorry devilsadvocate - was late when I posted, and misread point (2) - I assumed it was relating to memory protection.
     
  21. feverfive

    feverfive Registered Member

    Joined:
    Jun 17, 2005
    Posts:
    121
    Just food for thought, but the following was posted by suzi in a thread about GeSWall over on BBR:
    ------------
    said by nonymous See Profile :

    no name no telephone no address even a p o box.
    You are absolutely right -- there is NO information about the company anywhere on the website.

    »www.gentlesecurity.com/about.html

    No privacy policy either. Maybe this is a fine upstanding company, but I'm not impressed based on the info, or lack thereof, on their website. Here's the whois:

    »www.whois.sc/gentlesecurity.com

    Hmm... the cached image isn't impressive either.

    quote:Registrant:
    Domains by Proxy, Inc.
    DomainsByProxy.com
    15111 N. Hayden Rd., Ste 160, PMB 353
    Scottsdale, Arizona 85260
    United States

    Registered through: GoDaddy.com
    Domain Name: GENTLESECURITY.COM
    Created on: 29-Jan-05
    Expires on: 29-Jan-07
    Last Updated on: 07-Apr-05

    »www.whois.sc/205.234.185.62

    3 domains found on 205.234.185.62

    »www.whois.sc/sazgala.com

    quote:Domain name: sazgala.com

    Registrant Contact:

    Andrey Kolishchak ()
    315 091 717839
    Fax:
    st. Korablestroiteley, 22/3
    N. Novgorod, 603150
    RU

    »www.whois.sc/securesize.com

    quote:Domain name: securesize.com

    Registrant Contact:

    Andrey Kolishchak ()
    315 091 717839
    Fax:
    st. Korablestroiteley, 22/3
    N. Novgorod, 603150
    RU

    GeSWall Team(Unregistered)@cust.bluew, perhaps you could fill us in on this company since you are apparently a representative.

    Maybe the app is ok, but personally, I wouldn't trust a company with no information available, no privacy policy, and using a proxy registrar besides.
    ----------------------------------------

    Again, that was posted & researched by suzi, not me............
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Has anyone ran leaktests on this?
     
  23. Yes, failed most of them. But not surprising to me. You aren't supposed to use GESwall to block leak tests lol.
     
  24. FatalChaos

    FatalChaos Registered Member

    Joined:
    Aug 6, 2005
    Posts:
    98
    Wait so it fails leaktests? so just how secure is my system if i just use geswall?
     
  25. Safe enough. 'Leak tests' aren't that important IMHO, I would bet most people here have systems that are not protected from public leak tests, much less other methods.
     