Hacking DefenseWall, GeSWall etc in 60 seconds

Discussion in 'other anti-malware software' started by ssj100, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    I'm not sure if this has been posted anywhere on Wilders, but this is quite interesting stuff:

    http://www.youtube.com/watch?v=y3HGAQrYCAM
    http://www.youtube.com/watch?v=qjN_bMcc38Y
    http://www.youtube.com/user/BluePointSecurity

    Anyone know who this BluePointSecurity is? According to these tests, BluePoint Security has demonstrated that several popular antivirus software, Threatfire, DefenseWall, GeSWall, and several popular internet security suites (including Kaspersky and Comodo) are bypassed.

    Thanks for any comments.
     
  2. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
    BluePointSecurity is nothing but block all unknown files.
    Then it asks user to allow or block the application...weird.

    See Matt's video for more details :)
     
  3. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    When they open IE in Defense Wall test it shows 1 untrusted application,so the keylogger is installed (trusted) .So they don't know or don't want to know how Defense Wall works.Just another marketing video.
     
  4. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    I don't know either but it's not important becouse as seen in the video the keylogger runs as trusted ,i don't think outbound is important here .
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DefenseWall,

    The advanced options item of defensewall offers the following
    a) Run files from USB drive always untrusted
    b) Run files from CD/DVD drive always untrusted
    c) Run files from network drives always untrusted

    I have had a discussion with Ilya about this. During the installation he should have a setup wizzard which asks what the user wants, to enable them or the disable these options.

    Also in the right click system tray icon an option protected drives should be visiable, same way as AppGuard offers via the system tray icon to see what is included in the deny execute (= drive by protection) and what is included in the deny access (=privacy option).

    These options are now two mouse clicks away (richt click system tray, choose advanced tab). Ilya's opinion is that user should read user manuals.


    Problem is that per country the critical 'click border' and willingness to read manuals differs. An example from the past (just for reference, might not be accurate anymore) in Flemish Belgium the critical mouse click border lays at three clicks and they 60-70% read the manuals, in Holland the critical mouse click border is two mouse clicks (or what is equivalent of a mouse click in terms of information at your fingertips) and 20 - 30 % read the manual.

    These differences are remarkeable: The Flemish and the Dutch speak the same language and are neigbours, even have provinces with the same name and are tiny geographical areas.

    So it is really a storm in a glass of water. I hope Ilya's opinion on the setup wizard and protection scope option of the tray icon will be changed by this deceptive test. After all they have a point, out of the box, these options are not selected, so when you copy something from a network drive it is trusted and DW will allow it do what it wants.



    GeSWall
    GW is more directed to teh corporate market than the end user market. It has the option to isolate network drives, only this requires some basic knowledge of GW. Again when you run something as trusted from a network drive, GW will not protect like DW. Because GW is more directed to the corporate market, I think few system administrators/network managers/IT managers would be happy with a default setting running the programs from the network drives as untrusted. The network drives are the inner circle of any company, so should in theory be the most protected. When a company gets a keylogger on a network drive, they have bigger problems than GW not blocking it out of the box. :D

    ThreatFire
    I am sure that an intelligent behavior blocker would somehow take the consideration mentioned at GW (the network is the inner , most trust worthy circle) into its risk calculation. :p

    Cheers

    Regards Kees





    Cheers Kees
     
    Last edited: Aug 18, 2009
  6. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
    The keylogger was simply double clicked from the desktop as a normal user would. We did not make it trusted or perform any settings changes to the product, it was simply installed with the default settings. If all files are run as untrusted then it was run as untrusted, it did nothing to stop it. We can retest showing installing the product and then running it, but it was not run as trusted in the current video.

    I asked how did they test and what if they run it as untrusted.

    The file was run just as any normal user would run the file, simply double clicking it from the desktop. We didn't allow or trust the keylogger before running it. We didn't run the keylogger as untrusted as the average user wouldn't know how to do this and we also believe that most of these products involve too many complicated steps to actually prevent new threats. The products were installed with default settings just as they were installed.

    :D
    Unknown file wilders.exe
    Allow / Block?
    Complicated?
     
  7. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Agree, this test is not professional. They run malware as trusted and they think DW in this case help :thumbd:
     
  8. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Their explanation is also funny... All files downloaded by Untrusted processes (DW/GW) got automatically Untrusted status so the average user do not have to remember what files he should run as Untrusted in this case.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No but they copied it from a (trusted) network drive, they did not download.

    It is a rediculeous test
     
  10. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
    V3 will have firewall module. Yes, it adds protection
    V2 is not that vulnerable, but just not so "complete" as I understand. I might be wrong. Lets see what Ilya says.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No read my post nr 6. It was copied from a trusted source so ran trusted. Normally network drives are on a back end server. Depends on the way the network manager configured the network, often PC in a network have only access to the central server disks, but sometimes they are allowed to access each other directly in a LAN.

    Yep the moon is round, the moon is yellow, it must be a gigantic Gouda cheese.

    Come on SSJ, your to bright to make that kind of deductions. Did you also complain at Tzuk when he added policy management protection to SBIE, was SBIE not strong enough before, nonsense.

    See my post of january 2008 https://www.wilderssecurity.com/showpost.php?p=1156260&postcount=1. Ilya is just taking the nex step. Combining internet facing policy management (which is a HIPS) with a FireWall, so basically a combo of trends 1 (HIPS and FW) with 2 (threat gate mitigation).

    When DW has a FireWall, you do not need anything else anymore (besides a router):
    V2 - protects programs against each other like HIPS (that is untrusted versus trusted)
    V2 - mitigates virusses in files (paraluses them), sort of same protection an AV has
    V3 - filters application level network traffic like an advanced FW ( I have no idea whether it also covers the original functions of a firewall, but nobody seems to care nowadays anyway, since f.i. Comodo by default does not analyse protocols, I bet you have it off also, check your FW intrusion settings :p )

    Cheers
     
    Last edited: Aug 18, 2009
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    GW now has network protection of untrusted objects, DW has not.

    Yep only a policy management/virtualisation sandbox programs is a reversed whitelist (in stead of whitelisting to allow, you 'white list' what to untrust/run virtualised), so by copying it from a network drive (when you do not choose to untrust network drives etc) it is basically the same as disabling your HIPS before executing an unknown program. So yes it sort of it is the same.
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, you are right. Spambots made me make outbound protection, Kido made me do inbound one.
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Will the FW protection (1) prompt similar to other FWs, or (2) just show a warning that you can skip in the future with automatic block, like the current warnings?
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    "Advanced"->"Options"->"Run from local area network as untrusted".
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Similar then other FW's, but not the same. The core ideology is very different- it's totally sandbox.
     
  17. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    I had short discussion with Ilya by email. The solution will be brilliant!:thumb:
     
  18. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Seems the test was designed to make the products fail.

    Why not show how they work against a drive-by-download ?

    Oh wait , remove-malware already showed that .. :blink:

    Had a look at their website , hmmm.
    Not impressed . Why does a default deny app show 4 screenshots of its virus scanner ? Why does it even have a virus scanner :)
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ridiculous. I would test their software if i didn't have to leave. Someone "hack" their software like they did on youtube and post it as a response video. :rolleyes:
     
  20. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Well they are running an old version of Drupal with multiple XSS/Injection vulnerabilities, their whole web site could be wiped off the server. Does that count? :eek:

    But yeah, pretty silly tests. But to answer the original question "Has anyone heard of them", well their site only has 54 others linking to it (many of the 54 are just multiple links from the same sites) so no it appears nobody has.
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I don't mean attacking them, just to be sure, in case someone misunderstands me. Just "test" the software the way they did for others. That is, a fake test of some sort.
     
  22. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Agree with Kees.
    I'm not about to get rid of DW, but I wish Ilya would make it easier to use for the techy challenged. I just can't be the only one here.
    Yes, we should all read the manuals, but I pay for the software. Nobody is paying me to use it.
    Also, there's a good article about DW in the new issue of CPU.
    Way to go Ilya.
    Hugger
     
    Last edited by a moderator: Aug 18, 2009
  23. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I know i was joking, and pointing out it's odd they are poking holes in other products when their own backyard is vulnerable.

    Is there any more detailed info about DF's new firewall?
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I meant outbound, I already explained that :D
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Loading...
Thread Status:
Not open for further replies.