Hacking DefenseWall, GeSWall etc in 60 seconds

Discussion in 'other anti-malware software' started by ssj100, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You've just made Matt's case. If a user can't configure other products, how would he ever be able to decide between allow and block? Matt's right, most would choose allow.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can you share the keylogger via PM? I have not seen the videos. I am assuming that it was the one used to wrongly test the products.

    Let us test it in the correct way. :D
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hi, is BluePointSecurity a behaviour blocker?
     
  4. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    As I have stated before, Matt's review wasn't really a review at all. It appears that Matt posted his review to retaliate rather than actually review the product. He has reviewed other AE-style apps with glowing reviews (with far less features, no AV and flawed security models). It was obvious from our point of view that he didn't have an understanding of how the product even worked.

    As far as the keylogger videos go, I'm quite surprised at the reactions. I can actually understand why people questioned the GesWall and DefenseWall tests. What about the rest of them? However, please keep in mind the entire point of the tests was not to see if these products could be tweaked and modified into preventing it. The test was performed to prove that most of these products fail to actually prevent newly created (we created it) threats with out-of-the-box settings. Threats don't play by rules such as "network drives and servers should be trusted", as was demonstrated. I've seen many, many organizations infected via their network drives, and a security product should be capable of protecting from things like that out of the box, IMHO. Everyone is quite focused on these two products with no real mention of the rest of the AV products. 90% of the general public is running them. Every one of them failed on the execution and the outbound network traffic. This is a serious problem.

    It's unfortunate many think these tests were "attacking", unfair or that we purposely set them up to fail as we certainly didn't. I've been a programmer for over 10 years, which puts me in the position of actually being able to create threats and truly test these products. I would really like to run the top 10 products through more real world tests with newly created threats but it seems they would be attacked any way you look at it.

    The keylogger was less than 30 lines of code and took about 30 minutes to create, very simple. The fact that I can sit down and compile a threat and have it not be detected by 95% of the products out there has always bothered me. That was the reason for the videos and the reason for our product. Anyone with basic programming skills could easily confirm this fact.

    Just my 2 cents
     
  5. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    "1. Never run a file (no matter what the file type) from an unknown/untrusted source on your real system, until you've verified it to be safe."

    I absolutely agree, that's the point behind BluePoint. You can't do that with any of the mainstream market leading products.
     
  6. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    "Matt's right, most would choose allow."

    That's why our product isn't for everyone. Keep in mind, you won't be given the allow/deny prompt if you attempt to execute an in-the-wild threat. These are the same users that would set up GesWall and DefenseWall incorrectly and end up unprotected. I have a feeling there are many on this forum that are very capable of using our product effectively. In my opinion GesWall and DefenseWall are quite a bit more complicated to operate than our product. Our product isn't necessarily for everyone, although it's not out of the realm of many average users.
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    How the hell do you set up GesWall and DefenseWall incorrectly? They are set up right out of the box. Even an idiot like me knows how to use them. Are you even familiar with the products you "talk" about?
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Here I run unknown/untrusted source files all the time on the real system and harvest any droppers utilising Sandboxie.

    Possible to do with your app?
     
  9. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Trjam:

    Trusting network servers and drives out of the box is what I consider setup incorrectly.

    Keep in mind, I am primarily here to answer any questions you may have about our product.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    "Matt's right, most would choose allow."

    You said this.

    "Trusting network servers and drives out of the box is what I consider setup incorrectly."

    You said this.

    Am I missing something here?
     
  11. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    One of the products we tested trusts network/remote drives by default, as mentioned earlier in this thread. This setting can easily be changed, however (if the user realizes this is an issue). I hope we can stick to mostly Q&A. I am not here to put down any other vendor's product, only to help out where I can.

    Mods, should I create a new thread for Q&A at this point?
     
  12. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Is your product an anti-executable? Does it recognise all binary executable types? What about script executables?
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Installed BluePoint into an XP VM where I received a prompt on Sandboxie's start.exe which I allowed.

    Installed the newish rogue BlockDefense which I allowed at BluePoint's prompt then did a full scan with BluePoint.

    SB.jpg

    BP.jpg
     
  14. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Yes, BluePoint is technically an anti-executable type of security product. We do protect against all binaries, including but not limited to .scr (screen savers), .vbs (VBScripts) and .bat (batch) files. BluePoint does properly handle .vbs files individually rather than simply blocking the scripting host.

    Thanks!
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    This one can be easily detected by Appranger :D
     
  16. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Looks like BlockDefense isn't included in our database. I'll see what we can do about adding it. It's pretty tough keeping up with all of the rogues out there; I'm glad to hear it did at least ask for permission to install first!
     
  17. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    This is actually a good example of the rapid release rate of malware and rogues, and one of the reasons why we don't rely on heuristics or signatures to prevent these types of apps. You would have to actually give things like this permission to install in the first place; granted, the average clueless user may not know how to handle that, but the product isn't really designed for them :)
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    This is really true; because of the name one can easily guess it is bad, ''unknown to my eyes'' :)
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You have no argument from me on that point!
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    He says he will add it to the BluePoint Security database ;)
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, I ran it against 3 older variants of stuff such as Killdisk. At first I put OA++ and MD in learning mode.

    Ran Killdisk: no warnings, no alerts whatsoever, and it took the VM down.

    Then I reran along with 2 other older viruses. Let MD and OA++ run.

    Had all kinds of alerts out of MD, about various things the malware was doing.

    OA++ also did a lot of alerting, and it picked up every file run as infected.

    Not a peep out of BluePoint except for one alert about the trial subscription.

    Install seemed to go okay, it scanned the system, and then I did an update.

    o_O??

    Pete
     
  22. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Interesting,

    If you aren't receiving any alerts, I'm guessing either something may be conflicting (the other security apps?) or protection isn't enabled for some reason. Would you mind checking the status page to see if it states secure? If any executable runs without prompting you, something is probably not right with it. Check to make sure the service is running also.
     
  23. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
  24. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can you give me a run down of all the script executables you protect against? Thanks!

    EDIT: Can your product be configured to Default Deny only allowing executables on a whitelist?
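
The default-deny-with-allowlist behaviour asked about here, together with two points raised earlier in the thread (judging a .vbs file on its own rather than just blocking the scripting host, and not blanket-trusting network drives out of the box), can be sketched as a small policy engine. The code below is an added illustration written for this page; it is not BluePoint's code or any other product's, and the extension sets, scripting-host names, mapped drive letter and sample file contents are all assumptions constructed for the example.

```python
"""Illustrative default-deny execution policy (example code, not a product's).

Every execution request is checked against a SHA-256 allowlist; anything not on
the list is denied.  When a scripting host runs a script, the decision is made
on the script file, not on the host.  Network locations are only trusted when
the policy is explicitly (and unwisely) configured to trust them."""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical extension sets; the thread names .scr, .vbs and .bat alongside .exe.
BINARY_EXTS = {".exe", ".scr", ".com", ".dll"}
SCRIPT_EXTS = {".vbs", ".bat", ".cmd", ".js", ".ps1"}
# Hypothetical scripting hosts: when one of these launches with a script, judge the script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Drive letters assumed (for this example) to be mapped network drives.
MAPPED_NETWORK_DRIVES = {"Z:"}


@dataclass
class ExecRequest:
    image_path: str                       # program being launched
    image_bytes: bytes                    # its contents (constructed inline below)
    script_path: Optional[str] = None     # script argument, if the image is a host
    script_bytes: Optional[bytes] = None


@dataclass
class Decision:
    action: str   # "allow" or "deny"
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_kind(path: str) -> str:
    """Classify by extension: 'binary', 'script' or 'unknown' (still hash-checked)."""
    ext = ntpath.splitext(path)[1].lower()
    if ext in BINARY_EXTS:
        return "binary"
    if ext in SCRIPT_EXTS:
        return "script"
    return "unknown"


def is_network_location(path: str) -> bool:
    """True for UNC paths (\\\\server\\share\\...) and assumed mapped network drives."""
    drive = ntpath.splitdrive(path)[0]
    return path.startswith("\\\\") or drive.upper() in MAPPED_NETWORK_DRIVES


class DefaultDenyPolicy:
    def __init__(self, allowlist_hashes: Iterable[str], trust_network: bool = False):
        self.allowlist = set(allowlist_hashes)
        # trust_network=True reproduces the weak out-of-the-box setting criticised in the thread
        self.trust_network = trust_network

    def decide(self, req: ExecRequest) -> Decision:
        image_name = ntpath.basename(req.image_path).lower()
        if req.script_path is not None and image_name in SCRIPT_HOSTS:
            target, content = req.script_path, req.script_bytes  # judge the script itself
        else:
            target, content = req.image_path, req.image_bytes
        kind = file_kind(target)
        if is_network_location(target) and self.trust_network:
            return Decision("allow", f"{kind} {target}: trusted network location (weak setting)")
        if sha256_hex(content) in self.allowlist:
            return Decision("allow", f"{kind} {target}: hash on allowlist")
        return Decision("deny", f"{kind} {target}: not on allowlist")


# Constructed stand-ins for file contents (not real binaries or scripts).
WSCRIPT_STANDIN = b"MZ constructed stand-in for wscript.exe"
UNKNOWN_VBS = b"' constructed unknown script\r\nWScript.Echo \"hello\"\r\n"
UNKNOWN_SCR = b"MZ constructed unknown screensaver binary"


def demo() -> dict:
    """Run four representative requests; returns the action taken for each."""
    allow = {sha256_hex(WSCRIPT_STANDIN)}          # only the scripting host is allowlisted
    strict = DefaultDenyPolicy(allow)
    weak = DefaultDenyPolicy(allow, trust_network=True)
    host_only = ExecRequest(r"C:\Windows\System32\wscript.exe", WSCRIPT_STANDIN)
    script_via_host = ExecRequest(r"C:\Windows\System32\wscript.exe", WSCRIPT_STANDIN,
                                  r"C:\Users\alice\unknown.vbs", UNKNOWN_VBS)
    from_share = ExecRequest(r"\\fileserver\public\setup.scr", UNKNOWN_SCR)
    return {
        "host_alone": strict.decide(host_only).action,            # allow
        "unknown_script_via_host": strict.decide(script_via_host).action,  # deny
        "share_strict": strict.decide(from_share).action,         # deny
        "share_weak": weak.decide(from_share).action,             # allow
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The two network-share results are the point of the comparison: with the allowlist alone the unknown .scr is denied wherever it sits, while the `trust_network=True` variant lets it run purely because of its location, which is the out-of-the-box behaviour the thread argues a product should not ship with.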
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When I first installed it, the status page said insecure. I turned it on and then it said secure.

    The only strange thing I noticed is that after I updated, the status page showed it had been updating, but the update tab would show update in progress and then close that page.

    I'll take another look and check on the service.
     