Is this a failure of DefenseWall?

Please help me with my questions.
I executed a file that I downloaded and thought was a legit program. It was but the install .exe was bundled with some malware that did drop 2 files in a Temp dir. in the Documents and Settings. I executed the original .exe as Untrusted and DW did nothing to tell me (other then in the Log) about those file drops. But Avira did catch them and then I closed Avira so that the two malware-exe:s could land fine on my hdd the second time. Now comes the strange. DW tells me under "Files and registry tracks that there are 2 .exe dropped but when I click "You have x untrusted processes running" only one of the malwares is listed (as untrusted). No sign of the other (I did cancel the original install). When I change view to "Untrusted applications" on top there are no signs of the 2 malwares. "Event Log" shows them and I can see that both tried to delete a service in Windows so they are both active. I don't know if they did succeed in deleting the service because DW don't tell wich one got attacked.
And it continues: when I push "Stop attack" DW tells me that I have 0 untrusted applications running. Fine. But when I search for the two malware-exe:s they are both still on my hdd (in the Temp dir. as before). And DW says both are Trusted when I right click.

So my questions: Why do DW let 2 files drop on my hdd without automatically telling me with a popup (now I need to examine the Log inside the program) and why do DW drop files from a installer that I run as UNTRUSTED? And why are those drops Trusted when the installer that they came from where untrusted?

I have Windows XP SP3, NO firewall and DW 2.56.

Thanks in advance.

 

When this was the scenario it was not a failure

1, You downloaded the installer

2. Set the installer to trusted (otherwise software would not install properly)

Files (executables etc) created by trusted programs inherite this status, so the two side programs (executables) were also marked as trusted. So DW did what it promises, keep untrusted objects in a policy box

3. Executed the main program as untrusted.
Since the two side programs were created by the installer, this did not change anything in the status of the two site programs

Regards Kees

 

Kees,
I think you mis-read. "I executed the original .exe as Untrusted"

 

If Avira cauthg the files, the processes associated with them had to be killed. Anyway, you may just send me that executables and I'll run them against DW V3.

 

I did not undertand whether the original exe was the installer or the executable the installer created. When Eiki ran the installer as untrusted it sure is smells fishy, so he should send it to Ilya as requested.

 

I don't think anything would have got through. To the original poster, go into file and registry tracks, find a time/date that you are comfortable with (before you installed program), and either:

> select rollback to
> delete all the items in the list created from the the time the installer was launched and after.

Also, you have to be more strict in checking downloads. There are many sites creating legitimate programs as portable, but adding a bit of extra spice to the download. I've been burned, many times.

 

it may be running in memory but as untrusted so this virus or what ever is doing nothing,is criple already for sure just terminatated or stop attack end of story

 

As a firm believer and a devotee of DW, I fully support the infallibility dogma of DefenseWall...

 

Sure there are malwares which have got through.

I did like Saraceno wrote: I went into "Files and registry tracks" and first rolled back everything. STILL the 2 malwares was on my hdd. I deleted the malwares manually. I tried again and run the original installer so the malwares dropped once again. Then tried to delete (not Rollback) the 2 (and everything else) inside DW (under Files and registry tracks). It disappeared from the "Rollback-list" but again it was STILL on my hdd.

I'm I wrong or the program is wrong?

To Kees1958: The original .exe I mean the legit program that I was trying to install and then dropped the malware.

 

What's your Windows version?

 

Windows XP SP3 and fully updated.

 

Send the files to me, I'll check them out.

 

Hmmm..maybe it was me...

When I went into "Files and registry tracks" and deleted everything then OK only one of them deleted I can see now. But one is left on hdd. BUT if I go once again to "Files and registry tracks" the other malware is there again (even if I deleted it before) and NOW I can delete it, the second time.

But where to send the file so we can have a definite answer? Or should I make the file public so other can try?

 

And Ilya:

Why doesn't DW kill those processes when I click "Stop attack"? Now I must go to "files and registry tracks" to do it manually (2 times btw).
Can that be correct?

 

Send to the support [at] softsphere [dot] com.

 

Sending it right now.

But Ilya, please tell me why DW did let the installer put 2 exe:s on my computer that was Trusted. Is this normal? Can they not make my comp infected? Should not DefenseWALL stop infections that way? Or have I misunderstood the meaning of the program? Please tell me the "rules" of the program, how it's working with file-drops like that. So the big question: is DW safe against attacks like that? Does DW stop an attack when the malware-exe hits the hdd, lets say give the exe:s minimal access to my system? Or do the dropped files have access to my whole system? I really want to know that.

Thanks for quick answers before!

 

1. What's the exes you are referencing to? All are listed as "untrusted".
2. Have had no single issue with deleting all the files created by the sample.

And I strongly recommend you to learn about the difference between sandboxes and sandbox HIPS.

 

No, only one is listed as untrusted, the setupv.exe. The thefile.exe is NOT listed as untrusted process running. And when you click Stop attack the setupv.exe is still on the computer (like thefile.exe). Look for yourself. You have to manually delete it in the Files and registry tracks. And when I search for the file on my comp and right click, DW tells me they are TRUSTED.

So the answer is. Can they make danger on my system when they are in the Temp dir. or do they have minimal access?

Thnaks anyway!

 

1. I have both setupv.exe and thefile.exe stated as untrusted.
2. Yes, all is correct, DefenseWall do not erase any file automatically, just marks as untrusted.

 

so Eiki was right? did DW let somehow this 2 files extract as trusted?

cheers

 

My take is no they were untrusted, and could run within the sandbox, but could not adversely affect the system. With DW 3 they would not be able to call home. Remember this is a sandbox with whitelisting not a scanner. It is part of a layered approach. Version 3 will include a firewall.

 

Ilya mentioned above both files run and are stated as untrusted.

 

Well, on my computer DW tells me I have one untrusted process running after the 2 malwares hits the hdd. I click Stop attack and the file is still on the hdd even if DW tells me I have 0 untrusted processes running. Like I said before, I have to manually delete it in File and registry tracks. If I go to the files with Explorer after I have clicked Stop attack (but before deleting them in File and registry tracks), right click and choose "File properties" in DW:s "pull down meny", DW says they are both TRUSTED, even if the original install .exe (from where they executed) was untrusted.

Shall I put it here so some other can try? Just make sure to have AA on your computer. I think it is adware and no dangerous virus.

 

No, please don't upload malware here

DefenseWall does not stop file drops - which is the modules left behind by the malware.

We recommend users, such as you, to run an antivirus scan periodically to remove files such as these. They do not pose a risk to you, however, they can clutter your system.

If it is marked as Trusted, after it has been dropped by malware, please submit the files and the log to support[at]softsphere.com