Is this a failure of DefenseWall?

Discussion in 'other anti-malware software' started by Eiki, Mar 27, 2010.

Thread Status:
Not open for further replies.
  1. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    Please help me with my questions.
    I executed a file that I downloaded and thought was a legit program. It was, but the install .exe was bundled with some malware that dropped 2 files in a Temp dir. in the Documents and Settings. I executed the original .exe as Untrusted and DW did nothing to tell me (other than in the Log) about those file drops. But Avira did catch them, and then I closed Avira so that the two malware .exes could land fine on my hdd the second time. Now comes the strange part. DW tells me under "Files and registry tracks" that there are 2 .exe dropped, but when I click "You have x untrusted processes running" only one of the malwares is listed (as untrusted). No sign of the other (I did cancel the original install). When I change view to "Untrusted applications" on top there are no signs of the 2 malwares. "Event Log" shows them and I can see that both tried to delete a service in Windows, so they are both active. I don't know if they did succeed in deleting the service because DW doesn't tell which one got attacked.
    And it continues: when I push "Stop attack" DW tells me that I have 0 untrusted applications running. Fine. But when I search for the two malware .exes they are both still on my hdd (in the Temp dir. as before). And DW says both are Trusted when I right click.

    So my questions: Why does DW let 2 files drop on my hdd without automatically telling me with a popup (now I need to examine the Log inside the program), and why does DW drop files from an installer that I run as UNTRUSTED? And why are those drops Trusted when the installer that they came from was untrusted?

    I have Windows XP SP3, NO firewall and DW 2.56.

    Thanks in advance.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    If this was the scenario, it was not a failure:

    1. You downloaded the installer

    2. Set the installer to trusted (otherwise software would not install properly)

    Files (executables etc.) created by trusted programs inherit this status, so the two side programs (executables) were also marked as trusted. So DW did what it promises: keep untrusted objects in a policy box.

    3. Executed the main program as untrusted.
    Since the two side programs were created by the installer, this did not change anything in the status of the two side programs.

    Regards, Kees
     
  3. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Kees,
    I think you misread. "I executed the original .exe as Untrusted"
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    If Avira caught the files, the processes associated with them had to be killed. Anyway, you may just send me those executables and I'll run them against DW V3.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I did not understand whether the original exe was the installer or the executable the installer created. If Eiki ran the installer as untrusted it sure smells fishy, so he should send it to Ilya as requested.
     
  6. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I don't think anything would have got through. To the original poster, go into file and registry tracks, find a time/date that you are comfortable with (before you installed program), and either:

    > select rollback to
    > delete all the items in the list created from the time the installer was launched and after.

    Also, you have to be more strict in checking downloads. There are many sites creating legitimate programs as portable, but adding a bit of extra spice to the download. I've been burned, many times.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    it may be running in memory but as untrusted, so this virus or whatever is doing nothing, it is crippled already for sure; just terminate it or stop attack, end of story ;)
     
  8. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    As a firm believer and a devotee of DW, I fully support the infallibility dogma of DefenseWall... :isay:
     
  9. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    Sure there are malwares which have got through.

    I did like Saraceno wrote: I went into "Files and registry tracks" and first rolled back everything. STILL the 2 malwares were on my hdd. I deleted the malwares manually. I tried again and ran the original installer so the malwares dropped once again. Then I tried to delete (not Rollback) the 2 (and everything else) inside DW (under Files and registry tracks). It disappeared from the "Rollback-list" but again it was STILL on my hdd.

    Am I wrong or is the program wrong?

    To Kees1958: By the original .exe I mean the legit program that I was trying to install, which then dropped the malware.
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    What's your Windows version?
     
  11. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    Windows XP SP3 and fully updated.
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Send the files to me, I'll check them out.
     
  13. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    Hmmm..maybe it was me...

    When I went into "Files and registry tracks" and deleted everything, then OK, only one of them was deleted, I can see now. But one is left on the hdd. BUT if I go once again to "Files and registry tracks" the other malware is there again (even if I deleted it before) and NOW I can delete it, the second time.

    But where to send the file so we can have a definite answer? Or should I make the file public so others can try?
     
  14. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    And Ilya:

    Why doesn't DW kill those processes when I click "Stop attack"? Now I must go to "files and registry tracks" to do it manually (2 times btw).
    Can that be correct?
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Send to the support [at] softsphere [dot] com.
     
  16. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    Sending it right now.

    But Ilya, please tell me why DW let the installer put 2 .exes on my computer that were Trusted. Is this normal? Can they not infect my comp? Should not DefenseWALL stop infections that way? Or have I misunderstood the meaning of the program? Please tell me the "rules" of the program, how it works with file-drops like that. So the big question: is DW safe against attacks like that? Does DW stop an attack when the malware .exe hits the hdd, let's say give the .exes minimal access to my system? Or do the dropped files have access to my whole system? I really want to know that.

    Thanks for quick answers before!
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    1. What are the exes you are referring to? All are listed as "untrusted".
    2. Have had no single issue with deleting all the files created by the sample.

    And I strongly recommend you learn about the difference between sandboxes and sandbox HIPS.
     
  18. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    No, only one is listed as untrusted, the setupv.exe. The thefile.exe is NOT listed as an untrusted process running. And when you click Stop attack the setupv.exe is still on the computer (like thefile.exe). Look for yourself. You have to manually delete it in the Files and registry tracks. And when I search for the file on my comp and right click, DW tells me they are TRUSTED.

    So the answer is. Can they make danger on my system when they are in the Temp dir. or do they have minimal access?

    Thanks anyway!
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    1. I have both setupv.exe and thefile.exe stated as untrusted.
    2. Yes, all is correct, DefenseWall does not erase any file automatically, it just marks it as untrusted.
     
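The inheritance rule Kees1958 describes in post 2 and the "marks but never erases" behaviour Ilya states in post 19, as a small added model (this is not DefenseWall's code; the class and method names, the sample paths and the Temp directory are assumed). It replays the thread's scenario twice, once with the installer run as Untrusted and once as Trusted, and returns what the "untrusted processes running" count and the file labels would be in each case:

```python
# Added model of the trust-inheritance rule discussed in this thread (Kees1958's
# post and Ilya's replies). Not DefenseWall code; all names here are assumed.

class PolicyBox:
    """Toy sandbox-HIPS: every process and file carries a trusted/untrusted label."""

    def __init__(self):
        self.processes = {}  # pid -> (path, trusted)
        self.files = {}      # path -> trusted
        self.next_pid = 1

    def launch(self, path, as_untrusted=False):
        # A process inherits the label of the file it starts from, unless the
        # user explicitly runs that file "as Untrusted".
        trusted = False if as_untrusted else self.files[path]
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        self.processes[pid] = (path, trusted)
        return pid

    def drop_file(self, pid, path):
        # A file created by a process inherits the creating process's label.
        self.files[path] = self.processes[pid][1]

    def untrusted_running(self):
        return sorted(p for p, t in self.processes.values() if not t)

    def stop_attack(self):
        # "Stop attack" kills untrusted processes only; files are never erased,
        # they simply keep their untrusted label (Ilya, post 19).
        victims = [pid for pid, (_, t) in self.processes.items() if not t]
        for pid in victims:
            del self.processes[pid]
        return len(victims)


def run_installer(as_untrusted):
    """Replay the thread's scenario; returns (untrusted list, killed, Temp file labels)."""
    box = PolicyBox()
    installer, temp = r"C:\Downloads\install.exe", r"C:\Documents and Settings\user\Local Settings\Temp"
    box.files[installer] = True                          # downloaded file, trusted by default
    pid = box.launch(installer, as_untrusted=as_untrusted)
    for name in ("setupv.exe", "thefile.exe"):           # the two drops named in the thread
        path = temp + "\\" + name
        box.drop_file(pid, path)
        box.launch(path)
    running = box.untrusted_running()                    # "You have x untrusted processes running"
    killed = box.stop_attack()
    left = {p: t for p, t in box.files.items() if p.startswith(temp)}
    return running, killed, left
```

Under this rule, drops from an installer run as Untrusted come out untrusted and survive "Stop attack" on disk (Ilya's result), while drops from an installer run as Trusted come out trusted (Kees1958's scenario); a Trusted label on drops from an Untrusted installer, as Eiki reports, would not follow from the rule.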
  20. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    so Eiki was right? did DW somehow let these 2 files extract as trusted?

    cheers
     
  21. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    o_O :(
     
  22. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    My take is no they were untrusted, and could run within the sandbox, but could not adversely affect the system. With DW 3 they would not be able to call home. Remember this is a sandbox with whitelisting not a scanner. It is part of a layered approach. Version 3 will include a firewall.
     
  23. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Ilya mentioned above both files run and are stated as untrusted.
     
  24. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    Well, on my computer DW tells me I have one untrusted process running after the 2 malwares hit the hdd. I click Stop attack and the file is still on the hdd even if DW tells me I have 0 untrusted processes running. Like I said before, I have to manually delete it in File and registry tracks. If I go to the files with Explorer after I have clicked Stop attack (but before deleting them in File and registry tracks), right click and choose "File properties" in DW's pull-down menu, DW says they are both TRUSTED, even if the original install .exe (from where they executed) was untrusted.

    Shall I put it here so others can try? Just make sure to have AA on your computer. I think it is adware and not a dangerous virus.
     
  25. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    No, please don't upload malware here :)

    DefenseWall does not stop file drops, which are the modules left behind by the malware.

    We recommend users, such as you, to run an antivirus scan periodically to remove files such as these. They do not pose a risk to you, however, they can clutter your system.

    If it is marked as Trusted, after it has been dropped by malware, please submit the files and the log to support[at]softsphere.com
     