Is this a failure of DefenseWall?

Discussion in 'other anti-malware software' started by Eiki, Mar 27, 2010.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    First of all, I recommend you download and install the latest V3 build and run the malware against it, because with my current setup everything is working as it should.
     
  2. Eiki

    Eiki Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    9
    Ok, I just tried DefenseWall V3 and I don't have much to say other than what I said before. One major difference was that the firewall of DW now asked if one of the malware samples could get access to the Internet. Of course I said no. And DW now again said that I had 1 Untrusted process running even though there are 2 drops from the original installer. I clicked Stop Attack, DW tells me I have 0 Untrusted processes running, but when I look on my hdd both pieces of malware are still there. I go to DW's File and registry rollback and delete everything. NOW they got deleted. Just like DW 2.56.

    Can it be that the other malware is somehow inactive and DW therefore tells me that I have only one Untrusted application? But DW says the file tried to write to my registry and tried to delete a service so it can't be inactive...

    And one more thing that has nothing to do with the above problem. I want my Event Log to be as clean as possible, so I made Svchost.exe and Dropbox.exe Trusted. They don't show up in "Untrusted Applications". BUT they keep popping up in the Event Log anyway. For testing I made Firefox Trusted (Firefox is no longer listed in Untrusted Applications). But traces of Firefox activity still show up in "File and registry rollback".

    You have a lot to do Ilya...
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    1. DefenseWall is working correctly. You just don't understand how it works.
    2. It's impossible to remove built-in entries from the untrusted list; DefenseWall adds them back.
    3. Want to keep the log clean? Just switch off logging and that's it.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I can confirm, Ilya. I installed the same malware for testing and the rollback took care of business and deleted all malware traces and history of the malware ;) very easily :thumb: so it really rolled back my system clean again :)
     
  5. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    So how does the rollback feature work?
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You see all the files/registry/folders in there and just find what you want to delete, and it will roll the system back to its original state. It is very simple to use; then you will notice the files/registry or whatever traces will be gone, even the harder files to remove such as rootkits, etc.
    You can set the rollback to delete automatically; I think it is like every 15 to 30 days (no harm at all).
    Note: the rollback is like my scanner :) it will remove any files for sure, it never fails me. The other day my wife was surfing the web on a legit site and it tried to install a fake antivirus program, which Prevx ignored :) but DefenseWall was there to stop the attack.
     
  7. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Hmm, I'll have to install DefenseWall again and see how this works :D

    Thanks for the info!
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    No problem ;) you have to feel how it works, it's a fantastic application and very unique :thumb:
     
  9. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Eiki,

    I tested the malware sample in question against the latest version of DefenseWall Personal Firewall v3.00 RC1 under Vista 32 SP2. I concur with Ilya that DW successfully contains all of the possible damage that this sample has to offer (the firewall blocks all outbound network attempts, several resource isolation pop-ups give one the option to "terminate" each and every malicious action, pressing "stop attack" effectively terminates all of the "untrusted" processes, and all of the malware-related entries that were created can be effectively rolled back or deleted).

    Keep in mind that DW is a policy restriction sandbox. In other words, all potentially malicious files (application, malware, system, etc.) that are downloaded via or pass through a threatgate (web browser, email client, IM (instant messaging), file compression utility, media player, PDF reader, etc.) inherit "untrusted" status and occupy space on one's "actual" system. Any file that inherits "untrusted" status is prevented from harming or breaching the integrity of one's system unless the user allows it. Since DW employs virtually no virtualization in its sandbox implementation, all malware-related files left behind on one's hard drive can be deleted by DW's built-in "rollback" functionality, manual deletion, or with the use of an on-demand scanner such as an anti-virus. In short, DW is essentially a turbocharged limited user account for threatgate applications with none of the weaknesses.

    Hopefully, this explanation clarifies things.


    Peace & Gratitude,

    CogitoErgoSum
     

    Last edited: Mar 29, 2010
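The policy-restriction model CogitoErgoSum describes above, and the "0 Untrusted processes but the drops are still on disk until rollback" state Eiki reported, as an added toy model in Python (not DefenseWall's own code; the threatgate names, image names and paths are constructed for the example):

```python
from dataclasses import dataclass, field

# Constructed sample set of "threatgate" programs (assumption, not DW's list).
THREATGATES = {"firefox.exe", "outlook.exe"}

@dataclass
class Sandbox:
    procs: dict = field(default_factory=dict)    # pid -> (image name, untrusted?)
    fs: set = field(default_factory=set)         # files present on the real disk
    reg: set = field(default_factory=set)        # registry values present
    journal: list = field(default_factory=list)  # (kind, path) written by untrusted
    next_pid: int = 1
    def launch(self, name, parent=None):
        """Untrusted if the image is a threatgate or its parent is untrusted."""
        untrusted = name.lower() in THREATGATES or (
            parent is not None and self.procs[parent][1])
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        self.procs[pid] = (name, untrusted)
        return pid
    def write(self, pid, kind, path):
        """Writes land on the real system (no virtualization); untrusted ones are journaled."""
        (self.fs if kind == "file" else self.reg).add(path)
        if self.procs[pid][1]:
            self.journal.append((kind, path))
    def untrusted_running(self):
        return sum(1 for _, u in self.procs.values() if u)
    def stop_attack(self):
        """Kill every untrusted process; dropped files are left on disk."""
        self.procs = {p: v for p, v in self.procs.items() if not v[1]}
    def rollback(self):
        """Remove every artifact the journal recorded; return how many."""
        for kind, path in self.journal:
            (self.fs if kind == "file" else self.reg).discard(path)
        n, self.journal = len(self.journal), []
        return n

def demo():
    """Replays the thread's scenario: one dropper, two drops, only one of them running."""
    sb = Sandbox()
    ff = sb.launch("firefox.exe")                        # threatgate -> untrusted
    dropper = sb.launch("setup.exe", parent=ff)          # downloaded via the browser
    sb.write(dropper, "file", r"C:\Windows\drop1.exe")   # constructed paths
    sb.write(dropper, "file", r"C:\Windows\drop2.exe")
    sb.write(dropper, "reg", r"HKLM\Software\Demo\Run")
    sb.launch("drop1.exe", parent=dropper)               # drop2 is never started
    before = sb.untrusted_running()                      # firefox, setup, drop1
    sb.stop_attack()
    # (untrusted before, untrusted after, files still on disk, artifacts rolled back, leftovers)
    return before, sb.untrusted_running(), len(sb.fs), sb.rollback(), len(sb.fs) + len(sb.reg)
```

A process started outside a threatgate chain stays trusted, and its writes are never journaled, which is why rollback lists only the threatgate-originated traces.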