OA + GeSWall

Discussion in 'other anti-malware software' started by LoneWolf, Feb 2, 2008.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Needed together ?
    Overkill ?
    Or are they a compliment to one another ?
    Same question for WinPatrol + OA.
     
  2. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Winpatrol = Detects
    OA = Prevents

    Geswall's main purpose is restricting the rights (untrusted) of user selected programs right? Then you could use OA for this aswell since you can restrict each program as "Run Safer" in the advanced options.

    /C.
     
  3. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    The main reason for myself to use GeSWall is to restrict the policy rights while surfing, whether its with opera or IE.



    I don't see where I can do this as "run safer" in advanced mode.
     
  4. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    1. Right click selected program and choose "Advanced options":

    1.png


    2. Check "Run Safer":

    2.png


    /C.
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Found it.
    Thanks. :D
     
  6. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Run safer in OA (like other basic policy based sandbox like DropmyRights) is a very nice feature but not configurable at all. GeSwall is a dedicated Sandbox with both policy restriction using configurable rules and virtualization.
    My choice is to not use OA run safer option and focus on sandboxing with GW or DW

    Regards,

    MaB
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I played around a bit with Geswall, but didn't like it. I use Sandboxie which really sandboxies, and OA's Runsafer, and it's a good combo.

    Geswall doesn't allow getting rid of what might have come down. That's what I don't like.
     
  8. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    I have to disagree Pete, anything virtualized by Geswall is redirected in a specific folder ( Windows/geswall) and cleaned after, other files created by a isolated apps (like things you download) are flagged as untrusted.

    Regards,

    MaB
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Okay, I didn't figure that out.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    And now in new version, u can even scan all these files and delete as needed.

    I agree that GW is not so user friendly as SBIE!
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GW is much more stonger that just using run safer! However i don,t think WP is needed with OA.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Not sure I'd totally agree with you on the Run Safer. I set IE7 to run safer in OA, and invoked some of our favorite nasties from with IE. None of them could do anything(I did disable Sandboxie).

    Pete
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Any malware made to work even in limited user mode will bypass run safer but that will not be the case with GW. Am I true?

    Also i am not sure how the privilages are transferred from parent to child processes in run safer. In case of GW, prvilages are kept stricly from parent to child, even to downloaded executables unless u mark them trusted manually.

    BTW, i am interested to know what nasties u tried and did u used only run safer and no other OA feature in this testing?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Not sure what you mean by the first statement.

    IE must be passing privileges from parent to child. The malware exe had no special privileges, I just invoked it from IE using the file open in IE. One I ran, the virus(don't remember the name), but it was the one I used in the erik albert thread, was able to install it's files, but couldn't make the system changes for it to run. The files were essentially just inert on system

    I've also run killdisk, the cleanmbr thing, and that POC bypass this way and they all were neutralized.

    Pete
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Run safer means run as limited user. Correct? There are malware which can run even in limited user account restrictions. Restrictions of GW are tighter than just limited user restrictions.

    IE must be passing privileges from parent to child. The malware exe had no special privileges, I just invoked it from IE using the file open in IE. One I ran, the virus(don't remember the name), but it was the one I used in the erik albert thread, was able to install it's files, but couldn't make the system changes for it to run. The files were essentially just inert on system

    I've also run killdisk, the cleanmbr thing, and that POC bypass this way and they all were neutralized.[/QUOTE]What happens if somehow u click these executables, can they cause their damage? In case of GW, the files are tagged as isolated and running them even manually or somehow by other means can,t harm the system.

    Personally I have not tested this feature against malware myself so I can,t be more specific about it but I had tested GW multiple times and it almost always proved solid, and I know that restrictions applied by GW are more than put by a limited user account!

    BTW I PMed u!
     
  16. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Yes you´re right. If the malware is designed to operate in a restricted user environment, for example scriptbased malware or certain keyloggers, it will also "bypass" OA's "Run Safer" since they work after the same principle (least privilege). They can´t do any harm to your system, but they can steal information that you for example types into financial transaction sites. The value of using GW, DW etc would then be that they add protection to neutralize some of these malwares if I understood you correctly aigle?

    /C.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You are right. But I believe there must be more malware able to work in limited user account, rather than just keyloggers!
     
  18. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    But then the malware would have to exploit some "unknown" vulnerability in the OS or known LUA bug applications (where you have to change their permissions for them to be able to work restricted), to be able to elevate their privilege.

    /C.
     
    Last edited: Feb 2, 2008
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    You are right they aren't tagged, and if you invoked them they could run. But even in GW that would be the case if you didn't know to tag them. What I can also do is right click them and run them sandboxed.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    In GW, they are tagged automatically, by default unless you un-tag them.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Drat you guys. You are going to make me take another look at Geswall. :argh: :D
     
  22. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi all,

    I'm sure you will not regret it, Pete

    Regards

    MaB
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Malware has access to some autostart reg keys even in LUA. User-mode rootkits work fine under LUA.
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Not for me. GW makes far more sense than SBIE. What's not friendly in GW ?
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    GW uses Windows poilicy manager, so by design it would not be much stonger than running with limited rights. I suspect GW has made some enhancements over running as Limited User (so I think GW's goal is to offer stronger protection without being more restrictive to the user).

    According to Mike Nash running safer inheritates (limited) rights from parent to child. I downloaded an exe and I could not install driver either, so run safer is somewhat stronger than running as limited user. I know Mike has changed something in run safer, because help desk got question things going wrong (driver installation failed). I do not know about the latest freeware.


    Regards Kees
     
Loading...
Thread Status:
Not open for further replies.