Question about GeSWall

Discussion in 'other firewalls' started by zopzop, May 18, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It was already not set on read only.
    BTW, rebooting Windows made this setting work. No more pop up. Again weird. Seems a bit buggy or may be some conflicts!
    I feel the user manual/help is not detailed and no forum support makes it more difficult.
    Just wondering if anybody can tell how it compares to the paid product DefenseWall?
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    ITA! i think that gentlesecurity has got a real winner with this product but they are marketing it horribly.

    no clue, but i do know 2 things:
    1) that geswall with the default settings stopped killdisk dead in its tracks but the current version of defensewall (v1.55) doesn't
    2) that ilya is one monster of a programmer. he took the bufferzone security challenge and cracked their software! so he definitely knows his stuff. he's aware of the current problem defensewall is having with killdisk type virii and he said v1.56 of defensewall will handle them properly. he's extremely fast with the responses on his message board! IMHO defensewall is probably the best sandboxing program out there bar none.:thumb:
     
  3. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    stem and aigle if you guys still care i found and ran some more tests :)

    1) the "zapass" test, geswall blocked it successfully
    http://www.whirlywiryweb.com/article.asp?id=/trojanimplant
    my geswall log

    2) ProcX. these aren't really tests, they are just really powerful process termination programs and geswall stopped it from terminating geswall;)
    some of the log (it's too long to post the whole thing but it was basically a whole bunch of readonly and deny's)
    3) it seems to have failed this keyhook test though
    http://diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers

    i'm emailing brian the results of test #3 to see if he can make any sense out of it. i'm trying to find a spyware quake and cws website to try geswall on. if anyone on this board knows any, PM me the links ;)

    edit: didn't try diamondcs's test, my bad, that was only procx.
     
    Last edited: May 26, 2006
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, nice tests and interesting results. Pls keep updated as u go ahead. Thanks.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    To me the failing of DefenseWall is not a good sign. He can fix it right today but this doesn't change anything. These are not signature based programmes. So if they fail today against one malware, 2morrow they can fail against any other one. This behaviour is more acceptable from signature based appliances.
    Just my thoughts. I am not an expert at all in these things.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    aigle and stem have you seen this thread?
    https://www.wilderssecurity.com/showthread.php?t=128594

    about processguard (and appdefend) failing to stop a program protected by ICE from shutting down regmon.exe?

    this is what joe3563 said:
    well i downloaded the zheadware program called Music Video Downloader 4.0 from here:
    http://www.zheadware.com/products.htm
    this is the one that comes with the vlprs.exe file. i installed it and went to geswall and followed these steps from geswall on adding new programs to geswall's safe applications:
    http://gentlesecurity.com/docs/applications.html

    just to see if geswall can stop it from shutting down regmon.exe
    here are the results from geswall's log:
    it stopped it COLD! regmon.exe was NOT shut down!

    i'm trying to get my hands on the xpkiller trojan cause i heard that is a nasty av killing virus and appdefend and processguard were having issues with it.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi zopzop. Great job. I am happy to see it as u know PG and AntiHook failed here and it was one cause of the delay of the PG release as I read.
    Did u try GeSWall itself against advanced process termination? Can it defend itself like PG?
     
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    edit: no i didn't, sorry i confused procx with diamondcs's test, my bad ;(

    re-re-edit! ;) i found Advanced Process Termination and i ran a few tests, these are my results:

    so to update:
    1) gswserv.exe is IMMUNE to ALL attempts to kill/suspend/crash it running the advanced process termination program!
    2) other processes are IMMUNE to ALL attempts to kill/suspend/crash them EXCEPT to "kill 6" attempt.


    hope that helps.
     
    Last edited: May 26, 2006
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. I think it will be a good idea to inform the writer about this so that he can manage it in the next version.
     
  10. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    aigle good news, geswall DOES indeed STOP the "kernel kill" attempt. I had originally run apt.exe (the advanced process terminator) unisolated to see how powerful it was; unknown to me, it (apt.exe) installed a file in my windows/system folder. since the program was unisolated at the time, the file it installed was also considered unisolated and that's how the "kernel kill" attempt was shutting down processes. Deleting the file, dcsprocx.sys, and re-running the test, geswall stopped the kernel kill attempt (since apt.exe and dcsprocx.sys were fully isolated)!

    here is my geswall log:
    so to update:
    1) gswserv.exe is IMMUNE to ALL attempts to kill/suspend/crash it running the advanced process termination program!
    2) other processes are IMMUNE to ALL attempts to kill/suspend/crash them EXCEPT to "kill 6" attempt.
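A toy model of the label inheritance zopzop describes in post #10 (an added example, not code from the thread or from GeSWall; the policy rules, the file path and the notepad.exe target are assumptions): a file written by a process inherits that process's isolation label, and the kernel-kill helper driver only loads from a trusted file, so a stale driver installed during an unisolated run lets the kill through until it is deleted.

```python
from dataclasses import dataclass, field

TRUSTED, ISOLATED = "trusted", "isolated"
# File name is from the thread; the folder path is constructed for the model.
DRIVER = "windows/system/dcsprocx.sys"


@dataclass
class Sandbox:
    """Toy label-propagation model; an assumption, not GeSWall's real policy."""
    procs: dict = field(default_factory=dict)   # process name -> label
    files: dict = field(default_factory=dict)   # file path -> label
    log: list = field(default_factory=list)

    def start(self, proc: str, label: str) -> None:
        self.procs[proc] = label

    def write(self, proc: str, path: str) -> None:
        # A file created by a process inherits the writer's label.
        self.files[path] = self.procs[proc]

    def load_driver(self, path: str) -> bool:
        # Assumed rule: only a trusted (unisolated) file may be loaded as a driver.
        ok = self.files.get(path) == TRUSTED
        self.log.append(f"load_driver {path}: {'allow' if ok else 'deny'}")
        return ok

    def kernel_kill(self, proc: str, target: str) -> bool:
        # The kill goes through the helper driver, so it only works if the driver loads.
        if not self.load_driver(DRIVER):
            self.log.append(f"{proc} kill {target}: deny")
            return False
        self.procs.pop(target)
        self.log.append(f"{proc} kill {target}: allow")
        return True


def replay() -> dict:
    """Replay the three states from the post; True means the kill succeeded."""
    sb = Sandbox()
    sb.start("notepad.exe", TRUSTED)          # constructed target process
    sb.start("apt.exe", TRUSTED)              # 1. apt.exe run unisolated installs the driver
    sb.write("apt.exe", DRIVER)
    unisolated = sb.kernel_kill("apt.exe", "notepad.exe")
    sb.start("notepad.exe", TRUSTED)          # restart the target
    sb.start("apt.exe", ISOLATED)             # 2. apt.exe isolated, but stale trusted driver remains
    stale = sb.kernel_kill("apt.exe", "notepad.exe")
    sb.start("notepad.exe", TRUSTED)
    del sb.files[DRIVER]                      # 3. driver deleted; isolated apt.exe reinstalls it
    sb.write("apt.exe", DRIVER)
    clean = sb.kernel_kill("apt.exe", "notepad.exe")
    return {"unisolated": unisolated, "stale_driver": stale, "isolated": clean}
```

The middle state is the confusing one from the post: isolating apt.exe alone is not enough while an earlier unisolated run has left a trusted driver file behind.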
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Great work. Really nice. Thanks for the update.
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I knew about such an attack, but I made a mistake at the programming stage. Now it is already fixed, as are many other errors. The fact is that there are errors within any product, but the only important thing is how fast you fix them.
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Just a quick follow-up to my previous post. After more testing, KillDisk is, in fact, not able to bypass SSM execution protection. From my report to SSM support:

    "First, I could not duplicate KillDisk bypassing the SSM alert. I let the alert hang for about 30 minutes, twice. I believe the error I reported was caused by pressing Enter while HyperSnap-DX "appeared" to have focus on the Desktop. Here, it takes 10-15 seconds before an SSM alert makes the Desktop non-functional. Within that 10-15 seconds, I had...taken a screenshot, and started the "Save as" dialogue. But when I pressed Enter to save the screenshot, HyperSnap-DX no longer had the focus and the keystroke was directed at the SSM alert. Since my alert config was "Allow-this action just once", I allowed KillDisk to execute. I was able to duplicate this application focus event."

    Beyond execution protection, though, SSM cannot yet stop KillDisk's attack on the partition table.

    Nick
     
  14. LM1

    LM1 Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    40
    Is there any benefit from using GeSWall if I'm using ProcessGuard (full version) and KAV, with the proactive defense module enabled?
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Unsure about GeSWall

    I am not quite sure what GeSWall is. I have read this thread and Gentle Security.

    Is this a complete firewall, or should it run alongside a firewall?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have got one problem with GesWall. Whenever I start the GesWall Console, I receive the following error message. I tried to repair the installation but no benefit. Don't know how I can fix this and what the reason for this error is. I need some advice. Thanks.

    Just another issue, after putting Opera in GesWall Trusted (isolated) appliances, "post quick reply button" on the Wilders forum is not working!
     


  17. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    aigle, i wish i knew what was going on with that error ;( have you tried emailing geswall support?

    ps do you know anyone with the xpkiller trojan?
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.
    I will mail to them.
    About the second one I will try to search though I don't have it.
    If somebody is kind enough he may donate us the link.
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    kk guys i've tested the xpkiller trojan vs geswall and to my amazement, geswall did not stop it. it disabled both my windows firewall and the automatic update feature :(

    this was tested in geswall 2.2.5 personal edition

    EDIT:

    gentlesecurity already has released a fix. apparently it was working on all previous versions up to 2.2.5 but it broke in 2.2.5 :) I CAN CONFIRM GESWALL STOPS IT COLD, here's proof from my geswall log:
    just make sure if you have geswall 2.2.5 installed to UPDATE it first before attempting to run this test. right click the geswall icon in the taskbar, then select "update geswall".

    nice job gentlesecurity! :)
    ps i also tested bufferzone home against xpkiller and bufferzone stopped it, i will post a message on ilya's site to see if defensewall works against xpkiller.
     
    Last edited: May 29, 2006
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Again I will say that the bugs in a sandbox are more serious to me than the bugs in an AV, AT or AS type software. See u tried just a few malware samples--- Sandboxie, DefenseWall and GeSWall failed against at least one of them (even if the bug might be fixed now). BufferZone and DeepFreeze have revealed their weakness already.
    I can't imagine what will happen if u put these sandboxes against hundreds of malware samples (as is done while testing AV)!!
    Either the sandbox technology is premature currently or, more dangerously, Windows OS is proving to be persistently vulnerable in this regard as well (as it is in the case of traditional defence by AV, firewall etc).
    That's computer life! We have to live with it.
     
  21. Brian Walche

    Brian Walche Registered Member

    Joined:
    May 21, 2006
    Posts:
    3
    That is life, but not only computer related ;-) nearly the same rules are applied everywhere.

    You are right, bugs in “prevention solutions” are more serious than AV’s ones. However, there is one important difference.

    In computer security, there is a notion of Trusted Computer Base (TCB). That is something you inevitably have to rely on. For example, the Windows kernel and drivers are TCB. A security bug within the kernel will compromise the whole security. It is best when the TCB is as small as possible. It is good when you can enumerate exactly what the TCB is. So, you at least know that if there is a bug in one of these components, the security will not work. The problem with AV and some other “traditional solutions” is that they have an infinite TCB by definition. Even if your AV is perfect and has no bugs at all, you are still in danger. Security definitely gains from turning this AV uncertainty into engineering problems.
     
  22. puddingalien

    puddingalien Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    21
    We can expect there to be bugs, but we can then try to put together a reasonable layered defense so that hopefully if something gets past one, another will stop it. This is not paranoia and not a reason to not have HIPS at all. No sandbox producer can claim a perfect product, but they can distinguish themselves as one of the best available.

    Now, if they can agree that bugs can happen, watch this: What if HIPS can be honest and market as -always- a double. o_O But look, what if Ges and DW both say they do their best but once in a while there could be a bug or something and therefore the fact is a double technology nested HIPS: DW + GeSWall. It's fun not being a programmer because I have no idea how this would work :p , but it seems logical: 2 separate technologies, independently produced but compatible on the machine means that if one tech has an unknown hole, the other maybe does not.

    Ever watch Star Trek: Deep Space Nine? Only a difference in Klingon technology allowed their ships immunity to a weapon that ruined the tech of the others. This saved that whole part of the galaxy from the attacker.

    Read up on biodiversity: habitats or organisms with little biodiversity are more vulnerable to change. The more diversity, the better chance of survival. http://www.britannica.com/ebc/article-9357293?query=biodiversity&ct=
    Computer security -requires- technodiversity!:blink:
     
  23. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    aigle, keep in mind that other non-sandboxing programs failed to stop the xpkiller trojan. heck avast! and AVG didn't even detect killdisk (another trojan)on my machine when i ran it! i wish there was a way to get our hands on more virii so we can put the sandboxes to the test. geswall, bufferzone, sandboxie, and defensewall are awesome first lines of defense against malware IMHO. but that's why many on this board recommend layered defense. see my sig for mine :D

    ps i need more virii/trojans/malware to test. if you have any PM me :D
     
  24. puddingalien

    puddingalien Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    21
    Well, I have both GeSWall and DefenseWall 1.56 on this cpu together now.
    Yay! TechnoDiversified HIPS!
    Well, they seem ok, so far.

    Any comments from the developers as to, say, what specific things to look out for or what specific things might cause resource problems?

    I just put them on the way they are so far, have not changed anything. DW is in basic mode.

    For those who are testing virii, if it passes one of these, try with both on and see what happens!
     
  25. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Hi all,

    Answer to Aigle:
    Bufferzone has not revealed its weakness already if you refer only to the bypass trick of Ilya. It was a POC aimed at proving BZ is not fully ring0 and therefore can easily be bypassed. Now it is fully ring0. I talk under the control of master Ilya.

    Like Geswall and DW, it is still in beta or in development. Give it time to improve!

    Second, you shouldn't count by hundreds of thousands of malwares to test these technologies, but by the number of techniques to make an infection or %$# behaviour. You then restrict drastically the number of tests: installing a driver and/or service, communicating with outside, registering keystrokes (at the moment for example, BZ has a development bug: the last version lets some kind of keylogger work, whereas previous versions didn't - fixed in the next version), stealing info., deleting files...

    To puddingalien:
    I disagree with your comparison with biodiversity: so far your multi-layered protection (actually mono-layered with the impression more is better) didn't face enough situations to be "selected" as a competitive option by the environment. Time will tell if your approach is right. Think anyway about the risk that the 2 products conflict and leave some areas unprotected... even without you realising it...:D
     