Questions On GeSWall

Discussion in 'other anti-malware software' started by metalforlife, May 6, 2009.

Thread Status:
Not open for further replies.
  1. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I have a few GeSWall related questions I want to ask. Please answer them. Even simple yes/no answers will be enough -

    1] Will an isolated media player be able to communicate with my MP3 player, i.e., be able to sync files, etc.?

    2] If I manage to terminate GeSWall, will all the restrictions imposed on applications by it be lifted?

    3] Since child applications inherit rules applied to their parent applications, will an executable spawned by my .pdf viewer have access to files/folders set as confidential, if my .pdf viewer has access to them?

    4] Will one isolated application have access to another isolated application and its resources?

    5] What is the difference between jailing an application and isolating an application?

    6] Assuming that the answer to the 4th question is "no", then if my web browser - not having access to resources tagged as "confidential" - spawns a keylogger, will the keylogger be able to log keystrokes and access confidential data that is then being accessed by my text editor? Or will it depend upon GeSWall's detection capabilities?

    7] Is it possible to block internet access and deny execution permissions to newly spawned executables, or will it depend upon the restrictions imposed upon their parent applications?

    8] Can a jailed application's newly created data be retained to the real system?

    9] I am using CIS as my HIPS as of now. Will CIS have complete access to GeSWall and all applications running under it, and will it intercept an executable - running under GeSWall - launch?

    10] This question is not directly related to GeSWall, but very important to me; I hope someone answers it. I believe that for any malicious code (rootkits, keyloggers) to pull off its tricks - hide itself, infect files, etc. - it cannot do it before execution. So will such a file be in complete control (have knowledge of its existence....) before it executes?

    11] What type of restrictions will be imposed on untrusted resources created by isolated applications? I am probably rephrasing the 3rd question, I believe the answer to both the questions would be the same.

    12] Will files and applications having no rules set themselves (not treated as trusted, untrusted or confidential) be completely accessible to isolated applications? For ex. If "C:\WINDOWS\system32" is not under the control of GeSWall, will my isolated web browser have complete access to it?

    13] Final question, is GeSWall too buggy? I have had the "....management snap-in..." errors in the past and had to uninstall it, which didn't go very smoothly. And is GeSWall compatible with CIS 3.5?
     
  2. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Wow, so many questions ;) Maybe it is better for you to be familiar with the useguide.pdf first :p
    Okay, let me have a try, one by one:
    1. Well, it seems like the HKEY_CLASSES_ROOT\%HKEY_CLASSES_ROOT\.Mp3\%\CLSID Registry Key is not mentioned in "Resource" to be treated as "confidential", so it is treated as "trusted" by default. The isolated media player can read it but not modify it. I think it is impossible to associate the Mp3 files with it (that needs modifying the Key);
    2. After terminating the service-related process named "gswserv.exe", yes, the restrictions are lifted;
    3. No, I think. In my hypothesis, the confidential is specified to certain programmes. The inheritance in Geswall means that an executable spawned by an isolated programme is also isolated but does not also inherit all of its access rights. This question must be tested in practice;
    4. Yes, it can read and modify it unless the resource was set "confidential" to a specific application;
    5. A jailed application has no permissions by default and may access only explicitly granted resources; isolated applications are given more rights. They are restricted by the rules in "Resource" and "Application". But I am still confused by the priority of the rules, maybe I should post a thread in the official forum;
    6. Certainly the keyloggers can't finish their nasty jobs ;)
    7. According to question "3", let's make a test;
    8. See the answer for "5";
    9. Well, it involves many settings. I strongly recommend this combination, because CIS has an excellent packet filtering firewall, and Geswall can make up for the "weakness" of CIS, like: you can't make a flexible FD restriction (divided by "read", "write", "create") for a single application, which is available by using Geswall. Besides that, CIS can set more convenient AD (application restriction) than Geswall does. And I haven't found any conflict by using them both. Forgive my irrelevant topics. Now get back to the discussion: CIS is treated as a trusted application by default, so it can read and modify all the resources except "restricted for trusted" and "confidential". Of course you can set a custom application rule for Comodo to raise its privilege. And by default, it will intercept the following behaviors after running an isolated application by Geswall. So I recommend you make a predefined rule for those applications by making "allow" rules in some items like "protected File/Folder", "protected registry" etc. And it is worth further discussion since it will bring much more convenience. :cool:
    10. I am not sure I've got what you meant; do you refer to some methods to get all the behavior of a file even if you don't run it? I think it's impossible. But some online sandboxes can analyze the file without running it on your PC. And you can get all the information by inspecting the detailed log of MD or EQ after running the file if you set rigorous and proper rules;
    11. The restriction is imposed according to the Application Rules and the "Global Resource Rules";
    12. Actually, "C:\WINDOWS\system32" is set to be "Deny Create" by default; an isolated application cannot create resources in this specified path;
    13. So far as I know, it has worked perfectly with CIS 3.8. Buggy? No, error popups don't seem to like me :blink: They seldom show up.

    Forgive some incompetent words and grammar flaws, for English is not my native language. Hope my answer can help you :) And please feel free to point out my errors.

    Regards
     
    Last edited: May 7, 2009
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Could you re-phrase question 10)?
    It's an interesting area, but I'm not 100% clear what you're asking.

    I've posted a few questions about executables on Wilders, and there are some good threads on how they work.
     
  4. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I have been very hesitant on settling with either Sandboxie or GeSWall. Having tried Sandboxie "free" for a week, I have found out that it doesn't cover all that I am looking for. Even then, I haven't done a full-fledged testing. Now that I have come back to GeSWall, I don't want to jump to conclusions, half-informed. That is why this insanely huge and excessively inquisitive thread.

    A sandbox-like application is a must for my setup. I'll decide on the better of the two.

    A big thanks for answering all my questions. You have cleared most of my doubts. I'd like to question again about some of the replies I haven't completely understood -

    "1. Well, it seems like the HKEY_CLASSES_ROOT\%HKEY_CLASSES_ROOT\.Mp3\%\CLSID Registry Key is not mentioned in "Resource" to be treated as "confidential", so it is treated as "trusted" by default. The isolated media player can read it but not modify it. I think it is impossible to associate the Mp3 files with it (that needs modifying the Key);"

    Okay, so, in layman's terms, my media player will be able to play - read the files from my MP3 player, but not add - modify it, right?

    "6.Certainly the keyloggers can't finish their nasty jobs;)"

    "4.Yes, it can read and modify it unless the resource was set "confidential" to a specific application;"

    Those two quotes seem to contradict each other. If you mean that executables spawned by an isolated application, though they cannot access "confidential" resources, can access another isolated application, then a spawned keylogger should be able to hook(?) my word processor to log keystrokes.
    I hope you can clarify further.

    "12. Actually, "C:\WINDOWS\system32" is set to be "Deny Create" by default; an isolated application cannot create resources in this specified path;"

    What if the folder does not have a "deny create" rule? What then?

    It is not my first language, either. What is important to me is that it doesn't hinder the clarity in conveyance. And I don't think it does.

    Thank You
     
  5. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    ".....I believe that for any malicious code (rootkits, keyloggers) to pull off its tricks - hide itself, infect files, etc. - it cannot do it before execution. So will such a file be in complete control (have knowledge of its existence....) before it executes?"

    Okay, let me rephrase it: If my web browser loads a malicious executable onto my system, would the executable be able to hide its traces before it gets executed? Wouldn't it be much simpler then, executing itself while staying invisible? I cannot present an example, since I don't have the technical knowledge to translate it into one. I have explained, and can only explain, at the surface.
     
  6. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Well, there is no necessity for me to explain the difference between them. But there is one thing I think you should know: some conflicts caused by sbie itself (maybe design flaws) (hook conflicts) take place when you use Sandboxie and another HIPS. However, the virtualization is very useful for installing some applications without writing registry keys to the system.

    Yes, besides that the isolated player cannot be set as the default player for .MP3 either, I suppose.

    :blink: Maybe I didn't make a clear explanation. "Will one isolated application have access to another isolated application and its resources?" "Confidential" resources of this isolated application are not involved in "its resources". Have you got it?
    "Confidential" data are accessed only by explicitly granted applications, such as the text editor.
    And a keylogger's behaviors are automatically intercepted by Geswall when it's started isolated. You can look over the relevant threads posted by aigle. He has made many anti-leak tests on Geswall.
    You can try this logging test: https://www.wilderssecurity.com/showthread.php?t=235884
    Download link: http://rapidshare.com/files/230489233/through-the-eyes-of-a-keylogger_v1_0_0.rar.html
    Confirm your hypothesis.

    If the folder has a rule, the isolated application is bound by this restriction; if not, an isolated programme can create new files and folders (labeled by "G") in it but cannot modify the existing contents.

    A good HIPS can detect it while it is executed or invokes some other processes to execute itself, in a word, regular malicious behaviors. You know some samples can bypass many "mainstream" HIPS by unusual methods (invoking functions directly, duplicating handles etc.), and the safe applications start to pay more and more attention to these potential threats.
    Generally speaking, no files can stay invisible in Windows OS. You can view them by regular ways or with the help of some auxiliary tools.

    Hope all of the above can help you :)

    Regards
     
    Last edited: May 8, 2009
  7. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    GesWall allows FireFox activities to be done only in Read-only mode, but everything you launch under FireFox with the [G] label also gets set to Read-only mode. I have noticed that if you use an add-on in FireFox with [G], which I won't recommend because you can damage FireFox, it will load but you'll get an error. Best to not use [G] when you are doing add-ons with FireFox. No downloading of files under [G] to shared download folders over the network; if I do that I get an error saying the file wasn't saved. If I bypass the [G] it works. Well, I guess it has to be more than a sandbox, more like an interceptor, which is good. Along with Keyscrambler and Rising Suite and its doctor, not bad..

    Sandboxie Registered version, I have that, but I am not happy with it anymore. In the past you could test out crap software and see if anything was cloaked. But if you terminated the file it would take out the file and folder. But the newer version doesn't do that and leaves all the pests behind that can activate and start terrorizing the system. If you've got protection then you're okay then..
     
  8. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Thanks, it has certainly cleared a lot of confusion. I am installing GeSWall 2.8 right now. Running a few tests should clear that little bit of cloud.
     
  9. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    What Sandboxie version was it that deleted everything?
     
  10. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    If you start from when an executable is copied onto your system, then the hiding of the executable depends on the specific browser exploit which the malware is using.
    Some browser exploits could "hide" an executable, as they have a good deal of access to system level commands etc. However, in the wild this is rare, AFAIK.

    More often what happens is that once the executable is copied onto your system, it's the browser exploit that is used to execute that file.
    That bad executable then does its work, which may include hiding itself.

    So I think the answer to your question, can the executable hide its traces before it's executed, is no. That's up to the browser.

    P.S.
    Sorry for all the italics, it's hard to emphasize what I want otherwise!
     
  11. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    In addition to the answers already given:

    2] If I manage to terminate GeSWall, will all the restrictions imposed on applications by it be lifted?
    Geswall policy (rules) is enforced by a kernel driver (geswall.sys). Killing all Geswall processes (gswui.exe and gswserv.exe) with, for instance, Task Manager will not lift restrictions imposed on applications. The only effect is that you won't see whether an application is running isolated (no green window caption or G shown) or not, and that you cannot use Geswall Console. You can easily try this yourself. Kill gswui.exe and gswserv.exe with Task Manager, start Internet Explorer and try to save the web page to a confidential folder.

    3] Since child applications inherit rules applied to their parent applications, will an executable spawned by my .pdf viewer have access to files/folders set as confidential, if my .pdf viewer has access to them?
    No, application-specific rules are not inherited by spawned applications (except for network access, which should be considered a bug). I tested it the following way:

    a. I created a folder D:\TestGW
    b. created a .txt file in this folder
    c. made the following rule in Resources: D:\TestGW File Confidential
    d. created the following application rule for IE (iexplore.exe): D:\TestGW File Allow
    e. started IE
    f. typed C:\windows\system32\notepad.exe in the address bar and pressed return
    g. allowed it to run (notepad starts isolated)
    h. used File|Open or File|Save As and tried to read or save a file in D:\TestGW

    Result: Notepad will not be able to access D:\TestGW (although its parent IE can).
    Note: I tried the same with another application (other than notepad) which is not listed in Applications, with the same result.

    7] Is it possible to block internet access and deny execution permissions to newly spawned executables, or will it depend upon the restrictions imposed upon their parent applications?
    Internet access: No, due to 'bug', see http://gentlesecurity.com/board/viewtopic.php?t=289&highlight=
    Execution: No. Geswall philosophy is not to deny execution of applications, but to prevent them from doing any harm.
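    The non-inheritance result Henk1956 reports above, replayed as a small policy model. This is an added example, not GeSWall's own code or rule engine: the rule semantics it encodes (confidential resources, per-image Allow rules, Deny Create on system32, G-labelled new files, no modification of existing files) are taken from the posts in this thread as assumptions, and the paths and process names are constructed.

```python
"""Toy model of the GeSWall access rules described in this thread.

Added example, not GeSWall's own code or engine: it encodes what the posters
report (confidential resources, per-application Allow rules that spawned
processes do not inherit, 'Deny Create' on system32, G-labelled new files in
unlabelled folders) so Henk1956's notepad-from-IE test can be replayed offline.
"""
from dataclasses import dataclass
from typing import Optional

CONFIDENTIAL = "confidential"  # label from the Resources list
DENY_CREATE = "deny_create"    # default the thread reports for system32

# Constructed rules matching Henk1956's test and MagisDing's answer 12.
RESOURCE_RULES = {r"D:\TestGW": CONFIDENTIAL, r"C:\WINDOWS\system32": DENY_CREATE}
APP_ALLOW = {"iexplore.exe": {r"D:\TestGW"}}  # app image -> resources it may access


@dataclass
class Process:
    image: str
    parent: Optional["Process"] = None
    isolated: bool = True  # the only property the thread says a child inherits


def _rule_for(path):
    """Longest case-insensitive prefix match of path against RESOURCE_RULES."""
    hits = [(p, l) for p, l in RESOURCE_RULES.items()
            if path.lower().startswith(p.lower())]
    return max(hits, key=lambda h: len(h[0])) if hits else None


def check_access(proc, path, op):
    """Decide op in {'read', 'write', 'create'} by proc on path -> (allowed, why)."""
    if not proc.isolated:
        return True, "trusted process, outside this model"
    rule = _rule_for(path)
    if rule and rule[1] == CONFIDENTIAL:
        # Looked up by the child's own image: the parent's Allow rule is ignored.
        if rule[0] in APP_ALLOW.get(proc.image, set()):
            return True, f"{proc.image} has an explicit Allow for {rule[0]}"
        return False, f"{rule[0]} is confidential; {proc.image} has no Allow rule"
    if rule and rule[1] == DENY_CREATE and op == "create":
        return False, f"Deny Create on {rule[0]}"
    if op == "read":
        return True, "isolated apps may read trusted/unlabelled resources"
    if op == "create":
        return True, "created with the G (untrusted) label"
    return False, "isolated apps cannot modify existing contents"


def replay_thread_test():
    """Steps d-h of Henk1956's post: IE is allowed, the notepad it spawns is not."""
    ie = Process("iexplore.exe")
    notepad = Process("notepad.exe", parent=ie)  # starts isolated, per the logs
    return {
        "ie_reads_testgw": check_access(ie, r"D:\TestGW\a.txt", "read")[0],
        "notepad_reads_testgw": check_access(notepad, r"D:\TestGW\a.txt", "read")[0],
        "notepad_saves_testgw": check_access(notepad, r"D:\TestGW\b.txt", "create")[0],
        "notepad_creates_system32": check_access(notepad, r"C:\WINDOWS\system32\x.dll", "create")[0],
        "notepad_creates_unlabelled": check_access(notepad, r"D:\Other\new.txt", "create")[0],
        "notepad_edits_unlabelled": check_access(notepad, r"D:\Other\old.txt", "write")[0],
    }


if __name__ == "__main__":
    for name, allowed in replay_thread_test().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

    The `parent` field is deliberately never consulted by `check_access`, which is exactly the non-inheritance the test above demonstrates.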
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Agree with all. :thumb: :thumb:

    BTW if you mark an executable as jailed in GesWall, it will not be able to execute.
     
  13. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I was hoping it would be that way. Great... security-wise.

    Great, again.

    No problem. Both the concerns are handled efficiently by CIS. Just that the setting-up takes some time.
     
  14. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    The disappearance of the "G" label confuses me, thanks for the comments :thumb:

    But I still doubt that test for question 3; the notepad.exe is not invoked by IE. So I don't think the former is spawned by IE; notepad.exe is not the child application of IE.exe.
     
    Last edited: May 9, 2009
  15. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    MagisDing,

    Geswall's logs tell me: notepad.exe ISOLATE on start from iexplore.exe
    I am also still using Tiny Firewall 2005, telling me that notepad.exe is being spawned by iexplore.exe.

    Since you are using CIS, which seems to be able to control spawning, you should also be able to check this (maybe you need a rule for this, I am not an expert on CIS).
     
  16. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I tested myself, using the same method and I can confirm the results. Access denial to notepad is logged by GeSWall.

    CIS's "execution control" does prevent applications from spawning executables, if configured so. Like GeSWall, it too will log the action.
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Does Geswall free separate/isolate files from the system like other similar products? Can it sandbox the browser, Hotmail messenger and Windows Media Player by default? I want to give it a try :) Never used it :) Thanks
     
  18. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Yes,

    Be careful though that compared to DW, it does not have full parent trust inheritance. So in some scenarios, untrusted files loaded by explorer may be run as trusted... Plus it doesn't play well with Vista under LUA.

    But it has its own advantages, like using more internal Windows resources; the concept is brilliant, you can control outbound connections from untrusted sources...
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Ah, thanks :D I just wanted to test it. Of course if I ever use it for personal use I will also run a HIPS program to protect my whole system in real time :)
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Did anybody run Comodo with D+ and GesWall together without any conflicts? I want to save some time here :) I saw a video test about Geswall and it performed very well ;) Actually the person who tested Geswall used one or two samples I used when I tested A2 antimalware and DefenseWall ;) Cool :cool:
     
  21. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Hi jmonge,
    I've been running CIS and testing out GesWall Pro, trial, and now the free version with 0 problems for the last several weeks.
    Liking what I see so far. :)
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Cool :) Thanks danny, I want to try this combo which I never tried :D
     
  23. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    You're welcome.
    Looking forward to trying out GesWall with the new CIS release hopefully coming out Tues. :D
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... seems no one cares to look at my signatures. :D
     
  25. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    With the humongous amount of posts you have made, and we have read, we should all know your signature and avatar by heart. :D :thumb:
     