Virus-Test didn't know about this.

Discussion in 'other anti-virus software' started by Loqka, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Could you share your method with the people? Many of them would be very happy to be effectively secured at no charge! And so would I!

    That is a 100% correct statement. BTW, kareldjag just wrote an article about it (it is not published yet).

    Yes, that is 100% correct. But the thing is that all this sandboxed malware was harmless for the user (for me in the current case). Without it, if my AV had failed to detect the danger, I would have had to spend hours and hours cleaning up my computer!

    DefenseWall cannot claim anything - it is just a program! And I'm sorry, but you are wrong! I've never claimed that DefenseWall can protect from exploits! It can protect from the consequences! That is what I am always talking about! Just search this forum - I've already written these words!

    I'm sorry, but you are wrong one more time. You see, your point of view is "if malware runs, the system defense has failed". That is the wrong position. OK. Malware runs. It cannot break the system's integrity, it cannot break out of the sandbox, it cannot steal important information. So, how dangerous is the malware under these conditions?

    OK. It is always possible to bypass ANY defense. It is just a question of time and money. Now, let's see. To bypass DW now, it needs a lot of time and money, even at the present stage. Later, it will need much more time and money to bypass DW because it is an "in constant movement" product. So, it is useless from the economic point of view to bypass DW - there are a lot of people with no defense at all! Even without AV!

    If you think it is a "piece of cake" to bypass DW - just try it! It will not be an easy deal!

    Yes, I understand that the weakest point of any protection is the human. But that is just the thing I can do nothing about! DefenseWall is just a tool! An AV and a firewall could be set up by the user in a way that makes them useless. But it doesn't mean that AV and firewalls are a very bad idea, "big marketing claims"!

    15 years! Now I understand why your point of view is so limited. One more time. There is the "defense-in-depth" concept. Now. AV can recognize only the malware it has already captured. But what should I do if I have caught an exploit via my browser (or e-mail client) that the AV still doesn't know? That is the field of HIPS! But what is your cure for this case? Ah, I see, "format C:"! :)

    There is no "trusted software list". There is only an "untrusted" one! Just look at the DW online documentation first before saying something!

    First of all - I don't believe in marketing claims, just as you don't. Maybe even more strongly than you - I'm a system programmer with 10+ years of experience. DefenseWall is doing its job exactly as written! It contains all the "untrusted" processes in one virtual zone and does not allow the untrusted processes to modify autostart, install/modify drivers/services, set global hooks, modify executable/interpreted files, break into the trusted processes' zone and many more things. And, as proved by the ITW test, it helps people!

    DefenseWall is not an AV replacement! It is not a firewall replacement (it doesn't protect you from browser hijacks or firewall bypasses, for instance; that is your firewall's job!). It is protection from malware unknown to the AV. And this protection is strong. If you have any doubts about it - just try to bypass my defense! It won't be easy!

    DefenseWall has no registry/file system virtualization. It is a tool for average users; I suppose they will be very surprised if they don't find the file they just downloaded in the place they think they saved it. File system "virtualization" is useful only for rapidly removing malware from the hard disk; it won't increase your security level, but it increases the complexity of the product's learning and usage curve. Also, I don't think people will be very glad that, on emptying the virtualization storage, all the files they downloaded will be erased too. I'll add some tracking tool in the future so that it will be easy to clean up malware manually, 100% controlling this very dangerous process.

    Anyway, just look at any of the products with file system "virtualization" - they place their "virtual" folders on your C: drive! All of them! There are no miracles in this world!
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    All the testimonials are 100% real. I've changed none of the words in them! A.B. is Notok at Wilders. Who Todd and Chris are - sorry, I can't say.
     
    Last edited by a moderator: Jan 22, 2006
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    To quote the Softsphere homepage:

    "DefencePlus protects your system against buffer overflow "exploits" which Hackers often use to crack computers on the Internet. These exploits exist owing to the vulnerabilities in many different components of your operating system, as well as those of application software (such as network games, Internet browsers, e-mail programs, etc.). In any of these exploitable cases, neither anti-virus nor firewalls would be able to protect you. Only DefencePlus, a multi-level proactive security system, is able to cope with all known and unknown versions of these "exploits". DefencePlus provides the highest security possible and enables computers to work at their intended optimum level."

    That sounds pretty much like a promise to protect against even unknown exploits.

    Why is it a wrong position? Don't you agree that if the malware is allowed to execute, it gets the *possibility* to bypass DW? If no malicious code gets executed at all, that is a higher level of protection.


    Why, I always liked innovative ideas, like heuristics, generics, behaviour blocking and sandboxing. I actually started with writing a fully heuristic-only scanner and a behaviour blocker back then.

    But why does AV only block malware that is known? That is not true; with good heuristic detection or variant detection (such as NOD32, VBA32, Bitdefender, Dr.Web and others have) you can easily catch lots of new malware.

    So DW did not block the WMF exploit but the downloaded malware - but regular AV programs can do the same, easily.

    Why, I read the homepage, which states:

    "DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups."

    Sorry if I misinterpreted that. So, what happens if a trojan is time-triggered and is removed from the *untrusted* list by the user before the trigger activates?

    Exactly what I said, the different technologies complement each other. The original poster however gave me the impression he only needs DW and nothing else - and is perfectly protected.

    Then how does it protect the user from modification of these key areas? How does it prevent the malware from modifying other critical processes, code injection and such?
    If the level of monitoring and controlling covers all of the possible entry vectors, such a tool would eat up enormous amounts of memory, no?
    And how can anyone know *every* possible method to activate code and cause damage to the system if you haven't analysed all known malware, not to mention new malware that uses completely new methods of infection or code activation?

    So don't get me wrong, I have no doubt that DW is an excellent product and when I find the time I will surely have a closer look at it.
     
  4. Ilya, actually I remember you posting about how DefenseWall protects users from the WMF exploit, and I remember posting asking you point blank for a clarification, and confirmation that it didn't stop the exploit per se, but the consequence.

    You agreed readily that I was right.

    I suppose from the point of mere mortals, this may seem to be semantics, but in this forum we expect higher standards :)
     
  5. Happy Bytes

    Happy Bytes Guest

    May I ask what you need money for? You would need time AND KNOWLEDGE.
    Depending on the level of knowledge, the time factor is relative.

    And your 2nd statement "To bypass DW now it need a lot of the time" only applies to 2nd class wannabe crackers. Your luck here is that most of the (truly) advanced people have something else to do than proving this just as some kind of "attraction" in a forum. Feel free to contact me via PM if you have any doubts about that ;)

    Otherwise, everything has been said already - we're speaking here about 2 completely different technologies which are "designed" to work together and not against each other. There's no winner in this match. The game is drawn, even if the black player controls the middle of the board. ;)
     
  6. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    @ Stefan regarding exploit protection:
    You are quoting from DefencePlus, which is a separate product from DefenseWall.
     
  7. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Stefan, I find it a bit odd that you are coming down so hard on a program you haven't even tested. You have stated - more or less - that if you just gave it some time you would fairly easily crack DW's defense - do it - if it's that easy - do it.

    Happy Bytes also seems to be very sure that he or any other of the advanced members of this forum would - if they bothered to put in the time - crack the DW defense - so - DO IT!

    Ilya Rabinovich says he has an extremely good product mainly for safe surfing and emailing, but also for defending A:, D: and similar. DW's concept doesn't stop the malware that is in the virtual sandbox during a session, but it stops the same malware from doing harm to your computer.

    From my total layman user point of view DW is ahead on points in this match because it's there - working with extremely good protection - not yet cracked.

    If I had to choose only 1 program to protect me from PC malfunction after a virus or trojan attack - I would choose DW. If I can get free AVs and ATs I will use them - if I have to pay for them - I think not - because they failed me too many times. Reformatting C: is a bad sucker for a layman user.

    Best Regards
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    When you're dealing with guys that have as much programming expertise as Mike and Stefan, it's really only a question of whether they have enough time and especially motivation to do it (both are busy guys).

    I think it's mostly because it's relatively unknown software.. if it was widely used the malware authors would try to attack it.. and like Stefan said, once the nasty is active in memory it can try to kill the protection..

    Many of the companies behind some current nasties use professional programmers to code their stuff.. those ain't no script kiddies.

    Do you happen to know what the difference is between a pro boxer and a tough guy?
    Yep, one punch :D
     
  9. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    AV-Comparatives' latest "ProActive detection of ITW-samples", I suggest, says something about the AVs' ability to handle zero-day virus attacks.
    With signatures loaded they do well, but at zero-day they have no signatures to back them up and their results are poor, to say the least. NOD stands out with 62%, McAfee 35%, Norton 11% and many similar results.


    That's not the level of protection that I would choose for my first line of defense, but maybe I don't understand this test, or AV-Comparatives is not a respected test site?

    With great interest I follow the very professional part of the discussion where e.g. Stefan K explains why he doesn't believe in the concept of DW. I can respect that - it's his technically well-argued opinion. If I see it otherwise, that is another thing.

    What I fail to understand is why it's become so important to state something like "if we want to - we can break DW - but we don't want to take the time to do it". That's a very unusual type of argument here at Wilders. And other people joining in trying to explain these kinds of statements - I don't understand why.

    Rabinovich stated in another thread that DW was a better defense and much harder to break than BufferZone, and he proved a flaw in BZ and he claimed the reward, and he claimed it took him something like much less than an hour to find the flaw. That's "less talk and more shop" and probably very good for the development of BufferZone - so not only criticism, but also contribution.

    So - all you critical superpros - gloves off - and get down to the business of truly evaluating DW, and thereafter - tell us how you broke it!

    Best Regards


     
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O

    It is a respected site.


    To rely on one piece of software for protection is just stupid IMHO.
    I think the guys reacted the way they did because there perhaps was a misconception that you can only use this and survive the internet.

    You need antiviruses. Or make it YOU NEED ANTIVIRUSES.
    A pro programmer can exploit software, even DefenseWall.. OK, it has not happened, but like I posted above, only because it's not that widely used, so the spyware authors do not think it's worthwhile to try to break its defense.

    It was posted at the DefenseWall site:
    (bolded parts by me)

    OK, it allowed the exploit to download and execute its stuff.. What if the nasty was programmed to kill DefenseWall? What if it was a file infector, would you clean the infected files manually?

    We here at Wilders believe in layered security; as a part of a layered approach DefenseWall excels, but it's still not the holy grail of security, and even it is not idiot-proof...
     
  11. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Perhaps it is better to compare DW with tools like
    Online Armor from www.tallemu.com
    Online Armor™ is a revolutionary product that protects your computer from Spyware, Trojan horses and other dangerous internet programs

    or Appdefend see: www.Ghostsecurity.com
    AppDefend is a kernel based application protection system, designed to be secure whilst using few resources. AppDefend intercepts various privileged actions and lets you decide whether they should occur or not.

    or Processguard see: http://www.diamondcs.com.au/
    Protect your system and other security programs from attacks by other processes, including viruses, trojans, worms and all forms of spyware.

    Without AppDefend you are highly vulnerable to rootkits, worms, viruses and spyware. In some cases without AppDefend, the only way to fix the problem would be to format your hard drive and start fresh.

    Or even Regrun (Platinum) see: http://www.greatis.com/security/
    "Not an antivirus. A powerful tool kit against Trojans, viruses, spyware, adware and rootkits"

    Or tools like ShadowUser: see: http://www.shadowstor.com/
    StorageCraft™ ShadowUser™ provides easy to use desktop security and protection for Windows operating systems. ShadowUser is the best way to prevent unwanted changes to PCs and laptops. ShadowUser provides the following advantages:

    and even Tiny Personal Firewall Pro see: http://www.tinysoftware.com/home/tiny2?la=EN
    etc.
    What this program can do to protect your system just doesn't fit here.

    None of these are AVs, but they are systems to protect your PC against malware.

    I think it is good to mention these as well, otherwise it might look like an advertisement thread for DW here.

    Another thing is that real AVs these days, like Kaspersky and NOD32, don't fully rely on the sigs anymore.

    There is something called heuristics as well.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    "What ifs" didn't compromise DW's security.

    And can't these "what ifs" apply to AVs?

    Can't any of the AV pushers come out and say DW protected the user against the latest zero-day attack whereas most (apparently all on zero-day) AVs didn't?
     
  13. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Franklin, read the last sentence of my post very carefully.
    Think about it.
     
  14. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    LOL, what's wrong with the people here? Where am I pushing AV technology or saying that you should only use AV technology?

    Read my lips, I stated this before: AV and Sandbox do not replace each other, they complement each other. Is that statement so difficult to understand?

    Oh, and DW did *not* protect against the WMF exploit; it protected against the malware that was downloaded. You were protected from that by other products as well; that was not a feature unique to DW. And as was stated above, DW does not block exploits at all; that is DefencePlus.

    This is so funny, where do all those people get their *vast* experience with malware from? :shifty: How many malware samples did you actually analyse?
     
  15. Really? Some people in Wilders (outside the antivirus subforums) have been yelling about the death of antiviruses for ages now.

    E.g.:

    That antiviruses only give you an illusion of security. That even one quality scanner is not enough.
    Because they are only blacklists and cannot detect anything else.
    That malware is increasing at an exponential rate, so no antivirus can keep up anyway.
    That they are a defeat to use, and your employees need to spend time scanning with them, etc.

    The solution is Shadowuser! :)
     
  16. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    What AV heuristics can do single-handed without signature files seems to be to stop between 11-62% in the AV-Comparatives test. 11% isn't much of a first line of defense - even 62% isn't truly impressive, but NOD stands out from the others in this test.

    If a file infector entered my DW virtual untrusted zone when I was surfing - note I am a totally basic layman surfer - it could infect the untrusted processes running at that given moment/session. For me that would be Outlook and IE and ntvdm.exe. And it could start some new processes in the untrusted zone. But it could not break out of the untrusted zone and infect any untrusted processes that are not running, and also not infect any trusted processes, whether running or not. If I reboot or press the BIG RED (closes all running processes in the untrusted zone), the file infector would be unable to reactivate itself again without me surfing to the same site and picture or similar - once again - and DW would protect me again. Protect me - for me - meaning I will not suffer any damage to my PC.
    Experts can surely explain this better and also correct me if I don't understand how DW works.


    If I were an expert I could easily state (but I never would) that "I could break NOD or McAfee etc. if I only chose to, but I don't want to or don't have the time to do it". I would never say that without proof because it's a careless way of treating the efforts of all the people behind NOD or any other serious anti-virus/anti-malware vendor.

    Also, I prefer to complement DW with free AVs and free ATs, but if I had to choose one I would choose DW even over paid AVs/ATs. Not saying that to try to boost the sales of DW - I don't have any interests in SoftSphere - but more to underline that there are a bunch of relatively "new kids on the block" when it comes to protection software nowadays - with new ways of protection - and DW is one of the most interesting ones so far. Talking about them - trying to evaluate them - helping one another - isn't that what Wilders is about?

    Best regards
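An added example, not DefenseWall's code and not part of the original thread: a small Python model of the trusted/untrusted zone policy that Ilya Rabinovich describes in post 1 (untrusted processes denied autostart changes, driver/service installation, global hooks, writes to executable/interpreted files, and access to trusted processes) and of the file-infector scenario Rivalen walks through in the post above (the infector can reach untrusted peers in the same session, cannot persist or escape, and is gone once the "big red" button closes the untrusted zone). The process names, the extension list, the registry prefixes and the action names are assumptions made for the illustration; it says nothing about how DefenseWall is actually implemented.

```python
"""Illustrative trusted/untrusted process-zone policy model.

Constructed for this thread; NOT DefenseWall source and not a description of its
internals. It encodes only the rules described in the posts: untrusted processes
may not modify autostart, install drivers/services, set global hooks, modify
executable/interpreted files, or touch trusted-zone processes; children of an
untrusted process are untrusted; the "big red button" kills every untrusted one.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from enum import Enum, auto


class Zone(Enum):
    TRUSTED = auto()
    UNTRUSTED = auto()


# Assumed set of extensions treated as executable/interpreted in this model.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".vbs", ".js"}
# Assumed registry paths treated as autostart/service locations in this model.
AUTOSTART_PREFIXES = (
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES",
)


@dataclass
class Process:
    pid: int
    name: str
    zone: Zone


class ZonePolicy:
    """Tracks processes and decides whether a requested action is permitted."""

    def __init__(self) -> None:
        self.processes: dict[int, Process] = {}
        self._next_pid = 1000

    def start(self, name: str, zone: Zone, parent: Process | None = None) -> Process:
        # A child inherits an untrusted parent's zone: untrusted code cannot
        # launch a trusted child, whatever zone it asks for.
        if parent is not None and parent.zone is Zone.UNTRUSTED:
            zone = Zone.UNTRUSTED
        proc = Process(self._next_pid, name, zone)
        self._next_pid += 1
        self.processes[proc.pid] = proc
        return proc

    def allow(self, actor: Process, kind: str, target: str = "") -> bool:
        if actor.zone is Zone.TRUSTED:
            return True                        # trusted zone is not policed here
        if kind == "write_file":
            ext = os.path.splitext(target.lower())[1]
            return ext not in EXECUTABLE_EXTS  # data files (downloads) stay writable
        if kind == "registry_set":
            return not target.upper().startswith(AUTOSTART_PREFIXES)
        if kind in ("install_driver", "install_service", "set_global_hook"):
            return False
        if kind == "open_process":             # inject into / tamper with a process
            victim = self.processes.get(int(target))
            return victim is not None and victim.zone is Zone.UNTRUSTED
        return False                           # default deny for unknown actions

    def big_red_button(self) -> list[str]:
        """Terminate every untrusted process; return the names killed."""
        killed = [p for p in self.processes.values() if p.zone is Zone.UNTRUSTED]
        for p in killed:
            del self.processes[p.pid]
        return [p.name for p in killed]


def simulate_file_infector() -> dict:
    """Run a file infector through the untrusted zone and report what it achieved."""
    policy = ZonePolicy()
    explorer = policy.start("explorer.exe", Zone.TRUSTED)
    ie = policy.start("iexplore.exe", Zone.UNTRUSTED)
    outlook = policy.start("outlook.exe", Zone.UNTRUSTED)
    # The exploit payload is spawned by the browser, so it lands untrusted
    # even though it "asks" for the trusted zone.
    infector = policy.start("payload.exe", Zone.TRUSTED, parent=ie)

    result = {
        "payload_zone": infector.zone.name,
        "infect_system_binary": policy.allow(infector, "write_file", r"C:\Windows\notepad.exe"),
        "inject_trusted": policy.allow(infector, "open_process", str(explorer.pid)),
        "inject_untrusted_peer": policy.allow(infector, "open_process", str(outlook.pid)),
        "persist_run_key": policy.allow(
            infector, "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
        "install_driver": policy.allow(infector, "install_driver", "rootkit.sys"),
        "write_data_file": policy.allow(infector, "write_file", r"C:\Downloads\report.pdf"),
    }
    result["killed_by_big_red"] = policy.big_red_button()
    result["untrusted_left"] = sum(p.zone is Zone.UNTRUSTED for p in policy.processes.values())
    return result


if __name__ == "__main__":
    for key, value in simulate_file_infector().items():
        print(f"{key:24} {value}")
```

The run shows the trade-off both sides of the thread are arguing about: the payload does execute and can tamper with the other untrusted process in the same session, but every action that would give it persistence or reach into the trusted zone is denied, and after the big red button no untrusted process is left. Note also what the model does not cover: an AV that detected the payload before execution, or an exploit in the driver itself, is outside this policy layer, which is Stefan's point about the two technologies complementing each other.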
     
  17. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    No, you are totally correct.

    There are LOTS of tools out there that protect your PC
    in another way than most AVs do, like:

    Online Armor from www.tallemu.com

    or Appdefend see: www.Ghostsecurity.com

    or Processguard see: http://www.diamondcs.com.au/

    Or even Regrun (Platinum) see: http://www.greatis.com/security/

    Or tools like ShadowUser: see: http://www.shadowstor.com/

    Deepfreeze, illusion, Watch-it etc. etc.

    Tiny Personal Firewall Pro
    see: http://www.tinysoftware.com/home/tiny2?la=EN

    DW is just one of this range; it looks as if someone has chosen one of these,
    and suddenly that product is better than the rest.

    I'd like to see what makes DW better than ANY product in this range.

    You can't compare AntiMalware products this way..

    Why don't you mention the others as well?

    I've seen very strange comparisons in these forums,
    Adware versus Kaspersky

    DW versus NOD32/kaspersky etc.

    Firewalls versus AV's

    And complete security suites versus spyware scanners.

    I think this is all very useless.

    If you like to write a positive review regarding your product,
    please do so, but don't compare apples with pears.
     
  18. Heh, I got my *vast* experience simply by hanging out in forums like Wilders and reading a few security websites.

    I don't know about programming, have no official qualifications, but I know way more about computer programs than any programmer. ;)
     
  19. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Citations cut off halfway aren't always to the benefit of the discussion.

    I was unclear when I wrote about the new kids - I meant software like DW that works with a virtualization technique. So if DW fails me in the future I would probably look towards ShadowUser - if I can handle it. DW is simple to use. I don't know if ShadowUser is simple. I use ProcessGuard already - as you can see. As a matter of fact I show what I use in every post, so if I were a recognized expert some might follow my setup - even you? (The red ones are paid for.)

    But no matter what it's called - it's protection we search for. So a comparison between DW and the AVs - with and without signature files - would be interesting. Test them at AV-Comparatives and try to determine how they protect your computer from damage, not only detection rates. And is there really any interest in cleaning up the deactivated malware that DW leaves behind - because it does, doesn't it?
    Why not such a comparison? But I can't stage that.

    You might argue it's apples and pears - to me it's protection and that's what counts. And we all want to figure out which ones are worth paying for - don't we?

    Best Regards
     
  20. Happy Bytes

    Happy Bytes Guest

    There's a "small" difference between you and Stefan - Stefan has worked for years in this business as a professional. Maybe some people should come away from the illusion that everybody who wears an "AV Expert" tag here has to be a self-proclaimed AV Expert through this forum. I have known Stefan for years (decades) and we've already worked together. So I can successfully tell you the difference between his knowledge IN THIS PARTICULAR AREA and yours is somewhere equal to that between a genie and a half-full ashtray. Note: No offense intended - I only speak about THIS AREA!
     
  21. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Well, after a zero-day attack the genie (AV expert) will be formatting and reinstalling, and the half-full ashtray (self-taught) will be surfing away!
     
  22. Dear Happy Bytes

    I was kidding only, in case you missed it.

    Like many here, I don't claim to be an expert in anything.

    But that doesn't stop me from making big claims on the impending death of the AV industry. After all, I'm sure I read about it somewhere.
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I'll be nearing the age of 40 when the first rumours of this "impending death" come out on a large scale, and even those will be just rumours. :p:D
     
  24. I must agree. Sometimes I think this "layered strategy" is crap that you professionals dreamt up to make us spend as much money as possible. Ditto for all the reasons why Suites suck.
     
  25. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    HappyBytes!

    Was your comparison an argument, or are you writing a novel on bad behaviour? "No offense intended."

    Best Regards
     