GeSWall v2.1

Discussion in 'other anti-malware software' started by AvianFlux, Nov 30, 2005.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Seems to me that I saw somewhere that if you turn it up to the highest setting it will block them. I haven't had a chance to try it yet, so I can't say for sure.
     
  2. GWBush

    GWBush Guest

    I don't understand what all the huff and puff with these leak tests anyway. They're not real malware. Leak tests are wayyyyyyyy overrated IMHO.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There are a lot of trojan downloaders that work by launching IE and injecting a DLL into it (especially CWS, Lop, and other related), which is what the leaktests demonstrate. I wouldn't call it trivial at this point.
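The injection pattern Notok describes (a downloader launching IE and loading its own DLL into it) is something a HIPS can spot by comparing a process's loaded modules against a snapshot taken at startup and against where a legitimate IE module would live on disk. The following is an added example, not code from this thread or from GeSWall: the two module snapshots are constructed, the trusted and user-writable directory lists are assumptions, and a real tool would read the module list from the live process instead of from a literal.

```python
"""Spot DLLs that look injected into a process such as iexplore.exe.

Added example, not thread or product code. Two checks a HIPS can apply:
  1. a module is present now that was absent in the process's startup baseline;
  2. a module is loaded from a user-writable location (where a downloader
     drops its payload) or from outside the usual program directories, or it
     has no backing file on disk at all (a memory-only image).
Module entries are (path, has_backing_file); the snapshots below are constructed.
"""
from pathlib import PureWindowsPath

# Assumed directory policy for illustration; a real deployment would tune it.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
USER_WRITABLE_DIRS = (
    r"C:\Users",
    r"C:\Documents and Settings",
    r"C:\Windows\Temp",
)


def _norm(path):
    # PureWindowsPath compares and hashes case-insensitively and accepts both
    # separators, so "c:/WINDOWS/system32" matches r"C:\Windows\System32".
    return PureWindowsPath(path)


def _under(path, root):
    # Component-wise prefix test, so "C:\Program Files (x86)" is not mistaken
    # for being under "C:\Program Files" the way a string prefix check would.
    p, r = _norm(path), _norm(root)
    return p == r or r in p.parents


def classify(module):
    """Reasons this single module looks injected; empty list means clean."""
    path, backed = module
    if not backed:
        return ["no backing file on disk (memory-only image)"]
    if any(_under(path, d) for d in USER_WRITABLE_DIRS):
        return ["loaded from a user-writable location"]
    if not any(_under(path, d) for d in TRUSTED_DIRS):
        return ["loaded from outside trusted program directories"]
    return []


def new_modules(baseline, current):
    """Modules present in `current` that were not loaded at process start."""
    seen = {_norm(p) for p, _ in baseline}
    return [m for m in current if _norm(m[0]) not in seen]


def audit(baseline, current):
    """Run both checks; returns [(path, [reasons...]), ...] for every finding."""
    late = {_norm(p) for p, _ in new_modules(baseline, current)}
    findings = []
    for path, backed in current:
        reasons = classify((path, backed))
        if _norm(path) in late:
            reasons.append("appeared after process start")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed snapshot of iexplore.exe's modules right after launch.
AT_START = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe", True),
    (r"C:\Windows\System32\ntdll.dll", True),
    (r"C:\Windows\System32\kernel32.dll", True),
    (r"C:\Windows\System32\wininet.dll", True),
]

# Constructed later snapshot: one legitimate late load plus what a downloader's
# injection would add (a DLL dropped in %TEMP% and an unbacked image).
LATER = AT_START + [
    (r"C:\Windows\System32\urlmon.dll", True),
    (r"C:\Users\alice\AppData\Local\Temp\upd.dll", True),
    ("", False),
]

if __name__ == "__main__":
    for path, reasons in audit(AT_START, LATER):
        print(path or "<unbacked image>", "->", "; ".join(reasons))
```

Note that the legitimate late load of urlmon.dll is still reported, only with the weaker "appeared after process start" reason: a baseline diff on its own produces noise, which is why the location and backing-file checks are combined with it rather than used alone.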
     
  4. GWBush

    GWBush Guest


    Yes, they're useful to demonstrate if certain techniques can be used to bypass your firewall, but they themselves are not actual malware and if they were your regular AV or AT would most likely detect them. Some people seem to think if one of these leak tests can bypass your firewall you're up the creek without a paddle, which is far from the truth really.
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Of course the whole point of these types of apps is not having to rely on signature based products. You might be surprised how many of the downloaders do slip by regular AVs. I'll agree that there are other ways of heading off these attacks, and that it's not the only thing one should look for in a security product, but I would still not call that a trivial feature.. it does happen, and it is worth blocking if you can.. but I'll agree that it's not the end of the world if a product doesn't block them directly. It's important to understand how a product works as a whole, what it can and cannot do for you. I have seen products criticized for not protecting against memory based attacks, when the program is designed to not let malware get that far in the first place.
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, I always say that firewall bypass tricks are for the firewall tests. HIPS tests are different, because a HIPS has another job! The firewall's job is to control the Internet and its trusted applications and processes; a HIPS needs to control the system's integrity and its trusted processes.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Wouldn't disallowing DLL injection fall under the category of integrity control (for trusted processes)? Some would argue that it's not the firewall's place to be monitoring what processes are doing with one another on the system, including hooking, thread injection, and DLL injection. An IPS would stop a process from injecting a DLL through the registry or file patching, why not in memory as well?
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    The thing is that a HIPS needs to control its trusted processes, but not the firewall's ones. They are different, don't forget! Yes, an application firewall HIPS needs to control all the processes for DLL injection, but in the case of a sandbox HIPS it is not the same: they have their own list of trusted processes and they need to control them against code injection by the untrusted ones.
     
    Considering the nature of GeSWall and CoreForce I would say that this is one of those programs. If you control read/write access tightly, it can't escape with confidential info, nor can it cause much damage

    My point about leak tests being 'not so important' is to counter one of the myths that I consider unhealthy in the security forums.

    The idea that the be-all and end-all of security lies in blocking ALL leak tests. I suppose blocking DLL injection and the like might be worth having, but blocking some of the other simpler leak tests often involves a cost (such as child/parent execution control or other troublesome tweaking required) higher than it is worth.

    If I didn't know better I would say 90% of people in wilders think a good firewall (from the security aspect only) is merely one that

    1) Gives a 'stealth' rating from GRC shields up

    and

    2) Passes as many leak tests as possible,

    If only things were that simple....
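The split Ilya draws above between a firewall's trusted list and a sandbox HIPS's own trust labels, together with the point that tight read/write control keeps an untrusted process from leaking confidential data, can be written down as a small policy. The following is an added example and an assumption about how such a policy can be modelled; it is not GeSWall's actual rule set, and the rules, the "strict" level, the process names, file labels and event sequence are all constructed for illustration.

```python
"""Toy model of a sandbox-HIPS integrity policy: trusted vs untrusted processes.

Added example, not GeSWall's rule set. The sandbox keeps its own trust labels,
separate from whatever the firewall allows on the network, and its job is to
keep untrusted code from touching trusted processes and confidential data.
The rules, labels, process names and event order are all assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


class Label(Enum):
    SYSTEM = "system"                # OS/program binaries: integrity matters
    CONFIDENTIAL = "confidential"    # user secrets: neither read nor written
    ORDINARY = "ordinary"            # everything else


@dataclass(frozen=True)
class Process:
    name: str
    trust: Trust


@dataclass(frozen=True)
class File:
    path: str
    label: Label


# Cross-process memory operations: the injection/hooking the thread discusses.
INJECT_OPS = {"inject_dll", "write_memory", "create_remote_thread", "set_hook"}
FILE_OPS = {"read", "write"}


def decide(subject, op, target, strict=False):
    """Return (allowed, reason). `strict` models a 'highest setting' that also
    forbids untrusted-to-untrusted injection; it is an assumed knob."""
    if subject.trust is Trust.TRUSTED:
        return True, f"{subject.name} is trusted; the sandbox does not restrict it"
    # Everything below applies to an untrusted subject and fails closed.
    if isinstance(target, Process):
        if op not in INJECT_OPS:
            return False, f"unknown process operation {op!r}"
        if target.trust is Trust.TRUSTED:
            return False, f"{op} into trusted {target.name} denied"
        if strict:
            return False, f"{op} between untrusted processes denied (strict)"
        return True, f"{op} into untrusted {target.name} allowed"
    if isinstance(target, File):
        if op not in FILE_OPS:
            return False, f"unknown file operation {op!r}"
        if target.label is Label.CONFIDENTIAL:
            return False, f"{op} of confidential {target.path} denied"
        if target.label is Label.SYSTEM and op == "write":
            return False, f"write to system file {target.path} denied"
        return True, f"{op} of {target.path} allowed"
    return False, "unknown target type"


# Constructed actors and resources.
IE = Process("iexplore.exe", Trust.UNTRUSTED)       # browser runs untrusted
EXPLORER = Process("explorer.exe", Trust.TRUSTED)   # shell stays trusted
DROPPER = Process("upd.exe", Trust.UNTRUSTED)       # started by IE, so untrusted
PASSWORDS = File(r"C:\Users\alice\passwords.txt", Label.CONFIDENTIAL)
NTDLL = File(r"C:\Windows\System32\ntdll.dll", Label.SYSTEM)
PAYLOAD = File(r"C:\Users\alice\AppData\Local\Temp\upd.dll", Label.ORDINARY)

# Constructed sequence in the order a downloader would try things.
EVENTS = [
    (IE, "write", PAYLOAD),             # drop payload: ordinary file, allowed
    (IE, "inject_dll", DROPPER),        # untrusted -> untrusted: depends on level
    (DROPPER, "inject_dll", EXPLORER),  # untrusted -> trusted: denied
    (DROPPER, "read", PASSWORDS),       # exfiltration attempt: denied
    (DROPPER, "write", NTDLL),          # tamper with system binary: denied
    (EXPLORER, "inject_dll", IE),       # trusted -> untrusted: not restricted
]


def run(strict=False):
    """Evaluate EVENTS; returns the list of allow/deny decisions in order."""
    return [decide(s, op, t, strict)[0] for s, op, t in EVENTS]


if __name__ == "__main__":
    for (s, op, t), strict_ok in zip(EVENTS, run(strict=True)):
        ok, why = decide(s, op, t)
        print(f"{s.name:13} {op:14} normal={ok!s:5} strict={strict_ok!s:5} {why}")
```

The thing to notice is which events are allowed either way: the untrusted browser may still write an ordinary file and read a system DLL, because the model only cares about integrity of trusted processes and confidentiality of labelled data, and network access never enters into it at all since that is the firewall's list, not the sandbox's.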
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,304
    Hi,
    Tell me what is a good firewall, in your opinion.
    In mine - firewall is a controller of traffic in and out of your computer. It should be able to handle minimal and heavy traffic equally well and be able to stop intrusions mainly from the outside. Think of firewall as the curtain walls of a castle. It's there to stop enemies from outside. Not the Trojan Horse.
    Mrk
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Certainly, it's important to know how the app is capable of blocking infection overall, and not just fixate on any one feature. I do still think that DLL injection is something that would fit in with the concept of GeSWall quite well, and like I say- I'm pretty sure that it does protect against them if you turn the security level up to the highest setting. If it doesn't, that by no means makes it a worthless app, but I would think it would be something for them to consider.. blocking DLL injecting/hooking within the sandbox would solve the kinds of problems you and I speak of as being a weak point in SU - namely, in-session protection against keyloggers and such. So again, not worthless without, but having it there would make it a very good solution.


    Seems that way sometimes
     
  12. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,299
    Location:
    USA
    Are there any known compatibility problems with other programs like ProcessGuard, RegDefend or Outpost Pro? I would like to add restricted files using this program to prevent an intruder from gaining access and reading, copying files, etc. Also, how is this program on resources?
     
  13. They seem to work fine. G1111 YMMV and all that though.
     
  14. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,299
    Location:
    USA
    Thanks DA. How is it on resources?
     
  15. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Wow, I didn't see this thread until after I had already started the other one. Thanks for pointing that out, trickyricky. I see that this program has already been discussed somewhat considerably. The info posted here has been pretty informative, to say the least.

    devilsadvocate - I see that you've downloaded and used GeSwall. From a "user-end simplicity" standpoint, it sounds like it may be MORE complicated than DefenseWall, even though the GeS web-site seems to indicate that "simplicity" is what the authors were striving for. So, what would you say are the strengths and weaknesses of GeSWall compared to DefenseWall?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,997
    Location:
    The Netherlands
    Wow, another app I did not know about, looks interesting, but I can already see from the screenshots that the GUI needs to become a lot better. I've already tried BufferZone and DefenseWall and I like the concept, but overall I think both apps can be improved a lot. So far I've only been impressed by Sandboxie. ;)
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,997
    Location:
    The Netherlands
    Now that I've tested the app I have to say that it was worse than I expected, the GUI sucks quite badly, too bad, I like the approach of these apps but so far they all have their drawbacks. :cautious:
     
  18. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Yeah, I've pretty much written it off as well, Rasheed. Any company that I email that doesn't respond in over a week isn't one that I particularly care to associate with. At least they can say you get what you pay for (since it's free)....
     
  19. EASTER.2010

    EASTER.2010 Guest

    Just like to throw in my 2 cents' worth. I recently tried both BufferZone and also GeSWall; BZ seemed to lay down pretty heavy on my machine and that's unacceptable given I rarely venture into crossfire malware zones anyway, occasionally for research purposes.

    GeSwall seems to have a lot of the pieces to the PC puzzle but needs to redistribute them in some more orderly fashion than it is currently. Omitting the console from right-click access is also somewhat frustrating.

    I dunno, I bit the bullet and went out on a limb to install CoreForce. It looks and reacts like a very formidable security application and I was growing very fond of it for a time, but it suffers some failures right now that can leave a machine unprotected, plus it can prove a load over several hours of usage in its present development stage. Several times it completely closed down when simply using IE.
    Noticeably slower when accessing my regular programs. I believe the potential is really there for a powerful app, but right now it's off in the future yet.

    At least these are some of my first impressions I encountered so far.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Any new experience with GeSWall by the users? And how good it compares to DW that is paid?
     