Full Version: 30-day trial started
bellgamin
I just began 30-day trial period of DefenseWall.

A) The install went smoothly. However, at Step 4 of installing I was presented with 2 check boxes: _Expert and _Restart Now.

1) At that stage of using DW, "Expert" was an undefined term.

2) As used in Step 4 of the install procedure, does "Expert" mean (in effect) "Restart Later"... or what?

B) Comment- There is no option to maximize DW's "Add/Remove Untrusted" GUI. This makes it difficult to read the path & description columns.

C) DW's Rollback GUI can be maximized, & the columns resized for easier reading. However, after closing the GUI, all the format changes I made disappeared. Is there a way to make my format changes permanent?

D) I notice hh.exe is, by default, placed into the untrusted category. I'm curious as to why?

E) I put my email client (Pop Peeper) on the untrusted list. When Pop Peeper received messages today, it put copies of those messages into a file on my D drive. Those messages on D drive did not get listed on DW's Rollback list. Evidently DW considers the file containing those messages to be non-sensitive. Correct?

F) A couple of questions about Rollback...

1) If I see an item on the Rollback list that I want to KEEP, I should remove it from the Rollback list. Correct?

2) If I forget to work with the Rollback list, & I shut down my computer, everything on the Rollback list will be killed. Correct?

3) I thought DW was a sandbox. To me, the name "Rollback" makes it sound like changes will be subsequently deleted (rolled back) instead of being isolated & confined within a sandbox.

a) To me, deleting or rolling back changes doesn't sound as secure as totally isolating & confining those changes within a sandbox.

b) Is DW a *real sandbox* -- or what?
CogitoErgoSum
Hello bellgamin,

To take a quote from DefenseWall's online help FAQs:

"Question: What does "Expert mode" mean?
Answer: There are two operating modes in DefenseWall - regular mode and expert mode. Within the "regular" mode all of the executable files created by untrusted processes are automatically added into the "untrusted applications" list of DefenseWall. This mode is very useful for non-technical users. Within the "expert" mode those files are not automatically added into the "untrusted application" list. It gives advanced users more control over the downloaded files."

To answer your question regarding email messages, if I understand it correctly, if the contents of a particular email message attempts to create a new file(s) and/or registry key(s) it will be listed in DefenseWall's Rollback list.

To answer your question regarding whether DefenseWall is a real sandbox, as far as I know, DW is not only a real sandbox but a strong one at that. The Rollback feature was implemented because DW does not employ file system virtualization as found in BufferZone, GreenBorder and SandBoxie. FYI, DW does employ limited registry virtualization. In any case, if malware attempted to create a new file(s) and/or registry key(s) these changes will be isolated and contained within the sandbox and included in the RollBack list. All that one has to do in this situation is press the "Big Red Button" or reboot the computer to terminate and make the malware impotent. Lastly, if one was not knowledgeable enough to use the RollBack feature, they could use several antivirus/spyware/rootkit scanners to remove the malicious files and/or registry keys. Even if one chose to leave the new changes alone, they would be harmless.

Hope this helps.


Peace & Love,

CogitoErgoSum
toadbee
QUOTE
3) I thought DW was a sandbox. To me, the name "Rollback" makes it sound like changes will be subsequently deleted (rolled back) instead of being isolated & confined within a sandbox.


What you will find in the "rollback" area are "currently" allowed changes - they ARE in effect. Changes that haven't affected your OS, but might/might not have effected negative changes (say to a browser - the GUI as an example). To REMOVE them is saying "Ok - things are running smooth, I understand all this, so DW - disregard these changes forever". To Erase them is saying "I'm not happy, undo undo undo".

Between you and me, Bellgamin, "sandbox" is the cheesiest term I have ever heard from a programming standpoint. There are no sandboxes but only the mirage of attempted sandboxes. Many are very good but they are still mirages of a "sandbox". Defensewall HIPS - is exactly that, HIPS. "ain't happenin'". But a bit more eloquent than some ;)

By the by, I believe the rollback list trims itself at 15 days or some such thing.
bellgamin
QUOTE (CogitoErgoSum @ Oct 31 2006, 02:39 PM) *
There are two operating modes in DefenseWall - regular mode and expert mode.
Thanks for your helpful comments.

Yes, I read the FAQ & the Help file about "Expert" before I ever posted this thread. However, it makes no sense to me to offer "Expert" as alternative to "Restart now" -- especially at step 4 of the process for installing this program in the first place.

No doubt I'm missing the point but it seems to me that the logical alternative to "Restart Now" should be "Restart Later" -- and the logical alternative to "Expert" should be something like "Tyro."

QUOTE
...if the contents of a particular email message attempts to create a new file(s) and/or registry key(s) it will be listed in DefenseWall's Rollback list.
Yes, the files got listed -- after they had been in place for several minutes, but NOT at the time they were created. The differentiation between "erase," "remove," & "rollback" escapes me. All I know is I tried all 3 actions, BUT the files made by my email client got put into the file where they always get put, & are still in my computer.

No problem. Since I'm too noob to get DW to kill them, I shall shoot them dead myself.

QUOTE (toadbee @ Oct 31 2006, 04:19 PM) *
Defensewall HIPS - is exactly that, HIPS. "ain't happenin'".
Clear enough, old toad. Problem is, I already have two HIPS -- both of them running quite well (one paid, one free) -- so what I'm looking for is a full-on, no frills *sandbox* to keep them company.
toadbee
Sorry Bell -
"Rollback" is the same as my "erase" as mentioned above, but you just pick an event or date, i.e. one item, and hit "rollback" -and those changes are "erased" from that event to present. Like they never happened.
bellgamin
QUOTE (toadbee @ Oct 31 2006, 04:39 PM) *
"Rollback" is the same as my "erase" as mentioned above, but you just pick an event or date, i.e. one item, and hit "rollback" -and those changes are "erased" from that event to present. Like they never happened.
Thanks toad old toad. Ribbit!

P.S. Stop winking at me. You're making me nervous.
Ilya Rabinovich
QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
B) Comment- There is no option to maximize DW's "Add/Remove Untrusted" GUI. This makes it difficult to read the path & description columns.

C) DW's Rollback GUI can be maximized, & the columns resized for easier reading. However, after closing the GUI, all the format changes I made disappeared. Is there a way to make my format changes permanent?


Both options are in plans for 2.0 version.

QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
D) I notice hh.exe is, by default, placed into the untrusted category. I'm curious as to why?


It is the .chm file support application. .chm files are compiled and compressed .html pages, so there could be malicious JavaScript/VBScript code.

QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
E) I put my email client (Pop Peeper) on the untrusted list. When Pop Peeper received messages today, it put copies of those messages into a file on my D drive. Those messages on D drive did not get not listed on DW's Rollback list. Evidently DW considers the file containing those messages to be non-sensitive. Correct?


DW's rollback feature is limited because many users won't be able to use it anyway. It shows only files with a few known extensions. There is another, full-featured registry-based list with all the files created/modified (auto-cleaned up in 3 days).

QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
F) A couple of questions about Rollback...

1) If I see an item on the Rollback list that I want to KEEP, I should remove it from the Rollback list. Correct?


Yes.

QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
2) If I forget to work with the Rollback list, & I shut down my computer, everything on the Rollback list will be killed. Correct?


No. This list remains.

QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
3) I thought DW was a sandbox. To me, the name "Rollback" makes it sound like changes will be subsequently deleted (rolled back) instead of being isolated & confined within a sandbox.


In fact, "sandbox" means "some area with limited rights" that is based on policy restrictions. The "Rollback" feature is a list that allows you to manually remove malware if infected. Unlike file system virtualization tools, which use the "clean up virtualization container" technique for that (this is a huge possibility for the user to make a mistake and erase something important), this allows you full control over the items you delete.

QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
a) To me, deleting or rolling back changes doesn't sound as secure as totally isolating & confining those changes within a sandbox.


Total isolation is not the main aim of a sandbox HIPS tool. Its main aim is to break malware's hidden installation & penetration into the trusted processes area. Virtualization is just a technique to achieve such an aim. The only thing that is really important for a sandbox HIPS is the balance between defense rate and usability. Advanced file system and registry virtualization tools are not very good at such a balance because of many compatibility/speed issues.

The only REAL total isolation tools I know are hardware virtualization tools (VMWare, VirtualPC, QEMU, Bochs, ...). Others are simple emulators (they just create files & registry keys in another place, the so-called "virtualization container", which is contained in a real file system folder/real registry key).

QUOTE (bellgamin @ Oct 31 2006, 09:42 PM) *
b) Is DW a *real sandbox* -- or what?


Yes, it is a real sandbox application, with highly limited registry-level virtualization. The main aim of the DefenseWall HIPS project is not virtualization itself (it's just a technique, nothing more); its main aim is everyday usable and strong proactive anti-malware protection that doesn't require people to change their everyday work behaviour too much.

QUOTE (CogitoErgoSum @ Nov 1 2006, 12:39 AM) *
In any case, if malware attempted to create a new file(s) and/or registry key(s) these changes will be isolated and contained within the sandbox and included in the RollBack list.


Not exactly. If the registry key is policy-restricted, it will be blocked but not created. The same thing is true for the file system.

QUOTE (toadbee @ Nov 1 2006, 02:19 AM) *
By the by, I believe the rollback list trims itself at 15 days or some such thing


Not now, it is for the 2.0 version.
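The semantics described in this thread (policy-restricted locations are blocked outright rather than redirected; everything else an untrusted process creates is journalled; the user-visible list shows only a few known extensions while a full list expires after 3 days; "remove" keeps a change and forgets it, "erase" undoes one change, "rollback" undoes an event and everything after it) are easy to confuse, so here is a small model of them. This is an added illustration written for this page, not DefenseWall's code or any SoftSphere API; the protected prefixes, the extension set, the TTL constant and the Journal class are all assumptions made for the demo, and it works in a throwaway temp directory on any OS.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field

# Assumed policy for the demo: paths under these prefixes are
# "policy-restricted" for untrusted processes. A write there is refused,
# not redirected into a container and not journalled.
PROTECTED_PREFIXES = ("system", "startup")

# Assumed "few known extensions" that appear in the user-facing rollback
# list; other files are still recorded in the full list.
VISIBLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}

FULL_LIST_TTL = 3 * 24 * 3600  # full list auto-cleans after 3 days


@dataclass
class Entry:
    path: str
    when: float  # time of creation (seconds)
    seq: int     # monotonic event number, used for rollback ordering


@dataclass
class Journal:
    root: str
    entries: list = field(default_factory=list)
    _seq: int = 0

    def _relative(self, path):
        return os.path.relpath(path, self.root).replace(os.sep, "/")

    def untrusted_create(self, path, data=b"", now=None):
        """Simulate an untrusted process creating a file under root.
        Returns 'blocked' (policy hit, nothing written) or 'journalled'."""
        if self._relative(path).startswith(PROTECTED_PREFIXES):
            return "blocked"
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        self._seq += 1
        self.entries.append(Entry(path, time.time() if now is None else now, self._seq))
        return "journalled"

    def visible(self):
        """The user-facing rollback list: only known-risky extensions."""
        return [e for e in self.entries
                if os.path.splitext(e.path)[1].lower() in VISIBLE_EXTENSIONS]

    def keep(self, path):
        """'Remove': accept the change and forget it; the file stays."""
        self.entries = [e for e in self.entries if e.path != path]

    def erase(self, path):
        """'Erase': undo one change (delete the file) and forget it."""
        for e in [e for e in self.entries if e.path == path]:
            if os.path.exists(e.path):
                os.remove(e.path)
            self.entries.remove(e)

    def rollback_from(self, path):
        """'Rollback': undo the chosen event and every later one.
        Returns the number of changes undone."""
        seqs = [e.seq for e in self.entries if e.path == path]
        if not seqs:
            return 0
        victims = [e for e in self.entries if e.seq >= min(seqs)]
        for e in sorted(victims, key=lambda e: e.seq, reverse=True):
            if os.path.exists(e.path):
                os.remove(e.path)
            self.entries.remove(e)
        return len(victims)

    def expire(self, now):
        """Trim full-list entries older than the TTL; files are untouched."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if now - e.when < FULL_LIST_TTL]
        return before - len(self.entries)


def demo():
    """Constructed scenario: a mail client, then a dropper and its DLL."""
    root = tempfile.mkdtemp(prefix="rollback_demo_")
    j = Journal(root)
    t0 = 1_000_000.0
    r = {}
    r["blocked"] = j.untrusted_create(os.path.join(root, "system", "evil.sys"), b"x", now=t0)
    r["mail"] = j.untrusted_create(os.path.join(root, "mail", "inbox.txt"), b"msg", now=t0)
    j.untrusted_create(os.path.join(root, "temp", "dropper.exe"), b"MZ", now=t0 + 1)
    j.untrusted_create(os.path.join(root, "temp", "payload.dll"), b"MZ", now=t0 + 2)
    r["visible_before"] = [os.path.basename(e.path) for e in j.visible()]
    r["full_before"] = len(j.entries)
    j.keep(os.path.join(root, "mail", "inbox.txt"))          # legitimate: keep it
    r["rolled_back"] = j.rollback_from(os.path.join(root, "temp", "dropper.exe"))
    r["mail_exists"] = os.path.exists(os.path.join(root, "mail", "inbox.txt"))
    r["dropper_exists"] = os.path.exists(os.path.join(root, "temp", "dropper.exe"))
    r["sys_exists"] = os.path.exists(os.path.join(root, "system", "evil.sys"))
    r["full_after"] = len(j.entries)
    return r


if __name__ == "__main__":
    print(demo())
```

Note the two different outcomes: the write under `system/` never happens (nothing to roll back), while the mail client's text file is journalled in the full list but not shown in the visible list because of its extension, which is the behaviour bellgamin observed with Pop Peeper.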
bellgamin
QUOTE (Ilya Rabinovich @ Nov 1 2006, 01:41 AM) *
...Not now, it is for the 2.0 version.
Mr Rabinovich -- thank you for the excellent explanation. Since I am a tweak-freak, I'm going to play around with Pro-Security for a while. I'll lurk here often, & will definitely give 2.0 a spin when it is available.

By the way, congratulations on DW's PERFECT record in the tests of HIPS done by AV-Comparatives...

For those rare birds who have never visited AV-C...

+Main AV-C website

+Click "Comparatives" button in left-hand column

+Scroll four-fifths of the way down the page until you see line entitled "Comparative of various protection tools October 2006"

+On that line, click "Report (PDF)"
Ilya Rabinovich
Yes, I know about Andreas's results, he already sent me (and all the test participants) the result .pdf file. Also, in fact, it was me who advised him of this test's idea. :) Hope it won't be the last HIPS test...