DefenseWall Untrusted Folder
ssj100
Say with DefenseWall, I untrust a folder C:\folder

Anything that goes into that folder becomes untrusted right? Okay, say I have a file in the folder C:\folder\Best.doc

I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)! This is surely a flaw in DefenseWall right?

Furthermore, I find that when I download a folder containing eg. 100 .doc files, these files are all labelled untrusted. However, when I zip all these files up, the resulting zip file is trusted. Then, when I unzip this file, all 100 .doc files become trusted! What if this was a malicious .exe file? Is the process of zipping and unzipping fooling DefenseWall?
toadbee
QUOTE (ssj100 @ Aug 18 2009, 07:16 PM) *
Say with DefenseWall, I untrust a folder C:\folder

Anything that goes into that folder becomes untrusted right? Okay, say I have a file in the folder C:\folder\Best.doc

I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)! This is surely a flaw in DefenseWall right?

Furthermore, I find that when I download a folder containing eg. 100 .doc files, these files are all labelled untrusted. However, when I zip all these files up, the resulting zip file is trusted. Then, when I unzip this file, all 100 .doc files become trusted! What if this was a malicious .exe file? Is the process of zipping and unzipping fooling DefenseWall?


On question 1 - No, not a problem. If an untrusted process would copy the file out of c:\folder then it would remain untrusted. If you do that manually, that's your bad.

question 2: a zip file is innocuous. If you are zipping files in order to move it to another location on your hard drive then you are wasting quite a bit of time. If an untrusted process tried the same silly move, then they're untrusted.

My suggestion is to look at it as - not you as a user trying to bypass DW, but as a process trying to. These are two completely different beasts. Programmatically there is only so much one can do, and Ilya's got it covered.
ssj100
QUOTE (toadbee @ Aug 19 2009, 03:14 AM) *
QUOTE (ssj100 @ Aug 18 2009, 07:16 PM) *
Say with DefenseWall, I untrust a folder C:\folder

Anything that goes into that folder becomes untrusted right? Okay, say I have a file in the folder C:\folder\Best.doc

I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)! This is surely a flaw in DefenseWall right?

Furthermore, I find that when I download a folder containing eg. 100 .doc files, these files are all labelled untrusted. However, when I zip all these files up, the resulting zip file is trusted. Then, when I unzip this file, all 100 .doc files become trusted! What if this was a malicious .exe file? Is the process of zipping and unzipping fooling DefenseWall?


On question 1 - No, not a problem. If an untrusted process would copy the file out of c:\folder then it would remain untrusted. If you do that manually, that's your bad.

question 2: a zip file is innocuous. If you are zipping files in order to move it to another location on your hard drive then you are wasting quite a bit of time. If an untrusted process tried the same silly move, then they're untrusted.

My suggestion is to look at it as - not you as a user trying to bypass DW, but as a process trying to. These are two completely different beasts. Programmatically there is only so much one can do, and Ilya's got it covered.


On further testing, copying a .exe file out of C:\folder seems to remain untrusted, even if done manually.

Also, zipping and unzipping a .exe file keeps it untrusted, even if done manually.

Does this mean that only select files remain untrusted after manipulation by the user? This sort of makes sense, as .exe files are the ones that contain malware usually, while .jpg or .doc files are harmless.

But then you've unsettled me by saying it is "my bad" if I did it manually. A lot of people would copy files out of an untrusted folder on to their trusted desktop mate. DefenseWall doesn't even give me a warning to say that it will become trusted automatically. I think we need Ilya to answer this.

EDIT: actually, I take it back. Even .exe files become trusted, if you manipulate it by zipping and unzipping. That is just not very good at all, and I think I am heading back towards classical HIPS. Any comments Ilya?
toadbee
I think you've found that both your statements 1 and 2 were not correct.

Apparently either was mine. Thank goodness it worked out on the side of good. ;)

Edit: if ssj100 keeps editing his posts while I'm posting, all his posts will be moderated. How's that?
toadbee
ssj100 - straighten your act up, if we need rhetoric, we'll look your posts up at other forums. We don't play that here at GSF.
ssj100
Wow, apologies for "trolling". That's the first time I've been accused of that in all forums, including Wilders and Sandboxie.

I don't mind if my posts are moderated, as I am just posting what I find. I am in the process of testing and experimenting still, and that's why I keep editing my posts. I am not really sure how DefenseWall functions, although I do have a basic idea. The above observations that I've made have been confusing for me. I was hoping to get answers straight from Ilya, as he seems to be the only person who knows exactly what's going on with DefenseWall.

What do you mean by rhetoric? This is the third time that I'm giving DefenseWall a try, and I've been trying to integrate it into my security setup for months. DefenseWall is excellent software for sure.
Chachazz
No need for SCREAMING in topic titles..removed...now let's read this thread
Chachazz
QUOTE (ssj100 @ Aug 18 2009, 08:31 PM) *
Wow, apologies for "trolling". That's the first time I've been accused of that in all forums, including Wilders and Sandboxie.

I don't mind if my posts are moderated, as I am just posting what I find. I am in the process of testing and experimenting still, and that's why I keep editing my posts. I am not really sure how DefenseWall functions, although I do have a basic idea. The above observations that I've made have been confusing for me. I was hoping to get answers straight from Ilya, as he seems to be the only person who knows exactly what's going on with DefenseWall.

What do you mean by rhetoric? This is the third time that I'm giving DefenseWall a try, and I've been trying to integrate it into my security setup for months. DefenseWall is excellent software for sure.


ssj100, you've been spreading negativity about DefenseWall for a very long time..Ilya, the users trying to benefit from this forum and GSF Staff have been more than patient for too long..no more.

These are just a few of your typical comments through different forums and at GSF, and most of them made quite recently..

(Unfortunately, too many to put in quote box, the board rejected "too many quote code"...so your comments are Bold )
-------------------------------------------------------

Can I ask why Ilya is implementing a Firewall module in DefenseWall 3? Does it actually add any protection? And if so, that means DefenseWall 2 is genuinely vulnerable right? Otherwise why would Ilya add in a firewall component?

Ridiculous question..we all use a Firewall, even you!


I disliked the fact that everything I recovered from the sandbox was automatically labelled as untrusted by DefenseWall.

Then, of course, no need to use DefenseWall; no need to be here.


I've personally never really liked DefenseWall

You are in the wrong place, ssj100.


With a policy HIPS like DefenseWall, I could get infected by malware and not even know it

not likely unless you start fiddling with the protections...malware is rendered harmless... no infection.


I just find it unsettling that DefenseWall may be crippling this malware on my system, and I don't even know anything about it. Sure, the malware can't harm me at all, but it's just a little bit disturbing.

yes, that's how DW works; ssj100, you are in the wrong forum...go to the product-forums you favor.


but I still find it a bit unsettling and I personally like to know when I'm being attacked by malware in real-time

yep, this isn't the Product for you.


DefenseWall is just too buggy for me

trust me, I've almost tried all combinations personally, and I've been using my current combination for months with excellent usability and convenience.

great, happy to hear it; so, again....you are in the wrong place.


With a classical HIPS, you know everything that's going on, as it will give a pop-up.

yep, pop-up h*ll; 99% of people don't have skill or knowledge to answer and just love those pop-ups;

..and that is why DefenseWall exists..innovative and intelligent..

...ssj100, you are in the wrong forum.


Meaning you'll end up with an enormous list in the "File and Registry Protection Exludes". You like that?

how many times do you need to let us know you disdain DefenseWall?

ssj100, you are in the wrong forum; you are not here to "support" but to tear down.



Hacking DefenseWall, GeSWall etc in 60 seconds

Which anyone on the ball would have posted: Hacking multiple security products in 60 seconds, there was Kaspersky, AVG, and a lot of others, eh?
--------------------------------------------------------------------------


We've all put up with your subtly-cloaked anti-DW attitude long enough. ssj100, you are in the wrong forum.

Oh but wait, I see that you have started giving it another try, you've started using DW sometime between Aug 16 and 17th.

Please pardon me, if you are now a Licensed user.
Chachazz
Everyone Take note:

The SoftSphere/DefenseWall forums hosted by GSF are for the sole purpose of support and help of DefenseWall users and customers.

No Trolling;
No Flaming;
No baiting, tossing insults or name-calling.
Have your casual and personal conversations in private;

This is not the "antimalware forum"; this is not the "multi vendors" forum; this is not the products Debating forum.

This is the DefenseWall support forum.
ssj100
Wow, talk about taking things out of context:

Can I ask why Ilya is implementing a Firewall module in DefenseWall 3? Does it actually add any protection? And if so, that means DefenseWall 2 is genuinely vulnerable right? Otherwise why would Ilya add in a firewall component?
First of all, that was a genuine question regarding DefenseWall version 2. I wasn't sure if a trojan run as "untrusted" could still call out. I'm still learning about how anti-malware programs work mate. Cut me some slack please.

I disliked the fact that everything I recovered from the sandbox was automatically labelled as untrusted by DefenseWall.
Again, I dislike it, but I'm willing to keep giving it a go to see if I can adapt to it. What's the big problem? You're reading too much into my comments. I have every right to state my opinions.

I've personally never really liked DefenseWall
Again, why can't I change my mind? As I said, I have every right to state my opinions. It's not like I'm saying all this stuff on the DefenseWall forums and trolling purposefully to get your attention. It's your own fault for reading Wilders and being so sensitive about my opinions. And opinions can change all the time.

With a policy HIPS like DefenseWall, I could get infected by malware and not even know it
When I said "infected by malware", I meant I could have malware on my system and not even know it ("infected" was the wrong word I admit). Apologies there, I guess it wasn't clearly worded. But I'm pretty sure I added in the next sentence that I recognised the malware could not do any harm to my system, since DefenseWall was protecting it.

I just find it unsettling that DefenseWall may be crippling this malware on my system, and I don't even know anything about it. Sure, the malware can't harm me at all, but it's just a little bit disturbing.
Again, that was my opinion at the time. Opinions can change.

but I still find it a bit unsettling and I personally like to know when I'm being attacked by malware in real-time
Again, opinions can change. Also, I didn't say that I HAVE to have it this way or I HAVE to have it that way. What is the big problem?

DefenseWall is just too buggy for me
trust me, I've almost tried all combinations personally, and I've been using my current combination for months with excellent usability and convenience.

Again, this is just my personal opinion. Did I say I would NEVER give DefenseWall another go? Did I use any swear words and/or insult anyone personally? Seriously, again, I don't see what the problem is.

With a classical HIPS, you know everything that's going on, as it will give a pop-up.
Why do you keep seeking to attack me and criticise my opinions? Now YOU are "attacking" classical HIPS with your reply above, and I have to say that your points are very valid and well made (and that I am very aware of those points). Also, that is your opinion, and I respect that.

Meaning you'll end up with an enormous list in the "File and Registry Protection Exludes". You like that?
I wasn't trying to say I hate DefenseWall and I will NEVER use it again. I was just venting a little bit of frustration at a product I would really really like to use. Again, why do you keep seeking to attack me?

Hacking DefenseWall, GeSWall etc in 60 seconds
Mate, the reason I used those 2 names was because I knew it would attract the most attention (since we all know DefenseWall and GeSWall are both almost bullet-proof), so that my questions could be answered quickly. You will note in that thread, I also wrote that other popular antivirus software, security suites, Threatfire etc were affected by that "hack". Again, what is the problem here, and why do you keep seeking to attack me?

Has it ever crossed your mind that I can change my mind too? With regards to security software and setups, I change it quite often. As I said, I've been trying several times to get DefenseWall to work with my setup. You can even look at my signature on Wilders - I've had DefenseWall added to it for the last 24 hours or so, because I am trying to get it to work for my purposes.

Anyway, I hope you enjoyed taking me apart there. In my opinion, it's a very disrespectful thing to do. Hopefully I've justified myself now though. I've always supported Ilya, and I've always said that DefenseWall is excellent software in general. Sure, I have my personal gripes about it, but that's because I care about it. Why would I keep re-visiting it? I think I've installed and un-installed DefenseWall about 4 times this year. If I thought it was rubbish, do you think I would keep installing it?

Please show some respect.

EDIT: Please check my last 2 posts of this thread:
http://www.wilderssecurity.com/showthread....9970&page=2

EDIT 2: Thanks for the offer of pardoning you. By the way, I do have a 1 year license for DefenseWall - I got one about 5 months ago. In fact, I got 2.
Scoobs
Wow...you moderators have got it totally wrong this time. I've been following SSJ100's posts as well (both on this board and others) and can clearly see the thought process he is going through as he develops a security strategy and starts to try out Defensewall again after previously dismissing it (as many many people have done in the past). His questions are reasonable and you owe him an apology in my opinion.

And SSJ100, if your comment about best.doc is correct (I will test it myself later), then that looks like a bug. Good find, because it has implications as to how some of us use Defensewall in combination with Sandboxie.
ssj100
Now back on topic, can anyone help me out with the zipping and unzipping issue? Has anyone managed to reproduce that a file that starts out as untrusted, becomes trusted after zipping and unzipping it?
ssj100
QUOTE (Scoobs @ Aug 19 2009, 06:52 AM) *
Wow...you moderators have got it totally wrong this time. I've been following SSJ100's posts as well (both on this board and others) and can clearly see the thought process he is going through as he develops a security strategy and starts to try out Defensewall again after previously dismissing it (as many many people have done in the past). His questions are reasonable and you owe him an apology in my opinion.

And SSJ100, if your comment about best.doc is correct (I will test it myself later), then that looks like a bug. Good find, because it has implications as to how some of use Defensewall in combination with Sandboxie.


Thanks for your support mate. Seriously, I don't know where all that came from! Hopefully I've defended myself enough already.

Yes, please see if you can reproduce this. What I found was that if I manually moved something out of an untrusted folder, it sometimes became trusted. I only tried it with non-executable files so far though. The zipping/unzipping issue is certainly another concerning aspect for me too.

EDIT: with regards to moving something out of an untrusted folder, it only seems to be non-executable files that become trusted. I think this is fine, as .doc, .jpg, .xml etc files would not contain malware right? So DefenseWall is programmed to trust these files?

EDIT2: After further experimentation, I've now worked out a way to reproduce consistently the issue with zipping and unzipping:
1. Download any .exe file into an untrusted folder
2. Take the .exe file and place it outside of the untrusted folder
3. Check the DefenseWall status of the .exe file - you will see it remains untrusted
4. Now, put the .exe file into a folder (eg. "New folder").
5. Zip the "New folder" (I use WinRAR)
6. Now check the DefenseWall status of "New folder.rar" - you will see it is trusted
7. Now unzip "New folder.rar" to uncover the .exe file
8. Check the DefenseWall status of the .exe file - you will see it has now become trusted!

Another illustration would be to download the CLT tests (the entire test comes in a folder called "CLT" after you unzip it) - http://www.testmypcsecurity.com/securityte...test_suite.html
1. Okay, you've unzipped CLT.rar, and recovered the folder from your untrusted downloads location
2. Check the DefenseWall status of the "CLT" folder - you will see it remains untrusted
3. Now, zip the "CLT" folder again (I use WinRAR)
4. Check the DefenseWall status of the re-zipped "CLT" folder - you will see it has now become trusted!
5. Unzipping this re-zipped "CLT" folder will result in everything being trusted.
Scoobs
I've tried a very quick test with a PDF (saved into a sandbox folder several layers deep) but I'm not seeing the same results as you. The PDF remains untrusted when I either copy or cut it to my desktop. Can you try it with a PDF and also list the directory you're copying/cutting it from to your desktop and also (and I presume here you're pulling it out of your sandbox folder) which Sandbox folder you've untrusted within Defensewall. Thx.
Scoobs
Oooo...confirmed. I copied a zip file out of an untrusted directory (and the zip file had the status of untrusted) to my desktop and it went from untrusted status to trusted. Very strange. Ilya, any thoughts????
ssj100
QUOTE (Scoobs @ Aug 19 2009, 07:28 AM) *
I've tried a very quick test with a PDF (saved into a sandbox folder several layers deep) but I'm not seeing the same results as you. The PDF remains untrusted when I either copy or cut it to my desktop. Can you try it with a PDF and also list the directory you're copying/cutting it from to your desktop and also (and I presume here you're pulling it out of your sandbox folder) which Sandbox folder you've untrusted within Defensewall. Thx.


Yes, it seems like with .pdf files, DefenseWall will keep them untrusted. I think it's just with .doc, .jpg, .xml, .ini etc. files, that DefenseWall will make them trusted automatically.

Also, .rar files are always kept untrusted, and anything coming out of the .rar file will remain untrusted (even if it is a .doc or .jpg file).

I guess this all seems reasonable, as malware can't possibly be infecting a .ini or a .jpg file right? And when it comes to .rar files, you never know what it contains, so it makes sense that DefenseWall will always untrust whatever comes out of it too.

So now the main concern is the zipping and unzipping issue. I guess I've learned NOT to do that sort of thing when using DefenseWall? Truth is, I often download lots of files and then put them into a folder and zip that folder. It seems doing that practise will make DefenseWall trust that zipped folder (which potentially may contain malware).
ssj100
QUOTE (Scoobs @ Aug 19 2009, 07:47 AM) *
Oooo...confirmed. I copied a zip file out of an untrusted directory (and the zip file had the status of untrusted) to my desktop and it went from untrusted status to trusted. Very strange. Ilya, any thoughts????


Wow, it was a .rar file? Are you sure? I don't think I can reproduce this with .rar files - it only seems to be with .doc, .jpg etc files for me.

Now I am completely confused haha.
demoneye


Content removed cause it was OT and removed due to disrespecting and resisting an Admins alignment.
Ilya Rabinovich
QUOTE (ssj100 @ Aug 18 2009, 11:16 PM) *
I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)! This is surely a flaw in DefenseWall right?

It shouldn't be like that. How do you copy the file? With Windows Explorer?

QUOTE (ssj100 @ Aug 18 2009, 11:16 PM) *
Furthermore, I find that when I download a folder containing eg. 100 .doc files, these files are all labelled untrusted. However, when I zip all these files up, the resulting zip file is trusted. Then, when I unzip this file, all 100 .doc files become trusted! What if this was a malicious .exe file? Is the process of zipping and unzipping fooling DefenseWall?

Yes, DW does not control such operations. The point is that it's quite hard to do technically.
ssj100
QUOTE (Ilya Rabinovich @ Aug 19 2009, 08:25 AM) *
QUOTE (ssj100 @ Aug 18 2009, 11:16 PM) *
I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)! This is surely a flaw in DefenseWall right?

It shouldn't be like that. How do you copy the file? With Windows Explorer?

QUOTE (ssj100 @ Aug 18 2009, 11:16 PM) *
Furthermore, I find that when I download a folder containing eg. 100 .doc files, these files are all labelled untrusted. However, when I zip all these files up, the resulting zip file is trusted. Then, when I unzip this file, all 100 .doc files become trusted! What if this was a malicious .exe file? Is the process of zipping and unzipping fooling DefenseWall?

Yes, DW do not control such the operations. The point is it's quite hard to do technically.


I use right-click - "Copy".

I'm not sure why this is happening, and why Scoobs has reported that zipped files (starting out untrusted) become trusted when moved to the real system.
TheSentinel
Hi

I've followed 'discussions' like that here for a long time now. I have no problem if a discussion is done open, constructive, using a civilized speech and honest. It seems some members of that forum believe they are out at the street, behaving here the same way.

For all not remembering them or still blinded them out what they did agree while registering for GSF, here a direct link to refresh everyone's mind.

And some note on disrespecting an Admin's word cause I see some known candidates here. If someone has a problem respecting the rules here, he is free to leave that forum and board.

So, guys, behave like adults should do, kay?

Regards
B. Udo





Ilya Rabinovich
QUOTE (Scoobs @ Aug 19 2009, 06:47 AM) *
Oooo...confirmed. I copied a zip file out of an untrusted directory (and the zip file had the status of untrusted) to my desktop and it went from untrusted status to trusted. Very strange. Ilya, any thoughts????

Is it reproducible? I just did the same thing - no problems at all, the file remained untrusted.
Scoobs
QUOTE (Ilya Rabinovich @ Aug 19 2009, 08:53 AM) *
QUOTE (Scoobs @ Aug 19 2009, 06:47 AM) *
Oooo...confirmed. I copied a zip file out of an untrusted directory (and the zip file had the status of untrusted) to my desktop and it went from untrusted status to trusted. Very strange. Ilya, any thoughts????

Is it reproducible? I just made same thing- no problems at all, file remained untrusted.


My guess is that Sandboxie is restricting DW's capability to track untrusted files. The way I did it was:
- Download a zip file using Utorrent, with Utorrent sandboxed
- I did not recover the file from the Sandbox when it had completed downloading
- Go into Windows explorer and navigate to the Sandbox folder and the zip file. Confirm that it is untrusted
- Copy and paste the zip file to my desktop. It now becomes trusted
virtumonde
QUOTE (Scoobs @ Aug 19 2009, 09:26 AM) *
QUOTE (Ilya Rabinovich @ Aug 19 2009, 08:53 AM) *
QUOTE (Scoobs @ Aug 19 2009, 06:47 AM) *
Oooo...confirmed. I copied a zip file out of an untrusted directory (and the zip file had the status of untrusted) to my desktop and it went from untrusted status to trusted. Very strange. Ilya, any thoughts????

Is it reproducible? I just made same thing- no problems at all, file remained untrusted.


My guess is that Sandboxie is restricting DW's capability to track untrusted files. The way I did it was:
- Download a zip file using Utorrent, with Utorrent sandboxed
- I did not recover the file from the Sandbox when it had completed downloading
- Go into Windows explorer and navigate to the Sandbox folder and the zip file. Confirm that it is untrusted
- Copy and paste the zip file to my desktop. It now becomes trusted

Could you please try, if possible, without using Sandboxie? I would have tried it myself but I'm at work all day now.
ssj100
QUOTE (Ilya Rabinovich @ Aug 19 2009, 08:53 AM) *
QUOTE (Scoobs @ Aug 19 2009, 06:47 AM) *
Oooo...confirmed. I copied a zip file out of an untrusted directory (and the zip file had the status of untrusted) to my desktop and it went from untrusted status to trusted. Very strange. Ilya, any thoughts????

Is it reproducible? I just made same thing- no problems at all, file remained untrusted.


Just fired up a VM (clean installation of Windows XP, SP3), and I can reproduce that moving a .txt file out of an untrusted folder will make the .txt file trusted.
Scoobs
QUOTE (ssj100 @ Aug 19 2009, 09:30 AM) *
Just fired up a VM (clean installation of Windows XP, SP3), and I can reproduce that moving a .txt file out of an untrusted folder will make the .txt file trusted.


Is that with or without Sandboxie?
ssj100
QUOTE (Scoobs @ Aug 19 2009, 09:33 AM) *
QUOTE (ssj100 @ Aug 19 2009, 09:30 AM) *
Just fired up a VM (clean installation of Windows XP, SP3), and I can reproduce that moving a .txt file out of an untrusted folder will make the .txt file trusted.


Is that with or without Sandboxie?


Nothing on the system except DefenseWall.
virtumonde
QUOTE (ssj100 @ Aug 19 2009, 09:30 AM) *
QUOTE (Ilya Rabinovich @ Aug 19 2009, 08:53 AM) *
QUOTE (Scoobs @ Aug 19 2009, 06:47 AM) *
Oooo...confirmed. I copied a zip file out of an untrusted directory (and the zip file had the status of untrusted) to my desktop and it went from untrusted status to trusted. Very strange. Ilya, any thoughts????

Is it reproducible? I just made same thing- no problems at all, file remained untrusted.


Just fired up a VM (clean installation of Windows XP, SP3), and I can reproduce that moving a .txt file out of an untrusted folder will make the .txt file trusted.

What about .msi, .exe files? Is it the same?
Ilya Rabinovich
QUOTE (ssj100 @ Aug 19 2009, 08:30 AM) *
Just fired up a VM (clean installation of Windows XP, SP3), and I can reproduce that moving a .txt file out of an untrusted folder will make the .txt file trusted.

DefenseWall does not control .txt files. Only executable, archive and document ones, i.e. those that can contain potentially dangerous things.
andro
QUOTE (ssj100 @ Aug 19 2009, 03:16 AM) *
Say with DefenseWall, I untrust a folder C:\folder

Anything that goes into that folder becomes untrusted right? Okay, say I have a file in the folder C:\folder\Best.doc

I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)!


I cannot reproduce this. Doc file (as well as .exe file) still remains untrusted.
IDH
QUOTE (andro @ Aug 19 2009, 09:40 AM) *
QUOTE (ssj100 @ Aug 19 2009, 03:16 AM) *
Say with DefenseWall, I untrust a folder C:\folder

Anything that goes into that folder becomes untrusted right? Okay, say I have a file in the folder C:\folder\Best.doc

I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)!


I cannot reproduce this. Doc file (as well as .exe file) still remains untrusted.


I cannot reproduce this either and I am using Sandboxie as well
ssj100
QUOTE (IDH @ Aug 19 2009, 11:07 AM) *
QUOTE (andro @ Aug 19 2009, 09:40 AM) *
QUOTE (ssj100 @ Aug 19 2009, 03:16 AM) *
Say with DefenseWall, I untrust a folder C:\folder

Anything that goes into that folder becomes untrusted right? Okay, say I have a file in the folder C:\folder\Best.doc

I'm noticing that when I copy Best.doc out of the untrusted folder and on to eg. my desktop, Best.doc becomes trusted (on my desktop)!


I cannot reproduce this. Doc file (as well as .exe file) still remains untrusted.


I cannot reproduce this either and I am using Sandboxie as well


Yeah, I just realised that it's not .doc files that I'm talking about. It's more .jpg, .xml, .ini, and who knows what other file types. This is fair enough though, given that the files with those extensions will not have any malware attached to them right?

Also, Ilya has confirmed earlier that the zipping and unzipping process (with folder) does change file status from untrusted to trusted. That's actually a little unsettling. Ilya also mentioned that it's difficult to correct this I think? Any chance that this will be corrected?

I ask this, because I often zip and unzip stuff that I download (and therefore may contain malware). Anyone else share these concerns?
andro
QUOTE (ssj100 @ Aug 19 2009, 03:16 AM) *
Furthermore, I find that when I download a folder containing eg. 100 .doc files, these files are all labelled untrusted. However, when I zip all these files up, the resulting zip file is trusted. Then, when I unzip this file, all 100 .doc files become trusted!


It's true. Is it critical?
Scoobs
I'll retest the zip (rar) file going from untrusted to trusted again tonight. I'm wondering whether I've accidentally done something to make anything going into my desktop automatically trusted (i.e. not untrusted). As for the zipping/unzipping issue it doesn't really bother me if I know about it. What I'd like to see is something I've asked for several months ago - a visual indicator on the files icon as to its status. That way, you'd instantly see that the files are now trusted.

EDIT - just realised my final comment is a bit stupid - if Ilya could do the icon thing to track the files, then he'd just make the untrusted status stick regardless of zipping/unzipping.
Sacles
Hello,

QUOTE
I ask this, because I often zip and unzip stuff that I download (and therefore may contain malware). Anyone else share these concerns?


Try placing your decompression software to Untrusted.
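The zip/unzip round trip reported earlier in the thread and the workaround of marking the archiver untrusted, as an added toy model that is not part of any post and is not DefenseWall's code. It assumes, from the replies in this thread, that a newly written file takes the trust level of the process that writes it; the class, function and file names are hypothetical, and the read-propagation rule is a generic taint-tracking variant shown for comparison.

```python
import io
import zipfile
from dataclasses import dataclass

TRUSTED, UNTRUSTED = "trusted", "untrusted"


@dataclass
class Process:
    name: str
    label: str


class LabelledFS:
    """Toy file store: path -> (bytes, label). Assumed rule: a file written
    by a process receives that process's current label."""

    def __init__(self, propagate_on_read=False):
        self.files = {}
        # Comparison policy: reading untrusted data demotes the reader.
        self.propagate_on_read = propagate_on_read

    def seed(self, path, data, label):
        self.files[path] = (data, label)

    def read(self, proc, path):
        data, label = self.files[path]
        if self.propagate_on_read and label == UNTRUSTED:
            proc.label = UNTRUSTED
        return data

    def write(self, proc, path, data):
        self.files[path] = (data, proc.label)

    def label(self, path):
        return self.files[path][1]


def zip_file(fs, proc, src, archive):
    """The archiver process reads one file and writes a real zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(src.rsplit("/", 1)[-1], fs.read(proc, src))
    fs.write(proc, archive, buf.getvalue())


def unzip(fs, proc, archive, dest_dir):
    """The archiver process reads the archive and writes out each member."""
    with zipfile.ZipFile(io.BytesIO(fs.read(proc, archive))) as zf:
        for name in zf.namelist():
            fs.write(proc, f"{dest_dir}/{name}", zf.read(name))


def round_trip(archiver_label, propagate_on_read=False):
    """Return (archive label, extracted file label) after zip then unzip."""
    fs = LabelledFS(propagate_on_read)
    payload = b"MZ constructed sample bytes, not a real executable"
    fs.seed("New folder/setup.exe", payload, UNTRUSTED)

    zip_file(fs, Process("archiver", archiver_label),
             "New folder/setup.exe", "New folder.zip")
    unzip(fs, Process("archiver", archiver_label),
          "New folder.zip", "extracted")

    # The bytes survive the round trip unchanged; only the label can differ.
    assert fs.files["extracted/setup.exe"][0] == payload
    return fs.label("New folder.zip"), fs.label("extracted/setup.exe")


if __name__ == "__main__":
    print("trusted archiver:        ", round_trip(TRUSTED))
    print("archiver set untrusted:  ", round_trip(UNTRUSTED))
    print("trusted + read-propagate:", round_trip(TRUSTED, True))
```

In the model, the label is lost at the write performed by a trusted archiver; keeping the archiver untrusted, or demoting any process once it reads untrusted data, keeps the extracted file untrusted.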

CogitoErgoSum
Hello ssj100,

You may find the link below useful.

http://gladiator-antivirus.com/forum/index...showtopic=76723

Hope this helps.


Peace & Gratitude,

CogitoErgoSum
TheSentinel
Heya Cogito

good reply mate. But it's easier for some people to start ranting, flaming about a product instead using the GSF search function.

Take care
BU
Scoobs
Well I've tried to recreate the problem I originally saw with the zip file, but can't. It's now staying as untrusted. Strange!
Ilya Rabinovich
QUOTE (Scoobs @ Aug 19 2009, 10:32 AM) *
What I'd like to see is something I've asked for several months ago - a visual indicator on the files icon as to its status.

And I remember about it. I already had a few requests about this feature. It will be implemented in the future releases of the V3 thread, I promise, but not in the 3.00 version because I'm going to release it as soon as possible, this is very important for me.
Scoobs
QUOTE (Ilya Rabinovich @ Aug 19 2009, 07:24 PM) *
QUOTE (Scoobs @ Aug 19 2009, 10:32 AM) *
What I'd like to see is something I've asked for several months ago - a visual indicator on the files icon as to its status.

And I remember about it. I already had a few requests about this feature. It will be implemented in the future releases of the V3 thread, I promise, but not in the 3.00 version because I'm going to release it as soon as possible, this is very important for me.


Great!! Thanks Ilya
ssj100
QUOTE (Scoobs @ Aug 19 2009, 06:17 PM) *
Well I've tried to recreate the problem I originally saw with the zip file, but can't. It's now staying as untrusted. Strange!


Yes, as I said, .rar files will always stay untrusted. It's only .jpg, .xml, .ini files etc that automatically become trusted when moved out of an untrusted folder.

~snip~

By the way, Ilya, any chance of you fixing the zipping issue? Or perhaps you should automatically add the eg. WinRar program to be always untrusted? I can see a lot of average joes having issues with this, and placing a potentially malicious .exe file (untrusted .exe) into a newly created folder (trusted), zipping the newly created folder (containing the malicious .exe), and then unzipping it (and find the malicious .exe is now trusted by DefenseWall).

Thanks for your replies Ilya.
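The zip round trip discussed in this thread, as an added example that is not part of any post and is not DefenseWall's code. It is a simplified model that assumes a new file is labelled only from the process that writes it and the folder it lands in; the process name `archiver.exe` and all paths are constructed.

```python
# Simplified label model for illustration only; not DefenseWall's implementation.
from dataclasses import dataclass, field

@dataclass
class LabelModel:
    untrusted_folders: set = field(default_factory=set)
    untrusted_procs: set = field(default_factory=set)
    labels: dict = field(default_factory=dict)  # path -> "trusted" | "untrusted"

    def write(self, proc: str, path: str) -> str:
        """Label a newly written file from its writer and destination folder only."""
        in_untrusted = any(path.lower().startswith(d.lower() + "\\")
                           for d in self.untrusted_folders)
        tainted = proc in self.untrusted_procs or in_untrusted
        self.labels[path] = "untrusted" if tainted else "trusted"
        return self.labels[path]

DESKTOP = r"C:\Users\me\Desktop"   # constructed path
DOWNLOADS = r"C:\Downloads"        # constructed path, marked untrusted below

def zip_round_trip(archiver_untrusted: bool, extract_dir: str) -> str:
    """Download, zip, unzip; return the label of the extracted file."""
    m = LabelModel(untrusted_folders={r"C:\folder", DOWNLOADS},
                   untrusted_procs={"browser.exe"})
    if archiver_untrusted:
        m.untrusted_procs.add("archiver.exe")
    # 1. Untrusted browser saves the file into the untrusted folder.
    m.write("browser.exe", r"C:\folder\setup.exe")
    # 2. The archiver reads it and writes an archive elsewhere. In this model
    #    the source file's label is not carried across the read.
    m.write("archiver.exe", r"C:\Temp\bundle.zip")
    # 3. The archiver extracts the file to the chosen directory.
    return m.write("archiver.exe", extract_dir + r"\setup.exe")

def demo() -> dict:
    return {
        "trusted archiver -> desktop": zip_round_trip(False, DESKTOP),
        "untrusted archiver -> desktop": zip_round_trip(True, DESKTOP),
        "trusted archiver -> untrusted folder": zip_round_trip(False, DOWNLOADS),
    }

if __name__ == "__main__":
    for case, label in demo().items():
        print(f"{case}: {label}")
```

The second and third cases correspond to the two workarounds raised in the thread: running the decompression software as untrusted, and recovering files into a folder that is itself untrusted.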
Ilya Rabinovich
QUOTE (ssj100 @ Aug 19 2009, 07:27 PM) *
By the way, Ilya, any chance of you fixing the zipping issue?

I may do some research, but not sure if it will be in the near future as it's not an emergency.
ssj100
QUOTE (Ilya Rabinovich @ Aug 19 2009, 09:36 PM) *
QUOTE (ssj100 @ Aug 19 2009, 07:27 PM) *
By the way, Ilya, any chance of you fixing the zipping issue?

I may do some research, but not sure if it will be in the near future as it's not an emergency.


Thanks Ilya.
Sacles
Hello,

QUOTE
Well I've tried to recreate the problem I originally saw with the zip file, but can't. It's now staying as untrusted.

Same for me. I downloaded several files zipped, I unzipped (with 7z and with Windows). All files unzipped are Untrusted.
andro
QUOTE (Ilya Rabinovich @ Aug 20 2009, 12:36 AM) *
...it's not an emergency.


OK, thanks.
Scoobs
Hi Ilya, I think I've found the source of the problem I was seeing with files going from untrusted to trusted when you move them out of Sandboxie. Basically, it appears that when you run your Sandboxed container off a RAMdrive, DW loses track of the files' untrusted status when they come out of the RAMdrive and onto the C: drive. I can probably work around this, but I would just be interested to know whether you agree that what I'm seeing is correct, or whether in fact I've screwed up my DW configuration and that's what's causing the issue I'm seeing. Thx
Ilya Rabinovich
What RAMDrive software do you use? A download link would be most appreciated, I'll check it out when I get back home...
Scoobs
It's Gavotte. Here's the link [removed]
and here's a guide on setting it up:
http://www.mydigitallife.info/2007/05/27/f...nd-2003-server/

I am using a fairly simple workaround of just ensuring that anything I recover out of the sandbox goes into my downloads folder, and then ensuring that the downloads folder is untrusted. In that way the recovered files regain untrusted status again. Thanks Ilya.
Scoobs
Ilya, it would also be worth me pointing out that I'm running my browsers as trusted, but untrusting the Sandbox folder. Is that the cause of the problem? i.e. if I download a file into an untrusted folder, but the browser that downloaded it is not untrusted then the file itself becomes trusted when you move out of the untrusted folder?
Ilya Rabinovich
QUOTE (Scoobs @ Aug 28 2009, 06:26 PM) *
Ilya, it would also be worth me pointing out that I'm running my browsers as trusted, but untrusting the Sandbox folder. Is that the cause of the problem? i.e. if I download a file into an untrusted folder, but the browser that downloaded it is not untrusted then the file itself becomes trusted when you move out of the untrusted folder?

First of all, you have to put your potentially dangerous Internet-facing apps to untrusted.

Next thing - it depends if you download files into virtualization container or not. As far as I understand, you recover the file into the real folder?