DefenseWall HIPS User Guide/Tutorial

Posted by Ilya Rabinovich (SoftSphere Technologies), 04 April 2006 - 11:21 AM

DefenseWall HIPS is a very easy-to-use tool that provides 99.99% protection from all types of malware while surfing the Internet and while installing new software - if you use DefenseWall the right way!

DefenseWall HIPS divides all applications into 'trusted' and 'untrusted' groups. Any process started by an untrusted application or process is itself untrusted and runs with limited rights. DefenseWall HIPS prevents untrusted processes from:
  • modifying executable and interpreted (script) files;
  • modifying the phone database (the target of "dialer" malware) and the Hosts file;
  • adding or modifying autostart entries (both registry and file system);
  • adding or modifying drivers and services (the target of "rootkits");
  • modifying desktop and browser settings (IE, Firefox, Mozilla, Opera);
  • setting global hooks (usually used by "keyloggers");
  • injecting code into "trusted" processes;
  • and many other dangerous actions.
In addition, DefenseWall HIPS prevents untrusted processes from accessing "Secured" files and folders, so your sensitive data cannot be stolen by malware. "Untrusted" processes are not allowed to break your system's integrity or to break out of the virtual "untrusted processes" area.

Terminating malware is very easy: close all untrusted processes with the "big red button" (recommended), or click the grey button, "you have 'x' untrusted process(es) running on your computer", to terminate individual malware processes. Alternatively, simply restart your computer; the untrusted zone is closed along with it.

[Attached image: Untrusted.jpg]

Keep in mind that the now-inactive malware remains on your hard disk, because it is impossible to automatically separate legitimate modules downloaded from the Internet (for instance) from illegitimate ones (malware). As long as it stays untrusted, however, it cannot harm your system.

DefenseWall HIPS is not an antivirus replacement. The malware file(s) remain on disk in an inactive state. You can clean your hard disk with your antivirus and/or other anti-malware program once its vendor has created and delivered signatures for that malware, or manually with DefenseWall's "rollback" tool (for advanced users).

DefenseWall HIPS does not block
  • E-mail worms without autorun functions, i.e. worms which read your address book and send their messages without modifying the system's functionality.
  • Weak system passwords that could be broken by dictionary attacks; buffer overflows (so far); phishing (that is the anti-phishing toolbar's job); Internet connection/browser hijacking (that is your firewall's job).
  • Advanced keyloggers, due to flaws in the Windows security architecture. Note that no anti-keylogger can stop these advanced techniques. DefenseWall HIPS will still protect system integrity, and it is recommended to hit the Big Red Button ("Close all untrusted processes") before online banking or other activities where privacy is a must.
All other threats are covered by DefenseWall HIPS!

A little bit about how DefenseWall HIPS functions:
All programs that connect to dangerous Internet content must be included in the "untrusted" zone: browsers, e-mail, P2P and instant messaging clients must be set as "untrusted". It is also necessary to add all software that uses a "plugin engine" (WinAmp, for instance). Because a new plugin can be added simply by dropping a .dll file into the program's "plugin" folder, malware can install itself as a WinAmp "plugin" and start every time WinAmp starts. DefenseWall HIPS includes a large built-in list of applications which are placed on the untrusted list during installation.
[Attached image: Add_to_Untrust.jpg]

DefenseWall HIPS includes a "plugin injection" protection mechanism: if an untrusted process creates a plugin DLL (whatever its file extension) and that module is later loaded by a trusted process, the trusted process automatically becomes untrusted.

The "Rollback" window (opened with the "File and registry tracks" button) lists all items created by untrusted processes (new folders, individual files and registry keys). Remember, this functionality is for advanced users only! There is also a hidden "allowed to be modified" list of items created by untrusted processes with controlled extensions; items are automatically removed from this list after a 15-day period.

All your sensitive data files and folders can be protected by adding them as "Secured Files".

[Attached image: Secured_Fiels.jpg]

If you run executables directly from inside an archive, they run as trusted if your archiver is set as "trusted" and is not on DefenseWall HIPS's internal list of archivers, because the archive's source cannot be traced back. At present this internal list contains Windows Explorer (built-in zip/unzip utility), WinRAR, WinZip, WinAce, 7-Zip, StuffIt, Ultimate ZIP, PKZIP, PowerArchiver, FAR Commander, Servant Salamander, Total Commander and many more. If you use one of these archivers, all executables run directly from archives will be untrusted; to run them as trusted you need to extract the archive's contents first. In addition, version 1.50 and higher extend control over archive files: if the archive is on the 'untrusted' list (for instance because it was downloaded from the Internet) and you open it with your archiver by double-clicking, the archiver starts as untrusted. If you need to extract the archive's contents as trusted, run the archiver as trusted. The built-in Windows XP Explorer zip/unzip plugin is supported too.

All scripts run according to the trusted/untrusted rules (as .cmd and .bat files already did before v1.50). If you install a new version over 1.40, disable or remove the following entries in "Add/Remove Untrusted": wscript.exe, cscript.exe, mshta.exe.
Executables (e.g. program installers) run directly from a local network share automatically run as "untrusted". To install, download the file locally and run it as "trusted".

There is a built-in, driver-level list of modules that are allowed to set global keyboard hooks. It contains module hashes and cannot be bypassed. At present it contains the hashes of the Trillian and Sonork global hook modules.

There are two user modes, 'Regular' and 'Expert'. In Regular mode, all executable files created by untrusted processes are automatically added to the "untrusted applications" list. In Expert mode, you choose how to run such files. The mode can be switched from the main program menu with one mouse click.
[Attached images: Regular_Mode.JPG, ExpertMode.JPG]

You can now disable DefenseWall HIPS's protection on the fly.
When you do so, you will be prompted, and DefenseWall will close all untrusted processes.

[Attached image: DisableProt.JPG]