GentleSecurity Forum
Does disable of notifications get rid of attack notifies?
GentleSecurity Forum Index -> General Discussions and Support
VanguardLH (Joined: 10 Oct 2008, Posts: 48)
Posted: Thu Oct 16, 2008 4:00 pm

geswall wrote:
VanguardLH wrote:
As an aside, I'm wondering what happens to these tracked files if the user uninstalls GesWall. Do all the tracked files get deleted by the uninstall? Or do they become unprotected and will run unfettered? If they get left behind, does the uninstall perform a scan for untrusted files and present that list before letting the user complete the uninstall?

Right, the 'untrusted' labels make sense only while GeSWall is running and no list is generated on uninstall.

If GesWall is reinstalled, will those previously tracked files get retracked?

Does the tracking require use of NTFS to, say, utilize its alternate data stream feature to track which files are untrusted? If so, that tracking won't work for FAT. If the file system itself isn't used to track which files are untrusted by GesWall, is the file list hardened by being hashed, and does GesWall's driver protect it against alteration or deletion by any process other than the GesWall driver? Since the Untrusted Files scan has to go looking around for the untrusted files, it doesn't seem like GesWall is maintaining its own list, which is why it might be using ADS, which would only work with NTFS.

geswall wrote:
VanguardLH wrote:
I will still need HIPS to control what can load on my host to provide a whitelist of authorized programs ... also delving down further into what actions an authorized process can perform, maybe like the Defense+ HIPS

The solutions you mentioned might be OK to restrict a web browser, but when it comes to e-mail clients, office applications, viewers, messengers it may appear too complicated to be usable.

Preventing files from running or being created is safe only for known malware.

No. HIPS is also invaluable in regulating what can load for when the user doesn't expect the program to load just like a firewall is handy to find out an app connects that you didn't know would do so. You're assuming those listed apps do what you expect them to do. I don't. They may have behaviors that I don't want. They may carry a payload that I don't want.

With HIPS, control is returned back to the user rather than remain hidden or guesses made for them. Behavioral analyzers (like Threatfire) and policy enforcers (like GesWall) do not conflict with the purpose of HIPS but they certainly don't afford the user the same level of control over their host as does HIPS (and that is the HIPS *before* the inclusion of hash lists for whitelisted programs or any heuristics they might optionally include). Is that viewer really just a viewer? How did it get on your host? Did it get installed deliberately by the user or use some other vector for infiltration?

The HIPS that I've trialed include a disable or learning mode so when the user installs a trusted app (whether that trust is warranted or not) the HIPS doesn't interfere. But HIPS will interfere if the installation was through some unexpected vector for entry into their host. They might want that codec. They might not. They probably don't want any code executing on their host due to a buffer overrun. I see HIPS as trying to keep out the pests or noticing them when they attempt to act if they do get in. I see GesWall as letting them in but trying to nullify their actions. I don't equate GesWall to HIPS. They do security in different ways and can complement each other.

geswall wrote:
There is no magic here. It is uncertain if a file is malicious or not unless you have signature checks for known malware pieces, which is done by AV. All behaviour-analysis checks are also suffering from false-positives.

I said HIPS, not behavioral analyzers or heuristic checkers. From what I've read, Threatfire is a behavioral analyzer just as are most anti-malware products. HIPS prompts and it's the user who then makes the choice. Having a hash list to whitelist known good apps and eliminate those prompts is an optional convenience. Expert users of HIPS can turn that off (to go into a more paranoid mode) and even require the prompt and authentication of proposed actions for even the "safe" apps. I wasn't impressed with Threatfire or similar behavioral analyzers since they aren't much different than any other anti-malware scanner product which incorporates heuristic checking.

Quote:
So we decided that a proper balance for GeSWall is an isolation that breaks as little as possible without affecting security.

A list of security product types (I'm writing on-the-fly here) that I use, from lowest to highest is:
- File scanners (anti-malware & anti-virus scanners) whether on-access or on-demand. These are the flypaper scanners using blacklists.
- Behavioral scanners (Threatfire, anti-malware and anti-virus scanners with heuristics).
- Policy enforcers (GesWall, DefenseWall).
- HIPS. The user is brought back into control of their host which also means the user is the authority and must know what the prompts mean.
- Drive protection (Returnil, ShadowProtect, Bufferzone). No data security (for files in the same partition) as the pest is operating on the production host.
- Sandboxing. Might have data security. Might not. Depends on features of sandbox and configuration by user. Unlike policy enforcers or HIPS, deleting or wiping a sandbox when the intended app exit guarantees any pests in that sandbox are eradicated. They may be effective within the sandbox, like a keylogger, but when the sandbox is deleted or erased, it's all gone. No cleanup of the host is required for what might sneak by a behavioral analyzer, policy enforcer, or wrong choice in HIPS.
- Virtual machine. All hardware virtualized except CPU. More secure (isolated) than a sandbox.
- System emulator. All hardware virtualized, including CPU.
- Separate hardware platform with clean baseline image backup.

Many anti-malware programs are now including anti-virus features, and vice versa, and both are now incorporating heuristic or behavior analyzers, so the first 2 categories are getting mixed. They catch what they know about or within the limits of their algorithms for heuristic checking. If they were the end-all for security, I wouldn't even be here discussing GesWall and HIPS. They're more like the net below the highwire acrobat whereas a policy enforcer is like the pole they use to lower the center of gravity and HIPS is like their own ability to control their movement on the wire.

Actually from drive protection on up, there is no actual security detection with just those products but rather more secure isolation along with a better means of wiping the pest from the host or preventing them getting to the host. Only because they provide a means of preventing the pest from ever getting onto the production host and/or allow wholly wiping the pest from the test platform were they given a higher security value. Poof, gone, don't have to handle them. They offer an easy and instantaneous means to flatten and rebuild, something that too often is required of an infected host because it is easier and faster to rebuild the host than try to get rid of a pest that bypassed all protections. If it takes me more than one evening in trying to eradicate a pest, I've already spent more time than it takes to flatten and rebuild the host. VMs, sandboxes, and drive protection let me do the flatten and rebuild and do it instantly.

Drive protection provides a snapshot back to a known prior state; however, regular [incremental] image backups are still required to allow stepping back to previous states if the just-prior state was already infected. VMs can be deleted or snapshotted back to a clean baseline state, and same for a system emulator. They still do not obviate the need for security software on the production host (i.e., they aren't mutually exclusive) but they offer a better means of testing unknown and untrusted software or browsing untrusted sites without the interference of anti-virus or anti-malware software or any regulation or alteration by behavioral analyzers or policy enforcers. Anti-malware, anti-virus, GesWall, and HIPS are not to protect me when I am visiting untrusted sites or when I am trialing unknown software. That's done in a more protected environment (VM, sandbox, drive protect). They are for when I am trusting the sites and software in my real host but I still don't unconditionally trust them.

Alas, I'm finding GesWall and sandboxes don't work well together without manual intervention. GesWall watches for the regulated processes to appear that it will isolate and it will do that even if the process is running inside a sandbox so GesWall can interfere with the app within the sandbox. I can still use the sandboxing if I first remember to lower Geswall to its green mode (isolate only jailed apps - and there are no jailed apps). While GesWall gives me a security blanket, it doesn't obviate the other methods used to secure my host.

I wanted something in addition to HIPS mostly in case I make a wrong decision and trust something that I shouldn't have. I'm not omnipotent so it's possible that I end up allowing a program to run or let it perform an action which I later regret. If something hits me that I don't expect, and if I can find no information about the infiltrator, then I have to make a choice to allow it in or block it - and if it was unexpected then it's very likely that I'll block it. Rather than trying to enforce some policies against it, I don't want it in at all. HIPS doesn't impact me as much as does a sandbox or VM, and GesWall doesn't impact me as much as HIPS.

I don't see a policy enforcer (GesWall) and HIPS as being competitive with each other. I see them as complementing each other. For users that want more control over what any process can do (or if it even starts) then GesWall isn't a solution. If they don't want to bother with all the prompts and figuring them out from HIPS then a safety net like GesWall makes sense. I don't trust behavioral analyzers or hard-coded heuristic algorithms in Threatfire, anti-malware, anti-virus, or other such programs to fully protect me. GesWall gives me more control but it is still hard-coded control based on the expertise of the product developers (and sometimes limited as to what they can put in based on timelines enforced by Marketing/Sales, especially since they want to sell upgrades). For those that want even more control, HIPS is next.

Using HIPS doesn't mean having to give up policy enforcement. If the user deems themself equivalent to an OS guru then they probably feel the safety net of a policy enforcer under HIPS is not needed. For the rest of us, a safety net with or without HIPS is comforting as long as responsiveness of the host is not impacted. GesWall has been pleasantly unobtrusive not only in its behavior but also in its minimal impact on responsiveness of the host. I'm not giving up HIPS. I wanted to see if policy enforcement would provide additional protection and it can, and happily there is almost no impact on using GesWall.

I've seen nothing of policy enforcers that obviates the usefulness of HIPS for users that want more control. Using HIPS doesn't obviate the comfort of a quieter safety net under it, like using policy enforcement. GesWall doesn't obviate the need for HIPS if the user desires that level of control. Neither eliminates the need for the simpler heuristic or behavior analyzers and blacklists of anti-malware programs. Some users argue that sandboxes and VMs eliminate the anti-malware checkers but they don't understand that malware can go dark in those environments and fool the user into believing the unknown software is safe, so security on the real host is still required. I'm obviously not giving up the low or high levels of protection but was thinking of adding something in the middle.

Some users want to only use HIPS and not rely on GesWall as a security net. There are folks using HIPS that don't even feel the need for the low level protections (anti-malware scanners, heuristics, or behavior analyzers). Some users don't want to figure out how their apps and OS work to understand all the HIPS prompts and instead want to relinquish security to just using SRP or other policy enforcement (e.g., GesWall), behavior analyzers, and blacklist scanners. Some users want a mix where they have the immediate control of using HIPS, the quieter safety net of GesWall, and the flypaper scanners using blacklists and heuristics.

I don't see HIPS and GesWall as mutually exclusive. Some users want to use one or the other but not both. Some users do want to use both (like me), if possible, if no conflicts, and if not overly counterproductive. All security software is counterproductive but used as insurance to avoid the even higher counterproductivity from infestation. GesWall has so little perceptible impact on my host that it seems a viable addition to my security suite but I'm still teetering on whether I need GesWall with sandboxing or if GesWall will replace sandboxing. With GesWall, sandboxing is less needed by me since it is just a small step from GesWall to using a VM for a higher level of isolation. Having more choices as to the level of isolation can be handy but sometimes too many choices just makes for more work.

On an aside, I do have an issue with GesWall's use of the term "freeware" in the name of the free version of their product. Free is NOT the same as freeware. The free version of GesWall is not fully functional hence it does NOT qualify as freeware. Please read http://en.wikipedia.org/wiki/Freeware which states, "The only criterion for being classified as freeware is that the software must be fully functional for an unlimited time with no cost, monetary or otherwise." Visit alt.comp.freeware and you'll have lots to argue about in using "freeware" to name the free but crippled version. It should be renamed to Geswall Free, Geswall Personal Edition, or Geswall Limited (I'm sure GesWall Crippled Edition would never happen). "Freeware" is definitely not appropriate in the product's title for the free but crippled version. Again, free is NOT the same as freeware.
geswall (Site Admin; Joined: 05 Jun 2006, Posts: 240)
Posted: Thu Oct 16, 2008 9:22 pm

VanguardLH wrote:
If GesWall is reinstalled, will those previously tracked files get retracked?


Yes, the labels are effective in case of re-install.

VanguardLH wrote:

Does the tracking require use of NTFS to, say, utilize its alternate data stream feature to track which files are untrusted? If so, that tracking won't work for FAT. If the file system itself isn't used to track which files are untrusted by GesWall, is the file list hardened by being hashed and GesWall's driver protect it against alteration or deletion by any process other than the GesWall driver? Since the Untrusted Files scan has to go looking around for the untrusted files, it doesn't seem like GesWall is maintaining its own list and why it might be using ADS which would only work with NTFS.


NTFS is required but GeSWall doesn't use ADS.
An isolated application cannot alter GeSWall functionality. If a malware managed to run non-isolated it has much more attractive goals than attacking GeSWall. So it doesn't make sense to protect from a non-existing threat. Protection is implemented within the kernel mode driver; termination of GeSWall processes leads to the default action as in Orange mode.

Thanks for your comments regarding HIPS!

VanguardLH wrote:
The free version of GesWall is not fully functional hence it does NOT qualify as freeware.


Well, how do you know it is not fully functional? The fact that another product has more features doesn't make it "not fully functional".

VanguardLH wrote:
On an aside, I do have an issue with GesWall's use of the term "freeware" in the name of the free version of their product. Free is NOT the same as freeware. The free version of GesWall is not fully functional hence it does NOT qualify as freeware. Please read http://en.wikipedia.org/wiki/Freeware which states, "The only criterion for being classified as freeware is that the software must be fully functional for an unlimited time with no cost, monetary or otherwise."


There are many definitions of Freeware and wikipedia references just one of them. The name doesn't matter at the end, just meaning is important.

And the meaning is that GeSWall Freeware might be used free for any purpose including commercial. GeSWall Freeware has no limitations, it just lacks some features present in Professional Edition. The list of features is specified on the web site.


Last edited by geswall on Sat Oct 18, 2008 9:21 pm; edited 1 time in total
VanguardLH (Joined: 10 Oct 2008, Posts: 48)
Posted: Fri Oct 17, 2008 2:38 am

VanguardLH wrote:
The free version of GesWall is not fully functional hence it does NOT qualify as freeware.
geswall wrote:
Well, how do you know it is not fully functional? The fact that another product has more features doesn't make it "not fully functional".


Freeware doesn't list functions that are not implemented or are unusable.
- Context menu shows adding an app policy. That function is not usable.
- Popup dialogs about the paid Pro version when right-clicking on the tray icon. Freeware apps don't need to advertise they are not as featured as some other product.
- A tree node labeled "Untrusted Files" is displayed and the user can even execute a scan but then can do nothing regarding the found untrusted file. Functionality is not full and borders on lureware.
- A Terminate button is displayed for an isolated app. It is not functional (other to popup a lure).

If the product were truly freeware, it would be fully functional and every option or function shown within it would be available. That there are functions disabled in the free version proves it is not fully functional freeware. If these cripplings were hidden then it becomes a fully functional freeware version - because all functions presented would be usable, not lures.

geswall wrote:
The name doesn't matter at the end, just meaning is important.

There can only be meaning if there is a common definition to know what is that meaning. If the term doesn't matter then don't use it. Having a free version is much appreciated but calling it freeware is misleading. It's a minor point and perhaps nothing over which you have any influence. Marketing folks often misuse or abuse terms.

Free is nice.
The free version is [just] usable.
But the free version is not freeware.
Freeware has a different connotation than free software.
Tis perhaps a small and unimportant difference to non-wizard users.
It is a real difference to the computer literate.
If I'm looking for freeware, I'm not looking for crippleware.
If I'm looking for free software, I may settle for crippleware.

Crippleware has a negative connotation but that doesn't obviate that it may be useful if the crippling can be tolerated. Putting features into a free version that result in popups to buy a payware version actually devolves a product into a worse category than crippleware: lureware. The popup lures and disabled features mar a product that would otherwise present itself as an excellent free option. Alas, that is often the cost of free software - but NOT of freeware.

Yes, this is nitpicking. So one more response (by you) is probably all that should be allowed and then we keep to more technical matters regarding the free version. Thanks for the tolerance so far.
Mancini (Joined: 23 May 2008, Posts: 47)
Posted: Sat Oct 18, 2008 12:20 am

VanguardLH

Excuse me for saying so, but after reading each and every lengthy post you've written in the last week, I'm left with the feeling that basically... you really like to hear yourself talk.

Sorry, but it's true.
IDH (Joined: 21 Jun 2008, Posts: 7)
Posted: Sat Oct 18, 2008 11:09 am

Mancini wrote:
VanguardLH

Excuse me for saying so, but after reading each and every lengthy post you've written in the last week, I'm left with the feeling that basically... you really like to hear yourself talk.

Sorry, but it's true.


Mancini,
Suggest you do a name search at OA forums :lol:

VanguardLH,
The answers to nearly all the questions you have asked are in the Help and FAQ's if you had bothered to read them properly. You did read them, didn't you? :roll:
Mancini (Joined: 23 May 2008, Posts: 47)
Posted: Sat Oct 18, 2008 2:28 pm

IDH wrote:
Mancini,
Suggest you do a name search at OA forums :lol:

Spare me the pain, please. Your point is what?
VanguardLH (Joined: 10 Oct 2008, Posts: 48)
Posted: Sat Oct 18, 2008 2:29 pm

Mancini wrote:
VanguardLH

Excuse me for saying so, but after reading each and every lengthy post you've written in the last week, I'm left with the feeling that basically... you really like to hear yourself talk.

Sorry, but it's true.

I choose to be verbose. You choose to be terse. I'm not your clone nor volunteering to be one.
VanguardLH (Joined: 10 Oct 2008, Posts: 48)
Posted: Sat Oct 18, 2008 3:19 pm

IDH wrote:
VanguardLH,
The answers to nearly all the questions you have asked are in the Help and FAQ's if you had bothered to read them properly. You did read them, didn't you? :roll:


Please indicate which of those FAQ posts addressed my original question for this thread (about notification disabling either including or not including attack alerts).

I saw some posts from searches (not from the FAQs) that asked about what happens when GeSWall is uninstalled regarding the untrusted-marked files. I didn't find one that asked about what happens if the product got reinstalled, or just how GeSWall actually tracks those untrusted files, like if NTFS was used, if ADS from NTFS was used. Other than saying that my guesses were wrong on how tracking is accomplished, that question remained unanswered.

Most users don't want malware files to ever show up on their host even if those files are dormant. GeSWall may not prevent the pest from depositing its files on the user's host. The hope is that the pest's files are rendered ineffective regarding their malicious behavior *if* they are isolated by GeSWall. With GeSWall, the user will still have to clean up their host to eradicate any of the pest's files that managed to get onto their host. That's in a FAQ somewhere? Guess I missed that one.

Please indicate which of those FAQ posts addressed my question as to if lowering privileges for an isolated application would or would not add more security, or that the isolation masks out any effect from lowering privileges. Touching a topic that mentions lowered rights does NOT equate to addressing a specific question about that topic.

Um, just which FAQ post did you see that addressed why the free version of GeSWall would connect to hostforweb.com? Or mentions that the comparison list on their web page that states there are no app updates for the free version does NOT include the omission of updates for the hard-configured browser list pre-defined in the free version?

I saw mention in one FAQ that said, "restart is required because an isolated application can not be merely switched to non-isolated state without security breach". That does NOT address my question as to why the existing URL for the current page was not reused in the newly started non-isolated instance of the app.

Where in the FAQ does it mention that the user can take no action regarding an attack notification?

The free vs Pro comparison web page mentions *automatic* app policies by wizard in the Pro version. That description does NOT obviate availability of *manual* app policy definitions. Where in the FAQ does it mention the free version does NOT permit users to manually define app policies?

Do you actually believe that every user will enter a search string that guarantees that a minimal number of posts are found from which one or more of them are guaranteed to address the user's question? Do you actually believe every new user is going to read all posts before asking a question, that no new user will touch on an already addressed topic although perhaps want different information regarding that topic?

Did YOU read the FAQs? If you felt my posts were redundant of existing posts, why didn't you actually point to them? Why did you read my posts once you got far enough into them for you to deem them trivial and not worth your consideration?

I did read the FAQs. I did perform searches. What was found did not address MY questions. There may be posts that might have danced around my topic or even answered them but I didn't find them. Sorry, but new users will appear in these forums so what is stale to you is new to them.

To you and Mancini, perhaps you would find your visits here less stressful if you ignore my posts hereafter.


Last edited by VanguardLH on Sat Oct 18, 2008 4:49 pm; edited 1 time in total
Mancini (Joined: 23 May 2008, Posts: 47)
Posted: Sat Oct 18, 2008 4:23 pm

VanguardLH

Appreciate it if you keep your facts straight. You attributed a quote to me that was in fact written by another poster. Maybe when you're busy being verbose, you overlook accuracy?
VanguardLH (Joined: 10 Oct 2008, Posts: 48)
Posted: Sat Oct 18, 2008 4:45 pm

Mancini wrote:
VanguardLH

Excuse me for saying so, but after reading each and every lengthy post you've written in the last week, I'm left with the feeling that basically... you really like to hear yourself talk.

Sorry, but it's true.

This forum allows multiple users to use the same username? Nope.

The quoting error was a defect in this forum's software. You'll notice IDH was the one intended for quoting, not you. You were mentioned in my last sentence. I'll go fix the quoting that got screwed up.

UPDATE: Quoting fixed.
Mancini (Joined: 23 May 2008, Posts: 47)
Posted: Sat Oct 18, 2008 8:02 pm

VanguardLH wrote:
I'll go fix the quoting that got screwed up.

Now that you've fixed the quoting that you screwed up, let's set you straight on what FREE means. It means there is no cost. The vast majority of people already know that. If one insists on getting scientific, then merriam-webster.com defines freeware as "software that is available for use at no cost or for a nominal usually voluntary fee". Everything that you wrote about freeware is best described as bullshitware. :wink:
tiroolmary (Joined: 06 Apr 2011, Posts: 21)
Posted: Thu Apr 07, 2011 9:22 am

VanguardLH, your posts are very tiresome to read... I will appreciate your posts if you find ways to shorten them.. Thanks.