GentleSecurity.com

GeSWall product (description and comparison)

 

Q: What is GeSWall?
A: GeSWall is a non-intrusive, easy-to-use intrusion prevention system. It does not restrict network connections and does not use attack signatures or heuristics. Instead of blocking particular attack techniques, GeSWall focuses on attack objectives: taking control of the PC, stealing data, breaking system integrity, and so on. By this approach GeSWall prevents all attacks that involve damage, whatever the vector: malicious software (viruses, trojans, spyware), software vulnerabilities (buffer overflows, privilege escalation, etc.), misconfiguration, and unknown "zero-day" attacks. For example, GeSWall has been stopping the Windows Metafile (WMF) exploits.
GeSWall is designed to be as non-intrusive as possible. You can keep browsing, mailing, chatting, sharing files and so on exactly as you would without GeSWall. Web browsers, mail clients, chat messengers, file sharing clients, office, multimedia and other internet applications become safe to use under the GeSWall policy. At the same time you can create files, start processes and access internet resources without restrictions. The files you create and work with remain; they are not discarded, as happens with virtualization solutions. GeSWall also requires no configuration and no learning mode.
GeSWall is intended for regular operation of "trusted" or "safe" internet applications: you do your regular work (browsing, reading mail, chatting, etc.) non-intrusively, and GeSWall Personal Edition prevents the attacks that arrive through these applications. Note that "trusted" here means that you trust at least the installation of the program.


Q: How GeSWall protects?
A: GeSWall isolates applications that may serve as entry points for malicious software or intrusions. Viruses, trojans, spyware, keyloggers and exploits cannot pass through an isolated application, so they cannot cause damage. By default only the applications in GeSWall's application database are isolated. To see the prevention mechanism in action, run a piece of malware from an isolated application, or download it with an isolated application: GeSWall then tracks the file as having an untrusted source. Malware started from a CD is not tracked in the default mode.
GeSWall tracks the data flow of untrusted applications: files, registry entries and so on. For example, GeSWall does not prevent a browser from creating a new file, but it isolates (restricts) any application that later uses that file. This approach lets the GeSWall policy work non-intrusively in a real-life environment.


Q: What is the difference between GesWall and personal firewalls?
A: GeSWall works fundamentally differently: it does not restrict network connections the way personal firewalls do. Instead of blocking traffic, GeSWall isolates the application. This gives better usability and better security, since firewall "leak tests" do not open a hole in GeSWall.
A firewall protects only if the malware needs network access and the firewall judges that connection suspicious. These assumptions are not sufficient to ensure security:

  • Malware may not need network access at all; its only purpose may be to disrupt your computer. It may also be root-level malware: a rootkit loaded into the Windows kernel as a driver, which bypasses any firewall restriction.
  • A firewall allows network access to "trusted" (non-suspicious) applications such as IE, Firefox and Outlook, but many firewalls have incomplete checks that the application is really still trusted. You can also be hacked from within a "trusted" application: numerous attacks do not execute an additional process but inject their code into the address space of a non-suspicious process, e.g. buffer overflow attacks such as the Code Red worm.
  • Firewalls cannot reliably prevent data leaking through covert channels, and they are vulnerable to leak attacks.

Q: What is the difference between GesWall and sandbox products?
A: GeSWall is not a sandbox. The best sandbox you can afford is a separate machine, or VMware/Virtual PC; everything else is by definition an incomplete solution and will always have some flaws. Virtualization and sandboxing solutions create strictly separated environments: the fewer links between the environment and the rest of the system, the better the sandbox, and that is the source of the usability problems. Running a browser in a sandbox is fine, but you would be reluctant to use an e-mail client there. Instead of breaking the links, GeSWall tracks the data flow of untrusted applications: files, registry entries and so on. For example, GeSWall does not prevent a browser from creating a new file, but it keeps track of files created by isolated applications and isolates (restricts) any application that uses those files.

Q: So, GeSWall is basically an isolator that lowers the rights of programs. Isn't that what limited user does, or does GeSWall do it better, use hardening techniques?
A: Isolation does not mean "lowering rights". GeSWall's isolation implies a security policy that effectively prevents attack damage. The only restrictions imposed are on leaving the isolation layer, that is, on damaging the system outside the given application. The "lowering rights" approach removes all of an application's rights, including those the application may actually need; in practice only a limited set of programs work with lowered rights at all.
With GeSWall, an application has no restrictions unless it starts to modify global system settings:

  • no restrictions on network access
  • no restrictions on creating files
  • no restrictions on execution
  • modification of trusted files is virtualized, so you do not notice that restriction.

The only visible restriction, and the one that stops most installations, is that isolated applications cannot create new registry keys (values are not affected). In the past this was virtualized too, and you could install and temporarily use software or an ActiveX control without any error. But that gave a false impression of a correct installation, so we had to disable the creation of new registry keys by isolated applications unless it is explicitly enabled. In most cases you do not notice the GeSWall policy at all, because the Application Database contains rules that enable correct functionality for the most popular applications.
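The following Python model is an added illustration of the policy described in the last three answers (untrusted-source tracking, virtualized writes to trusted files, and the visible "no new registry keys" restriction). It is not GeSWall's code: the real product enforces this in a Windows kernel driver whose internals the page does not show. The process names, file paths, registry key, the per-image "may create keys" exception list and the matching of application-database entries by executable basename are all constructed assumptions for the example.

```python
# Added illustration, not GeSWall code: a toy model of the tracking policy
# described above. Process names, paths and registry keys are constructed.
from dataclasses import dataclass

TRUSTED, ISOLATED = "trusted", "isolated"


@dataclass
class Process:
    name: str
    image: str      # path of the executable
    level: str      # TRUSTED or ISOLATED


class IsolationPolicy:
    """Tracks data flowing out of isolated applications and restricts only
    the operations that would leave the isolation layer."""

    def __init__(self, app_database, trusted_files, allow_new_keys=()):
        self.app_database = set(app_database)     # isolated by default (by image name)
        self.files = dict(trusted_files)           # the real file system
        self.trusted_files = set(trusted_files)
        self.untrusted_files = set()               # written by isolated processes
        self.shadow = {}                           # (process, path) -> private copy
        self.registry_keys = {"HKLM\\Software"}    # constructed existing key
        self.allow_new_keys = set(allow_new_keys)  # assumed per-image exceptions
        self.log = []

    def start(self, name, image, parent=None):
        # Isolate if the image is in the application database, if the image
        # itself came from an untrusted source, or if the parent is isolated.
        basename = image.rsplit("\\", 1)[-1]
        isolated = (basename in self.app_database
                    or image in self.untrusted_files
                    or (parent is not None and parent.level == ISOLATED))
        proc = Process(name, image, ISOLATED if isolated else TRUSTED)
        self.log.append(f"start {name} ({image}): {proc.level}")
        return proc

    def connect(self, proc, host):
        # Network access is never restricted, isolated or not.
        self.log.append(f"{proc.name} connect {host}: allowed")
        return True

    def write_file(self, proc, path, data):
        if proc.level == ISOLATED and path in self.trusted_files:
            # Modifying a trusted file is virtualized: the process sees its
            # own copy while the real file stays untouched.
            self.shadow[(proc.name, path)] = data
            self.log.append(f"{proc.name} write {path}: virtualized")
            return "virtualized"
        self.files[path] = data
        if proc.level == ISOLATED:
            self.untrusted_files.add(path)         # remember the untrusted source
        self.log.append(f"{proc.name} write {path}: allowed")
        return "allowed"

    def read_file(self, proc, path):
        if proc.level == TRUSTED and path in self.untrusted_files:
            # A trusted process that consumes untrusted data is isolated from
            # now on, so whatever is in the file cannot leave the layer.
            proc.level = ISOLATED
            self.log.append(f"{proc.name} read {path}: now isolated")
        return self.shadow.get((proc.name, path), self.files.get(path))

    def create_registry_key(self, proc, key):
        # The one visible restriction: an isolated application may not create
        # new keys unless the application database explicitly allows it.
        basename = proc.image.rsplit("\\", 1)[-1]
        if proc.level == ISOLATED and basename not in self.allow_new_keys:
            self.log.append(f"{proc.name} create key {key}: denied")
            return False
        self.registry_keys.add(key)
        self.log.append(f"{proc.name} create key {key}: allowed")
        return True


def demo():
    """Constructed scenario: a browser download, then the user runs it."""
    hosts = "C:\\Windows\\System32\\drivers\\etc\\hosts"
    run_key = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    p = IsolationPolicy(app_database={"firefox.exe"},
                        trusted_files={hosts: "127.0.0.1 localhost"})
    browser = p.start("browser", "C:\\Program Files\\Firefox\\firefox.exe")
    p.connect(browser, "example.com")
    p.write_file(browser, "C:\\Downloads\\setup.exe", "MZ...")        # allowed, tagged
    p.write_file(browser, "C:\\Downloads\\invoice.doc", "...")         # allowed, tagged
    explorer = p.start("explorer", "C:\\Windows\\explorer.exe")        # trusted
    setup = p.start("setup", "C:\\Downloads\\setup.exe", parent=explorer)
    p.write_file(setup, hosts, "0.0.0.0 update.example.com")          # virtualized
    run_ok = p.create_registry_key(setup, run_key)                     # denied
    word = p.start("word", "C:\\Program Files\\Office\\winword.exe")   # trusted...
    p.read_file(word, "C:\\Downloads\\invoice.doc")                    # ...until it opens the download
    cdapp = p.start("cdapp", "D:\\autorun.exe")                        # from CD: not tracked
    return p, {
        "setup_level": setup.level,
        "real_hosts": p.files[hosts],
        "setup_view": p.read_file(setup, hosts),
        "run_key_created": run_ok,
        "word_level": word.level,
        "cd_level": cdapp.level,
    }


if __name__ == "__main__":
    policy, result = demo()
    print("\n".join(policy.log))
    print(result)
```

Running the script prints the decision log: the downloaded setup.exe runs isolated even though a trusted Explorer launched it, its edit of the hosts file lands in a private copy while the real file is unchanged, its autostart key is refused, Word becomes isolated the moment it opens the downloaded document, and the program started from the CD stays trusted because nothing tagged it, matching the default-mode behaviour described above.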

Q: What about comparing GeSWall with hardening software, AV and Behaviour Blockers?
A: "Hardening" tools have a limited scope because they statically disable a limited subset of an attacker's techniques. Behavior blockers can block attack behaviors dynamically, but behavior blockers, like AV, use a signature-based or black-list approach, and their lists are never complete. Creating a new, unrecognized variant of a virus is too easy nowadays, given the number of generators, packers and similar tools available.

Q: In limited user with one of those hardening tools, an AV, an AS, and a bi-directional Firewall, what does GeSWall specifically add to this setup?
A: GeSWall adds ensured security: security that is independent of attack techniques, attack signatures and heuristics, and that requires no configuration. At the same time it is non-intrusive and easy to use. With GeSWall you can securely surf the web, open e-mail attachments, chat, exchange files and so on, regardless of the security threats posed by the internet. GeSWall prevents damage from malicious software and intrusions by isolating applications. Isolation applies an access restriction policy that effectively prevents various attacks, including:

  • Confidential files disclosure
  • Intrusions
  • Malicious software spreading
  • Backdoors, rootkits, key loggers
Copyright 2006 GentleSecurity