Protection
Q: Is it safe to use it alone or is it
better to use it with a firewall & AV?
A: As a general rule, at least incoming traffic to the SMB protocol ports must be
blocked. This can be achieved by network separation without routing, or by a firewall;
the Windows XP firewall is sufficient for that purpose. Though GeSWall prevents attacks,
it does not recognize them. E.g. if you browse a malware web site, GeSWall will prevent
the attack from going beyond the web browser, but it will not warn you about the attack,
because it has no attack signatures. GeSWall uses standard restrictions to prevent the
damage an attack could do: http://www.gentlesecurity.com/restriction.html
AV uses known attack signatures to detect an attack and block it to prevent damage.
Thus the net result is the same, but with AV you get warned that you are being attacked.
On the other hand, AV blocks only known attacks and fails against "zero-days" and user
mistakes. So, although AV is not required with GeSWall, there is nothing wrong with using
AV as a supplement to GeSWall: GeSWall will block unknown attacks, and AV will warn you
once the AV vendor has become aware of the attack.
Q: You mention rootkits on your site, but provide
no guidelines and no examples of how you prevent or identify rootkit attacks
A: GeSWall isolates applications that may serve as entry points for malicious
software or intrusions and labels files created by those isolated applications
as "untrusted". If an untrusted file is a driver, GeSWall prevents it from being
loaded into the kernel; that stops kernel-mode rootkits. If the file is an executable
or a DLL, GeSWall isolates it on execution or prevents it from being loaded into trusted
processes, which prevents a user-mode rootkit's keylogging, spreading, stealing of
confidential data and backdooring. In order to evaluate GeSWall's prevention mechanisms
you should run the rootkit from an isolated application or download it with an isolated
application, so that GeSWall records that the file has an untrusted source. E.g. if you
start a rootkit from a CD (Sony DRM) it will not be tracked in the default mode. However,
you can set additional sources of untrusted software, such as \Device\CdRom
(http://www.gentlesecurity.com/tips.html#sonydrm).
Q: I am using the latest version of GeSWall and my AV discovered a Trojan/Backdoor
in my system32 folder. How did it get round GeSWall?
A: There is a difference between the presence of a virus/trojan and having it
running. For example, on one of our systems we have dozens of viruses, but the
machine is not infected because the viruses are not running, just stored. The
problem is when you have that trojan executable running. File presence alone does
not flag a problem yet. There are security products that prevent creating files,
but GeSWall is designed to work in a different way. Instead of blocking file creation
(no matter what the destination: system32, temp, etc.) GeSWall tracks files created
by isolated applications. Assume you have somehow received that trojan through the
isolated browser. GeSWall will not prevent the file from being written to system32.
However, when the trojan starts, GeSWall will isolate it and prevent the damage posed
by this trojan: no trusted file can be modified or deleted, no confidential data can
be leaked. So basically the trojan is locked within GeSWall's isolation layer and
cannot do harm. Additionally, GeSWall prevents subsequent auto-runs (when it is started
without your intent on some event: every boot, logon, etc.) of this trojan. Most places
used by malware for auto-run are covered by this tool:
http://www.sysinternals.com/Utilities/Autoruns.html.
It means that the trojan will not be installed in the system and cannot be restarted
later.
GeSWall uses this "tracking" approach in order to be as non-intrusive as possible.
Nobody knows in advance whether a file is dangerous or not, and preventing file
creation in system32 may break the functionality of certain applications. Using
"tracking", GeSWall avoids those problems and keeps the security measures at a high level.
In that scenario you would need an antivirus in order to clean the malware files from
your system, once the vendor becomes aware of them. But, again, the mere presence of
malware files on your disk does not mean that you are infected by the malware.
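The "tracking" model described in the two answers above (untrusted labels on files created by isolated applications, isolation on execution, no driver loading, no auto-run, no access to trusted or confidential files), as a constructed toy model added here for illustration; it is not GeSWall's code, and the paths, the confidential file and the driver name are assumed sample values.

```python
# Constructed toy model of the "tracking" approach this FAQ describes; it is not
# GeSWall's code, and the paths, confidential file and driver name are made up.
from dataclasses import dataclass, field

ALWAYS_TRUSTED = {r"C:\Windows\System32\svchost.exe"}  # never isolated (per FAQ)
UNTRUSTED_SOURCES = (r"\Device\CdRom",)                 # optional extra source (per FAQ)
CONFIDENTIAL = {r"C:\Users\me\Documents\bank.txt"}      # assumed confidential file

@dataclass
class Tracker:
    untrusted: set = field(default_factory=set)  # files created by isolated apps
    isolated: set = field(default_factory=set)   # pids currently running isolated
    next_pid: int = 1000

    def start(self, path, isolated=False):
        # An untrusted file runs isolated whoever launches it (even the user from a
        # trusted shell); core services stay trusted even if isolation is requested.
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        if path in ALWAYS_TRUSTED:
            isolated = False
        elif path in self.untrusted or path.startswith(UNTRUSTED_SOURCES):
            isolated = True
        if isolated:
            self.isolated.add(pid)
        return pid

    def create_file(self, pid, path):
        # Creation is never blocked (system32 included); the file is labelled instead.
        if pid in self.isolated:
            self.untrusted.add(path)
        return True

    def write_file(self, pid, path):
        # Isolated processes may only modify or delete files that are themselves untrusted.
        return pid not in self.isolated or path in self.untrusted

    def read_file(self, pid, path):
        # Isolated processes cannot read confidential data, so there is nothing to leak.
        return pid not in self.isolated or path not in CONFIDENTIAL

    def load_driver(self, path):
        # Kernel-mode rootkits: an untrusted driver is never loaded into the kernel.
        return path not in self.untrusted

    def set_autorun(self, pid, key, path):
        # Isolated processes cannot register auto-run entries (Run keys, services),
        # so the trojan is not installed and will not be restarted on boot or logon.
        return pid not in self.isolated
```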
Q: Why does GeSWall not pass firewall leak tests?
A: Instead of blocking traffic, GeSWall isolates the application. The advantage of
this approach is better usability and better security, as "leak tests" do not expose
a security hole in GeSWall. Battling the "leaks" will never be successful, and "covert
channels" to send the information out will always exist. A good reading on this:
http://www.security.nnov.ru/advisories/bypassing.asp?l=EN
GeSWall prevents leaks in the first place by preventing access to confidential files.
Q: I was able to use the exploit against RPC DCOM to get a shell and then install a
service on the machine. I know accessing the registry from a protected application
(or something downloaded through it) should be impossible. Is this correct, or can
services be installed using valid CreateService() system calls?
A: GeSWall prevents installing services by registry modification and by system APIs
(including CreateService), but only for isolated applications. In your case, the
"RPC DCOM" service is not isolated because it is hosted by svchost.exe, which is always
trusted (meaning never isolated) by the default settings
(GeSWallConsole\Applications\system\svchost.exe). Though you can change this, we do not
recommend it, because there are no rules for that process and the machine may end up
in an unbootable state. GeSWall for desktops is not intended to isolate services. For
that you should use GeSWall Server Edition, which targets services and other
non-interactive applications. But even in this case we are not going to isolate certain
system services, because it is quite tricky and could lead to many failures. That means
GeSWall's security depends on the security of the core system components: kernel,
drivers and key services - the TCB (Trusted Computing Base). If one of those components
has a hole, then GeSWall, as well as any other security product, is out of business,
because at that point the whole system can be subverted.
Q: If there is already malware on the computer, does GeSWall have any effect on it?
A: By default, GeSWall trusts all files unless they are created by isolated
applications. So it is assumed that GeSWall is installed on a clean (malware-free)
machine in the first place. However, GeSWall allows you to specify what is untrusted
and must be isolated.