Q: Is there any way to restrict process creation?
A: Process creation is not restricted because it doesn't make sense with GeSWall.
Just start IE as isolated, and any process it spawns will inherently be isolated
as well. So even if somebody starts malware through IE tricks, it will not do
damage. Whenever an isolated IE creates a file, GeSWall tracks it. The next time
you try to run that file, GeSWall pops up a dialog saying that the file's source
is untrusted and suggesting that it be isolated as well. When the "Orange
security level" is used, isolation is applied automatically without pop-ups:
http://www.gentlesecurity.com/docs/seclevels.html
If the file is a DLL, that DLL is prevented from loading into a trusted process.
If the file is a driver, it is blocked from loading into the kernel; if the file
is a VBS script, Windows Script Host is isolated while it interprets the script,
etc.
Q: Is there a way to restrict network traffic coming
from a program, such as denying network access altogether?
A: No, that is a job for a personal firewall. That is the principle: instead of
blocking network traffic, GeSWall isolates the application itself. In order to
prevent leaks, GeSWall additionally blocks access to confidential files. Though
there are products which restrict file/process creation and network traffic,
GeSWall works in the opposite direction: you may run whatever you want, but it
will be isolated. That makes GeSWall less intrusive and doesn't introduce a hole.
Q: When a log entry reads "Deny C115 message to..." what does that mean? What
is a C115 message? Are there other Deny codes I might see?
A: "DENY C115 message to" means that a Windows message directed to the specified
process was blocked. C115 is the hex value of the message code. Messages are
blocked in order to prevent shatter attacks
(http://security.tombom.co.uk/shatter.html).
You may see log entries with different message codes, from 0 up to 0xffff.
Q: Why do we need to block some messages? Is it dangerous?
A: Windows applications and core components normally send plenty of different
messages. GeSWall blocks only potentially harmful messages from an isolated
application. Those messages are optional, and blocking them doesn't affect
normal application functionality. Please note that the log in GeSWall Console
is particularly useful for debugging application problems while authoring
specific rules for new applications. If you are interested in more technical
details on how harmful messages can be, and how GeSWall blocks them, you can
check the demo we provide: http://www.gentlesecurity.com/demo.html
It works as a VBS script which simulates various intrusions, so you may study
the script code and change it for your tests.
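As an added example of reading the "DENY <hex> message to <process>" entries described in the two answers above (this is not code from the FAQ or from GeSWall itself): the script parses such lines, decodes the hex message code into the Win32 message range it falls in, and counts repeated blocks per target process, the kind of summary that helps when tuning rules from the GeSWall Console log. The exact log-line shape and the sample lines are assumptions modelled on the entry quoted in the FAQ.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Win32 message-number ranges (Windows SDK docs for WM_USER, WM_APP and
# RegisterWindowMessage), used only to interpret a logged code.
MESSAGE_RANGES = [(0x0000, 0x03FF, "system-defined (WM_*)"),
                  (0x0400, 0x7FFF, "private, WM_USER range"),
                  (0x8000, 0xBFFF, "private, WM_APP range"),
                  (0xC000, 0xFFFF, "registered via RegisterWindowMessage")]
# A few well-known system message names, for readable output.
KNOWN_NAMES = {0x000C: "WM_SETTEXT", 0x004A: "WM_COPYDATA", 0x0113: "WM_TIMER"}
# Assumed log-line shape, modelled on the "DENY C115 message to ..." entry in the FAQ.
DENY_RE = re.compile(r"\bDENY\s+([0-9A-Fa-f]{1,4})\s+message\s+to\s+(\S.*)", re.IGNORECASE)

@dataclass(frozen=True)
class DeniedMessage:
    code: int
    target: str
    category: str
    name: str  # WM_* name if known, otherwise the hex code

def classify_message(code: int) -> str:
    """Map a 16-bit message number onto the Win32 range it belongs to."""
    for low, high, label in MESSAGE_RANGES:
        if low <= code <= high:
            return label
    raise ValueError(f"message code {code:#x} outside 0..0xFFFF")

def parse_deny_line(line: str):
    """Decode a DENY line into a DeniedMessage; return None for any other log line."""
    match = DENY_RE.search(line)
    if match is None:
        return None
    code = int(match.group(1), 16)
    name = KNOWN_NAMES.get(code, f"0x{code:04X}")
    return DeniedMessage(code, match.group(2).strip(), classify_message(code), name)

def summarize_denies(lines) -> Counter:
    """Count blocks per (target, message name); repeats stand out when tuning rules."""
    counts = Counter()
    for line in lines:
        entry = parse_deny_line(line)
        if entry is not None:
            counts[(entry.target, entry.name)] += 1
    return counts

# Constructed sample log lines (not real GeSWall output).
SAMPLE_LOG = ["DENY C115 message to explorer.exe", "DENY C115 message to explorer.exe",
              "DENY 0113 message to services.exe", "ALLOW file read C:\\temp\\readme.txt"]
```

Running summarize_denies over a real console log would show which target process and message code are blocked most often, which is where a rule for a new application usually needs attention.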