GentleSecurity.com : Online Documentation

Restrictions

Is there anyway to restrict process creation?
Is there a way to restrict network traffic coming from a program, such as denying network access altogether?
When a log entry reads \"Deny C115 message to...\" what does that mean? What is a C115 message? Are there other Deny codes I might see?
Why do we need to block some messages? Is it dangerous?

Q: Is there anyway to restrict process creation?
A: Process creation is not restricted because it doesn't make sense with GeSWall. Just start an IE as isolated and any spawned process will be inherently isolated as well. So even if somebody starts a malware through IE tricks it will not make damage. Whenever an isolated IE creates a file GeSWall tracks it down. Next time you try to run that file, GeSWall will pop up a dialog saying that file source is untrusted and suggesting isolate it as well. When "Orange security level" is used, isolation comes automatically without pop-ups http://www.gentlesecurity.com/docs/seclevels.html If file is a DLL, that DLL will be prevented to be loaded into trusted process. If file is a driver it will be blocked to load into kernel, if file is vbs "Windows Script Host" gets isolated while translating the script, etc..

Q: Is there a way to restrict network traffic coming from a program, such as denying network access altogether?
A: No, that is job for Personal Firewall. That is principal, instead of blocking network traffic GeSWall isolates an application itself. In order to prevent leaks, GeSWall additionally blocks an access to confidential files. Though there are products which restrict files/processes creation and network traffic, GeSWall works in opposite direction. You may run what ever you want, but it will be isolated. That makes GeSWall is less intrusive and doesn't introduce a hole.

Q: When a log entry reads \"Deny C115 message to...\" what does that mean? What is a C115 message? Are there other Deny codes I might see?
A: "DENY C115 message to" means that windows message directed to specified process was blocked. C115 is a hex number of message code. Messages are blocked in order to prevent Shatter attacks
(http://security.tombom.co.uk/shatter.html). You may see log entries with different messages codes from 0 up to 0xffff.

Q: Why do we need to block some messages? Is it dangerous?
A: Usually windows applications and core components send plenty of various messages. GeSWall blocks only
potentially harmful messages from an isolated application. Those messages are optional and blocking them
doesn't affect normal application functionality. Please note, the log in GeSWall Console particularly useful for debugging application problems while authoring specific rules for new applications. If you are interested in more technical details on how harmful messages could be, and how GeSWall blocks them, you can check the demo we provide http://www.gentlesecurity.com/demo.html . It works as VBS script which simulates various intrusions. So you may study the script code and change it for your tests.