Found great new security app, DefenseWall HIPS

richardrds

Senior member
Dec 7, 2004
303
0
0
I use the following 5 layered approach, and the good news is all the products are freeware, except for the HIPS. I also stopped using IE and Outlook for my browser and email apps and now use Firefox and Thunderbird instead. http://www.mozilla.com/firefox/ http://www.mozilla.com/thunderbird/

I was also going to use a Limited Account Login (restricted privileges) and a Hosts file to filter known bad web sites to complement my security setup, but after getting confidence in the abilities of my HIPS application I have decided not to use them. I could actually run the HIPS app and Firewall app by themselves without any other security apps and my PC would be 100% protected (OK, 99.9999%, nothing is 100% but with this app it sure comes close) but I use the other layers/apps as insurance and to remove dead (non-running) malware corpse files from my hard drive.

L1. FireWall -
I am now using the free version of ZoneAlarm for this. This acts like an inbound stealth FW (hides your TCP/UDP ports from unsolicited web scanning) and an outbound application FW (you set PC apps that can access the web, and can block server mode access to the apps). http://www.zonelabs.com/store/content/c...al_zaFamily.jsp?lid=home_freedownloads

L2. Anti Virus -
I am now using Avast. It has a freeware version that is almost identical to the paid version. With the free version you get auto updates, real time on-access monitoring, and the ability to manually run on-demand scanning (quick or thorough). The only major advantage of the paid version is you can auto schedule your on-demand scanning (quick or thorough). So I just have to remember to manually run a weekly on-demand thorough scan with the free version; I use the Windows scheduled task manager to automatically run daily quick scans for me via quickscan.exe. http://free.grisoft.com/doc/2/lng/us/tpl/v5

L3. Anti Trojan -
I am now using the free version of Ewido. The main difference between the free version and the paid version is the free version does not have any real time monitoring or auto updates. I manually run weekly on-demand scans. http://www.ewido.net/en/

L4. Anti Spyware/IDS -
I am using Microsoft AntiSpyware for this. It is a free program that is in beta, but seems to be bug free (at least of major bugs). It does auto updates, auto on-demand scans, and has 59 real time agents that act like an IDS (Intrusion Detection System) which monitor things like changes to startup programs, registry changes, etc., and give warning pop-ups. http://www.microsoft.com/athome/security/spyware/software/default.mspx

L5. HIPS (Host Intrusion Prevention System) -
I use DefenseWall for this. I consider this the crown jewel of my suite, and it is worth every penny of its reasonable $29 cost (30 day free trial). With DW I can surf the web like a newbie and don't have to worry about being hacked by malware. If I get hacked the infection is limited to the sandbox and I can flush the sandbox with the press of one button and be back to normal. Any malware corpses that are left behind will be cleaned from my PC during my next scheduled scans. I have not personally used or tried similar type apps like Sandboxie or BufferZone, but from what I have read on forums DW seems to be easier to use and safer than those products. Following is the blurb from their website:

DefenseWall HIPS (Host Intrusion Prevention System) is the simplest and easiest way to protect yourself from malicious software (spyware, adware, keyloggers, rootkits, etc.) when you surf the Internet! Using the next generation proactive protection technologies, sandboxing and virtualization, DefenseWall HIPS helps you achieve a maximum level of protection against malicious software, while not demanding any special knowledge or ongoing online signature updates.

DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups. Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications. In the case of penetration by malicious software via one of the untrusted applications (web browsers etc), it cannot harm your system and may be closed with just one click! With DefenseWall HIPS, Internet surfing has never been so simple, safe and easy. Try it today, and you will be convinced! http://www.softsphere.com/

There is a thread at the Wilders Security Forum that is being used as the unofficial support thread for this product; the application's creator monitors that thread daily and provides quick enhancements and bug fixes (mostly compatibility issues with other HIPS/IDS software) for the product. The thread is titled as the beta testing of DefenseWall, but the app has been released since late November '05. http://www.wilderssecurity.com/showthread.php?t=98240&highlight=defensewall
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Congrats, you've added a 5th piece of bloat to your system, simply to do what is already built into your operating system!
 

richardrds

Senior member
Dec 7, 2004
303
0
0
Originally posted by: kamper
Congrats, you've added a 5th piece of bloat to your system, simply to do what is already built into your operating system!


LOL, yeah right, along with the thousands of security holes that are built into my OS. We are talking about Windows OSes (XP Home SP2 here). It is so nice of MS to give all these extra security holes for free, and they don't even charge extra for them!!!!
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I was also going to use a Limited Account Login (restricted privileges) and a Hosts file to filter known bad web sites to complement my security setup, but after getting confidence in the abilities of my HIPS application I have decided not to use them.

A limited user account is one of the most important pieces to a security plan. Not utilizing this simple piece of the puzzle is stupid. Period.

This acts like an inbound stealth FW (hides your TCP/UDP ports from unsolicited web scanning)

"Cloaking" your ports does nothing, it's a waste of time.

DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups. Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications.

So it basically jails untrusted applications... If you ran as a non-admin user you wouldn't have to worry about applications messing with system files or parameters. I haven't found a list of trusted applications yet, but I'm kind of scared to see what's on the list...
 

richardrds

Senior member
Dec 7, 2004
303
0
0
Originally posted by: n0cmonkey
I was also going to use a Limited Account Login (restricted privileges) and a Hosts file to filter known bad web sites to complement my security setup, but after getting confidence in the abilities of my HIPS application I have decided not to use them.

A limited user account is one of the most important pieces to a security plan. Not utilizing this simple piece of the puzzle is stupid. Period.

This acts like an inbound stealth FW (hides your TCP/UDP ports from unsolicited web scanning)

"Cloaking" your ports does nothing, it's a waste of time.

DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups. Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications.

So it basically jails untrusted applications... If you ran as a non-admin user you wouldn't have to worry about applications messing with system files or parameters. I haven't found a list of trusted applications yet, but I'm kind of scared to see what's on the list...


Take the time to research how the DefenseWall HIPS works before making such uninformed assumptions. All the security experts over at the Wilders Security Forum have had nothing but praise for this app. It is a whole new approach to security HIPS, combining a sandbox virtualization system with trusted and untrusted apps. The simple definition of untrusted apps for this software is any app that accesses the Internet (i.e. web browsers, email clients, P2P clients, media players, etc.). Once you have set up all your apps that access the Internet as untrusted, the processes (children) that they spin off are automatically also untrusted and isolated to the sandbox so you can't get infected.
You do not need to run as a limited account with this HIPS because the HIPS puts the same kind of restrictions on untrusted apps and their children as a limited account does (plus more).
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: richardrds
Take the time to research how the DefenseWall HIPS works before making such uninformed assumptions. All the security experts over at the Wilders Security Forum have had nothing but praise for this app. It is a whole new approach to security HIPS, combining a sandbox virtualization system with trusted and untrusted apps. The simple definition of untrusted apps for this software is any app that accesses the Internet (i.e. web browsers, email clients, P2P clients, media players, etc.). Once you have set up all your apps that access the Internet as untrusted, the processes (children) that they spin off are automatically also untrusted and isolated to the sandbox so you can't get infected.
You do not need to run as a limited account with this HIPS because the HIPS puts the same kind of restrictions on untrusted apps and their children as a limited account does (plus more).

I haven't seen anything about this on other security forums, and I don't recognize a name on that forum. Nothing wrong with that, but I've got no reason to trust it either.

I said I can't find a list of untrusted applications, nor can I find their documentation. What kinds of techniques do they use to ensure the attacker cannot break out of the sandbox? Running as a limited user would help there, since if they do break out they can't do a whole lot (you know, security 101: layers). How do they keep users from messing with the HIPS while it's running, if they're using admin accounts?

What kind of reporting does the application do? How does it identify attacks (when reporting, not when the attack is happening) without signatures?

How does the sandbox differ from using a limited account for everything you do on a day to day basis?

Using a limited user account isn't just about what IE is doing. It goes deeper than that.

BTW, the approach isn't new. Sandboxing has been used for a long long time. And it's "etc."

EDIT: Don't think I'm speaking out against this unknown and undocumented closed source software from a company I've never heard of. If I had a spare Windows machine I'd even try it out. I just think relying on one single product shoveled on top of an OS that's proven itself in the past to be silly. Defense in depth and all that.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: richardrds
Originally posted by: n0cmonkey
I was also going to use a Limited Account Login (restricted privileges) and a Hosts file to filter known bad web sites to complement my security setup, but after getting confidence in the abilities of my HIPS application I have decided not to use them.

A limited user account is one of the most important pieces to a security plan. Not utilizing this simple piece of the puzzle is stupid. Period.

This acts like an inbound stealth FW (hides your TCP/UDP ports from unsolicited web scanning)

"Cloaking" your ports does nothing, it's a waste of time.

DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups. Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications.

So it basically jails untrusted applications... If you ran as a non-admin user you wouldn't have to worry about applications messing with system files or parameters. I haven't found a list of trusted applications yet, but I'm kind of scared to see what's on the list...


Take the time to research how the DefenseWall HIPS works before making such uninformed assumptions. All the security experts over at the Wilders Security Forum have had nothing but praise for this app. It is a whole new approach to security HIPS, combining a sandbox virtualization system with trusted and untrusted apps. The simple definition of untrusted apps for this software is any app that accesses the Internet (i.e. web browsers, email clients, P2P clients, media players, etc.). Once you have set up all your apps that access the Internet as untrusted, the processes (children) that they spin off are automatically also untrusted and isolated to the sandbox so you can't get infected.
You do not need to run as a limited account with this HIPS because the HIPS puts the same kind of restrictions on untrusted apps and their children as a limited account does (plus more).

But pretty much everything you describe can be done straight out of the box with the OS using limited accounts.
 

Frodolives

Platinum Member
Nov 28, 2001
2,190
0
0
First off, thanks to the OP for openly sharing his setup and producing an informative discussion. I feel sort of as though I'm watching "Antiques Roadshow" and he's the guy that is being set up to be told that his Civil War sword was made in China last year, hehe. I'm just teasing of course, because richardrds, I also find your remarks worth consideration.

At any rate I know I've been needing to set up a limited user account and this thread has given me the nudge to get off of my virtual arse. Thanks guys!
 

Ilya Rabinovich

Junior Member
Jan 18, 2006
3
0
0
Hi everybody.

richardrds has invited me to join this discussion. I'm the author of DefenseWall, and I see that many of you don't understand how my program works. OK, I'm going to fix that.

First of all, I'd like to note to richardrds that DefenseWall doesn't have registry/file system virtualization functionality, because it would dramatically raise the complexity of using the product for regular non-technical users. Yes, "virtualization" file storage is a very easy tool to empty out the malware, but it is also a very easy tool to erase all the programs the user has downloaded from the Internet themselves. Registry and file system virtualization don't increase the overall security level if you block any dangerous registry/file system modification attempts and do not allow the untrusted processes to break out of the virtual "untrusted processes" area by opening trusted processes/threads, service/driver installation, global hooks, physical memory object access and so on.

To Codewiz: I'm sorry, but you are wrong. It is still possible for malware to set itself to autostart even under the limited account restriction. Also, many programs don't run under limited accounts. Not very good for the non-technical users! DefenseWall breaks any untrusted process's attempts to set any file modules to autostart.

To n0cmonkey:

a) Well, the discussion has already taken place at Wilders and CastleCops. Google will help you.
b) You can find online documentation at my site: http://www.softsphere.com/online-help/defensewall
c) DefenseWall checks all the untrusted processes for dangerous action attempts (autostart setup, sensitive registry key/file modification, global hook installation, executable/interpreted file modification, driver/service installation/modification, opening trusted processes/threads and so on) and blocks them. This prevents malware from harming your system's integrity and keeps all the malware inside the untrusted processes zone without any irritating popup windows (like ProcessGuard does, for instance). By closing this zone you terminate all the malware processes and make all the malware modules inactive. After that you can clean them up with a free AV scanner or by hand. Or even leave those modules on your hard drive; they are inactive anyway!
d) As for the approach: I don't know if it is new, but I don't think it is very interesting to the users. They need to be safe while they are surfing porn sites and opening attachments, and DefenseWall gives that to them!
e) "Defense-in-depth": yes, those are the right words, but the wrong understanding. Let's see. We have AV to check software for already known malware, we have a firewall to control network connections. But what about the malware the AV doesn't know? That is exactly the field of the HIPS. DefenseWall is strong and the simplest to use now. For the non-technical users.
f) You don't know me and my company? It is OK! Just answer: did you know Agnitum five years ago? Just look at the product, not at the company. Many "well-known" companies are making bad products. Many "little-known" companies are making good ones. But if you don't care about it, you will have to "eat" bad products with high prices. But from the "well-known" companies, of course!

So, if you still have any questions- feel free to ask. I'll be watching this thread.
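The mechanism richardrds describes above (apps marked untrusted, with the children they spawn inheriting that label) and the list of blocked actions in point c) of Ilya's post, as an added Python model written for this thread; it is not DefenseWall's code. Process names, pids, paths and the sample scenario are constructed, and the `limited_account_allows` comparison is a deliberately crude model of a non-admin account (machine-wide locations and driver installs denied, the per-user Run key allowed), not a dump of real Windows ACLs:

```python
from collections import namedtuple

# Machine-wide and per-user autostart keys (well-known persistence points).
AUTOSTART_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
PROTECTED_DIRS = (r"C:\Windows\System32",)

# Minimal process record: the trust label is the only state the policy needs.
Process = namedtuple("Process", "pid image trusted")


class SandboxHips:
    """Toy policy engine: label processes, vet actions, close the untrusted zone."""

    def __init__(self):
        self.processes = {}

    def launch(self, pid, image, parent=None, trusted=None):
        # A child of an untrusted process is untrusted whatever the caller asks for.
        if parent is not None and not parent.trusted:
            trusted = False
        elif trusted is None:
            trusted = True if parent is None else parent.trusted
        self.processes[pid] = Process(pid, image, trusted)
        return self.processes[pid]

    def check(self, proc, action, target):
        """Return (allowed, reason) for an action attempted by proc."""
        if proc.trusted:
            return True, "trusted process"
        reason = self._dangerous(action, target)
        if reason is not None:
            return False, reason
        return True, "untrusted, but not a protected operation"

    def _dangerous(self, action, target):
        low = str(target).lower()
        if action == "reg_set" and any(low.startswith(k.lower()) for k in AUTOSTART_KEYS):
            return "autostart registry key"
        if action == "file_write" and any(low.startswith(d.lower()) for d in PROTECTED_DIRS):
            return "protected system directory"
        if action in ("install_driver", "install_service"):
            return "driver/service installation"
        if action == "set_global_hook":
            return "global hook installation"
        if action == "open_process":
            victim = self.processes.get(target)
            if victim is not None and victim.trusted:
                return "opening a trusted process"
        return None

    def close_untrusted_zone(self):
        """Terminate every untrusted process; returns the pids removed."""
        killed = sorted(pid for pid, p in self.processes.items() if not p.trusted)
        for pid in killed:
            del self.processes[pid]
        return killed


def limited_account_allows(action, target):
    """Crude model of a non-admin account (constructed for comparison, not a real
    ACL dump): machine-wide locations and driver/service installs are denied,
    per-user locations are allowed, so an HKCU Run autostart entry still succeeds."""
    low = str(target).lower()
    if action in ("install_driver", "install_service"):
        return False
    if action == "reg_set" and low.startswith("hklm\\"):
        return False
    if action == "file_write" and any(low.startswith(d.lower()) for d in PROTECTED_DIRS):
        return False
    return True


def demo():
    """Run a constructed scenario and return every decision in a dict."""
    hips = SandboxHips()
    shell = hips.launch(100, "explorer.exe", trusted=True)
    browser = hips.launch(200, "firefox.exe", parent=shell, trusted=False)
    # A drive-by download spawns a child; it inherits "untrusted" even
    # though the launch request asks for trusted.
    dropper = hips.launch(300, "dropper.exe", parent=browser, trusted=True)
    hkcu_run = AUTOSTART_KEYS[1] + r"\updater"
    hklm_run = AUTOSTART_KEYS[0] + r"\updater"
    results = {
        "child_inherits_untrusted": not dropper.trusted,
        "hips_hkcu_run": hips.check(dropper, "reg_set", hkcu_run)[0],
        "hips_system32": hips.check(dropper, "file_write", r"C:\Windows\System32\drivers\x.sys")[0],
        "hips_driver": hips.check(dropper, "install_driver", "x.sys")[0],
        "hips_open_shell": hips.check(dropper, "open_process", 100)[0],
        "hips_temp_write": hips.check(dropper, "file_write", r"C:\Temp\a.tmp")[0],
        "hips_trusted_reg": hips.check(shell, "reg_set", hklm_run)[0],
        "limited_hklm_run": limited_account_allows("reg_set", hklm_run),
        "limited_hkcu_run": limited_account_allows("reg_set", hkcu_run),
    }
    results["closed"] = hips.close_untrusted_zone()
    return results
```

Calling `demo()` shows the two points argued in the thread side by side: the untrusted dropper is refused the autostart key, the System32 write, the driver install and the handle to the trusted shell (while an ordinary write to a temp file goes through), and closing the zone removes pids 200 and 300 but leaves the trusted shell alone. In the limited-account model the HKLM Run key is refused but the per-user HKCU Run key is not, which is why both sides of the discussion have a point and why running the two controls together is the defensible choice.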
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Ilya Rabinovich
To Codewiz: I'm sorry, but you are wrong. It is still possible for malware to set itself to autostart even under the limited account restriction. Also, many programs don't run under limited accounts. Not very good for the non-technical users! DefenseWall breaks any untrusted process's attempts to set any file modules to autostart.

What software doesn't work under a limited user account?

To n0cmonkey:

a) Well, the discussion has already taken place at Wilders and CastleCops. Google will help you.

What discussion?

b) You can find online documentation at my site: http://www.softsphere.com/online-help/defensewall

I looked, I promise. I must have missed it. I'll be browsing it later.

c) DefenseWall checks all the untrusted processes for dangerous action attempts (autostart setup, sensitive registry key/file modification, global hook installation, executable/interpreted file modification, driver/service installation/modification, opening trusted processes/threads and so on) and blocks them. This prevents malware from harming your system's integrity and keeps all the malware inside the untrusted processes zone without any irritating popup windows (like ProcessGuard does, for instance). By closing this zone you terminate all the malware processes and make all the malware modules inactive. After that you can clean them up with a free AV scanner or by hand. Or even leave those modules on your hard drive; they are inactive anyway!

It sounds interesting, but using a limited user account provides a good deal of security for the system without the price.

d) As for the approach: I don't know if it is new, but I don't think it is very interesting to the users. They need to be safe while they are surfing porn sites and opening attachments, and DefenseWall gives that to them!

They shouldn't be opening attachments.

e) "Defense-in-depth": yes, those are the right words, but the wrong understanding. Let's see. We have AV to check software for already known malware, we have a firewall to control network connections. But what about the malware the AV doesn't know? That is exactly the field of the HIPS. DefenseWall is strong and the simplest to use now. For the non-technical users.

No, I understand just fine. Using a limited user account helps, period. Even if they use your software, using a limited user account provides plenty of positives WITH NO NEGATIVES. Why ignore one of the most basic security practices you can do, when it's simple and effective?

f) You don't know me and my company? It is OK! Just answer: did you know Agnitum five years ago? Just look at the product, not at the company. Many "well-known" companies are making bad products. Many "little-known" companies are making good ones. But if you don't care about it, you will have to "eat" bad products with high prices. But from the "well-known" companies, of course!

I still don't know Agnitum. It's an issue of trust. I can't see the source, I didn't see much of a history, I'm not sure how much trust I can give in that kind of situation. I'd definitely try the product out on a spare Windows machine, if I had one, but probably not on the one I work on.
 

Ilya Rabinovich

Junior Member
Jan 18, 2006
3
0
0
What software doesn't work under a limited user account?

Games, for instance.


a) Well, the discussion has already taken place at Wilders and CastleCops. Google will help you.

What discussion?

About DefenseWall. There was a public beta-testing at Wilders.

c) DefenseWall checks all the untrusted processes for dangerous action attempts (autostart setup, sensitive registry key/file modification, global hook installation, executable/interpreted file modification, driver/service installation/modification, opening trusted processes/threads and so on) and blocks them. This prevents malware from harming your system's integrity and keeps all the malware inside the untrusted processes zone without any irritating popup windows (like ProcessGuard does, for instance). By closing this zone you terminate all the malware processes and make all the malware modules inactive. After that you can clean them up with a free AV scanner or by hand. Or even leave those modules on your hard drive; they are inactive anyway!

It sounds interesting, but using a limited user account provides a good deal of security for the system without the price.

I'm sorry, but each thing has its own price. First of all, it is possible for malware to bypass limited-rights restrictions or to work under them. Also, the regular non-tech user doesn't know how to properly set it up and work under it.

d) As for the approach: I don't know if it is new, but I don't think it is very interesting to the users. They need to be safe while they are surfing porn sites and opening attachments, and DefenseWall gives that to them!

They shouldn't be opening attachments.

Ha-ha-ha-ha!!!!!!!! Very-very funny!!!!!!!

e) "Defense-in-depth": yes, those are the right words, but the wrong understanding. Let's see. We have AV to check software for already known malware, we have a firewall to control network connections. But what about the malware the AV doesn't know? That is exactly the field of the HIPS. DefenseWall is strong and the simplest to use now. For the non-technical users.

No, I understand just fine. Using a limited user account helps, period. Even if they use your software, using a limited user account provides plenty of positives WITH NO NEGATIVES. Why ignore one of the most basic security practices you can do, when it's simple and effective?

I didn't say you should ignore it! The only thing I want to say is that a limited-rights account is not the "silver bullet" and not a replacement for a sandbox HIPS.

f) You don't know me and my company? It is OK! Just answer: did you know Agnitum five years ago? Just look at the product, not at the company. Many "well-known" companies are making bad products. Many "little-known" companies are making good ones. But if you don't care about it, you will have to "eat" bad products with high prices. But from the "well-known" companies, of course!

I still don't know Agnitum. It's an issue of trust. I can't see the source, I didn't see much of a history, I'm not sure how much trust I can give in that kind of situation. I'd definitely try the product out on a spare Windows machine, if I had one, but probably not on the one I work on.

Then Linux is your way! Windows doesn't have its sources public (officially, naturally) anyway. It is a commercial project (as mine is). Also, there is no malware under Linux...

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Ilya Rabinovich
What software doesn't work under a limited user account?

Games, for instance.

I've been able to use some games, but I haven't tried a lot.

Games don't really do anything an unprivileged user shouldn't be able to do, I don't think.

I'm sorry, but each thing has its own price. First of all, it is possible for malware to bypass limited-rights restrictions or to work under them. Also, the regular non-tech user doesn't know how to properly set it up and work under it.

Of course each thing has its own price. You have to buy and use the anti-virus solution (unless you use something free like ClamWin), and the same goes for the firewall. Using your product may not be a bad thing (time will tell, good luck to you), but it's no reason not to use a limited account (my original point).

Yes, privilege escalation can be an issue, but what does your product do that makes this impossible?

There should be no setup necessary for using limited user accounts, it should basically just work. Non-technical users have already proven themselves to be too ignorant to properly use anti-virus, firewalls, and anti-spamware programs. What makes DefenseWall any different?

I didn't say you should ignore it! The only thing I want to say is that a limited-rights account is not the "silver bullet" and not a replacement for a sandbox HIPS.

There is no silver bullet, hence defense in depth. These two things (limited user accounts and a HIPS product) should be able to work together. Cover each other's butts.

Then Linux is your way! Windows doesn't have its sources public (officially, naturally) anyway. It is a commercial project (as mine is). Also, there is no malware under Linux...

Of course there's malware that runs on Linux. But there are also many more technologies readily available to defend it. Personally, I don't care much for it.
 

Ilya Rabinovich

Junior Member
Jan 18, 2006
3
0
0

Yes, privilege escalation can be an issue, but what does your product do that makes this impossible?

Some things are implemented already now (global hooks installation), some are in my todo list and will be implemented a little bit later (shatter attack protection).

There should be no setup necessary for using limited user accounts, it should basically just work. Non-technical users have already proven themselves to be too ignorant to properly use anti-virus, firewalls, and anti-spamware programs. What makes defensewall any different?

It can't. But, anyway, most of the firewall/AV users are non-technical ones.

There is no silver bullet, hence defense in depth. These two things (limited user accounts and a HIPS product) should be able to work together. Cover each other's butts.

Yup!!!!!!!! That is the point!!!
 