DefenseWall 2.45 Intro Review On YouTube

DefenseWall looks like to be a very good app, BUT only for people who know how to work with it . I mean not so many people know a thing about what is svchost.exe winlogon.exe alg.exe lsass.exe rundll32.exe for example so they could terminate a legit process and mess up their pc and say and post stupid comments like DefenseWall destroy their pc. Yes HIPS is the future of security programs , you already can find this in some new applications like KIS 2009 who divide them in 3 categories :Trusted ,Low restricted and High restricted , and it decide by itself what is good and what is bad but you can decide yourself if you want to trust or not a app . The conclusion is that this is a new approach to the virtual security , and keep the good work Matt and maybe you cam review KIS 2009 in the future .

I’m afraid it’s not that simple…If everything downloaded is isolated and restricted,you won’t be able to install not only bad products,but legit ones as well.And If someone says,”I know that this program is legit.I’ll put it to exeptions”,then the answer is:If you knew which programm is good,and which is bad,you wouldn’t need defence wall,or any other security program in the first place…Someone finally has to decide what is good and what is harmfull.And that is the old,traditional antivirus with the signatures of the risky applications.

Hi Matt.

This is why Prevention is your fist line of Defense and NOT Detection. Detection should be your 2nd line of Defense, DefenseWall did do well. Thx for the videos, keep it up!

Josh

Nice one.

BTW Kaspersky Internet Security 2009 also features HIPS+Firewall.
And i can tell you from my experience that KIS 2009 is really flexible.

Another product that i requested for review, Outpost Security Suite, also features a HIPS module (If im not wrong).

Thats why its always better to review an Internet Security Products or Complete Suites etc. since these mostly feature maximum protection.

May be something for future reviews. Try to review the top of class product from a security vendor.
1st part of review will be detect and remove (basic routine).
2nd part of review would be prevention.
and ofcourse SAS scans..

But honestly, im glad that you are looking for things other that simple ‘detect & remove’:)

DefenseWall did well and it has great functionality with the sand boxing capabilities but I would have to say I don’t really like the look or the overall feel of the product I agree completely with Emperor Darius’s comment.

>BUT only for people who know how to work with it
Did you test DefenseWall by yourself? I suppose, you didn’t as the product is used by children and 75-years old women.
http://www.wilderssecurity.com/showpost.php?p=1342048&postcount=12

>I’m afraid it’s not that simple
It is that simple.

>you won’t be able to install not only bad products,but legit ones as well
There is “run as trusted” feature right for this. It is very simple to use.

>HIPS Sucks. False Positive/Spam/Popup Messages galore.
Looks like, you never met sandboxing-style HIPS defense systems. They do not spam users with popup messages. That’s the job of classical HIPS, and, sometimes, blacklisting HIPS (so-called intellectual behavior blockers).

>Try to review the top of class product from a security vendor.
DefenseWall is the top class product from the top class developer (vendor).

>I don’t really like the look or the overall feel of the product
What is exactly wrong with my software?

Just like Emperor Darius said, everything you download in IE en firefox hase limited rights. So you choose yourself if you want to give it the normall rights ore not..

HIPS will never mean the end of anti-something. Why? Normal users will never figure out how to use them, respond to the alerts, etc. One bad decision and a total messed up system.

@ Ilya Rabinovich
I’ll give you an example.I download a program from the internet.If I don’t add it to trusted,it won’t install.What i am supposed to do.Don’t trust it?It won’t install.Trust it?How I can be sure that it is not a virus…

HIPS is future for experienced users. Dumb users might just well select all and click Allow. So every HIPS is as smart as user controlling it.
The future is in behavior detection. Unfortunately not many are doing it right or they just plain don’t support 64bit systems that are more and more common these days.

Since Ilya is here to answer us regarding his product, i would like to ask him this……

What according to you is the best set up for a system?
In other words, to keep my system nice and clean, which applications can i use alongside DefenseWall?

well we saw the results on the video’s, it’s realy impressive:) and withouth a doubt a great program:)

Comodo Internet Security has a HIPS called defense+ installed by default so there’s no need to install DefenseWall in addition.

Not to mention CIS is 100% free

Hey Matt,

I just want to tell you if you diden’t find out that the DEFENSE+ feature
inside of “COMODO internet security” CIS, that you tested last week is also a HIPS app. I wanted to say this since you also liked defense+ a lot as well!

@ Ilya Rabinovich

It is easy. I personally, don’t use DefenseWall (But, I downloaded it and will be testing it, though. Want to see how it looks like and how it behaves.), but another HIPS (what we call classical HIPS), which requires the user to understand every alert and how to find out more information about each process that the HIPS is alerting us for.

Could you, honestly say, that everyone is able to understand what each alert means?

“Also, “>If I don’t add it to trusted
There is no need to “add to trusted”. Right-mouse click on a file->”DefenseWall HIPS”->”Run as trusted”.”

“Run as trusted”? How can the user know that he/she can fully trust the application? What is the difference between Run as trusted or Add as trusted? It will be trusted no matter what, right?

>it won’t install
If you not really sure about software you did download, you can install it as untrusted (I install this way some software I download via P2P).

>How I can be sure that it is not a virus
Simple- this work is for anti-virus labs.”,

No, that why there are HIPS. Because no AV vendor is able to discover all viruses that come out today. An IPS is the only way to prevent any possible damage caused by new malware.

Now, lets take this example. Very recently, Kaspersky Lab saw their Malasian (if I am not mistaken) filial online services being hacked and who knows if their trial versions weren’t switched. So, a user downloads it, installs it, a HIPS alert for a change to an important system file, registry entry, etc., the user will allow it, because, by the time he/she downloaded it, no one knew Kaspersky Lab online has been hacked. We could figure the result (what ever it could have been).

Would a normal user know if this Kaspersky AV/Internet Security Suite installer was or not suppose to do such thing? Would a 75 year old woman know anything about it? (unless, of course, she is/was a security professional).

Again, I would like to hear it from a security expert, as I only am a user in the middle field (not a beginner nor an advanced user).

@ Ilya Rabinovich

Thanks for those explanations. Truly appreciate it.

So, in that scenario that I mentioned, if that was the case, then a HIPS would be of no use? Lets imagine that it did happen with me (it didn’t! ) and since I trust Kaspersky (in this case), then I ran the installer without HIPS controlling it. I then turn my HIPS on/everything on, and then it alerts me that a process is trying to modify an important system file, etc. I check the process and I’ve never seen it before in my system. I dig further into it and find no reference of what so ever on the internet. Then I can only think that it has been placed by the installer and that the process has to be known, right? (I’m supposing so). I will temporarily block it until I know more about it.

That’s what I do when I don’t know what a process is or if I find no info about it. I always try to find out if it is a system’s own process and if not then I look further to see if it belongs to any other application I might have. If not, then I just block it until know more about it.

Isn’t this the right thing to do in such scenario?

But, I do agree with you.

Best regards

And in case I didn’t make it very clear,I meant 5 unknown *.exe files(4 good,1 bad).Not obviously safe or unsafe.

Exactly

At the end of the day : the user decides what to run. Same goes for letting through outgoing processes in personal firewalls, UAC in Vista and Hips programs. Sure, drive-by-downloads exists but 99% of infections I see are user-self-inflicted. Users are the weakest link in all of this.

@Densker
A little off topic,but anyway it’s true.But I don’t see any major changes..

Defensewall.. When i installed it it looked very easy. No pop up no nothing. Eveything i run is in unsafe mode. Take my download folder. When i want to delete everything inside it i cant. Because it is unsafe. I try to run it un as trusted, but i still cant delete anything. After unninstalling i could delete what was in there.

So.. I think defensewall is a great product!! But i think you need some experience to use it!

@Subgud- if you have set everything as untrusted, “run as trusted” wont work for you as it requires to be sent only from a trusted process. That is why all the software you need to have untrusted is listed at the main site and program’s page. And that is why there is a built-in list of “already known that should be untrusted” apps.

@Adam- DefenseWall do restrict untrusted processes activity according internal ruleset. So, malware won’t be restricted from any actions, but from the malicious ones- yes.

Yep, sure you can.

Because of the PatchGuard I can’t implement as strong protection there as I do for x32 OSes. PatchGuard API is incomplete for me. So, my next step is not x64 variant, but outbound traffic control with 2.50 version.

Which would you use sandboxie or HIPS defense wall?