DefenseWall 2.45 Intro Review On YouTube

I uploaded the DefenseWall 2.45 Intro Review to YouTube today. DefenseWall is a HIPS (Host Intrusion Prevention System) anti-malware product from SoftSphere (Ilya Rabinovich). This is the first HIPS product I've ever tested, and it left me with a very big question...

Have we seen the end of Antivirus?

If you install DefenseWall on a clean system, that should (in theory) be all the protection against malware you'll ever need. Here is a quote from Ilya Rabinovich (developer of DefenseWall) on how DefenseWall protects your PC:

DefenseWall HIPS is a very easy-to-use tool that provides 99.99% protection from all types of malware while surfing the Internet and while installing new software – if you use DefenseWall the right way!

DefenseWall HIPS divides all applications into 'trusted' and 'untrusted' groups. Untrusted processes, which may be created by an untrusted application or process, have limited rights. DefenseWall HIPS prevents untrusted processes from modifying the executable/interpretative files, phone database (target for "dialers" malware), Hosts files, add/modify autostart areas (both registry and file system), add/modify drivers/services (targeted by "rootkits"), modify desktop and browser settings (IE, Firefox, Mozilla, Opera), set global hooks (usually used by "keyloggers"), inject their code into "trusted" processes and many other dangers. In addition, DefenseWall HIPS prevents untrusted processes from gaining access to "Secured" files and folders. It will prevent your sensitive data from being stolen by malware. DefenseWall HIPS does not allow "untrusted" processes to break your system's integrity and to break out of the virtual "untrusted processes" area.

Terminating malware is very easy – close all untrusted processes with the "big red button" (recommended), or click the grey button, "you have 'x' untrusted process(es) running on your computer", to terminate individual malware processes. Another method – simply restart your computer – the untrusted zone will be closed by your system.
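As an added example (toy code written for this page, not DefenseWall's own, which is not published here), the Python model below shows the mechanism the quote describes: each process carries a trust label, children of untrusted processes inherit it, an executable written by an untrusted process becomes untrusted itself, and an untrusted process is silently denied a fixed set of integrity-relevant operations instead of being prompted. The paths, registry keys, operation names, the "Secured" folder location and the precedence of "run as trusted" over the untrusted list are all assumptions chosen for illustration.

```python
"""Toy model of a policy-based sandboxing HIPS, illustrating the trusted/untrusted
split described in the quote above. Added example, not DefenseWall's code: every
path, registry key, operation name and rule here is an assumption for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Trust(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


@dataclass
class Process:
    pid: int
    image: str
    trust: Trust
    parent: Optional["Process"] = None


# Integrity-relevant locations (assumed). Matching is case-insensitive because NTFS
# paths and registry keys are; a case-sensitive check is bypassed by ...\DRIVERS\ETC\HOSTS.
SECURED_FOLDER = "c:\\users\\alice\\secured\\"                         # "Secured" folder, assumed name
PROTECTED_FILE_PREFIXES = ("c:\\windows\\system32\\", SECURED_FOLDER)  # binaries, drivers, hosts
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".vbs", ".js")
AUTOSTART_REG_PREFIXES = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\system\\currentcontrolset\\services",                       # services and driver entries
)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


class PolicyHips:
    def __init__(self, existing_files: Set[str]) -> None:
        self.files = {_norm(f) for f in existing_files}   # files that already exist (constructed)
        self.untrusted_images: Set[str] = set()           # the "untrusted applications" list
        self.processes: Dict[int, Process] = {}
        self._next_pid = 1000

    def mark_untrusted(self, image: str) -> None:
        self.untrusted_images.add(_norm(image))   # browsers, mail clients, P2P clients, ...

    def spawn(self, image: str, parent: Optional[Process] = None,
              run_as_trusted: bool = False) -> Process:
        """Label a new process. 'Run as trusted' covers this instance only and is honoured
        only from a trusted requester; otherwise a listed image or any child of an
        untrusted process is untrusted (precedence assumed)."""
        if run_as_trusted and (parent is None or parent.trust is Trust.TRUSTED):
            trust = Trust.TRUSTED
        elif _norm(image) in self.untrusted_images or (
                parent is not None and parent.trust is Trust.UNTRUSTED):
            trust = Trust.UNTRUSTED
        else:
            trust = Trust.TRUSTED
        proc = Process(self._next_pid, image, trust, parent)
        self._next_pid += 1
        self.processes[proc.pid] = proc
        return proc

    def mediate(self, proc: Process, op: str, target: str = "") -> Tuple[bool, str]:
        """Decide one operation without prompting. Trusted processes are unrestricted (so a
        booby-trapped installer run 'as trusted' defeats the model); untrusted ones get a
        fixed deny list."""
        if proc.trust is Trust.TRUSTED:
            return True, "trusted process: unrestricted"
        t = _norm(target)
        if op == "write_file":
            if t.startswith(PROTECTED_FILE_PREFIXES):
                return False, f"untrusted write to protected location {target}"
            if t in self.files and t.endswith(EXECUTABLE_SUFFIXES):
                return False, f"untrusted modification of existing executable {target}"
            # New files are fine (that is how downloads arrive), but an executable an
            # untrusted process produces is itself untrusted from now on.
            self.files.add(t)
            if t.endswith(EXECUTABLE_SUFFIXES):
                self.untrusted_images.add(t)
            return True, "write allowed; new file tagged untrusted"
        if op == "read_file":
            return not t.startswith(SECURED_FOLDER), f"read of {target}"
        if op == "write_registry":
            return not t.startswith(AUTOSTART_REG_PREFIXES), f"registry write to {target}"
        if op in ("set_global_hook", "load_driver"):
            return False, f"{op} is never permitted for untrusted processes"
        if op == "inject":
            victim = self.processes[int(target)]
            return victim.trust is Trust.UNTRUSTED, f"injection into pid {victim.pid}"
        return True, f"{op} not covered by policy"   # a deny list protects only what it lists

    def kill_untrusted(self) -> List[int]:
        """The 'big red button': terminate every untrusted process at once."""
        killed = [pid for pid, p in self.processes.items() if p.trust is Trust.UNTRUSTED]
        for pid in killed:
            del self.processes[pid]
        return killed
```

The model also makes visible the two weak points that the comments below argue over: a trusted process is unrestricted, so a booby-trapped installer run "as trusted" gets full rights, and a deny list protects only the resources it enumerates, so any operation that is not on it passes unchallenged.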

I’m completely amazed at how well DefenseWall protected my (test) computer from zero-day threats, it was absolutley perfect in test after test.

Let me know what you guys think about DefenseWall and HIPS in general.

DefenseWall Part 1

DefenseWall Part 2

DefenseWall Part 3


56 Responses to DefenseWall 2.45 Intro Review On YouTube

  1. fsibechi November 15, 2008 at 10:18 pm #

    DefenseWall looks to be a very good app, BUT only for people who know how to work with it. I mean, not so many people know a thing about what svchost.exe, winlogon.exe, alg.exe, lsass.exe or rundll32.exe are, for example, so they could terminate a legit process, mess up their PC, and then post stupid comments like "DefenseWall destroyed their PC". Yes, HIPS is the future of security programs; you can already find this in some new applications like KIS 2009, which divides them into 3 categories: Trusted, Low restricted and High restricted, and it decides by itself what is good and what is bad, but you can decide yourself if you want to trust an app or not. The conclusion is that this is a new approach to virtual security. Keep up the good work Matt, and maybe you can review KIS 2009 in the future.

  2. Emperor Darius November 15, 2008 at 10:23 pm #

    So you started testing HIPS programs? You'll need a new huge list 😀

  3. Vasilis November 15, 2008 at 10:34 pm #

    I'm afraid it's not that simple... If everything downloaded is isolated and restricted, you won't be able to install not only bad products, but legit ones as well. And if someone says, "I know that this program is legit. I'll put it in the exceptions", then the answer is: if you knew which program is good and which is bad, you wouldn't need DefenseWall, or any other security program, in the first place... Someone finally has to decide what is good and what is harmful. And that is the old, traditional antivirus with the signatures of the risky applications.

  4. Tycho November 15, 2008 at 11:03 pm #

    Matt,

    Just wanted to let you know, Kaspersky IS/AV 2009 both use HIPS in evaluating threats.

  5. 3xist November 16, 2008 at 12:06 am #

    Hi Matt. 🙂

    This is why Prevention is your first line of Defense and NOT Detection. 🙂 Detection should be your 2nd line of Defense. DefenseWall did do well. 🙂 Thx for the videos, keep it up!

    Josh

  6. f November 16, 2008 at 12:43 am #

    The problem with this type of AV is that it spams you a lot. I think it should be like: antivirus signatures first, HIPS as backup.

  7. Adel November 16, 2008 at 1:14 am #

    Nice one.

    BTW Kaspersky Internet Security 2009 also features HIPS+Firewall.

    And I can tell you from my experience that KIS 2009 is really flexible.

    Another product that I requested for review, Outpost Security Suite, also features a HIPS module (if I'm not wrong).

    That's why it's always better to review Internet Security products or complete suites etc., since these mostly feature maximum protection.

    Maybe something for future reviews. Try to review the top-of-class product from a security vendor.

    The 1st part of the review will be detect and remove (basic routine).

    The 2nd part of the review would be prevention.

    And of course SAS scans...

    But honestly, I'm glad that you are looking for things other than simple 'detect & remove' :)

  8. fsibechi November 16, 2008 at 1:50 am #

    Hi Matt, I do not understand why I can not see my first post, maybe because I am not from the USA, but I appreciate your work; keep it up.

    DefenseWall is a good application but only for advanced users, because there are a lot of people who have no idea how to handle such an app; things like svchost.exe, lsass.exe, rundll32.exe are too cryptic and they will fail by killing good and legit processes, so this is for advanced users I think, or maybe for someone who knows what is good and what is not. BTW, HIPS is already incorporated in some new security programs like KIS 2009 and it works splendidly, so maybe you can take a look at it!

  9. Justin November 16, 2008 at 2:54 am #

    DefenseWall did well and it has great functionality with the sandboxing capabilities, but I would have to say I don't really like the look or the overall feel of the product. I agree completely with Emperor Darius's comment.

  10. Densker November 16, 2008 at 2:56 am #

    HIPS Sucks. False Positive/Spam/Popup Messages galore. ^_^

  11. Ilya Rabinovich November 16, 2008 at 10:47 am #

    >BUT only for people who know how to work with it

    Did you test DefenseWall yourself? I suppose you didn't, as the product is used by children and 75-year-old women.
    http://www.wilderssecurity.com/showpost.php?p=134

    >I’m afraid it’s not that simple

    It is that simple.

    >you won’t be able to install not only bad products,but legit ones as well

    There is a "run as trusted" feature right for this. It is very simple to use.

    >HIPS Sucks. False Positive/Spam/Popup Messages galore.

    Looks like you never met sandboxing-style HIPS defense systems. They do not spam users with popup messages. That's the job of classical HIPS and, sometimes, blacklisting HIPS (so-called intellectual behavior blockers).

    >Try to review the top of class product from a security vendor.

    DefenseWall is the top class product from the top class developer (vendor).

    >I don’t really like the look or the overall feel of the product

    What is exactly wrong with my software?

  12. Wav3_CrackeR November 16, 2008 at 2:15 pm #

    Doesn't WinPatrol 2008 do something like this? Or is it more like an extra real-time protection... It would be fun if you could test WinPatrol anyway sometime when you have some time over. thx 😀

  13. robin November 16, 2008 at 2:41 pm #

    Just like Emperor Darius said, everything you download in IE and Firefox has limited rights. So you choose yourself if you want to give it the normal rights or not.

  14. Vasilis November 16, 2008 at 3:00 pm #

    I said it, actually... But it's OK. I've tried such programs in the past, and finally dumped them for the reasons I explained earlier.

  15. m00nbl00d November 16, 2008 at 3:05 pm #

    HIPS will never mean the end of anti-something. Why? Normal users will never figure out how to use them, respond to the alerts, etc. One bad decision and a totally messed up system.

  16. Ilya Rabinovich November 16, 2008 at 4:02 pm #

    >Normal users will never figure out how to use them

    Can you prove your words? I can prove the opposite.

  17. Vasilis November 16, 2008 at 4:30 pm #

    @ Ilya Rabinovich

    I'll give you an example. I download a program from the internet. If I don't add it to trusted, it won't install. What am I supposed to do? Don't trust it? It won't install. Trust it? How can I be sure that it is not a virus...

  18. Ilya Rabinovich November 16, 2008 at 4:40 pm #

    >If I don’t add it to trusted

    There is no need to "add to trusted". Right-mouse click on a file->"DefenseWall HIPS"->"Run as trusted".

    >it won’t install

    If you're not really sure about software you downloaded, you can install it as untrusted (I install some software I download via P2P this way).

    >How I can be sure that it is not a virus

    Simple: this work is for anti-virus labs.

  19. RejZoR November 16, 2008 at 6:17 pm #

    HIPS is the future for experienced users. Dumb users might just as well select all and click Allow. So every HIPS is as smart as the user controlling it.

    The future is in behavior detection. Unfortunately not many are doing it right, or they just plain don't support 64-bit systems, which are more and more common these days.

  20. Adel November 16, 2008 at 6:18 pm #

    >Try to review the top of class product from a security vendor.

    >>DefenseWall is the top class product from the top class developer (vendor).

    Ilya, that comment was aimed at Matt, and has nothing to do with DefenseWall.

    Matt usually tests antivirus products and not really the Internet Security suites. So I was basically telling him to test suites instead of AVs. 🙂

  21. Adel November 16, 2008 at 6:26 pm #

    Since Ilya is here to answer us regarding his product, I would like to ask him this...

    What according to you is the best set up for a system?
    In other words, to keep my system nice and clean, which applications can I use alongside DefenseWall?

  22. Ilya Rabinovich November 16, 2008 at 6:53 pm #

    Well, as for me, I need only DefenseWall, but I'm a security professional. Other (average) users complement DefenseWall with firewalls, anti-virus and ISR (like Returnil, for instance) products.

  23. robin November 16, 2008 at 8:44 pm #

    Well, we saw the results in the videos, it's really impressive :) and without a doubt a great program :)

  24. Densker November 16, 2008 at 8:59 pm #

    Oh, so it's sandboxing. Maybe similar to ZoneAlarm ForceField?

  25. Halcyon Hush November 16, 2008 at 10:53 pm #

    Comodo Internet Security has a HIPS called Defense+ installed by default, so there's no need to install DefenseWall in addition.

    Not to mention CIS is 100% free

  26. Adam November 16, 2008 at 11:31 pm #

    How different is DefenseWall from Sandboxie and BufferZone?

  27. Johan November 16, 2008 at 11:44 pm #

    Hey Matt,

    I just want to tell you, if you didn't find out already, that the DEFENSE+ feature inside of "COMODO Internet Security" (CIS), which you tested last week, is also a HIPS app. I wanted to say this since you also liked Defense+ a lot as well!

  28. Ilya Rabinovich November 17, 2008 at 11:41 am #

    >How different is DefenseWall from Sandboxie and Buffer Zone?

    SBIE and BZ are using partial virtualization in order to isolate the file system and registry keys from untrusted processes' manipulations. DefenseWall is using a built-in policy ruleset to do this. Each approach has pros and cons.
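As an added example contrasting the two approaches named in this reply (toy code written for this page, not from Sandboxie, BufferZone or DefenseWall), the Python model below implements the virtualization side: writes from a sandboxed process are redirected into a per-container overlay, reads fall through to the real system, and the container can be inspected, selectively recovered or discarded. The container names, key layout and method names are assumptions; the sample hosts entry and Run key are constructed.

```python
"""Toy model of copy-on-write virtualization, the alternative named in the comment
above for isolating file system and registry writes. Added example, not code from
Sandboxie, BufferZone or DefenseWall; the container layout is an assumption."""
from typing import Dict, Optional


class VirtualizedStore:
    """One namespace (files or registry keys) with a real layer plus one overlay per
    sandbox container. Untrusted writes land in the overlay and reads fall through
    to the real layer, so sandboxed code sees its own changes while the real system
    never does. Keys are lower-cased because Windows names are case-insensitive."""

    def __init__(self, real: Dict[str, str]) -> None:
        self.real = {k.lower(): v for k, v in real.items()}
        # container -> key -> value; None records a delete performed inside the sandbox
        self.overlays: Dict[str, Dict[str, Optional[str]]] = {}

    def _layer(self, container: str) -> Dict[str, Optional[str]]:
        return self.overlays.setdefault(container, {})

    def read(self, key: str, container: Optional[str] = None) -> Optional[str]:
        k = key.lower()
        if container is not None and k in self._layer(container):
            return self._layer(container)[k]
        return self.real.get(k)

    def write(self, key: str, value: str, container: Optional[str] = None) -> None:
        """Trusted callers (container=None) modify the real layer; sandboxed callers get
        a private copy. Nothing is denied, so an installer completes inside the box."""
        if container is None:
            self.real[key.lower()] = value
        else:
            self._layer(container)[key.lower()] = value

    def delete(self, key: str, container: Optional[str] = None) -> None:
        if container is None:
            self.real.pop(key.lower(), None)
        else:
            self._layer(container)[key.lower()] = None   # whiteout; the real copy survives

    def changes(self, container: str) -> Dict[str, Optional[str]]:
        """Everything the sandbox did: the forensic record, and the list to review
        before anything is recovered to the real system."""
        return dict(self._layer(container))

    def recover(self, key: str, container: str) -> bool:
        """Copy one sandboxed item into the real layer. This is the one path by which
        sandboxed content escapes, so it has to be a deliberate user action."""
        k = key.lower()
        layer = self._layer(container)
        if layer.get(k) is None:
            return False
        self.real[k] = layer.pop(k)
        return True

    def discard(self, container: str) -> int:
        """Empty the sandbox: every change the untrusted code made goes away."""
        return len(self.overlays.pop(container, {}))
```

The behavioural difference shows up with installers: under a policy ruleset the write to an autostart key fails and the installer may abort, whereas under virtualization it appears to succeed and the install completes inside the container. Note that this model passes reads through unchanged, so virtualization alone does not stop an untrusted process from reading sensitive files; a read deny list of the kind the DefenseWall quote calls "Secured" folders has to be layered on top.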

  29. m00nbl00d November 17, 2008 at 2:42 pm #

    @ Ilya Rabinovich

    It is easy. I personally don't use DefenseWall (but I downloaded it and will be testing it, though; I want to see how it looks and how it behaves), but another HIPS (what we call classical HIPS), which requires the user to understand every alert and how to find out more information about each process that the HIPS is alerting us about.

    Could you, honestly say, that everyone is able to understand what each alert means?

    Also:

    >If I don't add it to trusted

    >>There is no need to "add to trusted". Right-mouse click on a file->"DefenseWall HIPS"->"Run as trusted".

    "Run as trusted"? How can the user know that he/she can fully trust the application? What is the difference between Run as trusted or Add as trusted? It will be trusted no matter what, right?

    >it won't install

    >>If you're not really sure about software you downloaded, you can install it as untrusted (I install some software I download via P2P this way).

    >How can I be sure that it is not a virus

    >>Simple: this work is for anti-virus labs.

    No, that's why there are HIPS. Because no AV vendor is able to discover all viruses that come out today. An IPS is the only way to prevent any possible damage caused by new malware.

    Now, let's take this example. Very recently, Kaspersky Lab saw their Malaysian (if I am not mistaken) filial's online services being hacked, and who knows if their trial versions weren't switched. So, a user downloads it, installs it, a HIPS alerts for a change to an important system file, registry entry, etc., and the user will allow it, because, by the time he/she downloaded it, no one knew Kaspersky Lab's site had been hacked. We can figure the result (whatever it could have been).

    Would a normal user know if this Kaspersky AV/Internet Security Suite installer was or wasn't supposed to do such a thing? Would a 75-year-old woman know anything about it? (Unless, of course, she is/was a security professional.)

    Again, I would like to hear it from a security expert, as I am only a user in the middle field (not a beginner nor an advanced user).

  30. Ilya Rabinovich November 17, 2008 at 3:08 pm #

    >Could you, honestly say, that everyone is able to understand what each alert means?

    Absolutely not, that is why there are no such alerts with DefenseWall at all. That is why I consider all the classical HIPS non-effective for an "average Joe" user.

    >How can the user know that he/she can fully trust the application?

    If you downloaded a new application from Adobe, IBM or Blizzard, for instance, you can definitely manually run it as trusted, no doubt. One more time: if you trust the vendor, you can run its software with full rights enabled.

    >What is the difference between Run as trusted or Add as trusted?

    "Run as trusted" will run an application as trusted, but will leave the executable as untrusted. If you change its status to trusted, the application will be removed from the "untrusted applications" list.

    >No, that why there are HIPS.

    HIPS's job is to prevent malware infection. But no HIPS can determine for sure if software is malicious or not. It's a virus analyst's (human's) job. So, if you are really not sure about some software, just send it to different AV labs so they can identify its status.

    >Very recently, Kaspersky Lab saw their Malasian (if I am not mistaken) filial

    Not filial, but an affiliated company, a local-state reseller.

    >who knows if their trial versions weren’t switched

    OK, if we consider this scenario, no HIPS can help in this case. To install an anti-virus, it requires full administrative rights. The only protection here is the signature check. Or send this installer to the KL labs for their check.

  31. m00nbl00d November 17, 2008 at 3:31 pm #

    @ Ilya Rabinovich

    Thanks for those explanations. Truly appreciate it.

    So, in the scenario that I mentioned, if that was the case, then a HIPS would be of no use? Let's imagine that it did happen to me (it didn't! 😉 ) and since I trust Kaspersky (in this case), then I ran the installer without HIPS controlling it. I then turn my HIPS on/everything on, and then it alerts me that a process is trying to modify an important system file, etc. I check the process and I've never seen it before on my system. I dig further into it and find no reference to it whatsoever on the internet. Then I can only think that it has been placed by the installer and that the process has to be known, right? (I'm supposing so.) I will temporarily block it until I know more about it.

    That's what I do when I don't know what a process is or if I find no info about it. I always try to find out if it is a system's own process and, if not, then I look further to see if it belongs to any other application I might have. If not, then I just block it until I know more about it.

    Isn't this the right thing to do in such scenario?

    But, I do agree with you.

    Best regards

  32. Ilya Rabinovich November 17, 2008 at 3:47 pm #

    >I check the process and I’ve never seen it before in my system

    An average user won't be able to identify if the process is legitimate (part of their AV/FW/whatever) or not. Some anti-spyware tools are using random names for their software parts in order to bypass malware name checks (most malware terminates processes or blocks files according to their names).

    The only way here is whitelisting as a supporting technique. It's on my roadmap for DefenseWall, maybe next year, if everything is fine with the project and I'm receiving enough money from sales to keep my work going as before.

  33. malwarekilla November 17, 2008 at 5:47 pm #

    @everyone – I suppose I've tested "classical HIPS" and that stuff is ONLY for experienced users (due to the sheer amount of popups for every action); however, DefenseWall is completely different... not a SINGLE popup!

    If you trust a software vendor (like Adobe) then trust the app, if not then leave it untrusted... nothing could be simpler or more protective.

    Here's the fact: zero-day threats are increasing exponentially and something like DefenseWall is really the only option for prevention... otherwise, resign yourself to cleaning up after the fact.

  34. Vasilis November 17, 2008 at 6:45 pm #

    @Matt

    Matt, there is not only Adobe out there... The average user downloads stuff from all kinds of sources, and that's the way we get infected by malware. You have to treat all of them as 'untrusted' and, as I mentioned before, they simply DO NOT install this way... I've tested it. I'm not talking just to argue. Try it yourself, or even better make a video about it. Download a few things from the net, let's say 4 safe programs and 1 harmful one, and show us how an inexperienced user is going to install all five of them (providing that he/she does not have an antivirus) and still not get infected, just using DefenseWall.

  35. Vasilis November 17, 2008 at 6:53 pm #

    And in case I didn't make it very clear, I meant 5 unknown *.exe files (4 good, 1 bad). Not obviously safe or unsafe.

  36. malwarekilla November 17, 2008 at 8:48 pm #

    @Vasilis – yeah, I get ya. You NEED to know if it's a legit app, otherwise the app runs in a "read only" sandbox environment and basically does nothing.

  37. Vasilis November 17, 2008 at 9:05 pm #

    Exactly

  38. fsibechi November 17, 2008 at 10:17 pm #

    DefenseWall has some funny interactions with KIS. First of all, it placed it in the trusted group but quarantined it at the finish of the install, saying it behaves like a trojan by downloading a driver in a hidden way. Everything goes smoothly and the app does what it is supposed to do and is worth the money, but I must say that you must have only one such active app running on your system, because it can interfere with other apps that have the same capabilities. If you change the trust level of KIS like I did, behaving like a total idiot, and put DefenseWall in the High restricted group and KIS in the untrusted area of DefenseWall, everything will be not so good: DW trying to limit KIS actions and KIS trying to protect itself from termination and, judging by KIS alerts, DW trying to set debug privileges, for example.

    My conclusion is that you must run only one app with HIPS capabilities, like you must run only one antivirus and one firewall, and if you are concerned about your safety you should give this great program, DefenseWall, a try.

  39. Dvader November 18, 2008 at 9:19 am #

    At the end of the day, the user decides what to run. Same goes for letting outgoing processes through in personal firewalls, UAC in Vista and HIPS programs. Sure, drive-by downloads exist, but 99% of infections I see are user-self-inflicted. Users are the weakest link in all of this.

  40. Densker November 18, 2008 at 11:43 am #

    SAS 4.22 is out. ^_^

  41. Vasilis November 18, 2008 at 4:58 pm #

    @Densker

    A little off topic, but anyway it's true. But I don't see any major changes...

  42. Emperor Darius November 22, 2008 at 10:07 pm #

    Really a great and simple to use program. Definitely added to my Security Arsenal 😉

    BTW: Matt, could you check GeSWall? It's similar to DefenseWall (HIPS+Sandboxing)

  43. Subgud November 23, 2008 at 11:45 am #

    DefenseWall... When I installed it, it looked very easy. No popups, nothing. Everything I run is in unsafe mode. Take my download folder. When I want to delete everything inside it, I can't, because it is unsafe. I try to run it as trusted, but I still can't delete anything. After uninstalling I could delete what was in there.

    So... I think DefenseWall is a great product!! But I think you need some experience to use it!

  44. malwarekilla November 23, 2008 at 7:55 pm #

    @Darius – yeah, I’m looking at all sandbox technologies right now. I’ve only tested DefenseWall at this point though.

    @Subgud – Yup, you do have to have a little experience, or none at all.

    Take my wife for example – she gets on the internet and goes everywhere... she has no idea DefenseWall is running on her laptop.

    …but I know.

    She has a rogue installer in her sandbox (untrusted download from IE). I just love DW!

  45. Ilya Rabinovich November 23, 2008 at 8:15 pm #

    @Subgud – if you have set everything as untrusted, "run as trusted" won't work for you, as it requires to be sent only from a trusted process. That is why all the software you need to have untrusted is listed on the main site and the program's page. And that is why there is a built-in list of "already known that should be untrusted" apps.

  46. Adam November 23, 2008 at 11:18 pm #

    Can your product be used to execute malware for testing, to see what effect the malware would have if executed in a real-life situation by a person?

    Or will the malware be restricted by DefenseWall from performing any action whatsoever?

  47. Ilya Rabinovich November 24, 2008 at 11:56 am #

    @Adam – DefenseWall does restrict untrusted processes' activity according to its internal ruleset. So, malware won't be restricted from all actions, but from the malicious ones – yes.

  48. showtime33 December 3, 2008 at 7:40 pm #

    Why is everyone speaking well of KIS 2009... In the past KIS's HIPS has been defeated easily... I myself had issues with full reg/file HIPS turned on using it...

    Personally I wish Avira had a virtual HIPS... that would be cool... :)

    In the meantime I really like DefenseWall... I believe it works well.

  49. malwarekilla December 3, 2008 at 8:55 pm #

    @showtime33 – HIPS and sandboxing are TOTALLY different. Sandboxing says... "I don't care what you are, you're untrusted to me".

    HIPS relies on a "community database" + heuristics, which... yes, can be defeated.

  50. david December 23, 2008 at 11:00 pm #

    Can I use DefenseWall with Avira antivirus and get no problems?

  51. Ilya Rabinovich December 24, 2008 at 4:48 pm #

    Yep, sure you can.

  52. Yashau January 2, 2009 at 9:24 am #

    Ilya, any chance for a 64-bit capable version in the near future?

  53. Ilya Rabinovich January 4, 2009 at 9:21 am #

    Because of PatchGuard I can't implement as strong a protection there as I do for x32 OSes. The PatchGuard API is incomplete for me. So, my next step is not an x64 variant, but outbound traffic control with version 2.50.

  54. rolo March 14, 2009 at 12:25 pm #

    OK Matt,

    here's one for you.

    I have a Vista box running KIS 2009, and MS Virtual PC running XP. Inside XP I'm running Comodo and Sandboxie. I don't care too much about XP, because if it does get infected I will just reinstall. However, my Vista box should be 210% solid, eh?

    What do you think?

  55. Wil March 25, 2010 at 12:15 am #

    Which would you use, Sandboxie or the HIPS DefenseWall?

  56. Tom May 4, 2010 at 4:28 pm #

    Quick question…

    You were able to shut down processes and close .EXEs... but you didn't mention anything about "left behind" installation files, and particularly registry entries. Does DefenseWall NOT load anything into the registry, but instead create a "duplicate" pseudo registry?
