DefenseWall is a HIPS program working on the “white-list” principle: it reduces the rights of programs and executable files running outside the trusted zone. The idea is to set the programs that are vectors of infection (browsers, e-mail, P2P, instant messengers and IRC clients, script engines, etc.) as “untrusted”, meaning that everything reaching the computer through these programs is enclosed inside the untrusted zone.
The protection works in a “no popups” mode. In other words, the protection is automated, because the ‘untrusted’ attribute is set for everything that comes through ‘untrusted’ programs, based on the parent process: processes, scripts, and registry activity. And the ‘untrusted’ attribute is “contagious”: when an ‘untrusted’ process launches another process already present on the system (e.g. cmd.exe), this process is made ‘untrusted’ too. Thus very little user input is needed to run the program.
The main window shows the number of ‘untrusted’ processes running, and a big red button is there to kill all these ‘untrusted’ processes if an infection occurs:
All the settings can be accessed from this main window, and the user can view the activity of ‘untrusted’ processes with the Event viewer and/or the Rollback panel.
All the user needs to do is add the programs he wants to run in ‘untrusted’ mode to the default list. Whenever some malware is downloaded through a browser, for instance, the malware is subjected to the ‘untrusted’ zone policy: ‘untrusted’ processes won’t be able to autostart, load drivers/services, alter system files, change certain security settings on the system, terminate/kill trusted processes, etc.
An additional protection is offered by the “Secured files” feature: the user can add any files/folders he never wants to be accessed/read by ‘untrusted’ processes. The purpose is to protect personal files from being infected and/or hijacked by malware, for instance.
The ‘untrusted’ zone can be set manually not only per program but per folder/directory too: the user can add a folder to the untrusted zone using the right-click menu.
For the modifications that DefenseWall doesn’t prevent directly (by blocking them), a rollback function takes over: that is a concrete illustration of the separation between the normal “trusted” zone and the ‘untrusted’ one. All files, folders and registry entries created by ‘untrusted’ processes can be viewed, and erased by DefenseWall, here.
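The policy described above (contagious ‘untrusted’ attribute, blocked actions, Secured files, big red button and rollback), reduced to a small model as an added example; this is illustrative code written here, not DefenseWall’s own, and the program list, folder, file paths and action names are assumptions.

```python
# Illustrative model of the "untrusted zone" policy described above; a constructed
# example, not DefenseWall's code. Program lists, paths and action names are made up.
UNTRUSTED_PROGRAMS = {"browser.exe", "mail.exe", "p2p.exe"}  # default untrusted list
UNTRUSTED_FOLDERS = {"d:\\"}                                 # e.g. a CD drive in the zone
SECURED_FILES = {"c:\\users\\me\\documents\\tax.xls"}        # "Secured files" feature
# Actions the page says an untrusted process can never perform
BLOCKED_FOR_UNTRUSTED = {"autostart", "load_driver", "alter_system_file", "change_security_setting"}

class Sandbox:
    def __init__(self):
        # process table, Event viewer log, Rollback panel entries, next pid to hand out
        self.processes, self.events, self.rollback, self._next = {}, [], [], 1

    def launch(self, image, parent_pid=None):
        # Contagious attribute: inherited from an untrusted parent, or set because the
        # image is a listed program or lives in an untrusted folder. Returns the new pid.
        img = image.lower()
        untrusted = ((parent_pid is not None and self.processes[parent_pid]["untrusted"])
                     or img.rsplit("\\", 1)[-1] in UNTRUSTED_PROGRAMS
                     or any(img.startswith(folder) for folder in UNTRUSTED_FOLDERS))
        pid, self._next = self._next, self._next + 1
        self.processes[pid] = {"image": image, "untrusted": untrusted}
        return pid

    def act(self, pid, action, target=None):
        # Policy check for one action; trusted processes are never restricted.
        if not self.processes[pid]["untrusted"]:
            return True
        denied = (action in BLOCKED_FOR_UNTRUSTED
                  or (action == "terminate" and not self.processes[target]["untrusted"])
                  or (action == "read" and str(target).lower() in SECURED_FILES))
        self.events.append(f"{'BLOCKED' if denied else 'allowed'} pid={pid} {action} {target}")
        if denied:
            return False
        if action in ("create_file", "create_regkey"):
            self.rollback.append(target)  # tracked so the Rollback panel can erase it later
        elif action == "terminate":
            del self.processes[target]
        return True

    def kill_untrusted(self):
        # The "big red button": terminate every untrusted process at once.
        killed = [pid for pid, p in self.processes.items() if p["untrusted"]]
        self.processes = {pid: p for pid, p in self.processes.items() if not p["untrusted"]}
        return killed

    def rollback_all(self):
        # Erase every file/registry entry that untrusted processes created.
        removed, self.rollback = self.rollback, []
        return removed
```

Note that cmd.exe started by an untrusted dropper becomes untrusted even though it is a trusted system binary on disk, which is the “contagious” behaviour the text describes.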
DefenseWall presentation by its author (Ilya Rabinovitch):
DefenseWall has a powerful logging mechanism which allows you to see all the blocked dangerous actions. It may allow you to detect the presence of malware on your system.
DefenseWall's interface is really simple and intuitive. You don't need to read the help file to start using DefenseWall in a 100% effective manner.
The only thing you need to do is to put all the potentially dangerous applications (browsers, e-mail, P2P and IRC clients) into the untrusted applications list (also, there is a built-in untrusted applications list which will be growing). If your computer is attacked with your browser via a browser vulnerability (or run as an attachment with your e-mail client), the malware won't be able to install properly into your system, nor can it steal your sensitive information or harm your computer. It will be within the "untrusted processes" area, and can be terminated with one "big red" button push! Or, you may close malware processes separately.
DefenseWall has a registry and file system tracking mechanism which allows you to cleanup all the malware modules and malware-created registry keys under your full control. You have no chance of erasing anything important! ATTENTION! This feature is for the advanced user only! Others may need to use antivirus scan engines to remove malware modules from their system.
I hope you'll like and enjoy DefenseWall as much as many users!
* For these tests, version 1.40 was used (several improvements were added in the meantime in later versions).
* Tests were first made with other monitoring programs enabled (Process Guard and RegDefend), to watch the events closely before the actual test, and then with DefenseWall only. Most of the tests were made several times, with different setups.
* Antivirus was disabled for the tests, except for a few tests where the AV was likely to be killed by the test file, to note whether it was killed or not (the test file was then excluded from scanning).
* Most of the tests were launched from a CD, to meet the methodology criteria (files must be “unknown” to the program); the CD drive was then added to the ‘untrusted’ zone. But a few tests had to be launched from the hard drive, when they did not work from a removable device. Some other test files were downloaded through the browser, and were then automatically ‘untrusted’.
For kareldjag: test files are launched as untrusted from the CD-ROM, or from the hard drive for some of them.
Antivirus always disabled, and the firewall only enabled if the test file needs an outbound connection.
A protocol analyzer was used for backdoor tests.
Tests done with only one HIPS (DefenseWall) installed.
All tests done on Windows XP2, and results submitted to the Softsphere team before publication.