Anyone hear of GeSWall??


Sounds interesting. Does anyone here use it or know anything about it?


Re: Anyone hear of GeSWall??



Interesting?  Yes.  Effective?  Well, somewhat.

GeSWall is a policy enforcer that locks down the specified applications.
The free version only locks down web browsers.  You cannot use it to
lock down all Internet-facing applications.  Since this is a freeware
group, I'll only discuss the free version of GeSWall (since that's all I

Like DropMyRights or SysInternals' psexec, it reduces the privileges of
the web browser.  This is the same as would happen if you were logging
onto Windows using a limited user account (LUA).  These utilities run
the process under a LUA token to reduce their privileges.  That means
you cannot install software, including Windows updates, and any software
that makes it to your host will also be running under the LUA token
which affords some protection of your OS, like restricting access to the
%programfiles% and %windir% folders (so malware cannot deposit itself
there).  That does NOT prevent malware from, for example, installing
itself in your %userprofile% where you have full read and write
permissions even under a LUA account; otherwise, the %userprofile% path
would be of no value (however, I'm inclined to change permissions on
%userprofile% to disallow execution of files since the only files that
*should* go there are data files - but I haven't investigated the
ramifications of changing permissions on the %userprofile% folder).
Products from Google (e.g., Google Earth and Google Desktop) install in
the %userprofile% folder, which is why they can even install under a LUA
account, which frustrates those trying to manage what software can be
installed on their hosts.  Unlike DropMyRights or psexec that actually
*remove* privileges from a process (i.e., deny them to have those
privileges), GeSWall allows the process to have them but then disables
them.  If you use SysInternals' Process Explorer and look at the
security properties of your web browser, under DropMyRights or psexec
you will see only a couple of privileges listed (and which are enabled)
and the rest aren't even allowed on the process.  Doing the same with
GeSWall shows that all the privileges are there but almost all of them
have been disabled.  GeSWall is, after all, a policy enforcement tool.

You will find the policy restrictions to interfere with the use of some
sites.  For example, Windows Updates site won't function because it will
see the web browser is running under a LUA account (well, the browser
process is, not your Windows login) and tell you that you need to be an
admin user to apply updates.  You cannot install Adobe's Flash player
because, after all, you are trying to install software and that's not
allowed under a LUA.

GeSWall has sandboxing although they prefer to call it their isolated
mode.  When a process is GeSWalled, it won't have access to many
folders.  Instead any access to those folders is redirected to a virtual
copy of that folder (i.e., the virtual folder exists and accepts the
files or changes to them but that virtual folder vaporizes when the
isolated mode is exited).  GeSWall does not hook into as many system
APIs as does a sandbox, like Sandboxie.  That's not the point of
GeSWall.  It enforces policies on processes and does some isolation of
their file system access.  Sandboxing is more protective but also more
of a nuisance if you want to keep what you downloaded (usually involving
prompts having you decide if you want to save what you downloaded).
GeSWall tracks files that you download.  If you try to run them, GeSWall
intercepts the load and warns you that the file is tracked and will
start in an isolated mode (so the program runs under the LUA
restrictions).  You can choose to ignore the warning and load the
program non-isolated.  However, unlike sandboxing or virtual machines
which virtualizes all file downloads, and because GeSWall does permit
the file to download, you can get malware on your system - but then you
chose to download that file.  The default of running the download in
isolated mode is the anti-malware protection afforded by GeSWall
(besides the web browser running effectively under the reduced
privileges of a LUA token).  If, for example, you download a keylogger
and choose to run it, and accept the default action of running it
isolated, it only logs the keyboard while the process is loaded (by you)
and can be eliminated by killing the isolated environment for that
process.  GeSWall does not obviate the need for anti-virus and
anti-malware programs.  Neither does sandboxing or virtual machines
since often the point of using them is to test unknown and untrusted
software which you may eventually elect to install on your real host.

For awhile, GeSWall was interfering with the use of Java applets.  These
download to your host and run there using whatever is currently
configured as the Java interpreter.  I'm not talking about Javascript
which is a scripting engine built into the web browser and executed
within the address space and process for the web browser.  I'm talking
about applets that download to your host and use the Java programming
language.  And example is , a crossword puzzle
that uses a Java applet.  The problem was that GeSWall somehow
interfered with Java applets so they wouldn't start.  I've retrialed a
later version of GeSWall a couple weeks ago and that problem was gone
(well, it was gone for the Java sites that I visit).  Running a web
browser under a LUA token and inside an isolated environment (where
folder access is redirected to virtual folders) has its problems.  I use
the IE7Pro add-on to IE7.  It can save its config changes but those go
into a virtual copy of the %userprofile% folder.  That means when I
close that web browser and later start it that those config settings are
gone.  I've tried defining a resource rule to allow access to IE7Pro's
%appdata%\IE7Pro folder (and even tried using the registry key names
that GeSWall likes to use instead of standard environment variables) but
could not get IE7Pro to remember its config changes between browser
sessions.  This also means that any changes to the ad-block module (to
add a new spam source to block it) or a new login page added to its
forms saver (to make logins easy and semi-automatic) were discarded when
the isolated mode instance of the web browser was exited.  

They need to get away from using the MMC console as their UI.  It sucks.
There are deficiencies in MMC that become exhibited when using it as a UI
to GeSWall.  One of those is viewing the logfile.  GeSWall provides no
search tool to go hunting for specific entries in the log file.  You
have to scroll around.  They log everything (i.e., detailed logging) so
it gets very difficult to differentiate the "normal operations" logging
(that you rarely care about) from the alerts (that tell you something
wanted to change a registry key, for example, and was blocked but you'd
like to find out if maybe it was something you need to allow).  There
are no options to let you configure how detailed is the logging or what
type of entries get put into the log.  If you ever get into defining
resources (to block or allow them for the isolated environment for a
program), be prepared for confusion.  It takes awhile to get used to
their style of defining resources.

Their free version of GeSWall has what I would deem critical features
missing that are available in the paid version.  Forget about adding
more programs to the free version other than the included definitions
for web browsers.  You cannot define new programs to add to GeSWall for
it to run under a LUA token and in isolated mode.  So the free version
is really only useful for guarding the most common infection vector to
your host: the web browser.  Rather than having to terminate each
process that was running in isolated mode, the paid version lets you
clear them all out at once.  Doing them one by one is a nuisance but
then typically you only have web browsers listed in the isolated mode
(although other processes might be there, like the Dr Watson debugger if
the web browser happened to crash).  

There is still the bug that you cannot go into the browser's own
Internet Options -> General and view the TIF cache to see the files
there.  IE (iexplore.exe) uses DDE to send a message to Windows Explorer
(explorer.exe) to use it as the browser dialog to show that folder.
GeSWall also intercepts window messages to limit malware from attempting
to control other processes.  When you download a file (that you do
want), the folder to where you want to save it must already exist.  If
not, it will appear the browser dialog does nothing when you create a
new folder.  What happens, in fact, is the window messaging is again
blocked to show a repaint of the dialog.  You have to force a repaint by
navigating to a different folder, like going up to the parent folder,
and then navigate back to where you created the folder which then shows
up in the dialog's file/folder listing.  Since you couldn't name the
folder, you'll see "New Folder" as the newly added folder.  You'll
probably want to rename it but again the block on window messaging
interferes with the repaint of the listing.  You'll rename the folder,
navigate elsewhere, and navigate back to see the folder with its new
name.  Sometimes GeSWall is overly restrictive and can interfere with
your expected normal use of the web browser.  They're working on which
processes are trusted for window messaging to get around these defects;
however, the free version does not get whitelist updates so unless they
change that then you won't get an updated whitelist of file hashes of
what are trusted files, like for explorer.exe (Windows Explorer) and any
updated versions of it through hotfixes or service packs.

For protecting your host from malware using your web browser to get in,
GeSWall is good.  Just remember that if you download a file (which was
your choice) that it could contain malware and GeSWall won't protect you
from running that file - but it will default to running that untrusted
download within an isolated environment.  Just don't use policy
enforcers with isolated modes, sandboxing, or virtual machines as your
sole means of preventing infection by malware.  The super-nasties can
punch out of those, plus often they go quiescent inside those
environments because a process can detect those environments, so you
think the program is okay, your anti-virus program (within that
environment) doesn't bark out an alert, and you install it in your
production host which means the pest sees it isn't under a protective
environment and then it breaks open.

I've trialed GeSWall several times.  Although it strives to be
transparent, I've had too many interferences from it.  I don't mind the
LUA mode for the web browser.  GeSWall puts a "G" button in the titlebar
for the web browser which makes it easy to start a non-isolated instance
of the web browser.  I would prefer a tray icon context menu to do that
rather than having to first load the web browser and then switch it to
non-isolated mode.  The problem is, and as a deliberate security
measure, they won't pass the current URL to the non-isolated instance of
the web browser.  So you need to copy the URL in the Address bar, start
the non-isolated instance, and then copy the URL into the Address bar to
navigate back to where you were.  While it would be convenient to open
the non-isolated instance at the current URL, there are security issues
with this plus many sites won't let you directly navigate to a page,
anyway.  My original intent was to run *all* instances of Internet
Explorer under a LUA token (so I could continue logging onto my admin-
level account but the web browser was downed to running under a limited
account to reduce its privileges).  DropMyRights and SysInternals'
psexec only reduce privileges for the instance of the program that they
load.  They do nothing to reduce privileges on the web browser when
started as a child process of some parent process, like when you click a
URL link in an e-mail in your e-mail program to open the web browser.
Many programs can start the web browser as a child process, including
malware and why I wanted the web browser to always default to running
under a LUA token.  DropMyRights and psexec only protected the instances
that I started using shortcuts, not when the web browser was started by
another program.  GeSWall fulfills that need so the web browser is
always defaulted to starting in restricted mode no matter what started
the web browser.  The extra was the virtualization of folders for use by
the web browser's process to prevent the modification of the real
folders.  I eventually decided to get rid of GeSWall but I needed
something to give my LUA mode on all web browser instances.  I get that
with Tall Emu's Online Armor (OA), a firewall with HIPS.  It includes a
RunSafer option that you can enable on a program.  Any instance of that
program will run under a LUA token.  I can not only specify the web
browsers RunSafer but also my e-mail client and even Windows Media
Player and any other Internet-accessing program.  However, because the
program looks like it is running under a limited user account, you might
still find some problems using the program.  For example, under a LUA
token, the Filetypes tab in Windows Media Player options will disappear
because, as a non-admin, you aren't allowed to change filetypes.
GeSWall makes it easy (but only for the web browser in the free version)
to switch out of its isolated mode with the "G" titlebar button.  In OA,
I just right-click on its tray icon and temporarily disable the Program
Guard (its HIPS feature that includes the RunSafer option) when I need
an unprotected version of a program, like the web browser when visiting
the Windows Update site.

But I run into problems even with Online Armor (which was my substitute
for GeSWall + Windows Firewall).  Keystrokes get delayed in games.  In
non-game apps, I see no such delay.  In games, there is a noticeable
delay that has me running off cliffs or hesitating on a lean.  I have
to disable OA's Program Guard when I play a game to get rid of keyboard
delay.  ALL security software incurs a penalty.  They always engender
some delay because, well, they have to interrogate what's going on.  They
can cause conflicts.  They can be more restrictive than you care for.
Right now, GeSWall is a bit too intrusive and causes too many
interferences with my use of my computer, and OA seems a better balance.
I'm not looking to so overly secure my host as to make it unusable.  The
more security software gets in my way, the less that I'll use it.
Secure is nice; however, that's not the actual purpose of my host.
Security for security sake alone is of no value.  My host must be usable
to me.  
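An added example (not part of VanguardLH's post, and not code from GeSWall, DropMyRights or psexec) that makes the "removed" versus "disabled" distinction the post draws from Process Explorer's security tab visible on a token. On Windows it opens the current process token and lists its privileges three ways: as-is, on a duplicate after AdjustTokenPrivileges with DisableAllPrivileges (privileges still listed, attribute bits cleared, which is the GeSWall-style picture), and on a restricted token from CreateRestrictedToken with DISABLE_MAX_PRIVILEGE (privileges gone from the list, the picture a limited-rights launcher such as psexec -l gives; that those tools use the restricted-token/Safer APIs is taken from their own documentation, not from the post). Assumptions: Python 3 with ctypes on Windows for the live part; the attribute constants are the winnt.h values; the sample token lists are constructed, not captured from a machine, and stand in where Windows is not available.

```python
"""Disabled vs. removed privileges on a Windows access token (added example).

Pure helpers (compare, SAMPLE_*) run anywhere; windows_demo() needs Windows.
"""
import ctypes
import sys

# Attribute bits of LUID_AND_ATTRIBUTES, values from winnt.h.
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000


def compare(reference, observed):
    """Classify each privilege of `reference` as it appears in `observed`.

    Both are lists of (name, attributes).  'disabled' = still on the token
    but SE_PRIVILEGE_ENABLED clear (what the post sees under GeSWall);
    'absent' = not on the token at all (what a restricted token shows)."""
    seen = dict(observed)
    result = {}
    for name, _attrs in reference:
        if name not in seen:
            result[name] = "absent"
        elif seen[name] & SE_PRIVILEGE_ENABLED:
            result[name] = "enabled"
        else:
            result[name] = "disabled"
    return result


# Constructed sample tokens (assumption: not captured from a real host).
SAMPLE_FULL = [("SeChangeNotifyPrivilege", 3), ("SeShutdownPrivilege", 0),
               ("SeDebugPrivilege", 2), ("SeLoadDriverPrivilege", 0)]
SAMPLE_DISABLED = [(name, 0) for name, _ in SAMPLE_FULL]      # all present, all off
SAMPLE_RESTRICTED = [("SeChangeNotifyPrivilege", 3)]            # the rest stripped


def windows_demo():
    """Windows only: return (full, disabled, stripped) privilege lists."""
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    H, D, P = wintypes.HANDLE, wintypes.DWORD, ctypes.c_void_p
    k32.GetCurrentProcess.restype = H
    adv.OpenProcessToken.argtypes = [H, D, ctypes.POINTER(H)]
    adv.GetTokenInformation.argtypes = [H, ctypes.c_int, P, D, ctypes.POINTER(D)]
    adv.LookupPrivilegeNameW.argtypes = [wintypes.LPCWSTR, P, wintypes.LPWSTR, ctypes.POINTER(D)]
    adv.DuplicateTokenEx.argtypes = [H, D, P, ctypes.c_int, ctypes.c_int, ctypes.POINTER(H)]
    adv.AdjustTokenPrivileges.argtypes = [H, wintypes.BOOL, P, D, P, P]
    adv.CreateRestrictedToken.argtypes = [H, D, D, P, D, P, D, P, ctypes.POINTER(H)]

    def check(ok):
        if not ok:
            raise ctypes.WinError(ctypes.get_last_error())

    def privileges(token):
        """Read TOKEN_PRIVILEGES (class 3) and resolve each LUID to its name."""
        size = D(0)
        adv.GetTokenInformation(token, 3, None, 0, ctypes.byref(size))
        buf = ctypes.create_string_buffer(size.value)
        check(adv.GetTokenInformation(token, 3, buf, size.value, ctypes.byref(size)))
        count = D.from_buffer_copy(buf, 0).value
        out = []
        for i in range(count):  # LUID_AND_ATTRIBUTES is 12 bytes, array starts at offset 4
            luid = (ctypes.c_byte * 8).from_buffer_copy(buf, 4 + 12 * i)
            attrs = D.from_buffer_copy(buf, 12 + 12 * i).value
            n = D(0)
            adv.LookupPrivilegeNameW(None, ctypes.byref(luid), None, ctypes.byref(n))
            name = ctypes.create_unicode_buffer(n.value + 1)
            check(adv.LookupPrivilegeNameW(None, ctypes.byref(luid), name, ctypes.byref(n)))
            out.append((name.value, attrs))
        return out

    TOKEN_ALL_ACCESS = 0xF01FF
    tok, dup, restricted = H(), H(), H()
    check(adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_ALL_ACCESS, ctypes.byref(tok)))
    full = privileges(tok)
    # (b) privileges kept on the token but switched off: DisableAllPrivileges=TRUE
    check(adv.DuplicateTokenEx(tok, TOKEN_ALL_ACCESS, None, 2, 1, ctypes.byref(dup)))
    check(adv.AdjustTokenPrivileges(dup, True, None, 0, None, None))
    disabled = privileges(dup)
    # (c) DISABLE_MAX_PRIVILEGE (0x1) deletes every privilege except SeChangeNotifyPrivilege
    check(adv.CreateRestrictedToken(tok, 0x1, 0, None, 0, None, 0, None, ctypes.byref(restricted)))
    stripped = privileges(restricted)
    for h in (tok, dup, restricted):
        k32.CloseHandle(h)
    return full, disabled, stripped


if __name__ == "__main__":
    if sys.platform == "win32":
        full, disabled, stripped = windows_demo()
    else:
        print("not Windows: using constructed sample tokens")
        full, disabled, stripped = SAMPLE_FULL, SAMPLE_DISABLED, SAMPLE_RESTRICTED
    vs_disabled, vs_stripped = compare(full, disabled), compare(full, stripped)
    for name, _ in full:
        print(f"{name:36} disabled-token: {vs_disabled[name]:9} restricted-token: {vs_stripped[name]}")
```

The two pictures differ in what an attacker can undo: a privilege that is merely disabled can be re-enabled by the same process with AdjustTokenPrivileges if nothing else intercepts the call, whereas one that is absent from the token cannot be recovered without a fresh token, which is why the post's Process Explorer check (privilege shown as Disabled versus not listed at all) is worth doing on any "reduced rights" launcher.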

Re: Anyone hear of GeSWall??

A comprehensive and interesting post, VanguardLH - Thank you.

Btw, did you revisit the 'Pictures in groups?' thread in
'motzarella.newusers' ?

I had a faint hope that you might further explore!



Re: Anyone hear of GeSWall??



"GeSWall is intrusion prevention system that is non-intrusive and easy
to use. With GeSWall, you can safely surf the Web, use e-mail, chat,
exchange files, regardless of the security threats posed by the
Internet. GeSWall is a required supplementary to your anti-virus,
anti-spyware and personal firewall as it blocks unknown treats missed by
those solutions."

Gotta love a supplementary that blocks unknown treats.

   -Friends don't let friends drive Windows

Re: Anyone hear of GeSWall??

John D wrote:


Nope.  I have no personal interest in using the publicly accessible
private groups at annexcafe.  I don't do binaries no matter what
newsgroups server I use.

Re: Anyone hear of GeSWall??


I understand, yet I thought you might have commented on this:-

"I finally managed to register there and I must say that this is not a
domain I like to be on. First of all, the site doesn't seem to work
properly without scripts enabled. Second, indeed, a lot of 'wrong'
redirections. I'd advise you get out of there right away. I have a
feeling the host is no longer in charge there... "

The computer 'experts' group - User2User - is staffed by *really* clever
folk. They'd make you look like a newbie and eat you for breakfast!
