ssj100 Security Forums

DefenseWall Personal Firewall at Bits du Jour

4 posters


Post by Ruhe 2/3/2011, 19:33

For all who are interested in DefenseWall: in the next few days there should be an offer to buy DefenseWall Personal Firewall for $20 (a 50% discount) at Bits du Jour.

Link
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

Post by Ruhe 5/3/2011, 18:22

The deal is active.

Post by ssj100 13/3/2011, 07:18

Just briefly tested DefenseWall 3.10 Beta and Ilya still hasn't done anything to address this vulnerability in DefenseWall:
https://ssj100.forumotion.com/t311-sandboxing-explorerexe-with-sandboxie#2762
https://ssj100.forumotion.com/t290-defensewall-pitfalls#2749

It's a very simple bypass to reproduce (and this is just an example of a potentially malicious "attack vector"):
1. Install Adobe Reader and DefenseWall.
2. Download any PDF document and make sure it's "Untrusted".
3. Open Windows Task Manager - look for a process called "AcroRd32Info.exe" - if it's running, terminate it.
4. Hover your mouse cursor over the PDF document while watching for "AcroRd32Info.exe" to spawn in Task Manager.
5. Check DefenseWall to see if "AcroRd32Info.exe" is running "Untrusted". Since the PDF document is "Untrusted", we would expect DefenseWall to run anything related to it as "Untrusted" too.
6. Notice that "AcroRd32Info.exe" is actually running "Trusted"!
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Post by kjdemuth 14/3/2011, 07:51

Has someone actually brought this to Ilya's attention? Ilya is pretty good about taking care of any issues. I don't think I've met any other developer that actually checks forums as well as he does. I don't use DefenseWall myself but I wouldn't hesitate to use it knowing how well it works and is developed.

kjdemuth
Member

Posts : 10
Join date : 2011-01-23

Post by ssj100 14/3/2011, 10:29

I think Ilya knows about all the issues I have posted about DefenseWall here (there are many "Guests" who visit this forum who also visit the DefenseWall forum). Whether it's easy or even possible to "fix" these issues is another story. If you are a user of DefenseWall and if you are concerned (I certainly would be), I would suggest contacting Ilya yourself. The last time I posted about an issue, I got "verbally" abused (via PM) by an Administrator on the DefenseWall forum and got IP banned.

Of course, I fully support Ilya and DefenseWall - that's why I care enough to test it out and to point out its strengths and weaknesses.

Post by p2u 15/3/2011, 15:45

kjdemuth wrote: Has someone actually brought this to Ilya's attention?
ssj100 wrote: I think Ilya knows about all the issues
I reported the issue to Ilya on one of the many Russian forums. He was reluctant to do anything about images and text files (by default also launched by "Trusted" applications), but with the PDF issue and AcroRd32Info.exe launching as "Trusted" his reply was more encouraging: "This is at least theoretically risky; I'll have a look into it". As soon as he comes up with a reply, I'll let you know.

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

Post by p2u 16/3/2011, 11:29

Ilya replied: he seems to have added AcroRd32Info.exe to the Untrusted Zone ("dynamically" - whatever that means).

Paul


Post by ssj100 16/3/2011, 12:01

That's what I thought he might do, but it's only a specific fix for Adobe Reader files - it still means DefenseWall is vulnerable to this attack vector. Even with earlier DefenseWall versions, any user could have "fixed" this himself/herself by manually adding "AcroRd32Info.exe" as "Untrusted".

In order for DefenseWall to properly fix (perhaps a variant of?) this attack vector, it must be able to run "explorer.exe" as "Untrusted". Last time I checked, this wasn't possible with DefenseWall. It's possible with Sandboxie as I demonstrated here:
https://ssj100.forumotion.com/t311-sandboxing-explorerexe-with-sandboxie#2499

Will be interesting to see if Ilya will add this (equivalent) feature in DefenseWall, and if not, why not?

Post by p2u 16/3/2011, 13:23

ssj100 wrote: run "explorer.exe" as "Untrusted" [...] Will be interesting to see if Ilya will add this (equivalent) feature in DefenseWall, and if not, why not?
I asked this question already. Waiting for a reply. I'll let you know all the details as soon as Ilya posts his reply.

Paul


Post by ssj100 18/3/2011, 07:55

Thinking about it, I don't think much can be done to solve it from DefenseWall's point of view. It's possible with Sandboxie because Sandboxie applies more of a virtualisation mechanism. DefenseWall applies more of a policy mechanism. This means that DefenseWall is not able to run a virtualised instance of "explorer.exe" like Sandboxie does. It may be able to run "explorer.exe" with "limited rights", but I think that would defeat the purpose, since we do want to potentially use "explorer.exe" freely.

Anyway, will be interesting to see what Ilya says about this.