I wonder what the experts think of intrusion defenders like Geswall
(GentleSecurity).
Is it useful or overkill? To be used in addition to other protections (AV,
firewall, etc.) or instead of?
Jeff
I used GeSWall on and off. I like its premise but its implementation needs
work. Too often it would get in my way. For example, when you download a
file from a site through your browser, it appears you cannot create a new
folder (to save the downloaded file). You try to use New Folder to create a
new folder but it doesn't appear (and there is no error message). The
workaround is to backup a folder level to select a different folder, select
the parent folder (under which you created the new folder), and that
refreshes the list so you can now see and select the new folder you created.
I do like that it has a means of conveniently letting you start a
non-protected instance of the web browser (like when you visit Windows
Updates or any site where you want to actually install some software from
there) but it doesn't remember where you were. It starts a new instance
without remembering your current navigation path. That means, in the new
unprotected instance, you have to navigate all the way to where you were
before when you decided you needed an unprotected instance. This is a
security measure to prevent any buffer overruns or other malware from
affecting the new unprotected instance, but it is a hassle.
If you visit their forums (http://www.gentlesecurity.com/board/) and search
on my moniker, you'll find other posts that I've made there regarding
deficiencies in their program. Actually their search doesn't seem to find
but one of my posts. Here is a link list of them:
http://gentlesecurity.com/board/viewtopic.php?t=333
http://gentlesecurity.com/board/viewtopic.php?t=327 (fixed, I think)
http://gentlesecurity.com/board/viewtopic.php?t=326
http://gentlesecurity.com/board/viewtopic.php?t=325
http://gentlesecurity.com/board/viewtopic.php?t=324
http://gentlesecurity.com/board/viewtopic.php?t=323
http://gentlesecurity.com/board/viewtopic.php?t=301 (fixed)
http://gentlesecurity.com/board/viewtopic.php?t=318
http://gentlesecurity.com/board/viewtopic.php?t=304
http://gentlesecurity.com/board/viewtopic.php?t=298
http://gentlesecurity.com/board/viewtopic.php?t=297
http://gentlesecurity.com/board/viewtopic.php?t=293
http://gentlesecurity.com/board/viewtopic.php?t=295
http://gentlesecurity.com/board/viewtopic.php?t=294
http://gentlesecurity.com/board/viewtopic.php?t=296
http://gentlesecurity.com/board/viewtopic.php?t=292
I wait until they get a new version, trial it again, hit another wall, and
then discard it again. My needs may be more robust or unbounded than yours.
I would suggest using an uninstaller utility, like Zsoft Uninstaller, to
record the GeSWall installation so you can do a clean uninstall of it (first
use the Add/Remove Programs entry and then use Zsoft for more cleanup).
The free version of GeSWall only protects (enforces additional policies and
virtualizes some folders) a few applications, like your web browser. I
don't know if it covers all web browsers yet, like Safari, Chrome, or Opera.
I only recall IE and FF being covered. I found GeSWall just got in my way
too much.
To protect my web browser, e-mail client, or any Internet-facing
application, I instead switched to TallEmu's OnlineArmor which is a firewall
with HIPS (host intrusion protection system). It has a Run Safer option you
can enable on a rule that you have defined for an application. The Run
Safer forces the process (no matter who started it which means it covers
when, for example, the web browser is started as a child process by another
application) to run under a Limited User Access (LUA) token. This means the
process runs under the same limited privileges as if you had logged in under
a limited user account. Almost all security experts will tell you that the
best way to be safe when doing anything on the Internet is to be under a LUA
account. I used to use SysInternals psexec.exe because it had a
command-line parameter to run the program that it loaded under a
LUA token; however, that only works for the program you started with it.
If that program was started as a child process, like some
application starting an instance of your web browser, the web browser would
not be limited. The Run Safer option in OnlineArmor regulates at the
process level, not at the command-line level, so no matter what app started
the process, that process gets limited. The Run Safer option is available in
the free version of OnlineArmor (but I squeaked in on a day they had a
giveaway and now have the full version). I can use the Run Safer option on
any process that is defined as an app rule in OnlineArmor, not just on the
web browser (as would be only covered by free GeSWall). That includes my
e-mail clients or anything else that makes a network connection. You do
run into problems when you visit a site where you want to install software,
like the Windows Updates site; however, it is easy enough to right-click on
the OnlineArmor tray icon and disable it and load a new instance of the web
browser to that site.
Both GeSWall and Run Safer are safety features that are in *addition* to
using a firewall, not to replace a firewall. Neither do they obviate the
need for anti-virus/malware software.
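One way to check the claim above, that Run Safer (or psexec's LUA option) actually leaves the browser holding a limited token rather than the logged-on user's full one. This is an added PowerShell example, not code from the thread or from OnlineArmor, GeSWall or Sysinternals; the browser process names and the assumption that the browser runs under the same user as the shell are mine.

```powershell
# Added example: report whether a running process (e.g. the browser) holds a
# restricted token and whether the Administrators group is still enabled in it.
# A process run "Safer" or via a LUA token should show IsRestrictedToken = True
# and/or AdminGroupEnabled = False; a normal child process of an admin shell will not.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool IsTokenRestricted(IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-ProcessTokenReport {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY_AND_DUPLICATE = 0x0008 -bor 0x0002   # TOKEN_QUERY | TOKEN_DUPLICATE

    $hProc = [Win32.Token]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $ProcessId" }
    $hTok = [IntPtr]::Zero
    try {
        if (-not [Win32.Token]::OpenProcessToken($hProc, $TOKEN_QUERY_AND_DUPLICATE, [ref]$hTok)) {
            throw "OpenProcessToken failed for PID $ProcessId (different user or protected process?)"
        }
        # WindowsIdentity reads the token's user and group SIDs; IsInRole(Administrator)
        # is false when the Administrators SID is absent or marked deny-only.
        $identity  = New-Object System.Security.Principal.WindowsIdentity($hTok)
        $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
        $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
        [pscustomobject]@{
            ProcessId         = $ProcessId
            User              = $identity.Name
            IsRestrictedToken = [Win32.Token]::IsTokenRestricted($hTok)
            AdminGroupEnabled = $principal.IsInRole($adminRole)
        }
    } finally {
        if ($hTok -ne [IntPtr]::Zero) { [void][Win32.Token]::CloseHandle($hTok) }
        [void][Win32.Token]::CloseHandle($hProc)
    }
}

# Assumed browser process names; adjust to whatever you protect with Run Safer.
Get-Process -Name firefox, iexplore -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessTokenReport -ProcessId $_.Id } |
    Format-Table -AutoSize
```

Run it from a non-elevated PowerShell session as the same user that owns the browser; a process started by another account or a protected process will fail at OpenProcessToken and is reported as an error rather than silently passing.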