How are GeSWall and Def+ different?

Are they two different technologies? Def+ is a HIPS, and GeSWall seems to be a HIPS also. Am I wrong here?

They have one difference: Defense+ works.

I tested on some of the latest Cycbot samples today; GeSWall didn’t even realize what was happening in the system.

Defense+ produces a barrage of messages, including those where the malware tried to modify svchost.

Defense Plus relies on a black/white list to know if something is safe or not; GeSWall just does not trust anything at all that is downloaded from the browser.

No, Defense+ relies on application behavior to know if something is safe.

The white list (trusted vendors) is a hasty and ultimately botched effort to make it easier to use.

I don’t know about GeSWall, but to clear up some misunderstanding:

D+ uses the white list, recognizing safe files by file hash.
Unknown files are just that, unknown. There is no black list in D+ per se.
If the unknown file is uploaded to the cloud, then…
If the cloud behavior check comes back Not Malicious, the file will still be unknown, and will continue to be sandboxed unless the user adds it to their own safe files, or the file eventually gets whitelisted through whatever process/vetting Comodo analysts use…
If the cloud behavior check comes back Malicious, the file will be blacklisted as in AV sigs and dealt with accordingly.
So even without the AV active, D+ users get the benefit of having unknowns checked against the black or AV list.

The TVL is a separate list. Some don’t like it, and many wish for more control over it than just choosing not to use it.

All together it works great. “a hasty and ultimately botched effort” is definitely a matter of personal opinion.

reference - Comodo Help

Bad

I don’t use GeSWall, but I don’t believe it is a HIPS. I think it’s more of a sandboxing application? As far as I’m aware, it isolates anything internet-facing and restricts the access rights of those applications.

That’s what I thought, but GeSWall’s site, which I just revisited, says it’s an intrusion prevention system rather than a host intrusion prevention system. From what I’ve read and the way I understand it, an IPS monitors and prevents bad things from happening both on the host itself and on the network, whereas a HIPS only monitors and prevents bad things from happening on the host and has nothing to do with the network itself. So in theory IPS sounds better than HIPS. Maybe Def+ is ridiculously powerful and GeSWall is just ridiculously weak at this time, but I don’t know; my understanding could be flawed.

I made the original post because when I visited GeSWall’s site a long time ago I couldn’t find out what kind of technology GeSWall was at the time, but they were claiming to be a better solution than sandboxing, HIPS, firewall and AV. The only thing I knew at the time from their site about GeSWall was that it isolates things, which is what sandboxing does, correct? And because I saw no difference between what GeSWall does and what a sandbox does, I found it confusing for them to claim to be better than a sandbox. I guess I should have visited their site again before I started a new topic.

Please correct me if I’m wrong in thinking isolating and sandboxing are the same. The only way I can think of that I may be wrong is if you’re able to isolate things without virtualizing, which is what sandboxing is, correct?

Yes, they say it’s an intrusion prevention system, but if you follow the how it works link, it mentions that it protects you from intrusions by isolating internet facing applications by an access restriction policy.

So yes, this is a type of sandboxing application. It is an access restriction sandbox such as the current CIS automatic sandbox or the Chrome sandbox, not a fully virtualized sandbox like the manual sandbox in CIS or Sandboxie.

Thanks for the link.

Do you know if the automatic sandbox in CIS is stronger than the one in Chrome?

From what I know, Chrome’s sandbox relies on the Windows security model and does not fully virtualize, if it even actually virtualizes anything at all; I don’t know. I’ve heard some people say it doesn’t really virtualize, but they never gave any evidence that supported that claim.

Also, regardless of whether or not either one of Comodo’s sandboxes is stronger than Chrome’s, do you know if Comodo’s automatic or manual sandbox relies on the Windows security model?

I don’t know if the automatic sandbox is stronger than Chrome.

Yes, Chrome utilizes built in OS security features to restrict plugin access. From what I’ve read about their sandbox, it doesn’t virtualize anything. You can read more about it here.

I don’t believe the developers have ever said exactly how the access restrictions in the automatic sandbox work, so I don’t know if it relies on the OS security features to function. Since the manual sandbox is a virtualized file system, I’d suspect it doesn’t rely on the OS for security, but the developers haven’t released any specifics on the operation of the manual sandbox either.

I am sure that Auto Sandbox uses OS security features.

Open your CIS, and go to:
Defense+ > “Computer Security Policy” option > “Always Sandbox” tab > “Add” button

Notice the following in the RESTRICTION SETTINGS tab:
Move the restriction level and read the description for each level.
You will notice that the stronger the level is, the more OS security features are used.

Also, if you go to the ADVANCED SETTINGS tab you will notice:
. Enable file system virtualization
. Enable registry virtualization

In summary, OS security features + virtualization (file system and registry) is the most secure combination for protection. Great work from COMODO, don’t you think? Well done!
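
The two posts above say that both Chrome and the CIS automatic sandbox lean on OS security features. The added example below (not from this thread, nor Comodo's or Google's code) is one way to see those features from the outside: it reads each process's token integrity level (the mandatory label SID, S-1-16-x) and asks the kernel whether the process sits inside a job object, the two restrictions a Chrome-style access-restriction sandbox applies without virtualizing anything. The process name 'chrome' is an assumption; change it to check Dragon or any other browser. It needs Windows Vista or later (integrity levels) and a PowerShell session running as the same user as the browser.

```powershell
# Added example: report token integrity level and job-object membership
# for every process with a given name. Not part of the original thread.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class SandboxProbe {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProc, uint access, out IntPtr hTok);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr hTok, int infoClass,
        IntPtr info, int infoLen, out int retLen);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsProcessInJob(IntPtr hProc, IntPtr hJob, out bool inJob);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the last RID of the token's mandatory label SID
    // (0x0000 Untrusted, 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System).
    public static int GetIntegrityRid(IntPtr hProc) {
        IntPtr hTok;
        if (!OpenProcessToken(hProc, TOKEN_QUERY, out hTok))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try {
            int len;
            GetTokenInformation(hTok, TokenIntegrityLevel, IntPtr.Zero, 0, out len); // size query
            IntPtr buf = Marshal.AllocHGlobal(len);
            try {
                if (!GetTokenInformation(hTok, TokenIntegrityLevel, buf, len, out len))
                    throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
                // TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes }
                IntPtr sid = Marshal.ReadIntPtr(buf);
                int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            } finally { Marshal.FreeHGlobal(buf); }
        } finally { CloseHandle(hTok); }
    }

    // True if the process is confined by any job object (hJob = NULL means "any job").
    public static bool InJob(IntPtr hProc) {
        bool inJob;
        if (!IsProcessInJob(hProc, IntPtr.Zero, out inJob))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return inJob;
    }
}
"@

function Get-IntegrityLabel([int]$rid) {
    switch ($rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { '0x{0:X}' -f $rid }   # e.g. Medium Plus or a custom label
    }
}

$name = 'chrome'   # assumption: adjust to 'dragon' or another browser
Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $h = $proc.Handle   # opening fails with Access denied if we cannot query it
        [pscustomobject]@{
            PID       = $proc.Id
            Name      = $proc.ProcessName
            Integrity = Get-IntegrityLabel ([SandboxProbe]::GetIntegrityRid($h))
            InJob     = [SandboxProbe]::InJob($h)
        }
    } catch {
        [pscustomobject]@{ PID = $proc.Id; Name = $proc.ProcessName
                           Integrity = 'n/a'; InJob = $_.Exception.Message }
    }
} | Format-Table -AutoSize
```

With a Chrome-style sandbox you expect the main browser (broker) process at Medium and outside any job, and the renderer/plugin children at Low or Untrusted and InJob True; a process that shows Medium and InJob False is not being restricted by the OS at all, whatever product claims to be sandboxing it. Note that this only shows the token and job restrictions; it says nothing about file system or registry virtualization, which happens inside the sandboxing product's own driver and is not visible through these APIs.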

Do you know if you could run Comodo Dragon in Sandboxie and put Sandboxie in the Always Sandbox list? This way the browser takes advantage of three sandboxes, since Comodo Dragon uses Chrome’s sandbox.

IMO that would be unnecessary.
You have enough with the security CD browser provides, plus CIS. :wink:

I’d agree, but I was just curious if it would provide any more security to a user’s browsing,

and also if you could do it without the sandboxes conflicting.