Sandbox & Virtualization HIPS


CogitoErgoSum
July 20th, 2006, 05:47 PM
The past six and a half months have truly convinced me that a host intrusion prevention system (HIPS) that employs non-admin./limited user, sandboxing and virtualization technologies is the ultimate security setup for malware prevention alongside an antivirus and firewall. The links posted below explain or demonstrate the virtue of a non-admin./limited user account.

http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx
http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx
http://eweek.com/article2/0,1759,1891447,00.asp

In an objective and open minded fashion I have posted links below to current HIPS that incorporate some or all of the above mentioned technologies.

DefenseWall - http://www.softsphere.com/
BufferZone SAE/Home/Pro - http://www.trustware.com/
GreenBorder - http://greenborder.com/
Virtual Sandbox - http://www.fortresgrand.com/products/vsb/vsb.htm
VELite - http://www.secureol.com/
SandBoxie - http://sandboxie.com/
RunSafe - http://www.runsafe.com/
1-Defender - http://amustsoft.com/1-defender/

Out of the eight, for whatever reason, my sole experience is with DefenseWall. Interestingly, I found out about DW at both CastleCops - http://www.castlecops.com/postlite140478-defensewall.html and Wilders - http://www.wilderssecurity.com/showthread.php?t=98240&highlight=defensewall. It is my opinion that DW is the most effective and refined example of this kind of software at any price. In addition to being both simple and easy to use, it uses a relatively modest amount of resources. Ilya Rabinovich, DW's creator, provides excellent customer and technical support and timely program updates and fixes. I have provided links regarding DW below that may be of interest to you.

DefenseWall Test - http://security.over-blog.com/article-3030160.html
DefenseWall Support Forums - http://gladiator-antivirus.com/forum/index.php?showforum=192

Peace & Love,

CogitoErgoSum

aigle
July 20th, 2006, 06:12 PM
You forgot GesWall!

WilliamP
July 21st, 2006, 03:20 PM
I have been using DefenseWall for a while and I feel that it is great. I am not a security expert, but from what I have seen I feel that it is one of, if not the best, security programs I have. I would much rather keep things off my computer than try to get them off.

ErikAlbert
July 21st, 2006, 06:09 PM
I tried RunSafe, but I don't like its design. The box with the secured applications isn't a good idea IMO.
Each chosen application is in fact doubled on your desktop: unsecured and secured. If I click on the wrong icon of MSIE I'm not secured.
MSIE is secured, but if I click on a website icon on my desktop, the website isn't secured. What a mess.

nicM
July 24th, 2006, 08:11 PM
-{ Quote: " The links posted below explain or demonstrate the virtue of a non-admin./limited user account.

http://blogs.msdn.com/aaron_margosis/archi.../17/157962.aspx
http://blogs.msdn.com/aaron_margosis/archi.../25/166039.aspx
" }-

Hi CogitoErgoSum,

Your first two links do not work, seems they've been shortened :-\ .

here are the links :

Why you shouldn't run as admin... (http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx)

"Zero-day" attacks and using limited privilege (http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx)

Very interesting ! ;)

nicM

Frank the Perv
July 24th, 2006, 11:32 PM
DefenseWall seems good.

Has anybody tried both DefenseWall and Prevx?

I like the sound of both programs.

Tommy
July 25th, 2006, 01:41 AM
I think I have to mention a similar soft called BlackICE here, which is IMHO one of the best IDS - you _could_ also call it HIPS - out there.

Ilya Rabinovich
July 25th, 2006, 06:03 AM
-{ Quote: "Has anybody tried both DefenseWall and Prevx?
I like the sound of both programs." }-

I've tested both together and have found no problems.

-{ Quote: "I think i have to mention a similiar soft called Blackice here, which is IMHO one of the best IDS - you _could_ call it also HIPS - out there." }-

Wrong: IDS are based on signature methods; HIPS are not.

Tommy
July 25th, 2006, 09:00 AM
-{ Quote: "Wrong- IDS are based on signature methods, HIPS are not." }-
Learned something again today. Wasn't aware of this.

CogitoErgoSum
July 25th, 2006, 11:02 AM
It has been brought to my attention that the first two links that I originally posted regarding the virtues of a non-admin./limited user account apparently do not work. I revised the links in the original post up above so that they do work. Thanks nicM for pointing that out.

The Wilders link apparently does not work either. I also revised this link in the OP so that it works.


Peace & Love,

CogitoErgoSum

kareldjag
July 25th, 2006, 01:30 PM
Hi,

Just some links about different classes of programs and HIPS:

http://wiki.castlecops.com/Different_classes_of_security_software

Focused on HIPS: http://kareldjag.over-blog.com/article-1693696.html

Amust and Runsafe can't be considered as HIPS!
They're only administrator tools.
A HIPS is generally integrated at a low level and intercepts API calls in order to control the system's activity (behaviour).
Most HIPS use policy and privilege restrictions (service/driver, physical memory etc.); and are mostly designed to protect the local host where they're installed.

It's true that an IDS is based on signatures, but the main difference is somewhere else: an IDS focuses its protection on a network perimeter, a HIPS on the local host (desktop for home users, server for a corporate environment).

The problem is that the administrator account is the default Windows account, and that the majority of users run under this account simply because it's the easiest way to use their PC for most of them.

HIPS based on sandboxing and virtualization are interesting, but this is not the panacea: for VMware for instance, fingerprint scanning methods exist to find out whether a system is under VMware or not, and then a buffer overflow exploit can be applied.
This is the same if an attacker has a remote command or physical access to the machine: there are documented and undocumented methods to verify if the system is under VMware or not (see image here: http://idata.over-blog.com/0/22/17/61/vmwarefing.jpg ).

The kind of HIPS is not the most important thing since the user runs under a limited account and has the right HIPS for him.

regards
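
The IDS-versus-HIPS distinction Ilya and kareldjag draw above (signatures on traffic versus policy on what a process does on the host) is easier to see in code. The following is an added example written for this thread, not code from DefenseWall, SSM or any product mentioned: the signature database, the two packets and the process events are all constructed, and the deny rules are a deliberately small stand-in for a real HIPS policy. The point it shows is that a payload with no signature passes the IDS check untouched, while the process it spawns is still stopped by what it tries to do.

```python
"""Signature-based IDS check vs. behaviour-based HIPS policy (added example).

Everything here is constructed for illustration: the signatures, the packets
and the process events are made up and do not come from any real product.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# --- "IDS" side: pattern matching on network payloads -----------------------
# Hypothetical signature database: name -> regex over the raw payload bytes.
SIGNATURES = {
    "exploit-known-overflow": re.compile(rb"\x90{32,}"),          # long NOP sled
    "trojan-beacon-v1":       re.compile(rb"GET /cmd\.php\?id=\d+"),
}

def ids_match(payload: bytes) -> list[str]:
    """Return the names of all signatures that fire on a payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

# --- "HIPS" side: policy over what a process *does* --------------------------
@dataclass(frozen=True)
class Event:
    process: str     # image name
    trusted: bool    # True if launched from the trusted zone, False if sandboxed
    action: str      # "reg_write", "file_write", "process_open", "driver_load"
    target: str      # object the action is aimed at

# Actions an untrusted (sandboxed) process may not perform, regardless of
# whether we have ever seen the binary before.  Targets are matched by regex;
# the list is a constructed, minimal policy, not any product's rule set.
UNTRUSTED_DENY = [
    ("reg_write",    re.compile(r"^HKLM\\.*\\Run", re.I)),                              # autostart
    ("reg_write",    re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services", re.I)),  # services/drivers
    ("file_write",   re.compile(r"^C:\\Windows\\System32\\", re.I)),                    # system binaries
    ("process_open", re.compile(r".*", re.I)),                                          # touching other processes
    ("driver_load",  re.compile(r".*", re.I)),                                          # kernel access
]

def hips_decide(ev: Event) -> str:
    """'allow' or 'deny'.  Trusted-zone processes are not restricted by this
    (deliberately simple) policy; untrusted ones are confined."""
    if ev.trusted:
        return "allow"
    for action, target_rx in UNTRUSTED_DENY:
        if ev.action == action and target_rx.match(ev.target):
            return "deny"
    return "allow"

def run_demo() -> dict:
    # Constructed traffic: one known payload, one never-seen-before payload.
    known = b"GET /cmd.php?id=42 HTTP/1.1\r\n"
    unknown = b"POST /update HTTP/1.1\r\n\r\n" + b"A" * 300   # no signature covers this
    # Constructed behaviour of the process the unknown payload eventually spawns.
    events = [
        Event("iexplore.exe", False, "file_write",   r"C:\Users\me\Downloads\x.exe"),
        Event("x.exe",        False, "reg_write",    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"),
        Event("x.exe",        False, "process_open", "winlogon.exe"),
        Event("notepad.exe",  True,  "reg_write",    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    ]
    return {
        "ids_known":   ids_match(known),
        "ids_unknown": ids_match(unknown),
        "hips":        [(e.process, e.action, hips_decide(e)) for e in events],
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it and the unknown payload matches nothing on the IDS side, while on the HIPS side the sandboxed x.exe is denied its autostart write and its attempt to open another process; the same registry write from a trusted-zone process is allowed, which mirrors the trusted/untrusted split the sandboxing HIPS in this thread are built around. The download to the user's own folder is allowed too: confinement, not prevention of every write, is the model.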

aigle
July 25th, 2006, 03:19 PM
-{ Quote: "

The kind of HIPS is not the most important since the user run under a limited account and has the right HIPS for him.

regards" }-

Do you mean to say that running as a limited user is safer than running as administrator with sandboxing of vulnerable applications?

BTW, your tests of DefenseWall were nice but I really missed the comparison; without any other similar application being tested at the same time, it is hard to guess how good DefenseWall is, especially compared to other similar applications. Please, if possible, can you do a comparative test of DefenseWall with other applications like Sandboxie or GesWall? It will be really interesting to see.

Ilya Rabinovich
July 25th, 2006, 04:11 PM
-{ Quote: "Amust and Runsafe can't be considered as HIPS!" }-

Agree 100% !

-{ Quote: "but the main difference is somewhere else: an IDS focus its protection on a network perimeter, an HIPS on the local host (desktop for home users, server for a corporate environment)." }-

Not quite! There are some local host - based end-user IDS systems. SocketShield, for instance...

-{ Quote: "
The problem is that the administrator account is the default Windows account, and that the majority of users run under this account simply because it's the easiest way to use their pc for most of them." }-

Well, it is possible for malware to operate even under a limited-rights user account. The fact is that Windows was designed in the '80s; there was no malware at that time, and there were no tools included in its core to protect users from this stuff. That is the main reason for HIPS products to be here.

-{ Quote: "
HIPS based sandboxing and virtualization are ineteresting, but this is not the panacea: " }-

A panacea does not exist, we all know about it! This is just a new protection method for the tools, increasing the protection level against unknown malware. It has advantages and disadvantages, as all the protection schemes in the real world do: nobody's perfect (we just discussed it in a parallel thread)!

BTW- add your new blog's address into your signature!

CogitoErgoSum
July 25th, 2006, 04:13 PM
Hello kareldjag,

Thanks for sharing your wisdom with us and setting the record straight.


Peace & Love,

CogitoErgoSum

Infinity
July 25th, 2006, 04:17 PM
It doesn't matter that much if someone knows whether I have a VMware station aboard... and a fingerprint scanner... hmm, the first one entering my living room with something like a VMware fingerprinting tool, I bet I'll buy him a nice Belgian beer lol :)

CogitoErgoSum
July 25th, 2006, 04:21 PM
Hello Ilya,

Thanks for sharing your experience with sandboxes, virtualization, non-admin./limited user accounts and HIPS. As usual, they are very much appreciated.


Peace & Love,

CogitoErgoSum

Rasheed187
July 25th, 2006, 04:29 PM
I didn't understand the part about the VMware "fingerprint scanner", can you give a bit more info about this? I mean, are you saying that malware is able to fool the virtual machine (avoiding detection), or can they break out of the virtual machine? :blink:

Ilya Rabinovich
July 26th, 2006, 01:02 AM
-{ Quote: "I didnīt understand the part about the VMware "fingerprint scanner", can you give a bit more info about this? I mean are you saying that malware is able to fool the virtual machine (avoiding detection), or can they break out of the virtual machine? :blink:" }-

No. It means that malware is able to determine if it is running under VM and to stop working or use some specialized techniques to break out from it.
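
Ilya's answer above (malware checks whether it is inside a VM and then goes quiet or tries to escape) and the "fingerprinting" kareldjag mentions rest on a handful of cheap, unprivileged checks. Below is an added example, not code from any tool in the thread: it reads the CPUID hypervisor-present flag as Linux exposes it in /proc/cpuinfo, the SMBIOS/DMI vendor strings under /sys/class/dmi/id, and the NIC MAC prefixes against VMware's real OUIs, then scores them. The sample evidence in run_demo() is constructed. The classic VMware backdoor I/O port probe, which needs inline assembly and an exception handler, and the Windows-side checks (WMI, the VMware Tools service) are left out; collect_linux() returns empty fields on systems that lack these files.

```python
"""Heuristic VM fingerprinting of the kind the thread discusses (added example).

Collects cheap artefacts that distinguish a VMware (or other) guest from bare
metal and scores them.  The sample evidence in run_demo() is constructed;
collect_linux() reads the live system when run on Linux.
"""
from __future__ import annotations
import glob

# VMware-assigned MAC prefixes (IEEE OUIs).  Other vendors' would be added similarly.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
# Substrings seen in DMI vendor/product strings of common hypervisors.
VM_VENDOR_WORDS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
                   "bochs", "virtual machine")

def _read(path: str) -> str:
    """Read a small text file, returning '' if it is absent or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read().strip()
    except OSError:
        return ""

def collect_linux() -> dict:
    """Gather evidence from a live Linux host (empty fields elsewhere)."""
    flags: set[str] = set()
    for line in _read("/proc/cpuinfo").splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            break
    dmi = {key: _read(f"/sys/class/dmi/id/{key}").lower()
           for key in ("sys_vendor", "product_name", "bios_vendor")}
    macs = [_read(p).lower() for p in glob.glob("/sys/class/net/*/address")]
    return {"cpu_flags": flags, "dmi": dmi, "macs": [m for m in macs if m]}

def assess(evidence: dict) -> tuple[int, list[str]]:
    """Score the evidence; each reason is one independent artefact.

    A score of 2 or more is treated as 'running in a VM'.  Any single artefact
    can be spoofed by whoever controls the hypervisor (VMware lets you change
    the MAC and hide the CPUID bit), which is why several are combined."""
    score, reasons = 0, []
    # CPUID.1:ECX bit 31 is reserved for 'hypervisor present'; Linux exposes it
    # as the 'hypervisor' flag in /proc/cpuinfo.
    if "hypervisor" in evidence.get("cpu_flags", ()):
        score += 1
        reasons.append("cpuid hypervisor-present bit set")
    for key, value in evidence.get("dmi", {}).items():
        if any(word in value for word in VM_VENDOR_WORDS):
            score += 1
            reasons.append(f"dmi {key} = {value!r}")
    for mac in evidence.get("macs", []):
        if mac[:8] in VMWARE_OUIS:
            score += 1
            reasons.append(f"vmware mac prefix on {mac}")
    return score, reasons

def is_vm(evidence: dict) -> bool:
    return assess(evidence)[0] >= 2

def run_demo() -> dict:
    # Constructed evidence, not captured from a real machine.
    guest = {"cpu_flags": {"fpu", "sse2", "hypervisor"},
             "dmi": {"sys_vendor": "vmware, inc.",
                     "product_name": "vmware virtual platform",
                     "bios_vendor": "phoenix technologies ltd"},
             "macs": ["00:0c:29:3a:9f:1e"]}
    metal = {"cpu_flags": {"fpu", "sse2", "vmx"},
             "dmi": {"sys_vendor": "dell inc.",
                     "product_name": "optiplex 745",
                     "bios_vendor": "dell inc."},
             "macs": ["00:1d:09:aa:bb:cc"]}
    return {"guest": assess(guest), "metal": assess(metal)}

if __name__ == "__main__":
    for name, (score, why) in run_demo().items():
        print(f"{name}: score={score} vm={score >= 2} {why}")
    print("this host looks like a VM:", is_vm(collect_linux()))
```

The constructed guest scores on four independent artefacts and the bare-metal host on none. Malware of the sort Devil's Advocate describes later in the thread runs exactly this kind of check and simply exits when the score is high, which is why an analyst's VM should be configured to fail as many of these probes as possible.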

angus49
July 27th, 2006, 02:40 PM
Has anyone compared Virtual Sandbox by Fortresgrand and BufferZone?
The concept is great, but I'm reading an awful lot of install, uninstall, and compatibility issues in BZ forums and I haven't seen a forum for Virtual Sandbox.

crazy4stef
July 27th, 2006, 11:56 PM
I'm using System Safety Monitor and Safe System 2006,
or Ghost Security Suite and Parador.

These two suites are both good!

aigle
July 28th, 2006, 11:49 AM
-{ Quote: "Has anyone compared Virtual Sandbox by Fortresgrand and BufferZone?
The concept is great but I'm reading an awful lot of install, uninstall, and compatability issue in BZ forums but I haven't seen a forum for Virtual Sandbox." }-
Never used VS. Used BZ for a very short period so can't comment. There are some threads in the forums about both, especially BZ. You can try to search them.

nicM
July 28th, 2006, 11:57 AM
-{ Quote: "Never used VS. Used BZ for a very short period so can,t comment. " }-

aigle, sorry for being off topic, but were you running Rollback when you installed BZ??

nicM

Rasheed187
July 30th, 2006, 09:55 AM
I also think that AMUST 1-Defender and RunSafe can't be considered to be sandbox HIPS; the only thing they do is make processes run in non-admin mode, so it's not really sandboxing. RunSafe does however also cover process spawning, so it's more advanced than 1-Defender.

aigle
July 31st, 2006, 12:46 AM
-{ Quote: "aigle, sorry for being off topic, but where you running Rollback when you installed BZ??

nicM" }-

I am not sure now but I think probably not. I had not bought RollbackRx at that time.
Does BZ play with the MBR?

nicM
July 31st, 2006, 02:25 AM
-{ Quote: "I am not sure now but I think probably not. I had not bought RollbackRx at that time.
Does BZ plays with MBR?" }-

No, I don't think so, about the MBR. The reason I asked you about that is, since I'm running Rollback, there is no way to install BZ anymore for me :dry: . Each time I've tried, the computer gets unbootable, in normal or even safe mode.

The problem is that it seems nobody else could reproduce this bug, at least to my knowledge. That's why I asked you, just to know if you were one more successful Rollback/BZ user, or not: this issue is really weird.

nicM

aigle
July 31st, 2006, 02:37 AM
-{ Quote: "No, I don't think, about MBR. The reason I asked you about that is, since I'm running Rollback, there is no way to install BZ anymore for me :dry: . Each times I've tried, the computer gets unbootable, in normal or even safe mode.

The problem is it seems that nobody else could reproduce this bug, at least in my knowledge. That's why I asked you, just to know if you were one more successful Rollback/BZ user, or not : This issue is really weird.

nicM" }-

RollbackRx itself has proved to be one of the most buggy applications for me. However, I can try BZ with RollbackRx for you, on my system, if you give me a download link.

nicM
July 31st, 2006, 02:58 AM
-{ Quote: "RollbackRx itself have proved to be the one of the most buggy application for me. However I can try BZ with RollbackRx for u, on my system, if u give me a download link." }-

Thank you ;) . You can try with any of the freeware versions; it is similar to the home version, except for a few details which shouldn't interfere here (BZ's firewall, for example).

If ever you get the same problem as me, that's not a big problem with Rollback; all you have to do is reload another snapshot with the sub-system console in Rollback. At least that worked for me :) .

nicM

kareldjag
July 31st, 2006, 02:45 PM
Hi,

Virtualization and sandboxing software has many advantages: easy to manage (limited user interaction) and to configure, and most of all, it makes incident recovery simpler and more reliable.

With HIPS based on sandboxing and virtualization, security is not only intended for an elite of knowledgeable and skilled users (the case for most HIPS), but for the majority of them: teens, seniors, beginners, knowledgeable or not...
From a consumer point of view, it's much more equal.

VMware is safe and sure, and I just mean that security provided by software is never absolute, with or without virtualization technologies.
Infinity, it's important for an attacker to know if the target host is a native system or under VMware: this information will determine the kind of attack: under VMware, it's not interesting to install any malware, but to make an "on the fly attack" as long as the workstation is running (example: data exfiltration via a tunneling backdoor).
If exploits have already affected VMware, they're not always necessary
( http://secunia.com/search/?search=vmware ).
If the information gathering phase has shown that a VNC server is running, then a brute force attack will certainly be enough to launch a remote command in order to know if it is a native system or not.

Currently, some research about "virtual rootkits" (SubVirt/BluePill) shows (but does not demonstrate, since the POCs are not public) that virtualization subversions are possible.
Loïc Duflot has also done some research about attacks via hardware (the processor for instance) which can make some privilege escalations easier (the end of part 2 is related to virtualization): http://www.securityfocus.com/columnists/402

But Infinity can keep his excellent beer in the fridge: a script kiddie will not wake up one morning and say: I have a dream... today I will break a VMware workstation.
There is a big difference between what is technically possible (exploits, remote access) and what statistically happens...

Rasheed, there is no fingerprinting malware, but only fingerprinting tools managed by the hand and brain of an attacker or pen-tester!

The next PDF paper is a summary of pen-testing methods (non-technical, and easy to understand):
w.cert-in.org.in/training/23dec05/PT%20Methodologies.pdf

SocketShield can't be considered as an IDS: IDS products rely mostly on network attack misuse/signature detection and need packet libraries.
Excellent AVs like KAV, BitDefender or NOD32 also have detection of exploits and are not considered as IDS.
A similar and well known example of this kind of product is Blink:
http://www.eeye.com/html/products/blink/index.html

But I'm sure that DefenseWall is a HIPS and that DefenseWall or any other HIPS (PG/OA/SSM/Viguard/SnS etc.) are much more needed than SocketShield, which is just a "plus" in a line of defense.

For information, virtualization or similar techniques are also used as network attack prevention:

a summary about virtualization and security:
http://www.virtualization.info/2006/07/security-by-virtualization.html

Virtualization and honeypot: http://www.honeynet.org/papers/virtual/

Intrusion prevention of network/zero day attacks:

http://www.reflexsecurity.com/

http://www.bufferxone.com/

Hope this helps,

regards

Rasheed187
July 31st, 2006, 03:56 PM
About malware breaking out of virtual machines, are hackers already able to do this? I mean, there are currently not any known serious holes in VMware, if I'm correct? ???

Devil's Advocate
August 2nd, 2006, 01:19 PM
Known holes?

Superhackers will use unknown (to you anyway) holes.

Seriously, a more realistic consideration is malware that detects it is running in VMware (there are many trivial ways to do it), and doesn't do anything evil...

When you think it is safe and try it on your production machine....

I 'heard' attackers try to 'fingerprint' your operating system to learn more about the system, the software it runs etc so they can break it by looking for vulnerabilities.

herbalist
August 3rd, 2006, 10:53 PM
-{ Quote: "About malware breaking out of virtual machines, are hackers already able to do this?" }-
Given enough time and access, a really talented hacker can crack into most anything. That said, most of the time a user isn't defending against a hacker. The user normally has to deal with trojans, viruses, and other "packaged malware" with a limited range of function. While a good hacker could defeat a virtual setup, malicious code as we know it now probably can not, at least not yet.
-{ Quote: "I 'heard' attackers try to 'fingerprint' your operating system to learn more about the system, the software it runs etc so they can break it by looking for vulnerabilities." }-
This is often true. All software has some vulnerability. There is no uncrackable software. By identifying what software you use, a good hacker will then try to exploit the known weaknesses in those apps. For example, some firewalls can be remotely disabled or killed outright if not properly configured. If a hacker can gain an entry point, either from a weakness in the firewall itself or, more likely, poorly written firewall rules, he may try to shut it down and make his task easier. Some firewalls ask you for the administrative password when you try to shut them down. If the user didn't set a password or used a weak one, this could be exploited relatively easily.

Besides using a good password, another thing the user can do is to use layered security. Layered security is more than a collection of security apps trying to cover "all the bases". They also have to protect each other. In this instance, a HIPS like SSM can be used to protect the firewall in several ways. First, it will prevent much of the malicious code from running in the first place. Beyond that, SSM has an option to "keep a process in memory". This restarts the process if something manages to terminate it. That option is ideal for supporting the firewall and AV.

Right now, virtualization is enjoying an advantage over malware, but the more it's used, the more it will be targeted and eventually defeated. HIPS applications will be attacked as well. Each is just another step in an unending battle.

Has anyone tried running virtualization software on a HIPS protected PC? Using a combination of both methods might be the way to go. Even if something can break out of the sandbox, it would still have to deal with a protected system, which would likely be beyond the ability of packaged malicious code for some time, requiring a talented "human touch" to successfully attack it.
Rick
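
herbalist's "keep a process in memory" option is a watchdog: something notices that the firewall or AV process has died and relaunches it. The following added example is not SSM's code; it is a minimal user-mode supervisor in Python, with a sleeping Python process standing in for the protected service (the SLEEPER command line is constructed). The caveat it makes visible is the one the post is really about: a user-mode watchdog is just another process that an attacker with the same rights can kill first, which is why a HIPS does this from a driver and why the layers have to protect each other.

```python
"""A 'keep process in memory' watchdog of the kind herbalist describes (added example).

Not SSM's code: a minimal supervisor that relaunches a child when something
terminates it.  The child is a constructed stand-in (a sleeping Python
process); in practice the command would be the firewall or AV service.
"""
from __future__ import annotations
import subprocess
import sys
import time

class Watchdog:
    def __init__(self, cmd: list[str], max_restarts: int = 5):
        self.cmd = list(cmd)
        self.max_restarts = max_restarts   # cap so a broken binary cannot spin forever
        self.restarts = 0
        self.proc: subprocess.Popen | None = None

    def start(self) -> int:
        """Launch the protected process and return its pid."""
        self.proc = subprocess.Popen(self.cmd)
        return self.proc.pid

    def alive(self) -> bool:
        return self.proc is not None and self.proc.poll() is None

    def check(self) -> str:
        """One supervision tick: 'ok', 'restarted', or 'gave_up'."""
        if self.alive():
            return "ok"
        if self.restarts >= self.max_restarts:
            return "gave_up"
        self.restarts += 1
        self.start()
        return "restarted"

    def supervise(self, interval: float = 1.0, ticks: int | None = None) -> str:
        """Poll every `interval` seconds; returns 'gave_up' or 'ok' after `ticks`."""
        n = 0
        while ticks is None or n < ticks:
            if self.check() == "gave_up":
                return "gave_up"
            time.sleep(interval)
            n += 1
        return "ok"

    def stop(self) -> None:
        if self.alive():
            self.proc.kill()
            self.proc.wait()

# Constructed stand-in for the service being protected.
SLEEPER = [sys.executable, "-c", "import time; time.sleep(60)"]

def simulate_kill_and_recover() -> dict:
    """Start a child, hard-kill it as malware would, and let the watchdog recover it."""
    wd = Watchdog(SLEEPER, max_restarts=3)
    first_pid = wd.start()
    before = wd.check()                 # 'ok': nothing to do while it runs
    wd.proc.kill()                      # the 'attack': terminate the protected process
    wd.proc.wait()
    outcome = wd.check()                # watchdog notices and relaunches
    second_pid = wd.proc.pid
    alive_after = wd.alive()
    wd.stop()
    return {"before": before, "outcome": outcome, "new_pid": second_pid != first_pid,
            "alive_after": alive_after, "restarts": wd.restarts}

if __name__ == "__main__":
    print(simulate_kill_and_recover())
```

In the demo the kill is detected on the next tick and the service comes back under a new pid; a real deployment would run supervise() in a loop and alert when it reports gave_up, since repeated deaths mean either a crashing binary or an attacker who keeps winning the race. The watchdog itself is still killable from the same privilege level, so it only adds protection when it runs where the attacker's code cannot reach, as a kernel component or at least under an account the sandboxed process cannot touch.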

Rasheed187
August 6th, 2006, 02:43 PM
-{ Quote: "Known holes?

Superhackers will use unknown (to you anyway) holes.

Seriously, a more realistic consideration is malware that detects it is running in vmware (there are many trival ways to do it), and doesn't do anything evil..." }-

Perhaps VMWare can be improved to make this stuff harder? Also, hopefully the hardware CPU support (Vanderpool, Pacifica) will make it almost impossible to break out of the VM. ;)

stewieg
August 8th, 2006, 11:32 AM
-{ Quote: "Never used VS. Used BZ for a very short period so can,t comment. There are soem threads in the forums about both esp BZ. U can try to search them." }-

Here is a thread for VS.

http://www.wilderssecurity.com/showthread.php?p=756621

I haven't used BZ, but VS has worked pretty well for me for a few months now. They just put up a free version of version 1 on download.com now, so that's what I've been using.

aigle
August 8th, 2006, 06:03 PM
What is the difference between free and paid version?
Any slow downs or conflicts?

Infinity
August 8th, 2006, 07:03 PM
;D -{ Quote: "Hi,
.... .... ....

Hope this helps,

regards" }-

Hi Kareldjag, I sincerely wanted to thank you for all the info you bring; as I am always willing to learn, your posts are truly amazing!

Thanx!

WSFuser
August 8th, 2006, 07:27 PM
-{ Quote: "What is the difference between free and paid version?
Any slow downs or conflicts?" }-
I cannot find any free versions of BZ at download.com, just a 60-day trial, but the BZ homepage does have their BZ - Single Application Edition (http://www.trustware.com/freeware.php) for free.

aigle
August 8th, 2006, 07:47 PM
He was talking of VS.

WSFuser
August 8th, 2006, 08:11 PM
My bad. I need to slow down when reading. I did find this though:

-{ Quote: "What is the difference between the Virtual Sandbox free version and the for sale version?

The free version is actually version 1.0 of the for sale version. We give it away for free because we think it creates value for people and would otherwise just sit idle. The for sale version has a more modern interface, auto-configures some convenience features, allows consistent functioning of browser favorites inside and outside of a sandbox, provides more information regarding secure digital signatures, and can be centrally managed on a network through our Central Control Version 6.
" }-

aigle
August 8th, 2006, 08:20 PM
thanks.