Sandboxie vs Geswall vs Bufferzone
Drew99GT
July 25th, 2007, 01:26 PM
I haven't used virtualization software and am interested in trying it.
Tell me about these 3 programs; which is the best in your opinion/offers the most security? How hard are they to use?
I did see in Gizmos test that Geswall totally failed.
zopzop
July 25th, 2007, 02:10 PM
well from experience (i've tried all three) geswall gives you the best bang for the buck : program termination protection, keyloggers, and various nasty disk killing virii and malware. i haven't yet tried sandboxie 3.0 (last version i tried was 2.4 or something) or bufferzone 2.5 beta (the last version i tried was 2.1xx and didn't like it) so i don't know what's changed since i last tried them. geswall is also relatively bug free, the only major bug that comes to mind was the "explorer isolation" bug (but i personally never experienced it) and i think that's been addressed.
Bob D
July 25th, 2007, 02:14 PM
I cannot comment on Geswall due to my inexperience with it.
However, I have become quite enamored with SandboxIE.
Efficacy (if using Gizmo's findings as a benchmark) is among the best.
I find it easy to use/intuitive.
System impact is minimal.
Tzuk (the developer) is very active in its continued evolution.
I was sufficiently enamored that I sent him my $.
zopzop
July 25th, 2007, 02:34 PM
hello bob d, are you using version 3 of sandboxie? if so can you do me a favor?
can you (or any other user of sandboxie 3.0 reading this thread) run these 3 tests? they are non-destructive (i.e. they are not virii or malware) and should only take a few seconds to run them.
1) the advanced process termination test by DCS :
http://www.diamondcs.com.au/freeutilities/apt.php
run this program sandboxed and select a non-sandboxed program (like calculator or notepad) and see if any of the tests can terminate the non-sandboxed program.
2) martin's undetectable keylogger test (this is NOT malware) :
http://www.winsite.com/bin/Info?26000000037599
run this program sandboxed and open up a non-sandboxed notepad and type some gibberish in it. see if any keys are logged.
3) http://www.firewallleaktester.com/aklt.htm
again run this program sandboxed and then open up a non-sandboxed version of notepad and type gibberish there again. see if any keys are logged.
Blackcat
July 25th, 2007, 02:47 PM
-{ Quote: "I haven't used virtualization software and am interested in trying it." }-
Don't forget DefenseWall ;)
Drew99GT
July 25th, 2007, 02:48 PM
I'm looking at freeware only. I know Defensewall is about the best security program you can get!
Bob D
July 25th, 2007, 03:16 PM
-{ Quote: "hello bob d, are you using version 3 of sandboxie? if so can you do me a favor?.." }-
Hi zopzop
Ver. 3
Will run tests shortly when I get some play time.
Bob D
July 25th, 2007, 03:51 PM
-{ Quote: "...run these 3 tests?...." }-
Notes:
My AV (VBA32) flagged apt, keylog files. So I had to disable monitor.
Of course my HIPS (PS) alerted to everything (had to select "allow" for all).
1)apt: I could not kill running instance of notepad.
2)keylogger test: Keystrokes were logged.
(log.txt file was saved automatically within the sandbox).
3)aklt: No keystrokes logged.
Screenshot does take a screenie of desktop.
(Paint program with screen shot is of course running sandboxed).
trjam
July 25th, 2007, 04:05 PM
so does this mean it passed or failed. Sorry, ignorant joe here. :)
Drew99GT
July 25th, 2007, 04:17 PM
What about Gizmos findings in his test where Geswall totally failed? What do you guys have to say about that?
Bob D
July 25th, 2007, 04:42 PM
-{ Quote: "so does this mean it passed or failed...." }-
That depends what you are looking for. We'll have to wait for zopzop's comments.
Bear in mind that by design SandboxIE keeps just about anything from getting on your system.
I love the idea of surfing the dark side (if one is so inclined) with virtual impunity.
It does not do as well preventing stuff from leaving your system.
Hence the rationale for outgoing protection, be it a FW w/ good outbound protection or a substantial HIPs proggie.
zopzop
July 25th, 2007, 05:04 PM
-{ Quote: "What about Gizmos findings in his test where Geswall totally failed? What do you guys have to say about that?" }-
all i can say is he needs to redo those tests. geswall has passed everything i (and some others) have thrown at it. and when holes were found they were quickly addressed by gentlesecurity. so the less said about gizmo and his tests the better.
-{ Quote: "1)apt: I could not kill running instance of notepad." }-
excellent result! thank you.
-{ Quote: "2)keylogger test: Keystrokes were logged.
(log.txt file was saved automatically within the sandbox)." }-
not good. just to double check you ran the keylogger sandboxed and notepad (or whatever test program you used) unsandboxed right? that means that martin's keylogger sandboxed was logging keystrokes in programs running outside the sandbox :(
-{ Quote: "3)aklt: No keystrokes logged.
Screenshot does take a screenie of desktop.
(Paint program with screen shot is of course running sandboxed)." }-
excellent, this is a pass. as long as it passed all 3 keylogging tests in the aklt it's a pass.
thank you very much bob d. can i trouble you with one more round of tests? again they are nondestructive and are not malware. :D
Drew99GT
July 25th, 2007, 05:13 PM
zopzop, have you tried Geswall on some of the uber nasty drive by exploit sites at all?
Bob D
July 25th, 2007, 05:55 PM
-{ Quote: "excellent result! thank you." }-
You're quite welcome
re: keylogger: -{ Quote: "not good. just to double check you ran the keylogger sandboxed and notepad (or whatever test program you used) unsandboxed right? that means that martin's keylogger sandboxed was logging keystrokes in programs running outside the sandbox :(" }-
Correct, Notepad was not sandboxed. But log.txt file was saved within the sandbox.
I'm not really surprised here.
Keyloggers are quite benign unless they are allowed to send that info out. (Not to be redundant here, but..) Hence the rationale for outgoing protection...
Also, if you terminate the sandboxed program (before your logged key strokes are sent out), the log.txt file goes away.
-{ Quote: "can i trouble you with one more round of tests? " }-
And that would be...?
zopzop
July 25th, 2007, 06:21 PM
-{ Quote: "zopzop, have you tried Geswall on some of the ubber nasty drive by exploit sites at all?" }-
yes. back when i actually had a test machine to mess around with, i'd visit some really bad sites (what was on those sites i really can't mention here cause i'd be banned :D ).
-{ Quote: "And that would be...?" }-
the HIPS leak tests by the makers of SSM found here :
http://www.syssafety.com/leaktests.html
i forgot how to run these sandboxed. they are not regular windows programs where you just click or double click them to get them to run. you need to go to the command line to run them.
the simple process termination is a series of 16 tests that attempt to shut down a process. i found some programs that passed the DCS advanced process termination tests failed against one or two of these.
ditto with the simple keylogger test.
same testing method, run the HIPS leaktests sandboxed and make sure the targets of their fury are outside the sandbox :D
ooops before i forget. there is one more test by ghostsecurity, it attempts to modify the registry and checks to see if your HIPS or sandbox can prevent it. it consists of 2 tests. the second test forces a reboot upon completion. when i tested sandboxie 2.4 against it, it did indeed pass both tests. what i found annoying was that a sandboxed process could actually force a restart. i just wanted to see if the test can still force a restart if sandboxed in sandboxie 3.0. it's found here :
http://www.ghostsecurity.com/registrytest/
that's it. i won't pester you anymore :D
Bob D
July 25th, 2007, 07:26 PM
-{ Quote: "...i forgot how to run these sandboxed. they are not regular windows programs where you just click or double click them to get them to run..." }-
keylogger.exe gets flagged by PS.
Dbl click does nothing.
spt.exe does nothing.
Will have to play with these to figure out how to execute them.
Running (dbl click) of .exe yields nothing.
Ghost Security's tests: (All flagged by PS)
Regtest 1 fails (I think).
Registry modification was allowed. I don't know if modification was constrained to sandbox.
Will have to investigate.
Test 2:
Access was denied. No reboot was invoked.
However, it did make a mess. K-Meleon crashed, desktop got screwed up.
Reboot and all OK.
-{ Quote: "that's it. i won't pester you anymore" }-
Yea, right :)
Cheers
glentrino2duo
July 25th, 2007, 08:25 PM
-{ Quote: "geswall has passed everything i (and some others) have thrown at it. and when holes were found they were quickly addressed by gentlesecurity." }-
is this the case on both pro and free version of geswall?
zopzop
July 25th, 2007, 08:33 PM
-{ Quote: "is this the case on both pro and free version of geswall?" }-
yup. the only differences between pro and free are the pro version gives you :
1) application wizard - so you can automatically create rules for applications you want to run isolated and have them function correctly
2) custom rules for apps - if you know what you are doing you can make your own rules for applications/resources/etc...
3) much larger safe application list - HUGE list of preconfigured apps
all in all, i still like the free version (even though i have the paid version), since you can still right click an application's icon and run it isolated.
Franklin
July 25th, 2007, 08:47 PM
Does Geswall help with the test below?
Lockup Test (http://forum.maxthon.com/uploads/lockuptest.htm)
FF with Noscript stops it.
zopzop
July 25th, 2007, 11:24 PM
-{ Quote: "keylogger.exe gets flagged by PS." }-
PS?
-{ Quote: "Dbl click does nothing.
spt.exe does nothing.
Will have to play with these to figure out how to execute them.
Running (dbl click) of .exe yields nothing." }-
you have to click on the start menu, select "run", then type "cmd". then type cd\xxxx where xxx is the directory where you downloaded and saved the HIPS leaktests. once you are in the directory type the name of the file and hit enter. text will scroll by telling you what the options are for the test and how to proceed. it helps if you download and save the file to someplace easy to remember like c:\temp (if you have a temp directory that is). the HIPS leaktests from the makers of system safety monitor are kind of difficult at first to get the hang of.
-{ Quote: "Ghost Security's tests: (All flagged by PS)
Regtest 1 fails (I think).
Registry modification was allowed. I don't know if modification was constrained to sandbox.
Will have to investigate." }-
sandboxie easily passes this test. the registry changes that were allowed are all done virtually. as long as the test was run sandboxed, they aren't real :) again what is PS? prosecurity?
-{ Quote: "Test 2:
Access was denied. No reboot was invoked.
However, it did make a mess. K-Meleon crashed, desktop got screwed up.
Reboot and all OK." }-
system still crashed? hmm this is what irked me last time too. i know that sandboxie passes both tests when it comes to altering the registry (which is the key function of the ghostsecurity tests), i just want to see if sandboxie ver3 stopped the reboot/crash.
-{ Quote: "Yea, right :)" }-
i'm done i swear ;-) and thanks again for running these tests for us :)
wir.sing
July 26th, 2007, 04:24 AM
If you want to try something really nasty, try this:
http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp
It's a threat simulator that pulls off the whole spectrum of infections. From rootkit, to adware, spyware and so on. It's not destructive. It's just to show how easily you can get your system completely f*cked. There's a cleaner supplied to get rid of it.
The interesting part of that thing is mainly to see how good the sandbox works. Because if you start that thing inside the sandbox, everything that gets installed through it should stay inside the sandbox. So all the adware windows should be sandboxed and so on. So technically if you "clean/reset" your sandbox that thing should be gone.
Tried it back in the day with Greenborder and Bufferzone. Greenborder "passed" as in everything stayed within the Sandbox. Resetting Greenborder and that thing was gone. Bufferzone (Version: 1.something) wasn't able to run the test, since it doesn't have "deep" enough virtualisation, aka it doesn't virtualise the ability to install kernel drivers.
farmerlee
July 26th, 2007, 05:58 AM
A little o/t but i find the best free virtualization software is virtual pc.
Franklin
July 26th, 2007, 06:30 AM
-{ Quote: "A little o/t but i find the best free virtualization software is virtual pc." }-
Ditto and running on a 22 inch lcd screen!;)
Bob D
July 26th, 2007, 09:12 AM
-{ Quote: "...what is PS? prosecurity?" }-
Correct
Drew99GT
July 26th, 2007, 11:54 AM
Do I read Geswall's website correctly in that it controls outbound internet access?
zopzop
July 26th, 2007, 11:56 AM
-{ Quote: "If you want to try something really nasty, try this: http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp" }-
yeah we tried this months ago with defensewall, sandboxie, and geswall. all 3 passed with flying colors :)
aigle
July 26th, 2007, 07:12 PM
For sandboxes: Sandboxie, GesWall and DefenseWall, try and see which one you like.
Other virtualizations: ShadowUser and ShadowSurfer, PowerShadow, Returnil etc.
Virtual OS: VirtualBox, VMware, Virtual PC.
A lot of fun stuff!
Drew99GT
July 27th, 2007, 05:40 PM
So does Geswall have outbound protection?
Sorry for the barrage of questions; I need to make a new updated disk image and just try the sucker!
MaB69
July 28th, 2007, 04:24 AM
-{ Quote: "So does Geswall have outbound protection?
Sorry for the barrage of questions; I need to make a new updated disk image and just try the sucker!" }-
Hi all,
Absolutely not, GeSWall is a firewall between untrusted apps and resources of your system
MaB
Drew99GT
August 21st, 2007, 01:44 PM
I read some threads on the Sandboxie forum stating that even if you get malware on your machine inside the sandbox, it can still do damage like log keystrokes etc. UNTIL you delete the sandbox. Will Geswall protect against this issue???
aigle
August 21st, 2007, 01:56 PM
GW stops keyloggers mostly.
glentrino2duo
August 21st, 2007, 09:49 PM
-{ Quote: "Hi all,
Absolutely not, GeSWall is a firewall between untrusted apps and resources of your system
MaB" }-
Sandboxie works as a Firewall? (http://www.wilderssecurity.com/showthread.php?t=182836)
HURST
October 25th, 2007, 10:12 PM
Sorry to bring back to life an old thread, but I'm trying GesWall right now and have some questions.
With Sandboxie you can empty the sandbox. In GesWall I don't see such an option. How do I do that?
Thanks
innerpeace
October 25th, 2007, 10:57 PM
-{ Quote: "Sorry to bring back to life an old thread, but I'm trying GesWall right now and have some questions.
With Sandboxie you can empty the sandbox. In GesWall I don't see such an option. How do I do that?
Thanks" }-
I may be wrong about this, but they are different in how they work. Sandboxie has some virtualization and GesWall is a policy based sandbox. GesWall goes by a set of rules that says what your browser can and cannot do.
Here's a little more information on sandboxing apps.
http://wiki.castlecops.com/Different_classes_of_security_software#Sandboxing:-
aigle
October 26th, 2007, 02:12 AM
Hi, SBIE virtualizes both registry and files.
GW virtualizes registry and the virtual reg is auto-deleted once you close an isolated application in GW. You don't need to take any action.
GW doesn't virtualize files, files are created as normally but they are marked with a small G icon and are under strict control by GW (marked as isolated) - GW's policy control. They are allowed to run but are not allowed to damage the system in any way. Also GW restricts creation of files in critical system areas. It gives you a good balance of security and usability most of the time.
If you get a malware with GW, sure it will be on your HD but isolated (under strict control) by GW and will not be able to damage your system. It can be picked up by your AV/AS etc. anytime and deleted. It can be deleted when you empty your browser cache (if it's in the cache). For manual deletion you can do a manual scan in GW console and delete files manually. But don't delete the files of your browsers that are needed by your browser as they are also marked isolated by GW.
HURST
October 26th, 2007, 08:19 AM
Hi aigle
Thanks for the explanation. Sandboxing/Virtualization is a new approach for me and I'm learning a lot (or trying to learn)...
Those screenshots are from the paid version or not? Because I checked the console and there is no "untrusted" label....
Thanks
aigle
October 26th, 2007, 08:27 AM
I have the Pro version. Not sure about the free one.
A good sandbox is the best defence for zero day threats. Install and forget. No popups, no hassle. Very very strong against malware.
I have thrown a lot of malware against GW and have never seen anyone breaking through it.
LoneWolf
October 28th, 2007, 06:19 AM
-{ Quote: "Because I checked the console and there is no "untrusted" label...." }-
I believe that is only available in 2.7 beta version.
aigle
October 28th, 2007, 11:59 AM
Oh yes! I forgot it completely.
Copyright ©2002 - 2013, Wilders Security Forums