Recently I got a free license for BufferZone Pro. I have used its free version for sometime( this was the time when free version was as capable as pro but as I know current free version is limited as compared to pro). I always like BZ and the only complain from it is a bit slow down on launch of bufferzoned applications but that is tolerable.
It has a nice GUI( probably the best GUI of all SandBoxes). Like DefenceWall it has zero pop ups, so might be good for user who don,t like pop ups. It has four processes running in ProcessExplorer but total memory taken by them is acceptable( all in all about 20 Mb). There is an option for confidential files too that will be hidden from untrusted( BufferZoned) processes. Also u can mark any process as ForBidden that will deny all access to it and will deny its execution as well.

I tried it against few malware and my findings are as follows:

Advanced Process Terminator from DCS: I tried to kill IE ( that was running outside of BZ) via APT running inside bufferzone.
APT failed to kill IE, all tests passed by BZ.
BTW Bufferzone service is itself immune to termination by any process/ malware etc. APT even running outside of bufferzone was unable to kill BZ service. Very hardened self defense indeed. I have rarely seen such type of self defense.

Advanced process manipulation by DCS: tried to kill IE that failed. BZ passed.

Simple Process Terminator from SysSafety: All tests passed

A special termination method- discussed in this thread:

http://www.wilderssecurity.com/showthread.php?t=172653&highlight=termination

VideoLinkParser while running inside BufferZone failed to kill RegMon. BZ passed.

An interesting kill method: Spy.exe running inside bufferzone was able to kill IE running outside of BZ. BufferZone FAILED.

http://www.kobik.net/spy_capture.asp

SysSafety KeyLogger test: All four tests passed

Martin,s Undetectable Keylogger: Pass. An interesting thing is that unlike most other sandboxes and HIPS , BZ stops MUK totally as it does not allow even the logging of Alt, Shift, Ctrl etc keys. Very well PASS.

AKLT by FireWall tester: BZ passed first two key logging methods but failed the last one.

KeyHook by DCS: BZ Passed.

Home Key Logger and Family Key Logger( use global hooking): I installed them outside of BZ and then launched main executable inside BZ, they were able to set global hook( that was located outside of BZ) and logged keystrokes successfully. If I shifted the dll inside BZ and the executed main the executable inside BZ, BZ passed as no keys were logged. I am not sure it should be regarded as pass or fail. To me it appears as FAIL. I will see what they reply to it on their forums.

Zilla( Browsezilla) trojan/ worm: PASS, it was able to copy its executable in C:\ but all executables were inside BZ and if eexecuted they will crash. PASS

GlobalHook( keylogger behavior) : I used Y,z shadow that uses a global hook( legitimate hook but similar hook can be used by malware). It failed to set global hook. PASS

I am not sure but BZ,s behavior regarding global hooks seems inconistant. It blocks the global hook by YzShadow.exe but allows global hooks by HomeKeylogger and FamilyKeyLogger. There was nothing wrong in my testing probably it,s something wrong in BZ,s behavior and I will haver to wait for their reply in this regard.

BlackDay Trojan( It,s a very nasty trojan. It overwrites a lot of the executables on ur different HD partitions converting them into its copies. Not only u get a lot of malware executables but also u loose all the executables overwritten by the trojan. One important thing is that it does not remain limited to C partition but also jumps to other partitions as well, so if u are covering ur C partition with some Instant Recovery Software like FDISR, Returnil or PowerShadow etc, it might not help u as trojan will infect ur non-OS partitions as well):
BZ passed here. All copies of trojans were isolated inside bufferzone and it was not able to overwrite any executables. The only problem I noted that on attempted termination through BZ, I was not able to terminate BlackDay trojan process( may be some problem just on my system).

DFK Threat Simulator: Passed. Although I got the message that u have been owned but I think all of DFK threat Simulator,s activity was inside bufferzone. I was not able to terminate Win32.exe though( as challenged by DFK threat simulator) but I checked and it was infact running inside BufferZone), So on reboot everything should have been fine but I was not able to verify as I did all this testing in ShadowMode and would have lost everything on reboot. I will say it Pass. Unable to terminate win32.exe seems a bug of BZ just like BlackDay trojan above.

RegTest( 1 and 2) by Ghost Security: Pass. It was unable to reboot the system, though I was not able to reboot manually to confirm it( due to ShadowMode).

W32/ Virut.P trojan( it was the trojan one user got from an infected torrent( a crack) and it messed with FDISR service and infected other snapshot of FDISR as well. When I tried it, it was not even detected by many AVs on Virus Total. On my system it killed my AV Antivir. I tested it with Antivir,s guard off as it was detected by Antivir). BZ passed, as trojan was not able to mess with Antivir and other processes( grossly).

Qucan IM worm( IM-Worm.Win32.Qucan.a/ Win32.Worm.IM.Sohanat.A): This worm disables RegEdit and TaskManager: BZ Passed

XP Killer trojan: It disables three services, Windows Firewall, System Restore and Automatic Updates Services. BZ Passed.

Brontok worm: It makes a lot of copies of itslef: BZ passed. All copies of the worm were isolated inside BZ.

In order to check malware cleaning capability of BZ, I installed an IE Spyware toolbar inside BufferZone. It was installed OK inside BufferZonesd IE. When I launched IE outside BufferZone, there was no toolbar. On launching IE inside BZ, toolbar was there. I then emptied BufferZone, removing all BZoned registry and files. Launched IE inside BZ and Spyware toolbar was gone. Same results with a legitimate toolbar( Google Toolbar). PASS

SDT Unhooker malware( called RKIT/Agent.EZ by Antivir): Once executed it unkooks all HIPS SSDT hooks making them blind. BZ passed.

Prueba trojan discussed here:

http://www.wilderssecurity.com/showthread.php?t=179003&highlight=SSM+bypassed

BZ failed as prueba was able to make its copy outside of BufferZone in ProgramFiles> Config32 folder.( BTW CH failed against it but beta1 of ThreatFire stops this trojan).

KillDisk virus: not tested as I have no VM. Anyone please?

Results are quite good in my opinion. Only failures are against some keyloggers and Prueba.

I will make a thread over their forums. Let,s see what is their response.
Now I wonder why BZ is not so popular, it seems quite strong and I was able to run it alongwith Antivir, EQSecure, GeSWall, ThreatFire, and ShadowSurfer without any conflicts. That shows a lot of compatibility in my opinion.

Note: during this testing there was a minor problem with BZ install( due to my system, not due to BufferZone). I uninsnatlled BZ, then when I tried to reinstall, I did not find the key( I could not re-retrieve it from my e-mail as I had no internet at that time, so I just did a system restore that brought BZ,s installation back though some of its functions/ options were disabled( making it more like a free version). I don't however think that the results are affected by this in any way.
193127
193128
193129
193130
193131

nice job aigle! also nice find with the spy.exe process termination method. i'm amazed BZ failed. damn how many ways are there to kill a process? :)

ps aigle did you get your free key to BZ from the giveaway.com or something site? if so, the downside to that version of BZ isn't entitled to updates at all. if not, ignore this part of my post ;)

Hey aigle, nice tests!

re: why its not more popular, its because it takes up more cpu usage than the likes of sandboxie, and I think alot of people see lots of fluff compared to sandboxie for the same purpose. Maybe I'm wrong.

But also sandboxie is free. Bufferzone has a free version too but I think its limited in some way.

As the other posters already said- very nice job!

Question- why does BZ have problems with key loggers but seems resolute against pretty much everything else?

Thanks all of u.
I am not sure why it failed against keyloggers. Wait for their response on their forums.

I have posted it here.

http://www.trustware.com/forum/viewtopic.php?t=2046

Thanks for the tests aigle!
The Blackday trojan is one of the few malware types that I am truly afraid of. Limited user or FDISR wont help against it. To make images of all my harddrives/partitions would require really big backup drive, atleast until I figure out why my SP wont compress.
Maybe it is an old malware but I didnt know they where out there, I have been expecting one though. I know I am a bit ignorant about this, maybe I have put my head in the sand before but have not read about such malware for years. Is it or malware like it which spreads to other drives common?

Maybe I have to install Returnil, shadowdefefender or Powershadow to protect my other partitions and drives after all....Drat! now that I moved on to a more lighter security setup and was very happy with it :(

Aigle,

Good job. You have tested sandboxes often. You are also on the game with NeoavaGuard and EQSecurity.

I am wondering, when you seperate fun from nessecity, you must have experienced yourself that a defense consisting of
- Hardware Firewall
- Sandbox (GesWall, DefenseWall, Sandboxie or BuffeZone)
- Antivirus
- Behavior Blocker (ThreatFire free, Norton Antibot)

Would be off sufficient protecton and can be configured and operated very easily.

Regards Kees

{QUOTE-> Thanks for the tests aigle!
The Blackday trojan is one of the few malware types that I am truly afraid of. Limited user or FDISR wont help against it. To make images of all my harddrives/partitions would require really big backup drive, atleast until I figure out why my SP wont compress.
Maybe it is an old malware but I didnt know they where out there, I have been expecting one though. I know I am a bit ignorant about this, maybe I have put my head in the sand before but have not read about such malware for years. Is it or malware like it which spreads to other drives common?

Maybe I have to install Returnil, shadowdefefender or Powershadow to protect my other partitions and drives after all....Drat! now that I moved on to a more lighter security setup and was very happy with it :( <-QUOTE}
I use EQS file protection feature( very strong indeed). NG will cover it also due to filter for "stopping an executable from making copy of itself". ThreatFire/ CH will protect too think. Any sandbox like BZ, GW, SBIE will protect as well.
Otherwise separate ur data from OS( two partitions), image OS partition and make backup of data, put them ofline.
I can,t think of any other ways ATM.

{QUOTE-> Aigle,

Good job. You have tested sandboxes often. You are also on the game with NeoavaGuard and EQSecurity.

I am wondering, when you seperate fun from nessecity, you must have experienced yourself that a defense consisting of
- Hardware Firewall
- Sandbox (GesWall, DefenseWall, Sandboxie or BuffeZone)
- Antivirus
- Behavior Blocker (ThreatFire free, Norton Antibot)

Would be off sufficient protecton and can be configured and operated very easily.

Regards Kees <-QUOTE}
For reality:

Ya! a FW, an AV and commom sense/ safe habits might be enough!

Well, I think I may answer on your question why BZ is not so popular. The point is that SBIE is the same sandbox type software (with file system virtualization), much smaller, almost free :) . As about simplicity- policy-based sandboxes without file system virtualization are out of competition.

Also, there is one more point here. It is interesting, but one-wizard-man projects takes more sympathy (from my own experience). Don't know why, I may only guess...

SBIE is sure the most popular one.
BTW anybody know out of SBIE, GW, DW, BZ and VS, which one was launched first and which was launched last of all?

{QUOTE-> SBIE is sure the most popular one.
BTW anybody know out of SBIE, GW, DW, BZ and VS, which one was launched first and which was launched last of all? <-QUOTE}
Tzuk actually posted here trying to generate interest around 3 years ago.
My oh my, Sandboxie has certainly came a long way since!
First Wilders mention (http://www.wilderssecurity.com/showthread.php?t=39677&highlight=sandboxie)

Another old post (http://www.wilderssecurity.com/showthread.php?t=47760)

thanks.

I also tried BZ pro with the free licence...However it still has issues, AdMuncher and Roboform are not compatible...Sandboxie on the other hand works perfect here and in my mind it´s an absolute winner!

Sandboxie slows down my webbrowsing too much. Very uncool.

{QUOTE-> Now I wonder why BZ is not so popular, it seems quite strong and I was able to run it alongwith Antivir, EQSecure, GeSWall, ThreatFire, and ShadowSurfer without any conflicts. That shows a lot of compatibility in my opinion. <-QUOTE}

Thanks for the testdrive Aigle. I never doubted the fact that BZ gives good protection, but everytime I tried it, it used way too many resources and it was very sluggish. Just like the new SafeSpace which is similar. Sandboxie is like 10x better. And are you sure you could run it with all these tools without system slowdown? On my virtual machine it´s even sluggish without any other tools installed. :blink:

{QUOTE-> Thanks for the testdrive Aigle. I never doubted the fact that BZ gives good protection, but everytime I tried it, it used way too many resources and it was very sluggish. Just like the new SafeSpace which is similar. Sandboxie is like 10x better. And are you sure you could run it with all these tools without system slowdown? On my virtual machine it´s even sluggish without any other tools installed. :blink: <-QUOTE}

Equal results here. Way back when some time ago i really was encouraged with BZ and actually tried to live with the limitation of it slowing browsing but that became a real issue for a speedster like myself.

I'm sure it's developed far beyond and better now then when i tried it before.

Likewise, thanks for test results, impressive. Like others i've settled into Sandboxie for the time being but am not deterred from BufferZone in anyway and especially from results like those.

If the system can handle it, BZ appears a viable alternative.

{QUOTE-> Thanks for the testdrive Aigle. I never doubted the fact that BZ gives good protection, but everytime I tried it, it used way too many resources and it was very sluggish. Just like the new SafeSpace which is similar. Sandboxie is like 10x better. And are you sure you could run it with all these tools without system slowdown? On my virtual machine it´s even sluggish without any other tools installed. :blink: <-QUOTE}

Hi Rasheed187

Completely the opposite here with Buffer Zone. No apparent slowdown and the resource numbers seem ridiculously low. I'll post them when on the machine in question.

Returnil doesn't complain either and vice versa.

As the others said nice job aigle! As for people preferring Sandboxie from what I have read it would fail at many of the tests Bufferzone passed (please let me know if my readings are incorrect). So if true I am not sure why people prefer to use a product that is not as safe even though it is free unless the funds are just not available. In that case I totally understand.

Thanks,

Chris

Can anyone performe the same tests with SandboxIE and post the results?

{QUOTE-> Can anyone performe the same tests with SandboxIE and post the results? <-QUOTE}

Yes, I hope Aigle will do this, but I have no reason to believe that SBIE can´t stop most of these tests. All tests that try to modify file system and registry will probably be passed. I do know that SBIE does not protect against keyloggers. And if you look at performance, it´s also quite easy to install apps in the sandbox, I wonder if BufferZone can do the same?

@ Old Monk, I suppose it might depend on your system configuration, for me it always felt quite heavy, the last time I checked was about 3 months ago, and I think it´s unlikely that resource usage has been improved that dramatically.

{QUOTE-> Yes, I hope Aigle will do this <-QUOTE}I am realy sory, no time ATM and no internet access.

I have tried SBIE against malware many times. Its only weakness seems keyloggers and some termination attempt failures otherwise it,s very strong. Sure better than BZ.

{QUOTE-> I have tried SBIE against malware many times. Its only weakness seems keyloggers and some termination attempt failures otherwise it,s very strong. Sure better than BZ. <-QUOTE}
Not sure if it's better or not but Trustware does offer $500.00 for any one that can show the BZ was breached http://www.trustware.com/virtualization/500.html .

"Your PC is secure from viruses, spyware and malware while you surf the Internet, download and open files within the virtual BufferZone. Trustware is willing to pay $500 to anyone who can prove otherwise."

Thanks,

Chris

{QUOTE-> The Blackday trojan is one of the few malware types.... Limited user or FDISR wont help against it. <-QUOTE}
Are you sure about this? What does "Limited user... won't help against it [Blackday]" mean? I thought malware executed in an LUA cannot write or delete system files?

{QUOTE-> Are you sure about this? What does "Limited user... won't help against it [Blackday]" mean? I thought malware executed in an LUA cannot write or delete system files? <-QUOTE}

I am not worried about my system files, LUA does a excellent job in protecting them and FDISR can restore C drive. I am worried about malware that targets my other partition (and drives?).

{QUOTE-> BlackDay Trojan( It,s a very nasty trojan. It overwrites a lot of the executables on ur different HD partitions converting them into its copies. Not only u get a lot of malware executables but also u loose all the executables overwritten by the trojan. One important thing is that it does not remain limited to C partition but also jumps to other partitions as well, so if u are covering ur C partition with some Instant Recovery Software like FDISR, Returnil or PowerShadow etc, it might not help u as trojan will infect ur non-OS partitions as well): <-QUOTE}

Aigle,
Good job !!! Is BlackDay Trojan an executable ? If yes, Faronics Anti-Executable will kill it.

I certainly can attest to a virus very capable of jumping the fence into the next yard, in this case the other partition on a dual setup, because i just had it happen for me during one of my research tests.

Even though it's been catalogued as a medium threat courtesy several popular AV vendors & claimed easily cleaned, that is not entirely true or else other spinoff variants of this same one no doubt exists in the wild.

Exclusively using NOD32, it "cleaned" approximately 80% of the .exe's infected but the rest were left waning and required nothing less than a complete overwrite with a fresh clean copy in order to restore 100% functionality again.

BufferZone might stave off many such common types, but what about those so-called proof-of-concept releases, and especially one's specially designed to disable these popular programs?

...................and the beat goes on.

The BBC Honey Pot was a good example for me. It was so infected that even security softwares couldn't clean it or keep it clean. The only way to clean it was restoring an image.

ISR-softwares are good for daily cleaning and Image Backup softwares will do the job, if ISR-softwares fail to do it.
Recovery softwares are the future, not security softwares, they fail too much.
Just like I wear a clean shirt every day, I have a new system partition every day or after each reboot.
If Microsoft doesn't do it, I have to do it myself.