Is GesWall a sandbox or not?


Trespasser
April 16th, 2008, 08:33 PM
*If this has been discussed before then sorry about that*

Andrew over at Gentle Security Forum in FAQ stated that GesWall is not a sandbox but I also read statements by Aigle, someone whom I respect a great deal, saying that it was. So, which is it? Anyone want to chime in and explain this?

Cerxes
April 16th, 2008, 10:59 PM
The reason for the confusion is that the definition of this type of HIPS isn't quite determined yet. However, I agree with Aigle in this case since it isolates/restricts the "sandboxed" application and its outcome (parent-child processes). Andrew seems to compare and distinguish these types of applications (GW, DW etc.) from "real" VMs as being the true sandboxes. I prefer to distinguish them as application-level and system-level "sandboxes" instead.

/C.

aigle
April 16th, 2008, 11:55 PM
Quoting Trespasser:
    *If this has been discussed before then sorry about that*

    Andrew over at Gentle Security Forum in FAQ stated that GesWall is not a sandbox but I also read statements by Aigle, someone whom I respect a great deal, saying that it was. So, which is it? Anyone want to chime in and explain this?

GesWall is surely a policy-based sandbox with limited registry virtualization. In fact the definitions - sandbox, HIPS etc. - are used so loosely for a range of applications and products that I don't care anymore about the exact terminology and nomenclature. All I care about is that I understand what an application (GesWall) does and how effectively it performs its job.

The "sandbox" in the FAQs refers to total virtualization like a VM etc., as Cerxes explained.

Kees1958
April 17th, 2008, 02:14 AM
Hi,

Although not 100% accurate, This is what I use to explain

1. Policy sandboxing (or soft sandboxes)
Restricts the rights of applications to access critical OS data and registry hives, and quarantines processes from potential malicious behavior. What running LUA (a user with restricted rights) does for a user, DefenseWall and GesWall do for all/selected threat-gate applications or internet/external-facing applications (like your browser, e-mail, chat, P2P, etc.). Vista UAC for instance restricts access to registry hives and critical OS directories and runs IE in 'protected' mode. The nice thing about applications like DW and GW is that downloaded files of threat-gate applications inherit the rights restriction. So you normally do not have to think about their status (trusted or untrusted).

2. Shadow Sandboxes (or 'virtualisation' sandboxes)
Virtualise (keep separate) the file system for all sandboxed applications (Sandboxie, SafeSpace) or a partition/complete drive (Returnil, PowerShadow, MS SteadyState). Some (like SafeSpace) offer both. When using this it is important to know in which mode you downloaded files, etc. Otherwise, when you purge a sandbox, everything in it is reset. The point is that those applications trick the virtualised applications into using a copy (shadow) of the protected files/partition.

3. Virtual Machine Sandboxes
They create a completely different environment (they virtualise the hardware), requiring an additional OS in the virtualised area. Examples: VM, Virtual PC.
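The difference between category 1 and category 2 in Kees's list is easier to see in code than in prose. The following is an added example written for this page, not GesWall's, DefenseWall's or Sandboxie's code: a toy model of a policy sandbox (processes carry a trust label, untrusted processes are denied writes to protected locations, children and created files inherit the label) next to a shadow sandbox (writes are diverted to a copy-on-write overlay that a purge discards). The protected path list, the process and file names, and the inheritance rules are simplified assumptions chosen for illustration; the "file system" is just a dictionary.

```python
"""Toy model of a policy sandbox vs. a shadow sandbox (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Locations an untrusted process may not modify. Assumed policy for the
# example, not the real rule set of any product.
PROTECTED_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\", "HKLM\\")


@dataclass
class Process:
    name: str
    trusted: bool = True


class PolicySandbox:
    """Label-based restriction: nothing is virtualised, writes are allowed or denied."""

    def __init__(self, real_fs: Dict[str, str]):
        self.fs = real_fs                      # the one real file system
        self.untrusted_files: Set[str] = set()

    def spawn(self, parent: Process, name: str) -> Process:
        # Child processes inherit the parent's label (parent-child isolation).
        return Process(name, trusted=parent.trusted)

    def launch(self, launcher: Process, path: str) -> Process:
        # A file created by an untrusted process keeps its label: running it
        # yields an untrusted process even when a trusted shell launches it.
        untrusted = (not launcher.trusted) or path in self.untrusted_files
        return Process(path.rsplit("\\", 1)[-1], trusted=not untrusted)

    def write(self, proc: Process, path: str, data: str) -> bool:
        if not proc.trusted and path.startswith(PROTECTED_PREFIXES):
            return False                       # policy denial, nothing happens
        self.fs[path] = data                   # real write, visible to everyone
        if not proc.trusted:
            self.untrusted_files.add(path)     # created/downloaded file inherits the label
        return True

    def read(self, proc: Process, path: str) -> Optional[str]:
        return self.fs.get(path)


class ShadowSandbox:
    """Copy-on-write overlay: writes are diverted, the real file system is untouched."""

    def __init__(self, real_fs: Dict[str, str]):
        self.real = real_fs
        self.overlay: Dict[str, str] = {}

    def write(self, path: str, data: str) -> bool:
        self.overlay[path] = data              # "succeeds", but only in the shadow copy
        return True

    def read(self, path: str) -> Optional[str]:
        return self.overlay.get(path, self.real.get(path))   # sandboxed view

    def purge(self) -> None:
        self.overlay.clear()                   # everything written inside is gone


def demo() -> Dict[str, bool]:
    """Run both models over the same constructed scenario; return the outcomes."""
    real_fs = {"C:\\Windows\\System32\\hal.dll": "original"}
    r: Dict[str, bool] = {}

    # Policy sandbox: the browser is a threat-gate app, so it starts untrusted.
    ps = PolicySandbox(dict(real_fs))
    explorer = Process("explorer.exe")                               # trusted shell
    browser = ps.spawn(Process("launcher", trusted=False), "browser.exe")
    r["policy_denied_write"] = not ps.write(browser, "C:\\Windows\\System32\\hal.dll", "x")
    r["policy_download_ok"] = ps.write(browser, "C:\\Users\\me\\Downloads\\setup.exe", "MZ")
    r["policy_hal_intact"] = ps.read(explorer, "C:\\Windows\\System32\\hal.dll") == "original"
    # The user double-clicks the download from the trusted shell: still isolated.
    setup = ps.launch(explorer, "C:\\Users\\me\\Downloads\\setup.exe")
    r["policy_download_untrusted"] = not setup.trusted
    child = ps.spawn(setup, "cmd.exe")
    r["policy_child_untrusted"] = not child.trusted
    r["policy_child_denied_write"] = not ps.write(child, "HKLM\\Software\\Run", "evil")
    # A file written by a trusted process launches trusted.
    ps.write(explorer, "C:\\Program Files\\tool.exe", "MZ")
    r["policy_trusted_file_trusted"] = ps.launch(explorer, "C:\\Program Files\\tool.exe").trusted

    # Shadow sandbox: the same overwrite "works" but never reaches the real disk.
    ss = ShadowSandbox(dict(real_fs))
    ss.write("C:\\Windows\\System32\\hal.dll", "overwritten")
    ss.write("C:\\Users\\me\\Downloads\\setup.exe", "MZ")
    r["shadow_sees_overwrite"] = ss.read("C:\\Windows\\System32\\hal.dll") == "overwritten"
    r["shadow_real_intact"] = ss.real["C:\\Windows\\System32\\hal.dll"] == "original"
    ss.purge()
    r["shadow_purge_restores"] = ss.read("C:\\Windows\\System32\\hal.dll") == "original"
    r["shadow_purge_loses_download"] = ss.read("C:\\Users\\me\\Downloads\\setup.exe") is None
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two models fail differently, which is the practical point of Kees's distinction: in the policy model a download lands on the real disk but can never be run with full rights, so nothing needs to be "purged"; in the shadow model the download is as powerful as any other program inside the sandbox but disappears with the purge, which is why you have to remember in which mode you downloaded something.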

aigle
April 17th, 2008, 02:43 AM
Quoting Kees1958:
    1. Policy sandboxing (or soft sandboxes)

BTW the term "soft" might mislead here, as I don't find them soft in their protection in any way.

Kees1958
April 17th, 2008, 02:59 AM
Agree,

I did not invent the term. Soft for software, because it sandboxes the internet facing software amongst things.

Both DW and GW suffer from marketing gizmo; they are in fact policy-enforcement HIPS, enabling the average PC user to apply pre-set policy restriction rules while running as admin. HIPS have the association of being complex, sandboxes of non-transparency, so invent a new name for this category which honours the ease of use and protection strength.

Trespasser
April 17th, 2008, 07:32 AM
Nicely explained, gentlemen. And thanks, Kees, for the in-depth analysis.

BTW, Cerxes, I like that avatar. I've tried Solaris Express, 10, and even Nexenta but had too much trouble with hardware compatibility. Still prefer Linux, though.

Again, thanks.