#1
The past six and a half months have truly convinced me that a host intrusion prevention system (HIPS) that employs non-admin./limited user, sandboxing and virtualization technologies is the ultimate security setup for malware prevention alongside an antivirus and firewall. The links posted below explain or demonstrate the virtue of a non-admin./limited user account.
http://blogs.msdn.com/aaron_margosis...17/157962.aspx
http://blogs.msdn.com/aaron_margosis...25/166039.aspx
http://eweek.com/article2/0,1759,1891447,00.asp

In an objective and open-minded fashion I have posted links below to current HIPS that incorporate some or all of the above-mentioned technologies.

DefenseWall - http://www.softsphere.com/
BufferZone SAE/Home/Pro - http://www.trustware.com/
GreenBorder - http://greenborder.com/
Virtual Sandbox - http://www.fortresgrand.com/products/vsb/vsb.htm
VELite - http://www.secureol.com/
SandBoxie - http://sandboxie.com/
RunSafe - http://www.runsafe.com/
1-Defender - http://amustsoft.com/1-defender/

Out of the eight, for whatever reason, my sole experience is with DefenseWall. Interestingly, I found out about DW at both CastleCops - http://www.castlecops.com/postlite14...fensewall.html and Wilders - http://www.wilderssecurity.com/showt...ht=defensewall. It is my opinion that DW is the most effective and refined example of this kind of software at any price. In addition to being both simple and easy to use, it uses a relatively modest amount of resources. Ilya Rabinovich, DW's creator, provides excellent customer and technical support and timely program updates and fixes. I have provided links regarding DW below that may be of interest to you.

DefenseWall Test - http://security.over-blog.com/article-3030160.html
DefenseWall Support Forums - http://gladiator-antivirus.com/forum...?showforum=192

Peace & Love, CogitoErgoSum
__________________
Current Vista 32 SP2 Resident Security Arsenal: (DefenseWall Personal Firewall v3.11 - KeyScrambler Pro) DefenseWall HIPS(http://www.softsphere.com/) *Loyal & diehard DefenseWall user since 1/06!* ~Living dangerously without a resident antivirus since late 2/07!~
Last edited by CogitoErgoSum : July 25th, 2006 at 10:54 AM.
#2
You forgot GesWall!
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#3
I have been using DefenseWall for a while and I feel that it is great. I am not a security expert, but from what I have seen I feel that it is one of, if not the best, security programs I have. I would much rather keep things off my computer than try to get them off.
#4
I tried RunSafe, but I don't like its design. The box with the secured applications isn't a good idea IMO.
Each chosen application is in fact doubled on your desktop: unsecured and secured. If I click on the wrong icon of MSIE I'm not secured. MSIE is secured, but if I click on a website icon on my desktop, the website isn't secured. What a mess.
__________________
ErikAlbert Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR Malware Survival Rate = 0.00%, but each malware has my sympathy.
#5
Quote:
Hi CogitoErgoSum, your first two links do not work; it seems they've been shortened. Here are the links: Why you shouldn't run as admin... "Zero-day" attacks and using limited privilege. Very interesting! nicM
__________________
Online Armor
#6
DefenseWall seems good.
Has anybody tried both DefenseWall and Prevx? I like the sound of both programs.
__________________
"I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image." Stephen Hawking SEP 12.1, MBAM Pro, WinPatrol Plus, Norton DNS, ABP, EAM Scanner
#7
I think I have to mention a similar soft called BlackICE here, which is IMHO one of the best IDS - you _could_ call it also HIPS - out there.
__________________
Ciao Tommy Member of ASAP System: Windows XP SP2 | Vaio Laptop Security Setup: Avira Premium | Jetico 2
#8
Quote:
I've tested both together and have found no problems. Quote:
Wrong: IDS are based on signature methods, HIPS are not.
#9
Quote:
__________________
Ciao Tommy Member of ASAP System: Windows XP SP2 | Vaio Laptop Security Setup: Avira Premium | Jetico 2
#10
It has been brought to my attention that the first two links that I originally posted regarding the virtues of a non-admin./limited user account apparently do not work. I revised the links in the original post up above so that they do work. Thanks nicM for pointing that out.
The Wilders link apparently does not work either. I also revised this link in the OP so that it works. Peace & Love, CogitoErgoSum
__________________
Current Vista 32 SP2 Resident Security Arsenal: (DefenseWall Personal Firewall v3.11 - KeyScrambler Pro) DefenseWall HIPS(http://www.softsphere.com/) *Loyal & diehard DefenseWall user since 1/06!* ~Living dangerously without a resident antivirus since late 2/07!~
#11
Hi,
Just some links about different classes of programs and HIPS: http://wiki.castlecops.com/Different...urity_software
Focused on HIPS: http://kareldjag.over-blog.com/article-1693696.html

Amust and RunSafe can't be considered as HIPS! They're only administrator tools. A HIPS is generally integrated at a low level and intercepts API calls in order to control the system's activity (behaviour). Most HIPS use policy and privilege restrictions (service/driver, physical memory etc.), and are mostly designed to protect the local host where they're installed.

It's true that an IDS is based on signatures, but the main difference is somewhere else: an IDS focuses its protection on a network perimeter, a HIPS on the local host (desktop for home users, server for a corporate environment).

The problem is that the administrator account is the default Windows account, and that the majority of users run under this account simply because it's the easiest way to use their PC for most of them.

HIPS-based sandboxing and virtualization are interesting, but this is not the panacea: for VMware, for instance, fingerprint scanning methods exist to find out if a system is under VMware or not, and then a buffer overflow exploit can be applied. This is the same if an attacker has a remote command or physical access to the machine: there are documented and undocumented methods to verify if the system is under VMware or not (see image here: http://idata.over-blog.com/0/22/17/61/vmwarefing.jpg ).

The kind of HIPS is not the most important, since the user runs under a limited account and has the right HIPS for him.

regards
__________________
Independent vision of Security (Security? Yeah But Well: http://www.ouaismaisbon.ch/ ) Fight child crime: http://www.circamp.eu/ http://www.virtualglobaltaskforce.com/ Last edited by kareldjag : July 25th, 2006 at 01:55 PM.
#12
Quote:
Do you mean to say that running as a limited user is safer than running as administrator with sandboxing of vulnerable applications? BTW, your tests of DefenseWall were nice, but I really missed the comparison; without any other similar application being tested at the same time, it is hard to guess how good DefenseWall is, especially compared to other similar applications. Please, if possible, can you do a comparative test of DefenseWall with other applications like Sandboxie or GesWall? It will be really interesting to see.
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus, Last edited by aigle : July 25th, 2006 at 03:38 PM.
#13
Quote:
Agree 100%! Quote:
Not quite! There are some local host-based end-user IDS systems. SocketShield, for instance... Quote:
Well, it is possible for malware to operate even under a limited rights user account. The fact is that Windows was designed in the 80s; there was no malware at that time, and there were no tools included in its core to protect users from this stuff. That is the main reason for HIPS products to be here. Quote:
A panacea does not exist, we all know about it! This is just a new protection method for the tools, increasing the protection level against unknown malware. It has advantages and disadvantages, as all the protection schemes in the real world do; nobody's perfect (we are just discussing it in a parallel thread)! BTW, add your new blog's address into your signature!
#14
Hello kareldjag,
Thanks for sharing your wisdom with us and setting the record straight. Peace & Love, CogitoErgoSum
__________________
Current Vista 32 SP2 Resident Security Arsenal: (DefenseWall Personal Firewall v3.11 - KeyScrambler Pro) DefenseWall HIPS(http://www.softsphere.com/) *Loyal & diehard DefenseWall user since 1/06!* ~Living dangerously without a resident antivirus since late 2/07!~
#15
Doesn't matter that much if someone knows if I have a VMware station aboard... and a fingerprint scanner... hmmm, the first one entering my living room with something like a VMware fingerprinting tool... I bet I'll buy him a nice Belgian beer lol
__________________
... hmmmm .. so you're a signature reader ...
#16
Hello Ilya,
Thanks for sharing your experience with sandboxes, virtualization, non-admin./limited user accounts and HIPS. As usual, they are very much appreciated. Peace & Love, CogitoErgoSum
__________________
Current Vista 32 SP2 Resident Security Arsenal: (DefenseWall Personal Firewall v3.11 - KeyScrambler Pro) DefenseWall HIPS(http://www.softsphere.com/) *Loyal & diehard DefenseWall user since 1/06!* ~Living dangerously without a resident antivirus since late 2/07!~
#17
I didn't understand the part about the VMware "fingerprint scanner"; can you give a bit more info about this? I mean, are you saying that malware is able to fool the virtual machine (avoiding detection), or can it break out of the virtual machine?
Last edited by Rasheed187 : July 25th, 2006 at 05:13 PM.
#18
Quote:
No. It means that malware is able to determine if it is running under a VM and to stop working or use some specialized techniques to break out from it.
#19
Has anyone compared Virtual Sandbox by Fortresgrand and BufferZone?
The concept is great, but I'm reading an awful lot of install, uninstall, and compatibility issues in the BZ forums, and I haven't seen a forum for Virtual Sandbox.
__________________
"The only thing necessary for the triumph of evil is for good men to do nothing" - Edmund Burke
#20
I'm using System Safety Monitor and Safe System 2006,
or Ghost Security Suite and Parador. These 2 suites are both good!
__________________
Stefanie Parador + Ghost Security Suite
#21
Quote:
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#22
Quote:
aigle, sorry for being off topic, but were you running Rollback when you installed BZ?? nicM
__________________
Online Armor
#23
I also think that AMUST 1-Defender and RunSafe can't be considered to be sandbox HIPS; the only thing they do is make processes run in non-admin mode, so it's not really sandboxing. RunSafe does however also cover process spawning, so it's more advanced than 1-Defender.
#24
Quote:
I am not sure now, but I think probably not. I had not bought RollbackRx at that time. Does BZ play with the MBR?
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus, |
#25
Quote:
No, I don't think so, about the MBR. The reason I asked you about that is, since I'm running Rollback, there is no way to install BZ anymore for me. Each time I've tried, the computer gets unbootable, in normal or even safe mode. The problem is that it seems nobody else could reproduce this bug, at least to my knowledge. That's why I asked you, just to know if you were one more successful Rollback/BZ user, or not. This issue is really weird. nicM
__________________
Online Armor