Wilders Security Forums  

#1
September 29th, 2006, 08:28 PM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Playing with SandBox HIPS

Hi users, a very brief play around with different sandboxes.

BufferZone---- Stopped KillDisk virus
Stopped Morgud's threat simulator
Could not stop Martin's Undetectable Keylogger (MUK)
Stopped Elite keylogger rootkit installation
Sysinternals Process Explorer while running inside GesWall failed to terminate IE running as trusted (outside BZ)

Virtual Sandbox free version ---- Stopped KillDisk virus
Stopped Morgud's threat simulator on two systems with slightly different results, but stopped altogether in both cases
MUK failed to install in VS
Elite Keylogger rootkit failed to install itself in VS
Sysinternals Process Explorer could not run inside VS; Windows Task Manager while running inside VS was able to terminate IE running outside VS. (zopzop's findings are different here, as he posted in another thread. I am not sure what the problem is, but I tried VS on two systems with almost similar findings; he has posted to the support and we will see the reply.)


GeSwall----- Stopped KillDisk virus
Stopped Morgud's threat simulator
Stopped Martin's Undetectable Keylogger (MUK) from logging keystrokes but not mouse clicks
Stopped Elite keylogger rootkit installation
Sysinternals Process Explorer while running inside GesWall failed to terminate IE running as trusted (outside GW)


SandBoxie ----- Stopped KillDisk virus
Stopped Morgud's threat simulator
Could not stop Martin's Undetectable Keylogger (MUK)
Stopped Elite keylogger rootkit installation
Sysinternals Process Explorer while running inside GesWall failed to terminate IE running outside Sandboxie.



DefenceWall version 1.61, may not be latest -- Stopped KillDisk virus
Stopped Morgud's threat simulator
Could not stop Martin's Undetectable Keylogger (MUK)
Stopped Elite keylogger rootkit installation
Sysinternals Process Explorer while running inside DefenceWall failed to terminate IE running as trusted (outside DW).


Just a few related/unrelated notes--

Antivir Classic detected Morgud's threat simulator by heuristics (that's nice) but failed to stop it.

EAZ-FIX protects against KillDisk virus except that you lose your current working snapshot (or you can make a snapshot just before running KillDisk). I covered the C partition of my single HD with EAZ-FIX and D, E, F were unprotected. Ran KillDisk from C and it could not damage any of the partitions at all. That's nice.

FDISR does not protect against KillDisk virus; you lose your whole system.

The BZ paid version has the maximum features (like a true sandboxing HIPS) and I really like its features. The least slowdown I noted was with GesWall, DefenceWall and Sandboxie, followed by BufferZone, and the worst slowdown with Virtual Sandbox. VS has almost all features (except firewall) of the BZ paid version, but I think it still needs a lot of work to be tweaked. I have used all of them for a while. I like its features but dislike the slowdown in its loading on boot up and the start of applications inside VS. Also it seems aggressive and I faced loss-of-functionality-like issues, so I just uninstalled it.


Thanks.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?

Last edited by aigle : September 30th, 2006 at 07:47 AM.
#2
September 30th, 2006, 12:26 AM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

A little addition. While testing this, I collected the malware samples on my PC.
Antivir detected MUK by heuristics. I never expected such a nice detection, so I uploaded it to VirusTotal; no other scanner detects it. Wonderful work by Avira.
Attached Images
 
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#3
September 30th, 2006, 12:42 AM
Tommy (Very Frequent Poster, joined Dec 2002, Buenos Aires - Munic, 1,169 posts)
Re: Playing with SandBox HIPS

Looking at a few other threads at Wilders, AntiVir is getting more and more points. Amazing
__________________
Ciao
Tommy
Member of ASAP

System: Windows XP SP2 | Vaio Laptop
Security Setup: Avira Premium | Jetico 2
#4
September 30th, 2006, 12:43 AM
davidleu (Infrequent Poster, joined Sep 2006, 19 posts)
Re: Playing with SandBox HIPS

Quote:
Originally Posted by aigle
Wonderful work by Avira.
Yeah, very nice! It's another proof that you don't need to spend a single penny for professional security software!
#5
September 30th, 2006, 01:22 AM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Will post back the scanning results of Morgud's threat simulator also.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#6
September 30th, 2006, 02:00 AM
Lucy (Frequent Poster, joined Apr 2006, France, 383 posts)
Re: Playing with SandBox HIPS

Hi Aigle,

A little correction:
BZ 1.90 doesn't stop Martin's Undetectable Keylogger (MUK) (version 1.6 did, but they forgot to implement it in 1.90)

But the new beta version 2.10-20 does. The release version, which will do so, is expected for the end of October.

Regards
__________________
Scientific Linux!
#7
September 30th, 2006, 02:10 AM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Thanks a lot for the info.
That's nice. I am liking BZ.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#8
September 30th, 2006, 02:14 AM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Results of DFK threat simulator exe file. NOD's heuristics are great. Panda is also good here (it is TruPrevent, I think)!

Antivir detects some components on its execution but can't stop the threat.
Attached Images
 
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#9
September 30th, 2006, 02:18 AM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Results of DFK threat simulator Zip

NOD and Panda again.
It seems I am going a lot OT now, so I will stop here. Back to sandboxes.
Attached Images
 
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#10
September 30th, 2006, 07:45 AM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS-- TESTING WITH APT

Some more testing here.
I ran a process as trusted (outside sandbox) and tried to kill it via APT (Advanced Process Terminator) running as untrusted (inside sandbox).
Here are the results.

BufferZone-- APT failed to kill trusted process (all 16 kill methods)

GesWall ---- APT failed to kill trusted process except by kill methods 7 and 8

Sandboxie-- APT failed to kill trusted process except by kill method 10. I did all my testing with version 2.42, which was available at the time of testing; it might be fixed in the latest version. If anybody knows, please post here. Thanks.

Virtual Sandbox --- It seems quite buggy and even Process Explorer was able to kill a trusted process; I did not test it with APT.

DefenceWall-- I was not able to test, as APT while running untrusted failed to show any processes running as trusted. Any way to test it?

BTW, I tried to kill the sandbox process itself via Process Explorer running as trusted; it killed DefenceWall, GesWall, VS and Sandboxie.
In case of BufferZone--- I was really impressed here-- even APT running as trusted was not able to terminate its protection with all 16 kill methods (though its GUI can be killed even by Process Explorer, it does not affect its protection at all). Very strong software indeed!!

Edit-- DefenceWall GUI is killed but protection remains as it is driver based.
I will have to re-check about Sandboxie as I probably misinterpreted these tests.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?

Last edited by aigle : September 30th, 2006 at 01:51 PM.
#11
September 30th, 2006, 11:34 AM
Ilya Rabinovich (Developer, joined Sep 2005, 1,516 posts)
Re: Playing with SandBox HIPS-- TESTING WITH APT

Quote:
Originally Posted by aigle
DefenceWall-- I was not able to test, as APT while running untrusted failed to show any processes running as trusted. Any way to test it?

1. I would suggest you use the latest version of DefenseWall, 1.65; this will block APT. 1.70 is coming soon.

2. For the APT test you need to use direct PID number input.

3. Killing DW's GUI won't stop protection; it is pure driver-level.

As for MUK, just check if they use ring3 hooks for it (I'm more than sure of it). If they do, they give you a false feeling of security.
#12
September 30th, 2006, 12:19 PM
zopzop (Frequent Poster, joined Apr 2006, 594 posts)
Re: Playing with SandBox HIPS-- TESTING WITH APT

Quote:
Originally Posted by aigle
GesWall ---- APT failed to kill trusted process except by kill methods 7 and 8

method 8 is a bug and they are working on it. method 7 is left open on purpose (i forgot why exactly). but geswall itself is immune to all 16 attempts to shut it down.

you know what you should try next aigle. ghostsecurity's reg test. that's the real eye opener, especially test 2.
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
#13
September 30th, 2006, 12:57 PM
Lucy (Frequent Poster, joined Apr 2006, France, 383 posts)
Re: Playing with SandBox HIPS

Quote:
As for MUK, just check if they use ring3 hooks for it (I'm more than sure of it)

I asked about BZ and I have been answered that the driver is fully ring0... as DefenseWall.

Quote:
you know what you should try next aigle. ghostsecurity's reg test. that's the real eye opener, especially test 2

I disagree. regtest2 could maybe shut down your PC, but the purpose is to prove that by doing it, you can add a key to system startup. If your prog is running untrusted, then anyway it should go to the untrusted registry... So even with shutdown, regtest2 should fail with a proper virtualization / sandbox protection...
__________________
Scientific Linux!
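The registry redirection Lucy relies on above (an untrusted program's write to the startup key lands in the sandbox's own copy of the registry, so nothing runs at the next boot) can be modelled in a few lines. The following Python is a constructed illustration added here for the thread; it is not the code of BufferZone, GeSWall, DefenseWall, Sandboxie or any other product mentioned, and it assumes a simple two-store design (a real store plus a copy-on-write shadow store with delete tombstones), which is one common way such products work but not necessarily how any named product does it. The key path and program names in it are made up.

```python
"""
Toy model of the registry virtualization a sandbox applies to untrusted
processes (copy-on-write redirection into a shadow store).

Constructed illustration only: not the code of any product named in the
thread. Key paths and program names are made up, and nothing here touches
a real Windows registry.
"""
from dataclasses import dataclass, field
from typing import Optional

# Autostart key a regtest2-style test tries to write into (constructed string,
# mirroring the well-known HKLM Run key path).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class VirtualizedRegistry:
    """Real store plus one shadow store that untrusted writers are redirected to."""
    real: dict = field(default_factory=dict)     # (key, value_name) -> data, system-wide
    shadow: dict = field(default_factory=dict)   # same shape, visible only inside the sandbox
    deleted: set = field(default_factory=set)    # tombstones: real values hidden from the sandbox

    def set_value(self, trusted: bool, key: str, name: str, data: str) -> str:
        """Write a value and report which store received it."""
        slot = (key, name)
        if trusted:
            self.real[slot] = data
            return "real"
        # Untrusted: copy-on-write into the shadow; the real store is never touched.
        self.shadow[slot] = data
        self.deleted.discard(slot)
        return "shadow"

    def delete_value(self, trusted: bool, key: str, name: str) -> str:
        """Delete a value; an untrusted delete only hides it from the sandbox."""
        slot = (key, name)
        if trusted:
            self.real.pop(slot, None)
            return "real"
        self.shadow.pop(slot, None)
        self.deleted.add(slot)
        return "shadow"

    def get_value(self, trusted: bool, key: str, name: str) -> Optional[str]:
        """Trusted readers see the real store; untrusted see shadow merged over real."""
        slot = (key, name)
        if trusted:
            return self.real.get(slot)
        if slot in self.deleted:
            return None
        return self.shadow.get(slot, self.real.get(slot))

    def autostart_entries(self) -> dict:
        """What the logon process (always trusted) would launch: the real Run key only."""
        return {name: data for (key, name), data in self.real.items() if key == RUN_KEY}


def startup_key_test(run_untrusted: bool) -> dict:
    """Run a regtest2-style 'add myself to startup' attempt and report what happened."""
    reg = VirtualizedRegistry()
    # A trusted installer (constructed example) has already registered itself.
    reg.set_value(True, RUN_KEY, "ExampleAV", r"C:\Program Files\ExampleAV\guard.exe")
    trusted = not run_untrusted
    store = reg.set_value(trusted, RUN_KEY, "regtest2", r"C:\temp\regtest2.exe")
    return {
        "written_to": store,
        # The test program reads its value back and believes it succeeded either way.
        "writer_sees_entry": reg.get_value(trusted, RUN_KEY, "regtest2") is not None,
        # Whether the real system, and therefore the next boot, is affected.
        "trusted_sees_entry": reg.get_value(True, RUN_KEY, "regtest2") is not None,
        "runs_at_boot": "regtest2" in reg.autostart_entries(),
        # An untrusted delete of the trusted entry only hides it inside the sandbox.
        "untrusted_can_hide_real_entry": (
            reg.delete_value(False, RUN_KEY, "ExampleAV") == "shadow"
            and reg.get_value(False, RUN_KEY, "ExampleAV") is None
            and "ExampleAV" in reg.autostart_entries()
        ),
    }


if __name__ == "__main__":
    for untrusted in (True, False):
        print("untrusted" if untrusted else "trusted", startup_key_test(untrusted))
```

Run untrusted, the write reports success to the program that made it (it reads its own value back from the shadow), yet the real Run key is unchanged and the entry is absent from the boot list; run trusted, it persists. The model says nothing about the forced shutdown itself, which is a separate capability from registry persistence and is the part zopzop objects to later in the thread.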
#14
September 30th, 2006, 01:47 PM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS-- TESTING WITH APT

Quote:
Originally Posted by Ilya Rabinovich
3. Killing DW's GUI won't stop protection; it is pure driver-level.

Sorry, you are right. It was my mistake. I was only mistaken by the GUI. I just checked it now and protection remains there. I shall correct it.
Quote:
Originally Posted by Ilya Rabinovich
As for MUK, just check if they use ring3 hooks for it (I'm more than sure of it). If they do, they give you a false feeling of security.

I think they use the GetKeyState method but I am not sure. Can anybody tell more about MUK?

What about this false sense of security? Can you explain more? Thanks
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#15
September 30th, 2006, 01:52 PM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS-- TESTING WITH APT

Quote:
Originally Posted by zopzop
method 8 is a bug and they are working on it. method 7 is left open on purpose (i forgot why exactly). but geswall itself is immune to all 16 attempts to shut it down.

you know what you should try next aigle. ghostsecurity's reg test. that's the real eye opener, especially test 2.

Thanks.
Will try it sometime. I tried it in the past but forgot the results.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#16
September 30th, 2006, 02:10 PM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Some more testing using syssafety SPT (instead of APT); settings same as in post no. 10 above. (I did not use parameter f with SPT; only the e parameter was used.)

http://syssafety.com/leaktests.html

BZ-- failed with methods 15 and 16 (with 16 the message came that killing failed, but in fact the target became unresponsive, so I will take it as equivalent to killing).
GW--- failed with method 16, just like above
DW-- failed with many: 9, 10, 11, 12, 14, 15, 16 (maybe I missed something)
Sandboxie-- not tested

Also tried the keylogger test from syssafety.

GW-- failed with methods 3 and 4
BZ-- failed with method 1 only
DW--- failed with methods 1 and 2
Sandboxie-- not checked, maybe later.

BTW, SnoopFree tested here detected and successfully stopped all methods except method 1. SnoopFree is always wonderful. A tiny but great piece of software that detects keyloggers generically.

Edit-- I am not an expert here. I did not test SPT fully and there may be mistakes. Feel free to correct me if I am wrong.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#17
September 30th, 2006, 02:13 PM
Ilya Rabinovich (Developer, joined Sep 2005, 1,516 posts)
Re: Playing with SandBox HIPS-- TESTING WITH APT

Quote:
Originally Posted by aigle
I think they use the GetKeyState method but I am not sure. Can anybody tell more about MUK?

GetAsyncKeyState. This function is, mostly, using the shared keystate buffer without using the native API.

Quote:
Originally Posted by aigle
What about this false sense of security? Can you explain more? Thanks

I still haven't found a good driver-based way to prevent GetAsyncKeyState-based keyloggers from doing their job. All the ring3 hooks may be easily bypassed. Also, there could be GetMessage/PeekMessage and TranslateMessage intercepting keyloggers and subclassing-based keyloggers that can not be stopped from driver level. That is why keylogger defense is really limited in Windows. Its architecture is not built perfectly from the point of view of security.
#18
September 30th, 2006, 02:13 PM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Another killing method-- IceSword and DarkSpy

DarkSpy and IceSword failed to initialize in DW, GW and BufferZone.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#19
September 30th, 2006, 02:46 PM
zopzop (Frequent Poster, joined Apr 2006, 594 posts)
Re: Playing with SandBox HIPS

Quote:
Originally Posted by BZJet
I disagree. regtest2 could maybe shut down your PC, but the purpose is to prove that by doing it, you can add a key to system startup. If your prog is running untrusted, then anyway it should go to the untrusted registry... So even with shutdown, regtest2 should fail with a proper virtualization / sandbox protection...

i realize it won't faze the real registry, but the annoyance of a malware being able to force a shutdown/restart is...................annoying.
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
#20
September 30th, 2006, 02:48 PM
bellgamin (Very Frequent Poster, joined Aug 2002, Hawaii, 5,202 posts)
Re: Playing with SandBox HIPS

And the winner is --- (Tah-Dah!) BufferZone! Or did I misinterpret the comments here? If BZ did not "win" then am I correct in saying that none of the tested apps did the job?

By the way, why wasn't the redoubtable Prevx included, I wonder?
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
#21
September 30th, 2006, 04:02 PM
Tommy (Very Frequent Poster, joined Dec 2002, Buenos Aires - Munic, 1,169 posts)
Re: Playing with SandBox HIPS

Quote:
Originally Posted by bellgamin
And the winner is --- (Tah-Dah!) BufferZone! Or did I misinterpret the comments here? If BZ did not "win" then am I correct in saying that none of the tested apps did the job?

By the way, why wasn't the redoubtable Prevx included, I wonder?
Neova Guard is also resistant against those tests
__________________
Ciao
Tommy
Member of ASAP

System: Windows XP SP2 | Vaio Laptop
Security Setup: Avira Premium | Jetico 2
#22
September 30th, 2006, 04:28 PM
Ilya Rabinovich (Developer, joined Sep 2005, 1,516 posts)
Re: Playing with SandBox HIPS

Quote:
Originally Posted by aigle
DW-- failed with many: 9, 10, 11, 12, 14, 15, 16 (maybe I missed something)

Just tested DefenseWall 1.70 with APT and SPT. All the tests are passed. 1.70 will be released tomorrow.

To aigle: don't use old versions of DefenseWall for your tests! 1.61 was released two months ago; it's a huge period of time!
#23
September 30th, 2006, 10:42 PM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Quote:
Originally Posted by Ilya Rabinovich
Just tested DefenseWall 1.70 with APT and SPT. All the tests are passed. 1.70 will be released tomorrow.

To aigle: don't use old versions of DefenseWall for your tests! 1.61 was released two months ago; it's a huge period of time!

Wasn't it the latest version when I tested?
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#24
September 30th, 2006, 10:45 PM
aigle (Incredibly Massive Poster, joined Dec 2005, Saudi Arabia/ Pakistan, 10,409 posts)
Re: Playing with SandBox HIPS

Quote:
Originally Posted by bellgamin
By the way, why wasn't the redoubtable Prevx included, I wonder?

Just as I mainly checked sandboxes. I did mention some other software, but they were on my system, so if I found something incidentally, I just posted that as well.
APT and SPT were tested specifically for sandboxes only.
Prevx will come in HIPS.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#25
October 1st, 2006, 04:43 AM
Lucy (Frequent Poster, joined Apr 2006, France, 383 posts)
Re: Playing with SandBox HIPS

Hi,

Quote:
I still haven't found a good driver-based way to prevent GetAsyncKeyState-based keyloggers from doing their job

And nobody did.

Anyway, to echo an old discussion we had once, keyloggers are not really a problem for virtualization / sandbox security tools... as long as the user understands what he is doing.

If you go to your online banking account, I guess you should at least stop all untrusted processes before logging in... The BZ team even advises opening IE or whatever surfer you use outside the virtualized area before going to online banking, so that it is safe from the untrusted zone...

I leave the last word to Uriel from Trustware:
Quote:
By the way, even if we were to prevent applications from logging keystrokes of other applications altogether, what if you run IE with a key-logging ActiveX control? It will still log your keystrokes when you access your bank account... You cannot prevent an application from logging its own keystrokes...
__________________
Scientific Linux!