SafeSpace- my impressions

[aigle]

I have tried SafeSpace briefly. Overall seems good and it,s free so far.

It need .NetFramework2 to install. ( I think it,s included in Vista by default?, if so the no rpoblems for Vista users). I have mainly relied on snapshots. To me it looked very similar to BufferZone( BZ), but has almost no performance issues than BZ.

Use with EQS, CFP( FW mode only) and ShadowSurfer without issues.

Install went without problems, was smooth. It needed a reboot. Tray icon is nice and so is the GUI. I realy liked it.

[aigle]

It runs multiple pocesses that use quite a bit of memory but overall it,s acceptable.

Did not notice any slow down in system but launch of application inside SS was a bit delayed( slower than GW, DW, SBIE - almost same like BZ).

[aigle]

Here are main features of GUI.

[aigle]

Tested some nasty malware/ POCs( i will not write the details what these malware do as it has been known to many during discussions over here and i am soooo lazy to write)

Prueba malware- Pass
AKLT- all Pass
File infector malware( blackday trojan)- Pass
SDTRestore( physical memory access)- Pass
SohandIM worm- Pass
XP Killer trojan- Pass
SSDT Unhoker rootkit( EZ) - Pass
RegTest- not sure, it crashed explorer and f i launched explorer again, it recrashed but sustem was no rebooted.
Bontok worm pass
Worm Autoit- Pass
Autostart reg enteries manipulation via Autoruns- Pass
System Shut Down Simulator- Pass
BZ Trojan test- Failed( test is buggy though so I can,t be sure).

[aigle]

Bugs/ Problems:

Unable to attach trusted file via Opera and IE in Hotmail
Unable to upload trusted file to rapidshare and even over here at wilders, very irritating
High CPU usage by isolated aplication when it tries to creat a file in a protected directory( see pic)
I was nable to zip/ unzip an untrusted file via 7-zip

[aigle]

Needed features/ improvements

Decrease in the delay of isolated application,s launch time
A file explorer for created isolated files for recovery of needed files or analysis
Ability to purge the registry only but not the files on session closure
Separate manual purge option for registry and files
Ability to kill isolated processes individually( selectively) via main console
Optional notifications on high risks events like hook based keylogging, driver/ servic install, creation of execuatble/ rgistries in protected direstories( windows start up, System32 folder etc)
Option to totally lock down system 32 folder for isolated aplications( read-only)- not sure f it,a alreday there by default
Option to iolate CD rooms, USB and Floppy drives
Network access control( default deny without popup) for isolated aplication except allowed for executables that need it like browsers, messengers etc but not their child procsses unless specified by aplication rules or globally in the main GUI

[tradetime]

Nice review thanx.

[aigle]

More testing needed; anyone with VM pls( I have none)!

KillDisk
MBR Rootkit
Clean MBR tool
PassDiskProtect_C- sandbox/virtulization bypass under ring3
Most recent Cutwail/Bulknet malware
Bypass.dll
A BIOS rootkit may be ....

[aigle]

It does has issues. During last 15 min of Wilder,s browsing via Opera in SafeSpace. I posted, uloaded pic, did search, serch in page, browsed in multiple tabs etc- all over here at Wilders. It,s not smooth. I get hangs down especially on USB mouse scrooling an serch in page while page loading etc.

Not good feeling. Needs work!

[Matern]

Yes, FlashPlayer Webstream and other Media Players are a little bit hooking, too, high CPU spikes, but it works, I use it.
Maybe next Version will be pefecter with purging Regkeys, because its a little bit fragmentation my Harddrive and my Defrag can't fix it, only after Reboot.

[mrfargoreed]

Hey aigle

I've been using SafeSpace for a few months now and I love it. It does have a few issues, as you say. I find that it does, sometimes, slow down the initial startup of Firefox, and sometimes Firefox just doesn't even start at all.

I don't have the hanging whilst browsing that you have experienced (although I rarely use Opera). I have also experienced the slight slowdown of applications opened inside SafeSpace, but it's bearable to me.

Thanks you for the tests that you have done - I think SafeSpace could become a great application. They also show that it does a pretty decent job of isolating threats ran inside SafeSpace.

I now use it instead of SandboxIE myself. I find it easier to configure than SandboxIE, too. There are some helpful threads on the official forum that could be worth a read for anyone starting to use this excellent app.

[Drew99GT]

Thanks for the review aigle!

Have you tested Sandboxie in a similar fashion against real malware, especially any keyloggers? How does SafeSpace compare to Sandboxie in terms of keylogger protection?

[Xenophobe]

Quote:

Originally Posted by Drew99GT

Thanks for the review aigle!

Have you tested Sandboxie in a similar fashion against real malware, especially any keyloggers? How does SafeSpace compare to Sandboxie in terms of keylogger protection?

Sandboxie doesn't have keylogger detection I believe, but they do get removed once you clear the sandbox.

[aigle]

Quote:

Originally Posted by Drew99GT

Thanks for the review aigle!

Have you tested Sandboxie in a similar fashion against real malware, especially any keyloggers? How does SafeSpace compare to Sandboxie in terms of keylogger protection?

Yes, there is an old thread of mine with all major sandboxes if I don,t forget.
SBIE is not good againt stopping the keyloggers, it,s only major drawback!

[aigle]

Regarding the CPU spikes and hanging issues, I think they are significant enough for me and I can,t use it ATM for daily browsing, atleast with Opera!

I am using GW, very smooth indeed. Can,t say about SBIE and DW. Initial slow launch of applications is also an issue. I am too touchy in this regard. DW, GW, SBIE are very very good in this regard.

[demoneye]

there is nothing to compare this safespace junk to SANBOXIE.

sanboxie is is more advence... flexable stable ...etc....

wize ppl choos sandboxie among all other

cheers

[Matern]

Sandboxie as freeware is nagware and you have a lot of more features with SafeSpace as freeware.
Playing a little with some Media Players.
GomPlayer was very slow at loading in SafeSpace, now I'm using MediaPlayerClassic. It runs very fast with only a little Start delay. I think its the better way to play with some apps, to find the best konfiguration.

[Trespasser]

Nice review, aigle. Your usual excellent job.

The only fault I have with SafeSpace is its inability to allow full access to individual items within a folder instead of the whole folder. As far as the lag of sandboxed browsers opening...well, sometimes Sandboxie is real slow opening up a browser as well (at least in Vista).

[trjam]

SafeSpace is going to continue to evolve. But in the meantime SD works very well.

[LUSHER]

I like safespace a lot, though I initially had problems understanding the system because I was locked in the sandboxie view of things...

The main problem so far I think is that it is still occasionally very heavy on resources, though this has improved a lot since the earliest release.

[Tadoussac]

Tresspasser said:

Quote:

The only fault I have with SafeSpace is its inability to allow full access to individual items within a folder instead of the whole folder

I agree that this is a flaw.

Also, on my system apps run inside SafeSpace were really slow and unresponsive. I think it's an attractive product; and I plan to try it again once they've ironed out some issues.

[Rasheed187]

Nice job Aigle, I can only say that at the moment this app is not really an option for me, I´m sure that it does a good job in protecting apps, but look at all those (slowdown) problems. Plus it needs 10 seconds for the GUI to load, this is ridiculous. Strangely enough I found it to be faster than Sandboxie when it came to launching apps sandboxed.

[twofiftyfive]

Hi,

Thanks to everyone for the feedback on SafeSpace, especially aigle for such a detailed review and we have noted the feature requests.

All comments regarding SafeSpace are appreciated, as they ensure that we continue to improve the software.

I'd like to respond to a few of the comments made:

• Each system is unique and occasionally there are issues with performance with individual applications. With each release we attempt to improve the overall performance and all reported problems with performance are investigated thoroughly, and so we will be looking into the issues raised here. Most of our testing for web browsers is focused on Internet Explorer and Firefox, so we will look to carry out more detailed testing with Opera, in light of this post. We will also investigate the high CPU usage when saving a file to the windows directory.
• With regard to the console, the original design decision to use .NET was to allow us to rapidly develop an attractive and feature-rich user interface. As .NET is an integral part of Windows Vista, it will become the standard for UI development in the future. From the feedback, I think we have achieved this goal, but we also appreciate the concerns. We acknowledge the memory footprint of the console is not small, but it’s comparable with other feature-rich UIs, and .NET uses a garbage collector to reclaim memory, as and when required by the operating system. The isolation engine does not use .Net, and therefore has a small footprint.
• The problem with being unable to attach a trusted file is due to the privacy setting of the Desktop, which by default is ‘No Access’, to ensure that your private files can’t be read by spyware. This also prevents an application running inside SafeSpace, such as Opera, from accessing your private data. To upload files to an application running inside SafeSpace, you must either tag the file from the shell menu or have the folder protection level set to at least ‘Read Only’.
• Attempting to run untrusted (tagged) applications from a native application (running outside SafeSpace) will be blocked, as this is part of SafeSpace's protection. We have provided a shell extension to allow the user to open/run an untrusted file from explorer by simply double clicking it or using the shell context menu.
• The feature request to allow full access to files, is something that is available in the underlying engine, but we initially decided not to expose this feature in the User Interface. However since we have added the ‘Manage Exclusions’ advanced feature to the console, there is now a mechanism to allow you to do this. We will be posting a Knowledge Base article on the SafeSpace Forum in the very near future.
• The protection level for the Windows folder and it's subfolders, including system32, is by default set to ‘Virtual’, which means that isolated applications can’t modify the OS system files. All modifications (creating new files, overwriting files, renaming files, deleting files etc) are virtualized and will be wiped clean when SafeSpace is purged.
• For information, the two WAVEHOST.EXE processes are virtual services for RPCSS and DCOM, and are created on demand when the first application launches inside SafeSpace. They remain running, as the SafeSpace environment remains live until you purge, either manually or by logging off.

And finally SafeSpace is always going to be free for personal use, so we hope you will continue to use it and we appreciate and encourage all constructive feedback.

Regards,

John
Artificial Dynamics

[Matern]

Quote:

Originally Posted by twofiftyfive

Hi,

Thanks to everyone for the feedback on SafeSpace, especially aigle for such a detailed review and we have noted the feature requests.

All comments regarding SafeSpace are appreciated, as they ensure that we continue to improve the software.

I'd like to respond to a few of the comments made:

• Each system is unique and occasionally there are issues with performance with individual applications. With each release we attempt to improve the overall performance and all reported problems with performance are investigated thoroughly, and so we will be looking into the issues raised here. Most of our testing for web browsers is focused on Internet Explorer and Firefox, so we will look to carry out more detailed testing with Opera, in light of this post. We will also investigate the high CPU usage when saving a file to the windows directory.
• With regard to the console, the original design decision to use .NET was to allow us to rapidly develop an attractive and feature-rich user interface. As .NET is an integral part of Windows Vista, it will become the standard for UI development in the future. From the feedback, I think we have achieved this goal, but we also appreciate the concerns. We acknowledge the memory footprint of the console is not small, but it’s comparable with other feature-rich UIs, and .NET uses a garbage collector to reclaim memory, as and when required by the operating system. The isolation engine does not use .Net, and therefore has a small footprint.
• The problem with being unable to attach a trusted file is due to the privacy setting of the Desktop, which by default is ‘No Access’, to ensure that your private files can’t be read by spyware. This also prevents an application running inside SafeSpace, such as Opera, from accessing your private data. To upload files to an application running inside SafeSpace, you must either tag the file from the shell menu or have the folder protection level set to at least ‘Read Only’.
• Attempting to run untrusted (tagged) applications from a native application (running outside SafeSpace) will be blocked, as this is part of SafeSpace's protection. We have provided a shell extension to allow the user to open/run an untrusted file from explorer by simply double clicking it or using the shell context menu.
• The feature request to allow full access to files, is something that is available in the underlying engine, but we initially decided not to expose this feature in the User Interface. However since we have added the ‘Manage Exclusions’ advanced feature to the console, there is now a mechanism to allow you to do this. We will be posting a Knowledge Base article on the SafeSpace Forum in the very near future.
• The protection level for the Windows folder and it's subfolders, including system32, is by default set to ‘Virtual’, which means that isolated applications can’t modify the OS system files. All modifications (creating new files, overwriting files, renaming files, deleting files etc) are virtualized and will be wiped clean when SafeSpace is purged.
• For information, the two WAVEHOST.EXE processes are virtual services for RPCSS and DCOM, and are created on demand when the first application launches inside SafeSpace. They remain running, as the SafeSpace environment remains live until you purge, either manually or by logging off.

And finally SafeSpace is always going to be free for personal use, so we hope you will continue to use it and we appreciate and encourage all constructive feedback.

Regards,

John
Artificial Dynamics

Thank you for more testing Opera in the future !
The scolling of big Web-Pages is one thing you could be make better, but please have a look at the Flashplayer Plugin, its not running perfect. The Videos have a "flicker" every 5 seconds.

[Kees1958]

Aigle

Impressive impression. What I also like is the readiness of the developers to assist you with setup questions (there is a setting possible which nearly is as easy to use as GeSwall and DefenseWall), their open mind to improvement suggestions and the flexibility of the engine.

It looks like SafeSpace is going to develop into a virtualisation tool which
a) offers application based virtualisation (normal operations mode, the SandBoxIE like operation)
b) offers a full/partition virtualisation (the strong protection setting, like PowerShadow)
c) offers a GW/DW like protection by virtualisation of the most critical OS files (the light setting)

With such improvements since first release and flexibility of the engine, it will deserve the choice/preference of more Wilders Members