DefenseWall & SBIE

Discussion in 'other anti-malware software' started by stevan4, Jul 1, 2011.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Zyrtec, did you try to test Sandboxie and DW against key-loggers?
    Because key-loggers are allegedly the one thing Sandboxie is vulnerable to and can't stop (meaning they will be able to connect with the source) unless you terminate them.
     
  2. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    With DW, all files that you download from the Internet are not in a virtual folder or environment [e.g., SandboxIE] whose content you can delete once you close the last program that was running in the sandbox.

    With DW, all your downloaded files are physically sitting on your computer hard drive. The only difference is that they are classified as Untrusted by DW and thus cannot modify or damage your system, but you have to purge them from the hard disk, either by transferring them to another location [e.g., a USB thumb drive] or by deleting them from the hard drive. Also, if the files are malware, run an anti-malware scanner [e.g., MBAM, Hitman Pro, SAS, etc.] or, as a last resort, run the ROLLBACK feature on DW, which Ilya advises against using unless you're an advanced user.

    Hope this helps.
     
  3. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Nope, I haven't, but that will be my next task. As soon as I do that, I will post back with the results for both SBIE and DW.

    Regards.
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Thanks for the info.
    What if I just want to save the videos in my media folder on my computer to play again? Do I just classify them as trusted once I know they are safe? Then they are just regular files again?
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Please, also test if Sandboxie truly fails against this (supposedly SBIE fails against this, but DW passes because it has inbound/outbound firewall and HIPS):

    http://www.4shared.com/file/pov8eLRf/my_test.html

    This is supposed to be some network worm:
    To know more details read here:
    https://www.wilderssecurity.com/showthread.php?t=307208

    Thanks again.
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I don't know what the big idea is; I tried it. I downloaded it, Sandboxie asked me if I wanted to recover it, and I simply closed it. However, what would happen if you recover it (out of the sandbox) and then run it sandboxed again?
    That I didn't try.
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Shouldn't rollback delete all the malware files? I use rollback option all the time.
     
  8. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Well,

    I am not an expert at using DW, just yet. I just purchased a license 10 days ago [thanks to Ilya] for one installation on our main computer at home [the one used mainly by kids and wife b/c they were getting hit by malware even running as restricted users].

    I'm learning how to use it. But I can test both today or tomorrow [SBIE & DW] against keyloggers and come up with results for you.

    I suppose DW's Rollback feature can be used as you do, but Ilya advises newbies against using this feature because important files and registry entries could also end up being removed from your hard disk.

    By the way, could you please edit your posts and de-link the 4Shared URL just in case it is indeed malicious. We don't want other users' computers getting infected. ;)

    Regards
     
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, here is the thing: you surf through websites with Mozilla Firefox or Internet Explorer or Opera... you close them, and everything is terminated in Sandboxie. In DW you need to delete everything that is in the rollback. Nothing happens, no damage to the registry or anything like it. The main problem comes when you try to delete traces of malware in the rollback: would this damage your system by erasing some vital functions in your registry or somewhere else? I never tried this.
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It doesn't matter; nothing happens. When I closed my Firefox, Sandboxie traced over 100 MB of this worm spreading (but inside the sandbox); it asked me whether I wanted to delete it, I clicked yes, and everything was gone/terminated.
     
  11. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    You pointed out the difference very clearly... ;)
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Updates should be done out of the sandbox. If you are using SBIE on default settings, updates done while running sandboxed will be gone when you delete your sandbox. You can change this, if you want, by applying direct file access, but personally I prefer not to do so.

    When it is time to update, disable your forced programs, do the update and, after closing the unsandboxed program, go back to the sandbox. That's the normal procedure.
    You can leave them as untrusted forever if you want or, if you feel certain that they are clean, you can change the status to trusted. It does not matter, they will play the same.

    Keep in mind that if you ever uninstall DW, all untrusted files in your computer will become trusted once DW is uninstalled. This is not a big deal with respect to videos downloaded from Youtube, but if you have some untrusted files that are malicious, your system will not be protected if you execute those files. As mentioned, you can use the rollback function or scanners to get rid of malicious files; just don't leave them in the computer.

    On this matter, the "delete contents" feature in SBIE gives an edge to the sandbox, in my opinion.

    Bo
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    It can happen, that's why Ilya recommends not to mess with it. Personally, I never had to delete any malware using the rollback or a scanner, since I was also running SBIE at the same time. I always deleted my sandbox and my rollback list never got too long, but I did use the rollback function, deleting something and testing it to see how it worked, and I never got into trouble. After a few days or weeks, you know what is supposed to be in there. I got used to seeing it and I would have known if something in there was malicious. I used the rollback function to follow up changes in the computer. It is a nice feature.

    Bo.
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Looks like there is a little misunderstanding of DefenseWall's role in computer security. It's not standalone protection software; it's a part of a multi-layered defense. The main problem of any blacklisting solution is the "infection window", where new malicious files are infecting users' computers but are not yet known as malicious by the AV. DefenseWall closes that gap. Malicious files can be deleted in automatic mode later, when new signatures come up.
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But how do you then explain that DefenseWall, as a standalone product only, beat every test 100% in recent years?
    I still don't see the reason why I shouldn't use DefenseWall as a standalone product only (as I do on one of my 3 computers).
    Also, DW has inbound/outbound firewall.
    Nuff said.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I tested Sandboxie against several malware samples, some of which were key-loggers. Sandboxie, despite a tight configuration, did actually fail against some key-loggers (while DefenseWall didn't). And for some reason I had 2 very nasty backdoor trojans on my computer; they must have been downloaded somehow while I was surfing and had Sandboxie.
    So, for overall security DefenseWall has an advantage over SBIE, at least in my testing. I didn't expect I would be infected, at least not with SBIE.
    Also, regarding the rollback list: I tried this very early this morning. I had a rescue CD just in case, and my USB stick.
    I deleted all of the malware samples in my DefenseWall, and everything was OK. I opened the computer 30 minutes later and nothing was missing, like nothing had happened. So, it seems the rollback function is not that dangerous (well, at least it will not delete vital parts of your hard disk).
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I apologize for the misinformation. The reason why I was infected with backdoor trojans was that I had to update my Nitro PDF Reader; just before that I had scanned my system with MBAM, Kaspersky and Hitman Pro, and they found nothing. It was after I had to disable Sandboxie so I could install Nitro's new version; it was then that I was infected. Regarding key-loggers, I went to some websites and, instead of closing the process, I recovered it to my desktop: the beginner's mistake.
    However, I tested it again with no mistakes, and every key-logger was contained in Sandboxie, and I deleted all of them.
    My sincere apologies.
     
  18. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    @ CoolWebSearch:

    I had promised to test both SBIE & DW against keyloggers for the sake of testing.

    3 keyloggers were used in my test against both SBIE & DW.
    Well, SBIE at default configuration, with no tweaking at all to bump its security, failed on my tests. However, I repeated the test, but this time I tweaked SBIE so it wouldn't allow Internet access or hardware access, and I manipulated the resource access settings to make it hard for the keyloggers to do their deeds, and SBIE passed with flying colors.

    Tested DW firewall against the same keyloggers and it passed at default settings.

    So, bottom line: both applications can handle keyloggers, but my advice based on what I saw would be to harden the SBIE configuration, as it would fail if left just at default settings.
    DW fw, the way it is configured out of the box, would pass these tests without a problem.

    Although, I have to emphasize, I only used three keyloggers for my test. I know there might be dozens and dozens of those applications out there, but I cannot tell how SBIE and DW fw would handle those since I do not have those samples.

    Regards,

    P.S.: I'd like to test AppGuard against those keyloggers too and see how it performs.
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks for testing ;)
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks for these results.
    Can you help me with the configuration: what and how did you configure SBIE to pass these tests?
    I don't want to block Internet access and the system from myself.
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Zyrtec, if you want to test more malware samples and exploits against DW and SBIE and AppGuard, I recommend you:
    ~ Removed Link to Malware List Site as per Policy ~

    You can write any malware type in the search section to test against DW and SBIE and AppGuard.
    ~ Removed Link to Malware List Site as per Policy ~

    These are keyloggers, but you can write any malware form in the search section you want to test.
    But, please be careful.
    Cheers.
     
    Last edited by a moderator: Nov 29, 2011
  22. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    @ jmonge,

    sure buddy, my pleasure. I do tests every now and then to see how some security applications perform against security threats. I do have a 5-year-old DELL Dimension 4600 at home running Win XP Pro SP-3 with 2 GB RAM and a P4 2.8GHz, and I only use it to test new software and malware.

    @CoolWebSearch,

    The way I had to configure SBIE to pass against those three keyloggers was by [a] denying Internet access to those shady applications, [b] not allowing under any circumstances low-level access to kernel drivers or windows hooks, [c] not allowing access to the keyboard and also not allowing hardware device configuration, [d] restricting COM access, [e] restricting registry access.

    I know it sounds like a very locked-down configuration, but I knew beforehand what kind of software I was going to test, so I took measures to minimize the impact once I ran those keyloggers.

    By the way [very important]: This may work if the keyloggers are NOT ALREADY running on your PC when you set up your SBIE settings.
    If they were already running on your PC, well, I honestly cannot guarantee you would succeed in setting up SBIE to stop them once the damage is done.

    I hope this helps.
     
    Last edited: Nov 29, 2011
  23. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    @CoolWebSearch,

    Thanks for the sites. I know about MDL, Malc0de and Clean-MX. Those are the sites where I retrieve the samples I use for testing.

    By the way, I do not EVER test those shady downloads on my main PC [my wife would slap me if I did ;)]. That's why I have the old DELL Dimension PC I told you about [a spare PC where I do not store anything, no important software, no passwords, nothing, just a bare-bones OS, Win XP Pro SP-3].

    I will see if I can test AppGuard later today and can come up with results.

    P.S.: This site has a tab named "Public Block Lists" with links to the sites you mentioned:

    ---http://www.selectrealsecurity.com/---

    ~ Comments Removed ~

    Thanks.
     
    Last edited by a moderator: Nov 29, 2011
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I realized too late that I must not post any of those links.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi Ilya, your quote of what I was saying was not complete. You left the last sentence out. Please read it.
    and that's why I also said.
    Bo
     