Playing around with GreenBorder

Got curious about sandboxing tools. So I looked at different ones and found a couple of interesting ones. Since most of the programs are already discussed here I thougth I would start with playing around with GreenBorder.

Sounded like a nice program. So downloaded it and installed it. Boot up was a bit longer and system seems and is slower. So to test it out I got myself the infamous DFK Threat Simulator from morgud.com. So bottom line: GreenBorder failed misserably at first look. The "owned" window came within second, even though I ran the program inside the GreenBorder and by this inside of the Sandbox. The funny thing is actually that KIS that normally always went crazy and detected and block nearly all of DFK, didn detect any of the included trojans this time because they ran inside the Sandbox.

But the really funny thing was that the second I pressed the "Clean & Reset GreenBorder" Button the whole thing was gone and everything was back again. So the whole thing ran but never left the sandbox. So it actually did what its supposed to do. And it also blocked the DFK Keylogger.

So Im actually quite happy with the tool. Makes me wonder though why you read so little about it here. Is it because its payware? Or is it known to be bad and I just missed that. And I actually got one reall question. Does anyone if the Sandbox is automatically reset when you shut down the system.

Cheers

 

I have written about it a lot. I think it is one of the most securest apps out there. I use to have issues with it because it didnt support Firefox so you had to do your Microsoft updates manually in a session that wasnt protected. Now it allows you to choose either browser for protection. I choose Firefox and now XP can update outside the box automatcally. On one machine that I have it own, it has never left anything behind, cookies included.

 

You literally go go with an AV for email scanning, Greenborder and a firewall, and be more secure then some who are running 10 different apps.

 

Thats exactly what is was thinking about. Using KIS atm and im sitting behind a NAT Router. So KIS + Router + GreenBorder should be pretty secure.

Btw if you know the program quite well, is there any way to configure the program more? Like setting the folders that you can move protected files to or the possibility to allow some things inside GreenBorder. My XFire always gets detected as Keylogger (since it has the ability to show if a user is typing), but the program is safe. So I would love to be able to allow it fully and not get blocked by GB.

And does GB support by default any Mail Clients. Tested it with my windows live mail desktop and thats not supported.

 

look for a member here called BillyGreenborder. He is the one to PM and answer all.

 

IMO Greenborder (GB) should have stopped the execution of DFK, that didn't happen and that's why you thought that GB failed at first sight. I wouldn't be happy with this.

 

It's not like FDISR at all.

 

So should you expect from a sandbox then to block something like that or not?
Gonna try it now with Bufferzone just to see how that reacts to morguds

 

GB isolated DFK, so it knows that DFK is something bad, why doesn't GB block DFK's execution.
I find GB's reaction very confusing for users and unlogical and don't forget it confused you too and most probably it would confuse me too.
The final result is of course the same, because DFK was removed by GB.

If all sandboxes act like that, I have many doubts to use it in my frozen snapshot.
I don't need to be "scared" first and then feel relieved and that's what GB did to you and will do to me.

 

Wir Sing,

Greenborder gets less attention, because it is payware and not exactly cheap. When you start to poke around with virtu/sandbox it is natural you go for a 'discovery', e.g: Sandboxie (free), GeSWall (free), BufferZone (free for one ap, but allows adding others, and DefenseWall (30 us$ life time lisence).

Please publish your experience. After trying some (Sandboxie, GeSWall, BufferZone, DefenseWall) we use both BufferZone (son's PC) and DefenseWall (paid on wife's PC). On my laptop I use GeSWall.

Why, using 3 different?
- Son prefers BufferZone, because it is free, easy to use and he claims has better protection than GeSwall from real life drive by threats (DefenseWall was as good, but is paid)
- I installed DefenseWall on wife's PC because it has really seamless protection (once installed it us use and forget) and is faster than BufferZone (below her irritation level).
- I use GeSWall on my laptop, because I like the concept of using policy restrictions of windows (some how, based on nothing, I have the idea it is the best guarantee of compatability with OS).



Still I would like to know something more of both GreenBorder and CoreForce, so please publish your findings.

 

ErikAlbert,

There is a very important point here you are missing.

GreenBorder doesn't "know" that DFK is bad - in fact, it specifically doesn't care. There is no scanning involved at all (signature-based or heuristics-based). GreenBorder simply runs IE/FireFox inside a safe environment and the files you download to the desktop (for example the DFK) get tagged so that when you choose to run them they will also run inside the GreenBorder environment.

We probably all know by now that signature scanning is useless (when it comes to protecting against 0-day attacks, that is) and heuristics scanning is also problematic (because it will always suffer from false negatives as well as false positives). Having that extra layer of protection that doesn't rely on any scanning is a huge benefit in my mind.

Brekmeister.

 

Thanks for the info.
I prefer softwares that
- block the installation of malwares immediately and
- block the execution of malwares immediately, if the malware succeeded to install itself.
That sandboxes allow the execution in a virtual environment is good, but that depends on how strong the virtual environment is.

 

In tests, this was the one rated the best.

http://www.techsupportalert.com/security_virtualization.htm