Questions about files that are virtualized

I am trying to understand or make sure I understand so I will use Geswall for the example. Sandboxie is easy to understand because once it is closed, it flushes to the toilet. With a product like Geswall my OS in protected, but if malware attaches itself to any files tha are virtualized, when does, it get flushed. Or does it reside their for good.

If it does, does it just continue to build up over time.
or does it disapperar on reboot, sort of like ShadowDefender.

thanks

 

Dear Trjam,

Sandboxie and Safe Space are virtualisation sandboxes, they apply a policy limitation (sandbox) AND have a seperate file system (virtualisation). GesWall is partly visualisation sandbox (the redirect option) and mainly policy sandbox. DefenseWall ia a pure policy sandbox (or HIPS as Ilya prefers to call it).

The advantage of GeSWall and DefenseWall is that they integrate their security seamlessly with the file system. Meaning a file gets an untrusted tag. This tag leashes them (or better chains them) to an improved limited user environment. So you do not have to worry whether it is in or out of the sandbox, you are ALWAYS protected.

Difference between DW and GW is that DW applies a simple deny or allow (and only asks for user permission when assessing protected resources), GW has some more options (depending on choice leading to automated containment or pop-ups).

GW also has a redirect option (meaning a virtualisation of protected resources), which allows access of protected resources but virtualises the changes (while DW only knows a deny or allow). This set of changes (e.g. registry) is thrown away after untrusted process executon has finished. This redirect option makes it easier for users to solve incompatibility problems themselves (which is an advantage of GW as is the application wizard of GW which builds rules automatically)

Basically the toilet should never be flushed with DW or GW.

DW has a roll back option in which you can manually flush the toilet. This is only for power user intended. Normal users should not have to use or know about this feature, because DW has total untrusted file protection.

This total untrusted file protection is the competitive advantage of DW over GW. GW will change a file's status from untrusted to trusted when you move it from disk partition to another. GW wil also change the status from untrusted to trusted when an untrusted file is modified by a trusted application. For instance when you install 7-zip in a different folder than the default folder, GW will not recognise 7-zip and untrusted zipped files will change to trusted zipped content. DW has a much smarter way of recognising build in programs.


By the way I am using GW Pro now, so when used with care this disadvantage of GW is not a big deal in daily practise. Only in the hands of security noob I would advise DW over GW (as a matter of fact my mom of 75 is able to use DW, because the application is so easy to use).

Hope this helps

 

thanks Kees, now I understand.

 

Yep, GW stopped them all also and DefenseWall stopped 'only' the important ones. It is a strengthened limited user environment. See edgeguard solo same principle, so user based restriction should not be taken to literately.

On the other hand when Comodo's HIPS and leaktest set was launched, DW stopped them all cold, while SBIE missed one.

This user limitation / outside sandbox problem is not related to the architecture of the program, but with the quality it is made. Bufferzone for instance is vulnarable for key loggers being able to grasp data inside the sandbox, while SBIE slaps all of them on the fingers.

Greenborder and Bufferzone belong to the same category as Sandboxie and SafeSpace, SBIE is just clearly the best in its category, while DW and GW comparison is a complex one

 

Sorry, but you are definitely wrong here. DefenseWall do protect important files against its modification by untrusted processes unless they are into the "Defense Excludes" list.

 

yeap i was thinking about it too and the separation of trusted and untrusted is the main idea here nothing untrusted can hurt or modify the system(trusted) every thing that is untrusted is black listed and separated and can not do any harm to the pc.i like this aproach better than the pure sandbox,cause if by accident let a file outside the sandbox can easily harm the real system and the policy base sandbox restrict the action or damage that can be done by untrusted process.some thing like that

 

GW n DW are a bit hybrid. The virtualized files are flushed automatically as soon as they are closed( gone from memory). The isolated files remain there unless they are deleted manually or via GW/ DW console. In nay case they can,t damage the system as they are isolated.

 

As I intended to say, it is simular, but not the same (because stronger and enforced using different means,

 

yeahhhhhhhh i knew it