Sandbox vs HIPS

Discussion in 'other anti-malware software' started by TVH, Jan 16, 2008.

Thread Status:
Not open for further replies.
  1. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    I currently have Prosecurity Free and SandboxIE paid. Are they both as effective at preventing malware?

    I find sandboxIE easier to use, but does Prosecurity provide better protection?
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Sandboxie would be my first choice of any software period. :)
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yeah, I have read in these forums before that there is malware that behavior blockers miss but Sandboxie contains.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AFAIK, Sandboxie isolates in a sandbox each object that is downloaded by me or something else via Firefox + NoScript.
    As long as I don't do anything with these isolated objects, they will be removed by Sandboxie manually or automatically.
    If I LOCK my data partition/folders, these isolated objects can't read, write or steal my data.
    All this without doing anything other than a one-time configuration of Sandboxie.
    Except for installation files of legitimate software, why would I recover and click on any other object in the sandbox?
    It's not even my habit to click on objects in my system partition; there is no reason for me to do this, because I start all my applications via icons on my desktop, and lots of malware need some kind of trigger first in order to do their evil job.

    On top of that, I use Anti-Executable (HIPS) to terminate any unauthorized executable in my system partition immediately. Anti-Executable also requires a one-time configuration, and that's it.

    Last but not least, my system partition is frozen to make sure that any change is removed, in case SB or AE or my firewall + router failed to do their job. I only need SB and AE to stop the execution of malware, because a frozen system partition doesn't do that.

    My personal goal was not to waste any time on malware anymore, because I learned in malware forums how much time less-knowledgeable users spend on malware and repairing their system partition: one hour, several hours, one day or even several days.
    But most members seem to have another goal: play with any kind of security software, even when they don't need it.

    The only security software I'm still considering is script blockers and behavior blockers, and I still have a big problem: NEW objects. But every user has that problem. :)
     
    Last edited: Jan 16, 2008
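
    The isolation described in this post (sandboxed writes never reach the real system, reads fall through, locked folders are off limits, emptying the sandbox discards everything) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not Sandboxie's or Anti-Executable's own code: a real sandbox does this with a kernel driver over the filesystem and registry, whereas here the "host" is an in-memory dict, the paths and the "dropper" are constructed, and the `Sandbox` class and its methods are hypothetical names chosen for the example.

```python
"""Toy model of copy-on-write sandbox isolation (added example, not Sandboxie's code).

Rules modelled, matching the post's description:
  * writes by sandboxed code go to a private container, never to the host tree
  * reads fall through to the host tree when the container has no copy
  * paths the user has locked raise AccessDenied for sandboxed code
  * emptying the container throws every sandboxed change away
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Sandboxed code tried to touch a locked path."""


@dataclass
class Sandbox:
    host: dict                                  # constructed stand-in for the real filesystem
    locked: set = field(default_factory=set)    # path prefixes sandboxed code may not touch
    container: dict = field(default_factory=dict)   # the sandbox's private copy-on-write layer
    deleted: set = field(default_factory=set)   # host files the sandboxed view has "deleted"

    def _check(self, path: str) -> None:
        if any(path.startswith(prefix) for prefix in self.locked):
            raise AccessDenied(path)

    def read(self, path: str) -> bytes:
        self._check(path)
        if path in self.deleted:
            raise FileNotFoundError(path)
        if path in self.container:          # sandbox has its own copy: serve that
            return self.container[path]
        return self.host[path]              # otherwise fall through to the host

    def write(self, path: str, data: bytes) -> None:
        self._check(path)
        self.deleted.discard(path)
        self.container[path] = data         # host dict is never modified

    def delete(self, path: str) -> None:
        self._check(path)
        self.container.pop(path, None)
        self.deleted.add(path)              # hidden from the sandboxed view only

    def empty(self) -> None:
        """Discard every change the sandboxed programs made."""
        self.container.clear()
        self.deleted.clear()


def simulate_dropper() -> dict:
    """Run a constructed 'dropper' inside the sandbox and report what it really achieved."""
    host = {
        r"C:\Windows\System32\kernel32.dll": b"host kernel32",
        r"D:\Data\accounts.xls": b"my data",
    }
    sb = Sandbox(host=host, locked={r"D:\Data"})

    sb.write(r"C:\Windows\System32\evil.dll", b"payload")        # dropper thinks it installed
    sb.write(r"C:\Windows\System32\kernel32.dll", b"patched")    # and patched a system file
    try:
        stolen = sb.read(r"D:\Data\accounts.xls")               # locked folder: denied
    except AccessDenied:
        stolen = None
    dropper_view = sb.read(r"C:\Windows\System32\kernel32.dll")  # b"patched" inside the box

    sb.empty()                                                   # user empties the sandbox
    return {
        "dropper_saw": dropper_view,
        "host_kernel32": host[r"C:\Windows\System32\kernel32.dll"],
        "evil_on_host": r"C:\Windows\System32\evil.dll" in host,
        "stolen": stolen,
        "after_empty": sb.read(r"C:\Windows\System32\kernel32.dll"),
    }


if __name__ == "__main__":
    for key, value in simulate_dropper().items():
        print(f"{key}: {value!r}")
```

    Note what the model does not do: it never decides whether the dropper is good or bad. That is the difference from a behavior blocker or anti-executable. The sandbox lets the object run and simply makes its effects disposable, which is why the post pairs it with Anti-Executable for the case where something is recovered out of the sandbox and run for real.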
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Behav. blockers will always miss malware, because of their blacklist nature. This said, they're orders of magnitude more effective against malware than AVs. The approach of behav. blockers is the same as the approach of AVs: only alert you of real malware and don't bother configuring. Sandboxes are a bit stronger, but they require more input from you.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In that case I don't need behavior blockers; it's against my principle of not using any blacklist security software. One worry less. :)
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    What sort of malware has been getting through? Do you know how your machine is becoming contaminated?
     
  8. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    Nothing has really been getting through, mainly due to the vast amount of AVs and antispyware I used to use. I've decided enough is enough and am cutting back. That's why I was wondering which would be the better option to run, and I have now decided to run both.

    My PC with my new setup in XP SP2 takes just under 30 secs to start after the welcome screen.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That question I asked myself once, and the answer is simple: I don't know and I will never know, because I don't see any difference between good and bad objects; they all look the same to me.
    The only way for me to see I'm infected is when malware uses special visual effects, like a black screen when I reboot my computer and can't get to Windows. :)
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    I thought behavior blockers (AntiBot/PRSC/TF) did just that: monitored software that's running/active for certain types of behaviour, not blacklisting. But I could very well be wrong here.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Behav. blockers do blacklisting, because they enforce a default-permit policy until they detect malicious behaviour.
    AVs do blacklisting, but with a weaker technology (file scanning through signatures, heuristics and emulation).
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Looking at PRSC, which is a BB, I don't see blacklisting anywhere here.

    [screenshot attachment: 2008-01-16_191443.png]

    What am I missing here?
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Behavior blocking plus blacklisting (antivirus module or built-in blacklists)

    * Cyberhawk (now ThreatFire) Liteware (built-in lists used for specific identification, also includes optional AV module)
    * DriveSentry - Liteware (built-in lists)
    * Online Armor - Liteware (built-in lists, also includes optional AV module)
    * Prevx Community protection Liteware (built-in lists)
    * Safe n Sec (includes optional AV module)


    Smart expert-based behavior blocking

    * Primary Response SafeConnect & Norton AntiBot
    * ThreatFire - Free version
    * Micropoint Proactive Defense - English version is free?
    * Mamutu
    * DriveSentry - Liteware
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Thanks trjam. :thumb:
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I have to admit I really like AntiBot. The one option it has over TF is that you can set it to make the choice for you without the popup.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Blacklisting = enumeration of badness.
    AVs enumerate badness by signatures/heuristics, behav. blockers enumerate badness by behaviours.
    "intelligently analyzing a combination of known bad behaviours to determine if a program is malicious"
    Do you see it now?
    Do some thinking about what sandboxes do, what classical HIPS do and what whitelist HIPS do and you'll see the differences.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are just playing with words. This way every application, even the classical HIPS, is a blacklister. After all, every HIPS has a set of filters that it watches and intercepts. No HIPS can intercept each and every movement on the OS.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    True, that's why HIPS are regularly updated to cope with the latest leak test/PoC. However:
    - Classical HIPS don't make decisions on their own; you make the decisions.
    - They are first and foremost anti-executables (secondarily you have interprocess communication, file defence, registry defence, etc.), which stops 100% of ITW malware.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So by your definition HIPS are also blacklisters.
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Sorry but I just do not agree with you on this.
    True behavior blocking is not blacklisting IMO.
    Maybe you should think about it some more.
     
  21. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    I think you can add that behavior blockers work on rules, which are variables that must be part of some type of list, whether created dynamically or part of a database of functions (i.e. good or bad); they are still using lists...
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Instead of blacklisting code, behavior blockers blacklist actions.
     
  23. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I have to agree with loneWolf here:
    Blacklisting is simply labeling a checksum as hostile, giving it a name and linking it to some other database, such as perhaps a disinfection methodology for a specific Trojan, for example.

    I wrote a small explanation on both in another post here:
    https://www.wilderssecurity.com/showpost.php?p=1162450&postcount=27
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Wrong. Blacklisting has nothing to do with giving names and cleaning. It's just a process of identifying a string of code as bad; end of story. Whether you want to give that code string a name or write a cleaning routine for it is irrelevant.

    Same goes for behavior blocking. Only difference is that you're blacklisting actions, instead of code.
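
    The distinction argued over in posts 16 through 24 (blacklisting code vs blacklisting actions vs whitelisting executables) is easier to see with the same samples run through all three policies. The block below is an added example written for this page; it is not the rules of any product named in the thread. The four samples, their hashes, their action lists and the three rule sets are all constructed, and the function names are the author's own.

```python
"""Added example: three defence styles over the same constructed samples.

  * signature scanner  - blacklist of file hashes   (enumerates bad code)
  * behaviour blocker  - blacklist of action patterns (enumerates bad actions),
                         default permit until a pattern matches
  * anti-executable    - whitelist of file hashes, default deny (enumerates good)
"""
import hashlib


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed samples: (file bytes, actions the program would take when run).
TROJAN_ACTIONS = [
    r"write:C:\Windows\System32\svchelper.dll",
    r"reg:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchelper",
    "net:connect 203.0.113.5:80",
]
SAMPLES = {
    "known_trojan":     (b"TROJAN-v1",      TROJAN_ACTIONS),
    "repacked_trojan":  (b"TROJAN-v1-upx",  TROJAN_ACTIONS),     # same behaviour, new bytes
    "novel_stealer":    (b"NEW-STEALER",    [r"read:C:\Users\me\Documents\accounts.xls",
                                             "net:connect 203.0.113.5:443"]),
    "vendor_installer": (b"VENDOR-SETUP",   [r"write:C:\Program Files\Vendor\app.exe",
                                             r"reg:HKLM\Software\Vendor"]),
}

# Constructed rule sets. In reality these are what the vendor ships and updates.
SIGNATURE_BLACKLIST = {sha256(b"TROJAN-v1")}
BEHAVIOUR_BLACKLIST = [
    # drop a DLL into System32 AND register an autorun entry
    {r"write:C:\Windows\System32", r"reg:HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    # write into another process's memory
    {"inject:"},
]
EXECUTION_WHITELIST = {sha256(b"VENDOR-SETUP")}    # what the user approved once


def signature_scan(blob: bytes) -> str:
    """Blacklist of code: block only bytes already known to be bad."""
    return "block" if sha256(blob) in SIGNATURE_BLACKLIST else "allow"


def behaviour_block(actions: list) -> str:
    """Blacklist of actions: the program runs until every part of a rule has been seen."""
    for rule in BEHAVIOUR_BLACKLIST:
        if all(any(act.startswith(prefix) for act in actions) for prefix in rule):
            return "block"
    return "allow"


def anti_executable(blob: bytes) -> str:
    """Whitelist: anything not explicitly approved does not run at all."""
    return "allow" if sha256(blob) in EXECUTION_WHITELIST else "block"


def verdicts(name: str) -> dict:
    blob, actions = SAMPLES[name]
    return {
        "signature": signature_scan(blob),
        "behaviour": behaviour_block(actions),
        "anti_exe": anti_executable(blob),
    }


def run_all() -> dict:
    return {name: verdicts(name) for name in SAMPLES}


if __name__ == "__main__":
    for name, v in run_all().items():
        print(f"{name:17s} signature={v['signature']:5s} "
              f"behaviour={v['behaviour']:5s} anti_exe={v['anti_exe']}")
```

    Reading the output: the repacked trojan defeats the hash blacklist but not the behaviour blacklist, because only the bytes changed; the stealer whose actions match no rule passes both blacklists, which is the "will always miss malware" point; the anti-executable stops it without knowing anything about it, at the price of also stopping every new legitimate object until the user approves it, which is the "NEW objects" problem raised earlier in the thread.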
     
  25. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Of course you are right as for the behavior algorithms themselves:

    Read my "other" explanation. We could get lost in semantics here forever...
    I wrote a small explanation on both in another post here:
    https://www.wilderssecurity.com/showpost.php?p=1162450&postcount=27
     
    Last edited: Jan 17, 2008