Sandboxing/HIPS

I'm not convinced yet these are the best way for 100% prevention of malware...

Any comments on all 6 pages of this test of specifically DefenseWall (Which is Virtualization/HIPS or something of the sort... I'm not sure lol) which might achieve the same results as other Virtualization technologies.

http://security.over-blog.com/0-categorie-566881.html

 

My comments are that the tests are 9 months old and Defensewall has improved quite a bit since then.

And if you want go back further when those 200 or so variants of that zero attack hit in JAN 2006 Defensewall protected better than any AV.

IMHO Defensewall will offer better protection than any blacklist scanner whilst using less resources with the install being small compared to most AV's.

 

Yes, DefenseWall have been significantly improved against screen capturing,trusted process termination, keyboard/mouse input emulation, shatter attacks and keylogging. And its improvement never stops- bugfix and compatibility are the first-queue targets.

 

Hi Btman,

I favour policy restriction sandboxes, because they are seamless, unlike file virtualisation sandboxes (you have to move around with files downloaded to NOT delete them).

At home we use two different applications

Wife's PC: DefenseWall - it is simple, quite (no pop-up) and strong. Remember you have to check whether your chat, e-mail, browser, etc applications are listed in the untrusted aps. You can also harden your defense by adding your uncompresss program as untrusted (normal windows zip is covered by default).

Son's PC: GeSWall Pro - it has more configuration options, but asks what to do when one of the pre-defined programs is started, also proved to be very protective. You can configure the aps yourself or ask for a 'new application". Response is quick (about 2 to 3 days).

A free file virtualisation program you might try is PowerShadow, you can virtualize your OS-partition and leave your data partition untouched. After re-boot your OS-partition is reset. When you need extra protection you just go into single shadow mode. Also a very effective program without the downside of accidental (downloaded) file removal of your Data partition.

Offcourse some like File virtualisation sandboxes, due to the fact that they clear all changes and files when a 'contained treath gate session' is removed. SandboxIE is popular on this forum.

Regards K

 

I have used DefenseWall for a year. It has been updated and improved very often. The support has been great. I feel that it is the best protection for 0 day baddies. It is great because you can turn on or off the protection without re-booting.

 

Yes, SandboxIE is popular. Not only for what is said above, but also there aren't problems with some uncompress program not being supported (as in being run unsandboxed...).

My uneducated hint is that policy based are more problematic to develop, because all sorts of programs rise and evolve, and these have to be supported. It seems more tricky to keep up. SandboxIE should get them all as is. It intercepts everything coming from the isolated program, and redirects it to the sandbox, where the limited rights are enforced. It seems a more generalistic approach, and yes, i can clean everything from a session (CCleaner, wait a month or so ok?).

Ilya Rabinovich, i expect you to correct me or complete what i said.

 

Pedro,

Ilya will problably correct you. DefenseWall does not need program specific settings like GeSWall. Just mark it as untrusted that is all.

 

Ok, thanks. But you still have to mark programs as untrusted. With SandboxIE you just run whatever you want untrusted, and everything else that is derived from that is untrusted/isolated/sandboxed too. Or it should be, unless some bug arises.

 

Same with DW.

Same with DW.

Right and wrong same time. There are not a big number of well-known threat-gate programs to write rules for them or use general-used ruleset ("plugin injection protection", for example).

1. Not to sandbox, but to virtualization container. Lets do not mix sandboxing and virtualization.

2. Yes, it is more generalisttic in approach, and, thus, have their pros and cons.

In fact, there is a balance between simplicity in everyday use and security strength. SBIE is balanced for (theoritically) more file system defense by the price of simplicity. DW is balanced for simplicity, thus, theoretically, it have less file system defense settings (at leats, for now, later on I'm going to improve this situation). But practically, under ITW malware, both of the sandboxes are the same defense value plus/minus programming-level mistakes.

 

It,s exactly same with DefneceWall and GeSWall.

 

100%?? I dont know if that exists.

If you dont want anything to stick to your system I suggest Power Shadow in automated startup mode. It doesnt protect you during your session, you need your ordinary protection software for that, but after reboot Power Shadow has reset everything to what it was before. Havent read that its been broken yet. But its impractical if you want to really save something. Even downloaded emails are gone - nothing sticks.

Partly virtulized like I believe Sandboxie does with IE OE etc I suppose mean you have to know what your doing to keep all gates likes USB , CD etc protected. How you save a downloaded file - I dont know how it works.

I have choosen a - for me - practical way and try to protect my gates with DefenseWall. For me its sort of a hybrid. Some malware can resend via email but not hurt your system. You can Rollback the whole sessions untrusted events or even further back. Your system is protected from untrusted activity. Its my Zero-minute protection. I dont expect it to be 100%, but its percent enough for me sofar. Support is awesome.

If your a highrisksurfer I would go with Power Shadow either autostart or manual start when needed - as a complement to ordinary security software - read the long PS-thread. Impractical, but could be worth it. Seems PS virtulizes most security software without problems - all maybe? Havent read the thread for a while.

Best Regards

 

I was refering to the browser calling for the pdf reader to read a document, IZarc to unzip a file, etc. Is it the same with DW? Does it intercept all that and isolate regardless of being known or not?
(i'm sorry if i lack the proper words, or understanding )

You're right, but i think i wasn't confusing. It is a sandbox, with file system virtualization yes. Your words seem appropriate, but is it not still a sandbox?

In fact, i would have a hard time explaining it to a friend how to retrieve from the sandbox. Some would get it, some would uninstall.
I still like GeSWall and DW's concept note, there's nothing to do. Just run it.
But since using SandboxIE, i also think it's way simple. And in my head, it's more comfortable, since things are not where there were meant to be, they are all in one folder, where they can't do anything. My head, not fact.

Thanks for the time to explain.

 

I've never heard about pdf-based malware, so "untrusted" state doesn't inherits for .pdf files- there is no sense in it, but you can always run it as untrusted. IZarc- yes, it is supported.

Well, there are two ways to isolate potential unwanted software from the rest of the system- sandboxing and virtualization. Virtualization creates a fake environment (in case of file system and registry one- redirect calls from real to fake records within virtualization container). Sandboxing relies on policy-based allow/deny ideology- forbidden actions simply blocks. So, as you can see, the core of sandbox HIPS ideolofy is the same- isolation, but the tools to achieve this aim are slightly different.

One more time- from virtulization container, not from sandbox.

 

It's not that pdf has or not security issues, i was providing examples of programs being used while browsing.
You did give an example of one program that won't run isolated. That's the whole point i'm making: it's not only your design (of course, and a good one), but it's also your choice of policy. Everything is not isolated. With SandboxIE it is.

So it's a sandbox. Sandbox..... IE. Another method.
Gentle Security even states that GeSWall is not a sandbox, so you see i think there is no consensus. I agree on your terminology, but SandboxIE is a sandbox, a sandbox with file system virtualization, while DW is a policy based sandbox.
No?

Sorry, it says here sandbox. Explore sandbox contents, delete sandbox contents... If i am to explain how to use SandboxIE,and i say the virtualization container, i lose my audience.

 

I'm just not so paranoid. Have you ever seen or heard about .txt malware?

Yes, that is correct.

Virtualization container.

 

Well, you are right, but I can't as I'm technician. Can't think other way.

 

No, lol.
But you are obligated to know all programs that must be isolated, and insert that into DW's code, or am i still picturing it wrong?
I do understand what you're saying, you isolate the ones that are vulnerable.

lol
Good sense of humour

 

Potentially vulnerable ot threat-gates applications.

 

I know that. That is why I've cooked DefenseWall the way I don't need to explain what virtualization container is!

 

Hi, folks: I realize that DefenseWall is an excellent sandbox/virtualization app, but it still requires users's hand-on approach to decide which are trusted or untrusted. Is there any possibility that any given average user may have lapsed his/her judgement and triggered the unthinkable? If so, DW somehow requires user possessing some degree of computer knowhow, in other words, it is not a tool for PC idiots like me. Am I right here? I currently use DeepFreeze standard. It has only three options, yes three only, no more. One is for clone, second is for freezemode, the last one is for thaw state. No miskes can possibly be made. Simple , straightforward, and secure, IMO, it is the toy for everyday idiots, counting me. Just my loonie sense for the day.

 

I think the use of a system snapshot program like DeepFreeze does not have the same objective as using a sandbox/HIPS programs like DW. For example, beta 2 of DW can stop the DirectInput based keylogger test while even with a frozen snapshot the user is still vulnerable to it. A system snapshot program by itself is mainly for "cleaning" up after allowing everything.

 

hi, folks: I appreciate your point. But the most important thing is that at the end of any given day, my system is NOT compromised, no matter how nasty these malwares/threats may be. My system is still as pure as a white sheet. The snapshot theory of DF is not only for "cleaning up" but also for "ensuring the purity of system". One quick question:What would happen if DW only can stop 99 of 100 keyloggers thrown at it? would that only one undetected spoil the whole basket? Just my curiosity.

 

Mistakes are always possible...