Sandboxes-Comparison Test.

A comparison test with Four Sandbox programs and a small malware test-bed on Windows 7 32-bit.

Sandboxes tested:

BufferZone Pro, DefenseWall, GeSWall Pro and Sandboxie.


http://subsetlines.wordpress.com/vergleichstests/sandboxen/

 

Interesting test. Thanks!

(FYI...The site is in German but you can use Google Translate to view it.)

 

Not really a sandbox comparison. BZ is a virtualization software like Returnil is it not?

http://translate.google.com/translate?hl=en&sl=de&u=http://subsetlines.wordpress.com/vergleichstests/sandboxen/&ei=PFwJTe6gB8Oblge1wZ2pAw&sa=X&oi=translate&ct=result&resnum=1&ved=0CBwQ7gEwAA&prev=/search%3Fq%3Dhttp://subsetlines.wordpress.com/vergleichstests/sandboxen/%26hl%3Den%26sa%3DG%26prmd%3Div

 

No. It,s a sandbox like SBIE.

 

SandBoxie did well, as expected.

 

So if i change that rule in geswall to read only, am i safe from the gamania exploit?

 

Pretty good test. I think all the programs tested are very good. Sandboxing and policy restrictions are really the first line of defense.
Ice

 

Problem is it is not practical to empty Geswall and Defencewall as shown

 

interesting test. thanks!
i`ll adjust my bufferzone settings!

 

Thanks Blackcat for good share It is very good and comprehensive comparison test of sandboxes against real world malwares. Glad to know that DefenseWall rocks without need of any user interaction/settings change.

 

Blackcat nice find

Some Remarks though:

DefenseWall: a pure policy HIPS to contain threatgate programs and their downloads, also a great firewall

Sandboxie: an application virtualisation application with full control (execution, lowering rights, firewall) on specific sandboxes (e.g. application based or directory based = forced folder). Flush the sandbox and malware is gone, save something outside the sandbox and you are gone.

GesWall: a Policy HIPS with some virtualisation posibilities (the redirect option). As with DefenseWall covers also the downloads of the threatgates (only when moving/copying from one partition to another this protection is lost). It has a firewall option which does not pop-up (more like Vista/Windows internal FW)

Bufferzone: an application virtualisation application which ALSO protects against downloads (even from trusted sources, which gives it the widest protection of all) and USB sources. Unlike SBIE it has one Sandbox which is kept all the time. Also has the option to save and restore Sandbox snapshots. It has an outbound firewall option, same as GW, no pop-ups to guide you

SBIE and GW are more geek's tools, DW and BZ are more fit for average PC users.

When you want single session sandboxing: choose SBIE

When you want an easy to use HIPS/FW on threatgates and related downloads: choose DW

When you want low overhead/full control selective defense: choose GW

When you want system wide protection and occasionally clear sandbox for dodgy browsing and want an releatively easy user interface: choose BZ

IMO they are all great
Regards

 

Thanks for sharing

 

@Blackcat : Thanks for the heads up.

@Kees: Informative Summary!

 

Good Info

 

Yes, that's correct.

However, in general this problem is known for more than a year now.
"Setting TabProcGrowth to a value of zero disables Protected Mode for IE Security Zones."
http://www.ie8blog.com/2009/09/22/s...isables-protected-mode-for-ie-security-zones/

It didn't hurt too much during the tests.
But I assume you mean this is not practical in the long run.

Cheers

 

re: subset: Yes, that's correct.
However, in general this problem is known for more than a year now.
"Setting TabProcGrowth to a value of zero disables Protected Mode for IE Security Zones."

Thank you very much for that

 

I don,t think that it,s crucial to change this setting, all that malware did was it disabled IE,s protected mode but as IE is still sandboxed it doesn,t make much of a difference I guess.

The default allow settings for this in GW are probably due to usability reasons. And they can be changed if some one wants more tighter control.

 

They wrote that Trojan Gamania was able to disable IE protected mode. I don,t know how trojan can do this. Only IE itself is allowed to do so.

The threat expert report attached by them shows no such reg modifications. I tried two samples of this trojan but it doesn,t see to disable IE protected mode however these samples were not exactly same as the one used by them( MD5 is different).

I wish if I could access their sample and try it. I am curious to know how this trojan can do this( I really doubt that).

 

Ok, I found the sample and tested it.

If I run it isolated directly via context menue, geswall Passes and sample is well contained.
If I run it via isolated internet explorer( IE being the parent), it,s still isolated but does changes the registry that it should not have changed. It,s a bypass for sure. Well caught. Will report it to them.

 

Aigle,

Problem is the same as with network access you have reported here:
http://gentlesecurity.com/board/viewtopic.php?t=289&highlight=network

Note the respons of geswall:
Application started from isolated one gets the same permissions (rules) as parent, unless child application has its own rules in the console.

So, when you run the sample via isolated internet explorer it will get the same permissions as the parent (being internet explorer for which the registry access is allowed), since the sample does not have its own rules in the console.

To solve the problem in a general way, no permissions should be inherited at all from the starting application (like you suggested for network access in the post mentioned above).

In the same post, mentioned above, geswall also states:
The behaviour is correct, but in scenario you described security would defenitly benefit from blocked inheritance.

This statement might suggest that not inheriting any permissions from the starting application might result in some things not to work (although at this moment I can not imagine a scenario for which this would hold).

As a last note, in the same post mentioned above (last entry) geswall also says:
Inhetitance option for application rules is scheduled for 3.0

So, I hope this option will be included in version 3.0

 

So as long as a non IE based browser is being used your safe?

 

Avant and Maxthon have also the same rule.

Cheers

 

Hi, I am almost sure that child applications only inherit network permissions of the parent in GW, other permissions are mot inherited. Rather geswall applies default restrictions to any child, regardless of permissions of the parent.

Am I right?

 

Aigle,

No, you are not right.

You can try the following test I performed:

Make a copy of notepad.exe on the C: drive, rename it into note1.exe and label it as untrusted.
Make a text file C:\test.txt (and put some text in it).

Make rule in Resources: C:\test.txt File Confidential
Make rule for Internet Explorer: C:\test.txt File Allow

Using Geswall Security Level = High, I get following results:
1. If I run note1.exe via Explorer, it will be isolated and is not able to read C:\test.txt (using File\Open menu).
2. If I start Internet Explorer (isolated) and type C:\note1.exe (in the same place as you type a URL), IE will start note1.exe isolated. Using File\Open menu, note1.exe is now allowed to open C:\test.txt

From this I have to conclude that note1.exe inherits the rules of Internet Explorer (when started by it).

 

All very good, as one might imagine Sandboxie would block everything, really am becoming a fan of that software, and it work perfectly on my W7 x64 and have a free option.