Playing with SandBox HIPS

Discussion in 'sandboxing & virtualization' started by aigle, Sep 29, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    U are right.
    I just like to play with these things. Personally I do safe surfing, rarely encounter a virus. No spyware issue as I don't install untrusted software and don't go to dark sides. Rootkits-- I never think about them. I use firewall but just as I like it, otherwise I can go on net without it. For an average user I just think he needs an AV and Firewall (even windows inbound only might be enough) with safe surfing. If he wants more, a sandbox is best thing. And of course he needs a reliable backup.
    All other is just my play and I personally rely on a clean snapshot/image of my system. As far as other professionals are concerned, they are doing good as lot of them earn by this way!!
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It means that there is something wrong with installation. Has DefenseWall's service been installed properly?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I will mail u 2 morrow.
     
  4. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    Aigle, how are you actually using GesWall / BufferZone? Bufferzone for ? Geswall for?

    dja2k
     
    Last edited: Oct 9, 2006
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    One at a time.
    Testing done in different snapshots of system.
    I mainly use GW. Just installed BZ until new version of GW is released.
    I like both, they are a bit different. BZ purely relies upon virtualization while GW relies heavily on policy restrictions as well.
    I prefer GW as it has least slow down effect and least obtrusive.
    On the other hand, BZ has some nice features that are absent in GW.
    BTW, sometimes I am not using all the software mentioned in my signature, like FDISR I just used trial but it is on my future list.
    Similarly I prefer EAZ-Clone instead of DriveImageXML, faster and more robust.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle, thx 4 the useful info.

    My experiences from a user point of view:

    I have tried Sandboxie, but did not like the slow down of my system. The app worked perfectly.

    GeSWall is fast, but I kept having problems when printing. GeSWall did not allow the spooler to print pages. When I logged out and in again, GeSWall seemed to release the spool and the pages were printed. Although the helpdesk of GeSWall is amazingly responsive (for a free product), they did not know how to fix it (because you need to allow two spool programs of my HP deskjet with the same internal product name; when adding the second spooler as "always trusted", GeSWall tells you that you already have one program with the same name, although the rule is named differently).

    Then I tried BufferZone free for FireFox. Was easier to install and more straightforward. Was slower than GeSWall. BufferZone had one problem: when you put a USB stick in the computer it freezes. When you pull out the USB stick the problem is gone. Considering the ease of use, it is workable (just do not put the USB stick in when BufferZone is active). It is a pity BufferZone free is only for one threat gate app.

    Because my company made an arrangement to enhance PC security at home, we got a license of DefenseWall and 150 euros to buy an external drive (we also got a script to make a bootable BartPE with DriveImageXML for restore after disasters/backup of the programs drive and the free SyncBack to backup/restore your data drive). I am now using DefenseWall.
    I must say DefenseWall is very easy to use. It is just a bit slower than GeSWall, but faster than BufferZone (and a lot faster than Sandboxie). For speed reference: I have an AMD Athlon 3400 with 1MB (about 740K free after windows boot).

    Regards

    Kees
     
    Last edited: Oct 10, 2006
  7. edotan

    edotan Registered Member

    Joined:
    May 1, 2005
    Posts:
    4
    Guys, I think you're doing a GREAT job of testing those different products with different attack types etc.
    The testing tools & techniques you're bringing here are very insightful (and helpful for us on the R&D side).

    To give a full picture of those security products, it might also be interesting to look into the usability of the different security approaches. I mean: a security product that blocks all threats may not be as practical if it also blocks legitimate installations / applications / plugins etc.
    So it might be an interesting next step: to see for example what happens when you surf and want to install the latest Flash plugin, or Adobe Reader extension, etc.

    Btw: BZ 2.10 is to be released next week, after 6 months of work following version 1.90!

    Keep up the good job,
    Eyal Dotan
    CTO, BufferZone
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I never tried it as I do all installations offline and if I am using a sandbox of course I will run the installation exe out of sandbox.

    BTW, I am eager to try latest BZ version. Will the free version remain there?
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Edotan

    I agree, that is why I like GeSWall, DefenseWall and BufferZone. I do not have experience with GreenBorder. With BufferZone you can keep the changes in the virtual space, with DefenseWall you can decide to roll back or remove the entry (a way of accepting changes).

    Regards

    Kees
     
  10. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    Geswall, Defensewall, Bufferzone, and Sandboxie are great programs, but out of all these, in regards to compatibility with other HIPS like programs and other security defense (AV, FW, AS, etc), which one still stands out to be effective?
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Greenborder is an excellent program that has proven to be the best of the sandboxies. Now that it supports Firefox, it is even better. That was my issue before with it. I was having to do manual windows updates and now I set it up just for Firefox and my updating problem is corrected. It really is a good program, nice and clean when finished.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    About GB I can't say about performance but I know it was having a lot of compatibility issues just few months back. When they offered it free I downloaded it but uninstalled just after the BSOD.
    The stricter the sandboxing, the more functionality u lose. U need a good balance.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    U need to try for ur system as they are not so widely used so issues may arise, but as long as the software maker is actively developing the product, I hope the issues to be resolved/minimized with time as new versions come.
    Good support here is a must.
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Security Test
    I try to open the sandboxed IE and make some changes on my drives inside the sandboxed IE.

    Stop it from creating and editing the file
    GesWall -- Failed. :ouch:
    Sandboxie -- Succeeded. The change is stored separately in its sandbox. :)

    Stop it from moving existing files
    GesWall -- Failed. :ouch:
    Sandboxie -- Succeeded. The original file can't be altered. :)

    Note: For GesWall, you may need to refresh, or go back and forth to see the change.
    I don't understand why Geswall would allow the sandboxed application to create/edit/move files on the drive. Hard to believe. It should block it for security reasons. Geswall... disappointed :thumbd:

    Feature Comparison
    Run application in sandbox
    GesWall :( -- I don't see how I can instruct the program to run in a sandbox manually like what I can do with Sandboxie. The only way I could think of is to open the GesWall console and add the application to its policy, but that is inconvenient.
    Sandboxie :) -- you can simply "right-click -> run sandbox" to run any executable application in sandbox.

    Save some changes before trashing sandbox
    GesWall :( -- no easy way to do, as far as I know.
    Sandboxie :) -- simply right-click the Sandboxie GUI -> Contents of sandbox, you can browse the virtual place and backup some of the files/changes here (eg bookmark, history,cookies). You can also automate the process via sandbox settings (eg save the bookmark first before trashing the sandbox).

    Policy and Rulesets
    GesWall :) -- It is comprehensive. You can add rulesets to each application (eg this registry can access to this file/registry key etc.) There are 4 types of permissions - allow, redirect (ie sandbox the change), deny, read only. But this functionality may be useful mainly for intermediate or advanced levels of computer users. Newbies just don't bother.
    Sandboxie :( -- Not available at all. It doesn't like micro-management ;)

    I hope others will do similar comparisons like this one.
    While the security test is valuable, we shouldn't forget the features/functionality part - how many good security addons/features they are offering.
    Tell me what you think.
    Any suggestion or comment is correct.
     
    Last edited: Oct 25, 2006
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Wai Wai

    Good to see you experiment with virtualization/sandbox apps
     
  16. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    The purpose of sandboxing is to run the application safe without losing (much) functionality or reducing user experiences. Every malicious change will be discarded/restored once the sandbox is closed.

    If we lose much functionality while using sandboxed applications, that ruins its major purpose. Restricting its functionality is more to do with behaviour blockers or HIPS.

    By the way, as far as I know, Greenborder is just to do with Internet applications and a few more, not all executable programs. Correct me if I'm wrong.
     
  17. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Nice to hear your praise.
    Thank you. :)

    PS: My previous test/post is updated.
     
    Last edited: Oct 25, 2006
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GesWall is not like Sandboxie. In fact it is not a pure Sandbox. It has virtualization for registry but along with that it relies heavily on policy restrictions rather than virtualization. It does not stop from creating/deleting files, except vital system files.
    It gives u a lot of functionality with enough protection and no hindrance. If u download a file, it will be at its place, not like Sandboxie that u will have to explore it from its contents. Also if u add bookmarks etc, change ur browser settings they will persist. If there is any malware, it can't do its damage as Geswall will protect it from altering registry and altering vital system files. The files are not virtualized but they remain isolated (marked untrusted) and can't do any damage until u can delete them.
    To me ur testing is not justified here. Put it to some real malware and then see how it protects against it.
    Also GesWall has no privacy protection except that if u put something in confidential file folder, it will be protected from unallowed access.
    For me GesWall is install and forget. I run all my browsers untrusted and hardly feel any loss of functionality, just a normal PC use and get a good protection.
    If u want real complete isolation then Sandboxie is the choice or BZ (Sandboxie is more light and bug-free, BZ is more convenient to use). Sandboxie is like a PC inside ur PC. For me since long I am not able to run my main browser Opera inside Sandboxie, can't guess what is the reason.
     
  19. Lucy85

    Lucy85 Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    27
    As aigle said, GeSWall isn't really a sandbox. It runs based on the policies and rules you set for your applications. Provided you set everything right and for example if you isolate Firefox, everything downloaded from FF will be labelled as untrusted as well. If they try to change your registry or modify an existing file, GeSWall would prompt you.

    GeSWall doesn't prevent file creation by default so it's normal to find viruses, trojans and malware on your computer but it's SAFE if they can't do anything that will harm your pc since GeSWall will block them from altering your registry and isolate them.

    I'm currently beta testing v2.5 and according to Brian from GeSWall tech support, the final version of v2.5 will be available soon. It has some new features like running an application isolated through Explorer's context menu, policy & attack notifications and launching the GeSWall console via the system tray icon.

    What's great about GeSWall is the developers do their best in improving a FREE product and provide assistance to users. They listen to our suggestions and keep on improving.
     
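    As an added illustration, not code from GeSWall, Sandboxie or anyone in the thread: a toy Python model of the policy-based isolation described above, with the four rule outcomes Wai_Wai listed (allow, redirect, deny, read-only) and the untrusted labelling of files an isolated app creates that Lucy85 and aigle describe. The rule paths, the sandbox root and the `PolicyIsolation` class are constructed assumptions, not GeSWall's real resource types.

```python
from dataclasses import dataclass, field

# Rule outcomes named in the thread: allow, redirect (the write lands in the
# sandbox area instead of the real location), deny, read-only.
ALLOW, REDIRECT, DENY, READ_ONLY = "allow", "redirect", "deny", "read_only"
DEFAULT = ALLOW  # per the thread, an isolated app may still create files

@dataclass
class Rule:
    prefix: str    # constructed resource path the rule covers
    decision: str

@dataclass
class PolicyIsolation:
    """Toy model of a policy-based isolation layer (not GeSWall's engine)."""
    rules: list
    sandbox_root: str = "/sandbox"
    untrusted: set = field(default_factory=set)  # paths an isolated app produced

    def _decision_for(self, path):
        # Longest matching prefix wins, so a narrow rule overrides a broad one.
        hits = [r for r in self.rules if path.startswith(r.prefix)]
        return max(hits, key=lambda r: len(r.prefix)).decision if hits else DEFAULT

    def access(self, path, op):
        """Outcome of an isolated app's op ('read'/'write') on path."""
        d = self._decision_for(path)
        if op == "read":
            return (path, "blocked" if d == DENY else "ok")
        if d == ALLOW:
            # Real write, but labelled untrusted so a later launch inherits isolation.
            self.untrusted.add(path)
            return (path, "ok")
        if d == REDIRECT:
            target = self.sandbox_root + path
            self.untrusted.add(target)
            return (target, "redirected")
        return (path, "blocked")  # DENY and READ_ONLY both refuse the write

    def launch_label(self, exe_path):
        """Trust label a program gets when the user later launches it."""
        return "untrusted" if exe_path in self.untrusted else "trusted"

def demo():
    """Replays Wai_Wai's create/edit test against a constructed rule set."""
    policy = PolicyIsolation(rules=[
        Rule("/windows/system32", READ_ONLY),   # vital system files
        Rule("/users/me/confidential", DENY),   # confidential folder
        Rule("/windows/temp", REDIRECT),
    ])
    events = [
        ("/windows/system32/drivers/x.sys", "write"),   # edit a system file
        ("/users/me/confidential/tax.xls", "read"),     # read private data
        ("/users/me/desktop/setup.exe", "write"),       # download to desktop
        ("/windows/temp/a.tmp", "write"),               # scratch file
    ]
    results = [policy.access(p, o) for p, o in events]
    results.append(policy.launch_label("/users/me/desktop/setup.exe"))
    return results
```

    The desktop download goes through, as Wai_Wai observed, but carries the untrusted label, which is the mechanism aigle and Lucy85 rely on.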
  20. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Well, I sure would like to be using that new version of BufferZone that was released last week. Just one problem - WHERE THE HELL IS IT?
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It was beta and about to release but I never knew it was released.
     
  22. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Then the description and the image of GesWall from its website misled me.

    It has a function called "auto-isolation". This function and the description led me to think it should isolate any change made by that application when it is in auto-isolation. But it is not. If the isolated application can still make some changes to my system/drives, then it is not really isolated. A misnomer in my humble opinion. It would be better named restricted.
    http://www.gentlesecurity.com/images/logo_anim.gif

    If it just prevents some changes made to some registry and some system files, it is definitely possible to alter/infect other files in your drive. And a malicious website may be able to plant malicious files/programs into your computer (although it may not be able to run properly though). No wonder I could run an application to alter/infect some files in my drive. :doubt: Then it is not as safe as a complete isolation solution like what Sandboxie offers.

    I tried to add the whole drive as "deny" in the console. I don't understand why it won't work either. What resource type should I choose?

    I don't see any loss of functionality (maybe just very minor) when I use sandboxie with IE.

    I don't bother sandboxing Firefox/Opera since I think they are safe and I don't practice dangerous browsing (unless I am doing tests).

    Hmm... You can mark the application as always trusted, trusted, trusted (auto-isolation), and untrusted.
    If you mark an application as untrusted, it couldn't run at all.
    What did I miss?
     
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    That could be a serious problem.
    If the malware can be left behind your system, that could pose a potential threat and you may run into trouble.

    Imagine the malware writer plants the malware first into your system via the browser, and gives it a nice name like microsoft.exe or avp.exe (name of KAV app), and creates a shortcut on the desktop. After the user finished browsing, he sees a nice shortcut with a nice icon (eg Microsoft icon or KAV icon). He mistakenly thinks it is the legitimate program. He clicks on it. GesWall may prompt asking for instructions. He simply selects "No" (ie run it outside the control of Geswall) and he is doomed!

    There are more ways a malware writer can trap the user into running it as trusted.

    By the way, I tried to add the whole drive as "deny" in the console. I don't understand why it won't work either. What resource type should I choose to block the access to the whole drive?
     
  24. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Similar situations can happen to other sandbox environments. If the user boots into XP safe mode (when sandbox program XYZ is not running) and the user mistakenly runs ABC.exe which had been downloaded to the "sandboxed" folder on the PC, the PC will get infected. Even when not in safe mode, if the user shuts down sandbox program XYZ, then running any downloaded file afterwards is potentially harmful too. No matter how many locks you put on your front door, there is always a chance of having a break-in.

     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, by default all applications run as trusted. It's only when some application (from the list of appliances in GesWall console) makes a network access/vital system access, it is made untrusted (isolated) by GW. Untrusted application will sure run but with restricted rights.
    About the nomenclature, it's not so important to me as long as I understand what they mean.
    Regarding the protection, I am well satisfied. I remember when some people tested KillDisk virus against sandboxes many months back and at that time GesWall stopped it while Sandboxie failed in spite of its strict sandboxing. (I am not talking of current versions).
    Regarding loss of functionality I still can't run Opera in Sandboxie (some other users here as well), in the past I was having troubles with Yahoo messenger.
    If I download a file on my desktop, it is not on the desktop but inside a virtual desktop. Also in free version I have to run all applications from right click menu while in GesWall I run appliances normally.
    In short it is more a matter of personal preference. Currently I prefer GW over Sandboxie, in future I might prefer BZ or Sandboxie. So go with the choice that suits you.
    I am a safe surfer but like to install security software (it's great fun to play with them).
     