Playing with SandBox HIPS

Hi users, very brief play around with different sandboxes.

BufferZone---- Stopped KillDisk virus
Stopped Morgud,s threat simulator
Could not stop Martin,s Undetectable Keylogger( MUK)
Stopped Elite keylogger rootkit installation
Sysinternals process explore while running inside GesWall failed to terminate IE running as trusted( outside BZ)

Virtual Sandbox free version ----Stopped KillDisk Virus
Stopped Morgud,s threat simulator on two systems with slightly different results but stopped in both cases altogether
MUK failed to install in VS
Elite Keylogger rootkit failed to install itself in VS
Sysinternals process explore could not run inside VS, windows task manager while running inside VS was able to terminate IE running outside VS.( zopzops,s findings are different here as he posted in another thread, I am not sure what is the problem but I tried VS on two system witl almost similar findings, he has posted to the support and will see the reply)


GeSwall-----Stopped KillDisk virus
Stopped Morgud,s threat simulator
Stopped Martin,s Undetectable Keylogger( MUK) from logging keydtrokes but not mouse clicks
Stopped Elite keylogger rootkit installation
Sysinternals process explore while running inside GesWall failed to terminate IE running as trusted( outside GW)


SandBoxie----- Stopped KillDisk virus
Stopped Morgud,s threat simulator
Could not stop Martin,s Undetectable Keylogger( MUK)
Stopped Elite keylogger rootkit installation
Sysinternals process explore while running inside GesWall failed to terminate IE running outside sandboxie.



DefenceWall
version 1.61,
may not be latest --Stopped KillDisk virus
Stopped Morgud,s threat simulator
Could not stop Martin,s Undetectable Keylogger( MUK)
Stopped Elite keylogger rootkit installation
Sysinternals process explore while running inside DerfenceWall failed to terminate IE running as trusted( outside DW).


Just few related/ unrelated notes--

Antivir classic detected Morgud,s threat simulator by heuristics( that,s nice) but failed to stop it.

EAZ-FIX protects against KillDisk virus except taht u loose ur current working snapshot( or u can make a snapshot just before running KillDisk). I covered C partition of my single HD with EAZ-FIX and D, E, F were unprotected. Ran KillDisk from C and it could not damage any of the partitions at all. That,s nice.

FDISR does not protect against KillDisk virus, u loose all ur system.

BZ paid version has maximum features( like a true sandboxing HIPS) and I really like its features. The least slowdown I noted was with GesWall, DefenceWall and Sandboxie followed by BufferZone and the worst slowdown with Virtual Sandbox. VS has almost all features(except firewall) of BZ paied version but I think it still need lot of work to be tweaked. I have used all of them for a while. I like its features but dislike the slow down in its loading on boot up and start of applications inside VS. Also it seems aggressive and I faced loss of functionality like issues so I jsut uninstalled it.


Thanks.

 

A little addition. While testing this, I collected the malware samples on my PC.
Antivir detected MUK by heuristics. I never expected such a nice detection, so I uploaded it to virus total, no other scaner detects it. Wonderful work by Avira.

 

Looking at a view other threads at Wilder, AntiVir is getting more and more points. Amazing

 

Yeah very nice! Its another proof that you dont need to spend a single penny for professional security software!

 

Will post back the scanning results of Morgud,s threat simulator also.

 

Hi Aigle,

A little correction:
BZ 1.90 doesn't stop Martin,s Undetectable Keylogger( MUK) (version 1.6 did, but they forgot to implement it in 1.90)

But new beta version 2.10-20 does. Release version, which will do, is expected for end of october.

Regards

 

Thank a lot for the info.
That,s nice. I am liking BZ.

 

Results of DFK threat simulator exe file. NOD,s heuristics are great. Panda is also good here( it is TruPrevent I think)!

Antivir detects some componants on its execution but can,t stop the threat.

 

Results of DFK threat simulator Zip

NOD and Panada gain.
It seems I am going a lot OT now, so I will stop here. Back to sandboxes.

 

Re: Playing with SandBox HIPS-- TESTING WITH APT

Some more testing here.
I ran a process as trusted ( ouside Sandbox) and tried to kill it via APT( Advanced Process Terminator) running as untrusted( inside sandbox).
Here are the results.

BufferZone-- APT failed to kill trusted process( all 16 Kill methods)

GesWall ---- APT failed to kill trusted process except by Kill method 7 and 8

Sandboxie-- APT failed to kill trusted process except by Kill method 10. I did all my testing with version 2.42 that was available at the time of testing, it mightb be fixed in latest version. If anybody knows pls post here. Thanks.

Virtual Sandbox --- It seems quite buggy and even Process Explorer was able to kill trusted process, I did not test it with APT.

DefenceWall-- I was not able to test as APT while running untrusted failed to show any processes running as trusted. Anyway to test it?

BTW, I tried to kill sanbox process itself via process explorer running as trusted, it killed DefenceWall, GesWall, VS and Sandboxie.
In case of BufferZone--- I was really impressed here-- even APT running as trusted was not able to terminate its protection with all 16 kill methods( though its GUI can be killed even by Process Explorer but it does not affect its protection at all). Very strong software indeed!!

Edit-- DefenceWall GUI is killed but protection remain as it is driver based.
I will have to re-check about Sandboxie as i misinterpreted these tests probably.

 

Re: Playing with SandBox HIPS-- TESTING WITH APT

1. I would suggest you use the latest version of DefenseWall- 1.65, this will block APT. 1.70 is coming soon.

2. For APT test you need use direct PID numbers input.

3. Killing DW's GUI won't stop proteciton- it is pure driver-level.

As about MUK- just check if they use ring3 hooks for it (I'm more than sure in it). If they are- they gives you false feeling of security.

 

Re: Playing with SandBox HIPS-- TESTING WITH APT

method 8 is a bug and they are working on it. method 7 is left open on purpose (i forgot why exactly). but geswall itself is immune to all 16 attempts to shut it down.

you know what you should try next aigle. ghostsecurity's reg test. that's the real eye opener, especially test 2.

 

I asked about BZ and I have been answered the drive is fully ring0... as defensewall.

I disagree. regtest2 could maybe shut down your PC, but the purpose is to prove that by doing it, you can add a key to system startup. If your prog is running untrusted, then anyway it should go to the ubtrusted registry... So even with shutdown, regtest2 should fail with a proper virtualization / sandbox protection...

 

Re: Playing with SandBox HIPS-- TESTING WITH APT

Sorry u are right. It was my mistake. I was only mistaken by GUI. I just checked it now and protection remains there. I shall correct it.

I think they use GetKeyState method but i am not sure. CAn anybody tell more about MUK.

What about this false sense of security? Can u expolain more. Thanks

 

Re: Playing with SandBox HIPS-- TESTING WITH APT

Thanks.
Will tryt it sometime. I tried it in the past but forgot the results.

 

Some more testing using syssafety SPT( instaed of APT)-- settings same as in post no.10 above. ( I did not use parameter f with SPT, only e parameter used).

http://syssafety.com/leaktests.html

BZ-- failed with method 15 and 16( with 16 message came that killing failed but infact the target was became unresponsive so I will take it equivalent to killing).
GW--- failed with method 16 just like above
DW -- failed with many, 9, 10, 11, 12, 14, 15, 16( may be i missed something)
Sandboxie-- not tested

Also tried keylogger test from syssafety.

GW-- failed with method 3 and 4
BZ-- failed with method 1 only
DW--- failed with method 1 and 2
Sandboxie-- not checked, may be later.

BTW, SnoopFree tested here detected and successfully stopped all methods except method 1. SnoopFree is always wonderful. A tiny but great piece of software that detect keyloggers generically.

Edit-- I am not expert here. I did not test SPT full and there may be mistakes. Feel free to correct me if I am wrong.

 

Re: Playing with SandBox HIPS-- TESTING WITH APT

GetAsyncKeyState. This function is, mostly, using shared keystate buffer without using native API.

I still haven't found good driver-based way how to prevent GetAsyncKeyState-based keyloggers from it's job. All the ring3 hooks may be easily bypassed. Also, there could be GetMessage/PeekMessage and TranslateMessage intercepting keyloggers and subclassing- based keyloggers that can not be stoped from driver level. That is why keylogger defense is really limited in Windows. It's architecture is not built perfectly from the point of view of security.

 

Another killing method-- IceSword and DarkSpy

DarkSpy and IceSword failed to initialize in DW, GW and BufferZone.

 

i realize it won't faze the real registry, but the annoyance of a malware being able to force a shutdown/restart is...................annoying.

 

And the winner is --- (Tah-Dah!) BufferZone! Or did I misinterpret the comments here? If BZ did not "win" then am I correct in saying that none of the tested apps did the job?

By the way, why wasn't the redoubtable Prevx included, I wonder?

 

Neova Guard is also restistent agains those tests

 

Just tested DefenseWall 1.70 with APT and SPT. All the tests are passed. 1.70 will be released tomorrow.

2 aigle- don't use old versions of DefenseWall for your tests! 1.61 have been released two mounths ago, it's a huge period of time!

 

Wasn,t it the latest version when I tested?

 

Just as I mainly checked for sandboxes. I did mention some other software but ther were on my system so if I found something incidently, I just posted that as well.
APT and SPT were tested specifically for SandBoxes only.
Prevx will come in HIPS.

 

Hi,

And nobody did

Anyway, to give echo to an old discussion we had once, keyloggers are not really a problem for virtualization / sandbox security tools... as long as the user understands what he is doing.

If you go to your online banking account, I guess you should at least stop all untrusted processes before logging... BZ team even advises to open IE or whatever surfer you use outside the virtualized area before going to online banking, so that it is safe from the untrusted zone...

I let the last word to Uriel from Trustware: