anti-executable or Sandboxie

Discussion in 'other anti-malware software' started by Long View, Dec 8, 2007.

Thread Status:
Not open for further replies.
  1. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Have been playing with Anti-Executable today, having previously played with Sandboxie, and can't decide.
    It seems to me that if I run with Anti-Executable there is no need for Sandboxie? I should add that I'm running Deep Freeze or Returnil or PowerShadow as well,
    so anything that Sandboxie might have stopped will be gone at reboot even if it does not act, allowing Anti-Executable to spot it.

    Any thoughts?
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Having used these two before, I found that they are both excellent programs and well worth the paid price. As you know, they both work differently.
    AE will block any non-authorized executable from running at all (whitelist), while Sandboxie will let them run but all will be gone when the sandbox is closed.
    That said, since you state that you also use Deep Freeze or Returnil or PowerShadow as well (I have never used any of these; tried PS one time, would not work for me), from what I understand of how they work, with a reboot all will be back to the state before your session. So I would think (IMO) that Anti-Executable might serve you better (added protection).
    FWIW, I'm planning on putting AE back on my machine again (with a few other apps to test again) when I get done testing out this combo.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Any boot-to-restore solution is in theory too late, because any installed malware can do whatever it wants in the period between two reboots.

    AE will stop any unauthorized executable IMMEDIATELY, while a boot-to-restore only removes it during reboot.
    Sandboxie isolates ANY object of a sandboxed application IMMEDIATELY and the execution is only done in the sandbox, which is still better and faster than a boot-to-restore.

    The only reason why I keep my boot-to-restore is: if my firewall, AE and Sandboxie fail, my boot-to-restore will fix it, and my boot-to-restore does a lot more cleaning than just malware. It does the job of a registry cleaner, history cleaner and junk cleaner, and does it much safer, more completely and without human mistakes.
    That's why users do a backup of their registry before they clean the mess, because they are afraid to make mistakes during the cleaning. I don't need to do this.
    None of my cleaning tools remove the junk created by DVD Shrink, but my boot-to-restore does the job, and there is more software like DVD Shrink.

    AFAIK Returnil works in a virtual environment, and that raises the question: do you need another isolated environment like Sandboxie? I can't really answer that question. The answer is probably NO, because two isolated environments is absurd.
    However, I wonder how Returnil is going to stop malware that targets a second partition if you don't have Sandboxie on board.
    Another interesting test for Peter. :)
     
    Last edited: Dec 8, 2007
  4. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Well, I may not be testing AE much longer. When I set AE to high, it complains about
    PerfectDisk: "This action violates the acceptable use policy". Same with Crap Cleaner. I thought the idea was that AE would pick up existing programs?
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Defragging involves moving/deleting files, so I think that AE would complain about this if it's being used on high security.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    PerfectDisk works fine if you turn OFF Anti-Executable.
    I use PerfectDisk in another snapshot that doesn't contain any anti-malware application or internet connection.
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Thanks, that makes sense. I have put both Crap Cleaner and PerfectDisk as trusted, so that is OK. Now I find that http://www.superwin.com/speedstartup.htm cannot be used. I'm not really concerned about this particular program; more that it was installed before AE and AE cannot deal with it, nor can it be set to trusted. Even when set to low, Speed Start cannot run.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    An accurate assessment.

    I employ a HIPS, in my case EQSecure 3.4, which is quite formidable enough up front to suspend most any file activity BEFORE it gets a chance to interact with Windows files/systems, plus it can stop scripts dead in their tracks too.

    But this topic is a subject for choice between just 2 apps. Personally I would choose SandboxIE because, as already explained in brief, anything entering, whether valid or of mischievous nature, is contained in an artificial environment (a sandbox, as it's called) and should be easily cancelled off your disk through SandboxIE's delete sandbox contents. The same applies to Returnil or any other virtual program.
    AE is extremely strong in holding off common executables but can do nothing if malicious scripts are on the menu for some intrusion. But still I favor it highly in spite of that, because of my other multi-layer shield combinations that can complement and back up AE's protection ability.

    Between the above two mentioned, though, SandboxIE would have to get my vote first by virtue of its complete coverage, including scripts!
     
  9. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    I disagree. I run both Returnil and Sandboxie; my system is on 24/7 and connected to the net most of that time. As you correctly pointed out, you are vulnerable between 2 reboots, and that can be several days for me. Sandboxie limits this, as all my browsing and chat is done in the sandbox, which I can delete between reboots. Returnil acts as a failsafe if something should get out of the box.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I am new to this stuff, but don't you guys need or use something to alert you when malware or something nasty is executing? Else how will you know when it does happen? Or do you just rely on a reboot as the cure all and figure after that you're clean again? In other words, is it necessary to be alerted to something going wrong? Or do you just not worry about it anymore? Seems like if something bad were happening then it's possible for malware to do some damage by communicating outbound or whatever.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Exactly. Not even the proverbial so-called boot-to-restore will help if a cleverly crafted file infector virus were to bite, and that's where HIPS comes in, IMO. Provided the program's developer has mapped enough of the Windows internals course (APIs, SSDT table entries), your Host Intrusion Protection app will have "FIRST" suspended incoming activity, then alerted the user via a screen box detailing just what the file name and path is, plus its intention. For most, this is enough good data to make an accurate decision.

    That's where your ALERT comes in for most. AE also (if you choose to) will alert to an executable if it is not listed as acceptable in its database.

    Since I dropped AS's/AV's (resident/scanners) in exchange for the much more reliable and BETTER protection of HIPS, in the form of first System Safety Monitor and now EQSecure, and teamed this sole app up with the likes of Returnil/PowerShadow PLUS SandboxIE on top of FD-ISR snapshots (but first archiving/duplicating them, isolated to an alternative HD or partition), this combination has proved super-invaluable, as it is 100% safe & stable!
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Lately I am back to relying on images, so I'm thinking of trying the Returnil and Sandboxie approach, it interests me a lot, and dropping my traditional AV and firewall (have router). Only thing I see that I would need is some form of HIPS or alert mechanism. For me, the less popups the better, I am annoyed by most of them. I like TF and think perhaps that is all I would need... I'll have to experiment a little with the new Returnil beta, it sounds good..
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Kerodo,
    I use my boot-to-restore for two reasons:
    1. Any malware that passed through my security software is removed.
    2. As a replacement for registry cleaner(s), history cleaner(s) and junk cleaner(s). A boot-to-restore restores my complete system partition to its original installation state, and that is very safe, without human mistakes and more complete.

    All the rest is done by my security software, which acts immediately when something happens. I'm looking for other security software that also stops the execution of malware, but I have to find and understand it first. :)
     
    Last edited: Dec 8, 2007
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Thanks for the comments Easter and ErikAlbert both...

    I guess I rely on my images as the fall back in case of disaster, so lately I am thinking maybe I can do without much resident protection. Time to play with some of these new things (Returnil and Sandboxie are new to me). :)
     
  15. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Having set up and played with AE, I can see how it could be of use in some circumstances, but have determined that it is not for me. For the moment I will go back to my hardware firewall + Firefox + Returnil/Deep Freeze, with Acronis as fallback.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I procrastinated, as the term goes, by neglecting imaging for a long time, and believe me, I've paid the piper in rattled nerves and staring at blank screens where Windows wouldn't boot, and searched in desperation on Google for the proverbial work-around to restore a good registry, Recovery Console and all, on XP Pro.

    This forum is the ONLY one to have really opened my eyes to the absolute necessity of "FIRST" establishing a reliable backup plan and all the details that go along with it.

    It's done far more for my self-confidence than reaching for the install CD every time I've finally run out of (lost time) & failed options, only to start over from scratch again, which has been a defeat in favor of the junk & gunk purveyors who gloat over drawing up all that mess.

    What Returnil & SandboxIE do is throw up, IMO, the best force field against getting knocked off balance in the first place, and believe me, they do it very well indeed.

    Researching malware in the past without such products has for me always proved a nerve-bending experience, just waiting for the hammer to finally fall.

    Now the tables have finally turned in the user's favor, ha! ha! :D

    The only use I get of backup images these days is keeping them updated, and that's the way I like it. ISR, in the form of the authentic full-version FD-ISR, even gives my image programs room to rest easy and play cards. :D
     
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    :thumb: :thumb:

    My three, yes, three, imaging programs are bored silly ... I've never used a single one of them, meanwhile, my FirstDefense is dogged tired! :D

    Acadia
     