Bufferzone Pro okay with Returnil?

Discussion in 'General Returnil discussions' started by VanguardLH, Dec 2, 2011.

Thread Status:
Not open for further replies.
  1. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    Windows XP Pro SP-3 + all updates
    Bufferzone Pro (whatever is the latest version available today)
    Returnil (whatever is the latest version available today)

    I did a search on "bufferzone" but got no hits. I think Bufferzone Pro went freeware back in August. I had used GeSWall in the past and was considering looking at it again since it went up a minor version (2.8.x to 2.9.x); however, after some research, either GeSWall is dead or nearly so. GentleSecurity sold off their LeakWall to BeyondTrust so they lost that revenue source (but, of course, got the proceeds from the sale of LeakWall). There never seemed to be a large market for the payware version of GeSWall compared to the number of instances of their freeware version (which only supports web browsers). Updates were always few and far between, like a year, or more. It just doesn't seem to be an actively supported product, so I figured instead to try Bufferzone Pro, especially now that it's free.

    However, I'm wondering what might be the consequences of mixing Bufferzone with Returnil. GeSWall and Bufferzone are more about policy enforcement than sandboxing. They will use an isolation environment (akin to a sandbox) for untrusted downloaded programs, but most of what they do seems to be regulating what behavior is allowed per their own policies (not Windows policies). When there was a problem getting Java applets to run, a policy had to be added to GeSWall to allow the "js" pipe. Fixes are often made as changes to their policies.

    So I'm wondering if a policy enforcer, like Bufferzone, would have problems working with the virtual disk write protection in Returnil.


    --- UPDATE ---

    Oops, meant to post this in the General discussion forum. Maybe a moderator could move it over there (and delete this update portion of this post).
     
    Last edited: Dec 2, 2011
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The major issue is the type of virtualization employed. Though not tested by us, in theory they should play together as BF is application layer while RSS/RVS is disk level (similar in some ways to the SBIE/RSS combo approach).

    As we have not tested this, I strongly suggest you try the combination in VMWare, VPC, or VirtualBox before you move to a production system and then report your findings in this thread for others interested in this combination as well.

    Mike
     
  3. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    While I do have VirtualPC 2007 (on Windows XP) to provide me with a virtual machine (VM) in which to test software, it runs software rather slowly, plus you're trying to virtualize a hard disk that is itself a virtual hard disk for the VM. I'm not sure that there wouldn't be conflicts or that such testing would be invalid.

    I perform daily image backups using Acronis True Image (full backup on Monday, incrementals on the other days). So if a software setup screws up Windows, I can recover back to a prior image. Their recovery manager was installed in (usurped) the MBR bootstrap code, so I can use it on bootup (before Windows is loaded) to perform a restore, or use their rescue or installation CD for the restore operation.

    At this point, I'm still investigating whether or not I want to use Returnil (free version) to virtualize all disk changes and wipe them on a reboot to provide protection, or go with Bufferzone alone to prevent malicious action on my host. I'm also not sure if I'll be going with BufferZone or with Comodo (which has its auto/manual sandbox feature).

    I have Avast (free), which has its auto-sandbox feature, but that's triggered only for blacklisted programs or those that are detected via heuristics as performing some action that is suspicious. If Avast doesn't see the process as malware or suspicious, the program doesn't get sandboxed. Also, sandboxing programs you always want sandboxed (e.g., a web browser) is not an option with Avast (free version). The manual sandboxing (where you specify a program to always sandbox) is available only in the payware version of Avast.

    Comodo has its own auto-sandbox, but it differs from Avast's. Comodo's auto-sandbox uses privilege enforcement (similar to GeSWall/BufferZone), whereas Avast's auto-sandbox is a virtualized environment; however, Comodo's manual sandbox is a virtualized environment, like Avast's auto-sandbox, so overall I think I would prefer Comodo's auto and manual sandboxing features over Avast free's auto-sandbox-only mode. I would disable Avast's auto-sandbox if I decide to roll Comodo and its auto/manual sandbox into my security suite. I may also end up disabling Avast free's auto-sandbox with BufferZone.

    I'm pretty sure that I won't be using Avast and BufferZone and Comodo together, but instead Avast + BufferZone or Avast + Comodo. I wanted to check if there were any known problems with either setup. I've seen some posts here from Comodo users and that looks okay, so I wanted to ask about BufferZone. Yep, I have a recovery scheme in place during testing by having image backups, so I don't have to test inside a VM where all the hardware is emulated except the CPU.

    I've narrowed down the security suite to possibly include one, or more, of the following:
    - Avast free. Whether I use its auto-sandbox depends on what other security products are used in an overlapped security suite.
    - BufferZone Pro. It's free now so it's a candidate for testing.
    - Comodo Internet Security (or just Comodo Firewall since I probably won't be using their AV component).
    - Returnil (free).

    I suspect BufferZone and Comodo will be mutually exclusive of each other. That is, I'll be trialing one or the other, but not both.
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Order of install may be an issue with AVAST!, especially if you are using its sandboxing, so make sure Returnil is installed and working first, then install AVAST!. One thing I don't see in your flow of consciousness here is a less complicated approach.

    Have you looked into the well discussed combo of RSS + SandboxIE? It IS tested and many members have reported it as being a very good combination with low resource use...
     
  5. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    Right now I'm only investigating free-only (freeware) solutions. Sandboxie is freeware, but it also devolves into nagware. After a month of trialing and choosing to remain with the freeware version, Sandboxie starts to nag. I don't know the frequency, and it isn't often, but it is nagware. I'll use some adware, like Avast, which is not in-your-face adware (although Avast is getting worse with popups, whereas it used to only have their ad in the lower half of the summary config panel), but it would be rare that I ever use nagware.

    Sandboxie is a good product. The freeware version is crippled, and that's all its author should use to lure customers into buying the payware version. It shouldn't be using nags to push customers away (like me) or to buy it. Crippling the product to provide a still-usable freeware product is sufficient. If users want the non-crippled version to get the other features, then they go buy it. Those that only need the crippled version shouldn't get nagged about that choice.

    That Sandboxie nags is why I don't use it.
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I've tested Returnil System Safe Free with Comodo Firewall (Proactive Security) on Windows XP Pro SP3 and found it to be a good combination. They work well together and you get a good combination of system-wide virtualization and policy enforcement.

    No need for a separate AV with this combination. RSS Free contains VirusGuard and Comodo Firewall performs cloud-based behaviour analysis of unrecognised files.
     