BufferZone - Question ? Plzz Help

Discussion in 'sandboxing & virtualization' started by SPEEDY6128, Feb 12, 2006.

Thread Status:
Not open for further replies.
  1. SPEEDY6128

    SPEEDY6128 Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    101
    Hi,

    Can anyone please help me. I think my brain's about to explode :eek: :eek: . Just been over to Castlecops reading about BufferZone and it sounded good. So I installed it to try it out. At first I thought great, this is such a great added layer of protection. But then I discovered that the maker of DefenceWall started claiming he could find a way to bypass BufferZone's protection and said it was easy and that it posed a threat. Both developers of both apps started having a go at each other. So I couldn't work out if BufferZone did in fact pose any security risk. What I'd really like to know is that with having all my security apps installed, i.e. antivirus, firewall, antispyware etc., does using my PC in BufferZone undermine my security apps and pose a risk? Are my security apps effective when running anything in BufferZone? Also, can all your running security apps autoupdate while being in BufferZone, and then still be up to date when you come out of BufferZone? I'm so confused o_O o_O o_O


    Plzzzzzzz help anyone o_Oo_O
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi SPEEDY6128,

    The "threat" you're talking about was a PoC made to show that an app running in BufferZone could load and call a driver outside the BZ (if I remember). It did work, but this "bug" was fixed in version 1.70.1, and the current one is 1.70.6 :) .

    Another thing: if such an exploit was possible, things should be different in "real life" though: for the bypass to work, the PoC had to have its own .dat file outside the BZ. A real malware, coming through the web, would then have to be able to create such a file outside the BZ to bypass BZ's protection... which is not currently allowed; all files coming from your browser are made virtual (unless you modify default settings). Programs running in BZ can't load drivers and services by themselves.

    Other tricks are maybe possible, I don't know, but this one doesn't seem to work anymore (I could check this incidentally lately, by trying to run a program in BZ while its driver was still loaded in memory).

    Cheers,
    nicM

    And do NOT run your security apps inside the BufferZone!!! Use the BZ for browsers, mail programs, IM, whatever you want except security programs (they wouldn't work anymore, due to the limitations BZ enforces on programs). Security apps (antivirus, firewall, etc.) will work with programs running in BZ, exactly as without BZ.
     
  3. SPEEDY6128

    SPEEDY6128 Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    101
    Many thanks nicM for the response, most appreciated.

    So just to clarify, all my security apps that auto load at boot are automatically selected as being outside the BufferZone?

    And with all my security apps being outside the BufferZone, if anything was to somehow get through BufferZone, my security apps would try to protect me just as if I was not using BufferZone in the first place?

    Many thanks again
     
  4. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Yes, your security apps should (and must) run outside the BufferZone; anyway, you can check what is running inside BZ by opening the main GUI: you have a "Programs running in BufferZone" large window; if it's empty, that means nothing is running inside - and programs running in BZ are listed in this window, with their icon. You can check which programs will run in BZ by clicking on the "Web protection", "Mail protection" and "P2P protection" links in the same main window (each link will show a list of apps running by default in BZ - you can add or remove apps if you wish).

    Furthermore, to reply to your first question, you can check the state of your security apps by clicking on the "Trusted process" tab at the top of the main window: all programs listed here are those running "normally", outside the BZ; all your security apps should be here.

    About your second question, yes, BZ doesn't change the way your security apps are protecting you. Although there are two differences: 1) The BufferZone security policy can prevent some malware from running, or from doing damage (autostart, driver install, scripts, trusted files access etc. can't happen for an app or file running in BZ; i.e. some malware is downloaded through your browser: this malware will run in the BZ too :D ; and don't forget you can delete every file created in the BZ by pressing the "Clean the BZ" button). And 2) your security apps will "see" and detect malware exactly as they do without BZ; the difference is if you download a virus, your AV will detect it in two locations: the current one (i.e. in your browser cache), and the virtual shortcut (BufferZone does store copies of virtual files in a "Virtual" folder, in the hard drive root). You can try to download eicar to see what I mean.

    Cheers,
    nicM
     
  5. SPEEDY6128

    SPEEDY6128 Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    101
    Can't thank you enough nicM mate. Cheers :) :) :) :) :) :)
     