BufferZone versus malware

Discussion in 'sandboxing & virtualization' started by aigle, Sep 1, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Recently I got a free license for BufferZone Pro. I have used its free version for some time (this was the time when the free version was as capable as Pro, but as far as I know the current free version is limited compared to Pro). I always liked BZ and the only complaint I have about it is a bit of slowdown on launch of bufferzoned applications, but that is tolerable.
    It has a nice GUI (probably the best GUI of all sandboxes). Like DefenseWall it has zero pop-ups, so it might be good for users who don't like pop-ups. It has four processes running in Process Explorer, but the total memory taken by them is acceptable (all in all about 20 MB). There is an option for confidential files too that will be hidden from untrusted (BufferZoned) processes. Also you can mark any process as Forbidden, which will deny all access to it and will deny its execution as well.

    I tried it against a few malware samples and my findings are as follows:

    Advanced Process Terminator from DCS: I tried to kill IE (that was running outside of BZ) via APT running inside BufferZone.
    APT failed to kill IE; all tests passed by BZ.
    BTW the BufferZone service is itself immune to termination by any process/malware etc. APT, even running outside of BufferZone, was unable to kill the BZ service. Very hardened self-defense indeed. I have rarely seen such type of self-defense.

    Advanced Process Manipulation by DCS: tried to kill IE, which failed. BZ passed.

    Simple Process Terminator from SysSafety: All tests passed

    A special termination method, discussed in this thread:

    https://www.wilderssecurity.com/showthread.php?t=172653&highlight=termination

    VideoLinkParser while running inside BufferZone failed to kill RegMon. BZ passed.

    An interesting kill method: Spy.exe running inside BufferZone was able to kill IE running outside of BZ. BufferZone FAILED.

    http://www.kobik.net/spy_capture.asp

    SysSafety KeyLogger test: All four tests passed

    Martin's Undetectable Keylogger: Pass. An interesting thing is that unlike most other sandboxes and HIPS, BZ stops MUK totally, as it does not allow even the logging of Alt, Shift, Ctrl etc. keys. Very well, PASS.

    AKLT by FireWall tester: BZ passed first two key logging methods but failed the last one.

    KeyHook by DCS: BZ Passed.

    Home Key Logger and Family Key Logger (use global hooking): I installed them outside of BZ and then launched the main executable inside BZ; they were able to set a global hook (that was located outside of BZ) and logged keystrokes successfully. If I shifted the DLL inside BZ and then executed the main executable inside BZ, BZ passed, as no keys were logged. I am not sure whether it should be regarded as a pass or a fail. To me it appears as FAIL. I will see what they reply to it on their forums.

    Zilla (Browsezilla) trojan/worm: PASS. It was able to copy its executable to C:\ but all executables were inside BZ and if executed they would crash. PASS

    GlobalHook (keylogger behaviour): I used YzShadow, which uses a global hook (a legitimate hook, but a similar hook can be used by malware). It failed to set the global hook. PASS

    I am not sure, but BZ's behaviour regarding global hooks seems inconsistent. It blocks the global hook by YzShadow.exe but allows global hooks by HomeKeylogger and FamilyKeyLogger. There was nothing wrong in my testing; probably it's something wrong in BZ's behaviour, and I will have to wait for their reply in this regard.

    BlackDay Trojan (it's a very nasty trojan. It overwrites a lot of the executables on your different HD partitions, converting them into its copies. Not only do you get a lot of malware executables, but you also lose all the executables overwritten by the trojan. One important thing is that it does not remain limited to the C partition but jumps to other partitions as well, so if you are covering your C partition with some instant recovery software like FDISR, Returnil or PowerShadow etc., it might not help you, as the trojan will infect your non-OS partitions as well):
    BZ passed here. All copies of the trojan were isolated inside BufferZone and it was not able to overwrite any executables. The only problem I noted was that on attempted termination through BZ, I was not able to terminate the BlackDay trojan process (may be some problem just on my system).

    DFK Threat Simulator: Passed. Although I got the message that you have been owned, I think all of DFK Threat Simulator's activity was inside BufferZone. I was not able to terminate Win32.exe though (as challenged by DFK Threat Simulator), but I checked and it was in fact running inside BufferZone, so on reboot everything should have been fine, but I was not able to verify as I did all this testing in ShadowMode and would have lost everything on reboot. I will say it's a Pass. Being unable to terminate win32.exe seems a bug of BZ, just like the BlackDay trojan above.

    RegTest (1 and 2) by Ghost Security: Pass. It was unable to reboot the system, though I was not able to reboot manually to confirm it (due to ShadowMode).

    W32/Virut.P trojan (it was the trojan one user got from an infected torrent (a crack); it messed with the FDISR service and infected the other snapshot of FDISR as well. When I tried it, it was not even detected by many AVs on VirusTotal. On my system it killed my AV, Antivir. I tested it with Antivir's guard off as it was detected by Antivir). BZ passed, as the trojan was not able to mess with Antivir and other processes (grossly).

    Qucan IM worm (IM-Worm.Win32.Qucan.a / Win32.Worm.IM.Sohanat.A): This worm disables RegEdit and Task Manager. BZ Passed.

    XP Killer trojan: It disables three services: Windows Firewall, System Restore and Automatic Updates. BZ Passed.

    Brontok worm: It makes a lot of copies of itself. BZ passed. All copies of the worm were isolated inside BZ.

    In order to check the malware cleaning capability of BZ, I installed an IE spyware toolbar inside BufferZone. It was installed OK inside BufferZoned IE. When I launched IE outside BufferZone, there was no toolbar. On launching IE inside BZ, the toolbar was there. I then emptied BufferZone, removing all BZoned registry entries and files. I launched IE inside BZ and the spyware toolbar was gone. Same results with a legitimate toolbar (Google Toolbar). PASS

    SDT Unhooker malware (called RKIT/Agent.EZ by Antivir): Once executed it unhooks all HIPS SSDT hooks, making them blind. BZ passed.

    Prueba trojan discussed here:

    https://www.wilderssecurity.com/showthread.php?t=179003&highlight=SSM bypassed

    BZ failed, as Prueba was able to make its copy outside of BufferZone in the Program Files > Config32 folder. (BTW CH failed against it, but beta1 of ThreatFire stops this trojan.)

    KillDisk virus: not tested as I have no VM. Anyone please?

    Results are quite good in my opinion. The only failures are against some keyloggers and Prueba.

    I will make a thread over on their forums. Let's see what their response is.
    Now I wonder why BZ is not so popular; it seems quite strong and I was able to run it along with Antivir, EQSecure, GeSWall, ThreatFire, and ShadowSurfer without any conflicts. That shows a lot of compatibility in my opinion.

    Note: during this testing there was a minor problem with the BZ install (due to my system, not due to BufferZone). I uninstalled BZ, then when I tried to reinstall, I did not find the key (I could not re-retrieve it from my e-mail as I had no internet at that time), so I just did a system restore that brought BZ's installation back, though some of its functions/options were disabled (making it more like a free version). I don't however think that the results are affected by this in any way.
    BZ 1.jpg
    BZ3.jpg
    BZ4.jpg
    BZ5 (1).jpg
    bz6.jpg
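The Zilla, BlackDay and toolbar results above all come down to the same mechanism: a file-system-virtualizing sandbox lets untrusted processes read the real disk but captures every write in an overlay, and "emptying" the sandbox discards that overlay. The following Python model is an added example written for this thread (not BufferZone's or Sandboxie's code); the paths, file contents, the "confidential files" set and the overwriting-worm behaviour are all constructed for the demo.

```python
# Added example, not BufferZone's code: a toy model of copy-on-write
# file-system virtualization. Host paths, contents and the worm are constructed.
from dataclasses import dataclass, field

WORM_BODY = b"WORM-PAYLOAD"   # constructed stand-in for a self-copying executable


@dataclass
class VirtualFS:
    """Host view plus an overlay that captures every write by an untrusted process."""
    host: dict                                      # real files: path -> content
    overlay: dict = field(default_factory=dict)     # sandboxed writes: path -> content
    deleted: set = field(default_factory=set)       # paths an untrusted process "deleted"
    confidential: set = field(default_factory=set)  # hidden from untrusted processes

    def listdir(self, trusted):
        if trusted:
            return sorted(self.host)
        visible = (set(self.host) | set(self.overlay)) - self.deleted - self.confidential
        return sorted(visible)

    def read(self, path, trusted):
        if trusted:
            return self.host.get(path)
        if path in self.confidential or path in self.deleted:
            return None
        return self.overlay.get(path, self.host.get(path))   # overlay shadows host

    def write(self, path, data, trusted):
        if trusted:
            self.host[path] = data
        else:
            self.overlay[path] = data      # redirected: the host file is never touched
            self.deleted.discard(path)

    def delete(self, path, trusted):
        if trusted:
            self.host.pop(path, None)
        else:
            self.overlay.pop(path, None)
            self.deleted.add(path)         # only hidden from the sandboxed view

    def empty_sandbox(self):
        """'Empty BufferZone': discard everything the untrusted processes did."""
        self.overlay.clear()
        self.deleted.clear()


def run_overwriting_worm(fs, trusted):
    """Constructed BlackDay-style behaviour: replace every visible .exe on every
    drive with a copy of the worm and drop an extra copy in C:\\."""
    for path in fs.listdir(trusted):
        if path.lower().endswith(".exe"):
            fs.write(path, WORM_BODY, trusted)
    fs.write(r"C:\worm.exe", WORM_BODY, trusted)


def fresh_host():
    # Constructed host disk: an OS partition plus a non-OS partition the worm also targets.
    return {
        r"C:\Windows\notepad.exe": b"MZ-notepad",
        r"D:\tools\procexp.exe": b"MZ-procexp",
        r"D:\docs\notes.txt": b"hello",
    }


def demo():
    """Run the worm sandboxed, then unsandboxed, and report what each view sees."""
    secret = r"D:\docs\notes.txt"
    sandboxed = VirtualFS(fresh_host(), confidential={secret})
    run_overwriting_worm(sandboxed, trusted=False)
    result = {
        "host_intact": all(v != WORM_BODY for v in sandboxed.host.values()),
        "sandbox_sees_worm": sandboxed.read(r"D:\tools\procexp.exe", trusted=False) == WORM_BODY,
        "worm_copy_escaped": r"C:\worm.exe" in sandboxed.host,
        "confidential_hidden": sandboxed.read(secret, trusted=False) is None,
    }
    sandboxed.empty_sandbox()   # the cleanup step from the toolbar test
    clean_view = sandboxed.listdir(trusted=False)
    result["clean_after_empty"] = (
        clean_view == sorted(set(fresh_host()) - {secret})
        and all(sandboxed.read(p, trusted=False) == fresh_host()[p] for p in clean_view)
    )
    unprotected = VirtualFS(fresh_host())
    run_overwriting_worm(unprotected, trusted=True)   # same worm outside the sandbox
    result["unprotected_damaged"] = unprotected.host[r"D:\tools\procexp.exe"] == WORM_BODY
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model also shows why "all copies were inside BZ" and "the toolbar was gone after emptying" are the same observation: the sandboxed process sees its own writes through the overlay, but the trusted view never changes, so discarding the overlay is the whole cleanup. Note what the model does not cover: the keylogger and process-termination results above are about hooks and process access, not the file system, which is why a sandbox can pass every file-system test and still fail those.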
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Nice job aigle! Also nice find with the spy.exe process termination method. I'm amazed BZ failed. Damn, how many ways are there to kill a process? :)

    PS aigle, did you get your free key to BZ from the giveaway.com or something site? If so, the downside is that that version of BZ isn't entitled to updates at all. If not, ignore this part of my post ;)
     
  3. tamdam

    tamdam Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    88
    Hey aigle, nice tests!

    Re: why it's not more popular, it's because it takes up more CPU usage than the likes of Sandboxie, and I think a lot of people see lots of fluff compared to Sandboxie for the same purpose. Maybe I'm wrong.

    But also Sandboxie is free. BufferZone has a free version too, but I think it's limited in some way.
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    As the other posters already said, very nice job!

    Question: why does BZ have problems with keyloggers but seems resolute against pretty much everything else?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  6. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks for the tests aigle!
    The BlackDay trojan is one of the few malware types that I am truly afraid of. Limited user or FDISR won't help against it. To make images of all my hard drives/partitions would require a really big backup drive, at least until I figure out why my SP won't compress.
    Maybe it is an old malware, but I didn't know they were out there; I have been expecting one though. I know I am a bit ignorant about this, maybe I have put my head in the sand before, but I have not read about such malware for years. Is it, or malware like it which spreads to other drives, common?

    Maybe I have to install Returnil, Shadow Defender or PowerShadow to protect my other partitions and drives after all.... Drat! Now that I moved on to a lighter security setup and was very happy with it :(
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    Good job. You have tested sandboxes often. You are also on the game with NeoavaGuard and EQSecure.

    I am wondering, when you separate fun from necessity, you must have experienced yourself that a defense consisting of
    - Hardware Firewall
    - Sandbox (GeSWall, DefenseWall, Sandboxie or BufferZone)
    - Antivirus
    - Behavior Blocker (ThreatFire free, Norton AntiBot)

    would offer sufficient protection and can be configured and operated very easily.

    Regards Kees
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I use the EQS file protection feature (very strong indeed). NG will cover it also, due to the filter for "stopping an executable from making a copy of itself". ThreatFire/CH will protect too, I think. Any sandbox like BZ, GW, SBIE will protect as well.
    Otherwise separate your data from the OS (two partitions), image the OS partition and make a backup of the data, and put them offline.
    I can't think of any other ways ATM.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    For reality:

    Ya! A FW, an AV and common sense/safe habits might be enough!
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, I think I may answer your question why BZ is not so popular. The point is that SBIE is the same sandbox type software (with file system virtualization), much smaller, almost free :). As for simplicity, policy-based sandboxes without file system virtualization are out of competition.

    Also, there is one more point here. It is interesting, but one-wizard-man projects take more sympathy (from my own experience). Don't know why, I may only guess...
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    SBIE is sure the most popular one.
    BTW does anybody know, out of SBIE, GW, DW, BZ and VS, which one was launched first and which was launched last of all?
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Tzuk actually posted here trying to generate interest around 3 years ago.
    My oh my, Sandboxie has certainly come a long way since!
    First Wilders mention

    Another old post
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    thanks.
     
  14. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    I also tried BZ Pro with the free licence... However it still has issues; AdMuncher and Roboform are not compatible... Sandboxie on the other hand works perfectly here and in my mind it's an absolute winner!
     
  15. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Sandboxie slows down my web browsing too much. Very uncool.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Thanks for the test drive Aigle. I never doubted the fact that BZ gives good protection, but every time I tried it, it used way too many resources and it was very sluggish. Just like the new SafeSpace, which is similar. Sandboxie is like 10x better. And are you sure you could run it with all these tools without system slowdown? On my virtual machine it's even sluggish without any other tools installed. :blink:
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Equal results here. Way back, some time ago, I really was encouraged with BZ and actually tried to live with the limitation of it slowing browsing, but that became a real issue for a speedster like myself.

    I'm sure it's developed far beyond and is better now than when I tried it before.

    Likewise, thanks for the test results, impressive. Like others I've settled into Sandboxie for the time being, but am not deterred from BufferZone in any way, especially by results like those.

    If the system can handle it, BZ appears a viable alternative.
     
  18. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi Rasheed187

    Completely the opposite here with BufferZone. No apparent slowdown and the resource numbers seem ridiculously low. I'll post them when on the machine in question.

    Returnil doesn't complain either and vice versa.
     
  19. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    As the others said, nice job aigle! As for people preferring Sandboxie, from what I have read it would fail at many of the tests BufferZone passed (please let me know if my readings are incorrect). So if true, I am not sure why people prefer to use a product that is not as safe even though it is free, unless the funds are just not available. In that case I totally understand.

    Thanks,

    Chris
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Can anyone perform the same tests with Sandboxie and post the results?
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes, I hope Aigle will do this, but I have no reason to believe that SBIE can't stop most of these tests. All tests that try to modify the file system and registry will probably be passed. I do know that SBIE does not protect against keyloggers. And if you look at performance, it's also quite easy to install apps in the sandbox; I wonder if BufferZone can do the same?

    @Old Monk, I suppose it might depend on your system configuration; for me it always felt quite heavy. The last time I checked was about 3 months ago, and I think it's unlikely that resource usage has been improved that dramatically.
     
    Last edited: Sep 10, 2007
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am really sorry, no time ATM and no internet access.

    I have tried SBIE against malware many times. Its only weaknesses seem to be keyloggers and some termination attempt failures; otherwise it's very strong. Sure, better than BZ.
     
    Last edited: Sep 23, 2007
  23. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Not sure if it's better or not, but Trustware does offer $500.00 for anyone that can show that BZ was breached: http://www.trustware.com/virtualization/500.html

    "Your PC is secure from viruses, spyware and malware while you surf the Internet, download and open files within the virtual BufferZone. Trustware is willing to pay $500 to anyone who can prove otherwise."

    Thanks,

    Chris
     
  24. Dogbiscuit

    Dogbiscuit Guest

    Are you sure about this? What does "Limited user... won't help against it [Blackday]" mean? I thought malware executed in an LUA cannot write or delete system files?
     
    Last edited by a moderator: Sep 24, 2007
  25. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I am not worried about my system files; LUA does an excellent job in protecting them and FDISR can restore the C drive. I am worried about malware that targets my other partition (and drives?).
