Combining OA with Defensewall?

Discussion in 'other anti-malware software' started by beethoven, Mar 28, 2008.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    I am currently using Online Armor with Sandboxie and apart from one little issue they work well together.
    I read a lot of positive reviews about Defensewall and looked at this as an alternative to Sandboxie. However, I am a bit confused on how DW differs from Sandboxie and if it could work well with OA?
    I understand that
    OA already provides a facility to run programs with limited rights (safer) - so my first query is if this duplication between the HIPS part of the firewall and DW may cause problems.
    Secondly, I understand how sandboxie works (in practical terms ;) only) but what would be advantages of DW over Sandboxie and vice versa?

    Third, to cause more confusion :D - would threatfire be a good addition or just be overkill?
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
It is a policy-based sandbox with no file system and almost no registry virtualization (its defense is based on an inner ruleset) instead of SBIE.

    Yes.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's funny. I installed OA Free Firewall today combined with DefenseWall, Anti-Executable and ScripTrap.
    I use DefenseWall mainly to lock my data partition, while I'm surfing on the internet (Sandboxie can do this too).
So far no problems, but one day isn't much to evaluate this combination.
    I can't make up my mind regarding DW (policy-based) or SB (isolation).
     
    Last edited: Mar 28, 2008
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    You can try this:

    Put SBIE inside of DW (folder: C:/Sandbox ) as untrust, and disable your browser in DW.

    Each time you surf net, everything is contained in SBIE, whatever leaks out of SBIE will be caught by DW. Double insulation normally will not go very wrong.
     
  5. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    hmm...interesting approach...
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
Many thanks. I copied your post in my installation file. Next time when I need to change my on-line snapshot, I will follow your instructions. This way I can use both paid products.

    PS: I ditched ScripTrap already, I couldn't read my .doc-files anymore.
     
    Last edited: Mar 28, 2008
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
When there is time, even triple insulation will go wrong. In fact such double insulation is a bit abnormal.
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

Abnormal? I am not quite sure about that. But I do know:

There are some things that DW can't do while SBIE can, or vice versa, although both are excellent products.

    Therefore, compensating each other may not be a bad idea at all, and so far so good.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
I will have a triple insulation:

    1. Sandboxie
    2. DefenseWall
3. System Partition: when a malware bypasses SB and DW, it has only access to my System Partition, because my Data Partition is locked.

    A malware can indeed damage my boring System Partition without data, but I don't care about that, because one reboot and I'm back in business. The worst case scenario is a restore of a clean image.

I'm years ahead :rolleyes: with my approach, which kills three kinds of malware:
    - existing malware
    - undiscovered malware
    - unborn malware
    while all these scanner-fans are still talking about viruses, trojans, keyloggers, spyware, worms, zero-day attacks, etc.
I'm only talking about "changes" and I remove any change during each reboot. That's why I remove Virtumonde like peanuts, while 5 scanners couldn't remove it. It wasn't me, but read this true story:

     
    Last edited: Mar 28, 2008
  10. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
Thank you - could you or someone explain this in somewhat easier terms? How exactly do these rulesets work, and are they static, or do they depend on the set-up or user decisions (which would require some knowledge)?
     
  11. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
1- policy-based sandbox: There is a list of applications to be watched. In order to do that, rules are created for each of these applications, eg, forbidden to delete files, to modify files, or even read and/or access some area of the disk... These rulesets therefore depend on set-up, but depending on the sandbox, custom rules can be created (and require user decision - DW philosophy is to minimize custom rules to the strict minimum).

2- These predefined rules are "static", but through the mechanism of inheritance (or contamination), programs created by watched applications (sandboxed) inherit the sandboxed status and the rules applying to the parent process. This ensures that nothing potentially bad will slip out of the sandbox. The drawback is that some legitimate processes contaminated by the status of the parent application might not work properly due to sandbox rules (impossible to update a sandboxed application without running it first out of the sandbox).

3- no file system means that in a policy-based sandbox, not everything inherits sandbox rules. Therefore files known to be of no risk (for example .txt files) are not concerned.

In SBIE, everything is supposed to inherit the sandboxed status: files, programs, processes, threads, registry... This allows much more behaviour inside the sandbox (not so limiting rules), but the problem arises when something needs things simultaneously from inside and outside, or when you need to put something from inside the sandbox on the real system (eg how to deal with mail programs...).
     
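A toy model of the two designs Lucy describes, added here as an illustration; it is not code from this thread, nor DefenseWall's or Sandboxie's implementation. The policy-based side tracks untrusted status per process, inherits it to child processes and to files an untrusted process creates (except a low-risk type), and refuses writes to a protected "data partition". The isolation side redirects every write from a sandboxed process into a container and leaves the real file system untouched until the user explicitly recovers a file. The protected prefix `D:/Data/`, the `.txt` exemption, the process names and the `recover` step are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

# Constructed values for this demonstration (assumptions, not DefenseWall's or
# Sandboxie's real configuration).
PROTECTED_PREFIXES = ("D:/Data/",)   # the "locked data partition" from the thread
LOW_RISK_EXTENSIONS = (".txt",)      # file types that never carry untrusted status


@dataclass
class Process:
    name: str
    untrusted: bool = False


class PolicySandbox:
    """Policy-based model: rules follow the process. Untrusted status is
    inherited by child processes and by files an untrusted process creates,
    except for low-risk file types; nothing on disk is virtualized."""

    def __init__(self):
        self.untrusted_files = set()
        self.log = []

    def write(self, proc, path):
        if proc.untrusted and path.startswith(PROTECTED_PREFIXES):
            self.log.append(f"DENY  {proc.name} write {path}")
            return False
        if proc.untrusted and not path.endswith(LOW_RISK_EXTENSIONS):
            self.untrusted_files.add(path)   # "contamination" of the new file
        self.log.append(f"ALLOW {proc.name} write {path}")
        return True

    def execute(self, parent, path):
        # A child inherits its parent's status; anything launched from a
        # contaminated file becomes untrusted even if the parent is trusted.
        child = Process(path.rsplit("/", 1)[-1],
                        untrusted=parent.untrusted or path in self.untrusted_files)
        self.log.append(f"SPAWN {child.name} untrusted={child.untrusted}")
        return child


class IsolationSandbox:
    """Isolation model: every write by a sandboxed process is redirected into
    a container; reads fall through to the real file system when the
    container has no copy. The real system only changes on an explicit
    'recover' step by the user."""

    def __init__(self, real_fs):
        self.real_fs = dict(real_fs)
        self.container = {}

    def write(self, proc, path, data):
        target = self.container if proc.untrusted else self.real_fs
        target[path] = data

    def read(self, proc, path):
        if proc.untrusted and path in self.container:
            return self.container[path]
        return self.real_fs.get(path)

    def recover(self, path):
        self.real_fs[path] = self.container.pop(path)


def demo_policy():
    """Browser runs untrusted; Explorer runs trusted and later opens a download."""
    sb = PolicySandbox()
    browser = Process("browser", untrusted=True)
    explorer = Process("explorer")
    results = {
        "download_exe": sb.write(browser, "C:/Downloads/setup.exe"),
        "download_txt": sb.write(browser, "C:/Downloads/readme.txt"),
        "data_partition": sb.write(browser, "D:/Data/report.doc"),
    }
    results["txt_contaminated"] = "C:/Downloads/readme.txt" in sb.untrusted_files
    results["setup_untrusted"] = sb.execute(explorer, "C:/Downloads/setup.exe").untrusted
    results["word_untrusted"] = sb.execute(explorer, "C:/Program Files/word.exe").untrusted
    return results


def demo_isolation():
    """A sandboxed mail client saves its mailbox; the real file is untouched
    until the user recovers it out of the container."""
    mailbox = "C:/Users/me/mail.pst"
    sb = IsolationSandbox({mailbox: "old mail"})
    mail_client = Process("mail", untrusted=True)
    backup_tool = Process("backup")
    sb.write(mail_client, mailbox, "new mail")
    seen_inside = sb.read(mail_client, mailbox)    # "new mail"
    seen_outside = sb.read(backup_tool, mailbox)   # still "old mail"
    sb.recover(mailbox)
    return seen_inside, seen_outside, sb.read(backup_tool, mailbox)


if __name__ == "__main__":
    print(demo_policy())
    print(demo_isolation())
```

Running it shows the two trade-offs in the post: in the policy model the download is allowed but contaminated, so Explorer launching it yields an untrusted process while the `.txt` stays clean and the data partition write is refused; in the isolation model the mail client sees its own saved mailbox while the trusted backup tool still sees the old file until the user recovers it.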