Combining OA with Defensewall?

I am currently using Online Armor with Sandboxie and apart from one little issue they work well together.
I read a lot of positive reviews about Defensewall and looked at this as an alternative to Sandboxie. However, I am a bit confused on how DW differs from Sandboxie and if it could work well with OA?
I understand that

OA already provides a facility to run programs with limited rights (safer) - so my first query is if this duplication between the HIPS part of the firewall and DW may cause problems.
Secondly, I understand how sandboxie works (in practical terms only) but what would be advantages of DW over Sandboxie and vice versa?

Third, to cause more confusion - would threatfire be a good addition or just be overkill?

 

It is a policy-based sandbox with no file system and almost no registry virtualization (its defense is based on a inner ruleset) instead of SBIE.

Yes.

 

That's funny. I installed OA Free Firewall today combined with DefenseWall, Anti-Executable and ScripTrap.
I use DefenseWall mainly to lock my data partition, while I'm surfing on the internet (Sandboxie can do this too).
So far no problems, but one day isn't much to evaluate this combinaton.
I can't make up my mind regarding DW (policy-based) or SB (isolation).

 

Hi,

You can try this:

Put SBIE inside of DW (folder: C:/Sandbox ) as untrust, and disable your browser in DW.

Each time you surf net, everything is contained in SBIE, whatever leaks out of SBIE will be caught by DW. Double insulation normally will not go very wrong.

 

hmm...interesting approach...

 

Many thanks. I copied your post in my installation file. Next time when I need to change my on-line snapshot, I will follow your instructions. This way I can use both paid softwares.

PS: I ditched ScripTrap already, I couldn't read my .doc-files anymore.

 

When there is time, even triple insulation will go wrong. Infact such double insulation is a bit abnormal.

 

Hi,

Abnormal ? I am not quite sure about that. But I do know

There are something that DW can't do while SBIE can OR viceversa. although both are excellent products.

Therefore, compensating each other may not be a bad idea at all, and so far so good.

 

I will have a triple insulation :

1. Sandboxie
2. DefenseWall
3. System Partition : when a malware bypasses SB and DW, it has only access to my System Partition, because my Data Partition is locked.

A malware can indeed damage my boring System Partition without data, but I don't care about that, because one reboot and I'm back in business. The worst case scenario is a restore of a clean image.

I'm years ahead with my approach, which kills three kinds of malware :
- existing malware
- undiscovered malware
- unborn malware
while all these scanner-fans are still talking about viruses, trojans, keyloggers, spyware, worms, zero-day attacks, etc.
I'm only talking about "changes" and I remove any change during each reboot. That's why I remove virtumondo like peanuts, while 5 scanners couldn't remove it. It wasn't me but read this true story :

 

thank you - could you or someone explain this in somewhat easier terms? How exactly do these rulesets work and are they static, depend on the set-up or user decision (which would require some knowledge)?

 

1- policy-based sandbox: There is a list of applications to be watched. In order to do that, rules are created for each of these application, eg, forbidden to delete files, to modify files, or even read and/or access some area of the disk... These rulesets therefore depend on set-up, but depending on the sanbox, custom rules can be created (and require user decision - DW philosophy is to minimize to the strict minimum custom rules).

2- These predefined rules are "static", but through the mechanism of inheritance (or contamination), programs created by watched applications (sandboxed) inherit the sandboxed status and the rules applying to the parent process. This insures that nothing potentially bad will slip out the sandbox. The drawback is that some legitimate processes contaminated by the status of the parent application might not work properly due to sandbox rules (impossible to update a sandboxed application without running it first out of the sanbox.

3- no file system means that in a policy based sandbox, not everything inherits sandbox rules. Therefore files known to be of no risks (for example .txt files) are not concerned.

In SBIE, everything is supposed to inherit the sandboxed status: files, programs, process, threads, registry... This allows to permit much more behaviours inside the sandbox (not so limiting rules), but the problem arises when something needs things simultaneously from insise and outside or when you need to put on real system something from inside the sanbox (eg how to deal with mail programs...)