DefenseWall and SandBoxIE

Discussion in 'other anti-malware software' started by Kaupp, Jul 24, 2006.

Thread Status:
Not open for further replies.
  1. Kaupp

    Kaupp Registered Member

    Joined:
    May 17, 2005
    Posts:
    59
    The protection offered by DefenseWall and SandBoxIE looks very similar to me, but I noticed that with SandBoxIE, system file and registry changes made during a session are intercepted, never touch the real system, and can be cleaned in one go by emptying the sandbox.

    But with DefenseWall I think the changes are not isolated from the system in the same way, and you must use a rollback feature or a separate malware cleaner if you want to remove traces from the system.

    Can anyone confirm if that is true?

    regards
    Kaupp
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, mostly, it is true.
     
  3. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I wish I knew that before I bought the license to your proggie, Ilya... I think that SandBox is better at protecting when I read that you agree on the first post. Why not make DW as good as the other?
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    But why do you think that a total virtualization scheme is something good? I can name you a lot of disadvantages of this technology.

    1. I may install a proxy/extension into your browser and control all your traffic. It is a very silent thing; you won't know. DefenseWall blocks it.

    2. When you empty the virtualization container, all your data and settings will be lost. DefenseWall allows you to clean up malware tracks manually under your full control. Your data and settings won't be lost.

    3. File system virtualization generates a lot of problems if you use third-party file managers (I use FAR, for instance).

    4. I don't think file system virtualization has a good learning curve for non-technical users (but, maybe, I'm wrong).

    5. It is possible to achieve a good protection level even without virtualization, and it is possible to have bad protection while using it, because the defense itself is, mostly, based on the sandbox's strength.

    Yes, I understand that other vendors show you only the advantages of virtualization technology, and they do, in fact, exist, but I mostly believe in the disadvantages, as I position DefenseWall for average users. In fact, there is some registry virtualization inside, but highly limited.
     
  5. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    OK, sounds OK to me. I hope others will shed some light on this too. Just out of curiosity, I want to learn things I don't know yet :)
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have not used DefenseWall but I have used GesWall (that is similar to DefenseWall) and Sandboxie. I am just an average user, but I think that though Sandboxie gives more protection because of total virtualization, it is at the expense of decreased performance. I have got serious issues with Opera, Yahoo Messenger etc. while running in Sandboxie (they will just get stuck) but no such issues so far with GesWall. So I think you have to choose between the two, and for an average user, especially as I do safe surfing, I will prefer more performance rather than more security (and what is the use of a security application if it becomes a hassle).
    BTW, I think both GesWall and DefenseWall use virtualization for the registry. Am I right Ilya?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You mean to say that it is the disadvantage of virtualization itself? Can you explain it more please.
     
    Last edited: Jul 25, 2006
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes more info on this please.

    This doesn't sound good to me. Does this mean that malware will actually be able to reach the real system? And I still don't exactly understand the difference between tools like DefenseWall and BufferZone and GreenBorder.

    Isn't there some kind of workaround? Data (favorites, browser settings, saved files) must not be lost if you clean/reset the sandbox. I'm not sure how this works in BufferZone and GreenBorder, maybe someone else can answer this.

    OT:

    @ Ilya

    When are you going to fix DefenseWall's GUI? It's simply horrible. :blink:
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It means that, if I install an extension into your browser, it will keep working with it until you clean up the virtualization container. But cleaning it up means that you have to dig into it to rescue your legitimately downloaded files. Same with the hidden proxy installation.

    Yup.

    Not quite. Even if you use virtualization, malware will be contained within your real file system. Only in another place. There are rules within DefenseWall about which file types untrusted processes may modify and which they may not.

    It is, mostly, in the use of the virtualization technique. They believe in the advantages of this technique; I, mostly, believe in the disadvantages. I'm just very careful with it. In fact, virtualization is just a tool, but any tool has pros and cons. The main aim of the developer is to use all the technology's advantages and minimize the disadvantages.

    I'm just in progress. If you have any suggestions about it, PM me.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the replies. I think a good firewall or other HIPS sure will catch it. So how does DefenseWall protect against it? By protecting the registry of the browser, I think? Is it just like the way some spyware adds a browser toolbar?
     
    Last edited: Jul 26, 2006
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Thanks for the feedback, it's still a bit confusing but I guess I will have to test these tools myself in order to get to understand them better. I think sandboxing can be a very effective protection against malware but they also seem to have drawbacks, for example, if you clean/reset a session all your data will be erased. However, for example Sandboxie gives you an option to recover certain files before cleaning the sandbox, perhaps DW can also offer this?
     
  12. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    The function is already there. The "clean up center". Essentially a list of files and registry settings DW has let an Untrusted application save to your hard drive. You can either remove items from the list (allow items to remain changed on your computer), erase items (removes them from the hard drive), or "Rollback" to a certain point in time, i.e. "I know I got whacked by something around noon so I'll roll back to this morning to be sure I remove everything bad" etc.
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, but not only registry! Mozilla/Firefox and Opera store this information in their files.

    Yup!

    Yes, it is. But, in fact, this option is for the advanced users who clearly understand what they are doing. Otherwise I always recommend using an AV engine to clean up malware modules; inactive malware is not dangerous, it can be cleaned up later, when its signature is added to the AV database. And, I suspect, most of the users will choose AV to clean up malware.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    A bit OT, but I think Opera does not allow any attachments to itself, but not sure, maybe some plug-in-like thing?
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW, I did an experiment a few days back. I scanned my system with SuperAntiSpyware, installed some spyware by running exe files as untrusted in DefenseWall, and scanned again with SAS; obviously it found many files and registry entries. Then I rolled back and removed all files and registry entries with DW. I re-scanned with SAS and it still found a few files and many registry entries. So rollback or cleaning by DW seems incomplete, at least by this experiment.
     
  16. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    There were *perhaps* dangerous files not seen by DW, even if this sounds unlikely (it did work fine with important files, during my tests), but be careful before jumping to conclusions here: SAS does include all files created by spyware, including stuff like .ico, .ini, and .pf files, etc.

    These extensions are not logged by DW, but that doesn't mean that DW did let some nasty files creep in! (Most of the time, these extensions are harmless.)

    And make sure to check for folders in DW's Rollback panel: I've noticed that sometimes files are listed here individually, aside from the folder they're located in (listed too). When you roll back these folders, all files inside are removed.

    Anyway I'm sure Ilya will make a more detailed reply about this matter ;) .

    nicM
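    nicM's two caveats above (a scanner lists file types the Rollback panel never logs, and rolling back a folder also removes the files listed inside it) can be checked mechanically against a scan report. The following Python is an added illustration, not DefenseWall's code or anything posted in this thread; the change log, the scanner findings and the set of unlogged extensions are all constructed for the demo.

```python
from collections import namedtuple
from datetime import datetime
from pathlib import PurePosixPath

# Extensions assumed never to reach the rollback log (nicM names .ico, .ini, .pf);
# the set is a demo assumption, not taken from DefenseWall.
UNLOGGED_EXTENSIONS = {".ico", ".ini", ".pf"}
# when: time of the change; path: file, folder or registry key (forward slashes)
Change = namedtuple("Change", "when path is_folder", defaults=(False,))
def rollback_targets(log, since):
    """Logged changes a rollback to `since` undoes; earlier entries survive."""
    return {c for c in log if c.when >= since}

def reconcile(findings, log, since):
    """Classify each scanner finding against a rollback to `since`:
    removed  - logged itself, or inside a logged folder that is rolled back
    unlogged - extension the log never records, so the file survives
    missed   - neither logged nor under a rolled-back folder (e.g. registry)"""
    rolled = rollback_targets(log, since)
    paths = {c.path for c in rolled}
    folders = [PurePosixPath(c.path) for c in rolled if c.is_folder]
    verdicts = {}
    for f in findings:
        p = PurePosixPath(f)
        if f in paths or any(d in p.parents for d in folders):
            verdicts[f] = "removed"
        elif p.suffix.lower() in UNLOGGED_EXTENSIONS:
            verdicts[f] = "unlogged"
        else:
            verdicts[f] = "missed"
    return verdicts

# Constructed log: a legitimate download at 09:00, an untrusted installer at noon.
LOG = [
    Change(datetime(2006, 7, 26, 9, 0), "C:/Downloads/report.pdf"),
    Change(datetime(2006, 7, 26, 12, 0), "C:/Program Files/SpyBar", is_folder=True),
    Change(datetime(2006, 7, 26, 12, 1), "C:/Program Files/SpyBar/spybar.dll"),
    Change(datetime(2006, 7, 26, 12, 1), "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/SpyBar"),
]
# Constructed scanner report: what a signature scanner lists after the install.
FINDINGS = [
    "C:/Program Files/SpyBar/spybar.dll",          # logged individually
    "C:/Program Files/SpyBar/toolbar.ico",         # only its folder is logged
    "C:/Windows/Prefetch/SPYBAR.EXE-1A2B3C4D.pf",  # unlogged extension, elsewhere
    "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/SpyBar",
    "HKCU/Software/SpyBar/Settings",               # registry key never logged
]
SINCE = datetime(2006, 7, 26, 11, 0)  # "got whacked around noon": roll back to 11:00
def demo():
    return reconcile(FINDINGS, LOG, SINCE)
```

    Only the "missed" entries are evidence against the rollback log itself; "unlogged" ones are the harmless leftovers nicM describes, and the earlier legitimate download is untouched by the rollback.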
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So what about registry entries?
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, it is possible that some entries might not be logged within 'Rollback'. This functionality is quite new and I'm still working on its improvement.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    @ Ilya

    Btw, now that I think of it, can't you give some more info (in detail) about DefenseWall on your site? For example, you say that untrusted processes are not allowed to do certain stuff. Perhaps you can tell us which things can't be modified by untrusted processes? I mean it's all a bit vague. I also do not understand the part about needing anti-malware tools to clean up your system from malware traces.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Maybe, but I'm not sure the average user will understand it. The information is too technical.

    You see, most of the users are afraid to do something wrong with their computers. That is why they prefer not to use rollback (they're afraid to erase something important), but use their AV already installed (an OEM-based one, for instance).
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Ilya, you don't have to go into complete technical details but a bit more info would be nice. Look at SBIE's or GreenBorder's site for example, they give a lot more info. Why not try to describe how DefenseWall is able to prevent malware from infecting your computer, and you can perhaps also give more info about the "rollback" feature. ;)
     