DefenseWall & SBIE

Discussion in 'other anti-malware software' started by stevan4, Jul 1, 2011.

Thread Status:
Not open for further replies.
  1. stevan4

    stevan4 Registered Member

    Joined:
    Feb 25, 2011
    Posts:
    85
    Simple question:
Just tell me briefly what the similarities and differences are between Sandboxie and DefenseWall.
    I'm a little confused about which one I should use for my needs.
    I'm using Sandboxie and I've tried DW. They feel similar to me in many aspects.
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Sandboxie allows you to run web browsers, email programs and any other programs of your choosing in a virtual environment. DefenseWall automatically sandboxes your browser, email, instant messaging and other programs it considers to have a potential for introducing infection onto your computer. DefenseWall uses an inbuilt list of untrusted applications. In short, that's the best I can do, but there is a lot more to Sandboxie and DefenseWall.
     
  3. stevan4

    stevan4 Registered Member

    Joined:
    Feb 25, 2011
    Posts:
    85
    I want to choose the best of those two for my setup in signature.
    Mamutu is permanent, L'n'S and Hitman Pro also.

    I can't figure out, by myself, the real advantages of DW and SBIE, and I'm in a hurry to buy a license for one of them.
     
  4. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I've been using DefenseWall for over a year along with Emsisoft Anti-Malware with no problems. EAM includes the behavior blocker (Mamutu). I added Look'n'Stop firewall a few months ago (with Phant0m's ruleset) and they all work together fine. See my post here: https://www.wilderssecurity.com/showpost.php?p=1897053&postcount=16358 for my setup.
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    If you are looking for full time, always on Windows protection, DW gives that. Sandboxie delivers its protection only to the apps running inside the sandbox.

    In my case, I have tried them both and like them both. But as time went on, I examined my needs closer and felt that Sandboxie was the best overall fit for me. So that is all I run now...
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Similarities - they are both sandboxes (which means they protect a system by isolating selected processes and applying different restriction policies to them).

    Differences - SB tries to be a "transparent" sandbox (which virtualizes service requests), while DW is rather a "blocking" one (as far as I know, for I haven't dealt with DW recently).

    Edit: And this is nothing but a poor attempt to answer your question and this is too far from being perfect.
     
    Last edited: Jul 1, 2011
  7. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Easy answer.
    DW is stupid-proof.
    Sandboxie is configurable.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Sandboxie is an application sandbox. The key feature of a sandbox is isolation not restriction. The only restrictions that a sandbox program must enforce are those necessary to prevent programs running inside the sandbox from stepping outside the boundaries of the sandbox. Sandboxie uses file system and registry redirection to a monitored folder to create a virtual sandbox environment in which programs can be run. Sandboxie does not provide system-wide protection as it only protects programs that the user chooses to run inside the sandbox. Because by default Sandboxie does not restrict what sandboxed programs can do, beyond the need to contain them within the boundaries of the sandbox, it is possible for malware to run inside the sandbox but it will be contained and cannot harm the real system. Sandboxie also has a rich set of policy restriction features that can be used to lock down the sandbox and make it very difficult for malware to even run. Sandboxie is well positioned to protect Internet facing applications such as browsers, but its use is not restricted to any specific type of program. Some people also use Sandboxie for testing software that does not need to install drivers or services.

    DefenseWall is not a sandbox. It is a policy restriction program that restricts what programs can do but it does not isolate them from the real system. It is very similar to HIPS, except that instead of having to build up a custom policy for each application by answering behavioural alerts, you simply choose whether the application should be treated as trusted or untrusted and an appropriate policy is automatically applied. Because DefenseWall operates by policy restriction rather than by isolation, it does provide system-wide protection for all programs running on the system. Policy enforcement for untrusted applications such as browsers should stop most if not all malware from being able to harm the system. However, as there is no isolation from the real system as with a sandbox, it is possible that a running program may leave traces on the real system before it is terminated. DefenseWall compensates for this by tracking changes and allowing a rollback of unwanted side effects. I think that DefenseWall also has partial registry virtualisation.

    DefenseWall and Sandboxie both provide excellent protection and because they are different types of application, they can be used together.
     
    Last edited: Jul 1, 2011
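As an added illustration (not code from either vendor or from any poster in this thread), here is a toy Python model of the two approaches pegr distinguishes above: copy-on-write redirection for the sandbox, and trust-policy enforcement with a change journal for the restriction program. The in-memory file map, the path names and the protected-prefix list are constructed for the demo; neither Sandboxie's nor DefenseWall's real driver logic is modelled.

```python
from typing import Dict, List, Optional, Tuple

# Locations an untrusted program must not modify directly (constructed list).
PROTECTED_PREFIXES = ("c:/windows/", "c:/program files/")


def is_protected(path: str) -> bool:
    return path.casefold().startswith(PROTECTED_PREFIXES)


class IsolationSandbox:
    """Isolation model: writes are redirected into an overlay (the sandbox
    folder); reads fall through to the real file only when no sandboxed copy exists."""

    def __init__(self, real: Dict[str, bytes]) -> None:
        self.real = real            # the real system (constructed stand-in: path -> bytes)
        self.overlay: Dict[str, bytes] = {}

    def read(self, path: str) -> bytes:
        if path in self.overlay:
            return self.overlay[path]
        return self.real[path]

    def write(self, path: str, data: bytes) -> None:
        # No policy check is needed: nothing written here can reach the real tree.
        self.overlay[path] = data

    def discard(self) -> None:
        # Emptying the sandbox undoes everything the contained program did.
        self.overlay.clear()


class PolicyRestriction:
    """Restriction model: writes act on the real tree but are checked against a
    trust policy. Untrusted programs are denied protected locations; writes
    elsewhere land on the real system, so a journal allows rollback of side effects."""

    def __init__(self, real: Dict[str, bytes], trusted: bool) -> None:
        self.real = real
        self.trusted = trusted
        self.journal: List[Tuple[str, Optional[bytes]]] = []

    def write(self, path: str, data: bytes) -> None:
        if not self.trusted and is_protected(path):
            raise PermissionError(f"untrusted write to {path} denied")
        self.journal.append((path, self.real.get(path)))   # remember the old contents
        self.real[path] = data

    def rollback(self) -> int:
        """Undo journaled changes newest-first; returns how many were reverted."""
        count = 0
        while self.journal:
            path, previous = self.journal.pop()
            if previous is None:
                self.real.pop(path, None)
            else:
                self.real[path] = previous
            count += 1
        return count


# Constructed sample paths and contents.
HOSTS = "C:/Windows/System32/drivers/etc/hosts"
NOTES = "C:/Users/alice/notes.txt"


def run_isolated() -> Dict[str, bytes]:
    """Hostile writes inside the sandbox: visible inside, invisible outside."""
    real = {HOSTS: b"127.0.0.1 localhost", NOTES: b"original notes"}
    sandbox = IsolationSandbox(real)
    sandbox.write(HOSTS, b"0.0.0.0 update.example")
    sandbox.write(NOTES, b"tampered")
    seen = {"inside_hosts": sandbox.read(HOSTS), "real_hosts": real[HOSTS]}
    sandbox.discard()
    seen["inside_hosts_after_discard"] = sandbox.read(HOSTS)
    seen["real_notes_after_discard"] = real[NOTES]
    return seen


def run_restricted() -> Dict[str, object]:
    """Same writes under policy restriction: the protected path is denied, the
    rest lands on the real system until it is rolled back."""
    real = {HOSTS: b"127.0.0.1 localhost", NOTES: b"original notes"}
    policy = PolicyRestriction(real, trusted=False)
    try:
        policy.write(HOSTS, b"0.0.0.0 update.example")
        blocked = False
    except PermissionError:
        blocked = True
    policy.write(NOTES, b"tampered")        # allowed: not a protected location
    trace = real[NOTES]                     # a trace left on the real system
    reverted = policy.rollback()
    return {"hosts_blocked": blocked, "real_notes_trace": trace,
            "reverted": reverted, "real_notes_after_rollback": real[NOTES]}


if __name__ == "__main__":
    print(run_isolated(), run_restricted(), sep="\n")
```

The two runs make the distinction concrete: inside the sandbox the tampered file is fully visible to the contained program yet the real map never changes, and discarding the overlay is the whole cleanup; under restriction the protected write is refused outright, but the unprotected one really does modify the system, which is exactly why a change journal and rollback are needed there and not in the sandbox.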
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Terrific answers, Kees1958 and pegr. :thumb:
    I had no idea that SBIE and DW could be effectively run together....
    creating what Scoobs72 coined, Defenseboxie. ;)
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Thanks. :)

    Regards
     
  13. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    I would have done that but I didn't have time. ;) My kids were screaming for lunch.
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    All the posts that were debating the proper way to ask the question have been removed along with a couple off-topic replies.
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    What is restriction? Something that makes a thing go differently from how you want/think it goes, something that limits a freedom, something that prevents something from achieving a real result and just mimics it or denies a request. From this point of view virtualization/isolation is a kind of restriction. It restricts you from affecting real resources. Any words here are imperfect and allow a fault. This is why you need many words, and still it does not help much to give a perfect explanation.

    And this is why a correctly stated question helps much in answering it :)
     
    Last edited: Jul 1, 2011
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Hey, I've got that trademarked...you get one free use of it, then royalties are due :D

    Seriously though, there have been some issues seen in the past when you use the two together. In principle they are the ideal pair - you can:

    1. Trust all your internet facing apps in DW, but then...
    2. run those same apps under Sandboxie, but...
    3. set the Sandboxie container as Untrusted so that anything that you recover from it is automatically untrusted by DW.

    Brilliant! But it didn't work 100% reliably when I tried it. I noticed some unreliability after a while (can't remember what exactly). But, it's well worth trying again as both apps have improved considerably since then.
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    All security software monitors and applies restrictions to running processes; otherwise it would be useless to prevent malware from running and causing harm to the system. The differences lie in the type of restrictions applied and the reasons for the restrictions in order to fulfil the strategic objectives of the solution.

    The key requirement of sandboxing programs, and what differentiates them from non-sandboxing programs, is the creation of a dual environment. A sandbox has to have an inside and an outside. The restrictions have to be just sufficient to prevent a breach of the boundaries of the sandbox, but they don't have to be able to prevent malware from running. The point of a sandbox is to contain and isolate the threat, not to prevent it from running.
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    While generally I agree with many things you say, I wonder where you got the description of what is _true_sandboxing_ vs _not true_ sandboxing? :) It may be I have missed something, but I never saw any official resource like an RFC to find accurate definitions. Though I saw a lot of unofficial resources, ideas, disputes, FAQs etc :)
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I think I understand where you're coming from and you raise some interesting points. :) Here's my perspective on this.

    Concepts aren't statements of fact so they are not in themselves true or false. When clearly defined, concepts help us to make useful distinctions when analysing the characteristics of things, but if not clearly defined they can obscure distinctions, which can lead to confusion. There is also the question as to what extent there is common agreement as to meaning. There's no point in defining something in a way that runs counter to what most people would accept, apart from the case where a concept is given a specific and precise meaning within a particular field of study that might not accord with its everyday usage.

    Taking the concept 'sandbox', there isn't a single definition that everybody would agree on. Some people talk of 'policy sandboxes' versus 'virtualisation sandboxes'. It's not wrong to do this but it's questionable as to how useful it is. The problem is that the only thing that a 'policy sandbox' and a 'virtualisation sandbox' have in common is that they both apply restrictions to running processes, but that's where the similarity ends. Without adding the qualification 'policy' or 'virtualisation' it's difficult to see what the term 'sandbox' is supposed to mean when used on its own.

    I chose to use the term sandbox in a way that does have a clear and specific meaning. There is fairly widespread support for this view. For example, the following entry in Wikipedia defines sandbox pretty much in agreement with the way I've used it:

    http://en.wikipedia.org/wiki/Sandbox_(computer_security)

    It's interesting to see that the developers of GeSWall, which is a similar type of application to DefenseWall, don't consider GeSWall to be a sandbox for exactly the same reasons, as described here in the GeSWall FAQS:

    http://www.gentlesecurity.com/docs/geswallfaq01.html#q4

    I accept that what I mean by the term sandbox is not the only possible definition, but I do think it's the most useful one. As this thread is about the differences between Sandboxie and DefenseWall, I tried to use the term sandbox in a way that helps to clarify the differences between the two programs. :)
     
    Last edited: Jul 1, 2011
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Sandboxie is natively 64-bit compatible.
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Maybe DW will have a 64-bit version in the future ;)
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Both are great programs, I think you should use the one that you feel more comfortable using. I used both and even used them together, never noticed a conflict, but my better senses told me that I had to choose one or the other. I chose Sandboxie, but if there was no Sandboxie, certainly I would be using DefenseWall now.

    I know some people see them as very different, but to me they are similar, even though they achieve what they do differently.

    I trust both and recommend both, take your pick, it's a winner.

    Bo
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Some facts/ideas to add.

    At the moment Avast and Comodo (at least) claim to use sandboxing. Not to forget about Chrome. This is not a complete list, just the examples that should be taken into account once we talk about sandboxing.

    Is their claim valid? To be fair I can't say. The main problem I see is an absence of a stable terminology, which makes me try to avoid terminology-based conclusions in favor of description-based conclusions. Unstable terminology has a high risk of starting a "holy war" and allows a dispute to turn into a mess :)
     
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    That is to say, MS made a great step toward restricting third-party vendors from being able to create reliable protection for the x64 platform. While they pushed the vendors out of the kernel, they left a way for malware to use kernel services by syscall (which is impossible to monitor). And I have a feeling that they (MS) are not going to stop moving in this direction, which makes me feel sceptical about the future of third-party security under x64.
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I agree that unstable terminology is undesirable. Among the vendors you mention though, there does seem to be a consensus between them as to what they mean when they claim to have added sandboxes to their products.

    Avast, Comodo, and Google Chrome sandboxes all create isolated environments for running untrusted software. They are more than just policy restriction within the context of the real system. For example, Comodo has always been based on restriction by policy - it's a classical HIPS - but it's only recently (starting with Version 4) that a sandbox has been added.

    http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=455#idt_09

    http://forums.comodo.com/defense-sa...-technical-discussion-t50176.0.html;msg364229

    http://dev.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ

    The fundamental issue as I see it is that, if the term sandbox is no more than a synonym for restriction, it ceases to have any real meaning and identity of its own as an independent concept. Irrespective of whether we agree on this point, hopefully the discussion we have been having will be of some value to other people reading this thread in terms of an understanding of the similarities and differences between DefenseWall and Sandboxie, whatever we choose to call them. :)
     