Eight Sandboxes Reviewed

Discussion in 'sandboxing & virtualization' started by CogitoErgoSum, Sep 13, 2006.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    I have posted a link to Tech Support Alerts "Eight Security Sandboxes Reviewed and Rated" article below. My only disappointment is that DefenseWall was not tested. If it had been tested it would have done well.

    http://www.techsupportalert.com/security_virtualization.htm


    Peace & Love,

    CogitoErgoSum
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think you can put DefenceWall near about GesWall. Both look similar.
    The review did not take into account the point that some of these, like GesWall, don't isolate the file system, rather just the registry, to maintain functionality, while others like Sandboxie isolate every file/registry entry. You can't compare the two in the same way.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for the link CogitoErgoSum.:)

    Will admit I am a Sandboxie fanboy and it's great it did so well considering it's a 260 kb download and 900 kb installed.

    Have been playing with SB for a while now and have set its top level folder on another partition so C doesn't fragment as much. No slowdowns at all.

    Just an observation I tried once:
    Another quirk is that if you set the recycle bin on another partition as the top level folder it can't be seen by windows even though the properties show it is there.

    You can still access the folder through Sandboxie.

    Icesword can also see the folder.
     
  4. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Franklin, you are very welcome.


    Peace & Love,

    CogitoErgoSum
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I've read carefully all this "review".

    1. Malware isolation. If there is no file system virtualization it doesn't mean that malware is not isolated from the trusted system. If you create a new file, is it isolated?

    2. VELite and Altiris are virtualization tools, there are no sandbox-based restrictions. They don't have to be there.

    3. "I suspect that malware was penetrating the sandbox by getting access to raw memory through buffer overflow". o_O No comments!

    4. What does "raw memory access" mean? \Device\PhysicalMemory? Direct disk access?

    5. If you terminate the main GUI process of a defense it doesn't mean the defense is broken; a good defense must be totally driver-based (as my DefenseWall, for instance).

    6. ShadowSurfer can be bypassed if malware loads a driver; it doesn't protect from unauthorised driver installation.

    7. What about other types of attacks? There are a lot of them!

    My conclusion: this review is unprofessional :thumbd: .
     
  6. ShinyThings

    ShinyThings Registered Member

    Joined:
    May 8, 2006
    Posts:
    1
    The link for the testing methodologies does not exist.

    Altiris, VELite, and Virtual Sandbox would certainly pass the malware isolation test. That should have tipped him off that something was not right with his methodologies for either testing or measuring.

    How did GreenBorder do so well with its user mode only sandboxing? If you download any 16 bit DOS program or a Windows program that runs in NTVDM it will perform all operations outside of the GreenBorder sandbox.

    Again, where is the testing methodology?

    This test seems not very useful or meaningful.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Geez, is there a test where nobody complains? :)

    Feathers get ruffled whenever anyone does objective testing.

    That's because many forum users work on the basis that if they use a product it must be good and if anyone says otherwise they must be wrong.

    Quote from the link:

    "To answer these questions I used a number of different technical test procedures. Several of these were based upon the methodology devised by Michel Aparicio at his blog site: http://kareldjag.over-blog.com/10-category-69553.html Full details of the technical tests can be found below."

    In this test the sandboxed PC was infected using a number of different methods.

    The first (and perhaps most testing) infection method was to browse while sandboxed to a hostile "drive-by" web site.

    The site I used, a Russian cracked software site, uses flaws in Windows and Internet Explorer to download malware without any user action or knowledge. Typical exploits include the well known iFrame and WMF exploits though the sites will repeatedly try a sequence of exploits if not initially successful. If finally successful, the sites download multiple malware products, often running into tens of megabytes.
     
  8. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I can never ever trust these so-called "reviews" of any type of security software. The results are not accurate in any way at all.
     
  9. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Good question. I was wondering that too. I don't think he was just looking at left over files, but whether they were still running after you cleared it. Otherwise I think GESwall would fail by default.



    He admitted that for Altiris already, and he still tested it. :)

    LOL.

    For what it's worth I think he recognises this. Sandboxie failed because the sandboxed programs could access the system, so it means the driver was defeated.

    True, but again I don't know what ShadowSurfer is doing in this test. Heck, he even admits it. It's a totally different product, even though we tend to put it in the same category.

    Well, I don't think he is a professional or claims to be. He's at about the level of the average-to-higher level Wilders member I think (does he read here? It sure looks like it!). Somewhat knowledgeable but no expert.
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, SS is an advanced snapshot utility, not a sandbox.

    Sorry, you are wrong. http://www.techsupportalert.com/contact.htm. "As a computer professional"....
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Definitely no expert here, and from my layman's point of view I would just like to thank the author of those tests for taking the time to do as such. :)

    Whether nooby, amateur or professional, hopefully we all have our objectives.

    Keeping safe, learning and teaching!
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    nice link...my Sandboxie is excellent. :thumb: :-*
     
  13. stewieg

    stewieg Registered Member

    Joined:
    May 24, 2006
    Posts:
    3
    I agree that these tests seem a bit suspicious ( whether intentional or not ). I've been using the Virtual Sandbox product for a few months now, and have not had any problems.

    I noticed that VS failed this first test; do you have the link to this Russian website? I ran similar tests before I started using VS in VMware by going to similar sites (such as astalavista.com and going to serials.ws or whatever search engine and allowing anything to be installed (ActiveX objects)). I would watch as the malware was being run as well as downloading more malware to launch. When I cleared the sandbox, everything was removed. Any information would be greatly appreciated, thanks!
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GesWall clears the registry but not the files. However the files remain isolated in any case I think.
     
  15. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Does this mean that DeepFreeze is an advanced snapshot utility, in the same category as ShadowUser and ShadowSurfer, rather than a sandbox app?
     
  16. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi,

    Snapshots, I don't think, but for sure this is more something like recovery software: there's no distinguishing in sandboxing (e.g. all is sandboxed), whereas sandbox software is meant to isolate some data from the rest of the system.

    nicM
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Thanks for posting this excellent link, CES! The test info therein led me to initiate a trial of Sandboxie -- its good results & small footprint are 2 things I admire.

    So far Sandboxie is cruising along splendidly. My only objection is that its system tray icon made me hungry because it rather resembles a slice of pepperoni pizza.;)

    Are the tests perfect? Of course not. But I think that they are a lot better than basing my selection on nothing, or upon merely the subjective opinions of other folks.
     
  18. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    bellgamin, thanks for the kudos. Just doing my part to bring attention to application sandboxes, which I have generally found to be unobtrusive, effective and a complementary part of a layered defense strategy.


    Peace & Love,

    CogitoErgoSum
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I totally agree.
     
  20. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Has anyone here ever had any experience with malware being able to leak outside the sandbox or be able to terminate Sandboxie itself? I suppose it's fair to say....it's coming.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In that case it will be fixed by the author of Sandboxie, just like Mozilla fixes Firefox constantly. It's a neverending story and is common for ALL software. :)
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Greenborder is also nice. Ewido finds nothing because there isn't anything leftover to find.
     
  23. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    yup, the files remain but are "sterile" and can be deleted whenever you want. i've thrown lots of horrible viruses, trojans, and malware at geswall and it hasn't let me down yet.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I like this approach as it gives a good balance of security and usability. I think both GeSwall and DefenceWall use this approach.
     
  25. BrianW

    BrianW Registered Member

    Joined:
    Sep 23, 2006
    Posts:
    2
    Franklin, could you please clarify on the “first infection method”. You wrote:
    So, your criterion is "the sites download multiple malware products", I assume it means you see some new files downloaded on your system and consider that as a successful attack, right? Please correct me if I’m wrong.
     