Eight Sandboxes Reviewed

I have posted a link to Tech Support Alerts "Eight Security Sandboxes Reviewed and Rated" article below. My only disappointment is that DefenseWall was not tested. If it had been tested it would have done well.

http://www.techsupportalert.com/security_virtualization.htm


Peace & Love,

CogitoErgoSum

 

I think u can put the DefenceWall near about GesWall. Both look similar.
Review did not take into account the point that some of these like GesWall don,t isolate the file system, rather just the registry, to maintain functionality while others like sandboxie isolate every file/ reg enteries. U can,t compare the two in the same way.

 

Thanks for the link CogitoErgoSum.

Will admit I am a Sandboxie fanboy and it's great it did so well considering it's a 260 kb download and 900 kb installed.

Have been playing with SB for a while now and have set it's top level folder on another partition so C doesn't fragment as much.No slowdowns at all.

Just an observation I tried once:
Another quirk is that if you set the recycle bin on another partition as the top level folder it can't be seen by windows even though the properties show it is there.

You can still access the folder through Sandboxie.

Icesword can also see the folder.

 

Franklin, you are very welcome.


Peace & Love,

CogitoErgoSum

 

I've red carefully all this "review".

1. Malware isolation. If there is no file system virtualization it doesn't mean that malware is not isolated from the trusted system. If you create new file- does it isolated?

2. VELite and Altris are virtualization tools, there is no sandbox-based restrictions. They doesn't have to be there.

3. "I suspect that malware was penetrating the sandbox by getting access to raw memory through buffer overflow". No comments!

4. What does mean "raw memory access"? \Device\PhysicalMemory? Direct disk access?

5. If you terminate main GUI process of defense it doesn't mean defense is broken- good defense must be total driver-based (as my DefenseWall, for instance).

6. ShadowSurfer can be bypassed if malware loads driver, it doesn't protect from unauthorised driver installation.

7. What about other type of attacks? There are a lot of them!

My conclution- this review is an unprofessional .

 

The link for the testing methodologies does not exist.

Altiris, VELite, and Virtual Sandbox would certainly pass the malware isolation test. That should have tipped him that something was not right with his methodologies for either testing or measuring.

How did GreenBorder do so well with its user mode only sandboxing. If you download any 16 bit DOS program or a Windows program that runs in NTVDM it will perform all operations outside of the GreenBorder sandbox.

Again, where is the testing methodology?

This test seems not very useful or meaningful.

 

Geez,is there a testing where nobody complains.

Feathers get ruffled whenever anyone does objective testing.

That's because many forum users work on the basis that if they use a product it must be good and if anyone says otherwise they must be wrong.

Quote from the link:

"To answer these questions I used a number of different technical test procedures. Several of these were based upon the methodology devised by Michel Aparicio at his blog site: http://kareldjag.over-blog.com/10-category-69553.html Full details of the technical tests can be found below."

In this test the sandboxed PC was infected using a number of different methods.

The first (and perhaps most testing) infection method was to browse while sandboxed to a hostile "drive-by" web site.

The site I used, a Russian cracked software site, uses flaws in Windows and Internet Explorer to download malware without any user action or knowledge. Typical exploits include the well known iFrame and WMF exploits though the sites will repeatedly try a sequence of exploits if not initially successful. If finally successful, the sites download multiple malware products, often running into tens of megabytes.

 

I can never ever trust these so-called "reviews" of any type of security software. The results are not accurate in any way at all.

 

Good question. I was wondering that too. I don't think he was just looking at left over files, but whether they were still running after you cleared it. Otherwise I think GESwall would fail by default.

he admited that for Altris already he still tested it.

LOL.

For what's it worth I think he recognise this. Sandboxie failed because the sandboxed programs could access the system, so it means the driver was defeated.

True, but again I don't know what Shadowsurfer is doing in this test. Heck he even admits it. It's a totally different product, even though we tend to put it in the same category.

Well I don't think he is a professional or claims to be. He's at about the level of the average-higher level wilders member I think (does he read here? It sure looks like it!). Somewhat knowledgable but no expert.

 

In fact, SS is an advanced snapshot utility, not a sandbox.

Sorry, you are wrong. http://www.techsupportalert.com/contact.htm. "As a computer professional"....

 

Definately no expert here and from my laymans point of view I would just like to thank the author of those tests for taking the the time to do as such.

Whether nooby,amateur or professional hopefully we all have our objectives.

Keeping safe,learning and teaching!

 

nice link...my Sandboxie is excellent.

 

I agree that these tests seem a bit suspicious ( whether intentional or not ). I've been using the Virtual Sandbox product for a few months now, and have not had any problems.

I noticed that VS failed this first test, do you have the link to this Russion website? I ran similar tests before I started using VS in VMWare by going to similar sites (such as astalavista.com and going to serials.ws or whatever search engine and allow anything to be installed (activeX objects)). I would watch as the malware was being ran as well as downloading more malware to launch. When I cleared the sandbox, everything was removed. Any information would be greatly appreciated, thanks!

 

GesWall clears the registry but not the files. However the files remain isolated in any case I think.

 

Hi, folks: Does this mean that DeepFreeze is an advanced snapshot utility, in the same catagory as ShadowUser and ShadowSurfer? rather than a sandbox app?

 

Hi,

Snapshots, I don't think, but for sure this is more something as recovery software : There's no distinguishing in sandboxing (eg. all is sandboxed), whereas sandbox software are meant to isolate some datas from the rest of the system.

nicM

 

Thanks for posting this excellent link, CES! The test info therein led me to initiate a trial of Sandboxie -- its good results & small footprint are 2 things I admire.

So far Sandboxie is cruising along splendidly. My only objection is that its system tray icon made me hungry because it rather resembles a slice of pepperoni pizza.

Are the tests perfect? Of course not. But I think that they are a lot better than basing my selection on nothing, or upon merely the subjective opinions of other folks.

 

bellgamin, thanks for the kudos. Just doing my part to bring attention to application sandboxes which I have generally found to be unobtrusive, effective and a complimentary part of a layered defense strategy.


Peace & Love,

CogitoErgoSum

 

I totally agree.

 

Has anyone here ever had any experience with malware being able to leak outside the sandbox or be able to terminate Sandboxie itself? I suppose it's fair to say....it's coming.

 

In that case it will be fixed by the author of Sandboxie, just like Mozilla fixes Firefox constantly. It's a neverending story and is common for ALL softwares.

 

`````````````Greenborder is also nice. Ewido finds nothing because there isnt anything leftover to find.

 

yup the files remain but are "sterile" and can be deleted whenever you want. i've thrown lot's of horrible virri, trojans, and malware at geswall and it hasnt' let me down yet.

 

I like this approach as it gives a good balance of security and usability. I think both GeSwall and DefenceWall use this approach.

 

Franklin, could you please clarify on the “first infection method”. You wrote:

So, your criterion is "the sites download multiple malware products", I assume it means you see some new files downloaded on your system and consider that as a successful attack, right? Please correct me if I’m wrong.