Geswall, SandBoxie & Keyloggers

Discussion in 'other anti-malware software' started by TerryWood, Mar 18, 2009.

Thread Status:
Not open for further replies.
  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi

    Recently there has been a spate of "keylogger" posts among which Geswall has featured in its reported failure to contain them.

    I am particularly interested in Geswall (because I like it) even though I use Sandboxie. Geswall certainly does not slow down my browsers on start up in the way that Sandboxie does.

    The reason for using Sandboxie is that for browsing it is possible to set it up so that it contains everything (does not allow anything to run other than the browser), so that, providing your system is clean, it is my understanding that if a keylogger is resident in the sandbox it cannot run.

    With GeSWall, if it cannot contain the keylogger then it is insecure. It is my impression that when loopholes are found in GeSWall they do take some time to plug, whereas Sandboxie appears to be under constant development.

    GeSWall's ability to track files is a real benefit, particularly on mail files, because you "can have your cake and eat it", whereas with Sandboxie you either cannot recover your mail files on a permanent basis in order to protect your system, or, if you do allow access to your mail files for permanent storage, you are relatively unprotected.

    Question

    1) Because I am not an expert in the way that a number in this forum could claim to be: is the above analysis of the protection differences fair and reasonable?

    2) Is it considered that GeSWall's vulnerability to keyloggers is serious, as are the rather slow program updates to counter these threats?

    Thanks for your help

    Terry
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    New GeSWall has some issues with Vista's UAC, but its protection against keyloggers is good. Where did you read about GW failing?

    Main differences with GeSWall and Sandboxie

    With Sandboxie you can easily flush the toilet (sandbox); it keeps everything in the sandbox while fully functioning. Everything in the sandbox cannot harm things outside the sandbox. When you decide to clear the sandbox, your files are gone.

    With GW you have both files and internet-facing programs contained in a policy sandbox, so the file system is not separated. All things marked untrusted can't harm trusted sources (same as SBIE, only there is not a separate sandbox area; untrusted files are stored normally in directories etc.).

    With GW you also have a virtualisation option like SBIE, only this sandbox is cleared when you close the program which created these files. This is realised by using the REDIRECT option.

    I have IE for instance running normally with GW (used for on-line banking and shopping, also using the freebie KeyScrambler for IE), but use Chrome (Chromium actually) for daily browsing. Although Chrome has a sandbox (a policy sandbox like DefenseWall and GeSWall), I have added the following options:

    a) File D:\ redirect (meaning all files written by Chrome are thrown away after Chrome closes; Chrome is not allowed to write exceptions to my programs directory by default = out of the box GW configuration setting).

    b) File D:\DOWNLOAD allow access (meaning Chrome is allowed to write to the download directory which I also have specified in Chrome; these files survive after Chrome closes).

    c) Registry HKU redirect (meaning all HKEY_CURRENT_USER keys changed by Chrome are made in a copy and thrown away after Chrome closes. The HKLM hive is protected out of the box with GW).

    When you rate current sandbox programs (rough description, or "written with a fork" as we say in Dutch, because it neglects the nuances of those great apps):

    SBIE (pure virtualisation sandbox)
    SafeSpace (both partition [=like Returnil] and file virtualisation with some policy exception for easier saving of files/containing files = still a pity this project is abandoned; I had gotten an extra 'policy' option which the existing application did not show in the drop down box, but was under development)
    GeSWall (policy sandbox with some virtualisation capability)
    DefenseWall (pure policy sandbox or HIPS like Ilya likes to call it).

    Cheers Kees
     
    Last edited: Mar 18, 2009
  3. a320ca

    a320ca Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    97
    Location:
    USA
    Question(s) for the many knowledgeable folks here...

    Could you break down the differences in GeSWALL and DefenseWall a little further?

    Advantages/Disadvantages of one over the other?

    Personal preference of one over the other and why?

    Which would be the better option with a setup including OA Premium, A-Squared AM 4.0, PrevX Edge and SandboxIE in a XP laptop?

    Thanks!
     
    Last edited: Mar 19, 2009
  4. HAL 9000

    HAL 9000 Registered Member

    Joined:
    Mar 18, 2009
    Posts:
    4
    Hi Kees1958,
    Thank you for your explanation.

    I have tried to set up the “%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%” as Redirect, but afterwards HTTP requests are slow.

    Do you have an idea about this?
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You can still save your email and still be safe with Sandboxie; just remember to force your Documents and/or Desktop to run sandboxed, so anything you save or run in those places will for sure run sandboxed. The benefit is you don't have to go hunting for files or pictures anymore; plus auto recover to those places (My Documents/Desktop) will do it for you automatically :)
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Again, if you auto recover to My Documents/Desktop and force them to run sandboxed, these files will remain even if you delete the sandbox, and they still stay sandboxed when you open them :thumb:
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As said written with a fork. :D My knowledge of SBIE is quite rusty (had it on an image until 4 years ago). I knew the VM concept, was my first encounter with application virtualisation on the desktop. It is perfect for someone who knows what he/she is doing.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GeSWall is very strong against keyloggers, except it doesn't intercept web cam logging and there is a bug with clipboard logger interception.

    SBIE doesn't intercept most keyloggers.

    GeSWall and DefenseWall are more or less similar, with some differences, but DW support is much better.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, if set to only allow the applications you wish to connect to the Internet, it will do a decent job?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Data should not leak via internet then. But what about an injected dll in browser? I am not sure.
     
  11. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    OT: how to set up that using Sandboxie? add outlook to force program?
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    What I do: first quick recovery (My Documents/Desktop), then
    force folders (My Documents/Desktop), then drop rights.
    When you save emails to Documents/Desktop they will not be deleted after you delete the content of the sandbox, when My Documents/Desktop are forced to run sandboxed; the sandbox will be empty, but not your emails and files you recover to those locations. And when opening them they will be forced to open in the sandbox ;)
    That's the way I have been playing with Sandboxie at the moment, so any files that are downloaded to those locations (My Documents/Desktop) will be forced to open sandboxed, without losing them or going hunting for hidden files in the sandbox :) For example, even if I run my browser unsandboxed and then try to save or run any files in My Documents/Desktop, they will be forced to run/open sandboxed. I always have the drop rights feature on all the time, so I feel like I am in safe mode :D
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You can add Outlook to always run sandboxed in force programs and then save your email in Documents; try that :)
     
  14. coen99

    coen99 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    55
    :thumbd:
     
    Last edited: Mar 19, 2009
  15. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Superantispyware, SandBoxie & Threatfire

    Recently I did a HijackThis due to computer acting hinky and slow. I submitted it to the first 5 analyzers that I could find where you didn't have to register and all that rot. The first one I went to (castlecops) wasn't reading them anymore or something like that to my surprise. I had always heard they were good.

    Anyway, several of the results I got back of the 5 said I had a Trojan. I forget the name now. Immediately I sent all this to ESET and said: "I probably caught this while you guys were shut down for the weekend and not giving us paying customers any updates leaving us wide open to everything and dangerously vulnerable" - only I was a million times more civil, diplomatic and polite. You get the gist I think. ;-)

    Yesterday they sent me an email telling me to dump Sandboxie, Threatfire and Superantispyware, see how things go and get back to them.

    This totally surprises me since THEY are the one's who once told me to install Superanitspyware and send them the results on a different problem at least a year ago along with Antimalwarebytes. That one they did not tell me to dump.

    In here I asked and was told that Sandboxie and Threatfire pose no conflicts with ESET and are OK to use along with it.

    Bottom line: Why would they tell me to dump these programs? Do they pose risks? Leave me vulnerable to any kind of malware at all?

    I hate dumping Superantispyware because so far, it's the one and only program I've ever found online that detects and deletes ADWARE cookies. The only one. I only run a scan once every couple of weeks to get rid of the adware cookies. I certainly do not run it and keep it on with ESET. I know enough NOT to do that.

    I could use some feedback and answers on ESET's rather odd advice to me. Last I heard, Sandboxie + Threatfire were compatible with ESET Smart Security Suite.

    Color me baffled, surprised and confused.

    Looking forward to any and all help before I take their drastic action very, very, reluctantly. Naturally I want what's best for my Windows Vista Premium. On the other hand I don't want to walk around in cyberspace half undressed.

    Thanks all.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    ~removed whole quote of initial post~

    Note: I am not a Sandboxie expert, but with some experimentation I know that you can also achieve this with Sandboxie if you force the user space (My Documents/Desktop) to run sandboxed :thumb: So when you recover a file or emails to your Desktop/My Documents, any files saved in this location will open sandboxed with a double click; the saved files will show the # sign :thumb: Sandboxing the user space is an extra layer within Sandboxie ;)
     
    Last edited by a moderator: Jun 4, 2009
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Superantispyware, SandBoxie & Threatfire

    I don't think you need to dump these. You can even use SUPERAntiSpyware in real time, provided no conflicts are there.
     
  18. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Re: Originally Posted by newbie2247

    No conflicts like what for example?

    Thank you.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Originally Posted by newbie2247

    Any system slow down, crashes etc etc.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hi, I was just looking at the difference between the free and paid version of GeSWall :) Some question came to my mind: how does the free version of GeSWall block malware when it does not have the option to terminate malware? Does a reboot get rid of the malware without problems, or is the malware process still present? I know that with the Pro version terminating malware is not a problem :)
    http://gentlesecurity.com/professional.html
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, and you don't need to be in a hurry to reboot. Malware will remain contained and isolated from the rest of your system no matter how long it runs.
    Moreover, you can always terminate it manually via the GW console.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This could in theory be a threat. My solution though is just exit the browser, which deletes the sandbox, and thus any mods to the browser.

    Pete
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    With Outlook it's not a problem. I force Outlook into the sandbox, but leave the pst files outside. So an email comes with a nasty in it. With Outlook closed that email and attachment is internal to the pst file and can't affect the system. Open Outlook sandboxed, and if you read the email and open the attachment or whatever the virus might do it's all contained in the sandbox.

    Works great this way and is transparent to the user.

    Pete
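    The Sandboxie setup that jmonge (posts 12 and 13) and Pete (post 23) describe in words can be written down as a sandbox section in Sandboxie.ini. The section below is an added example for this thread, not configuration from any poster and not from Sandboxie's own documentation; the box name "MailBox" and the pst path are made up, and the key names are the Sandboxie.ini settings as this editor remembers them from the 3.x series, so check them against the manual for the version you run.

```ini
; Added example, not from the thread or from Sandboxie's documentation.
; One sandbox section that combines the practices described in the thread:
; force Outlook and the user's document folders into the box, auto-recover
; saved files, drop admin rights, and restrict which sandboxed programs may
; start or reach the network. Box name and paths are constructed.

[MailBox]
Enabled=y
ConfigLevel=7

; "Force programs" (post 13): Outlook always starts inside this box, even
; when launched from the Start menu or by double-clicking a file.
ForceProcess=outlook.exe

; "Force folders" (post 12): anything run or opened from Documents or the
; Desktop is started sandboxed, so recovered files still open inside the box.
ForceFolder=%Personal%
ForceFolder=%Desktop%

; "Quick recovery" (post 12): files the sandboxed program saves under these
; folders are offered for recovery to the real folder, which survives a
; delete of the sandbox contents.
AutoRecover=y
RecoverFolder=%Personal%
RecoverFolder=%Desktop%

; Mail store kept outside the box (post 23): Outlook reads and writes the
; real pst directly, so mail survives deleting the sandbox. The path is a
; constructed example; use the location of your own pst file.
OpenFilePath=outlook.exe,%Personal%\Outlook Files\*.pst

; "Drop rights" (post 12): programs in the box run without administrator
; privileges even when the logged-on user is an administrator.
DropAdminRights=y

; Internet access restriction (post 9): only programs in the group may open
; sockets; the leading "!" means "closed to every program NOT in the group".
ProcessGroup=<InternetAccess>,outlook.exe,firefox.exe
ClosedFilePath=!<InternetAccess>,\Device\Afd*

; Start/Run restriction (post 1): only programs in the group may start at
; all inside the box. This is the setting that matters for a keylogger that
; arrives as an attachment: a program that cannot start cannot log anything.
ProcessGroup=<StartRunAccess>,outlook.exe,firefox.exe
ClosedIpcPath=!<StartRunAccess>,*
```

    Two caveats follow from the thread itself. DropAdminRights only removes administrator privileges; it does not stop a program that is already running inside the box from seeing keystrokes typed into other sandboxed programs, which is why the Start/Run restriction, not drop rights, is the line that answers the question in posts 1 and 25. And OpenFilePath makes the pst writable to everything in the box, so a malicious attachment opened from sandboxed Outlook can still damage the mailbox file even though it cannot touch the rest of the system; the trade-off is exactly the "cake and eat it" point raised in the opening post.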
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    nice to know there is a solution for it:thumb: thanks pete
     
  25. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    "Data should not leak via internet then. But what about an injected dll in browser? I am not sure."

    Little question about this: if you turn on the Drop Rights option in Sandboxie, will it prevent this, or maybe make it harder to occur?
     