help recommending hip/sandbox program for my needs

Discussion in 'sandboxing & virtualization' started by sunrise, Mar 28, 2007.

Thread Status:
Not open for further replies.
  1. sunrise

    sunrise Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    75
    Hi,

    I am relatively new to security stuff and need help from the experts here, or from those who have experience in these areas.
    I bought a PC with Vista, 1GB RAM.

    I understand that for good protection, the basics are to have antivirus, firewall and antispyware. As such,
    I am planning to get KIS 6. In addition, I'm getting SuperAntiSpyware Pro (after reading many posts here, it seems good and light).
    For further antispyware stuff, SpywareSD and SpywareBlaster, since they are free, to complement SAS and KIS.

    For these basics, I have read that having HIPS/sandbox protection is good as well, to round everything off. But it's the first time I've come across HIPS stuff; after reading up, there are many applications such as DefenseWall, GeSWall, Prevx1, Sandboxie etc. I checked their websites, as well as the postings here, their features etc., but it's too much for me to really appreciate or understand which one is better in terms of meeting my needs.

    Can someone recommend me a HIPS and/or sandbox program (paid or free)? Based on:
    1. Easy to use (many pop-ups asking permission for this DLL access/service etc. I don't really understand much what the DLL or service actually is), so I hope to be able to safely do my daily stuff without worrying too much.
    2. I know that when I execute some .exe file, it may require reading of DLL files (system or a program's) for it to work. The program should allow that, but not modify or introduce a trojan etc. after that.
    3. Easy on my 1GB memory
    4. Works with Vista

    Any help? Thanks!!
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello Sunrise,
    KIS 6.0 already has HIPS; it's called Proactive Defence.
    If you install another HIPS it could conflict with Proactive Defence.
    KIS 6.0 and SAS Pro is like my setup.
    You could use an alternate browser such as Opera or Firefox.
    I know that IE7 in Vista is safer than IE7 in XP, but it's still not as safe as Firefox or Opera.
    lodore
     
  3. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hey sunrise :D

    For a sandboxing solution, you can go with SandboxIE, DefenseWall or GesWall. They are all light on resources, but DefenseWall is the more user-friendly option, while GesWall is the most configurable of the three. I tried GreenBorder also, but I found it unstable on my systems, so I didn't play with it much.

    Cheers :)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Sunrise, I think KIS and SAS will be enough. No need for SD and SB.
    You will be OK with the addition of a sandbox rather than a HIPS.
    GeSWall, DefenceWall and SandBoxie are all good, but I can't say about Vista as I am using XP.
    Let's wait for a Vista user here.
     
  5. sunrise

    sunrise Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    75
    Hi Lodore,
    I was looking through the KIS user guide, and in the section regarding Proactive Defence it says something like the application behaviour stuff is not supported for Vista.
    Since other respondents mention that having KIS and SAS is good enough, I guess I will just stick to those, as the other HIPS programs I checked are not compatible with Vista yet.
    Thanks!
     
  6. sunrise

    sunrise Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    75
    Hello aigle,
    Will a sandbox allow programs (.exe) to install/run normally? The website explains it will create a virtual environment, blocked off from my system, and run programs in that box without writing to my system. But what if the program requires reading of system files or DLL loading? Recently my friend mentioned my laptop was hit by something called 'dll injection' while running a program (but if I reject it using the firewall, I can't run the program at all, which I need to; maybe the program was corrupted perhaps). Will a sandbox help with this? As in, let me run it, then close without suffering anything, deleting everything in the sandbox?

    Thanks!
     
  7. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Runs with Vista, that was one of the recommendations.

    I know Sandboxie does but what about DefenseWall?
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    There are two types of sandboxes.

    1- Virtualize both registry and files, like SandBoxie, BufferZone etc. You can delete everything with one click and save the files which you want.

    2- Virtualize the registry but not files, though files are marked untrusted and can't damage the OS, like GesWall, DefenceWall etc. The virtual registry will be deleted automatically and files can be deleted either manually or via the sandbox's GUI if needed (you don't need to delete them though).

    Both types of sandboxes use policy restrictions in addition to virtualization so that sandboxed applications like web browsers, mail clients etc. (and malware as well) can't change/damage the OS.

    The advantage of the first type is more security (at least in theory) and the advantage of the second type is more usability without losing any significant functionality. The choice depends upon you. You can try both types and see which one you like (and which one your system likes as well, there might be conflicts sometimes). There are both free and paid options and most are good.

    Regarding DLL alerts from the firewall, these alerts are common and mostly for legitimate DLLs/applications (when you are using your firewall's Component Control feature). If you block it, of course the whole of the browser will be blocked. I usually keep the firewall's Component Control turned off or in learning mode to get rid of these intrusive pop-ups. If you really want to control DLLs etc., you need a classical HIPS like System Safety Monitor (SSM) or ProSecurity (PS), but as you said you don't like pop-ups, so I did not suggest it. If you want, you can try the free version of either. PS might be easier for you, but you must read its manual etc. before you use it.
     
  9. sunrise

    sunrise Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    75
    Hello Aigle,

    Thanks for the information!
    For a sandbox, I guess I will stick to Sandboxie because the rest (GesWall/DW) are not Vista compatible yet (though the beta may be). For the classical ones, the same, no Vista yet... guess I have to wait. Spyware Terminator's HIPS belongs to which category?

    As I mentioned in the first post, I'm getting KIS 6 and SAS. I saw a post regarding leak tests, their relevance and accuracy etc., so I went to see the leak test (matousec?) and saw that the first two are Jetico v2 beta and Comodo. Jetico v2 beta is Vista compatible while Comodo is not yet.

    Though results may not mean everything, somehow I got the feeling that if I get an AV software + firewall, e.g. Jetico v2 + SAS, it may be 'lighter on resources' than having KIS 6 + SAS... true?

    I know this may not be the truth for ZA. Many posters here mention heavy and slow startup, and for me, slow startup is a big no-no.
     
  10. KikiBibi

    KikiBibi Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    173
    GesWall is Vista 32-bit ready if I'm not wrong. Only 64-bit is not Vista ready.
     
  11. sunrise

    sunrise Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    75
    Hi aigle,

    I checked SSM; it allows control of DLLs, allowing or denying modify/inject etc. But I think if one wants to allow changes to a DLL for that application, then go back to the original state once the application closes, SSM can't go back to the original state, right? A virtualization program can, from what I read, like GesWall/PowerShadow/Sandboxie. Is that right?

    Sorry, for GesWall, PowerShadow and Sandboxie, which of them allow changes to the registry / allow DLL loading / allow DLL modification/injection when running a program, but when closed, all changes go back to the original state? Assuming the changes made by the program are malicious and we need to fool the program in order for it to run. I heard this is called virtualization or something.
     
    Last edited: Mar 29, 2007
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Sunrise,
    I am not so expert but will try to answer.

    1- If you don't make a particular rule in SSM, the very next time the same DLL you denied/allowed before wants to be loaded/injected into the browser, you will get an alert from SSM and you can deny or allow again as needed.

    2- Sandboxes usually don't stop benign DLL injections; they will stop only dangerous stuff according to their policy restrictions.

    3- ST's HIPS is a classical HIPS but with limited control (no DLL injection, memory access control etc.), but it might suffice.

    4- I already explained the difference in GW, DW, SIE and BZ. PowerShadow is an advanced virtualization software; it virtualizes the whole of the hard drive or the C partition, and all changes are made entirely in the virtual environment and are erased on reboot. The disadvantage is that you lose everything that happened during virtualization, like Windows updates, AV/AS updates etc.

    5- According to the matousec site, the Kaspersky firewall is the only firewall that has strong security features; Comodo and Jetico, though better in leak tests, might not be better in other regards. Personally I would go with any of them, and as long as the Kaspersky one is part of your suite and is light, you can continue with that one. However, if you like to play more with firewalls, you can try Jetico and Comodo and keep the one you like.
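    The two sandbox types aigle describes in post 8, and the PowerShadow whole-disk virtualization in point 4 above, come down to two different answers to "where does a write go?". The following toy model is an added example, not code from Sandboxie, BufferZone, GeSWall, DefenseWall or PowerShadow, and it assumes a constructed convention that the "real system" is a dict of paths and registry keys, with registry keys starting with HKCU\ or HKLM\. It shows why a type 1 sandbox can throw everything away in one click (and why disk-level virtualization also throws away wanted updates), while a type 2 sandbox leaves the files on disk but tags them untrusted and refuses to let an untrusted process touch a trusted file such as a system DLL.

```python
"""Toy model of the two sandbox types from the thread (added example, not
code from any product named).  The real system is a dict mapping a file path
or registry key to its content.  Both models combine a policy ("an untrusted
process may not change the OS") with virtualization (where writes land)."""
from __future__ import annotations

REGISTRY_PREFIXES = ("HKCU\\", "HKLM\\")   # constructed convention for this toy


def is_registry_key(path: str) -> bool:
    return path.startswith(REGISTRY_PREFIXES)


class FullVirtualSandbox:
    """Type 1 (files *and* registry copy-on-write into an overlay).

    discard() drops the overlay in one go; recover() copies one chosen file
    out to the real system.  Whole-disk virtualization (PowerShadow style)
    is the same overlay idea for every write, erased on reboot."""

    def __init__(self, real: dict[str, str]) -> None:
        self.real = real
        self.overlay: dict[str, str] = {}

    def read(self, path: str) -> str:
        # Reading a system DLL passes straight through; overlay wins if written.
        return self.overlay.get(path, self.real[path])

    def write(self, path: str, content: str) -> None:
        self.overlay[path] = content      # never touches self.real

    def recover(self, path: str) -> None:
        self.real[path] = self.overlay[path]   # "save the files which you want"

    def discard(self) -> None:
        self.overlay.clear()              # "delete everything with one click"


class UntrustedPolicySandbox:
    """Type 2 (registry virtualized, files real but marked untrusted).

    Registry writes go to a virtual registry dropped on close(); file writes
    reach the real disk, but the file is tagged untrusted and an untrusted
    process may not modify a trusted (pre-existing) object."""

    def __init__(self, real: dict[str, str]) -> None:
        self.real = real
        self.virtual_registry: dict[str, str] = {}
        self.untrusted: set[str] = set()

    def read(self, path: str) -> str:
        return self.virtual_registry.get(path, self.real[path])

    def write(self, path: str, content: str) -> None:
        if is_registry_key(path):
            self.virtual_registry[path] = content
            return
        if path in self.real and path not in self.untrusted:
            raise PermissionError(f"untrusted process may not modify {path}")
        self.real[path] = content
        self.untrusted.add(path)

    def close(self) -> None:
        self.virtual_registry.clear()     # virtual registry deleted automatically

    def remove_untrusted(self) -> None:
        for path in self.untrusted:       # optional manual cleanup via the GUI
            self.real.pop(path, None)
        self.untrusted.clear()


# Constructed sample paths for the demo.
DLL = r"C:\Windows\System32\kernel32.dll"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DOWNLOAD = r"C:\Users\me\Downloads\report.pdf"


def demo() -> dict[str, object]:
    """Run the same actions in each sandbox (load a DLL, try to overwrite it,
    add an autorun entry, save a download) and report the real system after."""
    system = {DLL: "<original dll>", RUN_KEY: ""}

    real1 = dict(system)
    sb1 = FullVirtualSandbox(real1)
    sb1.read(DLL)                         # DLL loading works as normal
    sb1.write(DLL, "<patched dll>")       # lands in the overlay only
    sb1.write(RUN_KEY, "autorun.exe")     # so does the registry change
    sb1.write(DOWNLOAD, "<pdf>")
    sb1.recover(DOWNLOAD)                 # keep the one file we actually want
    sb1.discard()                         # everything else gone in one click

    real2 = dict(system)
    sb2 = UntrustedPolicySandbox(real2)
    sb2.read(DLL)
    try:
        sb2.write(DLL, "<patched dll>")
        dll_blocked = False
    except PermissionError:
        dll_blocked = True                # policy: trusted file left untouched
    sb2.write(RUN_KEY, "autorun.exe")     # goes to the virtual registry
    sb2.write(DOWNLOAD, "<pdf>")          # real disk, tagged untrusted
    sb2.close()

    return {"type1_real": real1, "type2_real": real2,
            "type2_dll_blocked": dll_blocked,
            "type2_untrusted": sorted(sb2.untrusted),
            "type2_virtual_registry": dict(sb2.virtual_registry)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

    In both runs the system DLL and the real autorun key end up unchanged; the difference is that the type 1 sandbox reaches that state by discarding an overlay (so a download survives only if explicitly recovered), while the type 2 sandbox reaches it by refusing the write up front and leaving the download on the real disk with an untrusted tag.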
     
  13. Metal425

    Metal425 Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    188
    Location:
    Southern California
    Try UnHackMe, I like it.
    It's an anti-rootkit and anti-trojan program.
     
  14. sunrise

    sunrise Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    75
    I think I really need to try PowerShadow now. Got hit lately by DLL injection/keylogger when running a program. Tried Sandboxie and ran the program, still got it. But before PowerShadow, I'm going to try GesWall first; if I can allow DLL loading for the program so it works, then deny injection, that will be good.

    Now trying desperately to get SAS to start working... it keeps freezing at the 'protect homepage' screen. Can't clean the indicdll, though it's now blocked from connecting via Comodo since Comodo alerted me.

    Ran SpySD, didn't detect it at all.

    Perhaps it's a false positive? But I don't recall running other things to trigger that DLL. Only that stupid program.
     
  15. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    Cyberhawk might be what you are looking for; at the very least it is worth trying out, especially if your concern is keyloggers (see below). It is fairly light and very quiet (not many pop-ups, etc.). Though I'm not sure if it works with Vista yet, so someone else will have to comment on that.

    Ian 'Gizmo' Richards did comprehensive tests on several HIPS programs, and Cyberhawk was the only one to detect and block all the keyloggers in the test.

    http://techsupportalert.com/security_HIPS.htm
     
    Last edited: Mar 29, 2007
  16. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I can confirm that Geswall 2.6 Beta2 works well with Vista 32 Bit and is very stable.

    dja2k
     