Playing around with GreenBorder

Discussion in 'other anti-malware software' started by wir.sing, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    Got curious about sandboxing tools. So I looked at different ones and found a couple of interesting ones. Since most of the programs are already discussed here I thought I would start with playing around with GreenBorder.

    Sounded like a nice program. So I downloaded it and installed it. Boot up was a bit longer and the system seems and is slower. So to test it out I got myself the infamous DFK Threat Simulator from morgud.com. So bottom line: GreenBorder failed miserably at first look. The "owned" window came within seconds, even though I ran the program inside GreenBorder and thus inside the Sandbox. The funny thing is actually that KIS, which normally always went crazy and detected and blocked nearly all of DFK, didn't detect any of the included trojans this time because they ran inside the Sandbox.

    But the really funny thing was that the second I pressed the "Clean & Reset GreenBorder" button the whole thing was gone and everything was back again. So the whole thing ran but never left the sandbox. So it actually did what it's supposed to do. And it also blocked the DFK Keylogger.

    So I'm actually quite happy with the tool. Makes me wonder though why you read so little about it here. Is it because it's payware? Or is it known to be bad and I just missed that? And I actually got one real question. Does anyone know if the Sandbox is automatically reset when you shut down the system?

    Cheers
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I have written about it a lot. I think it is one of the most secure apps out there. I used to have issues with it because it didn't support Firefox, so you had to do your Microsoft updates manually in a session that wasn't protected. Now it allows you to choose either browser for protection. I chose Firefox and now XP can update outside the box automatically. On one machine that I have it on, it has never left anything behind, cookies included.
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    You could literally go with an AV for email scanning, Greenborder and a firewall, and be more secure than some who are running 10 different apps.
     
  4. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    That's exactly what I was thinking about. Using KIS atm and I'm sitting behind a NAT router. So KIS + Router + GreenBorder should be pretty secure.

    Btw, if you know the program quite well, is there any way to configure the program more? Like setting the folders that you can move protected files to, or the possibility to allow some things inside GreenBorder. My XFire always gets detected as a keylogger (since it has the ability to show if a user is typing), but the program is safe. So I would love to be able to allow it fully and not get blocked by GB.

    And does GB support any mail clients by default? Tested it with my Windows Live Mail desktop and that's not supported.
     
    Last edited: Oct 27, 2006
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Look for a member here called BillyGreenborder. He is the one to PM and he will answer all.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    IMO Greenborder (GB) should have stopped the execution of DFK, that didn't happen and that's why you thought that GB failed at first sight. I wouldn't be happy with this. :)
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Why? Sandboxes don't stop execution of anything any more than FDISR does. They just prevent anything from doing harm. It's very much akin to a separate FDISR snapshot.

    Pete
     
  8. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    It's not like FDISR at all.
     
  9. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    So should you expect a sandbox to block something like that or not?
    Gonna try it now with BufferZone just to see how that reacts to morgud's.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I know. It is only in the sense that neither program will detect or prevent malware. They just isolate it, keeping it from harming anything else. That was my point to Erik.

    Pete
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    GB isolated DFK, so it knows that DFK is something bad; why doesn't GB block DFK's execution?
    I find GB's reaction very confusing for users and illogical, and don't forget it confused you too and most probably it would confuse me too.
    The final result is of course the same, because DFK was removed by GB.

    If all sandboxes act like that, I have many doubts about using one in my frozen snapshot.
    I don't need to be "scared" first and then feel relieved, and that's what GB did to you and will do to me. :)
     
    Last edited: Oct 27, 2006
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Wir Sing,

    Greenborder gets less attention because it is payware and not exactly cheap. When you start to poke around with virtualization/sandboxes it is natural you go for a 'discovery', e.g.: Sandboxie (free), GeSWall (free), BufferZone (free for one app, but allows adding others) and DefenseWall (30 US$ lifetime license).

    Please publish your experience. After trying some (Sandboxie, GeSWall, BufferZone, DefenseWall) we use both BufferZone (son's PC) and DefenseWall (paid on wife's PC). On my laptop I use GeSWall.

    Why use 3 different ones?
    - Son prefers BufferZone, because it is free, easy to use and he claims it has better protection than GeSWall from real-life drive-by threats (DefenseWall was as good, but is paid).
    - I installed DefenseWall on wife's PC because it has really seamless protection (once installed it is use and forget) and is faster than BufferZone (below her irritation level).
    - I use GeSWall on my laptop, because I like the concept of using the policy restrictions of Windows (somehow, based on nothing, I have the idea it is the best guarantee of compatibility with the OS).

    Still I would like to know something more of both GreenBorder and CoreForce, so please publish your findings.
     
    Last edited: Oct 27, 2006
  13. brekmeister

    brekmeister Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    6
    ErikAlbert,

    There is a very important point here you are missing.

    GreenBorder doesn't "know" that DFK is bad; in fact, it specifically doesn't care. There is no scanning involved at all (signature-based or heuristics-based). GreenBorder simply runs IE/Firefox inside a safe environment, and the files you download to the desktop (for example the DFK) get tagged so that when you choose to run them they will also run inside the GreenBorder environment.

    We probably all know by now that signature scanning is useless (when it comes to protecting against 0-day attacks, that is) and heuristics scanning is also problematic (because it will always suffer from false negatives as well as false positives). Having that extra layer of protection that doesn't rely on any scanning is a huge benefit in my mind.

    Brekmeister.
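The behaviour described in Peter2150's and brekmeister's posts (execution is never refused, changes are contained, tagged downloads inherit the sandbox, and "Clean & Reset" throws the lot away) can be modelled in a few lines. The following is an added illustration written for this thread, not GreenBorder's or DFK's code; the file paths, the `IsolationSandbox` class, the stand-in `run_threat_simulator` program and the sample disk contents are all constructed. It also assumes, as a modelling choice, that downloads live in the sandbox layer and therefore vanish on reset.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample "real" disk (not from the thread): files an untrusted program
# would like to tamper with.
REAL_DISK = {
    "C:/Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost\n",
    "C:/Users/wir/Documents/notes.txt": "private notes\n",
}

# Hypothetical path for the downloaded test program.
DFK_EXE = "C:/Users/wir/Desktop/dfk.exe"


@dataclass
class IsolationSandbox:
    """Copy-on-write view of the disk for processes running inside the sandbox.

    Nothing is scanned and no program is refused execution; the only thing the
    sandbox decides is *where* a process's changes land.
    """
    real: dict
    layer: dict = field(default_factory=dict)      # writes made inside the sandbox
    deleted: set = field(default_factory=set)      # deletions made inside the sandbox
    tagged: set = field(default_factory=set)       # files downloaded inside the sandbox

    def read(self, path: str, inside: bool) -> Optional[str]:
        """A sandboxed process sees its own layer first, then the real disk."""
        if inside:
            if path in self.deleted:
                return None
            if path in self.layer:
                return self.layer[path]
        return self.real.get(path)

    def write(self, path: str, data: str, inside: bool) -> None:
        """Inside: copy-on-write into the layer. Outside: the real disk changes."""
        if inside:
            self.deleted.discard(path)
            self.layer[path] = data
        else:
            self.real[path] = data

    def delete(self, path: str, inside: bool) -> None:
        if inside:
            self.layer.pop(path, None)
            self.deleted.add(path)  # whiteout: hides the real file from the sandbox only
        else:
            self.real.pop(path, None)

    def download(self, path: str, data: str) -> None:
        """The browser runs inside, so a download lands in the layer and is tagged
        (assumption: downloads are part of the layer and disappear on reset)."""
        self.write(path, data, inside=True)
        self.tagged.add(path)

    def launch(self, path: str) -> bool:
        """Launching a tagged file puts the new process inside the sandbox as well."""
        return path in self.tagged

    def reset(self) -> None:
        """'Clean & Reset': discard everything the sandbox accumulated, at once."""
        self.layer.clear()
        self.deleted.clear()
        self.tagged.clear()


def run_threat_simulator(sb: IsolationSandbox, exe: str) -> dict:
    """Constructed stand-in for a DFK-style test program: it is allowed to run, tries
    to drop a file, rewrite hosts and delete a document, then reports what it believes
    it achieved (the 'owned' window). Whether the changes are real depends only on
    how the file was launched."""
    inside = sb.launch(exe)
    sb.write("C:/Windows/System32/owned.dll", "payload", inside)
    sb.write("C:/Windows/System32/drivers/etc/hosts", "0.0.0.0 update.example\n", inside)
    sb.delete("C:/Users/wir/Documents/notes.txt", inside)
    return {
        "ran_inside_sandbox": inside,
        "owned_dll_visible_to_program": sb.read("C:/Windows/System32/owned.dll", inside) == "payload",
    }


def real_disk_untouched(sb: IsolationSandbox) -> bool:
    """The check a defender makes afterwards: did anything reach the real disk?"""
    return sb.real == REAL_DISK


def demo() -> dict:
    """Run the simulator once via a tagged download and once copied in from outside."""
    sb = IsolationSandbox(dict(REAL_DISK))
    sb.download(DFK_EXE, "simulator")
    report = run_threat_simulator(sb, DFK_EXE)
    results = {
        "sandboxed_run_showed_owned": report["owned_dll_visible_to_program"],
        "sandboxed_run_left_real_disk_alone": real_disk_untouched(sb),
    }
    sb.reset()
    results["reset_removed_everything"] = not sb.layer and not sb.deleted and not sb.tagged
    results["download_gone_after_reset"] = sb.read(DFK_EXE, inside=True) is None

    # The same program arriving untagged (e.g. from a USB stick) runs outside the
    # sandbox, so its changes are real. That is the "how strong is the box" caveat.
    direct = IsolationSandbox(dict(REAL_DISK))
    direct.write(DFK_EXE, "simulator", inside=False)
    run_threat_simulator(direct, DFK_EXE)
    results["direct_run_hit_real_disk"] = not real_disk_untouched(direct)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows both halves of the thread's observation: the program inside the box sees its dropped DLL and pops its "owned" window, yet the real disk is unchanged and a reset empties the layer; the same file launched untagged is a different story, which is why the tagging of downloads matters as much as the box itself.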
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for the info.
    I prefer software that
    - blocks the installation of malware immediately and
    - blocks the execution of malware immediately, if the malware succeeded in installing itself.
    That sandboxes allow execution in a virtual environment is good, but that depends on how strong the virtual environment is.
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina