Playing with SandBox HIPS

Discussion in 'sandboxing & virtualization' started by aigle, Sep 29, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi users, very brief play around with different sandboxes.

    BufferZone---- Stopped KillDisk virus
    Stopped Morgud,s threat simulator
    Could not stop Martin,s Undetectable Keylogger( MUK)
    Stopped Elite keylogger rootkit installation
    Sysinternals process explore while running inside GesWall failed to terminate IE running as trusted( outside BZ)

    Virtual Sandbox free version ----Stopped KillDisk Virus
    Stopped Morgud,s threat simulator on two systems with slightly different results but stopped in both cases altogether
    MUK failed to install in VS
    Elite Keylogger rootkit failed to install itself in VS
    Sysinternals process explore could not run inside VS, windows task manager while running inside VS was able to terminate IE running outside VS.( zopzops,s findings are different here as he posted in another thread, I am not sure what is the problem but I tried VS on two system witl almost similar findings, he has posted to the support and will see the reply)


    GeSwall-----Stopped KillDisk virus
    Stopped Morgud,s threat simulator
    Stopped Martin,s Undetectable Keylogger( MUK) from logging keydtrokes but not mouse clicks
    Stopped Elite keylogger rootkit installation
    Sysinternals process explore while running inside GesWall failed to terminate IE running as trusted( outside GW)


    SandBoxie
    ----- Stopped KillDisk virus
    Stopped Morgud,s threat simulator
    Could not stop Martin,s Undetectable Keylogger( MUK)
    Stopped Elite keylogger rootkit installation
    Sysinternals process explore while running inside GesWall failed to terminate IE running outside sandboxie.



    DefenceWall
    version 1.61,
    may not be latest --Stopped KillDisk virus
    Stopped Morgud,s threat simulator
    Could not stop Martin,s Undetectable Keylogger( MUK)
    Stopped Elite keylogger rootkit installation
    Sysinternals process explore while running inside DerfenceWall failed to terminate IE running as trusted( outside DW).


    Just few related/ unrelated notes--

    Antivir classic detected Morgud,s threat simulator by heuristics( that,s nice) but failed to stop it.

    EAZ-FIX protects against KillDisk virus except taht u loose ur current working snapshot( or u can make a snapshot just before running KillDisk). I covered C partition of my single HD with EAZ-FIX and D, E, F were unprotected. Ran KillDisk from C and it could not damage any of the partitions at all. That,s nice.

    FDISR does not protect against KillDisk virus, u loose all ur system.

    BZ paid version has maximum features( like a true sandboxing HIPS) and I really like its features. The least slowdown I noted was with GesWall, DefenceWall and Sandboxie followed by BufferZone and the worst slowdown with Virtual Sandbox. VS has almost all features(except firewall) of BZ paied version but I think it still need lot of work to be tweaked. I have used all of them for a while. I like its features but dislike the slow down in its loading on boot up and start of applications inside VS. Also it seems aggressive and I faced loss of functionality like issues so I jsut uninstalled it.


    Thanks.
     
    Last edited: Sep 30, 2006
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    A little addition. While testing this, I collected the malware samples on my PC.
    Antivir detected MUK by heuristics. I never expected such a nice detection, so I uploaded it to virus total, no other scaner detects it. Wonderful work by Avira.
     

    Attached Files:

    • 11.jpg
      11.jpg
      File size:
      119.2 KB
      Views:
      1,365
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Looking at a view other threads at Wilder, AntiVir is getting more and more points. Amazing :thumb:
     
  4. davidleu

    davidleu Registered Member

    Joined:
    Sep 27, 2006
    Posts:
    19
    Yeah very nice! Its another proof that you dont need to spend a single penny for professional security software! :thumb:
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Will post back the scanning results of Morgud,s threat simulator also.
     
  6. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Hi Aigle,

    A little correction:
    BZ 1.90 doesn't stop Martin,s Undetectable Keylogger( MUK) (version 1.6 did, but they forgot to implement it in 1.90)

    But new beta version 2.10-20 does. Release version, which will do, is expected for end of october.

    Regards
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thank a lot for the info.
    That,s nice. I am liking BZ.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Results of DFK threat simulator exe file. NOD,s heuristics are great. Panda is also good here( it is TruPrevent I think)!

    Antivir detects some componants on its execution but can,t stop the threat.
     

    Attached Files:

    • 3.jpg
      3.jpg
      File size:
      126.6 KB
      Views:
      1,351
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Results of DFK threat simulator Zip

    NOD and Panada gain.
    It seems I am going a lot OT now, so I will stop here. Back to sandboxes.:)
     

    Attached Files:

    • 4.jpg
      4.jpg
      File size:
      87 KB
      Views:
      1,345
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    Some more testing here.
    I ran a process as trusted ( ouside Sandbox) and tried to kill it via APT( Advanced Process Terminator) running as untrusted( inside sandbox).
    Here are the results.

    BufferZone-- APT failed to kill trusted process( all 16 Kill methods)

    GesWall ---- APT failed to kill trusted process except by Kill method 7 and 8

    Sandboxie-- APT failed to kill trusted process except by Kill method 10. I did all my testing with version 2.42 that was available at the time of testing, it mightb be fixed in latest version. If anybody knows pls post here. Thanks.

    Virtual Sandbox --- It seems quite buggy and even Process Explorer was able to kill trusted process, I did not test it with APT.

    DefenceWall-- I was not able to test as APT while running untrusted failed to show any processes running as trusted. Anyway to test it?

    BTW, I tried to kill sanbox process itself via process explorer running as trusted, it killed DefenceWall, GesWall, VS and Sandboxie.
    In case of BufferZone--- I was really impressed here-- even APT running as trusted was not able to terminate its protection with all 16 kill methods( though its GUI can be killed even by Process Explorer but it does not affect its protection at all). Very strong software indeed!!

    Edit-- DefenceWall GUI is killed but protection remain as it is driver based.
    I will have to re-check about Sandboxie as i misinterpreted these tests probably.
     
    Last edited: Sep 30, 2006
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    1. I would suggest you use the latest version of DefenseWall- 1.65, this will block APT. 1.70 is coming soon.

    2. For APT test you need use direct PID numbers input.

    3. Killing DW's GUI won't stop proteciton- it is pure driver-level.

    As about MUK- just check if they use ring3 hooks for it (I'm more than sure in it). If they are- they gives you false feeling of security.
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    method 8 is a bug and they are working on it. method 7 is left open on purpose (i forgot why exactly). but geswall itself is immune to all 16 attempts to shut it down.

    you know what you should try next aigle. ghostsecurity's reg test. that's the real eye opener, especially test 2.
     
  13. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I asked about BZ and I have been answered the drive is fully ring0... as defensewall.

    I disagree. regtest2 could maybe shut down your PC, but the purpose is to prove that by doing it, you can add a key to system startup. If your prog is running untrusted, then anyway it should go to the ubtrusted registry... So even with shutdown, regtest2 should fail with a proper virtualization / sandbox protection...
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    Sorry u are right. It was my mistake. I was only mistaken by GUI. I just checked it now and protection remains there. I shall correct it.
    I think they use GetKeyState method but i am not sure. CAn anybody tell more about MUK.

    What about this false sense of security? Can u expolain more. Thanks
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    Thanks.
    Will tryt it sometime. I tried it in the past but forgot the results.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Some more testing using syssafety SPT( instaed of APT)-- settings same as in post no.10 above. ( I did not use parameter f with SPT, only e parameter used).

    http://syssafety.com/leaktests.html

    BZ-- failed with method 15 and 16( with 16 message came that killing failed but infact the target was became unresponsive so I will take it equivalent to killing).
    GW--- failed with method 16 just like above
    DW
    -- failed with many, 9, 10, 11, 12, 14, 15, 16( may be i missed something)
    Sandboxie-- not tested

    Also tried keylogger test from syssafety.

    GW
    -- failed with method 3 and 4
    BZ-- failed with method 1 only
    DW--- failed with method 1 and 2
    Sandboxie-- not checked, may be later.

    BTW, SnoopFree tested here detected and successfully stopped all methods except method 1. SnoopFree is always wonderful. A tiny but great piece of software that detect keyloggers generically.

    Edit-- I am not expert here. I did not test SPT full and there may be mistakes. Feel free to correct me if I am wrong.
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    GetAsyncKeyState. This function is, mostly, using shared keystate buffer without using native API.

    I still haven't found good driver-based way how to prevent GetAsyncKeyState-based keyloggers from it's job. All the ring3 hooks may be easily bypassed. Also, there could be GetMessage/PeekMessage and TranslateMessage intercepting keyloggers and subclassing- based keyloggers that can not be stoped from driver level. That is why keylogger defense is really limited in Windows. It's architecture is not built perfectly from the point of view of security.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Another killing method-- IceSword and DarkSpy

    DarkSpy and IceSword failed to initialize in DW, GW and BufferZone.
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    i realize it won't faze the real registry, but the annoyance of a malware being able to force a shutdown/restart is...................annoying. :D
     
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    And the winner is --- (Tah-Dah!) BufferZone! Or did I misinterpret the comments here? If BZ did not "win" then am I correct in saying that none of the tested apps did the job?

    By the way, why wasn't the redoubtable Prevx included, I wonder?
     
  21. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Neova Guard is also restistent agains those tests :thumb:
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Just tested DefenseWall 1.70 with APT and SPT. All the tests are passed. 1.70 will be released tomorrow.

    2 aigle- don't use old versions of DefenseWall for your tests! 1.61 have been released two mounths ago, it's a huge period of time!
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Wasn,t it the latest version when I tested?
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Just as I mainly checked for sandboxes. I did mention some other software but ther were on my system so if I found something incidently, I just posted that as well.
    APT and SPT were tested specifically for SandBoxes only.
    Prevx will come in HIPS.
     
  25. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Hi,

    And nobody did:D

    Anyway, to give echo to an old discussion we had once, keyloggers are not really a problem for virtualization / sandbox security tools... as long as the user understands what he is doing.

    If you go to your online banking account, I guess you should at least stop all untrusted processes before logging... BZ team even advises to open IE or whatever surfer you use outside the virtualized area before going to online banking, so that it is safe from the untrusted zone...

    I let the last word to Uriel from Trustware:
     
Loading...
Thread Status:
Not open for further replies.