Playing with SandBox HIPS

Discussion in 'sandboxing & virtualization' started by aigle, Sep 29, 2006.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich (Developer)
    DefenseWall is 1.70 now.
     
  2. Ilya Rabinovich (Developer)

    I always advise closing all untrusted processes before going to online banking or an online purchase process. It is more than enough for DefenseWall...
     
  3. aigle (Registered Member)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    I am not sure that this test will play well here, as there is virtualization, so in spite of a failed test, in fact the test will be passed.
    BTW, GesWall stops test 2 nicely. Very nice to see hundreds of "policy violation stopped" notifications with the latest GesWall beta during this test.
     
  4. aigle (Registered Member)

    SandBoxie tested now.

    It failed against Kill method 12.
    And it failed against all keylogger methods, but the log file was contained inside the sandbox anyway.
     
  5. aigle (Registered Member)

    DarkSpy and IceSword failed to initialize in SandBoxie as well.
     
    Last edited: Oct 2, 2006
  6. aigle (Registered Member)

    Now that is totally new information for me!!
     
  7. aigle (Registered Member)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    While running outside of BZ, DarkSpy was not able to kill ClnSvc.exe of BufferZone normally, but the forced method killed it. IceSword was able to kill it while running outside.
     
  8. starfish_001 (Registered Member)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    Are there any products that can block this? Does PG's global block?
     
  9. aigle (Registered Member)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    I don't think so. The coming version of Online Armor, maybe? However, it is just my guess, as I am not an expert. Hopefully someone will correct me if I am wrong.
     
  10. Ilya Rabinovich (Developer)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    I don't think so.
     
  11. ErikAlbert (Registered Member)

    I also played with these 2 leaktests in my new security setup.
    http://syssafety.com/leaktests.html
    Prevx1 blocked both and my frozen snapshot removed both leaktests.
    Are there any stronger leaktests to play with?
     
  12. starfish_001 (Registered Member)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    Thanks
     
  13. Lucy (Registered Member)

    Hi,

    Aigle,

    You said:
    This is the answer I got from BZ Team:
     
  14. Tommy (Registered Member)

    Blocked them by not allowing the exe file to execute, or by blocking the logging?

    spt.exe:
    I allowed the spt.exe file to execute with Neoava every time I was asked, and spt.exe could not kill Neoava Guard at the end with any method.
    keylogger.exe:
    Neoava Guard failed to block the logging itself of the keylogger after I allowed the exe file to execute.
     
  15. aigle (Registered Member)

    Thanks for that.
     
  16. ErikAlbert (Registered Member)

    When I tried to run both malwares, Prevx1 showed a popup window with "Blocked" and that's what I expected.
    I'm not really familiar yet with Prevx1; I have had it installed permanently since yesterday.

    According to my Prevx1 settings,
    - I block "Unknown Programs"
    - I block "Caution Programs"

    Of course these tests don't tell me much. Visiting the most dangerous websites on the net without a frozen snapshot during a very long period, would be a better test IMO. :)
     
  17. Tommy (Registered Member)

    The deal in this testing scenario is to allow these programs to execute and let them go on with their malicious work. Stopping an unknown program from executing is something every better HIPS should do, but preventing the application from doing its malicious work is another thing.
     
  18. ErikAlbert (Registered Member)

    I assume that blocking = stopping the execution of malwares. If that is not true, I don't need Prevx1. I'm looking for softwares that STOP or PREVENT the execution.
     
  19. Tommy (Registered Member)

    Generally you are 100% right, but as I told before, the testing scenario in this case is different, meaning to discover if the HIPS tested here are immune against several 'killing methods' which other undetected malicious programs can use. For that you need to allow the execution of the used testing application - in this case spt.exe. Execute it with the different parameters to see if it can kill the Prevx1 process. This way you can discover if Prevx1 itself is immune against this kind of attack.
    Same for the keylogger: allow the process so that you can see if Prevx1 can intercept the logging itself.
     
  20. ErikAlbert (Registered Member)

    OK, but I'm just an average user and I don't know much about malwares and internet. So I have to trust these softwares, because I don't have the knowledge to control them and I'm not going to spend the rest of my life to become a malware expert and it has nothing to do with my job either.

    If the execution is done completely or partial, I have bad luck, but I will remove them completely during the next reboot with a frozen snapshot.
    There is no other way for a newbie like me, because I don't have the knowledge to do better. :)
     
  21. MikeNash (Security Expert)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    OA2 will detect this.
     
  22. aigle (Registered Member)

    I totally agree here. Blocking the execution of these kills the purpose of these tests itself.
     
  23. aigle (Registered Member)

    Re: Playing with SandBox HIPS-- TESTING WITH APT

    Thanks. I read it before but was really waiting for you to post it here.
     
  24. aigle (Registered Member)

    Tried with the latest version. Ran SPT from the command prompt as untrusted and tried to kill Process Explorer running as trusted.

    SPT Kill method 12 -- DW failed and Process Explorer was terminated.
    Method 14 --- DW failed, Process Explorer was terminated and, very strangely, after that DW lost its protection, or at least the GUI part, not sure exactly. Closed and restarted DW, and this message came:

    Driver could not be initialized properly.

    It was fixed only on reboot. Tried two times with the same results. Seems some bug here.

    Method 16 -- Process Explorer was killed, though SPT reported wrongly that termination failed.
     
  25. ErikAlbert (Registered Member)

    Yes, that is what housewives do: testing, analyzing and watching how malwares do their evil job step by step. LOL.
    Millions of users, including me, just want to get rid of malwares.
    You both are just looking at malwares from a different angle.

    I've been a member for one year at SWI, and all these qualified helpers are addicted to solving HijackThis logs like solving crossword puzzles, until they are blushed out and give up, because this is a tiresome and unpaid job.

    You can blame the bad guys for a lot of things, but they gave a lot of people hobbies, work and food on the table. They changed the whole world wide web and created an entire billion dollar industry of malwares and anti-malwares.

    And what is the final result of all this: NOTHING, but we wasted a lot of time, talent and money.
    Malware + Anti-Malware = nothing. I have a healthy PC, it gets infected, I spend my time on cleaning it and I get the very same PC back. That's absurd; what did I do all that time to get something back that I already had? And lots of users world-wide are wasting their time on ... nothing.

    A lot of things change when you look at it from a different angle, and it also depends on which side you are on. :)
     