Questions about files that are virtualized

Discussion in 'sandboxing & virtualization' started by trjam, Nov 19, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I am trying to understand, or make sure I understand, so I will use GeSWall for the example. Sandboxie is easy to understand because once it is closed, it flushes to the toilet. With a product like GeSWall my OS is protected, but if malware attaches itself to any files that are virtualized, when does it get flushed? Or does it reside there for good?

    If it does, does it just continue to build up over time,
    or does it disappear on reboot, sort of like ShadowDefender?

    thanks
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear Trjam,

    Sandboxie and Safe Space are virtualisation sandboxes: they apply a policy limitation (sandbox) AND have a separate file system (virtualisation). GesWall is partly a virtualisation sandbox (the redirect option) and mainly a policy sandbox. DefenseWall is a pure policy sandbox (or HIPS, as Ilya prefers to call it).

    The advantage of GeSWall and DefenseWall is that they integrate their security seamlessly with the file system. Meaning a file gets an untrusted tag. This tag leashes them (or better chains them) to an improved limited user environment. So you do not have to worry whether it is in or out of the sandbox, you are ALWAYS protected.

    Difference between DW and GW is that DW applies a simple deny or allow (and only asks for user permission when assessing protected resources), GW has some more options (depending on choice leading to automated containment or pop-ups).

    GW also has a redirect option (meaning a virtualisation of protected resources), which allows access to protected resources but virtualises the changes (while DW only knows a deny or allow). This set of changes (e.g. registry) is thrown away after untrusted process execution has finished. This redirect option makes it easier for users to solve incompatibility problems themselves (which is an advantage of GW, as is the application wizard of GW which builds rules automatically).

    Basically the toilet should never be flushed with DW or GW. :eek: :eek: :eek:

    DW has a roll back option in which you can manually flush the toilet. This is intended only for power users. Normal users should not have to use or know about this feature, because DW has total untrusted file protection.

    This total untrusted file protection is the competitive advantage of DW over GW. GW will change a file's status from untrusted to trusted when you move it from one disk partition to another. GW will also change the status from untrusted to trusted when an untrusted file is modified by a trusted application. For instance, when you install 7-zip in a different folder than the default folder, GW will not recognise 7-zip and untrusted zipped files will change to trusted zipped content. DW has a much smarter way of recognising built-in programs.


    By the way, I am using GW Pro now, so when used with care this disadvantage of GW is not a big deal in daily practice. Only in the hands of a security noob would I advise DW over GW (as a matter of fact my mom of 75 is able to use DW, because the application is so easy to use).

    Hope this helps
     
    Last edited: Nov 19, 2008
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    thanks Kees, now I understand.:)
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    When comparing policy based sandboxes to Sandboxie, there is one big difference. If the malware doesn't require admin privileges, then a policy based sandbox is helpless.

    There was a discussion a while back about an extortion based malware, the kind that encrypted all your data type files. It didn't require admin privilege, so it went merrily on its way regardless of any policy based protection. Sandboxie stopped it mainly because the malware rewrote the files in the sandbox, not the real system, and then they were deleted.

    Something to be aware of.

    Pete
     
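    To make the distinction in the thread concrete (Kees' virtualisation sandbox vs policy sandbox with an untrusted tag and an optional redirect layer, and Pete's scenario of a non-admin process rewriting user documents), here is a toy model. It is an added example for this page, not code from Sandboxie, GeSWall or DefenseWall, and it simplifies those products heavily: the `protected` list, the `redirect` and `relabel_on_trusted_modify` switches, the `File.trusted` tag and the sample paths are all constructed assumptions. The point it shows is that the outcome in Pete's scenario depends on whether the user's documents are in the protected set, which is exactly what the later posts in the thread turn on.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ALLOWED = "allowed"          # write reached the real file system
    DENIED = "denied"            # write blocked by policy
    REDIRECTED = "redirected"    # write landed in a throw-away layer


@dataclass
class File:
    content: str
    trusted: bool = True   # assumed trust tag; models the "untrusted tag" of a policy sandbox


class VirtualizationSandbox:
    """Sandboxie-style model: every write by a sandboxed process goes to a
    copy-on-write overlay, and closing the sandbox discards the overlay."""

    def __init__(self, real_fs):
        self.real = real_fs      # path -> File, the host file system
        self.overlay = {}        # path -> File, private to the sandbox

    def write(self, path, content):
        self.overlay[path] = File(content, trusted=False)
        return Outcome.REDIRECTED

    def read(self, path):
        # Inside the sandbox the overlay shadows the real file.
        return (self.overlay.get(path) or self.real[path]).content

    def close(self):
        """'Flush the toilet': everything the sandboxed process changed is gone."""
        self.overlay.clear()


class PolicySandbox:
    """GeSWall/DefenseWall-style model (simplified): files carry a trust tag,
    untrusted processes are denied (or redirected) on protected resources,
    and files they create elsewhere persist but stay tagged untrusted."""

    def __init__(self, real_fs, protected, redirect=False, relabel_on_trusted_modify=False):
        self.real = real_fs
        self.protected = set(protected)
        self.redirect = redirect                    # GW redirect option vs DW pure deny
        self.relabel = relabel_on_trusted_modify    # GW-like tag flip vs DW-like sticky tag
        self.overlay = {}                           # redirect layer for one untrusted run

    def write(self, path, content, proc_trusted):
        existing = self.real.get(path)
        if proc_trusted:
            # Whether a trusted app's modification turns an untrusted file
            # trusted is the behaviour Kees contrasts between GW and DW.
            keep_untrusted = existing is not None and not existing.trusted and not self.relabel
            self.real[path] = File(content, trusted=not keep_untrusted)
            return Outcome.ALLOWED
        if path in self.protected:
            if self.redirect:
                self.overlay[path] = File(content, trusted=False)
                return Outcome.REDIRECTED
            return Outcome.DENIED
        # Unprotected location: the write is real, but the file is tagged untrusted.
        self.real[path] = File(content, trusted=False)
        return Outcome.ALLOWED

    def untrusted_process_exited(self):
        """Redirected changes are thrown away once the untrusted process finishes."""
        self.overlay.clear()

    def is_trusted(self, path):
        return self.real[path].trusted


DOC = "C:/Users/me/Docs/report.doc"      # constructed sample path
ARCHIVE = "D:/Downloads/stuff.zip"       # constructed sample path


def demo_ransom(kind):
    """An untrusted, non-admin process tries to overwrite the user's document.
    Returns (outcome, content of the real file after the process is done)."""
    real = {DOC: File("quarterly numbers")}
    if kind == "virtualization":
        sb = VirtualizationSandbox(real)
        outcome = sb.write(DOC, "scrambled")
        assert sb.read(DOC) == "scrambled"    # inside the sandbox the damage looks real
        sb.close()
    else:
        protected = [] if kind == "policy-unprotected" else [DOC]
        sb = PolicySandbox(real, protected, redirect=(kind == "policy-redirect"))
        outcome = sb.write(DOC, "scrambled", proc_trusted=False)
        sb.untrusted_process_exited()
    return outcome, real[DOC].content


def demo_trust_flip(relabel):
    """An untrusted download is later re-saved in place by a trusted application.
    Returns True if the file ends up trusted (the GW behaviour Kees describes),
    False if the untrusted tag sticks (the DW behaviour)."""
    real = {}
    sb = PolicySandbox(real, protected=[DOC], relabel_on_trusted_modify=relabel)
    sb.write(ARCHIVE, "zipped payload", proc_trusted=False)          # browser download
    assert not sb.is_trusted(ARCHIVE)
    sb.write(ARCHIVE, "zipped payload, re-saved", proc_trusted=True)  # trusted app modifies it
    return sb.is_trusted(ARCHIVE)
```

    Running `demo_ransom` with each `kind` shows the three protections reaching the same result (real document untouched) by different means, and the one case where a policy sandbox fails: when the document is simply not on its protected list. `demo_trust_flip` is the 7-zip situation from Kees' post reduced to its essence.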
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, GW stopped them all also and DefenseWall stopped 'only' the important ones. It is a strengthened limited user environment. See EdgeGuard Solo, same principle, so user based restriction should not be taken too literally.

    On the other hand when Comodo's HIPS and leaktest set was launched, DW stopped them all cold, while SBIE missed one.

    This user limitation / outside sandbox problem is not related to the architecture of the program, but to the quality it is made with. Bufferzone for instance is vulnerable to key loggers being able to grasp data inside the sandbox, while SBIE slaps all of them on the fingers.

    Greenborder and Bufferzone belong to the same category as Sandboxie and SafeSpace; SBIE is just clearly the best in its category, while the DW and GW comparison is a complex one.
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Sorry, but you are definitely wrong here. DefenseWall does protect important files against modification by untrusted processes unless they are in the "Defense Excludes" list.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yeah, I was thinking about it too, and the separation of trusted and untrusted is the main idea here: nothing untrusted can hurt or modify the system (trusted). :thumb: Everything that is untrusted is blacklisted and separated :thumb: and cannot do any harm to the PC. I like this approach better than the pure sandbox, because if by accident you let a file outside the sandbox it can easily harm the real system, and the policy based sandbox restricts the action or damage that can be done by an untrusted process. Something like that.
     
    Last edited: Nov 19, 2008
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GW and DW are a bit hybrid. The virtualized files are flushed automatically as soon as they are closed (gone from memory). The isolated files remain there unless they are deleted manually or via the GW/DW console. In any case they can't damage the system as they are isolated.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As I intended to say, it is similar, but not the same (because stronger and enforced using different means,
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Okay. I'll retest and see what happens.

    Pete
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Update. Retested and sure enough, DW did indeed protect against the files being encrypted.

    Pete
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yeahhhhhhhh, I knew it :D :thumb: :D
     