Restricting Process Rights vs. DefenseWall/GesWall/SafeSpace

Discussion in 'other anti-malware software' started by Reimer, Apr 6, 2008.

Thread Status:
Not open for further replies.
  1. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    I currently have a setup in XP Pro SP2 which, aside from AntiVir and Online Armor, includes using Software Restriction Policies to 'lower' the rights of certain processes such as my internet browsers and instant messaging clients. I believe this practice is similar to using DropMyRights, for example.

    My question is, does this process restriction work in the same way that DefenseWall/GesWall/SafeSpace 'lowers' the rights of the same processes?


    I know that these programs also have advantages such as isolating objects that are opened by these processes. Are there any other advantages?

    Is it also a good idea to replace the 'Program Guard' feature of Online Armor with DefenseWall, GesWall, or SafeSpace? I'm personally not too fond of the constant popups with Program Guard.

    Thanks for reading my first post ;) :thumb:
     
  2. l0_0l

    l0_0l Registered Member

    Joined:
    Mar 29, 2008
    Posts:
    18
    I am not running (and had never ran) DW, GW, or SS but only used SBIE. I think that SBIE (and maybe GW and SS as well) are virtualization programs that work as containers to programs with full rights in the virtual environment. Most badware cannot penetrate through the container and is deleted when the sandbox is deleted so therefore the actual system is not affected. I am not about the rest of the software but I am interested in this as well.
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    My opinion is "Yes". Sandboxes gives more defense and more configurable that Windows "lower privileged" user account.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I don't think so. First using OA's program guard, you can set your browsers, and email clients to run at lower rights. Second configured properly OA shouldn't bother you with many pop up's.

    Pete
     
  5. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Yes, it´s using the OS's internal functions for creating restricted tokens for the processes/objects - no magic AFAIK...

    More defence - No (if not added an internal "black-list/white-list" for blocking/allowing certain "known" processes).

    More configurable - Yes, since managing the OS's internals seems to scare some users then using third-part security applications can hopefully (with some few exceptions) lower the treshold.

    /C.
     
    Last edited: Apr 7, 2008
  6. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    If I set Firefox to Untrusted and Run safer in OA, I get two prompts for every download (create temp file and download file).
    If I use GeSWall I get one prompt when opening the downloaded file.

    Cheers
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Policy-based sandboxes do more things than merely restricting rights. Shatter attacks are a possibility under LUA, not so with a sandbox. Sandboxes also deal with code injection to trusted processes (AFAIK, you can inject code to explorer.exe even under LUA, can someone confirm this?) and other things.
     
  8. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Reimer's question:

    My answer:

    My answer is strictly based on the question and nothing else. How do you think DefenceWall/GesWall/SafeSpace and similar applications manage to restrict the rights of the chosen applications? That's what I mean with the "no magic" comment. If you go further down in my post you will notice my answer to Ilya's post:

    This answer would be more appropriate to comment based on your insinuation:

    As you see in my comment I mention that they could, which the named HIPS application developers also have done, add functions to increase the generic protection against certain malware code. I don´t even mention in my post possible attack vectors when applying LUA/SRP which I´m fully aware of exists, as that wasn´t the topic of my post.

    For example you mention "shatter attacks", exploiting this design flaw would be very hard to conduct in the first place since this vulnerability was patched years ago (the NT-based kernel). Even if it only was a work-around, you can only set the callback method for pointing to the malware code by exploiting third-part applications, thereby the necessity of well-designed third-part applications (and plug-ins) for secure input and output handling. HIPS applications of sandbox type could indeed (if not targeted themselves of course) isolate/restrict those third-part applications for known/unknown exploits which I´m not objecting against.

    By the way Lucas, when we already are speaking of possible attack vectors in a LUA/SRP environment, could you then please give me an example of the general approach of a "shatter attack"?

    /C.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Oh, yes, they use the NT security architecture:
    I don't know enough to give you an example. BTW, when I talk about LUA I don't consider SRP, because they require a fair involvement of the end-user which isn't the case for LUA (the default environment in Vista and few clicks away in 2000/XP with almost no thinking)
     
  10. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    Thanks for the info guys.

    Now I just have to decide between Sandboxie and Defensewall.

    Since the restriction of rights that policy-based sandboxes provide is the same method in which SRP provides the protection, I'm curious as to exactly what else they do to protect. I'm a little weary since I already lower the rights using SRP even though the sandboxes, I'm sure, provides better protection.

    I guess my way of thinking may be a little off because when I think 'sandbox', I think isolation. So automatically, sandoxie sounds like it would be more effective even if it may not be true
     
    Last edited: Apr 7, 2008
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Reimer,

    Why Sandboxie (free nag or paid) versus DefenseWall (paid), why not SafeSpace (free) versus DefenseWall (paid)?

    Few years ago I started with SBIE and ended up with GeSWall and DefenseWall. Reason for choosing policy over virtualisation is that with a policy sandbox you do not need to know what's virtualised, it all works seamless. For people trying out a lot of software virtualisation sandboxes have an advantage because of the simple clean up. SBIE has a long track record of solid protection and provides additional power settings (that is in my opinion the only advantage over SafeSpace, take heart I found SafeSpace also to be solid, it is just a newer application and a bit simpler). This is one of the reasons why a lot of members use it. DW is also around for quite a while.

    I purchased both GW and DW because wife liked the ease of use of DW and Son liked the little speed advantage (at that time) of GW. He is also a power user and appreciated the configuration options of GW.

    After a while I found that DW was the only one which did not give any hassle when purchasing digital rights of music and video's. Because SafeSapce is working on the *.wav problem with DRM, I have a pesonal preference of SafeSpace (despite the .Net requirement). Also their user interface looks better (also personal no rational argumentation).

    So when you purchase music etc, or have others working on the PC, DW is the one to choose (so easy to use). When your wallet is your limitation and you like to use default settings, then SafeSpace is the one to choose. When you are a real power user than SBIE or GW are the way to go.

    Regards Kees
     
    Last edited: Apr 8, 2008
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Another advantage over SafeSpace is that you can actually SEE what is being virtualized. I find this useful sometimes, over SafeSpace's approach of hiding virtualized items from the user.

    And of course, let's not forget resource usage.
     
Loading...
Thread Status:
Not open for further replies.