Restricting Process Rights vs. DefenseWall/GesWall/SafeSpace

Discussion in 'other anti-malware software' started by Reimer, Apr 6, 2008.

Thread Status:
Not open for further replies.
  1. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    I currently have a setup in XP Pro SP2 which, aside from AntiVir and Online Armor, includes using Software Restriction Policies to 'lower' the rights of certain processes such as my internet browsers and instant messaging clients. I believe this practice is similar to using DropMyRights, for example.

    My question is, does this process restriction work in the same way that DefenseWall/GesWall/SafeSpace 'lowers' the rights of the same processes?


    I know that these programs also have advantages such as isolating objects that are opened by these processes. Are there any other advantages?

    Is it also a good idea to replace the 'Program Guard' feature of Online Armor with DefenseWall, GesWall, or SafeSpace? I'm personally not too fond of the constant popups with Program Guard.

    Thanks for reading my first post ;) :thumb:
     
  2. l0_0l

    l0_0l Registered Member

    Joined:
    Mar 29, 2008
    Posts:
    18
    I am not running (and have never run) DW, GW, or SS, but have only used SBIE. I think that SBIE (and maybe GW and SS as well) are virtualization programs that work as containers for programs, which have full rights in the virtual environment. Most badware cannot penetrate the container and is deleted when the sandbox is deleted, so the actual system is not affected. I am not sure about the rest of the software, but I am interested in this as well.
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    My opinion is "Yes". Sandboxes give more defense and are more configurable than a Windows "lower privileged" user account.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't think so. First, using OA's Program Guard you can set your browsers and email clients to run at lower rights. Second, configured properly, OA shouldn't bother you with many pop-ups.

    Pete
     
  5. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Yes, it's using the OS's internal functions for creating restricted tokens for the processes/objects - no magic AFAIK...

    More defence - No (unless an internal "black-list/white-list" for blocking/allowing certain "known" processes is added).

    More configurable - Yes; since managing the OS's internals seems to scare some users, using third-party security applications can hopefully (with a few exceptions) lower the threshold.

    /C.
     
    Last edited: Apr 7, 2008
  6. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    If I set Firefox to Untrusted and Run safer in OA, I get two prompts for every download (create temp file and download file).
    If I use GeSWall I get one prompt when opening the downloaded file.

    Cheers
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Policy-based sandboxes do more things than merely restricting rights. Shatter attacks are a possibility under LUA, not so with a sandbox. Sandboxes also deal with code injection to trusted processes (AFAIK, you can inject code to explorer.exe even under LUA, can someone confirm this?) and other things.
     
  8. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Reimer's question:

    My answer:

    My answer is strictly based on the question and nothing else. How do you think DefenseWall/GesWall/SafeSpace and similar applications manage to restrict the rights of the chosen applications? That's what I mean by the "no magic" comment. If you go further down in my post you will notice my answer to Ilya's post:

    This answer would be more appropriate to comment on based on your insinuation:

    As you see in my comment, I mention that they could, as the named HIPS application developers have also done, add functions to increase the generic protection against certain malware code. I don't even mention in my post the possible attack vectors when applying LUA/SRP, which I'm fully aware exist, as that wasn't the topic of my post.

    For example, you mention "shatter attacks"; exploiting this design flaw would be very hard to conduct in the first place, since this vulnerability was patched years ago (in the NT-based kernel). Even if it was only a work-around, you can only set the callback method to point to the malware code by exploiting third-party applications, hence the necessity of well-designed third-party applications (and plug-ins) for secure input and output handling. HIPS applications of the sandbox type could indeed (if not targeted themselves, of course) isolate/restrict those third-party applications against known/unknown exploits, which I'm not objecting to.

    By the way Lucas, since we are already speaking of possible attack vectors in a LUA/SRP environment, could you please give me an example of the general approach of a "shatter attack"?

    /C.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Oh, yes, they use the NT security architecture:
    I don't know enough to give you an example. BTW, when I talk about LUA I don't consider SRP, because SRP requires a fair involvement of the end-user, which isn't the case for LUA (the default environment in Vista and a few clicks away in 2000/XP with almost no thinking).
     
  10. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    Thanks for the info guys.

    Now I just have to decide between Sandboxie and Defensewall.

    Since the restriction of rights that policy-based sandboxes provide is the same method by which SRP provides the protection, I'm curious as to exactly what else they do to protect. I'm a little wary since I already lower the rights using SRP, even though the sandboxes, I'm sure, provide better protection.

    I guess my way of thinking may be a little off, because when I think 'sandbox', I think isolation. So automatically Sandboxie sounds like it would be more effective, even if that may not be true.
     
    Last edited: Apr 7, 2008
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Reimer,

    Why Sandboxie (free nag or paid) versus DefenseWall (paid), why not SafeSpace (free) versus DefenseWall (paid)?

    A few years ago I started with SBIE and ended up with GeSWall and DefenseWall. The reason for choosing policy over virtualisation is that with a policy sandbox you do not need to know what's virtualised; it all works seamlessly. For people trying out a lot of software, virtualisation sandboxes have an advantage because of the simple clean-up. SBIE has a long track record of solid protection and provides additional power settings (that is, in my opinion, the only advantage over SafeSpace; take heart, I found SafeSpace also to be solid, it is just a newer application and a bit simpler). This is one of the reasons why a lot of members use it. DW has also been around for quite a while.

    I purchased both GW and DW because my wife liked the ease of use of DW and my son liked the little speed advantage (at that time) of GW. He is also a power user and appreciated the configuration options of GW.

    After a while I found that DW was the only one which did not give any hassle when purchasing digital rights for music and videos. Because SafeSpace is working on the *.wav problem with DRM, I have a personal preference for SafeSpace (despite the .Net requirement). Also their user interface looks better (also personal, no rational argumentation).

    So when you purchase music etc., or have others working on the PC, DW is the one to choose (so easy to use). When your wallet is your limitation and you like to use default settings, then SafeSpace is the one to choose. When you are a real power user, then SBIE or GW are the way to go.

    Regards Kees
     
    Last edited: Apr 8, 2008
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Another advantage over SafeSpace is that you can actually SEE what is being virtualized. I find this useful sometimes, over SafeSpace's approach of hiding virtualized items from the user.

    And of course, let's not forget resource usage.
     