Sandbox & Virtualization HIPS

Discussion in 'sandboxing & virtualization' started by CogitoErgoSum, Jul 20, 2006.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    The past six and a half months have truly convinced me that a host intrusion prevention system (HIPS) that employs non-admin./limited user, sandboxing and virtualization technologies is the ultimate security setup for malware prevention alongside an antivirus and firewall. The links posted below explain or demonstrate the virtue of a non-admin./limited user account.

    http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx
    http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx
    http://eweek.com/article2/0,1759,1891447,00.asp

    In an objective and open minded fashion I have posted links below to current HIPS that incorporate some or all of the above mentioned technologies.

    DefenseWall - http://www.softsphere.com/
    BufferZone SAE/Home/Pro - http://www.trustware.com/
    GreenBorder - http://greenborder.com/
    Virtual Sandbox - http://www.fortresgrand.com/products/vsb/vsb.htm
    VELite - http://www.secureol.com/
    SandBoxie - http://sandboxie.com/
    RunSafe - http://www.runsafe.com/
    1-Defender - http://amustsoft.com/1-defender/

    Out of the eight, for whatever reason, my sole experience is with DefenseWall. Interestingly, I found out about DW at both CastleCops - http://www.castlecops.com/postlite140478-defensewall.html and Wilders - https://www.wilderssecurity.com/showthread.php?t=98240&highlight=defensewall. It is my opinion that DW is the most effective and refined example of this kind of software at any price. In addition to being both simple and easy to use, it uses a relatively modest amount of resources. Ilya Rabinovich, DW's creator, provides excellent customer and technical support and timely program updates and fixes. I have provided links regarding DW below that may be of interest to you.

    DefenseWall Test - http://security.over-blog.com/article-3030160.html
    DefenseWall Support Forums - http://gladiator-antivirus.com/forum/index.php?showforum=192

    Peace & Love,

    CogitoErgoSum
     
    Last edited: Jul 25, 2006
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U forgot GesWall!
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I have been using DefenceWall for a while and I feel that it is great. I am not a security expert but from what I have seen I feel that it is one of, if not the best, security programs I have. I would much rather keep things off my computer than try to get them off.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I tried RunSafe, but I don't like its design. The box with the secured applications isn't a good idea IMO.
    Each chosen application is in fact doubled on your desktop: unsecured and secured. If I click on the wrong icon of MSIE I'm not secured.
    MSIE is secured, but if I click on a website-icon on my desktop, the website isn't secured. What a mess.
     
  5. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
  6. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    DefenseWall seems good.

    Has anybody tried both DefenseWall and Prevx?

    I like the sound of both programs.
     
  7. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I think I have to mention a similar soft called BlackICE here, which is IMHO one of the best IDS - you _could_ call it also HIPS - out there.
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I've tested both together and have found no problems.

    Wrong: IDS are based on signature methods, HIPS are not.
     
  9. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Learned something again today. Wasn't aware of this.
     
  10. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    It has been brought to my attention that the first two links that I originally posted regarding the virtues of a non-admin./limited user account apparently do not work. I revised the links in the original post up above so that they do work. Thanks nicM for pointing that out.

    The Wilder's link apparently does not work either. I also revised this link in the OP so that it works.


    Peace & Love,

    CogitoErgoSum
     
  11. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Just some links about different classes of programs and HIPS:

    http://wiki.castlecops.com/Different_classes_of_security_software

    Focused on HIPS: http://kareldjag.over-blog.com/article-1693696.html

    Amust and Runsafe can't be considered as HIPS!
    They're only administrator tools.
    An HIPS is generally integrated at a low level and intercepts API calls in order to control system's activity (behaviour).
    Most HIPS use policy and privilege restrictions (service/driver, physical memory etc.) and are mostly designed to protect the local host where they're installed.

    It's true that an IDS is based on signatures, but the main difference is somewhere else: an IDS focuses its protection on a network perimeter, a HIPS on the local host (desktop for home users, server for a corporate environment).

    The problem is that the administrator account is the default Windows account, and that the majority of users run under this account simply because it's the easiest way to use their pc for most of them.

    HIPS-based sandboxing and virtualization are interesting, but this is not the panacea: for VMware for instance, fingerprint scanning methods exist to find out if a system is under VMware or not, and then a buffer overflow exploit can be applied.
    This is the same if an attacker has a remote command or physical access to the machine: there are documented and undocumented methods to verify if the system is under VMware or not (see image here: http://idata.over-blog.com/0/22/17/61/vmwarefing.jpg ).

    The kind of HIPS is not the most important, as long as the user runs under a limited account and has the right HIPS for him.

    regards
     
    Last edited: Jul 25, 2006
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Do u mean to say that running as limited user is safer than running as administrator with sandboxing of vulnerable applications?

    BTW, Ur tests of DefenseWall were nice but I really missed the comparison; without any other similar application being tested at the same time, it is hard to guess how good DefenseWall is, esp. as compared to other similar applications. Pls, if possible, can u do a comparative testing of DefenceWall with other applications like Sandboxie or GesWall? It will be really interesting to see.
     
    Last edited: Jul 25, 2006
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Agree 100% !

    Not quite! There are some local host - based end-user IDS systems. SocketShield, for instance...

    Well, it is possible for malware to operate even under a limited rights user account. The fact is that Windows was designed in the 80s; there was no malware at that time, and there were no tools included in its core to protect users from this stuff. That is the main reason for HIPS products to be here.

    A panacea does not exist, we all know about it! This is just a new protection method for the tools, increasing the protection level against unknown malware. It has advantages and disadvantages as all the protection schemes in the real world do; nobody's perfect (we just discussed it in a parallel thread)!

    BTW- add your new blog's address into your signature!
     
  14. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello kareldjag,

    Thanks for sharing your wisdom with us and setting the record straight.


    Peace & Love,

    CogitoErgoSum
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    doesn't matter that much if someone knows if I have a VMware Station aboard .. and fingerprint scanner .. hmmm the first one entering my living room with something like a VMware fingerprinting tool .. I bet I'll buy him a nice Belgian beer lol :)
     
  16. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Ilya,

    Thanks for sharing your experience with sandboxes, virtualization, non-admin./limited user accounts and HIPS. As usual, they are very much appreciated.


    Peace & Love,

    CogitoErgoSum
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I didn't understand the part about the VMware "fingerprint scanner", can you give a bit more info about this? I mean, are you saying that malware is able to fool the virtual machine (avoiding detection), or can it break out of the virtual machine? :blink:
     
    Last edited: Jul 25, 2006
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No. It means that malware is able to determine if it is running under VM and to stop working or use some specialized techniques to break out from it.
     
  19. angus49

    angus49 Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    106
    Location:
    Hudson,Florida - USA
    Has anyone compared Virtual Sandbox by Fortresgrand and BufferZone?
    The concept is great but I'm reading an awful lot of install, uninstall, and compatibility issues in BZ forums, but I haven't seen a forum for Virtual Sandbox.
     
  20. crazy4stef

    crazy4stef Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    14
    I'm using system safety monitor and safe system 2006.
    or Ghost security suite and parador .

    These 2 suites are both good!
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Never used VS. Used BZ for a very short period so can't comment. There are some threads in the forums about both, esp. BZ. U can try to search them.
     
  22. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    aigle, sorry for being off topic, but were you running Rollback when you installed BZ??

    nicM
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I also think that AMUST 1-Defender and RunSafe can't be considered to be sandbox HIPS; the only thing they do is make processes run in non-admin mode, so it's not really sandboxing. RunSafe does however also cover process spawning, so it's more advanced than 1-Defender.
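    The two behaviours discussed in this thread (kareldjag's description of a HIPS that intercepts API calls and applies policy/privilege restrictions on services, drivers and physical memory, and the point above that only some tools follow process spawning) can be modelled in a small policy engine. The following is an added illustration written for this page, not code from DefenseWall, RunSafe, 1-Defender or any other product named here; the trace of API-style events, the sandbox path and the rule set are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Folder a restricted process is allowed to write into (assumed path for this example).
SANDBOX_ROOT = "C:\\Sandbox\\"

# Calls a restricted process may never make: the "service/driver, physical memory"
# privilege restrictions described in the thread. Names are illustrative, not a real API list.
FORBIDDEN_CALLS = {"CreateService", "LoadDriver", "OpenPhysicalMemory"}


@dataclass(frozen=True)
class Event:
    pid: int                          # process making the call
    call: str                         # API-style call name
    target: str = ""                  # file path, service name, or child image name
    child_pid: Optional[int] = None   # set only for CreateProcess


def evaluate(trace, launched_pid, follow_children):
    """Replay a trace and return a list of (event, verdict), verdict being 'allow' or 'deny'.

    launched_pid    - the process the user started through the sandbox
    follow_children - True: processes spawned by a restricted process are restricted too
                      (the "covers process spawning" behaviour);
                      False: only the originally launched process is restricted.
    """
    restricted = {launched_pid}
    verdicts = []
    for ev in trace:
        if ev.pid not in restricted:
            verdicts.append((ev, "allow"))      # unrestricted processes are untouched
            continue
        if ev.call in FORBIDDEN_CALLS:
            verdicts.append((ev, "deny"))
        elif ev.call == "WriteFile":
            inside = ev.target.lower().startswith(SANDBOX_ROOT.lower())
            verdicts.append((ev, "allow" if inside else "deny"))
        elif ev.call == "CreateProcess":
            # Spawning itself is allowed; the policy question is whether the child inherits
            # the restriction. Without inheritance the child escapes the sandbox entirely.
            if follow_children and ev.child_pid is not None:
                restricted.add(ev.child_pid)
            verdicts.append((ev, "allow"))
        else:
            verdicts.append((ev, "allow"))
    return verdicts


# Constructed trace (not captured from any real system): pid 100 is the sandboxed browser,
# pid 200 is a program it spawns, pid 300 is an unrelated process outside the sandbox.
TRACE = [
    Event(100, "WriteFile", SANDBOX_ROOT + "cache\\page.html"),
    Event(100, "WriteFile", "C:\\Windows\\System32\\drop.dll"),
    Event(100, "CreateProcess", "dropper.exe", child_pid=200),
    Event(200, "WriteFile", "C:\\Windows\\System32\\drop.dll"),
    Event(200, "CreateService", "drop"),
    Event(300, "WriteFile", "C:\\Users\\me\\notes.txt"),
]


def denied_events(follow_children):
    """(pid, call) pairs denied for the constructed trace under the given spawn policy."""
    return [(ev.pid, ev.call)
            for ev, verdict in evaluate(TRACE, 100, follow_children)
            if verdict == "deny"]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"follow_children = {mode}")
        for ev, verdict in evaluate(TRACE, 100, mode):
            print(f"  pid {ev.pid:<4} {ev.call:<16} {ev.target:<36} {verdict}")
```

Run with `follow_children=False` only the browser's own write outside the sandbox is blocked; the spawned process is unrestricted, so its write into System32 and its service creation both pass. With `follow_children=True` the child inherits the restriction and all three are denied, which is the difference between merely launching a process with reduced rights and actually sandboxing it.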
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am not sure now but I think probably not. I had not bought RollbackRx at that time.
    Does BZ play with the MBR?
     
  25. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    No, I don't think so, about the MBR. The reason I asked you about that is, since I'm running Rollback, there is no way to install BZ anymore for me :cautious: . Each time I've tried, the computer gets unbootable, in normal or even safe mode.

    The problem is it seems that nobody else could reproduce this bug, at least to my knowledge. That's why I asked you, just to know if you were one more successful Rollback/BZ user, or not: this issue is really weird.

    nicM
     