Sandbox vs HIPS

Discussion in 'other anti-malware software' started by TVH, Jan 16, 2008.

Thread Status:
Not open for further replies.
  1. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    I currentley have Prosecurity Free and SandboxIE paid. Are they bith as effective at preventing malware?

    I find sandboxIE easier to use, but does Prosecurity provide better protection?
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Sandboxie would be my first choice of any software period. :)
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yea I have read in these forums before that there are malware that behavior blockers miss but Sandboxie contains.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AFAIK I know, Sandboxie isolates each object in a sandbox, that is downloaded by myself or something else via Firefox + Noscript.
    As long I don't do anything with these isolates objects, they will be removed by Sandboxie manually or automatically.
    If I LOCK my data partition/folders, these isolated objects can't read, write or steal my data.
    All this without doing anything than an one-time configuration of Sandboxie
    Except for installation files of legitimate softwares, why would I recover and click on any other object in the sandbox ?
    It's not even my habit to click on objects in my system partition, there is no reason for me to do this, because I start all my applications via icons on my desktop and lots of malware need some kind of trigger first in order to do their evil job.

    On top of that, I use Anti-Executable (HIPS) to terminate any unauthorized executable in my system partition immediately. Anti-Executable also requires a one-time configuration and that's it.

    Last but not least, my system partition is frozen to make sure that any change is removed, in case SB or AE or my firewall + router, failed to do their job. I only need SB and AE to stop the execution of malware, because a frozen system partition, doesn't do that.

    My personal goal was not to waste any time on malware anymore, because I learned in malware forums, how much time less-knowledgeable users spend on malware and repairing their system partition : one hour, several hours, one day or even several days.
    But most members seem to have another goal : play with any kind of security software, even when they don't need it.

    The only security softwares, I'm still considering are script blockers and behavior blockers and I still have a big problem : NEW objects, but every user has that problem. :)
     
    Last edited: Jan 16, 2008
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Behav. blockers will always miss malware, because of their blacklist nature. This said, they're order of magnitude more effective against malware than AVs. The approach of behav. blockers is the same as the approach of AVs, only alert you of real malware and don't bother configuring. Sandboxes are a bit stronger, but they requiere more imput from you.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In that case I don't need behavior blockers, it's against my principle of not using any blacklist security softwares. One worry less. :)
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    what sort of malwares have been getting thru ? do you know how your machine is becoming contaminated ?
     
  8. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    Nothing has really been getting through mainly due to the vast amount of AV's and antispywares i used to use. Ive decided enough is enough and am cutting back. Thats why i was wondering which would be the better option to run, and have now decided to run both.

    My pc with my new setup in xp sp2 takes just under 30 secs to start after the welcome screen.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That question, I asked myself once and the answer is simple : I don't know and I will never know, because I don't see any difference between good and bad objects, they all look the same to me.
    The only way for me to see, I'm infected is when a malware uses special visual effects, like a black screen when I reboot my computer and can't get to Windows. :)
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    I thought behavior blocker(AntiBot/PRSC/TF) did just that, monitored software that's running/active for certin types of behaviur, not blacklisting. But I could very well be wrong here.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Behav. blockers do blacklisting, because they enforce a default-permit policy until they detect malicious behaviour.
    AVs do blacklisting, but with a weaker technology (file scanning throu signatures, heuristics and emulation)
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Looking at PRSC which is a BB, I don't see blacklisting anywhere here.

    2008-01-16_191443.png

    What am I missing here?
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Behavior blocking plus Blacklisting (Antivirus module or build-in blacklists )

    * Cyberhawk (now ThreatFire) Liteware (Build-in lists used for specific identification, also includes optional AV module)
    * DriveSentry - Liteware (Build-in lists)
    * Online Armor - Liteware (Build-in lists, also includes optional AV module)
    * Prevx Community protection Liteware (Build-in lists)
    * Safe n Sec (Includes optional AV module)


    Smart expert based Behavior blockering

    * Primary Response SafeConnect & Norton AntiBot
    * ThreatFire - Free version
    * Micropoint Proactive Defense - English version is free?
    * Mamutu
    * DriveSentry - Liteware
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Thanks trjam. :thumb:
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I have to admit I really like Antibot. The one option it has over TF is that you can set it to make the choice for you without the popup.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Blacklisting = enumeration of badness.
    AVs enumerate badness by signatures/heuristics, behav. blockers enumerate badness by behaviours.
    "intelligently analyzing a combination of known bad behaviours to determine if a program is malicious"
    Do you see it now?
    Do some thinking about what sandboxes do, what classical HIPS do and what whitelist HIPS do and you'll see the differences.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U are just playing with the words. This way every application, even the classical HIPS are blacklisters. After all every HIPS has a set of filters that it watches and intercepts. No HIPS can intercept each and eevry movement on the OS.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    True, that's why HIPS are regularly updated to cope with the latest leak-test/PoC. However:
    - Classical HIPS don't make decisions on their own, you make the decisions.
    - They are first and foremost anti-executables (secondarily you have interprocess communication, file defence, registry defense, etc) which stops 100 % of ITW malware.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So by ue definition HIPS are also black listers.
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Sorry but I just do not agree with you on this.
    True behavior blocking is not blacklisting IMO.
    Maybe you should think about it some more.
     
  21. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    I think you can add that behavior blockers work on rules, which are variables that must be part of some type of lists, whether created dynamically or part of a database of functions ie good or bad they are still using lists...
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Instead of blacklisting code, behavior blockers blacklist actions.
     
  23. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I have to agree with loneWolf here:
    Black listing is simply labeling a checksum as hostile, giving it a name and linking it to some other database such as perhaps a disinfection methodology for a specific Trojan for example.

    I wrote a small explanation on both in another post here:
    https://www.wilderssecurity.com/showpost.php?p=1162450&postcount=27
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Wrong. Blacklisting has nothing to do with giving names and cleaning. It's just a process of identifying a string of code as bad; end of story. Whether you want to give that code string a name or write a cleaning routine for it is irrelevant.

    Same goes for behavior blocking. Only difference is that you're blacklisting actions, instead of code.
     
  25. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Of course you are right as for the behavior algorithms themselves:

    Read my "other" explanation. We could get lost in semantics here forever...
    I wrote a small explanation on both in another post here:
    https://www.wilderssecurity.com/showpost.php?p=1162450&postcount=27
     
    Last edited: Jan 17, 2008
Loading...
Thread Status:
Not open for further replies.