Sandboxes-Comparison Test.

Discussion in 'sandboxing & virtualization' started by Blackcat, Dec 15, 2010.

Thread Status:
Not open for further replies.
  1. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
  2. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Interesting test. Thanks!

    (FYI...The site is in German but you can use Google Translate to view it.)
     
  3. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,188
    Location:
    USA
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No. It,s a sandbox like SBIE.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    SandBoxie did well, as expected.
     
  6. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    343
    So if i change that rule in geswall to read only, am i safe from the gamania exploit?
     
    Last edited: Dec 15, 2010
  7. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Pretty good test. I think all the programs tested are very good. Sandboxing and policy restrictions are really the first line of defense.
    Ice
     
  8. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    934
    Problem is it is not practical to empty Geswall and Defencewall as shown
     
  9. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    interesting test. thanks!
    i`ll adjust my bufferzone settings!
     
  10. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks Blackcat for good share :) It is very good and comprehensive comparison test of sandboxes against real world malwares. Glad to know that DefenseWall rocks :thumb: without need of any user interaction/settings change.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Blackcat nice find :thumb:

    Some Remarks though:

    DefenseWall: a pure policy HIPS to contain threatgate programs and their downloads, also a great firewall

    Sandboxie: an application virtualisation application with full control (execution, lowering rights, firewall) on specific sandboxes (e.g. application based or directory based = forced folder). Flush the sandbox and malware is gone, save something outside the sandbox and you are gone.

    GesWall: a Policy HIPS with some virtualisation posibilities (the redirect option). As with DefenseWall covers also the downloads of the threatgates (only when moving/copying from one partition to another this protection is lost). It has a firewall option which does not pop-up (more like Vista/Windows internal FW)

    Bufferzone: an application virtualisation application which ALSO protects against downloads (even from trusted sources, which gives it the widest protection of all) and USB sources. Unlike SBIE it has one Sandbox which is kept all the time. Also has the option to save and restore Sandbox snapshots. It has an outbound firewall option, same as GW, no pop-ups to guide you

    SBIE and GW are more geek's tools, DW and BZ are more fit for average PC users.

    When you want single session sandboxing: choose SBIE

    When you want an easy to use HIPS/FW on threatgates and related downloads: choose DW

    When you want low overhead/full control selective defense: choose GW

    When you want system wide protection and occasionally clear sandbox for dodgy browsing and want an releatively easy user interface: choose BZ

    IMO they are all great
    Regards
     
  12. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Thanks for sharing :thumb:
     
  13. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    @Blackcat : Thanks for the heads up. :thumb:

    @Kees: Informative Summary! :thumb:
     
  14. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Good Info
     
  15. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Yes, that's correct.

    However, in general this problem is known for more than a year now.
    "Setting TabProcGrowth to a value of zero disables Protected Mode for IE Security Zones."
    http://www.ie8blog.com/2009/09/22/s...isables-protected-mode-for-ie-security-zones/

    It didn't hurt too much during the tests. :doubt:
    But I assume you mean this is not practical in the long run.

    Cheers
     
  16. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    343
    re: subset: Yes, that's correct.
    However, in general this problem is known for more than a year now.
    "Setting TabProcGrowth to a value of zero disables Protected Mode for IE Security Zones."

    Thank you very much for that
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don,t think that it,s crucial to change this setting, all that malware did was it disabled IE,s protected mode but as IE is still sandboxed it doesn,t make much of a difference I guess.

    The default allow settings for this in GW are probably due to usability reasons. And they can be changed if some one wants more tighter control.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They wrote that Trojan Gamania was able to disable IE protected mode. I don,t know how trojan can do this. Only IE itself is allowed to do so.

    The threat expert report attached by them shows no such reg modifications. I tried two samples of this trojan but it doesn,t see to disable IE protected mode however these samples were not exactly same as the one used by them( MD5 is different).

    I wish if I could access their sample and try it. I am curious to know how this trojan can do this( I really doubt that). o_O
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, I found the sample and tested it.

    If I run it isolated directly via context menue, geswall Passes and sample is well contained.
    If I run it via isolated internet explorer( IE being the parent), it,s still isolated but does changes the registry that it should not have changed. It,s a bypass for sure. Well caught. :thumb: Will report it to them.
     
  20. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Aigle,

    Problem is the same as with network access you have reported here:
    http://gentlesecurity.com/board/viewtopic.php?t=289&highlight=network

    Note the respons of geswall:
    Application started from isolated one gets the same permissions (rules) as parent, unless child application has its own rules in the console.

    So, when you run the sample via isolated internet explorer it will get the same permissions as the parent (being internet explorer for which the registry access is allowed), since the sample does not have its own rules in the console.

    To solve the problem in a general way, no permissions should be inherited at all from the starting application (like you suggested for network access in the post mentioned above).

    In the same post, mentioned above, geswall also states:
    The behaviour is correct, but in scenario you described security would defenitly benefit from blocked inheritance.

    This statement might suggest that not inheriting any permissions from the starting application might result in some things not to work (although at this moment I can not imagine a scenario for which this would hold).

    As a last note, in the same post mentioned above (last entry) geswall also says:
    Inhetitance option for application rules is scheduled for 3.0

    So, I hope this option will be included in version 3.0
     
  21. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,121
    Location:
    Pennsylvania.
    So as long as a non IE based browser is being used your safe?
     
  22. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Avant and Maxthon have also the same rule.

    Cheers
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I am almost sure that child applications only inherit network permissions of the parent in GW, other permissions are mot inherited. Rather geswall applies default restrictions to any child, regardless of permissions of the parent.

    Am I right?
     
    Last edited: Dec 20, 2010
  24. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Aigle,

    No, you are not right.

    You can try the following test I performed:

    Make a copy of notepad.exe on the C: drive, rename it into note1.exe and label it as untrusted.
    Make a text file C:\test.txt (and put some text in it).

    Make rule in Resources: C:\test.txt File Confidential
    Make rule for Internet Explorer: C:\test.txt File Allow

    Using Geswall Security Level = High, I get following results:
    1. If I run note1.exe via Explorer, it will be isolated and is not able to read C:\test.txt (using File\Open menu).
    2. If I start Internet Explorer (isolated) and type C:\note1.exe (in the same place as you type a URL), IE will start note1.exe isolated. Using File\Open menu, note1.exe is now allowed to open C:\test.txt

    From this I have to conclude that note1.exe inherits the rules of Internet Explorer (when started by it).
     
  25. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    All very good, as one might imagine Sandboxie would block everything, really am becoming a fan of that software, and it work perfectly on my W7 x64 and have a free option.
     
Loading...
Thread Status:
Not open for further replies.