Sandboxie vs Geswall vs Bufferzone

I haven't used virtualization software and am interested in trying it.

Tell me about these 3 programs; which is the best in your opinion/offers the most security? How hard are they to use?

I did see in Gizmos test that Geswall totally failed.

 

well from experience (i've tried all three) geswall gives you the best bang for the buck : program termination protection, keyloggers, and various nasty disk killing virii and malware. i haven't yet tried sandboxie 3.0 (last version i tried was 2.4 or soemthing) or bufferzone 2.5 beta (the last version i tried was 2.1xx and didn't like it) so i don't know what's changed since i last tried them. geswall is also relatively bug free, the only major bug that comes to mind was the "explorer isloation" bug (but i personally never experienced it) and i think that's been addressed.

 

I cannot comment on Geswall due to my inexperience with it.
However, I have become quite enamored with SandboxIE.
Efficacy (if using Gizmo's findings as a benchmark) is among the best.
I find it easy to use/intuitive.
System impact is minimal.
Tzuk (the developer) is very active in it's continued evolution.
I was sufficiently enamored that I sent him my $.

 

hello bob d, are you using version 3 of sandboxie? if so can you do me a favor?

can you (or any other user of sandboxie 3.0 reading this thread) run these 3 tests? they are non-destructive (ie they are not virii or malware) and should only take a few seconds to run them.

1) the advanced process termination test by DCS :
http://www.diamondcs.com.au/freeutilities/apt.php

run this program sandboxed and select a non-sandboxed program (like calculator or notepad) and see if any of the tests can terminate the non-sandboxed program.

2) martin's undetectable keylogger test (this is NOT malware) :

http://www.winsite.com/bin/Info?26000000037599

run this program sandboxed and open up a non-sandboxed notepad and type some gibberish in it. see if any keys are logged.

3) http://www.firewallleaktester.com/aklt.htm

again run this program sandboxed and then open up a non-sandboxed verion of notepad and type gibberish there again. see if any keys are logged.

 

Don't forget DefenseWall

 

I'm looking at freeware only. I know Defensewall is about the best security program you can get!

 

Hi zopzop

Ver. 3
Will run tests shortly when I get some play time.

 

Notes:
My AV (VBA32) flagged apt, keylog files. So I had to disable monitor.
Of course my HIPS (PS) alerted to everything (had to select "allow" for all).

1)apt: I could not kill running instance of notepad.

2)keylogger test: Keystrokes were logged.
(log.txt file was saved automatically within the sandbox).

3)aklt: No keystrokes logged.
Screenshot does take a screenie of desktop.
(Paint program with screen shot is of course running sandboxed).

 

so does this mean it passed or failed. Sorry, ignorant joe here.

 

What about Gizmos findings in his test where Geswall totally failed? What do you guys have to say about that?

 

That depends what you are looking for. We'll have to wait for zopzop's comments.
Bear in mind that by design SandboxIE keeps just about anything from getting on your system.
I love the idea of surfing the dark side (if one is so inclined) with virtual impunity.
It does not do as well preventing stuff from leaving your system.
Hence the rationale for outgoing protection, be it a FW w/ good outbound protection or a substantial HIPs proggie.

 

all i can say is he needs to redo those tests. geswall has passed everything i (and some others) have thrown at it. and when holes were found they were quickly addressed by gentlesecurity. so the less said about gizmo and his tests the better.

excellent result! thank you.

not good. just to double check you ran the keylogger sandboxed and notepad (or whatever test program you used) unsandboxed right? that means that martin's keylogger sandboxed was logging keystrokes in programs running outside the sandbox

excellent, this is a pass. as long as it passed all 3 keylogging tests in the aklt it's a pass.

thank you very much bob d. can i trouble you with one more round of tests? again they are nondestructive and are not malware.

 

zopzop, have you tried Geswall on some of the ubber nasty drive by exploit sites at all?

 

You're quite welcome
re: keylogger:

Correct, Notepad was not sandboxed. But log.txt file was saved within the sandbox.
I'm not really surprised here.
Keyloggers are quite benign unless they are allowed to send that info out. (Not to be redundant here, but..) Hence the rationale for outgoing protection...
Also, if you terminate the sandboxed program (before your logged key strokes are sent out), the log.txt file goes away.

And that would be...?

 

yes. back when i actually had a test machine to mess around with, i'd visit some really bad sites (what was on those sites i really can't mention here cause i'd be banned ).

the HIPS leak tests by the makers of SSM found here :
http://www.syssafety.com/leaktests.html

i forgot how to run these sandboxed. they are not regular windows programs where you just click or double click them to get them to run. you need to go to the command line to run them.

the simple process termination is a series of 16 tests that attempt to shut down a process. i found some programs that passed the DCS advanced process termination tests failed against one or two of these.

ditto with the simple keylogger test.

same testing method, run the HIPS leaktests sandboxed and make sure the targets of their fury are outside the sandbox

ooops before i forget. there is one more test by ghostsecurity, it attempts to modify the registry and checks to see if your HIPS or sandbox can prevent it. it consists of 2 tests. the second test forces a reboot upon completion. when i tested sandboxie 2.4 against it, it did indeed pass both tests. what i found annoying was that a sandboxed process could actually force a restart. i just wanted to see if the test can still force a restart if sandboxed in sandboxie 3.0. it's found here :

http://www.ghostsecurity.com/registrytest/

that's it. i won't pester you anymore

 

keylogger.exe gets flagged by PS.
Dbl click does nothing.
spt.exe does nothing.
Will have to play with these to figure out how to execute them.
Running (dbl click) of .exe yields nothing.

Ghost Security's tests: (All flagged by PS)
Regtest 1 fails (I think).
Registry modification was allowed. I don't know if modification was constrained to sandbox.
Will have to investigate.

Test 2:
Access was denied. No reboot was invoked.
However, it did make a mess. K-Meleon crashed, desktop got screwed up.
Reboot and all OK.

Yea, right

Cheers

 

is this the case on both pro and free version of geswall?

 

yup. the only differences between pro and free are the pro version gives you :

1) application wizard - so you can automatically create rules for applications you want to run isolated and have them function correctly

2) custom rules for apps - if you know what you are doing you can make your own rules for applications/resources/etc...

3) much larger safe application list - HUGE list of preconfigured apps

all in all. i still like the free version (even though i have the paid version). since you can still right click an application's icon and run it isolated.

 

Does Geswall help with the test below.

Lockup Test

FF with Noscript stops it.

 

PS?

you have to click on the start menu, select "run", then type "cmd". then type cd\xxxx where xxx is the directory where you downloaded and saved the HIPS leaktests. once you are in the directory type the name of the file and hit enter. text will scroll by telling you what the options are for the test and how to proceed. it helps if you download and save the file to someplace easy to remember like c:\temp (if you have a temp directory that is). the HIPS leaktests from the makers of system safety monitor are kind of difficult at first to get the hang of.

sandboxie easily passes this test. the registry changes that were allowed are all done virtually. as long as the test was run sandboxed, they aren't real again what is PS? prosecurity?

system still crashed? hmm this is what irked me last time too. i know that sandboxie passes both tests when it comes to altering the registry (which is the key function of the ghostsecurity tests), i just want to see if sandboxie ver3 stopped the reboot/crash.

i'm done i swear ;-) and thanks again for running these tests for us

 

If you want to try something really nasty, try this:

http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp

Its a threat simulator that pull of the whole spectrum of infections. From rootkit, to adware, spyware and so on. Its not destructive. Its just to show how easily you can get your system completly f*cked. Theres a cleaner supplied to get rid of it.

The intresting part of that thing is mainly to see how good the sandbox works. Because if you start that thing inside the sandbox, everything that gets installed through it should stay inside the sandbox. So all the adware windows should be sandboxed and so on. So technically if you "clean/reset" your sandbox that thing should be gone.

Tried it back in the day with Greenborder and Bufferzone. Greenborder "passed" as in everything stayed within the Sandbox. Reseting Greenborder and that thing was gone. Bufferzone (Version: 1.something) wasn't able to run the test, since it doesn't have "deep" enough virtualisation aka it doesn virtualise the ability to install kernel drivers.

 

A little o/t but i find the best free virtualization software is virtual pc.

 

Ditto and running on a 22 inch lcd screen!

 

Correct

 

Do I reed Geswall's website correctly in that it controls outbound internet access?