Sandboxie vs Geswall vs Bufferzone

Discussion in 'sandboxing & virtualization' started by Drew99GT, Jul 25, 2007.

Thread Status:
Not open for further replies.
  1. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    I haven't used virtualization software and am interested in trying it.

    Tell me about these 3 programs; which is the best in your opinion/offers the most security? How hard are they to use?

I did see in Gizmo's test that Geswall totally failed.
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
Well, from experience (I've tried all three) Geswall gives you the best bang for the buck: program termination protection, keyloggers, and various nasty disk-killing viruses and malware. I haven't yet tried Sandboxie 3.0 (the last version I tried was 2.4 or something) or Bufferzone 2.5 beta (the last version I tried was 2.1xx and didn't like it), so I don't know what's changed since I last tried them. Geswall is also relatively bug free; the only major bug that comes to mind was the "explorer isolation" bug (but I personally never experienced it) and I think that's been addressed.
     
  3. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    I cannot comment on Geswall due to my inexperience with it.
    However, I have become quite enamored with SandboxIE.
    Efficacy (if using Gizmo's findings as a benchmark) is among the best.
    I find it easy to use/intuitive.
    System impact is minimal.
    Tzuk (the developer) is very active in its continued evolution.
    I was sufficiently enamored that I sent him my $.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Hello Bob D, are you using version 3 of Sandboxie? If so, can you do me a favor?

    Can you (or any other user of Sandboxie 3.0 reading this thread) run these 3 tests? They are non-destructive (i.e. they are not viruses or malware) and should only take a few seconds to run.

    1) The Advanced Process Termination test by DCS:
    http://www.diamondcs.com.au/freeutilities/apt.php

    Run this program sandboxed and select a non-sandboxed program (like Calculator or Notepad) and see if any of the tests can terminate the non-sandboxed program.

    2) Martin's undetectable keylogger test (this is NOT malware):

    http://www.winsite.com/bin/Info?26000000037599

    Run this program sandboxed and open up a non-sandboxed Notepad and type some gibberish in it. See if any keys are logged.

    3) http://www.firewallleaktester.com/aklt.htm

    Again, run this program sandboxed and then open up a non-sandboxed version of Notepad and type gibberish there again. See if any keys are logged.
     
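The first test above (a sandboxed program trying to kill a process that lives outside the sandbox) can be reproduced without the DiamondCS tool. The script below is an added example written for this thread; it is not the APT utility and not code from any of the sandboxes discussed. It assumes nothing beyond the Python standard library: on Windows it uses OpenProcess/TerminateProcess and taskkill.exe through ctypes and subprocess, on POSIX it uses signals. Run it inside the sandbox, passing the PID of an unsandboxed Notepad; "PASS" means every attempt was blocked, "FAIL" means the sandboxed process killed something outside the sandbox. Run with no PID and it self-tests against a throwaway child of its own, which outside any sandbox must report FAIL (the kill is supposed to work).

```python
"""Process-termination isolation check (added example, not the DCS APT tool).

Run INSIDE the sandbox with the PID of a process started OUTSIDE it. The
sandbox passes only if none of the methods can kill that process. With no
argument the script self-tests against its own child (expect FAIL unsandboxed).
"""
import os
import subprocess
import sys
import time

if os.name == "nt":
    import ctypes
    import ctypes.wintypes as wt

    PROCESS_TERMINATE = 0x0001
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    STILL_ACTIVE = 259
    _k32 = ctypes.windll.kernel32
    _k32.OpenProcess.restype = wt.HANDLE
    _k32.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]
    _k32.CloseHandle.argtypes = [wt.HANDLE]
    _k32.TerminateProcess.argtypes = [wt.HANDLE, wt.UINT]
    _k32.GetExitCodeProcess.argtypes = [wt.HANDLE, ctypes.POINTER(wt.DWORD)]

    def is_alive(pid):
        h = _k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not h:
            return False  # cannot even open it: treat as gone
        code = wt.DWORD()
        ok = _k32.GetExitCodeProcess(h, ctypes.byref(code))
        _k32.CloseHandle(h)
        return bool(ok) and code.value == STILL_ACTIVE

    def _terminate_process(pid):
        # Direct API route: OpenProcess(PROCESS_TERMINATE) + TerminateProcess.
        h = _k32.OpenProcess(PROCESS_TERMINATE, False, pid)
        if not h:
            return False
        ok = _k32.TerminateProcess(h, 1)
        _k32.CloseHandle(h)
        return bool(ok)

    def _taskkill(pid):
        # Indirect route: a child taskkill.exe (itself sandboxed) does the killing.
        return subprocess.call(["taskkill", "/F", "/PID", str(pid)],
                               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) == 0

    METHODS = {"TerminateProcess": _terminate_process, "taskkill": _taskkill}
else:
    import signal

    def is_alive(pid):
        try:
            os.kill(pid, 0)  # signal 0: existence/permission check only
        except ProcessLookupError:
            return False
        except PermissionError:
            return True  # exists, but we are not allowed to signal it
        return True

    def _send(signo):
        def attempt(pid):
            try:
                os.kill(pid, signo)
                return True
            except (ProcessLookupError, PermissionError):
                return False
        return attempt

    METHODS = {"SIGTERM": _send(signal.SIGTERM), "SIGKILL": _send(signal.SIGKILL)}


def run_termination_test(pid, methods=None, settle=0.5, reap=None):
    """Try each method against `pid`, stopping once the target is dead.

    Returns (verdict, results). verdict is "PASS" when every attempt was
    blocked and "FAIL" when any attempt killed the target. `reap` is only
    needed when `pid` is our own child, so it does not linger as a zombie.
    """
    results = {}
    for name, attempt in (methods or METHODS).items():
        if not is_alive(pid):
            results[name] = "not tried (target already dead)"
            continue
        attempt(pid)
        time.sleep(settle)          # give the kill time to take effect
        if reap:
            reap()
        results[name] = "killed" if not is_alive(pid) else "blocked"
    verdict = "FAIL" if "killed" in results.values() else "PASS"
    return verdict, results


def self_test():
    """Spawn a throwaway child and run the harness against it."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    try:
        return run_termination_test(child.pid, reap=child.poll)
    finally:
        if child.poll() is None:
            child.kill()
            child.wait()


if __name__ == "__main__":
    verdict, results = (run_termination_test(int(sys.argv[1])) if len(sys.argv) > 1
                        else self_test())
    for name, outcome in results.items():
        print(f"{name:18s} {outcome}")
    print("sandbox verdict:", verdict)
```

The ordering matters: once one method kills the target the rest cannot be exercised, so a single "killed" is already a sandbox failure and the remaining entries are marked as not tried. The self-test deliberately has no sandbox in the way, so it only proves the harness itself works; the real verdict comes from running it sandboxed against an outside PID.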
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Don't forget DefenseWall ;)
     
  6. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    I'm looking at freeware only. I know Defensewall is about the best security program you can get!
     
  7. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Hi zopzop

    Ver. 3
    Will run tests shortly when I get some play time.
     
  8. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Notes:
    My AV (VBA32) flagged apt, keylog files. So I had to disable monitor.
    Of course my HIPS (PS) alerted to everything (had to select "allow" for all).

    1)apt: I could not kill running instance of notepad.

    2)keylogger test: Keystrokes were logged.
    (log.txt file was saved automatically within the sandbox).

    3)aklt: No keystrokes logged.
    Screenshot does take a screenie of desktop.
    (Paint program with screen shot is of course running sandboxed).
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    so does this mean it passed or failed. Sorry, ignorant joe here.:rolleyes:
     
  10. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    What about Gizmo's findings in his test where Geswall totally failed? What do you guys have to say about that?
     
  11. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    That depends what you are looking for. We'll have to wait for zopzop's comments.
    Bear in mind that by design SandboxIE keeps just about anything from getting on your system.
    I love the idea of surfing the dark side (if one is so inclined) with virtual impunity.
    It does not do as well preventing stuff from leaving your system.
    Hence the rationale for outgoing protection, be it a FW w/ good outbound protection or a substantial HIPs proggie.
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    All I can say is he needs to redo those tests. Geswall has passed everything I (and some others) have thrown at it, and when holes were found they were quickly addressed by GentleSecurity. So the less said about Gizmo and his tests the better.

    Excellent result! Thank you.

    Not good. Just to double check: you ran the keylogger sandboxed and Notepad (or whatever test program you used) unsandboxed, right? That means that Martin's keylogger, sandboxed, was logging keystrokes in programs running outside the sandbox :(

    Excellent, this is a pass. As long as it passed all 3 keylogging tests in the AKLT it's a pass.

    Thank you very much Bob D. Can I trouble you with one more round of tests? Again they are non-destructive and are not malware. :D
     
  13. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    zopzop, have you tried Geswall on some of the uber nasty drive-by exploit sites at all?
     
  14. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    You're quite welcome
    re: keylogger:
    Correct, Notepad was not sandboxed. But log.txt file was saved within the sandbox.
    I'm not really surprised here.
    Keyloggers are quite benign unless they are allowed to send that info out. (Not to be redundant here, but..) Hence the rationale for outgoing protection...
    Also, if you terminate the sandboxed program (before your logged key strokes are sent out), the log.txt file goes away.
    And that would be...?
     
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Yes. Back when I actually had a test machine to mess around with, I'd visit some really bad sites (what was on those sites I really can't mention here because I'd be banned :D ).

    The HIPS leak tests by the makers of SSM, found here:
    http://www.syssafety.com/leaktests.html

    I forgot how to run these sandboxed. They are not regular Windows programs where you just click or double click them to get them to run; you need to go to the command line to run them.

    The simple process termination test is a series of 16 tests that attempt to shut down a process. I found some programs that passed the DCS Advanced Process Termination tests failed against one or two of these.

    Ditto with the simple keylogger test.

    Same testing method: run the HIPS leaktests sandboxed and make sure the targets of their fury are outside the sandbox :D

    Oops, before I forget, there is one more test by Ghost Security. It attempts to modify the registry and checks to see if your HIPS or sandbox can prevent it. It consists of 2 tests; the second test forces a reboot upon completion. When I tested Sandboxie 2.4 against it, it did indeed pass both tests. What I found annoying was that a sandboxed process could actually force a restart. I just wanted to see if the test can still force a restart if sandboxed in Sandboxie 3.0. It's found here:

    http://www.ghostsecurity.com/registrytest/

    That's it. I won't pester you anymore :D
     
  16. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    keylogger.exe gets flagged by PS.
    Dbl click does nothing.
    spt.exe does nothing.
    Will have to play with these to figure out how to execute them.
    Running (dbl click) of .exe yields nothing.

    Ghost Security's tests: (All flagged by PS)
    Regtest 1 fails (I think).
    Registry modification was allowed. I don't know if modification was constrained to sandbox.
    Will have to investigate.

    Test 2:
    Access was denied. No reboot was invoked.
    However, it did make a mess. K-Meleon crashed, desktop got screwed up.
    Reboot and all OK.

    Yea, right :)

    Cheers
     
  17. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    is this the case on both pro and free version of geswall?
     
  18. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    yup. the only differences between pro and free are the pro version gives you :

    1) application wizard - so you can automatically create rules for applications you want to run isolated and have them function correctly

    2) custom rules for apps - if you know what you are doing you can make your own rules for applications/resources/etc...

    3) much larger safe application list - HUGE list of preconfigured apps

    all in all. i still like the free version (even though i have the paid version). since you can still right click an application's icon and run it isolated.
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Does Geswall help with the test below?

    Lockup Test

    FF with Noscript stops it.
     
  20. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    PS?

    You have to click on the Start menu, select "Run", then type "cmd". Then type cd\xxxx where xxxx is the directory where you downloaded and saved the HIPS leaktests. Once you are in the directory, type the name of the file and hit Enter. Text will scroll by telling you what the options are for the test and how to proceed. It helps if you download and save the file to someplace easy to remember like c:\temp (if you have a temp directory, that is). The HIPS leaktests from the makers of System Safety Monitor are kind of difficult at first to get the hang of.

    Sandboxie easily passes this test. The registry changes that were allowed are all done virtually; as long as the test was run sandboxed, they aren't real :) Again, what is PS? ProSecurity?

    System still crashed? Hmm, this is what irked me last time too. I know that Sandboxie passes both tests when it comes to altering the registry (which is the key function of the Ghost Security tests); I just want to see if Sandboxie ver3 stopped the reboot/crash.


    I'm done, I swear ;-) And thanks again for running these tests for us :)
     
  21. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    If you want to try something really nasty, try this:

    http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp

    It's a threat simulator that pulls off the whole spectrum of infections, from rootkit to adware, spyware and so on. It's not destructive; it's just to show how easily you can get your system completely f*cked. There's a cleaner supplied to get rid of it.

    The interesting part of that thing is mainly to see how well the sandbox works. Because if you start that thing inside the sandbox, everything that gets installed through it should stay inside the sandbox. So all the adware windows should be sandboxed and so on. So technically, if you "clean/reset" your sandbox, that thing should be gone.

    Tried it back in the day with GreenBorder and Bufferzone. GreenBorder "passed" as in everything stayed within the sandbox; resetting GreenBorder and that thing was gone. Bufferzone (version 1.something) wasn't able to run the test, since it doesn't have "deep" enough virtualisation, i.e. it doesn't virtualise the ability to install kernel drivers.
     
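Both zopzop's claim that the allowed registry changes "aren't real" when the test is run sandboxed and wir.sing's expectation that everything the threat simulator installs disappears when the sandbox is reset come down to one measurable property: writes made from inside the sandbox must not be visible on the real system. The script below is an added example written for this thread, not part of any of the tools discussed; it plants marker files (and, on Windows, a value under HKCU at a made-up key name, `Software\SandboxMarkerTest`) from inside the sandbox, and a second run from outside the sandbox, and again after emptying the sandbox, reports which markers reached the real disk or registry. It uses only the Python standard library; the directories it probes are my choice of typical dropper locations, not a list from the thread.

```python
"""Persistence-isolation check (added example; not the DFK simulator's code).

Run `plant` INSIDE the sandbox: it drops a marker file in places a dropper
would write to (and on Windows a value under HKCU) and prints a random token.
Then run `check <token>` OUTSIDE the sandbox, and again after resetting it.
Any marker visible from outside escaped the sandbox.
"""
import os
import secrets
import sys
import tempfile

MARKER_NAME = "sandbox_marker.txt"
REG_SUBKEY = r"Software\SandboxMarkerTest"   # hypothetical key name for this test


def new_token():
    return secrets.token_hex(8)


def candidate_dirs():
    """Directories worth probing; the first entry is always the temp directory."""
    dirs = [tempfile.gettempdir(), os.path.expanduser("~")]
    if os.name == "nt":
        for var in ("APPDATA", "LOCALAPPDATA", "ProgramData"):
            if os.environ.get(var):
                dirs.append(os.environ[var])
    return dirs


def marker_path(directory):
    return os.path.join(directory, MARKER_NAME)


def plant(dirs, token):
    """Write the marker in each dir; returns {path: True if written, else False}."""
    planted = {}
    for d in dirs:
        path = marker_path(d)
        try:
            with open(path, "w") as f:
                f.write(token)
            planted[path] = True
        except OSError:
            planted[path] = False
    return planted


def check(dirs, token):
    """Returns {path: True} only where a marker carrying this exact token exists."""
    found = {}
    for d in dirs:
        path = marker_path(d)
        try:
            with open(path) as f:
                found[path] = f.read().strip() == token
        except OSError:
            found[path] = False
    return found


def remove(dirs):
    """Delete the markers again (inside the sandbox, or outside after a leak)."""
    for d in dirs:
        try:
            os.remove(marker_path(d))
        except OSError:
            pass


def leaked(found):
    """Paths whose marker is visible; an empty list means nothing escaped."""
    return [p for p, ok in found.items() if ok]


def plant_registry(token):
    """Windows only: write the token under HKCU. Returns True if written."""
    if os.name != "nt":
        return False
    import winreg
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER, REG_SUBKEY) as key:
        winreg.SetValueEx(key, "token", 0, winreg.REG_SZ, token)
    return True


def check_registry(token):
    """Windows only: True if the HKCU value is visible with this exact token."""
    if os.name != "nt":
        return False
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_SUBKEY) as key:
            value, _ = winreg.QueryValueEx(key, "token")
        return value == token
    except OSError:
        return False


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "plant":
        token = new_token()
        print("token:", token)
        print("files:", plant(candidate_dirs(), token))
        print("registry:", plant_registry(token))
    elif len(sys.argv) > 2 and sys.argv[1] == "check":
        found = check(candidate_dirs(), sys.argv[2])
        print("visible markers:", leaked(found) or "none")
        print("registry value visible:", check_registry(sys.argv[2]))
    else:
        print("usage: plant | check <token>")
```

The random token is what makes the check meaningful: a marker file with the right name but a different token is a leftover from an earlier run, not evidence of a leak, so `check` only counts exact matches. Run `check` three times: from inside the sandbox (markers must be visible, or the test itself is broken), from outside before a reset (a visible marker is a real escape), and from outside after emptying the sandbox (a marker that survives the reset is the failure wir.sing describes).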
  22. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    A little o/t but i find the best free virtualization software is virtual pc.
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ditto and running on a 22 inch lcd screen!;)
    VPC.JPG
     
  24. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Correct
     
  25. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    Do I read Geswall's website correctly in that it controls outbound internet access?
     