Sandboxing/HIPS

Discussion in 'other anti-malware software' started by btman, Apr 10, 2007.

Thread Status:
Not open for further replies.
  1. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    I'm not convinced yet these are the best way for 100% prevention of malware...

    Any comments on all 6 pages of this test of specifically DefenseWall (which is virtualization/HIPS or something of the sort... I'm not sure, lol), which might achieve the same results as other virtualization technologies.

    http://security.over-blog.com/0-categorie-566881.html
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    My comments are that the tests are 9 months old and Defensewall has improved quite a bit since then.

    And if you want to go back further, when those 200 or so variants of that zero-day attack hit in Jan 2006, DefenseWall protected better than any AV.

    IMHO DefenseWall will offer better protection than any blacklist scanner whilst using fewer resources, with the install being small compared to most AVs.
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, DefenseWall has been significantly improved against screen capturing, trusted process termination, keyboard/mouse input emulation, shatter attacks and keylogging. And its improvement never stops: bug fixes and compatibility are the first-queue targets.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Btman,

    I favour policy restriction sandboxes, because they are seamless, unlike file virtualisation sandboxes (you have to move downloaded files around so as NOT to delete them).

    At home we use two different applications

    Wife's PC: DefenseWall - it is simple, quiet (no pop-ups) and strong. Remember you have to check whether your chat, e-mail, browser, etc. applications are listed in the untrusted apps. You can also harden your defense by adding your uncompress program as untrusted (normal Windows zip is covered by default).

    Son's PC: GeSWall Pro - it has more configuration options, but asks what to do when one of the pre-defined programs is started; it has also proved to be very protective. You can configure the apps yourself or ask for a 'new application'. Response is quick (about 2 to 3 days).

    A free file virtualisation program you might try is PowerShadow; you can virtualize your OS partition and leave your data partition untouched. After reboot your OS partition is reset. When you need extra protection you just go into single shadow mode. Also a very effective program, without the downside of accidental removal of (downloaded) files from your data partition.

    Of course some like file virtualisation sandboxes, due to the fact that they clear all changes and files when a 'contained threat-gate session' is removed. SandboxIE is popular on this forum.

    Regards K
     
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I have used DefenseWall for a year. It has been updated and improved very often. The support has been great. I feel that it is the best protection for 0-day baddies. It is great because you can turn the protection on or off without rebooting.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, SandboxIE is popular. Not only for what is said above, but also because there aren't problems with some uncompress program not being supported (as in being run unsandboxed...).

    My uneducated hint is that policy-based ones are more problematic to develop, because all sorts of programs rise and evolve, and these have to be supported. It seems more tricky to keep up. SandboxIE should get them all as is. It intercepts everything coming from the isolated program, and redirects it to the sandbox, where the limited rights are enforced. It seems a more generalistic approach, and yes, I can clean everything from a session (CCleaner, wait a month or so, ok?).

    Ilya Rabinovich, I expect you to correct me or complete what I said. :D
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pedro,

    Ilya will probably correct you. DefenseWall does not need program-specific settings like GeSWall. Just mark it as untrusted, that is all.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ok, thanks. But you still have to mark programs as untrusted. With SandboxIE you just run whatever you want untrusted, and everything else that is derived from that is untrusted/isolated/sandboxed too. Or it should be, unless some bug arises.
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Same with DW.

    Same with DW.

    Right and wrong at the same time. There is not a big number of well-known threat-gate programs to write rules for, or to use a general-purpose ruleset for ("plugin injection protection", for example).

    1. Not to the sandbox, but to the virtualization container. Let's not mix sandboxing and virtualization.

    2. Yes, it is more generalistic in approach, and thus has its pros and cons.

    In fact, there is a balance between simplicity in everyday use and security strength. SBIE is balanced for (theoretically) more file system defense at the price of simplicity. DW is balanced for simplicity; thus, theoretically, it has fewer file system defense settings (at least for now; later on I'm going to improve this situation). But practically, under ITW malware, both sandboxes have the same defense value, plus/minus programming-level mistakes.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It's exactly the same with DefenseWall and GeSWall.
     
  11. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    100%?? I don't know if that exists.

    If you don't want anything to stick to your system I suggest Power Shadow in automated startup mode. It doesn't protect you during your session, you need your ordinary protection software for that, but after reboot Power Shadow has reset everything to what it was before. Haven't read that it's been broken yet. But it's impractical if you want to really save something. Even downloaded emails are gone - nothing sticks.

    Partly virtualized, like I believe Sandboxie does with IE, OE etc., I suppose means you have to know what you're doing to keep all gates like USB, CD etc. protected. How you save a downloaded file, I don't know how it works.

    I have chosen a - for me - practical way and try to protect my gates with DefenseWall. For me it's sort of a hybrid. Some malware can resend via email but not hurt your system. You can roll back the whole session's untrusted events or even further back. Your system is protected from untrusted activity. It's my zero-minute protection. I don't expect it to be 100%, but it's percent enough for me so far. Support is awesome.

    If you're a high-risk surfer I would go with Power Shadow, either autostart or manual start when needed - as a complement to ordinary security software - read the long PS thread. Impractical, but could be worth it. Seems PS virtualizes most security software without problems - all maybe? Haven't read the thread for a while.

    Best Regards
     
    Last edited: Apr 11, 2007
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I was referring to the browser calling for the PDF reader to read a document, IZarc to unzip a file, etc. Is it the same with DW? Does it intercept all that and isolate regardless of being known or not?
    (I'm sorry if I lack the proper words, or understanding :( )
    You're right, but I think I wasn't confusing. It is a sandbox, with file system virtualization, yes. Your words seem appropriate, but is it not still a sandbox?
    In fact, I would have a hard time explaining to a friend how to retrieve from the sandbox. Some would get it, some would uninstall.
    I still like GeSWall's and DW's concept, note: there's nothing to do. Just run it.
    But since using SandboxIE, I also think it's way simple. And in my head, it's more comfortable, since things are not where they were meant to be; they are all in one folder, where they can't do anything. My head, not fact.

    Thanks for the time to explain.
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I've never heard about pdf-based malware, so the "untrusted" state doesn't inherit for .pdf files: there is no sense in it, but you can always run it as untrusted. IZarc: yes, it is supported.


    Well, there are two ways to isolate potentially unwanted software from the rest of the system: sandboxing and virtualization. Virtualization creates a fake environment (in the case of the file system and registry, it redirects calls from real to fake records within the virtualization container). Sandboxing relies on a policy-based allow/deny ideology: forbidden actions are simply blocked. So, as you can see, the core of the sandbox HIPS ideology is the same, isolation, but the tools to achieve this aim are slightly different.

    One more time: from the virtualization container, not from the sandbox.
     
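As an added example, not code from this thread or from DefenseWall, GeSWall or Sandboxie: a small Python model of the two isolation approaches Ilya describes in the post above (a virtualization container that redirects untrusted writes copy-on-write into a shadow store, versus a policy sandbox that denies forbidden actions outright), with the untrusted label inherited by child processes as Pedro and Ilya discuss in posts 8 and 9, and Pedro's "retrieve from the sandbox" step from post 12. The protected-prefix list, the paths and the process names are assumptions made up for the demonstration; how the real products decide what is protected is not modelled.

```python
from typing import Optional

# Assumed policy for the policy-sandbox mode: locations an untrusted
# process may never modify (list made up for this example).
PROTECTED_PREFIXES = ("C:/Windows/", "C:/Program Files/", "HKLM/")


class Isolator:
    """mode="virtualize": untrusted writes are redirected copy-on-write into a
    container. mode="policy": untrusted writes to protected paths are denied,
    other writes reach the real system and the new file is tagged untrusted."""

    def __init__(self, mode: str) -> None:
        assert mode in ("virtualize", "policy")
        self.mode = mode
        self.real: dict[str, bytes] = {}        # real file system / registry
        self.shadow: dict[str, bytes] = {}      # the container (virtualize mode)
        self.untrusted_files: set[str] = set()  # files created by untrusted code
        self.names: dict[int, str] = {}         # pid -> process name
        self.untrusted: set[int] = set()        # pids carrying the untrusted label
        self.denied: list[str] = []             # audit trail of blocked actions
        self._next_pid = 1

    def spawn(self, name: str, parent: Optional[int] = None,
              untrusted: bool = False, image: Optional[str] = None) -> int:
        """The untrusted label is inherited from the parent, and a file tagged
        untrusted starts untrusted even when a trusted parent executes it."""
        pid, self._next_pid = self._next_pid, self._next_pid + 1
        self.names[pid] = name
        if untrusted or parent in self.untrusted or image in self.untrusted_files:
            self.untrusted.add(pid)
        return pid

    def write(self, pid: int, path: str, data: bytes) -> bool:
        if pid not in self.untrusted:
            self.real[path] = data
            return True
        if self.mode == "virtualize":
            self.shadow[path] = data            # redirected; real copy untouched
            return True
        if path.startswith(PROTECTED_PREFIXES):
            self.denied.append(f"{self.names[pid]}: write {path}")
            return False                        # forbidden action simply blocked
        self.real[path] = data
        self.untrusted_files.add(path)
        return True

    def read(self, pid: int, path: str) -> Optional[bytes]:
        """An untrusted process in a container sees the container layered over
        the real system; everyone else sees only the real system."""
        if self.mode == "virtualize" and pid in self.untrusted and path in self.shadow:
            return self.shadow[path]
        return self.real.get(path)

    def recover(self, path: str) -> bool:
        """User moves a file out of the container onto the real system; the copy
        loses its isolation, which is why this is a manual step."""
        if path not in self.shadow:
            return False
        self.real[path] = self.shadow.pop(path)
        return True

    def clear_container(self) -> int:
        """Discard everything the session left behind; returns the entry count."""
        n = len(self.shadow)
        self.shadow.clear()
        return n


def scenario(mode: str) -> dict:
    """Untrusted browser launches a PDF reader (inherits the label, tries to
    plant a DLL in System32) and downloads an installer that the user then
    runs from the trusted shell. Returns what each side ended up with."""
    iso = Isolator(mode)
    iso.real["C:/Windows/System32/kernel32.dll"] = b"original"
    dll = "C:/Windows/System32/evil.dll"
    download = "C:/Users/me/Downloads/setup.exe"

    shell = iso.spawn("explorer.exe")                          # trusted
    browser = iso.spawn("firefox.exe", shell, untrusted=True)  # threat gate
    reader = iso.spawn("pdfreader.exe", browser)               # inherits label
    drop_allowed = iso.write(reader, dll, b"payload")
    iso.write(browser, download, b"installer")

    shell_sees_download = iso.read(shell, download) is not None
    if not shell_sees_download:        # container mode: must recover it first
        iso.recover(download)
    installer = iso.spawn("setup.exe", shell, image=download)

    return {
        "reader_untrusted": reader in iso.untrusted,
        "drop_allowed": drop_allowed,
        "dll_on_real_system": dll in iso.real,
        "dll_visible_to_dropper": iso.read(reader, dll) is not None,
        "download_seen_by_shell": shell_sees_download,
        "installer_untrusted": installer in iso.untrusted,
        "denied": list(iso.denied),
        "container_entries_cleared": iso.clear_container(),
    }
```

Running `scenario("virtualize")` and `scenario("policy")` shows the trade-off the thread circles around: in container mode the DLL drop "succeeds" from the dropper's point of view but never reaches the real System32, the download is invisible to the trusted shell until the user recovers it, and the recovered installer then runs with no isolation at all; in policy mode the drop is denied and logged, the download lands straight in the user's folder (the seamless behaviour Kees prefers), and because the file is tagged untrusted the installer inherits the label when run later. In both modes the PDF reader inherits the label simply because its parent had it.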
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It's not that PDF has security issues or not; I was providing examples of programs being used while browsing.
    You did give an example of one program that won't run isolated. That's the whole point I'm making: it's not only your design (of course, and a good one), but it's also your choice of policy. Not everything is isolated. With SandboxIE it is.
    So it's a sandbox. Sandbox..... IE. Another method.
    Gentle Security even states that GeSWall is not a sandbox, so you see I think there is no consensus. I agree on your terminology, but SandboxIE is a sandbox, a sandbox with file system virtualization, while DW is a policy-based sandbox.
    No? :D
    Sorry, it says here sandbox. Explore sandbox contents, delete sandbox contents... If I am to explain how to use SandboxIE, and I say "the virtualization container", I lose my audience.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I'm just not so paranoid. Have you ever seen or heard about .txt malware?


    Yes, that is correct.

    Virtualization container.
     
    Last edited: Apr 12, 2007
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Take the average mom and pop computer user and they probably would understand Sandbox. Virtualization container would almost certainly get you a blank stare.

    Pedro is absolutely right, you have to speak in terms your audience understands, not in techno babble.
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, you are right, but I can't, as I'm a technician. Can't think any other way.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    No, lol.
    But you are obligated to know all programs that must be isolated, and insert that into DW's code, or am I still picturing it wrong?
    I do understand what you're saying, you isolate the ones that are vulnerable.
    lol
    Good sense of humour:D
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Sometimes you have to take off the technicians hat, and wear a sales hat.:D
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Potentially vulnerable or threat-gate applications.
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I know that. That is why I've cooked DefenseWall the way I don't need to explain what virtualization container is!
     
    Last edited: Apr 13, 2007
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: I realize that DefenseWall is an excellent sandbox/virtualization app, but it still requires the user's hands-on approach to decide which are trusted or untrusted. Is there any possibility that any given average user may have lapsed in his/her judgement and triggered the unthinkable? If so, DW somehow requires the user to possess some degree of computer know-how; in other words, it is not a tool for PC idiots like me. Am I right here? I currently use DeepFreeze Standard. It has only three options, yes, three only, no more. One is for clone, the second is for freeze mode, the last one is for the thawed state. No mistakes can possibly be made. Simple, straightforward, and secure. IMO, it is the toy for everyday idiots, counting me. Just my loonie sense for the day.
     
  23. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    I think the use of a system snapshot program like DeepFreeze does not have the same objective as using a sandbox/HIPS program like DW. For example, beta 2 of DW can stop the DirectInput-based keylogger test, while even with a frozen snapshot the user is still vulnerable to it. A system snapshot program by itself is mainly for "cleaning up" after allowing everything.

     
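As an added example, not code from PowerShadow, DeepFreeze or any other product named in this thread: a Python model of the frozen-partition approach Kees, Rivalen and Perman describe, and of lu_chin's point about what it does not cover. The OS partition gets a block-level copy-on-write overlay that is discarded at reboot, the data partition is left unshadowed, a thawed state writes straight through, and a keylogger that posts its capture during the session is gone after reboot while the captured data has already left the machine. Sector numbers, sector contents and the two-partition layout are assumptions made up for the demonstration.

```python
from typing import Optional


class Partition:
    """Sector-addressed volume; when frozen, writes land in an overlay and
    the base sectors are never touched."""

    def __init__(self, label: str, frozen: bool) -> None:
        self.label = label
        self.frozen = frozen
        self.base: dict[int, bytes] = {}     # what is really on the platter
        self.overlay: dict[int, bytes] = {}  # shadowed writes (frozen mode only)

    def write(self, sector: int, data: bytes) -> None:
        if self.frozen:
            self.overlay[sector] = data      # copy-on-write; base untouched
        else:
            self.base[sector] = data         # thawed: write straight through

    def read(self, sector: int) -> Optional[bytes]:
        if self.frozen and sector in self.overlay:
            return self.overlay[sector]      # the session sees its own changes
        return self.base.get(sector)

    def reboot(self) -> int:
        """Power cycle: drop the overlay and report how many sectors were reset."""
        n = len(self.overlay)
        self.overlay.clear()
        return n


def frozen_session() -> dict:
    """One session on a frozen C: with an unfrozen D: data partition. A
    keylogger lands on C:, hooks a system sector, and posts what it captured
    before the user reboots. Returns what survived the reboot and what did not."""
    c = Partition("C:", frozen=True)
    d = Partition("D:", frozen=False)
    c.base.update({0: b"bootsector", 1: b"ntoskrnl"})   # constructed baseline
    d.base[0] = b"thesis.doc v1"
    wire: list[bytes] = []                   # bytes that left the machine

    c.write(7, b"keylogger.exe")             # dropper writes its binary
    c.write(1, b"ntoskrnl+hook")             # and hooks the kernel image
    wire.append(b"bankpassword")             # captured and sent this session
    d.write(0, b"thesis.doc v2")             # user's own save on the data partition

    during = {"keylogger": c.read(7), "kernel": c.read(1), "thesis": d.read(0)}
    reset = c.reboot() + d.reboot()
    after = {"keylogger": c.read(7), "kernel": c.read(1), "thesis": d.read(0)}
    return {"during": during, "after": after,
            "sectors_reset": reset, "exfiltrated": wire}


def thawed_update() -> Optional[bytes]:
    """Thawed state: an intended change (a patch) is written through and
    survives the reboot, which is how updates get onto a frozen machine."""
    c = Partition("C:", frozen=False)
    c.base[1] = b"ntoskrnl"
    c.write(1, b"ntoskrnl-patched")
    c.reboot()
    return c.read(1)
```

During the session the keylogger and the hooked kernel image are fully present and working, which is why lu_chin says a frozen snapshot alone leaves the user exposed to a keylogger; after the reboot C: is back to its baseline (two sectors discarded) and the thesis saved on D: is kept, but the captured password is already on the wire and no reset brings it back. The thawed case is the flip side Perman's three-option description implies: with the freeze off, nothing is shadowed and any write, wanted or not, sticks.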
  24. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: I appreciate your point. But the most important thing is that at the end of any given day, my system is NOT compromised, no matter how nasty these malwares/threats may be. My system is still as pure as a white sheet. The snapshot theory of DF is not only for "cleaning up" but also for "ensuring the purity of the system". One quick question: What would happen if DW can only stop 99 of 100 keyloggers thrown at it? Would that only one undetected spoil the whole basket? Just my curiosity.
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Mistakes are always possible...
     