Some unique HIPS features

Discussion in 'other anti-malware software' started by aigle, Jul 5, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, I understand

    But Aigle tested this in his confidential folder, to which untrusted programs are not allowed to write. That is why I asked Aigle to test again, because
    a) Confidential implies extra policy containment
    b) You have to explicitly specify such a folder (in both GW and DW)

    So your comment was valid when this should be the case
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Na, your Avira detects, if I am not mistaken, Sandboxie contains it, correct? And Returnil washes away anyway. I would think no need for paranoia.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    No, the confidential folder was just a part of other folders that contained text files. GW stops its damage to ANY file or folder on your HD. It allows read to all files and folders but denies encryption/modification by malware. In the confidential folder it even denies READ also.
     
  4. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I believe this is the same as Defensewall. An untrusted application cannot change any file (with a few exceptions as pointed out by Ilya). If files/folders are in the Secured List, they cannot even be read.

    I only use Sandboxie for browsing. If malware comes through e-mail or other route, I am only protected by Avira. Don't use Returnil much apart from testing.

    I really want to include Defensewall as part of my setup so that all internet facing apps are protected and anything recovered from the sandbox becomes untrusted. Big problem I have is that Sandboxie will not run correctly when I have OA and DW installed together. I'm thinking that changing my firewall is the only option.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I would not suggest combining SBIE and DW. Use one of them.
     
  6. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I have used these two together before and I like the setup. Sandboxie for browsing only, with all other internet facing apps covered by Defensewall. The sandbox folder added as untrusted in Defensewall ensures that anything recovered from the sandbox becomes untrusted in Defensewall.
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    On the contrary: untrusted may change all files but the ones included in the built-in extension protection section group (.exe, .jpg, .txt, .doc, .rtf and so on).
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    aigle, I use both with no problems and feel extra secure. :thumb:
     
  9. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks Ilya, I didn't realise that.

    Aigle
    Is this the same with Geswall or are ALL files protected from modification by an isolated application?
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    If I remember correctly you can also check emails sandboxed to be sure they're safe and save the ones you want or recover, rather than solely rely on AV email scanners. Example: what if Avira detects nothing with an infected email you open? In the meantime you check them outside the box with no Returnil on or session lock. You would be infected without knowledge, without the chance of Sandboxie containing it or Returnil rectifying the changes. Please correct me if I am wrongly thinking here.
     
  11. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I have never used Outlook Express sandboxed. Sandboxie is great for browsing but I think it's inconvenient to keep having to recover mail from a sandbox. 99% of e-mails I want to keep. The setup I use also needs to be wife and teenager-friendly. If I ask them to recover e-mails from the sandbox, I think I may get an old-fashioned look.

    Back on-topic, I have now installed DW 2.44 and will check it against GPcode just to satisfy myself that it protects and to see if it misses any particular file types.
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I see, very understandable, and congrats on DW. Good choice indeed. Best of luck :thumb:
     
  13. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Can confirm that DW protects against GPcode out-of-the-box with no special settings.

    GPcode attempted to delete .jpg, .dwg, .txt and .doc files without success. Original files were retained alongside a new encrypted version. The only files not protected by DW were .bak files and these were deleted by GPcode.
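    As an added illustration of the extension-based policy the thread describes (not DefenseWall's own code or lists): untrusted processes may read everything, may not modify files whose extension is in a protected group, and may not even read files inside a secured folder. The extension set, the secured folder and the sample file list are constructed assumptions; the point of `unprotected_files` is to surface gaps like the .bak files hammerman saw deleted.

    ```python
    from pathlib import PureWindowsPath

    # Assumed protected-extension group (the thread lists .exe, .jpg, .txt, .doc,
    # .rtf "and so on"; .dwg is added because hammerman's test covered it).
    PROTECTED_EXT = {".exe", ".jpg", ".txt", ".doc", ".rtf", ".dwg"}
    # Assumed "secured list" / confidential folder: no read and no write for untrusted.
    SECURED_DIRS = [PureWindowsPath("C:/Users/me/Confidential")]

    def is_secured(path: str) -> bool:
        """True if path is inside (or is) one of the secured folders."""
        p = PureWindowsPath(path)
        return any(d == p or d in p.parents for d in SECURED_DIRS)

    def decide(op: str, path: str, trusted: bool = False) -> str:
        """Return 'allow' or 'deny' for op in {'read', 'write', 'delete'}."""
        if trusted:
            return "allow"            # trusted processes are not restricted
        if is_secured(path):
            return "deny"             # secured list: even reads are refused
        if op == "read":
            return "allow"            # untrusted may read anything else
        # Compare the extension case-insensitively so PHOTO.JPG is still covered.
        ext = PureWindowsPath(path).suffix.lower()
        return "deny" if ext in PROTECTED_EXT else "allow"

    def unprotected_files(paths):
        """Files an untrusted process could still delete or overwrite under this
        policy: the gap an extension allowlist leaves for types not on the list."""
        return [p for p in paths if decide("delete", p) == "allow"]

    # Constructed sample of files a malicious untrusted process might target.
    SAMPLE = [
        "D:/data/report.doc",
        "D:/data/photo.JPG",
        "D:/data/report.bak",
        "D:/data/drawing.dwg",
        "C:/Users/me/Confidential/keys.txt",
    ]

    if __name__ == "__main__":
        for f in SAMPLE:
            print(f, "read:", decide("read", f), "delete:", decide("delete", f))
        print("still exposed:", unprotected_files(SAMPLE))
    ```

    Running it shows the .bak file as the only entry in the exposed list; auditing your own data folders this way tells you which extensions to add to the protected group.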
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Hammerman

    Don't know about Outlook Express, but the way I have Outlook set up, I don't have to retrieve email out of the sandbox. Outlook stores everything in PST files and I leave them outside the sandbox. So if an email contains something evil it is in the PST and harmless. But if it does something while open, that action is sandboxed.

    Pete
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can already do this (protect against GPcode) with CFP 3. Add those folders that contain your personal data to the protected files/folders list.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I am not sure but I think it protects all files by default.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I have no special folders for that. My data is scattered all over my three non-OS partitions.
     
  18. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks for the tip Pete, I have done the same as you by sandboxing Outlook Express. I decided to use registered version to contribute to a fine program and to use the Forced Programs feature to ensure browser and OE start sandboxed.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    AHHH, another valued member opposing this strange idea that double is better, thanks Aigle :thumb: :thumb: :thumb:
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,781
    Location:
    U.S.A. (South)
    With keeping OT, I will suggest some "unique" features that I personally feel "ALL" HIPS should implement without delay or question, and I think I mentioned a few before, but for the subject's sake and comparison from other users of this type of security protection, it might be worthy of some comments of their own.

    It should be, and cannot be denied in usefulness, if all HIPS made provision for auto-restarting any running processes that might suddenly and/or without notice either be forcefully terminated or crashed, as sometimes can be the case with Windows. Users shouldn't have to go on a hunt to add this additional prevention to their security programs IMHO. They should have already been implemented, and in at least one instance I'm aware of, System Safety Monitor was the first (correct me if in error) to offer this useful feature in its first HIPS version.

    Sorry, but I dunno about Prevx or Comodo or others, because I tend to concentrate on a choice few or couple of HIPS when determining needs.

    MD5 checksums are implemented in some HIPS. How dependable are they really? Windows is much too vast for a single researcher to examine this Redwood Forest of so many aspects of the Windows operating system, so I would be all eyes in reading others' opinions on this, but it would appear another useful aspect of verifying the content and integrity of files without relying on connecting to Microsoft's database through an internet connection to assure a perfect match. Although I am not against this practice, it's more favorable in my experience to operate from a local database instead. Just a personal preference, that's all.

    There's been much debate over Behavioral Blockers/HIPS that rely on checking an online database automatically. There's probably as many in favor as opposed to this approach because, if I read things right, not even AVs/ASs go to this extreme, but again some may; I could be missing those that actually do.

    I must attest with my sincerest testimony however that with the introduction of HIPS, I've personally and in research realized a positive net increase in security and much less drive-by hijacking compared to when all that was depended on was an AV. I know they're not perfect, and they are vital in so many ways as well as having stepped up their own research and improvements with heuristics and the like, and with that they can confidently make a positive case when matched up to a classical HIPS, so there's no tipping of the scale in either's favor on effort.

    Lastly, I would like to see HIPS expand deeper (where possible for stability) and set up UNMOVEABLE hooks in both the SSDT table and the Shadow SSDT as well. SSM fills up that first table when observed via deep explorer tools, but the key IMO is to prevent being unseated by any table unhooker (if possible).

    Tall order? I think not, but then I don't clock into their labs every day like they do and go over notes and reports.

    So, whatta ya think?

    EASTER
     
  21. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I've been reading this and some of the other threads and am wondering about HIPS with other security software.
    For example, if I buy Defensewall or Geswall for my new pc do I still need to run a firewall?
    Or a full time AV?
    Same question for on demand anti malware/spyware.
    HIPS seem to have come a long way over the past few years. But they have a long way to go too.
    Am I missing the point with these HIPS?
    Just curious.
    Thanks.
    Hugger
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,781
    Location:
    U.S.A. (South)
    No, you're right on target. HIPS, as extremely formidable as they are at present, need improvements to cover not just what I suggested, but they have the wherewithal to advance even more in the way of near total security, and they're not quite at that level just yet.
     
  23. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I don't really get what's wrong with it if there's no conflicts.

    A user can use DW for ALL their internet facing apps, and Sandboxie just for their browser in addition to DW. In this case, Sandboxie can be used primarily as a clean-up tool, as everything is gone, including any inactive malware.

    Thanks
     