Some unique HIPS features

Okay, I understand

But Aigle tested this in his confidential folder, to which untrusted programs are not allowed to write. That is why I asked Aigle to test again, because
a) Confidential implies extra policy containment
b) You have to explictely specify such a folder (in both GW and DW)

So your comment was valid when this should be the case

 

Na your Avira detects if I am not mistaken,Sanboxies contain it correct? and returnil washes away any ways.I would think no need for paranoia.

 

No, condidential folder was juat a part of other folders that contained text files. GW stops its damage to ANY file , folder on ur HD. It allows read to all files, folders but denies encrption/ modification by malware. In confidential folder it even denies READ also.

 

I believe this is the same as Defensewall. An untrusted application cannot change any file (with a few exceptions as pointed out by Ilya). If files/folders are in the Secured List, they cannot even be read.

I only use Sandboxie for browsing. If malware comes through e-mail or other route, I am only protected by Avira. Don't use Returnil much apart from testing.

I really want to include Defensewall as part of my setup so that all internet facing apps are protected and anything recovered from the sandbox becomes untrusted. Big problem I have is that Sandboxie will not run correctly when I have OA and DW installed together. I'm thinking that changing my firewall is only option.

 

I will not suggest to combine SBIE n DW. Use one of them.

 

I have used these two together before and I like the setup. Sandboxie for browsing only with all other iinternet facing apps covered by defensewall. Sandbox folder added as untrusted in Defensewall ensures that anything recovered from the sandbox becomes untrusted in Defensewall.

 

On contrary- untrusted may change files but the ones included into built-in extension protection section group (.exe, .jpg, .txt, .doc, .rtf and so on).

 

aigle i use both with no problems and feel xtra secure.

 

Thanks Ilya, I didn't realise that.

Aigle
Is this the same with Geswall or are ALL files protected from modification by an isolated application?

 

If I remember correctly you also can check emails sandboxed to be sure there safe and save the ones you want or recover, rather then soley rely on AV email scanners.Example what if avira Detects nothing with a infected email you open,In the mean time you check them outside the box and no Returnil on or session lock.You would be infected with out knowledge with out the chance of Sanboxie containig it or Returnil to rectify the changes.Please correct me if I am wrongly thinking here.

 

I have never used Outlook Express sandboxed. Sandboxie is great for browsing but I think it's inconvenient to keep having to recover mail from a sandbox. 99% of e-mails I want to keep. The setup I use also needs to be wife and teenager-friendly. If I ask them to recover e-mails from the sandbox, I think I may get an old-fashioned look.

Back on-topic, I have now installed DW 2.44 and will check it against GPcode just to satisfy myself that it protects and to see if it misses any particular file types.

 

I see very understandable and congrats on DW Good choice indeed.best of luck

 

Can confirm that DW protects against GPcode out-of-the-box with no special settings.

GPcode attempted to delete .jpg, .dwg, .txt and .doc files without success. Original files were retained alongside a new encrypted version. The only files not protected by DW were .bak files and these were deleted by GPcode.

 

You can already do this (protect against GPcode) with CFP 3. Add those folders that contain your personal data to the protected files/folders list.

 

I am not sure but I think it protects all files by default.

 

I have no special folders for that. My data is scateered all over my three non-OS partitions.

 

Thanks for the tip Pete, I have done the same as you by sandboxing Outlook Express. I decided to use registered version to contribute to a fine program and to use the Forced Programs feature to ensure browser and OE start sandboxed.

 

AHHH, another valued member opposing this strange idea that double is better, thanks Aigle

 

With keeping OT i will suggest some "unique" features that i personally feel "ALL" HIPS should impliment without delay or question, and i think i mentioned a few before, but for subject's sake and comparison from other users of this type of security protection, it might be worthy of some comments of their own.

It should be and cannot be denied in usefullness if all HIPS made provision for auto-restarting any running processes that might suddenly and/or without notice either be forcefully terminated or crashed as sometimes can be the case with Windows. Users shouldn't have to go on a hunt to add this additional prevention to their security programs IMHO. They should have already been implimented, and in at least one instance i'm aware of, System Safety Monitor was the first (correct me if in error) to offer this useful feature in it's first HIPS version.

Sorry, but i dunno about Prevx or Comodo or others, because i tend to concentrate on a choice few or couple of HIPS when determining needs.

MD5 checksums are implimented in some HIPS. How dependable are they really? Windows is much too vast for a single researcher to examine this Redwood Forest of so many aspects of the Windows operating system, so i would be all eyes in reading other's opinions to this, but it would appear another useful aspect of verifying the content and integrity of files without relying on connecting to microsoft's database thru internet connection to assure a perfect match, although i am not against this practice, it's more favorable in my experience to operate from a local database instead. Just a personal preference, thats all.

Theres been much debate over Behavioral Blockers/HIPS that rely on checking an online database automatically. Theres probably as many in favor as opposed to this approach because if i read things right, not even AV's/AS's go to this extreme, but again some may, i could be missing those that actually do.

I must attest with my sincerest testimony however that with the introduction of HIPS, i've personally and in research have realized a positive net increase in security and much less drive-by hijacking compared to when all that was depended on was an AV. I know their not perfect, and they are vital in so many ways as well as have stepped up their own research and improvements with Heuristics and the like, and with that they can confidently make a positive case when matched up to a Classical HIPS, so theres no tipping of the scale in either's favor on effort.

Lastly, i would like to see HIPS expand deeper (where possible for stability) and set up UNMOVEABLE hooks in both the SSDT Table & Shadow SSDT as well. SSM fills up that first table when observed via deep explorer tools, but the key IMO is to prevent from beng unseated
by any Table unhooker (if possible).

Tall order? I think not, but then i don't clock into their Labs every day like they do and go over notes and reports.

So, whatta ya think?

EASTER

 

I've been reading this and some of the other threads and am wondering about HIPS with other security software.
For example, if I buy Defensewall or Geswall for my new pc do I still need to run a firewall?
Or a full time AV?
Same question for on demand anti malware/spyware.
HIPS seem to have come a long way over the past few years. But they have a long way to go too.
Am I missing the point with these HIPS?
Just curious.
Thanks.
Hugger

 

No, your right on-target, HIPS as extremely formidable as they are at present, need improvememts to cover not just what i suggested but they have the where with all to advance even more in the way of near total security, and their not quite at that level just yet.

 

Hi

I don't really get what's wrong with it if there's no conflicts.

A user can use DW for ALL their internet facing apps, and Sandboxie just for their browser in addition to DW. In this case, Sandboxie can be used primarily as clean-up tool as everything is gone, including if there is any inactive malware.

Thanks