The ErikAlbert Approach - A test

Discussion in 'FirstDefense-ISR Forum' started by Peter2150, Nov 27, 2007.

Thread Status:
Not open for further replies.
  1. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046


    Using version 1.30 I can protect the whole of a partition ....

    but some applications (trusted apps) seem to be able to write new files. Need a bit more time playing to work out what is going on with my config.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, I saw my mistake after Peter's reply on your post. Sorry, my bad.
    DefenseWall is not as easy as PC Security. I already tried this myself, since I have DefenseWall on board, but I might contact Ilya to make it easier.
    I dunno about DevCon, have to try this first.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, testing done. First a couple of comments.

    1) Can't speak to many AVs, but F-Prot would have caught it.
    2) There are two different meanings of security.
       a) Security in the sense that if someone sits down at your computer they can't snoop at your private stuff. Really privacy.
       b) Security in the sense that while you are surfing you are protected, and also when you install something new, it's what you think it is.

    3) Since this was really taking a look at Erik's approach, my main emphasis was attacking my 2nd internal disk drive (a concern of mine also).

    1) Someone asked about ProSecurity, the HIPS. You can indeed set file protection, but then during the virus install it asks you, and if you allow it, bingo. So I classify it along with SSM, OA, etc. Helpful to evaluate what an unknown program does, but still leaves you with the undoing.

    2) PCSecurity. Tried the Lock and Hide. Tried 3 attacks on my E: drive. First was the ErikAlbert special delete test from a command prompt. PASSED. Couldn't access. Then I tried format e: also from the command prompt. PASSED. Couldn't access the drive. Then I did the virus install. FAILED. Installed the stuff on the E: drive with no problem.

    3) Someone also asked me about Folder Security 4.1. I protected the whole E: drive and attacked. EA's del test - PASS, couldn't access. Format test. FAILED. It formatted the drive. When I looked it was still locked, but when I unlocked it, it was indeed reformatted and empty. I didn't bother with the virus as I assumed it wouldn't have a problem.

    4) ShadowDefender. I used ShadowDefender as it can protect both C: and E: drives. First I attacked with Erik's del test. PASSED. Files were deleted but back after reboot. Then I did the format e: test. PASSED. It did format the drive, but couldn't write the final boot sector. Result was a drive that was apparently allocated, but the format was wiped out, leaving it unformatted. Reboot and all was fine. Then ran the virus installer. Again here all the HIPS programs were of value in that you could see stuff that you wouldn't want to happen happening. Result: both disks infected. Reboot and both disks clean. PASSED.

    Note, I wouldn't want to do the ShadowDefender reboot with the FDISR freeze function active. My hunch is this would be less than pretty.

    5) Couldn't leave this without testing Sandboxie. I have My Documents excluded in the sandbox. It was easy to add e:\ to the exclusion. I then ran Windows Explorer in the sandbox. Couldn't access E: at all. Then, watching the HIPS alerts closely, I ran the virus installer sandboxed. It was able to modify the registry, add files to the c:\ root and also to c:\recycler. It got messed up when it tried to do stuff with e:\; basically it hung. Looking at the C: drive in the sandbox, I could see what the installer had done. Looking at it outside the sandbox, both C: and E: were clean. I terminated all sandboxed processes and rebooted. No sign of the virus either in terms of what its payload did, or evidence on either drive. I could look in the sandbox and the files were still present there. Deleting the sandbox and everything was gone. PASSED.

    My conclusions. PCSecurity and Folder Security are good for privacy but not malware prevention.

    Erik, knowing your objectives, my recommendation would be to take another long and hard look at Sandboxie. It's very different from your last test. It would do exactly what you want, and protect your data drive, and when you reboot with your frozen FDISR archive, that would also have the effect of cleaning out the sandbox.

    For me. This tells me how I can monitor an install I am not sure about, protecting myself as I go, for easy clean up if it's bad. Also how I can protect my 2nd internal hard drive, which has been a concern.

    Others. Based on your needs you can draw your own conclusions.

    Cheers,
    Pete

    As a PS. One of the beauties of the VM environment, at least with VMware, is that you can even format the drives, roll back a snapshot, and all is back like it was. Truly unique.
     
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,325
    Location:
    US
    Hey, guys, I had never even heard of PC Security until this thread. Can I have a link?

    Thanks,
    Acadia
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Peter! Did you play with my samples?
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks a lot for the testing. I'm very disappointed regarding PC Security, because it doesn't do what I expected in the first place. Waste of money.
    Back to the drawing board: SandboxIE, DefenseWall, ...
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Aigle.

    No, not yet. I am to a degree time impaired. But I will look at them.

    Pete
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If I have time, I might play with DefenseWall. What I've never liked is it doesn't have a means to get rid of stuff. Am I now wrong?
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    DefenseWall test quick and painless. I must have installed the trial in my VM ages ago. Trial won't run. Oh well.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I never investigated DefenseWall that far. I use DefenseWall as additional protection for Firefox.
    If I go back to SandboxIE, I don't see much advantage in keeping DefenseWall anymore. Two pieces of software with the same function is absurd, with possible conflicts.
    I'm only glad that you proved that PC Security is worthless as a protection against malware, and that was my main goal.

    You can test DefenseWall as well, because it is interesting for EVERY MEMBER to know how good DefenseWall really is. :)
     
  12. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Yes, I'm very nosy about the outcome of such a test too... ;)

    /C.
     
    Last edited: Nov 29, 2007
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I couldn't install DefenseWall. I must have had it on the VM way back, as it just says my trial has expired. Hmm.
     
  14. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    A suggestion: could it be possible for me to send you my license file for you to run the test, and that you delete (I'll trust you on this ;)) the license file afterwards? I don't use DW right now because of some issues with my system. So I don't think it will conflict with Ilya's terms for DW, but I'm not sure about this.

    /C.
     
  15. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    Hi Pete,

    Yes, sure, in that case. A simple frontend GUI would help in this case for DevCon, just with hard drive switches.

    As Erik wants a hardcore solution, I don't think any other solution would suffice (original thread). All other solutions rely on trusting the software to lock it, and if someone comes along, either local or over the net, they can see what software you have installed, and if these softwares keep their settings in the registry or something simple etc. then they could turn it back on. So that is a weakness. Thanks for the compliment, don't worry, I'm not after your job lol, many thanks.
     
    Last edited: Nov 29, 2007
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK Peter. I've something more urgent.
    I uninstalled PC Security for now.
    I uninstalled DefenseWall for now.
    I installed Sandboxie without troubles, I assume.

    Since the protection of my data partition [D:] is gone, one question.
    How do I protect my complete hard disk "D:\" with Sandboxie? I don't know Sandboxie that well yet.
    I assume something in the configuration file?
     
  17. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    Example with PC Security: go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\trsys\LckdFldrs and you see what's been locked... hardly hardcore.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. Right click on the systray icon and select show windows. Once the GUI is open: sandbox > default box > sandbox settings. Then resource access > file access > blocked access. Once you are there, click add, then select the drive you want to protect and click apply > okay > okay, then close the GUI.

    Now to test. First, with Windows Explorer, look and you can see your 2nd drive. Then again right click the systray icon > Default Box > Run Windows Explorer. It didn't like opening with a browser open, but once it opens you will notice you've sandboxed Explorer completely. Now you can't access the 2nd drive at all.

    Note it's only protected from within the sandbox. If you pay the $25 and register, then you can set your browsers forced, so whenever you open the browser it's sandboxed. At this point nothing that happens in the browser can access your drive.

    That was the last test I did. The virus I was playing with was contained within the sandbox for my C: drive, and never could get to my E: drive. When you are done, just delete the sandbox.

    If you want help with any of my other settings, I'll be glad to help.

    Note that running Killdisk from within the sandbox, Killdisk was also contained.

    Pete
     
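    The blocked-access and forced-browser settings Pete walks through above, written as the Sandboxie.ini entries the GUI produces (an added example, not from the thread or from the Sandboxie project; DefaultBox is Sandboxie's default box name, while E:\ as the data drive and firefox.exe as the forced browser are assumptions):

    ```ini
    ; Sandboxie.ini, typically C:\Windows\Sandboxie.ini (location assumed)
    [DefaultBox]
    ; Resource Access > File Access > Blocked Access for the whole E: drive.
    ; Sandboxed programs cannot even list the drive, so a sandboxed installer
    ; or Killdisk never sees it (Pete's "couldn't access E: at all").
    ClosedFilePath=E:\
    ; Read-only alternative (the same effect as aigle's GesWall deny-create rule:
    ; reads allowed, writes refused), if sandboxed browsers should still open
    ; files from the data drive. Leave commented out when using ClosedFilePath.
    ; ReadFilePath=E:\
    ; Registered-version feature: every launch of the browser runs inside the box,
    ; so nothing arriving through it can touch the real E: drive.
    ForceProcess=firefox.exe
    ```

    Sandboxie has to reload the configuration (or be restarted) before the edit takes effect; the quick check is to run Windows Explorer sandboxed as described above and confirm E: is no longer listed.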
  19. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    Here's a possible new free tiny software solution - sits in your system tray

    - lock all partitions on the specified hard disk
    - dismount all partitions on the specified hard disk
    - sleep the specified hard disk
    - put all volumes on the specified hard disk in offline state (Vista)
    - deactivate the driver for the specified hard disk
    - the locked drives won't wake up
    - you can unlock/lock different drives

    http://revosleep.realspooky.de/

    :)
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not meant to be. It's meant to keep out people who don't know what a registry is, and can't guess passwords. :D
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The beauty of Sandboxie, assuming they came in thru the browser (remember here we are just talking online security), is that they would be editing the registry in the sandbox, not the system. That's what my virus test was doing: modifying the registry in the sandbox, but not the computer itself.
     
  22. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    Yesss, try the software I sent, revoSleep. It works a treat, it's fairly new and has a forum. Let's see your virus get thru.
    http://home.arcor.de/realspooky/downloads/revoSleep_v0.2.4_BETA (x86).rar



    EDIT by Peter2150. To any other mods. I've tested this link. It's valid and good, no malware.
     
    Last edited by a moderator: Nov 29, 2007
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    By the way, I have protected my data partitions with GesWall. Long ago I created a deny-create rule for my D and E partitions (read is allowed but write is not allowed). So all isolated applications like my browsers, messengers etc. can't write to non-system partitions. I have tested it with the blackday trojan, the Viking worm and some other malware samples that create autorun files in all partitions; they were unable to break out to non-system partitions. It was a few months back when I tested them and it was quite interesting.

    Additionally, I have added rules in EQSecure's file protection so that my browsers can read non-system partitions but can't write to them.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What I like about Sandboxie above the 'walls is the ability to delete everything. I know the 'walls isolate, but can they clean up and delete? That's important to me.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Marky

    Can you give us a description of this. I downloaded it, but it will make forum mods nervous.

    Pete


    Edit: I tested the link. It's good, clean, and very cool.
     
    Last edited: Nov 29, 2007