The ErikAlbert Approach - A test

Discussion in 'FirstDefense-ISR Forum' started by Peter2150, Nov 27, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Defense Wall is on the list. Should have a trial key to do it after Monday. Probably smart uninstalling one of them. I uninstalled Sandboxie to test Geswall. They didn't seem to like each other. Should be interesting to see if DF and Sandboxie play, although from a thread in the sandboxie forum, I suspect not. Stay tuned.

    Pete
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have used SBIE and GW together multiple times (just for testing) without troubles.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Not sure what u mean. If I understand correctly GW isolates files but doesn't stop their creation. It tags isolated files but this tagging info is probably stored on the system partition. So if u run a virus on a frozen system partition/drive C and it makes a copy on partition D, the copy will be isolated. But now if u de-freeze the system partition/disk C and reboot, tagging for the isolated copy on D will be gone and the file will be free to do anything. It's just my understanding. I will test to check whether I am right.
    GW will not remove all isolated files on uninstall as in this case u might lose so many imp files related to ur isolated applications (browsers) etc. This is because of the very nature of GW as there is no virtualization for files, only policy based sandboxing. However the newer version 2.7 will have an option to scan isolated files and to delete them if the user wishes to do so.

    By the way, the best way to protect non-system partition/ disk in GW is to create a Deny Create rule for them as shown below. In this way nothing will be written to non-system partition/ disk. I have tested it with malware and it works great.
     

    Attached Files:

  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Those will be some good improvements. I missed the add resources. So indeed for the EA approach geswall would be good. Is that add resources in 2.6? If so I may retest. Or is there a link to the 2.7 beta? I couldn't find it.

    Pete
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mitch

    I have all my recycle bins disabled. Don't use them. This malware used them as a hiding place. Yes the c:\windows\recycler was created by the malware. It's a long thread, but the basic idea was taking Erik's original approach to security of using a frozen FDISR snapshot to protect his c: drive and then protect his data drive with other software. What I was looking at was how well other software actually protected the other drive.

    Pete
     
  7. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Thanx Pete, I was actually rephrasing my question as I felt it was too confusing - but you nailed it. I'm good to go now, thanx again.
    MitchE323
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, as promised the final test. Defense Wall. My thanks to Ilya for enabling me to do this.

    Ran the test two different ways. First I just ran the test with out-of-the-box settings. Virus did install on the drives, but was rendered harmless. At that point I hadn't figured out the rollback option, but nevertheless the protection worked.

    For Erik's purpose, I would rate this a marginal pass, although had I known what I was doing, I probably could have removed it.

    Reset VM machine, and retested. This time I put in an exclusion on the e: drive, and reran the test. DW did block the e: drive, but the pop-up wouldn't stop and efforts to do so caused a GUI crash. Restarted and did a rollback, which at this point also caused a GUI crash. However, the virus never installed on the e: drive, and was cleaned from the c: drive.

    So in spite of the problems, Defense Wall was a PASS for the purpose of Erik's Approach.

    Pete
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks Peter. So I have the choice: DefenseWall or Sandboxie or both with possible conflicts.
    I keep on using Sandboxie for awhile to detect possible problems.
    I consider both as evergreens, like AE, so I don't mind the money.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It all comes down to what blend of features, speed, ease of use, tweakability, support and price do you want/need. All the sandboxes (Sandboxie, GeSWall, Defensewall, SafeSpace, Bufferzone and others) offer pretty strong and hassle-free security against current malware.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep, they both are strong contenders.
     
  12. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I don't think this is a good idea for the above reason.

    Thanks Peter for running the test. It passed (as expected :)). Yes, both Sandboxie and DW seem to be equally good. The only reason to choose SB before DW would be for the fact that it seems to have a lower impact on performance (according to Process Explorer).

    /C.
     
  13. jdjudy

    jdjudy Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    26
    Peter:

    Can you try this test with the current software on giveawayoftheday.com? They are offering "Folder Castle", which has the statement in the offer of; "Also the program protects files from accessing by viruses, trojans and spyware." I am curious how this would compare to PC Security...

    Thanks
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi jdjudy

    I downloaded it. Got to say getting it going was a pain. Wasn't one of my favorites of the folder protection software. That having been said, I tested it. FAILED.

    With the whole drive protected, and inaccessible in Windows Explorer, the virus still was able to write its files to the drive.

    Pete
     
  15. jdjudy

    jdjudy Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    26
    Thanks Peter. That is the result I figured would have happened. Talk about false advertising...
     