Very interesting tests of DW,SBIE,BufferZone and GesWall

Discussion in 'other anti-malware software' started by Perman, Mar 11, 2008.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    While browsing a Chinese security forum, an expert, who is a casual contributor here too, has posted interesting test results comparing the said four leading sandbox applications against several modules.

    I managed to have the page translated by Google.

    Hoping this can initiate some or even more discussions/debates among our members. The link:
    http://translate.google.com/transla...an.cn/viewthread.php?tid=212242&extra=&page=1

    Take care.
     
  2. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Thanks perman

    That was a very interesting read; seems like any of those 3 will protect you very well. :thumb:
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    One stupid error of mine during the product's improvement process cost me one point :(
     
  4. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Ilya what do you mean ??
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I had an error with GetAsyncKeyboardState function ID determination in the 2.10/2.20 versions under WinXP. This was made during the program's improvement work. It is already fixed now and will be released with the next version update. This error, as you can see in the AKLT test section, cost me one point.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Ilya,
    Do you think it's worthwhile to use a sandbox (especially a policy-based one) in a LUA + SRP environment?
     
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,618
    Location:
    Canada
    Don't worry Ilya, your product is perfect even if you lose one point.
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, I think that sandboxes do the job in a more comfortable and simple way. So, it's just up to you. You just need to take into account that Vista virtualizes %Program Files% and %Windows Directory%.

    Update: Brontok is using the %Application Data% folder for its work. A restricted user can modify "HKEY_CURRENT_USER" and the %Startup% folder. So, my answer is "yes" even with LUA and SRP (at least, with the SRP's page description; more advanced tuning may fill the gaps), but, one more time, it's up to you to make a final decision.
     
    Last edited: Mar 11, 2008
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I'm just a perfectionist. :D
     
  10. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    I will second that, great work Ilya
     
  11. wat0114

    wat0114 Guest

    You still smoked the competition :)

    From working in a corporate environment for many years, I know all too well this works (LUA/SRP) but I refuse to lock my pc into a "nanny state". The problems this causes, at least with W2K and XP, are infuriating. Some programs don't work right and constant error messages and freeze-ups are the norm. Maybe it's better with Vista, but I don't use it so I'm not sure, but it's a joke with XP and W2K. This means no disrespect to you either, lucas. It's just my opinion based on experience working on these types of (fully locked down) machines.
     
  12. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Thank you Perman, it is really a very interesting test as the results are: the first 2 are my preferred sandbox progs.
    Congrats to Ilya and Gentle Security team.

    Regards,

    MaB
     
  13. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Interesting test, and I feel it is very worthwhile. I use SBIE and for example have a sandbox set up for Firefox where Firefox is the only application that is allowed to access the internet. So even if the keylogger runs and logs (of course), then once I close down the sandbox and the data gets cleared, the keylogger and the log files will go with it! Of course I run DefenseWall as well, so the keylogger doesn't get the opportunity :p

    muf
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks Ilya :)
    How does Brontok execute? AFAIK, it spreads through removable drives (I have autorun disabled) and it needs to bypass the SRP (execution permission only for WinDir, Program Files and some custom folders).
    If this security setup can be breached, I think that some form of integrity checking (RunScanner, Autoruns, Tiny Watcher, rootkit scanners) will detect the changes and I have an image handy for restoring the system partition and data backups safely stored.
     
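    The exchange above (Ilya's point that a restricted user can still write to HKEY_CURRENT_USER, %Application Data% and the %Startup% folder, and lucas1985's SRP setup that only allows execution from WinDir, Program Files and a few custom folders) boils down to one question: is any location the user can write to also a location SRP lets code run from? The script below is an added example, not from this thread and not from DefenseWall, Sandboxie, BufferZone, GeSWall or SuRun. It reads the SRP path rules from their standard policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, a documented location), probes the per-user folders for write access, and reports any folder that is both writable and not Disallowed. The per-user Run key is included as a well-known autostart location; the thread does not name it. Folder names, the probe-file approach and the report layout are choices made for this example.

```powershell
# Added example: audit the LUA + SRP gap discussed in the thread.
# Assumptions: SRP is stored under its standard policy key ($saferRoot) and the
# per-user folders and Run key listed below are the locations worth checking.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security-level ids, used as subkey names under CodeIdentifiers.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Expand-SrpPath([string]$Data) {
    # SRP's default rules are registry path rules such as
    # %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%;
    # resolve those first, then expand ordinary environment variables.
    $m = [regex]::Match($Data, '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$')
    if ($m.Success) {
        $hive  = if ($m.Groups[1].Value -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $props = Get-ItemProperty -Path "$hive\$($m.Groups[2].Value)" -ErrorAction SilentlyContinue
        if ($props) { $Data = [string]$props.($m.Groups[3].Value) + $m.Groups[4].Value }
    }
    [Environment]::ExpandEnvironmentVariables($Data)
}

function Get-SrpPathRules {
    # One object per path rule: its security level and the expanded path.
    foreach ($id in $levels.Keys) {
        $key = Join-Path $saferRoot "$id\Paths"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($rule in Get-ChildItem -LiteralPath $key) {
            $data = (Get-ItemProperty -LiteralPath $rule.PSPath).ItemData
            if (-not $data) { continue }
            [pscustomobject]@{ Level = $levels[$id]; Path = (Expand-SrpPath $data).TrimEnd('\') }
        }
    }
}

function Get-SrpDefaultLevel {
    $props = Get-ItemProperty -LiteralPath $saferRoot -ErrorAction SilentlyContinue
    if ($props -and $null -ne $props.DefaultLevel) { return $levels[[int]$props.DefaultLevel] }
    return 'Unrestricted (no SRP policy found)'
}

function Get-EffectiveLevel([string]$Folder, $Rules, [string]$Default) {
    # SRP applies the most specific (longest) matching path rule, else the default.
    $match = $Rules |
        Where-Object { $Folder.StartsWith($_.Path, [StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object { $_.Path.Length } -Descending | Select-Object -First 1
    if ($match) { return $match.Level }
    return $Default
}

function Test-UserWritable([string]$Path) {
    # Create and delete a zero-byte probe file as the current user.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Test-RegistryWritable([string]$Key) {
    # Same idea for a registry key: add and remove a throwaway value.
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    $name = 'srp-audit-' + [IO.Path]::GetRandomFileName()
    try {
        New-ItemProperty -LiteralPath $Key -Name $name -Value '' -PropertyType String -ErrorAction Stop | Out-Null
        Remove-ItemProperty -LiteralPath $Key -Name $name -ErrorAction Stop
        return $true
    } catch { return $false }
}

$rules   = @(Get-SrpPathRules)
$default = Get-SrpDefaultLevel

# Per-user locations named in the thread (%Application Data%, %Startup%) plus
# the local application data and temp folders, which are writable in the same way.
$folders = @(
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('Startup'),
    [IO.Path]::GetTempPath().TrimEnd('\')
)

$report = foreach ($f in $folders) {
    [pscustomobject]@{ Location = $f; Writable = (Test-UserWritable $f); Level = (Get-EffectiveLevel $f $rules $default) }
}
"SRP default level: $default"
$report | Format-Table -AutoSize

# HKCU is always writable by its own user, so the Run key itself cannot be
# protected by a path rule; SRP can only block what the key points to.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
"Per-user Run key writable: $(Test-RegistryWritable $runKey)"

$gaps = @($report | Where-Object { $_.Writable -and $_.Level -ne 'Disallowed' })
if ($gaps.Count -gt 0) { "Writable AND allowed to execute (SRP gap): $($gaps.Location -join '; ')" }
else { "Every writable folder listed is Disallowed; SRP covers them." }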
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    One thing to remember, though, is Sandboxie isn't designed to be an anti-keylogger, but a sandbox, so testing it as such doesn't mean much. Also with the latest version, you can set it up so that only one program, the browser, can access the net.

    Finally, say I am browsing and pick up a keylogger. So what. Before I go online elsewhere to use a critical password, I am going to close the browser and empty the sandbox. Keylogger gone.
     
  16. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Thanks Perman for the link to the test results.

    Congratulations Ilya !
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    To tell the truth- I don't remember. :rolleyes: It is using multiple startup strategies + on-board rootkit, I only remember how to clean this piece of sh*t off the computer with AVZ. :)
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks again Ilya. So, I'll have to find a current sample and do some tests :D Last question, is that rootkit user-mode or kernel-mode?
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Kernel mode. And yes, it is using flash drives for spreading.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Perman.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks :thumb:
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have seen it very commonly here, travelling by USB memory sticks. Its icon is just like a folder and the user clicks it by mistake, thinking it is a folder. Interestingly it takes the names of nearby executables etc. as the name of the folder-looking executable. By default XP doesn't show file extensions and users are tricked.

    It's dead inside sandboxes.

    Interestingly I cleaned two PCs infected by it via Antivir and after that the desktop GUI did not appear; explorer.exe was not loaded probably, I had to do a repair of Windows. Avast cleaned it OK but only if it did not go so deep. It has something bad to do with explorer.
     
    Last edited: Mar 11, 2008
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    The sample that I had got doesn't seem to install any service or driver though.
     
  24. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    You should try the updated SuRun (1.1.0.1) for easily solving these LUA bugs.

    /C.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I agree, even with minus one point DefenseWall trumps them big time, but I also understand the "Perfectionist!" developer, a creator who is never satisfied and will not rest until EVERYTHING is balanced & covered as much as possible.

    And all that perfectionist effort really shows in DW! :) A masterful app!

    I really had a difficult time getting my mind to accept its concept as a HIPS, because although it does the HIPS protections, it is also multi-faceted with benefits even HIPS doesn't offer, like the rollback feature and immediately/at-once dismissing registry entries/files from a list as well as dropping rights etc.

    EASTER
     