Very interesting tests of DW,SBIE,BufferZone and GesWall

Hi,

While browsing a Chinese Security Forum, an expert, who is a casual contributor here too , has post an interesting testing results by comparing the said four leading Sandbox applications against several modules.

I manage to have the page translated by Google.

Hoping this can initiate some or even more discussions/debates among our members. The link:
http://translate.google.com/transla...an.cn/viewthread.php?tid=212242&extra=&page=1

Take care.

 

Thanks perman

That was a very intresting read seems like any of them 3 will protect you very well,

 

One my stupid error during product's improvement process costs me one point

 

Ilya what do you mean ??

 

I had an error with GetAsyncKeyboardState function ID determinition with 2.10/2.20 versions under WinXP. This was made during program's improvement work. It is already fixed now and will be released with the next version update. This error, as you can see with AKLT test section, costs me one point.

 

Ilya,
Do you think it's worthwhile to use a sandbox (specially a policy-based one) in a LUA + SRP environment?

 

Don't worry Ilya, your product is perfect even if you loose one point.

 

Well, I think that sandboxes do the job more comfortable and simple way. So, it's just up to you. You just need to take into account that Vista virtualize %Program Files% and %Windows Directory%.

Update: Brontok is using %Application Data% folder for its work. Restricted user can modify "HKEY_CURRENT_USER" and %Startup% folder. So, my answer is "yes" even with LUA and SRP (at least, with the SRP's page descrition, more advanced tuning may fill the gaps) , but, one more time- it's up to you to make a final decision.

 

I'm just a perfectionist.

 

I will second that great work Ilya

 

You still smoked the competition

From working in a corporate environment for many years, I know all too well this works (LUA/SRP) but I refuse to lock my pc into a "nanny state". The problems this causes at least with W2K and XP is infuriating. Some programs don't work right and constant error messages and freeze-ups are the norm. Maybe it's better with Vista, but I don't use it so I'm not sure, but it's a joke with XP and W2K. This means no disrespect to you either, lucas. It's just my opinion based on experience working on these type (fully locked down) machines.

 

Hi,

Thank you Perman, it is really a very interesting test as the results are : the 2 first are my preferred Sandbox progs.
Congrats to Ilya and Gentle Security team.

Regards,

MaB

 

Interesting test, and I feel is very worthwhile. I use SBIE and for example have a sandbox setup for Firefox where Firefox is the only application that is allowed to access the internet. So even if the keylogger runs and logs(of course), then once I close down the sandbox and the data get cleared then the keylogger and the log files will go with it! Of course I run Defensewall as well, so the keylogger doesn't get the opportunity

muf

 

Thanks Ilya
How does Brontok execute? AFAIK, it spreads throu removable drives (I have autorun disabled) and it needs to bypass the SRP (execution permission only for WinDir, Program Files and some custom folders)
If this security setup can be breached, I think that some form of integrity checking (RunScanner, Autoruns, Tiny Watcher, rootkit scanners) will detect the changes and I have an image handy for restoring the system partition and data backups safely stored.

 

Thanks Perman for the link to the test results.

Congratulations Ilya !

 

To tell the truth- I don't remember. It is using multiple startup strategies + on-board rootkit, I only remember how to clean this piece of sh*t off the computer with AVZ.

 

Thanks again Ilya. So, I'll have to find a current sample and do some tests Last question, that rootkit is user-mode or kernel-mode?

 

Kernel mode. And yes, it is using flash drives for spreading.

 

Thanks Perman.

 

Thanks

 

I have seen it very common here, travelling by USB memeory sticks. It,s icon is just like a folder and user clicks it by mistake thinking it a folder. Interestingly it takes the names of nearby executables etc as name of folder-looking executable. By default XP doesn,t show file extensions and users are tricked.

It,s dead inside sandboxes.

Intererstingly i cleaned two PCs infected by it via Antivir and after that desktop GUI diod not appear, explorer.exe was not loaded probably, i had to do a repair of windows. Avst cleaned it OK but only if it did not go so deep. It has something bad to do with explorer.

 

The sample that i had got doesn,t seem to install any service or driver though.

 

You should try the updated SuRun (1.1.0.1) for easily solving these LUA bugs.

/C.

 

I agree, even with minus one point DefenseWall trumps them big time, but also understand the "Perfectionist!" developer, a creator who is never satisfied and will not rest untill EVERYTHING is balanced & covered as possible.

And all that perfectionist effort really shows in DW! A masterful app!

I really had a difficult time getting my mind to accept it's concept as a HIPS, because although it does the HIPS protections, it is also multi-faceted with benefits even HIPS doesn't offer like the rollback feature and immediately/at-once dismissing registry entries/files from a list as well as dropping rights etc..

EASTER