Virtual Sandbox 1.0

Discussion in 'sandboxing & virtualization' started by zopzop, Sep 25, 2006.

Thread Status:
Not open for further replies.
  1. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    anyone try this program? i gave it a whirl, while waiting for the newest versions of bufferzone and geswall to be released :D

    I put it through the following tests:
    • xpkiller trojan
    • martin's undetectable keylogger
    • advanced process termination
    • morgud's threat simulator 2 (it replaces version 1)
    • ghostsecurity's registry test
    • spycar.org
    the results were mixed.

    the good :
    • it stopped xpkiller trojan in its tracks! no damage was done outside the sandbox
    • it contained the rootkit, all the trojans, the viruses, and all attempts to alter my OS by morgud's simulator with one exception (see the bad section below)
    • it withstood all of spycar's attempts to alter my IE and hosts file
    • it withstood part 1 and part 2 of ghostsecurity's registry test

    the bad :
    • morgud's simulator was able to jump the sandbox and disable my AV program (antivir)! that's kinda scary

    the ugly :
    • apt completely had its way with virtual sandbox. while sandboxed apt was shutting down processes running OUTSIDE the sandbox! that's not good
    • martin's undetectable keylogger was running wild also. while sandboxed it was logging keys both from sandboxed processes and those running OUTSIDE the sandbox! that's not good :(
    the last few results scared the bejesus outta me and i didn't dare run my last test : killdisk virus. i think this program has potential but it still needs a lot of work.

    edit: edited to include more tests
    edit: ran part 2 of ghostsecurity's reg test
     
    Last edited: Sep 26, 2006
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Zopzop, may I ask you a big favor? Since you have done a thorough test on Virtual Sandbox, can you also conduct the same tests on the following sandbox apps: deepfreeze standard, shadowuser, sandboxie, bufferzone and geswall? If not for all, perhaps at least a few. I am very anxious to know the comparison results. I wish I could do this myself; I am just an average joe in computer science. :gack: Thanks in advance.
     
  3. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Hi,

    Concerning BZ, these tests have already been done:

    • xpkiller trojan
    • martin's undetectable keylogger
    • advanced process termination
    • morgud's threat simulator 2
    • killdisk
    All of these are a pass for BZ.
    About ghostsecurity's registry test, the first one indicates BZ failed but in fact the registry keys have been written to the virtual zone, so it is a pass for BZ. Concerning the 2nd test, the test manages to turn off the computer, but the autostart key, once again, is written to the virtual zone.

    The same for spycar, this test can do everything so it looks like BZ fails when it is actually a pass. No modification to the trusted area can be done.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    deepfreeze*, shadowuser*, bufferzone** and geswall all pass these tests.

    *with these programs you must make sure you don't download a keylogger by mistake. the reason being, even though once you restart your computer they will be gone, they will be running undetected unless you have some other software that detects them. i should mention that i haven't used deepfreeze or shadowuser in a while and i don't know if they added new features to them.

    **i don't have the latest version of bufferzone, i just missed the latest beta (2.10+) test :( but i did read the developer's comments on martin's keylogger vs the latest version of bufferzone. when run inside the sandbox, martin's keylogger will still be free to log keystrokes in programs also inside the bufferzone, BUT it won't be able to log keystrokes in programs outside the bufferzone. geswall, once it has the keylogger isolated, prevents it from logging ANY alphanumeric keys, period.

    hope that helps
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for doing these tests, it confirms my second thoughts about this type of software, I just didn't know it for sure.
    Well, it was never my intention to use them. :)
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    erik, sandboxes are very important as part of a layered defense strategy vs malware. a good sandbox + a good firewall + a good AV is the best way to go defense wise, and there's a lot of good free sandboxes/firewalls/AVs. i wouldn't give up my sandbox for the world!
     
  7. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    You lads might want to check this out,

    www.techsupportalert.com/security_virtualization.htm

    HTH,

    Regards.
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Zopzop, thank you for your prompt and informative reply. I did not buy the idea of using sandbox and virtualization apps until recently. I thought they were just a sort of surplus. Soon after I started using deepfreeze standard, I did not have to scan the system w/ AV, AT and AS that often, and it also cut down the disk/registry cleaning tasks by a lot. Simply put, it makes my house (PC) cleaning chores much easier and more comfortable, and adds a good sense of security.
     
  9. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I created a kind of sandbox myself as you can see in my signature.
    I didn't do any serious tests yet due to lack of time, but I will in the future.
    I hope it works. :D
     
  11. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    And what about sandboxie?
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi zopzop, thanks for the tests.
    BTW, as u are using GesWall, how do u compare it to GW in regards to ease of use, resource use and any advanced options etc.
     
  13. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    hello aigle. virtual sandbox 1.0 :
    • is very easy to use. set and forget
    • it uses up more ram than geswall but ONLY IF you are running the virtual sandbox explorer (which you don't need to run at all if you don't want to). virtual sandbox explorer lets you see all the files/registry changes/etc.. that would have taken place/been created on your machine had they not been sandboxed. it's a cool feature.
    • since 1.0 is the freeware version of virtual sandbox it's missing features found in the pay version 2.0 (just like geswall personal vs geswall server).

    overall it seems like a nice product but they need to improve it more. the fact that martin's keylogger isn't being stopped and that programs inside the sandbox can disable programs running outside the sandbox must be looked into. in fairness i emailed their tech support and am waiting for an answer. also i have yet to run the killdisk test. i'm too scared. anyone up for it? :D
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    The page says it cannot even pass the malware isolation test.
    This product is a sandboxing application, so this result is disappointing.
     
  15. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I prefer SandBoxie and BufferZone.
    It appears GreenBorder is just for Internet, and it has compatibility issues with other security products.
     
    Last edited: Sep 26, 2006
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is correct. In the very beginning GreenBorder only seemed to work with MS Applications. Meanwhile a lot has been improved, but there are still issues with 3rd party software. I ditched it, too much time for me to report issues.
     
  17. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I'm still looking for a powerful sandboxing application.
    So far, it seems every sandboxing application is still in its infancy stage.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Comes close to my favorite saying about software:
    "What I don't want, I find everywhere, what I really want, I can't find anywhere." :D
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    no offense to the guy that ran those tests, but i don't think he's correct (in fact i think he's wrong by a long shot). i've visited p0rn and warez sites notorious for driveby installs (i can't mention them here) while using IE inside virtual sandbox 1.0, and nothing so far escaped the sandbox (spyfalcon, coolweb search, and spyware quake to name a few).
     
  20. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    None that you know of. ;)
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi zopzop, I tested KillDisk virus with VS, it stopped the virus dead.
     
    Last edited: Sep 28, 2006
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW, I wonder how u were able to run any exe files in VS. In my experience it is a very aggressive type of sandbox. I tried so many spyware installers but all failed to even execute in VS with error messages.

    I was not able to run any of them. Just see the example of Martin's Keylogger.
     

    Attached Files: 1.jpg (File size: 17.9 KB, Views: 408)
  23. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    thanks for that aigle. i'm a little amazed by your martin's keylogger test. i downloaded it and it ran fine inside virtual sandbox. what was your test setup? all i had was winxp sp2 with no antivirus/antispyware/antikeylogger/geswall etc... running in the background.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried on XP Home SP2 along with Antivir (guard disabled) and Comodo. Of course I uninstalled GeSWall, and also snoopfree (it was causing lock ups if i try to go to virtual desktop).

    To be clear I was not able to run even a single exe file inside virtual sandbox with similar errors. I tried about 15 or more spyware installers/keyloggers and none of them was able to run/install at all itself inside sandbox. On the contrary already installed software like Opera, FF, IE etc ran fine inside VS with some loss of functionality (that was of course a price of aggressive sandboxing).
    My conclusion is that unlike sandboxie, u can't install any software inside VS.
    I still wonder how you were able to run exe files inside it, i tried my best and failed.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi zopzop, I think u might need to re-check ur results. If ever u run again, pls post a snapshot of malware installed and running inside sandbox.
    The only way I can run them inside sandbox is to install them out of sandbox and then run inside sandbox from installed software but that makes no sense.

    It seems a very aggressive sandboxing to me. It is like IE with of course a much more user friendly and feature-rich interface but functionality is much reduced as compared to Sandboxie. I remember I was able to install and run some software inside sandboxie but not inside VS.
    BTW, if they improve it, it will be my first choice as I found that it is very configurable and has a lot of nice features, a real sandboxing HIPS.
     