Virtual Sandbox 1.0

anyone try this program? i gave it a whirl, while waiting for the newest versions of bufferzone and geswall to be released

I put it through the following tests :
xpkiller trojan
martin's undetectable keylogger
advanced process termination
morgud's threat simulator 2 (it replaces version 1)
ghostsecurity's registry test
spycar.org
the results were mixed.

the good :

• it stopped xpkiller trojan in it's tracks! no damage was done outside the sandbox
• it contained the rootkit, all the trojans, the virii, and all attempts to alter my OS by morguds simulator with one exception (see the bad section below)
• it withstood all of spycar's attempts to alter my IE and hosts file
• it withstood part 1 and part 2 of ghostsecurity's registry test

the bad :

• morgud's simulator was able to jump the sandbox and disable my AV program (antivir)! that's kinda scarey

the ugly :

• apt completely had it's way with virtual sandbox. while sandboxed apt was shutting down process running OUTSIDE the sandbox! that's not good
• martin's undetectable keylogger was running wild also. while sandboxed it was logging keys both from sandboxed process and those running OUTSIDE the sandbox! that's not good

the last few results scared the bejesus outta me and i didn't dare run my last test : killdisk virus. i think this program has potential but it still needs alot of work.

edit: editted to include more tests
edit: ran part 2 of ghostsecurity's reg test

 

Hi, folks: Zopzop, may I ask you a big favor; Since you have done a thorough test on Virtual Sandbox, can you also conduct the same tests towards the following sandbox apps: deepfreeze standard, shadowuser, sandboxie, bufferzone and geswall. If not for all, perhaps at least few, I am very anxious to know the comparision results. I wish I can do this myself; I am just an average joe in computer science. Thanks in advance.

 

Hi,

Concerning BZ, these tests have already been done:

xpkiller trojan
martin's undetectable keylogger
advanced process termination
morgud's threat simulator 2
killdisk
All of these are a pass for BZ.
About ghostsecurity's registry test, first one indicates BZ failed but in fact registry keys have written to virtual zone, so it is a pass for BZ. Concerning the 2nd test, the test manages to turn off computer, but the autostart key, once again is written to the virtual zone.

The same for spycar, this test can do everything so it looks like BZ fails when it is actually a pass. No modification to the trusted area can be done.

 

deepfreeze*, shadowuser*, bufferzone** and geswall all pass these tests.

*with these programs you must make sure you don't download a keylogger by mistake. the reason being, even though once you restart your computer they will be gone, they will be running undetected unless you have some other software that detects them. i should mention that i haven't used deepfreeze or shadowuser in a while and i don't know if they added new features to them.

**i dont' have the latest version of bufferzone, i just missed the latest beta (2.10+) test but i did read the developers comments on martin's keylogger vs the latest version of bufferzone. when run inside the sandbox, martin's keylogger will still be free to log keystrokes in programs also inside the bufferzone, BUT it won't be able to log keystrokes in programs outside the bufferzone. geswall, once it has the keylogger isolated, prevents it from logging ANY alphanumeric keys, period.

hope that helps

 

Thanks for doing these tests, it confirms my second thoughts about this type of softwares, I just didn't know it for sure.
Well, it was never my intention to use them.

 

erik, sandboxes are very important as part of a layered defense strategy vs malware. a good sandbox + a good firewall + a good AV is the best way to go defense wise, and there's a lot of good free sandboxes/firewalls/AVs. i wouldn't give up my sandbox for the world!

 

You lads might want to check this out,

www.techsupportalert.com/security_virtualization.htm

HTH,

Regards.

 

Hi,folks: Zopzop, thank you for your prompt and imformative reply. I did not buy the idea of using sandbox and virtualization app until recent. I thought they were just a sort of surplus. Soon after I use deepfreeze standard, I did not have to scan system w/ AV ,AT and AS that often, and also cut down disk/registry cleanning task by a lot. Simply to say this, it make my house(PC) cleanning chores much easier, and more comfortable.And Adding a good sense of security.

 

yeah i saw that posted on the forums somewhere but i think his tests and results are screwy.

 

I created a kind of sandbox myself as you can see in my signature.
I didn't do any serious tests yet due to lack of time, but I will in the future.
I hope it works.

 

And what about sandboxie?

 

Hi zopzop, thanks for the tests.
BTW, as u are using GesWall, how u compare it to GW in regards ease of use,
resourse uses and any advanced options etc.

 

hello aigle. virtual sandbox 1.0 :

• is very easy to use. set and forget
• it uses up more ran than geswall but ONLY IF you are running the virtual sandbox explorer (which you don't need to run at all if you dont' want too). virtual sandbox explorer let's you see all the files/registry changes/etc.. that would have taken place/been created on your machine had they not been sandboxed. it's a cool feature.
• since 1.0 is the freeware version of virtual sandbox it's missing features found in the pay version 2.0 (just like geswall personal vs geswall server).

overall it seems like a nice product but they need to improve it more. the fact that martin's keylogger isn't being stopped and that programs inside the sandbox can disable programs running outside the sandbox must be looked into. in fairness i emailed their tech support and am waiting for an answer. also i have yet to run the killdisk test. i'm too scared. anyone up for it?

 

The page says it cannot even pass the malware isolation test.
This product is a sandboxing application, so this result is disappointing.

 

I prefer SandBoxie and BufferZone.
It appears GreenBorder is just for Internet, and it has compatilibility issues with other security products.

 

That is correct. In the very beginning GreenBorder only seemed to work with MS Applications. Meanwhile alot has been improved, but there are still issues with 3th party softwares. I ditched it, too much time for me to report issues.

 

I'm still looking for a powerful sandboxing application.
So far, it seems every sandboxing application is still in its infancy stage.

 

Comes close to my favorite saying about softwares :
"What I don't want, I find everywhere, what I really want, I can't find anywhere."

 

no offense to the guy that ran those tests, but i don't think he's correct (infact i think he's wrong by a long shot). i've visited p0rn and warez sites notorious for driveby installs (i can't mention them here) while using IE inside virtual sandbox 1.0, and nothing so far escaped the sandbox (spyfalcon, coolweb search, and spyware quake to name a few).

 

None that you know of.

 

Hi zopzop, I tested KillDisk virus with VS, it stopped the virus dead.

 

BTW, I wonder how u were able to run any exe files in VS. In my experience it is very aggressive type of sandboxI tried so many spyware installers but all failed to even execute in VS with error messages.

I was not able to run any of them. Just see the example of Martin,s Keylogger.

 

thanks for that aigle. i'm a little amazed by your martin's keylogger test. i downloaded it and it ran fine inside virtual sandbox. what was your test setup? all i had was winxp sp2 with no antivirus/antispyware/antikeylogger/geswall etc... running in the background.

 

I tried on XP Home SP2 alongwith Antivir( guard disabled) and Comodo. Of couse I uninstalled GeSWall, and also snooppfree( it was causing lock ups if i try to go to virtual desktop).

To be clear I was not able to run even a single exe file inside virtual sandbox with similar errors. I tried about 15 or more of spyware installers/ keylogger and none of them was able to run/ install at all itself inside sandbox. On the contrary already installed software like Opera, FF, IE etc ran fine inside VS with some loss of functionality( that was of course a price of aggressive sandboxing).
My conclusion is that Unlike sandboxie, u can,t install any software inside VS.
I still wonder how you were able to run exe files inside it, i tried my best and failed.

 

Hi zopzop, I think u might need to re-check ur results. If ever u run again, pls post a snapshot of malware installed and running inside sandbox.
The only way I can run them inside sandbox is to install them out of sandbox and then run inside sandbox from installed software but that makes no sense.

It seems a very aggressive sandboxing to me. It is like IE with ofcourse mush user friendly and feature-rich interface but functionality is much reduced as compared to Sandboxie. I remember I was able to install and run some software inside sandboxie but not inside VS.
BTW, if they impropve it, it will be my first chice as I found that it is very configurable and has lot of nicec feature, a real sanboxing HIPS.