Which is the most stable sandbox program?

Discussion in 'other anti-malware software' started by dja2k, May 3, 2006.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Which of the programs that are out is the most stable to date? Is it BufferZone, DefenseWall, GesWall, or another? I don't mind testing it out, just as long as you can minimize which one is working better and not conflicting with other active software.

    dja2k
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The only way to find out whether it is stable or not is to use it on your own computer. Isn't that common for all software?

    My main concern with these softwares is this, and I quote from:
    http://www.trustware.com/products_home.php
    If I read this, it SEEMS I don't need any AV/AS/AT/AK-scanners anymore and that would be GREAT for me, because I don't like/trust any scanner for many reasons.
    But is it TRUE or is it just a statement to sell BufferZone better?

    For a less-knowledgeable user like me, there is only one simple way to find out:
    I would use BufferZone as my MAIN protection and then run the best scanners to verify the reliability of BufferZone.
    If these scanners find one or more threats, it would prove that BufferZone isn't reliable enough.
    If these scanners don't find anything, I could assume that BufferZone does the same job as all these scanners.
    BufferZone isn't as popular as all these scanners and I don't know the reason why, or for what purpose other people are using BufferZone.

    The same goes for DefenseWall, GesWall, ... are they really an alternative to scanners or NOT o_O
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Different programs are going to have different compatibility issues. What's most stable on my machine may not be what's most stable on yours. Like Erik says, the only way to really know for sure is to try it out.

    Defense in-depth (a.k.a. layered) is always best, no matter what app you're talking about. After all, maybe you get something that installs without a trace... there's no sign of any problem in the sandbox, so you decide to move it out so it will be permanently installed and protected from things inside the sandbox...
     
  4. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Erik

    Just a correction on your concept of BZ. It doesn't stop spyware, or any other software, from installing onto your computer (so your antivirus scanners would still pick spyware up). What BZ does is stop spyware etc. from working.

    Basically, when you install it, anything on your computer at that time is marked as 'trusted' (actually, the home version doesn't mark your existing files...it just marks anything new).

    Anything new that comes onto your computer gets marked 'untrusted' and goes into a virtual sandbox (unless you manually release it into the 'trusted' zone).

    Things like web browsers, IMs etc. run as untrusted...and if anything untrusted creates a new file...the new file is also untrusted.

    Untrusted items have many restrictions placed on what they can and can't do (I don't recall all the restrictions - the site lists a number of them), and those programs have their own virtual registry <this virtual registry doesn't autostart at Windows startup>...this means that any programs requiring registry access to work can still work <which you need for legit programs in the BufferZone>...but...on the other hand...programs requiring drivers won't work in BZ's virtual zone (last I knew of - I haven't looked at it for a while now, and there's been a lot of development on it).

    Hope it clarifies BZ some.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I like that expression in bold, because that's what I might need in my new security setup.
    Well, I've time enough to figure it out. ;)
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It may or may not stop it from working (depending on which one you use), but it certainly won't be able to take hold in your system. If you couple it with one like DropMyRights it will have a much better chance of stopping it from working.
     
  7. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    DefenseWall is very stable, but my PC hung during use of the new Rollback function. It seemed to be fixed until I updated to Outpost 3.51 a couple of days ago, and there seems to be a conflict between the two.
    This is only what I believe - Ilya is looking into it and meanwhile I run with Windows FW - everything including DW's Rollback works fine with this setup - made my PC surf faster and I got the same result at Security Space "No Risk Audit" as I do with OP, so I guess I am all good.

    I can't compare to others because I have only used DW and will stick to it until it fails me.

    What's protection? I would say: damage control.
    If my PC is protected from damage - that's what I want, but I also do not want viruses active in the sandbox to spread to my friends' computers, so I use a free AV as a complement to DW.

    Being an amateur end user I still strongly believe these sandbox solutions to be the best protection against "0-day" malware or malware that isn't - and never will be - in your AV's signature base.
    I have used Norton - at work - all updated and got infected due to the fact that they updated so seldom - that is possibly better now - I don't know. I've used AVG and got infected - no surprise according to some.

    DW will close these "windows of opportunity" for malware - at least that's what I believe.

    Best Regards
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Were you infected BEFORE using DW or AFTER using DW?
     
  9. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Is DefenseWall more customizable to exclude folders? Because if I remember correctly, to fix the problem with such programs messing up Firefox and your profile, you had to exclude the profile folder. I might be wrong so I don't really know. I tried GesWall already, but it would freeze my system after Firefox closed every time. So GesWall is out of my list and on to DefenseWall. I don't know about this, but does security software work while you're in the sandbox? The reason I ask is I am curious if programs like SocketShield work while you are browsing in the sandbox.

    dja2k
     
  10. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I have not been infected after using DW (5 months now?), but that doesn't say very much because I am normally a "safe surfer"; very seldom does my protection catch viruses and of course even more seldom do I get infected.

    DW will be tested during spring/summer and that will be very interesting to follow.

    But there will still be different opinions on what is protection.

    I have a friend who got a fairly harmless trojan and he asked me what to do, and we ran Ewido and removed it. I then suggested he should use DW since it should deactivate such a trojan at reboot.
    Sadly I did not manage to explain the difference between malware being active in the sandbox but not being able to damage your computer, and being malware-infected the way everybody thinks about it when we talk about malware infections - something that damages your computer or at least compromises your privacy and is still active after reboot.

    So it might be a pedagogic challenge to explain the function of, e.g., DW - and the difference from other anti-malware software - to the ordinary end user - I know I wasn't successful.
    I felt like someone trying to explain the basics of how a car works to someone who, when you ask them what kind of car they have, answers: a red one!
    Just a confirmation that they are not interested - it shall only do its work, cars and computers the same.

    Something that protects you but under certain circumstances allows malware to spread from your PCs sandbox to your friends PCs - is that good protection?

    Best Regards
     
    Last edited: May 4, 2006
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    Blaming AVG for your infection is like blaming your car for a car accident. The car did not crash - you did. And so your anti-virus, in that regard, failed your user abilities.
    Mrk
     
  12. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I am not sure I fully understand you.
    An updated antivirus that lets a virus through - is that success or failure?

    Best Regards
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    It's definitely a failure and a big disappointment for newbies, who thought their computer would be virus-free forever after buying an AV. :)
     
  14. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Does anyone know where I can learn more on the logic and how DefenseWall works in a computer environment? I have the DefenseWall trial installed and it is working without problems, but I am still wondering how it's working. I understand how to use it; Firefox, for example, is in the untrusted list (I liked that it installed my profile and plugins to go along in the untrusted program list) and I can see that in the header, but what happens when I download a file? I can see the file after I close Firefox; does that mean that file was sent to a trusted environment and I can run it like normal? Also, if I put my P2P programs in the untrusted list, will I be able to recover the downloaded files after the download is finished and the P2P program is turned off? I might be wrong on this, but my security software is not actively protecting programs in the untrusted list, right, since they are inside the DefenseWall? If I have Online Armor installed and I run Firefox, the webshield in OA won't really work correctly, or would it? Any answers and help would be appreciated.

    dja2k
     
  15. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Hi Dja2k,

    I guess Ilya is best placed to answer. I will nevertheless try:

    Everything works on the idea of inheritance. If an untrusted prog creates (or downloads, basically the same) another prog, DW intercepts the action and "flags" the newly created prog as untrusted (because its "father" is untrusted).

    So you end up in your system with a collection of untrusted files.

    The second thing is that DW has set up different rules applying to files whether they are trusted or not. For example, untrusted files do not have the right to modify, add or delete some registry keys, or simply files and programs. Furthermore, autostart capabilities are disabled for these untrusted files.

    So based on this idea, you can safely run a malware, as long as it is untrusted or created by an untrusted prog. Any action which is not allowed by the rule set will simply be denied.

    Regards
     
  16. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Yes. Or you can right click on the file and "run as Untrusted". If you choose to open a file directly from firefox (assuming FF is untrusted) - the file will be opened/run as untrusted automatically.


    Yes you will. DW does not use a Virtual file system - all the files are live and real, just limited in what they can do if they are "untrusted".
     
  17. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    toadbee,

    a little correction, if I may:

    Not right. Even with a virtual file system, untrusted files are still live and real. They are just emulated in a virtual environment with limitations (as in BZ). And you can run them whether the parent process is turned off or not.
     
  18. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Hi BZ -

    I'm not sure what you mean by "not right" - I'm referring to Defensewall (DW) only.
     
  19. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I know toadbee,

    I was answering to this:
    And I said, it is not because files are handled in a virtual file system that they are not "live" nor "real".

    Sorry if I hurt you.

    BTW, my login is BZJet, not BZ ;) I take this opportunity to say that I am in no way linked to BZ whatsoever (in case you tried to be a little nasty:p ). I am just testing it and Jetico on my computer.
     
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks for clarifying that about DefenseWall. Anyway, the default list is what I am using; don't know if you guys add some other files or delete any of the defaults.

    dja2k
     
    Last edited: May 5, 2006
  21. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
  22. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Lu_chin,

    The aforementioned sandbox programs will not protect against IE exploits like the latest "Arbitrary Content Disclosure Vulnerability". They will protect against the consequences of it.

    In your scenario, IE runs untrusted under DW, for example, and you browse a page with this kind of exploit. So IE is going to run the arbitrary code (as a child, this running code is untrusted), which cannot do more harm than the rule set allows.
     
  23. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    The exploit described by Lu Chin can be stopped by not allowing active scripting in IE - right? What will that do to my surfing?

    From a user's point of view - I do not understand all the tech stuff -
    when I go banking I always hit DW's "BIG RED" first, which "kills" all active untrusted processes, and then I start IE anew and surf directly to my bank - would that protect me from that exploit? Even if I have active scripting allowed in IE?
    I do this because DW does not - yet - have any warning system for what's going on in the untrusted zone.

    DW handles downloaded files differently depending on whether you run in expert mode or not - right? Could someone explain the difference?

    Best Regards
     
  24. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    dja2k!

    Are you using Outpost 3.51 with DW 1.55? If so - have you experienced any problems?

    I had problems that I thought were due to OP 3.51, so now I am back on OP 3.0.

    Best Regards
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    First of all - there is no virtualization for the file system, because DefenseWall is designed to be as simple in use as possible. So, you don't need to recover anything. Now, if you download an executable, interpreted or archive file with your browser (or P2P client, whatever), it will be automatically added (in case you are not in the expert mode) to the untrusted list. So, in the case of an executable/interpreted file, you can now run it with Explorer or your favourite file manager - it will be run as untrusted. In the case of an archive file, DefenseWall tracks the extraction process with the built-in Windows XP unzip utility or when you use an external unarchive utility with a double-click on the archive file.

    There is a built-in list of untrusted applications which will grow in the future. If you don't find something you need to be run as untrusted - add it manually.
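As an added illustration (not DefenseWall's code, and not from anyone in this thread) of the inheritance model Lucy describes and the download handling Ilya describes, here is a small Python model of a policy-restriction sandbox: a process label is inherited from an untrusted parent or from an untrusted file (such as a browser download), and a rule set denies autostart registry entries and writes to protected locations. The class names, paths and registry keys are constructed stand-ins, and the rule set is deliberately simplified.

```python
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED = "trusted", "untrusted"
# Constructed, simplified stand-ins for the protected resources in the real rule set.
AUTOSTART_KEYS = ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
PROTECTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\")


@dataclass
class Sandbox:
    untrusted_apps: set                          # built-in list of apps that start untrusted
    files: dict = field(default_factory=dict)    # path -> label
    procs: dict = field(default_factory=dict)    # pid -> (image, label)
    denied: list = field(default_factory=list)   # audit trail of blocked actions

    def spawn(self, pid, image, parent=None):
        """Inherit untrusted from the parent; else use the image's file label or the app list."""
        untrusted = (parent is not None and self.procs[parent][1] == UNTRUSTED) \
            or self.files.get(image) == UNTRUSTED \
            or image.rsplit("\\", 1)[-1].lower() in self.untrusted_apps
        self.procs[pid] = (image, UNTRUSTED if untrusted else TRUSTED)
        return self.procs[pid][1]

    def create_file(self, pid, path):
        """A file created or downloaded by a process inherits that process's label."""
        self.files[path] = self.procs[pid][1]
        return self.files[path]

    def request(self, pid, op, target):
        """Rule set: untrusted code may not add autostart keys ('reg') nor modify
        protected directories or trusted files ('write'). Returns True if allowed."""
        if self.procs[pid][1] == UNTRUSTED and (
                (op == "reg" and target in AUTOSTART_KEYS) or
                (op == "write" and (target.startswith(PROTECTED_DIRS)
                                    or self.files.get(target) == TRUSTED))):
            self.denied.append(f"{op} {target}")
            return False
        if op == "write":
            self.files.setdefault(target, self.procs[pid][1])
        return True


def demo():
    sb = Sandbox(untrusted_apps={"firefox.exe"})
    sb.spawn(1, "C:\\Program Files\\Mozilla Firefox\\firefox.exe")  # untrusted via the app list
    sb.create_file(1, "C:\\Downloads\\setup.exe")                  # download inherits untrusted
    sb.spawn(2, "C:\\Downloads\\setup.exe")                        # run from trusted Explorer: still untrusted
    sb.request(2, "reg", AUTOSTART_KEYS[1])                        # denied: no autostart for untrusted
    sb.request(2, "write", "C:\\Windows\\System32\\helper.dll")    # denied: protected directory
    sb.request(2, "write", "C:\\Downloads\\notes.txt")             # allowed; the new file is untrusted
    return sb
```

The `denied` list is the kind of record a user would want surfaced, which matches Rivalen's remark that DW had no warning system for the untrusted zone at the time.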
     