Which is the most stable sandbox program?

Which of the programs that are out is the most stable to date? Is it bufferzone, defensewall, geswall, or other? I don't mind testing it out just as long as you can minimize which one is working better and not conflicting with other active software.

dja2k

 

The only way to find out, that it is stable or not, is using it on your own computer. Isn't that common for all softwares ?

My main concern with these softwares is this and I quote from :
http://www.trustware.com/products_home.php

If I read this, it SEEMS I don't need any AV/AS/AT/AK-scanners anymore and that would be GREAT for me, because I don't like/trust any scanner for many reasons.
But is it TRUE or is it just a statement to sell BufferZone better.

For a less-knowledgeable user like me, there is only one simple way to find out :
I would use BufferZone as my MAIN protection and then run the best scanners to verify the reliability of BufferZone.
If these scanners find one or more threats, it would prove that BufferZone isn't reliable enough.
If these scanners don't find anything, I could assume, that BufferZone does the same job as all these scanners.
BufferZone isn't as popular as all these scanners and I don't know the reason why and for what purpose other people are using BufferZone.

The same counts for DefenseWall, GesWall, ... are they really an alternative for scanners or NOT

 

Different programs are going to have different compatibility issues. What's most stable on my machine may not be what's most stable on yours. Like Erik says, the only way to really know for sure is to try it out.

Defense in-depth (a.k.a. layered) is always best, no matter what app you're talking about. After all, maybe you get something that installs without a trace.. there's no sign of any problem in the sandbox, so you decide to move it out so it will be permanently installed and protected from things inside the sandbox...

 

Hi Erik

Just a correction on your concept of BZ. It doesn't stop spyware, or any other software from installing onto your computer (so your antivirus scanners would still pick spyware up). What BZ does is stop spyware etc from working.

Basically when you install it, anything on your computer at that time is marked as 'trusted' (actually, the home version doesn't your existing files...it just marks anything new).

Anything new that comes onto your computer gets marked 'untrusted' and goes into a virtual sandbox (unless you manually release it into the 'trusted' zone).

Things like web browsers, IM's etc run as untrusted...and anything untrusted that creates a new file...the new file is also untrusted.

Untrusted items have many restrictions placed on what they can and can't do (I don't recall all the restrictions - the site lists a number of them), and those programs have their own virtual registry <this virtual registry doesn't autostart at windows startup>...this means that any programs requiring registry access to work can still work <which you need for legit programs in the bufferzone>...but...on the other hand...programs requiring drivers won't work in BZ's virtual zone (last I knew of - I havent looked at it for a while now, and there's been a lot of development on it)

Hope it clarifies BZ some.

 

I like that expression in bold, because that's what I might need in my new security setup.
Well, I've time enough to figure it out.

 

It may or may not stop it from working (depending on which one you use), but it certainly won't be able to take hold in your system. If you couple it with one like DropMyRights it will have a much better chance of stopping it from working.

 

Defensewall is very stable, but my PC hanged during use of new Rollback function. It seemed to be fixed until I updated to Outpost 3.51 a couple of days ago and there seems to be a conflict between the two.
This is only what I believe - Ilya is looking in to it and meanwhile I run with Windows FW - everything including DWs Rollback works fine with this setup - made my PC surf faster and I got the same result at Security Space "No Risk Audit" as I do with OP, so I guess I am all good.

I cant compare to others cause I have only used DW and will stick to it until it fails me.

Whats protection? I would say; damage control.
If my PC is protected from damage - thats what I want, but I also do not want viruses active in the sandbox to spread to my friends computer, so I use a free AV as a complement to DW.

Being an amateur enduser I still strongly believe these sandbox solutions to be the best protection against "0-day" malware or malware that arent - and never will be - in your AVs signature base.
I have used Norton - at work - all updated and got infected due to that they updated so seldom - that is possibly better now - I dont know. Ive used AVG and got infected - no surprise according to some.

DW will close these "windows of oppurtunity" for malware - at least thats what I believe.

Best Regards

 

Were you infected BEFORE using DW or AFTER using DW?

 

Is defensewall more customizable to exclude folders cause if I remenber correctly to fix the problem with suck programs messing up Firefox and your profile, you had to exclude the profile folder. I might be wrong so I don't really know. I tried Geswall already , but it would freeze my system after firefox would close every time. So Geswall is out of my list and on to Defensewall. I don't know about this , but does security software work will your in the sandbox. The reason I as is I am currious if programs like socketshield works while you are browsing in the sandbox.

dja2k

 

I have not been infected after using DW (5months now?), but that doesnt say very much because I am normally a "safe surfer" and very seldom my protection catches viruses and of course even more seldom I get infected.

DW will be tested during spring/summer and that will be very interesting to follow.

But there will still be different opinions on what is protection.

I have a friend who got a fairly harmless trojan and he asked me what to do and we ran Ewido and removed it. I then suggested he should use DW since it should deactivate such a trojan at reboot.
Sadly I did not manage to explain the difference between a malware being active in the sandbox but not being able to damage your computer to being malware-infected the way everybody thinks about when we talk about malware-infections - something that damages your computer or at least compromises your privacy and is still active after reboot.

So it might be a pedagogic challenge explain the function of ie DW - and the difference to other antimalwaresoftware - to ordinary enduser - I know I wasnt succesful.
I felt like someone trying to explain the basics of how a car works to someone who, when you ask them what kind of car the have, answers; a red one!
Just a confrimation that they are not interested - it shall only do its work cars and computers the same.

Something that protects you but under certain circumstances allows malware to spread from your PCs sandbox to your friends PCs - is that good protection?

Best Regards

 

Hello,
Blaming AVG for your infection is like blaming your car for a car accident. The car did not crash - you did. And so your anti-virus, in that regard, failed your user abilities.
Mrk

 

I am not sure I fully understand you.
An updated antivirus that lets a virus through - is that success or failiure?

Best Regards

 

It's definitely a failure and a big disappointment for newbies, who thought their computer would be virus-free forever after buying an AV.

 

Does anyone know where I can learn more on the logic and how defensewall works in a computer enviornment. I Have defenswall trial installed and it is working without problems, but I am still wondering how its working. I understand that how to use it like firefox for example is in the untrusted list (I liked that it installed my profile and plugins to go along in the untrusted program liste) and I can see that in the header, but what happens when I download a file? I can see the file after I close firefox, does that mean that file was sent to a trusted enviornment and I can run it like normal? Also if I put my p2p programs in the untrusted list, will I be able to recover the downloaded files after the download is finished and the p2p programs is turned off? I might be wrong on this, but my security software is not actively protecting programs in the untrusted list right since they are inside the defensewall. If I have online armor installed and I run firefox, the webshield in OA won't really work correctly or would it? Any answers and help would be appriciated.

dja2k

 

Hi Dja2k,

I guess Ilya is pest placed to answer. I will nevertheless try one:

Everything works on the idee of inheritance. If an untrusted prog creates (or download, basically the same) another prog, DW intercepts the action and "flags" the new created prog as untrusted (because his "father" is untrusted).

So you end up in your system with a collection of untrusted files.

The second thing is that DW has set up different rules applying to files wether they are trusted or not. For example, untrusted files do not have the right to modify, add or delete some registry keys, or simply files and programs. Furthermore autostart capabilities are disable for these untrusted files.

So based on this idee, you can safely run a malware, as long as it is untrusted or created by an untrusted prog. Any action which is not allowed by the rule set will be simply denied.

Regards

 

Yes. Or you can right click on the file and "run as Untrusted". If you choose to open a file directly from firefox (assuming FF is untrusted) - the file will be opened/run as untrusted automatically.

Yes you will. DW does not use a Virtual file system - all the files are live and real, just limited in what they can do if they are "untrusted".

 

toadbee,

a litlle correction, if I may:

Not right. Even with a virtual file system, untrusted files are still live and real. They are just emulated in a virtual environment with limitations (as in BZ). And you can run them either the parent process is turned off or not.

 

Hi BZ -

I'm not sure what you mean by "not right" - I'm referring to Defensewall (DW) only.

 

I know toadbee,

I was answering to this:

And I said, it is not because files are handled in a virtual file system that they are not "live" nor "real".

Sorry if I hurt you.

BTW, my login is BZJet, not BZ I take this opportunity to say that I am in no way linked to BZ whatsoever (in case you tried to be a little nasty ). I am just testing it and Jetico on my computer.

 

Thanks for clarrifying that about Defensewall. Anyways, the defualt list is what I am using, don't know if you guys add some other files or delete any of the defaults.

dja2k

 

Does anyone know if any of the aforementioned sandbox programs will protect against IE exploits like the latest "Arbitrary Content Disclosure Vulnerability". A test had been created by Secunia for it at http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

Thanks,
Lu Chin

 

Lu_chin,

The aforementioned sandbox programs will not protect against IE exploits like the latest "Arbitrary Content Disclosure Vulnerability". They will protect against the consequences of it.

In your scenario, IE runs untrusted under DW for example, and you browse a page wit this kind of expoit. So IE is going to run the arbitrary code (as a child, this running code is untrusted), which can not do more harm than the rule set allows to do.

 

The exploit described by Lu Chin can be stopped by not allowing active scripting in IE - right? What will that do to my surfing?

From a users point of view - I do not understand all the tech stuff -
when I shall go banking I always hit DWs "BIG RED" first whichs "kills" all active untrusted processes and then I start IE new and surf directly to my bank - would that protect me from that exploit? Even if I have active scripting allowed in IE?
I do this because DW has not - yet - any warning system whats going on in the untrusted zone.

DW handles downloaded files differently depending on wether you run in expert mode or not - right? Could someone explain the difference?

Best Regards

 

dja2k!

Are you using Outpost 3.51 with DW 1.55? If so - have you experienced any problems?

I had problems that I thought was due to OP 3.51 so now I am back on OP 3.0.

Best Regards

 

First of all- there is no virtualization for the file system, because DefenseWal is desined to be as simple in use as possible. So, you don't need to recover anything. Now, if you download an executable, interpretated or archive file with your browser (or P2P client, wherever), it will be automatically added (in case you are not in the expert mode) into the untrusted list. So, in the case of executable/interpretated file, now you can run it with Explorer or your favourite file manager- it will be runed as untrusted. In the case of the archive file, DefenseWall tracks extraction process with build-in Windows XP unzip utility or when you use external unachive utility with double-click on the archive file.

There is build-in list of the untrusted applications which will be grow in the future. If you don't find something you need to be runed as untrusted- add it manually.