Which? Sandboxie, BufferZone Home or DeepFreeze

Discussion in 'sandboxing & virtualization' started by Dooku, Dec 26, 2006.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: hi, jarmo: The phrase you highlighted simply means this: my box has been attacked by unknown bad-ware; to this day I still have no clue at all, very likely it is a trojan. This is a kind of phrase that every member of this forum wishes not to use or to have. Have a nice one. :)
     
  2. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    For Sandboxie users, there's a beta available for download from their forum. It's beta 2.71.5. Looks like no restrictions on who downloads and uses it. I did, but haven't installed it. Still happy with Bufferzone here.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    For first time users I advise to stick with Sandboxie 2.64 as the 2.7 beta series has quite a few bugs.

    Quote:

    http://www.sandboxie.com/index.php?VersionChanges_2_71

    Released on 28 December 2006.

    * THIS IS A BETA VERSION. There are a few known problems, which are noted towards the end of this page.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642

    hello tobacco. the reason why i switched to geswall from bufferzone is that the folks over at gentlesecurity take their product seriously. apt, spt, martin's keylogger, the keylogger test from the folks at system safety monitor, killdisk, xpkiller, etc. i've thrown all this and more at geswall and it's never let me down once. for example, when i was testing geswall a few months ago vs the spt from the folks that make system safety monitor, geswall failed test 16. i emailed the guys at tech support from gentlesecurity and a fix was issued in 15 minutes! how the heck do you beat that? to my knowledge only geswall and system safety monitor resist all shutdown/kill attempts from both apt (from diamondcss) and spt (from system safety monitor). geswall is also kick@$$ vs keyloggers too! it's just a really really good program that's extremely easy to use.
     
  5. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I have no criticism of geswall. I've never used it and can only go on this test of it and other software. It's been referenced here a number of times, so I'm sure you've seen it. Geswall didn't do very well, but I don't know, or remember, which version was used nor what improvements may have been made to it since then. I made my choice of bufferzone based on the tests.

    http://www.techsupportalert.com/security_virtualization.htm
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @Chuck57

    yeah i've seen the results of that "test". i can't believe that guy didn't correct his page yet. those "tests" were a joke. he didn't understand how geswall worked. for a more professional test by a site that many here respect as nonbiased and professional, see here:
    http://www.av-comparatives.org/

    scroll down to the link "Comparative of various protection tools", it's a pdf file. you'll see that geswall passed all their tests.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I think that Gizmo's methodology doesn't favor GeSWall because:
    - it allows malware to write to the real disk and doesn't have a rollback function that wipes dropped files.
    - it allows malware to read the registry (although a virtual one) and files from the real system.
    - it only denies access to files sited in folders labeled as "Confidential".
    Since GeSWall didn't pass the first test (malware isolated) it wasn't tested further.
    As zopzop said, GeSWall passes all common HIPS tests (keyloggers, termination, DFX threat, etc.) with flying colours.
     
  8. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Thanks zopzop and Lucas. Read the comp org tests and I will trust those more than the others. As I said, I've never used geswall and wasn't criticizing it in any way.

    I made my decision based on the other thing. I expect I'll be trying geswall some day, since I can't seem to stick with anything more than a month. Too many new (to me) softwares to play with. Right now, I'm happy with Bufferzone. I could feel the crazed need to experiment with something else tomorrow.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I think that those tests should be left without changes. Instead, I propose new tests with up-to-date versions and refined methodology.
    I don't think so. I think that the methodology is flawed to a great degree. Kareldjag's tests are more accurate and extensive. In addition, each application is tested individually. I'm really waiting for his thoughts about GeSWall.
    That's my point. GentleSecurity's blog has a record of all tests that GeSWall passes.
    Glad I've informed you. HIPS (especially sandbox/virtualization apps) are a fast-changing scene. Bugs/leaks are quickly fixed, the developers pay attention to their customers and new ways to deal with unknown threats are discovered quite often.
     
    Last edited: Dec 31, 2006
  10. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    And yet in the very next text, he gave DefenseWall the highest marks compared to other non-sandbox HIPS, and the only thing DefenseWall has on GeSWall is the rollback function.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have been using all three: GeSWall Pro paid, DefenseWall paid and Bufferzone free.

    From a user point of view I like them all in this order: BufferZone, DefenseWall, GesWall.

    From a security point of view I prefer DefenseWall, it is an absolute miracle. I have tested it (together with SSM) on several Russian crack sites. No problems encountered. The rollback options are (mostly harmless) registry changes by untrusted applications and untrusted downloaded files. So there is no mystery about that, just check the clean-up centre every now and then (are there downloaded files in it you want to keep, then remove them from the list) and throw all changes away. In release 2 the user interface will be improved (from what I have seen).

    From an architectural point of view I like GeSWall, although the configuration for unknown apps can be difficult. GeSWall uses the Windows security framework: consider GeSWall as a sort of policy manager for Windows Home users which is easier to configure than the Windows Pro policy rights manager (!).

    The reason for not choosing BufferZone (meaning to pay for it) was its slowdown of our home systems (AMD 3900 and AMD 3400). What also was a minor consideration was the story of the contest BufferZone had written out to crack its security. Ilya of DefenseWall was able to crack it in 15 minutes (!).
    I still use the free version on an ultra-fast laptop I use for work when I am not working behind the company's militarised zone (e.g. access point abroad).
    The reason for using BufferZone was that a student of our IT-service manager allowed me to put an extra security application on the company laptop, only he wanted to do this himself and did not want to configure it (again proving the ease of use of BufferZone).


    Setups:
    AMD 3900: Antivir free + CyberHawk free + GeSWall pro paid
    AMD 3400: Antivir free + SSM free + DefenseWall paid
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You are right. In addition, GeSWall virtualizes registry calls and keeps track of objects created by isolated apps.
    That would be manipulation of testing methodologies to favor a certain app. That doesn't prevent the tester from educating himself about the architecture, strengths and weaknesses of the tested products.
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I remember reading the posts somewhere between Ilya and Bufferzone. I don't know about breaking in within 15 minutes. As I recall, he said it wasn't easy, even for him, or words to that effect. But, he did do it and won the $100.

    On the other hand, what software is absolutely, positively, unquestionably, without any shadow of a doubt 100% unbeatable? The only absolute security is never going online and never loading a program into the pc.

    Bufferzone apparently wasn't easy for Ilya to break, by his own words. That of itself says a lot about the product.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    That is why I explicitly mentioned the "story . . . ". I could not check it first hand, but there were so many references that it was a (minor) consideration to me.

    Years ago, before I became a sales director I started in IT. Being part of a sort of development program I did nearly all the jobs (programming, analyst/designer, database admin, network/communication, security, project manager). In the days when mainframe programs were limited to 16 or 64KB, source code of old programs sometimes got lost (stanced/punched cards). To back/reverse engineer a program or break through security took so much more knowledge than to write/program it. I remember it once took me three months to reverse engineer just two bank savings account accumulation control programs (daily security/integrity check and monthly security/integrity check).

    I figured that when the story goes that Ilya broke BufferZone in 15 minutes, it might have been days or weeks. Still, knowing what additional knowledge it takes before a hacker outskills the original programmer, it is a major feat.

    Combined with the fanatic commitment Ilya has to his product and the extraordinarily good results DefenseWall obtained in tests and in my personal test, I put more trust in DefenseWall.

    Rationally, security is all about probability and impact (from the vendor's point of view); emotionally, security is all about fear and trust (from the buyer's/user's point of view).

    That is why I have a personal preference, but also think other products are better alternatives than the ones I have chosen for different types of users and uses. PrevX1 for instance is a very promising approach (combining several easy-to-use security mechanisms), the KIS and NOD AVs are making great extensions to their products, and Comodo firewall (according to this forum) intends to combine behavioral and virtualization protection into its product (besides blacklist and whitelist). I will be watching Comodo closely, because from the architectural point of view, a comms/application firewall already knows what the threat gates of a PC are. Its traffic-analysing capabilities make it the ideal candidate to track down 'bad' behavior. Already Comodo is preventing changed apps from connecting to the network. When it is capable of recognising this, the obvious thing to do is to shift up the detection chain and prevent processes from being changed. The same applies to Coreforce (still in beta) and Blink personal (tested, but rules have to be given per IP address, so for P2P it is pretty useless because you keep on allowing other IPs to connect to your PC).

    Regards and happy new year Kees
     
  15. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Here's the thread, naturally in the last place I looked, trustware's own forum.

    http://www.trustware.com/forum/viewtopic.php?t=99

    There is a mention of another thread in the very first post. Didn't check that one, but read down the posts and found this. Now, I'm not sure if he was talking about it not being simple to break BZ or to replace the ring3 hooks with ring0 hooks.

    This was from Dec 2005, and BZ ver 1.60.xx, by the way. The problem was fixed in ver 1.70.xx.

    Guest (Ilya) said: "2. You see, even if I will publish PoC, it, in fact, will change nothing, because you will have to replace your weak ring3 "protection" module with the ring0 hooks. It was not simple, I may insure you, even for me! Otherwise, I'll be able to publish PoC's on your every beta release!"

    I'll run over and see what he had to say at castlecops, if the link is still good.
     
    Last edited: Jan 1, 2007
  16. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    The free Shadowsurfer with coupon is available only until the end of this month.
     
  17. KDNeese

    KDNeese Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    236
    I tried using Sandboxie but didn't care for it. Also, there are some security issues with sandboxing utilities as well as new malware being created to specifically target sandboxing applications. There is one I haven't seen mentioned here, and that is VMware. It is virtualization software that actually allows you to run another virtual computer (along with another operating system) that remains separate from your PC. For example, although I have an XP machine, I am running Ubuntu Linux as I type this on a separate virtual computer. I only have 512MB of memory and VMware runs smooth as silk. Running Linux, you are not vulnerable to the malware that targets Windows computers. And, since the Linux virtual system is separate from my XP machine, even if it were to get infected with malware that targets Linux, I can discard my changes and start over, much like an actual sandboxing application. If you would be interested in looking at this app, you can find it at the following URL, which is the link to VMware's free products:

    http://www.vmware.com/products/free_virtualization.html

    Also, there is a lot of documentation available for VMware Player and VMware Server if you want to do some advanced things with the program or install a completely new operating system that will be separate from your host Windows system. Plus, the free open source software provided with the programs is astounding. I would really encourage you to check it out. It's pretty awesome stuff. There are some good threads available here at Wilders if you wanted to research it further:

    https://www.wilderssecurity.com/showthread.php?t=157504&highlight=VMWare

    https://www.wilderssecurity.com/showthread.php?t=144042&highlight=VMPlayer

    https://www.wilderssecurity.com/showthread.php?t=146910&highlight=VMPlayer

    https://www.wilderssecurity.com/showthread.php?t=106452&highlight=VMPlayer

    There are many more threads - I've only included a few I found at random.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Can you give me links that mention those issues, and the malware that targets sandboxes (and breaks them, I assume)?
    Nothing is bulletproof, but I'd sure like to see that.
     
  19. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    715
    Location:
    Blasters worm farm
    Yep, let's see them... o_O?
     