
Sandbox & Virtualization HIPS



#1 CogitoErgoSum


Posted 20 July 2006 - 03:38 PM

The past six and a half months have truly convinced me that a host intrusion prevention system (HIPS) that employs non-admin./limited user, sandboxing and virtualization technologies is the ultimate security setup for malware prevention alongside an antivirus and firewall. The links posted below explain or demonstrate the virtue of a non-admin./limited user account.

http://blogs.msdn.co.../17/157962.aspx
http://blogs.msdn.co.../25/166039.aspx
http://eweek.com/art...,1891447,00.asp

In an objective and open-minded fashion I have posted links below to current HIPS that incorporate some or all of the above-mentioned technologies.

DefenseWall - http://www.softsphere.com/
BufferZone SAE/Home/Pro - http://www.trustware.com/
GreenBorder - http://greenborder.com/
Virtual Sandbox - http://www.fortresgr...cts/vsb/vsb.htm
VELite - http://www.secureol.com/
SandBoxie - http://sandboxie.com/
RunSafe - http://www.runsafe.com/
1-Defender - http://amustsoft.com/1-defender/

Out of the eight, for whatever reason, my sole experience is with DefenseWall. Interestingly, I found out about DW at both CastleCops - http://www.castlecop...efensewall.html and Wilders - http://wilderssecuri...ght=defensewall. It is my opinion that DW is the most effective and refined example of this kind of software at any price. In addition to being both simple and easy to use, it uses a relatively modest amount of resources. Ilya Rabinovich, DW's creator, provides excellent customer and technical support and timely program updates and fixes. I have provided links regarding DW below that may be of interest to you.

DefenseWall Test - http://security.over...le-3030160.html
DefenseWall Support Forums - http://gladiator-ant...p?showforum=192

Peace & Love,

CogitoErgoSum

Edited by CogitoErgoSum, 24 July 2006 - 01:36 PM.


#2 tsitraveler


Posted 21 July 2006 - 10:58 AM

Seems like a blatant DefenseWall advertisement, first post and all. Oh well.

Sounds like the product has some effectiveness; looks good in canned tests. However, it doesn't do well in real world situations:

http://security.over...le-2907976.html

I don't write code, so I won't pretend to understand the nuances of HIPS. What I do get is, there are some well-known methods used by malware writers that simply aren't addressed by DefenseWall. Follow that link, and you'll see examples of this.

DefenseWall failed against about half the real-world threats it was tested against.

Next?

#3 CogitoErgoSum


Posted 21 July 2006 - 03:40 PM

tsitraveler,

In defense of DefenseWall, I would like to make three points. First of all, keep in mind that version 1.40 was evaluated by both Kereldjag and nicM in this test and not the latest version 1.61. FYI, there have been eight program updates since v1.40. Secondly, this test was helpful in providing clues to Ilya Rabinovich in the form of program updates and refinements to address weaknesses which were subsequently implemented in versions 1.50-1.61. Lastly, some of the tests that DW fails are best addressed by a firewall.


Peace & Love,

CogitoErgoSum

#4 CogitoErgoSum


Posted 22 July 2006 - 09:04 AM

tsitraveler,

Contrary to what you may believe, DefenseWall has successfully passed all the real-world tests but some backdoors (it is a firewall's job to control network connections and traffic). Regarding the "failed" tests, you should read the test headers very carefully. These tests are for exploit prevention and not for malware. DW doesn't provide protection from exploits; it protects against the resulting consequences (i.e., the malware itself).


Peace & Love,

CogitoErgoSum

#5 nargd


Posted 28 July 2006 - 10:45 AM

Personally, I use GreenBorder. I find it very effective. My only complaint is that it does slow the Firefox browser down a bit. :techsupport:
There once was a bat named Splat. The reason Splat was named Splat was because he always smacked into windows. Anyway this story starts where Splat goes on vacation but forgets his dentures. Anywho he . . .
