Playing with SandBox HIPS

Discussion in 'sandboxing & virtualization' started by aigle, Sep 29, 2006.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    DefenseWall is 1.70 now.
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I always advize close all untrusted processes before go online banking or online puchase process. It is more then enought for DefenseWall...
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    I am not sure that this test will play good gere as there is virtialization so inspite of failed test, infact test will be passed.
    BTW, GesWall stops test 2 nicely. Very nice to see hundreds of policy violations stopped notifications with latese GesWall beta during this test.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan

    SandBoxie tested now,

    It failed against Kill method 12.
    And ailed against all KeyLogger methods but the log file was contained inside SandBox anyway.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    DarkSpy and IceSword failed to initialize in SandBoxie as well.
     
    Last edited: Oct 2, 2006
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Now that is a totally new information for me!!
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    While running out of BZ, DarkSpy was not able to kill ClnSvc.exe of Bufferzone normally but forced method killed it. IceSword was able to kill while running outside..
     
  8. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    Re: Playing with SandBox HIPS-- TESTING WITH APT


    Are there any product that can block this? Does PGs global block?
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    I don,t think so. Coming version of Online Armor may be? However it is just my guess as I am not expert. Hopefully someone will correct me if I am wrong.
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    I don't think so.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I also played with these 2 leaktests in my new security setup.
    http://syssafety.com/leaktests.html
    Prevx1 blocked both and my frozen snapshot removed both leaktests.
    Are there any stronger leaktests to play with ?
     
  12. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    Re: Playing with SandBox HIPS-- TESTING WITH APT


    Thanks
     
  13. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    hi,

    Aigle,

    You said:
    This is the answer I got from BZ Team:
     
  14. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Blocked them by not allowing to execute the exe file or blocking the logging?

    spt.exe:
    I allowed to execute the spt.exe file with Neova everytime i was asked and spt.exe could not kill Neoava Guard at the end with any method.
    keylogger.exe:
    Neoava Guard failed to block the logging itself of the keylogger after i aloud to execute the exe file.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Thanks for that.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    When I tried to run both malwares, Prevx1 showed a popup window with "Blocked" and that's what I expected.
    I'm not really familiar yet with Prevx1, I have it installed permanently since yesterday.

    According my Prevx1-settings,
    - I block "Unknown Programs"
    - I block "Caution Programs"

    Of course these tests don't tell me much. Visiting the most dangerous websites on the net without a frozen snapshot during a very long period, would be a better test IMO. :)
     
  17. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    The deal in this testing szenario is to allow this programs to execute, and let them go one with there malicious work. Stopping an unknow program from executing should do every better HIPS, but preventing that this application is doing his malicious work is an other thing.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I assume that blocking = stopping the execution of malwares. If that is not true, I don't need Prevx1. I'm looking for softwares that STOP or PREVENT the execution.
     
  19. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Generally you are 100% right, but as i told before the testing scenario in this case is different, meaning to discover if the here tested HIPS are immun against several 'killing methods' which other undetected malicious programs can use. For that you need to allow the execution - in this case spt.exe - of the used testing application. Execute it with the different parameters to see if it can kill the prevx1 process. This way you can dicover if prevx1 itself is immun against this kind of attacks.
    Same for the keylogger, allow the process so that you can see if prevx1 can intercept the logging itself.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK, but I'm just an average user and I don't know much about malwares and internet. So I have to trust these softwares, because I don't have the knowledge to control them and I'm not going to spend the rest of my life to become a malware expert and it has nothing to do with my job either.

    If the execution is done completely or partial, I have bad luck, but I will remove them completely during the next reboot with a frozen snapshot.
    There is no other way for a newbie like me, because I don't have the knowledge to do better. :)
     
  21. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    OA2 will detect this.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    I totally agree here. Blocking the execution of these kills the purpose of these tests itself.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Re: Playing with SandBox HIPS-- TESTING WITH APT

    Thanks. I read it before but was really waiting for u to post it here.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan

    Tried with latest version. Ran SPT from command prompt as untrusted and tried to kill Process explorer running as trusted.

    SPT Kill method 12 -- DW failed and Process Explorer was terminated.
    method 14 --- DW failed, Process Explorer was terminated and very strange that after that DW lost its protection/ ot at least GUI part, not sure exactly . Closed and restarted DW, message came--

    Driver could ne be initialized properly.

    It was fixed only on reboot. Tried two times with same results. Seems some bug here.

    Method 16 -- Process Explore was killed though SPT reprted wrongly that termination failed.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, that is what housewives do : testing, analyzing and watching how malwares do their evil job step by step. LOL.
    Millions of users, including me, just want to get rid of malwares.
    You both are just looking at malwares from a different angle.

    I've been a member for one year at SWI and all these qualified helpers are addicted to solving HijackThis Logs like solving crossword puzzles, until they are blushed out and give up, because this a tiresome and unpaid job.

    You can blame the bad guys alot of things, but they gave alot of people hobbies, work and food on the table. They changed the whole world wide web and created an entire billion dollar industry of malwares and anti-malwares.

    And what is the final result of all this : NOTHING, but we wasted alot of time, talent and money.
    Malware + Anti-Malware = nothing. I have a healthy PC, it gets infected, I spend my time on cleaning it and I get the very same PC back. That's absurd, what did I do all that time to get something back, I already had and lots of users world-wide are wasting their time on ... nothing.

    Alot of things change, when you look at it from a different angle and it also depends on which side you are. :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.