Author Topic: BufferZone and other virtual machine like safe program executors  (Read 14916 times)

mouser

Can someone reply to this post with links to the other posts on the forum where we talked about similar programs... their names escape me at the moment.

Trustware(TM) Patent Pending BufferZone virtualization technology provides you with an easy to use solution, it allows you to safely run any software from any source with the confidence that BufferZone will continue to safe keep your PC assets. BufferZone provides you with a complete protection against both known and unknown Viruses, Spyware and Malware on a continuous basis with no need for any updates.

from osnews.com
« Last Edit: July 19, 2006, 02:56 AM by mouser »

Rover

Re: BufferZone - virtual machine like safe program executor
« Reply #1 on: July 18, 2006, 06:33 PM »
As requested:
Another interesting option is to use a sandbox tool, for example the free Sandboxie.

Once an app is run through Sandboxie, all disk & registry access goes through a transient temporary area.
That is, if you run Notepad through Sandboxie, open a file, modify and save it, that file will be modified for that Notepad instance, but the "real" file (outside the sandbox) will remain intact.

You could also run a virus through it, without worrying about it infecting/modifying the registry or any files, so it comes in handy if you need to run some EXE that you don't trust too much.

Topic: better than using an uninstaller? Altiris SVS
https://www.donation...76.msg22102#msg22102
This is nice if you test many new apps a day. It does not change your system, as all the changes are captured in the virtualization layer. I guess it is safer than writing to the registry etc. and then undoing the changes (using e.g. Your Uninstaller 2006). It's kind of like UT3 but clearer (to me).

Insert Brilliant Sig line here

mouser

Re: BufferZone - virtual machine like safe program executor
« Reply #2 on: July 19, 2006, 02:56 AM »
thanks rover.

also let's add to the collection:
http://greenborder.com/

This also seems to be specialized for Internet Explorer.

tomos

Has anyone tried runasadmin, that is, RunAsAdmin Explorer Shim?

available from Sourceforge
https://sourceforge..../projects/runasadmin

I tried it myself a while back & had some problems with my machine, but I was pretty sure afterwards they were to do with something else.

As far as I remember everything runs as a user (?- NOT as administrator) unless you dictate otherwise, but I think there were various options\settings.

They have a new beta out I might give it a go - just got DSL\broadband\cable whatever you call it & find it a bit scary being simply connected all the time.

Tom

mouser

Truth be told I'm wary of all of these executable-wrapper protection tools, and prefer using a full virtual machine tool like VMware or VirtualPC.

f0dder

Truth be told I'm wary of all of these executable-wrapper protection tools, and prefer using a full virtual machine tool like VMware or VirtualPC.
Yeah, it's more secure. Anything based on API hooking shouldn't be too hard to circumvent. BufferZone does sound a bit interesting, though, in that it uses a kernel-mode filter driver instead of simple ring3 API hooking.
- carpe noctem

Curt

Re: BufferZone and other virtual machine like safe program executors
« Reply #6 on: August 24, 2007, 10:02 AM »
BufferZone PRO is the GiveAwayOfTheDay today, Friday 24th of August 2007.

justice

Re: BufferZone and other virtual machine like safe program executors
« Reply #7 on: August 24, 2007, 10:08 AM »
You should try some of the tools listed at http://nonadmin.editme.com/UsefulTools
for example DropMyRights can run applications as a Limited User.
Not the same as a sandbox, but using a limited and restricted Windows account, spyware can't infect either.

Lusher

Re: BufferZone and other virtual machine like safe program executors
« Reply #8 on: August 24, 2007, 11:04 AM »
Besides full-blown virtual machines (VirtualPC, VMware Server is free) there are application-level virtualization sandboxes.

Sandboxie is perhaps the most famous - http://www.sandboxie.com/

A recent new entry is SafeSpace (beta/freeware) - http://www.artificia...gister-personal.aspx

BufferZone has already been mentioned (freeware for a single app); GreenBorder has been sold to Google and might be released free in the future.

Another lesser-known one is Virtual Sandbox - http://www.fortresgrand.com/

There's also http://www.vappware.com/vapp/ but I don't recommend it.

There are other sandboxes that are "policy control type sandboxes": they don't virtualize the file system but just sandbox programs and prevent them from carrying out certain potentially dangerous actions.

Popular examples are

GeSWall (free version), Coreforce (free), Defensewall, DriveSentry (free) etc

http://www.gentlesec....com/getstarted.html
http://www.drivesentry.com/index.htm
http://force.coresec...se&page=download

Next there are apps that use Windows' own built-in policy management. They either make it easier to run all the time in non-admin accounts (Sudown) or conversely run selected programs like browsers with restricted rights (DropMyRights).

http://sudown.sourceforge.net/
http://cybercoyote.o.../security/drop.shtml

There's also Altiris Software Virtualization Solution (free) - http://www.svsdownloads.com/ which I don't know how to classify, but that one isn't meant as a sandbox / for security purposes.

Lastly there is Returnil (free), PowerShadow, ShadowSurfer, FirstDefense, Rollback Rx, Windows SteadyState (free), which are often called virtualization, but are closer to rollback tools.

This software allows you to "freeze" the system partition (and sometimes other partitions). Once in this frozen state (often called Shadow, virtualization or protected mode as well) any further file changes made to the partition during this period will only be temporarily stored elsewhere (though it appears as normal to the user) and will be discarded once the system gets out of the frozen or protected state (typically at the next restart).

There is 0% protection while in that state: malware is free to act as usual, but you are certain to restore back to the previous clean state.

Of course if you are the paranoid type and want to watch all programs and want granular control so you can give specific and individual permissions to each and every program, as compared to sandboxing where the bunch of permissions of sandboxed processes is generally fixed, you should try out other HIPS like System Safety Monitor or ProSecurity, but that's a whole other kettle of fish.


http://wiki.castleco...ization_-_Comparison
http://wiki.castleco...ticing_Safe_Installs
http://wiki.castleco...f_freeware_sandboxes
http://wiki.castleco...eware_virtualization

« Last Edit: August 24, 2007, 11:09 AM by Lusher »
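Rover's description of Sandboxie (disk writes go through a transient area while the "real" file stays intact) and Lusher's description of "frozen" partitions (changes stored elsewhere, then discarded) describe the same overlay idea. The following is an added, constructed Python model of that mechanism, not code from Sandboxie, BufferZone or any product named in the thread; `OverlaySandbox`, `demo` and the file names are made up for illustration.

```python
import shutil
import tempfile
from pathlib import Path


class OverlaySandbox:
    """Toy model of the transient write layer the posts describe (constructed example)."""

    def __init__(self, real_root):
        self.real = Path(real_root)
        self.layer = Path(tempfile.mkdtemp(prefix="sandbox-"))  # the transient area

    def read(self, name):
        # Reads fall through to the real file unless the sandbox already holds its own copy.
        shadow = self.layer / name
        return (shadow if shadow.exists() else self.real / name).read_text()

    def write(self, name, data):
        # Writes never reach the real tree; the sandboxed program sees only its shadow copy.
        (self.layer / name).write_text(data)

    def discard(self):
        # Clearing the sandbox (or rebooting a "frozen" partition) throws every change away.
        shutil.rmtree(self.layer, ignore_errors=True)
        self.layer.mkdir()

    def contained_files(self):
        # Files that exist only in the layer: what the sandbox kept off the real disk.
        return sorted(p.name for p in self.layer.iterdir() if not (self.real / p.name).exists())


def demo():
    """Constructed scenario: a sandboxed editor saves a file, an untrusted program drops one."""
    real = Path(tempfile.mkdtemp(prefix="real-"))
    (real / "notes.txt").write_text("original")
    sb = OverlaySandbox(real)
    sb.write("notes.txt", "edited in sandbox")  # Notepad-style save inside the sandbox
    sb.write("payload.dat", "dropped")          # new file written by an untrusted program
    result = {
        "sandbox_sees": sb.read("notes.txt"),
        "contained": sb.contained_files(),
        "real_file": (real / "notes.txt").read_text(),
        "real_has_payload": (real / "payload.dat").exists(),
    }
    sb.discard()                                 # clear the sandbox / leave frozen mode
    result["after_discard"] = sb.read("notes.txt")
    shutil.rmtree(real)
    shutil.rmtree(sb.layer)
    return result
```

The model shows why CWuestefeld's later problem is expected: anything a program saved while sandboxed (such as browser extensions) is gone once the layer is discarded, while the real tree never saw it.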

Lusher

Re: BufferZone and other virtual machine like safe program executors
« Reply #9 on: August 24, 2007, 11:19 AM »
Truth be told I'm wary of all of these executable-wrapper protection tools, and prefer using a full virtual machine tool like VMware or VirtualPC.
Yeah, it's more secure. Anything based on API hooking shouldn't be too hard to circumvent. BufferZone does sound a bit interesting, though, in that it uses a kernel-mode filter driver instead of simple ring3 API hooking.


Actually most of the good ones implement drivers, but it doesn't mean that 100% of the implementation is ring zero.

I think it doesn't provide as much protection as running a full-blown virtual machine (not that those are 100% protection either) of course, but it provides reasonable protection. While they don't stop zero-days from, say, browsers from starting, they can prove to be fairly effective in mitigating the damage and preventing it from spreading, and in most cases clearing the sandbox will remove everything.


CWuestefeld

Re: BufferZone and other virtual machine like safe program executors
« Reply #10 on: August 28, 2007, 05:12 PM »
I just spent a day and a half with BufferZone, and nuked it. I was rebuilding my machine after being pretty seriously hacked over the weekend, and thought this might prevent a recurrence.

My first problem with it was that I couldn't install Microsoft Office with BufferZone running. That is, simply running -- I wasn't trying to install office into the buffer zone, I was trying to do a regular install and BZ happened to be running. I wasted 1.5 hours getting to the bottom of that.

I had already installed Firefox, but I wanted to install all of the FF extensions I use at work. I'd packaged them all with FEBE, so I just needed to install them from the local disk. Unfortunately, this doesn't work. I restarted FF, and they were gone -- probably because you read them from protected disk space or something. So then I told BZ to "surf out of buffer zone", and installed the extensions there. Then I hopped back into the buffer zone, and FF wouldn't even start anymore! Played around some, and nothing would work. I went back to "surf out of buffer" and it won't work there anymore, either. I uninstalled BZ, and it still wouldn't work. I uninstalled and re-installed FF, and it still wouldn't work. Finally I blasted the directories that FF stores settings and extensions in, and that allowed it to work.

So the bottom line is that BZ is incompatible with some programs. And its sandboxing approach fundamentally clashes with the way FF handles extensions, at least if you ever intend to hop in and out of sandboxed surfing (I suspect any sandbox would have this problem).