Good PC security article about sandboxing/virtualization

This would be a good article for the developers of CPF V3 to read, as well as for anyone interested in security.

This guy is a typical hack. He plays it safe referring to the Vista vulnerabilities that some woman discovered over a month ago, while neglecting to highlight what tests he made on what products, and what precisely the results were. I am in a place where I am learning to despise journalists. Instead of reporting facts, many are only concerned with advancing their own venomous agendas.

As I am typing this I am using Opera 9.10, which is operating behind a Bufferzone. In the last week I have personally tested the operation and researched the security of the sandbox solutions GeSWall, DefenseWall, and now Bufferzone. I settled on Bufferzone (for the time being) because its technology is well explained by Trustware and is conceptually easy to understand. All local applications are divided into trusted and untrusted applications. Upon install of Bufferzone (and btw it should only be installed after ensuring your system is clean) all points of entry to the system (browsers (all of them), CD drives, and USB drives) are automatically moved into the "untrusted" Bufferzone. Email clients run in the trusted zone, but attachments are automatically dropped to "untrusted". Any program can be entered into that zone and moved out as well by the user. This is application sandboxing as opposed to system sandboxing, which I believe is most of what the nay-sayer journalist is referring to. Here is what makes this concept powerful (in my view): all "untrusted" applications in the Bufferzone can see system files, registry files, etc., but on any attempt to write to these files, Bufferzone makes a copy of the file and places it elsewhere on the drive, and the application is redirected there. It believes it is writing to system resources, and in fact it is not, and cannot. System integrity is intact and your applications operate (so they believe) normally. Malware, since it cannot write to autostart, registry files, or other system resources, is rendered toothless, and can be identified and cleaned up by our on-demand scanners, or by simply cleaning up the Bufferzone. This link describes it better than I…

I am not naive enough to believe this technology is a panacea; I don't believe it replaces safe hex or a layered approach to Windows PC security. I still have a firewall, which is why I am now on this board. Outpost and Bufferzone fought it out the moment they saw one another and my computer lost; I had to reformat. Bufferzone and Comodo, if not in love, respect one another's space, after a day and a half. But I am still running NOD32 as a real-time scanner, have a couple of on-demand scanners that will stay in the arsenal, and am looking at either Prevx or Cyberhawk to patrol the borders of the Bufferzone. What this may free me from is SSM, which I realise I am not computer savvy enough to configure effectively. In essence nothing has changed other than that I have automated a security process through technology, and moved myself further out of the loop as a security liability.
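The copy-on-write redirection described in the post above, as an added example written for this thread (it is not Trustware's code; a real product hooks the kernel's file and registry APIs, while this user-mode model covers only files). Untrusted programs read through to the host tree, their first write to any path snapshots the file into a private shadow tree, every later access goes to the shadow copy, and "cleaning the zone" is just dropping that tree. The host tree, shadow tree, autostart file and dropper payload are all constructed for the demonstration.

```python
"""Copy-on-write redirection of an untrusted program's writes.

Added example for this thread: a user-mode model of the mechanism described
in the post above, not Trustware's code (the real product hooks the kernel's
file and registry APIs; this models only the file side). The host tree, the
shadow tree and the sample files are constructed for the demonstration.
"""
import os
import shutil
import tempfile


class CowSandbox:
    """Untrusted programs read through to the host, but every write lands in
    a private shadow tree, so the host never changes."""

    def __init__(self, host_root: str, shadow_root: str):
        self.host_root = os.path.abspath(host_root)
        self.shadow_root = os.path.abspath(shadow_root)
        os.makedirs(self.shadow_root, exist_ok=True)

    def _check(self, rel: str) -> str:
        # A redirect layer is only as good as its path handling: reject
        # anything that would resolve outside the tree it is supposed to cover.
        rel = os.path.normpath(rel).replace("\\", "/")
        if os.path.isabs(rel) or rel == ".." or rel.startswith("../"):
            raise PermissionError(f"path escapes sandbox: {rel}")
        return rel

    def read(self, rel: str) -> bytes:
        """Shadow copy wins once it exists; otherwise read through to the host."""
        rel = self._check(rel)
        shadow = os.path.join(self.shadow_root, rel)
        path = shadow if os.path.exists(shadow) else os.path.join(self.host_root, rel)
        with open(path, "rb") as f:
            return f.read()

    def write(self, rel: str, data: bytes, append: bool = False) -> str:
        """Copy-on-write: snapshot the host file into the shadow tree on first
        touch, then write there. Returns the path actually written, which is
        never under host_root."""
        rel = self._check(rel)
        shadow = os.path.join(self.shadow_root, rel)
        host = os.path.join(self.host_root, rel)
        os.makedirs(os.path.dirname(shadow), exist_ok=True)
        if not os.path.exists(shadow) and os.path.exists(host):
            shutil.copy2(host, shadow)
        with open(shadow, "ab" if append else "wb") as f:
            f.write(data)
        return shadow

    def modified_files(self) -> list:
        """Everything the untrusted program believes it changed: the triage
        list an on-demand scanner would want to look at."""
        found = []
        for dirpath, _, names in os.walk(self.shadow_root):
            for name in names:
                full = os.path.join(dirpath, name)
                found.append(os.path.relpath(full, self.shadow_root).replace(os.sep, "/"))
        return sorted(found)

    def clean(self) -> None:
        """'Clean the zone': drop every redirected write in one go."""
        shutil.rmtree(self.shadow_root)
        os.makedirs(self.shadow_root)


def demo() -> dict:
    """Simulated dropper trying to persist via an autostart file (constructed)."""
    host = tempfile.mkdtemp(prefix="host_")
    zone = tempfile.mkdtemp(prefix="zone_")
    try:
        autostart = os.path.join(host, "Windows", "run.ini")
        os.makedirs(os.path.dirname(autostart))
        with open(autostart, "wb") as f:
            f.write(b"[run]\nexplorer=explorer.exe\n")   # constructed host file

        box = CowSandbox(host, zone)
        box.write("Windows/run.ini", b"dropper=evil.exe\n", append=True)
        box.write("Windows/evil.dll", b"MZ-not-really")
        try:
            box.write("../outside.txt", b"escape")
            escaped = True
        except PermissionError:
            escaped = False

        with open(autostart, "rb") as f:
            host_after_attack = f.read()
        result = {
            "sandbox_view": box.read("Windows/run.ini"),  # what the dropper sees
            "host_view": host_after_attack,               # what really happened
            "modified": box.modified_files(),
            "escaped": escaped,
        }
        box.clean()
        result["modified_after_clean"] = box.modified_files()
        return result
    finally:
        shutil.rmtree(host, ignore_errors=True)
        shutil.rmtree(zone, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and the dropper's own view of run.ini contains its autostart entry while the host copy is unchanged; modified_files() is the list you would hand to an on-demand scanner, and clean() empties it. The _check step is the part worth copying: a redirect layer that normalises paths badly can be asked to "redirect" a write straight back into the host tree.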


Mike (and everyone else too),

I read somewhere on Wilders Security Forum that IMON (the NOD32 internet monitor) cannot function properly when the browser is sandboxed. Have you tested this?

The other functions of NOD still work, just not the Internet Monitor.

Can you confirm that?

It seems to be functioning. The log shows 49 files have been examined. What it does not tell me is "when" these files were scanned, so I do not know if the log only tracks to-date activities or if it logs per session.

What I can tell you is that after only 2 days I now feel bare surfing without this little red border around my browser, and that Cyberhawk (just installed last night while holding my breath), Comodo, and Bufferzone seem to be playing well together. (:CLP)

Edit: reading a thread on Wilders just now gave me an idea for testing whether IMON is running: download EICAR. IMON works even though the browser (in this case Opera, which btw is not even close to nightmarish) is in the Bufferzone!


I agree with simmikie.

I’m not computer savvy, as you might have figured (and that guy is, supposedly), but here goes my rant lol:

“1. No sandbox product is foolproof. I’ve yet to meet one that could not be easily circumvented.”
No product is foolproof. And how did he easily pass it?

“Most sandbox protection products only protect against a dozen or so file and registry locations.”
From Sandboxie: "the key component of Sandboxie: a transient storage area, or sandbox. Data flows in both directions between programs and the sandbox. During read operations, data may flow from the hard disk into the sandbox. But data never flows back from the sandbox into the hard disk."

“All OS virtual machine products, which might be able to protect all vulnerable locations, can be detected by the bad guys and be circumvented.”
So far I've heard of malware refusing to run in a VM when detected. As for circumvention, care to say how?

“2. Most virtual protection products don’t respond well to encoded attacks. Encoding is a popular malicious method for bypassing the initial inbound checks of a security product. Hackers and malware writers often encode malicious HTML commands into hexadecimal, double-byte, dotted decimal notation, or Unicode, instead of the ASCII text we, and protection products, expect. In many cases, the end result is that slight modifications to malicious commands are not detected or prevented.”
Isn’t the key to virtualization no write capabilities??

“3. Many sandbox products cover only a small subset of user applications.”
So are we talking about the concept, or about its development stage? It's like saying the firewall doesn't protect from malware coming from the browser.

“4. All sandbox products prevent some small percentage of legitimate applications from installing or running.”
Well do you want security or what? If the product doesn’t make it that easy, and it’s a trusted download, just don’t run it sandboxed. It’s not ideal, but what is?
“At the other end of the spectrum, some sandbox products are so secure that they don’t provide enough flexibility”

“Many, if not most, of these products contain their own vulnerabilities – buffer overflows, bugs that crash the system, hard-coded passwords, and so on. You end up trading one set of bugs for another. Although the program’s buffer overflow vulnerability is less likely to be exploited than IE’s, of course.”
Again, garbage. Buffer overflows, yes, it seems the biggest threat I've heard of, but few products cover this until now. Care to code it for us?

“6. Most of these security add-ons do not have enterprise deployment and management tools.”

“7. Virtualization applications also complicate support and troubleshooting events. When the underlying OS or app is updated, the sandbox or virtualization product often has to be updated as well.”
welcome to the world of software…

“So, although sandbox or virtualization applications provide additional security, don’t begin to believe they are a panacea. Nothing beats a more secure application and OS.”
So what’s the product that provides that? And who said that?
“Nothing beats a more secure application and OS.”
Duh! If no vulnerabilities existed, no security is needed.

On the vulnerabilities, even if he’s right on all of them, since he doesn’t explain, this could well be regarded as worthless. The average user doesn’t care about sandboxing, so he wasn’t writing to the general public. This article should be specific, not a spooky abstract.

I must say solo, it’s good to bring these links for discussion, so well done.

But I simply think this one is too general. He doesn't say anything specific to help us. Plus we don't know what he's referring to half the time (virtualisation, sandbox, or something else). He puts everything in one bag, and criticises the whole lot. Maybe the developers will understand the implications of what he says, but I sure don't.

“worthless” was probably too strong, it’s just an article. Maybe he wrote something else more thorough. So it’s nothing personal, it’s a rant on a forum lol.
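Point 2 of the article quoted in the post above (encoded attacks slipping past a product's inbound checks) is concrete enough to show. The following is an added example written for this thread, not code from the article or from any product discussed here: it runs a toy signature check once on the raw text and once after percent-decoding, HTML-entity decoding and Unicode normalisation, and folds the decimal, hex and octal IPv4 spellings the article mentions back to a dotted quad. The signature list and every sample input are constructed for the demonstration.

```python
"""Why "encoded attacks" slip past raw-ASCII checks, and what decoding first buys you.

Added example for this thread, not code from any product or from the article
quoted above. It compares a naive substring check against the same check after
percent-decoding, HTML-entity decoding and Unicode normalisation, and folds the
decimal / hex / octal IPv4 spellings mentioned in the article back to a dotted
quad. Signatures and sample inputs are constructed for the demonstration.
"""
import html
import ipaddress
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed toy signature list; a real engine has thousands of these.
SIGNATURES = ("<script", "javascript:", "onerror=")


def naive_match(text: str) -> bool:
    """What a check on the raw bytes sees: only the literal ASCII spelling."""
    t = text.lower()
    return any(sig in t for sig in SIGNATURES)


def canonicalize(text: str, max_rounds: int = 3) -> str:
    """Undo the layers an attacker can stack: %XX (possibly applied twice),
    &#..; and &name; entities, then compatibility forms such as fullwidth '<'.
    Rounds are bounded so a pathological input cannot make this loop forever."""
    prev = None
    for _ in range(max_rounds):
        if text == prev:
            break
        prev = text
        text = html.unescape(unquote(text))
    text = unicodedata.normalize("NFKC", text).replace("\x00", "")
    return re.sub(r"\s+", " ", text).lower()


def canonical_match(text: str) -> bool:
    """The same signature check, applied after canonicalisation."""
    return naive_match(canonicalize(text))


def _octet(part: str) -> int:
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def canonical_host(host: str) -> str:
    """inet_aton-style parsing: 1 to 4 components, each decimal, octal or hex,
    the last one filling the remaining bytes. Non-numeric hosts pass through."""
    parts = host.split(".")
    try:
        nums = [_octet(p) for p in parts]
    except ValueError:
        return host.lower()
    if not 1 <= len(nums) <= 4:
        return host.lower()
    widths = [8] * (len(nums) - 1) + [32 - 8 * (len(nums) - 1)]
    value = 0
    for n, w in zip(nums, widths):
        if not 0 <= n < (1 << w):
            return host.lower()
        value = (value << w) | n
    return str(ipaddress.IPv4Address(value))


def canonical_url(url: str) -> str:
    """Scheme, host and path rewritten for matching (not for fetching):
    the query string is deliberately left out of this toy."""
    u = urlsplit(url)
    host = canonical_host(u.hostname or "")
    if u.port:
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{canonicalize(u.path) or '/'}"


SAMPLES = {  # constructed inputs for the demonstration
    "plain": "<script>alert(1)</script>",
    "percent": "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_percent": "%253Cscript%253E",
    "entities": "&#x3C;scr&#73;pt&#62;",
    "fullwidth": "\uff1cscript\uff1e",
    "benign": "<b>hello</b>",
}


def demo() -> dict:
    """name -> (naive verdict, verdict after canonicalisation)."""
    return {name: (naive_match(s), canonical_match(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15} naive={verdicts[0]!s:5} canonical={verdicts[1]}")
    for h in ("3232235777", "0xC0A80101", "0300.0250.01.01", "example.com"):
        print(f"{h:18} -> {canonical_host(h)}")
```

Only the plain sample trips the naive check; the percent-encoded, double-encoded, entity-encoded and fullwidth spellings of the same tag all get through it and are all caught once canonicalised, and the four host spellings collapse to one address. The order matters: normalising after decoding, with a bounded number of rounds, is what keeps a nested encoding from sliding through on the last pass.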