What is "Norman sandboxing" and comparison with Comodo autosandbox

Norman SandBox Anti-Malware Security Technology Recognized As Most Innovative Idea in Past Decade at VB2010 Conference: http://www.norman.com/about_norman/press_center/news_archive/2010/127159/en

http://www.norman.com/security_center/security_tools/

Norman SandBox® is a revolutionary way to detect new and unknown malware in a proactive way. It is a virtual environment where programs may perform in safe surroundings without interfering with the real processes, program files and network environment. If a program performs actions that the SandBox regards as suspicious, the program is "tagged" as a malicious program.
Norman SandBox Technology

Norman Sandbox is a virtualized environment (emulator) where executable files can be examined to see what kind of changes a specific file would do to a system. The emulator contains a BIOS, ROM, simulated hardware and networking capabilities. Based on the actions done by a file, Norman Sandbox will automatically try to tell you if the file is behaving maliciously or not.

Norman Sandbox is implemented in all Norman’s products, but on a different operating level. Emulating CPU cycles can be a time-consuming task, so for performance reasons this is not enabled by default in the on-access scanner.

Symantec uses it! (see [ref 10]): Endpoint Protection - Symantec Enterprise

Seems to be an on-access sandbox (off by default).
They don’t make claims of performance issues (it seems).

In what way is it different from Comodo’s on-access auto-sandboxing?
Seems that Comodo is a user access limiter and Norman is a “true” virtualization.
Am I wrong?
Can we discuss this from a technical point of view?

I’ve seen on another forum they said “Comodo Sandbox isn’t trusted and useless”.
I’m not sure about it, but I agree with them a bit.

Yeah. I kinda agree on that, too. The sandbox doesn’t prevent the malware from running. It could probably still send data unless the firewall stops it. But I’ve seen cases before, during version 4 of CIS, of other spyware managing to send data. I had to manually block them. Lucky if the user knew about it.

The sandbox doesn't prevent the malware from running. It could probably still send data unless the firewall stops it.
Like Sandboxie, Comodo sandbox's main purpose is to prevent your computer from getting contaminated or crippled by malware, or if you just want to isolate a program for whatever reason (like trying out new software or something). Although a nice feature could be to add an option to stop sandboxed programs from going online :) like Sandboxie does. I say "option" feature because there may be some programs that you sandboxed, like Firefox, that you would still like to go online. <---just an idea :)

Please, the thread is about Norman sandboxing and its comparison with Comodo.
It’s not a Comodo sandbox thread.

I understand that. But I’d like to see a “Comodo Sandbox Thread”.
Particularly its weaknesses, because I still have serious misgivings about it and how it performs with the HIPS.
I’ve always believed, and still do, in a comprehensive whitelist as the best solution.

Open one. It’s free :slight_smile:

I don’t know. Since I pretty much don’t know Norman sandboxing, I can’t quite compare it with Comodo sandbox. So instead, giving information about what Comodo sandbox is, based on user experience, is probably the next best alternative to comparing the two, which, in turn, should allow you to analyze and compare the two (since you have read about Norman sandboxing, you have the most background with it in comparison to me). Hence, giving information on what Comodo sandbox does is still relevant to the thread. Once someone comes along with info about Norman, you can just gather up the replies and compare. :smiley:

Getting back to the topic, I’ve also read about Norman sandboxing yesterday and I think their approach is different from Comodo’s. As I understand from what I’ve read, it is a full system virtualization which, at the same time, determines which are malicious behaviors and terminates them. By using virtualization, termination and removal is easier and more efficient. Comodo sandbox does not virtualize the whole system, let alone the whole program (by which I mean that it does not sandbox the files that come from the actual program), but isolates the main executables and then lowers their rights.

I guess Norman’s approach would be a wee bit better. But I have yet to see this.

Comodo sandbox does not virtualize the whole system
Some malware won't run if it realizes it's in a virtualized or sandbox setting. That can be a big issue. Think of it like this: the first step in writing malware code is to check if it's in a virtual or sandbox setting. If it is, the malware won't do anything.

This is what I’ve understood… But why does this receive an award right now?
Also, is it on-access? It would have a huge impact on performance.

Hi Tech,
Can you please be more specific re: your question?
From what is written about Norman’s development & other similar ones, that is real virtualization compared to Comodo’s improper & embedded (for no apparent reason :o) leaking “sandbox”.
So what is “onAccess” virtualization according to your opinion?
Cheers!

Well, yes. But if the system is virtualized immediately after boot-up or start-up, this wouldn’t be an issue. Rebooting will remove all of them and you can check which is which. Certainly the user’d know which is his and which isn’t. Plus, if it isn’t running on the virtual machine, it can’t do much damage. Then again, this could open a hole in your security if it were post-infection, so like any other security software, it is best installed on a clean system. Norman would have presumed this and probably thought their antivirus would catch the file on a scan, or maybe when it begins access on a non-virtual system.

Norman SandBox® technology offers a powerful, [u][b]automated solution[/b][/u] that identifies and stops new and undiscovered malicious code before it can damage computer networks or compromise confidential business data.
Source: http://www.norman.com/about_norman/technology/norman_sandbox/

Yes. It is probably on-access and maybe even more. Perhaps it starts protection immediately at boot time. It receives an award for this, and for the fact that, unlike other virtualization software, it analyzes the behavior of the processes within the virtual environment, tags them as malicious if found suspicious, alerts the user and offers to quarantine them (for unknown processes) or immediately removes them (for known malicious processes). That much I understand.

But if the system is virtualized immediately after boot-up or start-up, this wouldn't be an issue. Rebooting will remove all of them and you can check which is which. Certainly the user'd know which is his and which isn't. Plus, if it isn't running on the virtual machine, it can't do much damage.
That could be a problem. Let's say you put Firefox (an infected one, like it's backdoored) in virtual mode. The user would run Firefox in virtual mode and it would work perfectly normally. Then, if it looks and runs like it's supposed to, the user will think that the Firefox is fine. Then they WILL put it on the regular computer. Then when the user runs it, GAME OVER. You're now backdoored.

Were you referring to running any software (or maybe the infected Firefox example from above) in virtual mode PERMANENTLY?
Files that are questionable need to be isolated until they can be verified safe before running them on a normal computer.

On demand: the user manually adds the program into the sandbox.
On access: the program is automatically (on access) fully run inside the sandbox (not only with access rights limited).
In other words, how does Norman decide if a program should or should not be fully sandboxed and virtualized?

Hmmm… Full virtualization is another thing… If this is the revolutionary technology of Norman, never mind (it is a Deep Freeze/Returnil technology then).
I’m thinking of sandboxing and virtualization of the malware, not the full system (a different technology). If this is what Norman does, well, never mind… It won’t help what I want to achieve.

Well, is it 1) a full virtualization of the system, or 2) does it virtualize only certain executables according to their behavior (if this is the case, i.e., number 2, how does Norman detect it and run it virtualized)?

What makes it so innovative is that it detects malware within a virtual environment. It’s a full virtualization. I haven’t tried it yet so I’m not quite sure how to explain it. It’s like having TF and DeepFreeze in one, plus something else they’re not (at the very least, completely) telling. :wink: It’s a marketing strategy, maybe. They’re keeping you guessing so you’d try their product out and hope you like it.

I still do not understand the technology.
Is the whole computer virtualized and then the malware is detected there?
Is only the malware virtualized (and then how does it do it with some applications and not all of them)?

... what is "onAccess" virtualization according to your opinion?
[quote="Tech post:14, topic:259615"]
On demand: the user manually adds the program into the sandbox.
On access: the program is automatically (on access) fully run inside the sandbox (not only with access rights limited).
In other words, how does Norman decide if a program should or should not be fully sandboxed and virtualized?
[/quote]
Thanks for the reply, Tech.
I see, the term "automatically" makes it clear.
Cheers!