GreenBorder cages malware
Unique approach to desktop security -- allowing content to execute in virtual space -- requires accepting a measure of risk
GreenBorder Professional Edition is designed to protect against malicious content arriving in Internet Explorer and Outlook -- but it gives the traditional virtual environment security paradigm a nifty 180-degree twist.
GreenBorder forces untrusted content to execute in a virtualized protection “sandbox” environment where it can do no persistent harm to the local host or trusted network. Where GreenBorder differs is that most untrusted content, malicious or not, is allowed to execute and reside in the seamless virtual environment, but any subsequent host modifications can be discarded.
The goal of this is to prevent malware from permanently modifying the local host and from attacking other trusted hosts and networks, similar to what might be accomplished by resetting a VMware or Virtual PC session. Content arriving from untrusted networks is hosted in a controlled virtual environment indicated by a green border surrounding Outlook and IE.
GreenBorder removes this untrusted content when the user decides to remove it or when the user logs off. All content from any untrusted network is removed regardless of whether it is in fact malicious. So, while malware, worms, and spyware changes won’t be saved, neither will legitimate content such as patches from Microsoft Windows Update or Amazon.com cookies -- unless the sites are added as trusted locations.
GreenBorder was nearly flawless in its attempts to prevent manipulation of the underlying host environment. But in my tests, some minor spyware modifications, such as desktop shortcuts and new menus, did make it to the underlying host. GreenBorder says this is because the malware mimicked a normal user’s modifications too closely, as compared with most malware’s programmatic accesses. Still, the fact that malware can modify the host desktop at all means there are other potential weaknesses.
That doesn’t mean GreenBorder lacks innovation. For example, when a user saves a file from an untrusted source, the file is given a new header and then “wrapped” with a proprietary, nonconfidential encryption routine -- a process GreenBorder calls “mangling.” If users without GreenBorder attempt to access the file, they will be unable to open it.
When a GreenBorder user opens the file, however, the mangling is undone, and the original file is served up in the protected virtual environment. In a sense, content from an untrusted resource remains untrusted by default.
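The two mechanisms described above, session-scoped isolation with trusted-site exceptions and "mangling" of saved downloads, can be modelled in a few dozen lines. The Python below is an added illustration written for this review, not GreenBorder's code: the overlay store, the `trusted_hosts` list, the `UNTRUSTED-WRAP` header and the sample paths are all constructed assumptions, and the wrapper is a plain origin-tagging header rather than the product's proprietary routine. It shows why an untrusted download's changes never reach the host, why a trusted site's writes do, and why a saved file stays unreadable until it is reopened inside the sandbox.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed marker; stands in for the product's own (undocumented) header.
WRAP_MAGIC = b"UNTRUSTED-WRAP\x00"


def wrap(origin: str, data: bytes) -> bytes:
    """Prefix a saved download with its origin so it cannot be opened as-is."""
    return WRAP_MAGIC + origin.encode() + b"\x00" + data


def unwrap(blob: bytes) -> tuple[str, bytes]:
    """Reverse wrap(); raises ValueError when the blob was never wrapped."""
    if not blob.startswith(WRAP_MAGIC):
        raise ValueError("not a wrapped file")
    origin, _, data = blob[len(WRAP_MAGIC):].partition(b"\x00")
    return origin.decode(), data


@dataclass
class SessionSandbox:
    """Host state plus a per-session overlay that untrusted origins write to."""
    host: dict[str, bytes]                      # persistent files: path -> contents
    trusted_hosts: set[str]                     # hostnames allowed to touch the host
    overlay: dict[str, Optional[bytes]] = field(default_factory=dict)  # None = deleted

    def is_trusted(self, origin: str) -> bool:
        return urlparse(origin).hostname in self.trusted_hosts

    def write(self, origin: str, path: str, data: bytes) -> None:
        # Trusted origins (e.g. a patch server) persist; everything else is overlaid.
        if self.is_trusted(origin):
            self.host[path] = data
        else:
            self.overlay[path] = data

    def delete(self, origin: str, path: str) -> None:
        if self.is_trusted(origin):
            self.host.pop(path, None)
        else:
            self.overlay[path] = None

    def read(self, path: str) -> Optional[bytes]:
        """View from inside the sandbox: overlay entries shadow host files."""
        if path in self.overlay:
            return self.overlay[path]
        return self.host.get(path)

    def pending_changes(self) -> dict[str, str]:
        """What the user would be asked to review before the session ends."""
        return {p: ("delete" if v is None else "write") for p, v in self.overlay.items()}

    def end_session(self) -> list[str]:
        """Logoff or manual reset: drop every untrusted change, report what went."""
        dropped = sorted(self.overlay)
        self.overlay.clear()
        return dropped

    def save_download(self, origin: str, path: str, data: bytes) -> None:
        """An explicit user save persists to the host, wrapped if the source is untrusted."""
        self.host[path] = data if self.is_trusted(origin) else wrap(origin, data)

    def open_saved(self, path: str) -> tuple[bytes, bool]:
        """Open a saved file inside the sandbox; returns (contents, came_from_untrusted)."""
        blob = self.host[path]
        try:
            _origin, data = unwrap(blob)
        except ValueError:
            return blob, False            # plain host file, no wrapper present
        return data, True                 # unwrapped, but still treated as untrusted


if __name__ == "__main__":
    sb = SessionSandbox(host={"hosts": b"127.0.0.1 localhost"},
                        trusted_hosts={"update.example"})
    sb.write("http://dl.example/x", "hosts", b"hijacked")   # untrusted: overlay only
    sb.write("https://update.example/kb1", "patch.dll", b"PATCH")  # trusted: persists
    print("sandbox view:", sb.read("hosts"), "host copy:", sb.host["hosts"])
    print("pending:", sb.pending_changes(), "dropped:", sb.end_session())
```

Note that the overlay makes the untrusted write fully visible to the process that made it, which is exactly the behaviour the review describes: the worm runs, consumes CPU and sees its own changes, but the host copy is untouched and the reset is a dictionary clear rather than a re-image.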
As interesting as this is, most security vendors have forsaken directly modifying files because doing so may elicit unforeseen operational consequences; for this reason, GreenBorder users can save files unmodified without the added protection. (A centralized management console, which I did not test, is available to configure GreenBorder settings across the enterprise.)
Adopting GreenBorder’s defense strategy has practical consequences. For example, any worm or virus launched will be allowed to modify the virtual environment, take up real CPU cycles (slowing the host machine), and interact with and attack other untrusted networks and hosts. Phishing e-mails and URL tricks will get through; script worms and macro viruses will still execute.
Because of its approach, however, GreenBorder works across a wider selection of malware and prevents unknown attacks without the need for daily signature updates. The ability to reset a session is akin to a quick reset of the user’s entire environment: no more system restores or re-ghosting machines. Administrators will have to decide whether the risk in allowing malware to execute is worth the instant reset payback.