Test Center: Sandbox security versus the evil Web
Five products strive to trap drive-by downloads and other threats in a virtual Web browsing space, with mixed resultsFollow @infoworld
SoftSphere DefenseWall HIPS 2.44
Although security is rarely a binary choice, SoftSphere's DefenseWall HIPS separates all applications into just two categories: trusted or untrusted. Applications that can be expected to interface with potentially malicious content should be placed into the untrusted category. Processes started by untrusted programs automatically inherit untrusted status. Automatically downloaded or executed content from an untrusted program is protected from execution and prevented from manipulating protected resources.
Installation of DefenseWall HIPS was simple and quick, and the accompanying help file covered the essentials. The DefenseWall HIPS comes preconfigured with 11 untrusted programs, including Internet Explorer, Firefox, QuickTime, and a few other frequently exploited programs (see Figure 1). However, Adobe's Flash Player was not automatically included on this list, and this allowed the clipboard hijack exploit demo to be successful.
[ View the companion video, "DefenseWall HIPS vs. the Adobe Flash clipboard hijack." Download the QuickTime version. ]
Untrusted programs can be launched in a trusted state by choosing the application in the Untrusted applications window and selecting the Run as Trusted button. This is a nice way to end up with both trusted and untrusted browser sessions to handle various Web sites. The untrusted browser sessions are marked in the title bar to help users distinguish between the two.
The SoftSphere program has many customizable options, including the ability to include or exclude specific Windows resources (such as files, folders, registry keys, and so on) as trusted or untrusted. You can roll back any identified resource changes on a per-resource basis, although the program does not always distinguish between legitimate and malicious changes, leaving the final trust decision to the end-user. I especially like that DefenseWall HIPS considers all programs from removable sources to be untrusted by default.
Overall, DefenseWall HIPS stopped most malicious threats from automatically executing, though at times in a disconcerting way. When I browsed to malicious Web sites with an untrusted browser, the DefenseWall HIPS added any further starting programs (in testing, these were always malicious programs) to the untrusted applications list (see Figure 2), which prevented much malicious activity. Further, it warned me (Figure 3) when a malicious program was trying to modify critical system files.
Auto-downloaded malware is saved to the disk, but in such a way that it is not a threat to your system. You can disable the program, remove it, or, if the program is legitimate, move it to the trusted applications area. If you manually save a file to the desktop, which is often the case with social engineering, DefenseWall HIPS attempts to keep it marked as untrusted, but I found instances where malicious files could escape to trusted areas.