How to stop malware from editing registry?
seskanda
Junior Member with 26 posts.
Join Date: Apr 2009
13-Jul-2009, 07:01 PM #1
I have XP. I know IE in Vista has a "Protected Mode" that prevents malware from changing the registry. What can I do in XP? Is there some program or setting that will block malware from altering the registry?

Thanks in advance.
lunarlander
Senior Member with 3,492 posts.
Join Date: Sep 2007
13-Jul-2009, 08:20 PM #2
You can try Sandboxie. It places the browser into a walled container.
perfume
Account Disabled with 2,011 posts.
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
13-Jul-2009, 10:15 PM #3
Dear seskanda,
I use a program similar to Sandboxie, named GeSWall (free version). Both these programs "isolate" the browser you are using, so that even if by mischance you are redirected to a hacked website, no malware code can get out and execute itself to corrupt the registry. The one thing to remember is that "installing programs" becomes a bit tricky, and I suggest you read the "help" manual before you start using either of the programs on offer! Returnil Virtual System is a terrific program, but it makes you feel "claustrophobic"! GeSWall download site: http://www.gentlesecurity.com/
stantley
Distinguished Member with 6,738 posts.
Join Date: May 2005
Location: Pittsburgh PA USA
Experience: The Jimi Hendrix
13-Jul-2009, 11:16 PM #4
You could get RegProt, a small freeware program that warns you when a change is going to be made to the registry and allows you to block it.
perfume
Account Disabled with 2,011 posts.
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
14-Jul-2009, 11:31 AM #5
Dear seskanda,
Malwarebytes Anti-Malware (paid version) has real-time protection capability and sits in the system tray, and I have seen it blocking malware from even entering the system in a FLASH! MBAM is highly recommended by most of us on the site! The R-T function is a stunner! Well worth buying.
seskanda
Junior Member with 26 posts.
Join Date: Apr 2009
14-Jul-2009, 06:09 PM #6
Well, it looks like BOTH Sandboxie and Returnil are lite virtual machines, so I might as well use VMware instead, but my P4 @ 2.8 GHz is slow with a VM of XP. I might give GeSWall a go, even if installing programs is a hassle with it. Can you just disable it when you install a program, and re-enable it afterwards? RegProt looks small and sweet, but I wonder if it can really block the dozens of malware registry entries that come at the SAME time....
Gizzy
Library Manager with 3,671 posts.
Join Date: Aug 2005
Location: NJ, USA
Experience: Comp Security Enthusiast
14-Jul-2009, 06:34 PM #7
They're not virtual machines, since with a virtual machine you have to install a separate OS on it and they consume a lot of resources, whereas those programs work differently.

Returnil - Virtualizes your current OS without consuming many resources; you'll need to restart your computer to get out of virtual mode.

Sandboxie - Virtualizes only programs you tell it to; it doesn't virtualize the whole computer like Returnil. It's a virtual sandbox for programs you put in it: if any program in the sandbox tries to change a file or registry key, it will only be able to change a virtual one, not the real one.

I have both installed. I only use Returnil when I feel I need it and I want to virtualize my whole OS, but I use Sandboxie every day with my browser sandboxed while browsing.

With GeSWall, I believe it uses a combination of virtualization like Sandboxie as well as policy restrictions. You should be able to install programs easily if you remember to un-isolate or trust the install file you downloaded (it's been a while since I've used GeSWall, so I may have the terms a little off; since perfume is currently using it he should be able to explain it better). If you have your browser protected with GeSWall, save the file instead of just installing it through the browser, since the restrictions will get inherited.
Just make sure the install file isn't protected and being restricted by GeSWall and it should install normally.
__________________
Graduate of Malware Removal University | Member of ASAP and UNITE
Help Add Content At The Official Tech Support Guy Library Of Knowledge!
stantley
Distinguished Member with 6,738 posts.
Join Date: May 2005
Location: Pittsburgh PA USA
Experience: The Jimi Hendrix
15-Jul-2009, 08:53 AM #8
Quote:
Originally Posted by seskanda View Post
RegProt looks small and sweet, but i wonder if it can really block the dozens of malware registry entries that come at the SAME time....
It's highly unlikely that you would have "dozens of malware registry entries that come at the SAME time", but even if you did they would still be executed sequentially, one at a time and RegProt would give you an alert for each one.

However there's a lot of malware that doesn't access the registry so you still need a real-time anti-spyware program to catch that stuff. RegProt just gives another layer of protection that uses very little resources.
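RegProt, as described above, alerts on each registry change as it happens. A cheaper check a practitioner can run without any resident software is to snapshot the autostart keys before and after doing something risky and diff the two exports. The script below is an added example (not RegProt's code and not from the thread): it parses the `.reg` format that XP's own `reg export` produces, diffs the Run keys between two snapshots, and flags new entries that launch from temp or per-user data folders. The two Run keys watched and the "suspicious folder" heuristic are assumptions for the example; the sample snapshots are constructed, not real exports.

```python
r"""Diff two `reg export` snapshots of the Run keys and flag new autostarts.

Added example, not RegProt's code. Assumed workflow on XP:
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" before.reg
    (install something, browse, ...)
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" after.reg
reg.exe writes UTF-16 files, so read them with open(path, encoding="utf-16").
"""
import re

# Assumption: these two Run keys are the autostart locations worth watching here;
# extend the tuple (RunOnce, Winlogon\Shell, ...) for wider coverage.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Heuristic: autostarts launched from temp or per-user data folders deserve a look.
_SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")

# "name"=data  or  @=data (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(data):
    """Decode one value's data field into a Python object."""
    if data == "-":
        return None                                  # "name"=-  means: value deleted
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                 # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                     # REG_DWORD
    if data.startswith("hex"):                       # hex:, hex(2):, hex(7): ... -> bytes
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    return data                                      # anything else: keep the raw text


def parse_reg(text):
    """Parse a .reg export into {key_path.lower(): {value_name: data}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()             # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):  # hex data continued on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        keys[current][name] = _parse_data(m.group(2))
    return keys


def looks_suspicious(data):
    return isinstance(data, str) and any(d in data.lower() for d in _SUSPICIOUS_DIRS)


def diff_autostart(before_text, after_text, watched=RUN_KEYS):
    """Return (kind, key, name, data, suspicious) for each value added, removed
    or changed under the watched keys between the two snapshots."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for key in watched:
        b, a = before.get(key.lower(), {}), after.get(key.lower(), {})
        for name in sorted(set(b) | set(a), key=str.lower):
            if name not in b:
                changes.append(("added", key, name, a[name], looks_suspicious(a[name])))
            elif name not in a:
                changes.append(("removed", key, name, b[name], False))
            elif a[name] != b[name]:
                changes.append(("changed", key, name, a[name], looks_suspicious(a[name])))
    return changes


def report(changes):
    """One line per change; '!!' marks entries that looked suspicious."""
    return [f"{'!! ' if sus else '   '}{kind:7} {key}\\{name} = {data!r}"
            for kind, key, name, data, sus in changes]


# Constructed sample snapshots (not real exports). The second gains a Run value
# pointing into the user's Temp folder, plus an unrelated key exercising the
# dword, hex and deletion syntaxes.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''
AFTER = BEFORE + r'''"WinUpdate"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\update.exe\" -s"

[HKEY_CURRENT_USER\Software\Example]
"Enabled"=dword:00000001
"Blob"=hex:01,00,\
  02,00
"Old"=-
'''

if __name__ == "__main__":
    print("\n".join(report(diff_autostart(BEFORE, AFTER))))
```

Run against the constructed snapshots it reports one change, the added `WinUpdate` value, marked `!!` because its command line lives under `Local Settings\Temp`. Note what this does and does not give you: it catches persistence that lands in the watched keys, but, as stantley says, plenty of malware never touches them, so it complements a real-time scanner rather than replacing one.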
perfume
Account Disabled with 2,011 posts.
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
15-Jul-2009, 11:52 AM #9
Dear Gizzy,
Nice talking to you!

GeSWall has the option of setting the security to "low" when the program can be downloaded, but I would (in my opinion and experience) not advise anyone to tangle with the security settings! Copy/cut/paste the downloaded program to another partition of the disk. That should work fine, as it will allow the installation to proceed well, since the "tag of untrusted" will be removed!

There is an option to right click a file and label as safe but it says that feature is only available in the pro version.
Gizzy
Library Manager with 3,671 posts.
Join Date: Aug 2005
Location: NJ, USA
Experience: Comp Security Enthusiast
15-Jul-2009, 04:29 PM #10
Quote:
Originally Posted by perfume
Dear Gizzy,
Nice talking to you!

GeSWall has the option of setting the security to "low" when the program can be downloaded, but I would (in my opinion and experience) not advise anyone to tangle with the security settings! Copy/cut/paste the downloaded program to another partition of the disk. That should work fine, as it will allow the installation to proceed well, since the "tag of untrusted" will be removed!

There is an option to right click a file and label as safe but it says that feature is only available in the pro version.
Yes I forgot about moving the file to another partition.

I've decided to try out GesWall again. (Can't resist the urge to try out different security programs every so often. )
I downloaded the free version and I have the option in my right-click menu to "Label as Trusted". Does that go away after a certain time, like 30 days? Or do you have a link to where it says it's only in the pro version? I couldn't seem to find a comparison between the free and pro; I think I've seen one before but now I can't find it.

Also, I see in the console you can scan for untrusted files and right-click them and mark them as Trusted. How about that way?

See attachments.
Attached thumbnails: trust.png, console_trust.png
seskanda
Junior Member with 26 posts.
Join Date: Apr 2009
15-Jul-2009, 07:59 PM #11
Well, I did say 'LITE' virtual machines; what's the difference between a VM and 'virtualize' anyway? Nonetheless, since malware CAN infect the virtual mode, there's a THIN line that prevents it from spreading to the REAL OS! That is, I still do NOT feel very secure with either Returnil or Sandboxie. I watched the 25 min video on GeSWall, but I'm still NOT sure WHAT it IS exactly; the video explains what it DOES. It seems more like a firewall on steroids to me, that is somehow smart enough to shield Windoze from malware....

I'm gonna install the trial of the Pro version soon. But I expect my programs that are already installed to get blocked. I hope it does NOT do this, since it'll take a LONG time to "trust" 30+ programs on a PC. I wonder how it treats removable disks/drives? Does it block loading stuff from them, too? What about uploading? Will it let me do that, or do I have to tell it to? Also, how long is a program trusted? I bet the Pro can set a time limit; I have to check this out.


Quote:
Originally Posted by stantley
It's highly unlikely that you would have "dozens of malware registry entries that come at the SAME time", but even if you did they would still be executed sequentially, one at a time and RegProt would give you an alert for each one.
Yeah, but that's A LOT of annoying POP-UP messages, right?

Quote:
Originally Posted by stantley
RegProt just gives another layer of protection that uses very little resources.
I hope GeSWall uses less than 20 megs of RAM. Otherwise, I'll stick with RegProt and Sandboxie/Returnil.
perfume
Account Disabled with 2,011 posts.
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
15-Jul-2009, 09:04 PM #12
Dear seskanda,
I hope you will enjoy the GeSWall experience! RegProt will be a useful addition. Did you go through the post about getting around downloads while you're in the GeSWall box? Never forget that Sandboxie is considered a superior alternative. Kindly read this review on all these: http://www.techsupportalert.com/best...ity.htm?page=1

Best wishes.
Gizzy
Library Manager with 3,671 posts.
Join Date: Aug 2005
Location: NJ, USA
Experience: Comp Security Enthusiast
15-Jul-2009, 09:40 PM #13
I'm sure someone else can explain the differences better than me, but here are some differences between Returnil and a VM.
A VM virtualizes hardware and consumes part of your resources to run a completely separate OS; inside a VM you can install programs, reboot, and take snapshots to revert back to.
With Returnil, it just sits in the tray until you decide to turn it on. Once you do that, anything that gets saved on your computer will be gone once you restart, so it's not an ideal way to install programs that need a restart, along with other things that a more powerful program (a VM) can do.
It depends on what you're doing to decide what you need.
If you want to install and test out a different OS, or programs that need a reboot, then a VM is better; but if you're looking at it for security and only using a low amount of resources, then Returnil is better.

Now as for security, there's a difference between the 2.

Sandboxie: even though Returnil virtualizes the whole OS, I still feel Sandboxie is safer with only virtualizing programs, because if any malware gets in it will be chained to the sandbox. The malware inside can't get higher rights than Sandboxie, and malware can't install drivers, services, etc. inside the sandbox. When you're done using your program inside the sandbox you can just empty it, and everything, including malware, is gone.

Returnil: it virtualizes the whole OS. Now, I said I thought Sandboxie is safer because any malware can do whatever it wants to your system; it's not restricted to a sandbox. Any malware should be gone when you restart, but I feel that it would be possible for malware to tamper with Returnil's files, since there's nothing really stopping malware from getting as high rights as Returnil.
So I think Returnil is best suited to be used in a limited account, because the malware would be limited in what it can do and couldn't get as high rights as Returnil, which would be installed with an admin account.
Now of course this is just opinion, and the malware would probably have to be aware of Returnil being installed.
Also, newer versions of Returnil have an anti-execute tool which will ask you what executables can execute.

Now there have been times in the past where malware has bypassed those 2 programs, but it's very rare these days, especially Sandboxie. I only say that since I see more people testing Sandboxie with live malware than I do Returnil.
And the developers of those products are very quick to fix any holes that malware breaks through, once the hole is found and confirmed.

Now that's enough of those 2 programs.

Now onto GeSWall. The term most used for it is a "policy sandbox"; just for reference, Sandboxie is called a "virtual sandbox".
The programs isolated inside GeSWall's sandbox are restricted in what they can do to your system. I'm not entirely sure what it restricts yet, though; I haven't had much time today to really try it out much.

I don't think there's any time limit with the trust; it's basically 2 options, trusted and isolated. You'll actually want to keep your internet-facing apps isolated, like browsers, email clients, etc., since that's where a lot of malware comes from. I think you'll mostly just need trusted for installation files, so that when a program is installing it won't be restricted.

I don't know about the removable drives/disks. I know it can't control files/programs on them (that's why they lose their trusted/isolated label if a file is moved from drive to drive), but I'm not sure if it can control files coming from them, by isolating a drive perhaps...? I need to test/try it some more.

Also, since you seem willing to pay, another option is DefenseWall. Sorry to make things harder by adding more to choose from, but I wanted to add it since I've heard it's easier to use out of the box. I think GeSWall is said to be more configurable, and I believe DefenseWall is more actively developed; I've never used it though.

RAM usage from Task Manager on my computer right now is:

GeSWall
gswserv.exe = 8,452
gswui.exe = 8,796

Sandboxie
SandboxieDcomLaunch.exe = 2,856
SandboxieRpcSs.exe = 3,632
SbieCtrl.exe = 7,836
SbieSvc.exe = 2,312

Returnil
Returnil.exe = 6,812

Now those numbers can vary from system to system, since no 2 are alike.
Also, I don't currently have Returnil active, so that might change if I activate it.
I'm actually only using Sandboxie currently; I don't have anything running inside GeSWall's sandbox currently.
And RAM usage isn't the only way to define a low-resource program; there's also CPU, disk writes, etc.

Wow, that was a long post, hope you don't mind reading.
And sorry for any typos...I think I got them all.

Last edited by Gizzy; 15-Jul-2009 at 09:56 PM.
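The "virtual sandbox" versus "policy sandbox" distinction Gizzy draws above, together with the install workarounds discussed earlier in the thread (an installer downloaded through an isolated browser inherits the restriction; copying it to another partition drops the label), is easier to reason about as code. The model below is an added example, not code from Sandboxie, Returnil or GeSWall: a Sandboxie-style sandbox answers writes from a private overlay that can be emptied, while a GeSWall-style label simply denies certain operations to isolated processes and propagates to whatever they spawn or save. The exact rule set for an isolated process (no registry writes, no driver loads) and the registry and file names are assumptions made for the model.

```python
"""Toy model of the two sandbox styles contrasted in the post above.

Added example: not Sandboxie's, Returnil's or GeSWall's code, just a small
model of the behaviour the thread describes. The "registry" and the file
labels are plain dicts; the rules for isolated processes are assumptions.
"""

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def run_value(name):
    return RUN + "\\" + name


class VirtualSandbox:
    """Sandboxie-style 'virtual sandbox': the sandboxed program reads through to
    the real registry, but every write lands in a private overlay. Emptying the
    sandbox discards the overlay; the real store is never modified."""

    def __init__(self, real):
        self.real = real          # the real registry (never written from in here)
        self.overlay = {}         # copy-on-write layer seen only inside the sandbox
        self.deleted = set()      # keys the sandboxed program "deleted"

    def read(self, key):
        if key in self.deleted:
            return None
        return self.overlay.get(key, self.real.get(key))

    def write(self, key, value):
        self.deleted.discard(key)
        self.overlay[key] = value

    def delete(self, key):
        self.overlay.pop(key, None)
        self.deleted.add(key)

    def empty(self):              # "everything including malware is gone"
        self.overlay.clear()
        self.deleted.clear()


class PolicyViolation(PermissionError):
    pass


class PolicyProcess:
    """GeSWall-style 'policy sandbox': a process is 'isolated' or 'trusted'.
    Assumed rules: isolated processes may read but not modify the real registry
    or load drivers, and files they save and processes they start inherit
    'isolated'. Nothing is virtualised; a denied write simply fails."""

    def __init__(self, name, label, real, files):
        self.name, self.label, self.real, self.files = name, label, real, files

    def write_registry(self, key, value):
        if self.label == "isolated":
            raise PolicyViolation(f"{self.name} (isolated) may not write {key}")
        self.real[key] = value

    def install_driver(self, service):
        if self.label == "isolated":
            raise PolicyViolation(f"{self.name} (isolated) may not load {service}")
        self.real[r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + service] = "kernel"

    def save_file(self, path):
        self.files[path] = self.label        # a download inherits the browser's label
        return path

    def spawn(self, path):
        # a labelled file keeps its own label; an unlabelled one runs as the launcher
        return PolicyProcess(path, self.files.get(path) or self.label, self.real, self.files)


def copy_to_other_drive(files, src, dst):
    """The thread's workaround: a file copied to another partition loses its label."""
    files[dst] = None
    return dst


def walkthrough():
    """Replay the scenarios from the thread; returns observations for checking."""
    real = {run_value("ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe"}
    out = {}

    # 1. Virtual sandbox: a drive-by inside the sandboxed browser adds a Run value.
    sb = VirtualSandbox(real)
    sb.write(run_value("Updater"), r"C:\Temp\update.exe")
    out["inside_sees_updater"] = sb.read(run_value("Updater"))
    out["inside_sees_real"] = sb.read(run_value("ctfmon.exe"))
    sb.empty()
    out["after_empty"] = sb.read(run_value("Updater"))
    out["real_untouched"] = run_value("Updater") not in real

    # 2. Policy sandbox: an installer saved by the isolated browser inherits the label.
    files = {}
    browser = PolicyProcess("iexplore.exe", "isolated", real, files)
    setup = browser.save_file(r"C:\Downloads\setup.exe")
    try:
        browser.spawn(setup).write_registry(run_value("NewApp"), r"C:\Program Files\NewApp\app.exe")
        out["install_from_browser"] = "allowed"
    except PolicyViolation:
        out["install_from_browser"] = "denied"
    try:
        browser.install_driver("sampledrv")
        out["driver_from_browser"] = "allowed"
    except PolicyViolation:
        out["driver_from_browser"] = "denied"

    # 3. Copy to another partition, then launch it from a trusted shell.
    moved = copy_to_other_drive(files, setup, r"D:\setup.exe")
    explorer = PolicyProcess("explorer.exe", "trusted", real, files)
    explorer.spawn(moved).write_registry(run_value("NewApp"), r"C:\Program Files\NewApp\app.exe")
    out["install_after_copy"] = run_value("NewApp") in real
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:22} {v!r}")
```

The two halves fail in different ways, which is the point of the comparison: the virtual sandbox lets the malicious write succeed but only into a layer you throw away, so the program keeps running and you have to remember to empty the sandbox; the policy sandbox makes the write fail outright, which is why an installer run from inside the restriction breaks, and why dropping the label (the copy-to-another-partition trick) restores normal installs, for good or ill.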
stantley
Distinguished Member with 6,738 posts.
Join Date: May 2005
Location: Pittsburgh PA USA
Experience: The Jimi Hendrix
15-Jul-2009, 09:50 PM #14
Quote:
Originally Posted by seskanda View Post
Yeah, but that's A LOT of annoying POP-UP messages, right?
Well, you can stop the program from running when you do a legitimate install, because you will get some pop-ups. But when you get a pop-up out of the blue, that's when it's warning you that something is trying to modify the registry and you can prevent it. I would think you'd be more relieved than annoyed.
perfume
Account Disabled with 2,011 posts.
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
15-Jul-2009, 10:00 PM #15
Dear Gizzy,
You've summed it up nicely. When a program is downloaded within a GeSWall'ed browser and you copy the program and cut/paste it to another partition, the "unsafe" tag is off. Then the program can be installed without any hitches. That's what I do, because the "policies" of GeSWall are better left untouched. Will look up the new prog. you unleashed!

Dear stantley,
RegProt is excellent! Just downloaded it from
http://softpedia.com/dyn-search.php and it has verified all my installed programs and has shown what keys were affected and got a "yea" from the Admin (that's me). Thank you!
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.