SnDPhoenix

Yeah, but Sandboxie always promised to be software and has stayed that way, it isn't trying to act as a piece of hardware. It is like the hardware FW comparison, you could either install a program that acts as a hardware FW, though it will always just be a software FW, or you could use a real hardware FW instead, up to you... It's like a program working in conjunction with your monitor to emulate a video card. However, I will say one good thing about hypersight, and that is that hypersight might lead to the invention of a true hardware hips. Just my views on a hypervisor-hips though...

Rasheed187

No, and I do understand it, but like I said before, this stuff is already known by hackers, and don't forget, I'm not like that guy who wanted to have a complete blueprint of how SBIE works. But OK cool, I guess you already answered it. The reason why I asked was because I've noticed that some HIPS are able to protect their kernel hooks, and also because I read that relying only on user mode hooks is a bad idea.
Yes exactly, and HyperSight already proves that it can be useful. I just wondered if HIPS/Sandboxes could perhaps also be installed as a hypervisor in the future. And yes I know, it's perhaps a stupid question, but I don't have the technical know-how. At the moment I get the impression that the hypervisor is probably not meant for this, but it's more meant to protect Windows and security tools against rootkits, so it does sound cool to me.
Ok, so you think this is a stupid idea, and now you come with something like hardware HIPS? Can you explain what this would look like? And don't forget that this technique already makes use of the processor's hardware virtualization capabilities (Vanderpool/Pacifica) and AFAIK, hardware will always need to be controlled by software.

SnDPhoenix

Virtualization has nothing to do with HIPS, Virtualization is for virtualizing an environment within an OS, HIPS is a prevention system for the OS. Apples and oranges baby!

Rasheed187

Yes, I know, but you still haven't explained to me what a "hardware HIPS" exactly is, I can't visualize it. And besides, virtualization can indeed be used for security, as demonstrated by SBIE and now Hypersight.

SnDPhoenix

Well I can't explain it cause it doesn't exist. However, I guess just a box you plug in and it allows you control over processes (using a software interface of course) no different than a software hips, however, since it is hardware, it wouldn't be prone to being shut down by malware as a software based hips would be!
Well Sandboxie isn't really virtualization, since it doesn't virtualize an environment, it is a sandboxing app. Also I don't know if I'd really consider Hypersight a virtualization app as well, more of a HIPS, even though it uses the hypervisor, it isn't quite virtualization though... Anyways this is just my opinion about a hypervisor-HIPS, I just don't think it will work out real great in the end. I mean, hell, it can't even block rootkits... Just stick with the well known HIPS, such as SSM or PS.

Rasheed187

I was just about to write that this is a silly idea, but then I read about Komoku (recently bought by M$) and guess what, they use a PCI Card to detect rootkits on the system, from outside the OS. But I'm not sure if this device can actually prevent rootkits from loading in the first place. They also offer a much cheaper software solution, btw.
Wrong, you've got different types of virtualization. And Hypersight actually turns the whole OS into a virtual machine. It runs in a layer below the OS and has complete control, or something like this.
I have to disagree, just because it's software based doesn't mean it's crap. In fact, I would actually pay money for this stuff. AFAIK, it can detect AND prevent rootkits from loading. At least in theory, because I'm not sure if Hypersight already works correctly. Also, I've read that it can make use of security features from the processor (Intel Vanderpool/AMD Pacifica) plus a separate TPM chip to protect itself from attacks.

SnDPhoenix

I have a question, have you tried the hyper-sight out yet?
Then I have one thing to ask.... 64-bit support? Why do I ask, cause I was thinking, currently it only supports Intel processors, however, they mentioned supporting AMD processors soon. Thing is though, is that most AMD processors are 64-bit, and no hips right now can run on a 64-bit (OS at least) due to many issues, such as the PatchGuard crap (which is OS related, but still...). But I was thinking, if hypersight uses your hypervisor as the base of the HIPS, then that means, it wouldn't be limited by the PatchGuard on the OS, since it doesn't need to make any kernel changes or whatnot, right?

Multiprocessor and VT-x support?

