Sandboxing


Davidpr
May 25th, 2007, 08:53 AM
I sort of understand the theory behind sandboxing and it appears to be a very useful tool. I have looked at Sandboxie and GESWall (not sure that this is a sandbox?). Could anyone explain to me the benefits and differences between the two products please.

Best wishes.

interact
May 25th, 2007, 04:41 PM
Davidpr,

Sandbox technology basically redirects file, registry calls and/or memory access to a safe location on disk or memory. Typically they utilize kernel mode API hooks to redirect IO to a safe location.

Sandbox technology and VM technology both have one significant flaw. Malicious code can detect their presence and behave until they are no longer running in or near them.

A very simple example to check for Sandboxie:

A malicious program can detect Sandboxie by using "OpenService" and then "QueryServiceStatusEx" for the service name "SbieDrv", which is the driver name for Sandboxie. If the service is running then the malicious program does nothing bad and you assume the program is safe until you run it on another PC. There are a number of better ways of doing the same task but I hope this makes sense.

I will look at GESWall tonight and discover how they compare and get back to you with my findings.

~interact

Davidpr
May 25th, 2007, 07:21 PM
-{ Quote: "Davidpr,

Sandbox technology basically redirects file, registry calls and/or memory access to a safe location on disk or memory. Typically they utilize kernel mode API hooks to redirect IO to a safe location.

Sandbox technology and VM technology both have one significant flaw. Malicious code can detect their presence and behave until they are no longer running in or near them.

A very simple example to check for Sandboxie:

A malicious program can detect Sandboxie by using "OpenService" and then "QueryServiceStatusEx" for the service name "SbieDrv", which is the driver name for Sandboxie. If the service is running then the malicious program does nothing bad and you assume the program is safe until you run it on another PC. There are a number of better ways of doing the same task but I hope this makes sense.

I will look at GESWall tonight and discover how they compare and get back to you with my findings.

~interact" }-

Thank you for this. So if a nasty does nothing bad, once you close the sandbox the malware gets wiped from the PC?

Pedro
May 25th, 2007, 07:22 PM
-{ Quote: "Thank you for this. So if a nasty does nothing bad, once you close the sandbox the malware gets wiped from the PC?" }-
;D Yes.

interact
May 25th, 2007, 09:17 PM
-{ Quote: "Thank you for this. So if a nasty does nothing bad once you close the sandbox then the malware gets wiped fromthe PC?" }-

Davidpr - Any malicious activity would be contained in the sandbox so when it's closed down any changes the malware did would not be stored directly on your live O/S. The problem occurs when the malware detects the sandbox, behaves itself and you then assume it's safe to use on your "live" environment.

~interact

ErikAlbert
May 25th, 2007, 09:39 PM
My understanding is that a sandbox isolates the malware.
1. So the installation of the malware is not a problem anymore, because it will be removed by the sandbox.
2. The EXECUTION of the malware might be a problem.
2a. If its evil job only affects your harddisk, then it won't hurt anything.
2b. If its evil job is to steal your data and it is able to do this even when isolated, then you have a problem.

DefenseWall treats your browser as an untrusted application and it's my understanding that your browser and all applications opened via your browser (like Adobe Reader) will be very limited in their execution or have no execution at all.

If I'm wrong correct me. I'm also trying to understand how these softwares work in practice.

innerpeace
May 26th, 2007, 12:37 AM
-{ Quote: "2b. If its evil job is to steal your data and it is able to do this even when isolated, then you have a problem.
" }-
I guess there are many ways to deal with this problem. I believe I know how you deal with it Eric ;D. I don't have the ability at this moment to create any image except to my 1 and only hard drive. My burner just won't burn for me either. I think I can get within 99% of not letting data get stolen though.

1. Start a clean browser/sandbox session. You may have to empty the sandbox manually. That is the way I have Sandboxie set at the moment. In other words don't visit questionable sites then decide you need to do your online banking.

2. Make sure your computer is clean to begin with. There are many methods to achieve this, or get close.

3. Run real-time security applications while running sandboxed/virtualized. This is good advice period, unless of course you collect malware. Sandboxie is good for collecting malware as you can pluck files from the sandbox as needed.

I am very new to Sandboxie and I already feel exposed when not using it. The same feeling that I had when running my browser as a limited user with dropmyrights. Now I'm using both and feel 99% confident as to my safety. The other 1% or less, lets just say ignorance is bliss. :)

The only downside I see to Sandboxie is it using 4 processes not including Firefox. I'm not hurting for RAM so the trade-off is the warm and fuzzy feeling of safety. I guess that there is also the possibility for something bad to "leak" out of the sandbox into your system. Again, what are the chances of that happening? Sandboxie is just another layer of security for me.

Ilya Rabinovich
May 26th, 2007, 02:05 AM
In fact, the main idea of any sandbox HIPS is isolation of the threat-gate applications, and of the malware that came through them, from the sensitive areas of your system. This could be based on policy restrictions or virtualization. SBIE mostly relies on virtualization, DefenseWall on policies, GeSWall is somewhere in the middle.

ErikAlbert
May 26th, 2007, 03:09 AM
-{ Quote: "In fact, the main idea of any sandbox HIPS is isolation of the threat-gate applications, and of the malware that came through them, from the sensitive areas of your system. This could be based on policy restrictions or virtualization. SBIE mostly relies on virtualization, DefenseWall on policies, GeSWall is somewhere in the middle." }-
Yes, but which one stops the execution of malware. I know Anti-Executable does, but still not sure about DefenseWall, Sandboxie and GesWall. :)

solcroft
May 26th, 2007, 04:17 AM
-{ Quote: "Sandbox technology and VM technology both have one significant flaw. Malicious code can detect their presence and behave until they are no longer running in or near them." }-
I don't see how this is a flaw at all. The sandbox has succeeded in preventing any malicious payload from delivering in this case, and achieved its purpose perfectly.

tradetime
May 26th, 2007, 05:42 AM
-{ Quote: " The problem occurs when the malware detects the sandbox, behaves itself and you then assume it's safe to use on your "live" environment.

~interact" }-
That's interesting, I was not aware of this, good to know.

tradetime
May 26th, 2007, 05:49 AM
-{ Quote: "I don't see how this is a flaw at all. The sandbox has succeeded in preventing any malicious payload from delivering in this case, and achieved its purpose perfectly." }-
The flaw would be that people may use the sandbox to test unknown programs, by running the Windows installer inside the box and installing the program to see if it is malicious. Say, for example, some novelty game has a downloader tucked away in it to download lots of nasties to your machine. If it detects Sandboxie, as interact says, then it simply does what it looks like it should do and behaves as a game. You, satisfied that nothing bad happened, then install it on your real machine, and now, detecting it is free of the sandbox, the downloader springs into action.

flinchlock
May 26th, 2007, 07:17 AM
-{ Quote: "2a. If its evil job only affects your harddisk, then it won't hurt anything." }-What? How so? Are you saying, even if the disk is totally zeroed, since you have archives/snapshots/images stored someplace other than the hard drive that got toasted, you are good to go?

Mike

solcroft
May 26th, 2007, 07:36 AM
-{ Quote: "The flaw would be that people may use the sandbox to test unknown programs, by running the Windows installer inside the box and installing the program to see if it is malicious. Say, for example, some novelty game has a downloader tucked away in it to download lots of nasties to your machine. If it detects Sandboxie, as interact says, then it simply does what it looks like it should do and behaves as a game. You, satisfied that nothing bad happened, then install it on your real machine, and now, detecting it is free of the sandbox, the downloader springs into action." }-
While it's an interesting conjecture, the SbieDrv service is active whether or not a program is running inside the sandbox; and querying the service status doesn't sound like a very smart way for a program to detect if it's running inside or outside the sandbox.

Does interact have any other ideas how a program may verify whether it's running in a virtualized or live environment?
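
The service check interact describes, and the objection solcroft raises to it, as an added PowerShell example that is not code from the thread or from Sandboxie. It assumes that sc.exe returns a non-zero exit code for a service that does not exist and, going beyond what the thread states, that Sandboxie loads SbieDll.dll into every process it supervises, which is what lets a program tell "Sandboxie is installed" apart from "I am running inside the box". The third function turns the same indicators around for triage of a suspect binary; the file path it takes is whatever you point it at.

```powershell
# Added example, not code from the thread or from Sandboxie: the two checks a
# program could run to decide whether it is dealing with Sandboxie, plus a
# triage helper that looks for the same probe strings inside a suspect binary.
# Assumptions: sc.exe reports a non-zero exit code (1060) for a service that
# does not exist, and Sandboxie loads SbieDll.dll into every process it boxes.

function Get-SandboxieDriverState {
    # The check interact describes, done through the Service Control Manager:
    # ask about the kernel driver SbieDrv. As solcroft notes, this only tells
    # you Sandboxie is installed and loaded, not that *this* process is boxed.
    $out = & sc.exe query SbieDrv 2>&1
    if ($LASTEXITCODE -ne 0) { return 'Absent' }      # 1060: service not found
    if (($out | Out-String) -match 'RUNNING') { return 'Running' }
    return 'Stopped'
}

function Test-SandboxieInjected {
    # Stronger "am I inside the box?" test (assumption stated above): look for
    # SbieDll.dll among the modules mapped into the current process.
    $modules = (Get-Process -Id $PID).Modules
    return [bool]($modules | Where-Object { $_.ModuleName -ieq 'SbieDll.dll' })
}

function Find-SandboxProbeStrings {
    # Defender's side of the same trick: a sample that carries the driver or
    # DLL name is worth a second look before it is declared clean. Both ASCII
    # and UTF-16LE encodings are checked because Win32 string literals may be
    # either. OpenService/QueryServiceStatusEx alone are far too common to flag.
    param([Parameter(Mandatory)][string]$Path)
    $markers = @('SbieDrv', 'SbieDll.dll')
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
    $wide  = [System.Text.Encoding]::Unicode.GetString($bytes)
    $hits = foreach ($m in $markers) {
        if ($ascii.Contains($m) -or $wide.Contains($m)) { $m }
    }
    return @($hits)
}

# Usage from a console: run it once normally and once launched through
# Sandboxie to see the second line flip from False to True.
"SbieDrv driver: $(Get-SandboxieDriverState)"
"This process is sandboxed: $(Test-SandboxieInjected)"
# Find-SandboxProbeStrings -Path 'C:\samples\suspect.exe'   # hypothetical path
```

Run unboxed on a machine with Sandboxie installed, the driver reports Running while the module check is False, which is exactly solcroft's point: the driver query alone cannot distinguish the two situations, so a sample that relies on it would also go quiet on the real machine and harm no one. The string scan is the cheap counter-check a tester would do before trusting a sample that "behaved" in the box.
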

ErikAlbert
May 26th, 2007, 07:53 AM
-{ Quote: "What? How so? Are you saying, even if the disk is totally zeroed, since you have archives/snapshots/images stored someplace other than the hard drive that got toasted, you are good to go?

Mike" }-
No, that's not what I mean.
My assumption is that when a malware executes itself in a sandbox and this malware only changes something on my harddisk, those changes will be removed, when the sandbox is closed. Otherwise I don't see the purpose of a sandbox.
If the sandbox doesn't do that for some reason, my boot-to-restore will clean it up.

I'm not worried about changes on my harddisk, I'm worried about the execution of a malware, which is the worst part of malware. A malware on your harddisk without execution is harmless.

I only need security softwares that stop the execution of any infection between two reboots, after reboot everything is gone, because I replace my system partition with a clean one.

flinchlock
May 26th, 2007, 08:13 AM
-{ Quote: "My assumption is that when a malware executes itself in a sandbox and this malware only changes something on my harddisk, those changes will be removed, when the sandbox is closed. Otherwise I don't see the purpose of a sandbox.
If the sandbox doesn't do that for some reason, my boot-to-restore will clean it up." }-I am sure mine and your boot-to-restore will clean normal files/folders. ;D ;D
-{ Quote: "I'm not worried about changes on my harddisk, I'm worried about the execution of a malware, which is the worst part of malware. A malware on your harddisk without execution is harmless." }-I am worried about changes on my harddisk... I mean the secret hidden data changes. I am sure mine and your boot-to-restore will not remove those... only zeroing a disk will.

Mike

solcroft
May 26th, 2007, 08:17 AM
Erik,

I was wondering if you'd explain your definition of execution to me, because on reflection it doesn't seem to be the same concept for you as it is for me. It seems somewhat strange for me to be obsessed over whether a malware executes or not, yet be so flippant about what payloads it delivers.

ErikAlbert
May 26th, 2007, 09:00 AM
-{ Quote: "Erik,

I was wondering if you'd explain your definition of execution to me, because on reflection it doesn't seem to be the same concept for you as it is for me. It seems somewhat strange for me to be obsessed over whether a malware executes or not, yet be so flippant about what payloads it delivers." }-
If an infection destroys your harddisk, that's called execution.
If an infection steals your data, that's called execution.
If an infection hijacks your browser, that's called execution.
If an infection disables your AntiVirus, that's called execution.
An infection that is waiting for a trigger to execute itself, is not called execution, until it's triggered.
I guess you know now what I consider as execution. :)

Installation and execution are two different things.
When a malware installs itself doesn't necessarily mean it has done its evil job. Some malware executes themselves immediately after the installation, but not all of them.

interact
May 26th, 2007, 02:58 PM
-{ Quote: "While it's an interesting conjecture, the SbieDrv service is active whether or not a program is running inside the sandbox; and querying the service status doesn't sound like a very smart way for a program to detect if it's running inside or outside the sandbox.

Does interact have any other ideas how a program may verify whether it's running in a virtualized or live environment?" }-

solcroft - I have posted a URL in another thread regarding detecting execution in Virtual Machines.

Detecting the driver for Sandboxie is quick and easy, I agree :) In the real world users don't run applications within a sandbox 24/7; they use them to check if a program is OK.

The definition in Wikipedia is this: In computer security, a sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third-parties, suppliers and untrusted users.

My technique simply exploits their defined use, so when a company uses a sandbox to test programs before rolling them out onto a corporate network, my malware behaves while being tested in the sandbox, then causes havoc when executed on users' PCs. It might be a crude method but in the above example it would have been effective.

A more complex method is to detect the API hooks (I have posted this URL to a presentation regarding removing kernel mode API hooks in another thread) but here it is again:

http://www.packetstormsecurity.org/hitb04/hitb04-chew-keong-tan.pdf

~interact

solcroft
May 26th, 2007, 03:24 PM
interact,

I'm already familiar with those PDFs, thank you very much anyway.

It'd be a stretch to imagine that companies would use SandboxIE, of all things, to test for malicious software though. SandboxIE is a poor testing ground to watch for malware activity, simply because so many API calls within the sandbox are restricted or blocked altogether. It was designed to contain malware, not provide them with an (entirely) unrestricted space to carry out their activities. If a file appears safe in SandboxIE, only someone who doesn't know how the sandbox works would declare it clean, much less roll it out across a "corporate network".

ErikAlbert
May 26th, 2007, 04:38 PM
-{ Quote: "
I am worried about changes on my harddisk... I mean the secret hidden data changes. I am sure mine and your boot-to-restore will not remove those... only zeroing a disk will." }-
I don't think many users are interested in these secret hidden data on their harddisk. Your thread :
http://www.wilderssecurity.com/showthread.php?t=175658
didn't get much attention.

interact
May 26th, 2007, 06:59 PM
-{ Quote: "interact,

I'm already familiar with those PDFs, thank you very much anyway.

It'd be a stretch to imagine that companies would use SandboxIE, of all things, to test for malicious software though. SandboxIE is a poor testing ground to watch for malware activity, simply because so many API calls within the sandbox are restricted or blocked altogether. It was designed to contain malware, not provide them with an (entirely) unrestricted space to carry out their activities. If a file appears safe in SandboxIE, only someone who doesn't know how the sandbox works would declare it clean, much less roll it out across a "corporate network"." }-

solcroft,

I think the problem is that users can be convinced that VM and Sandbox technology are 100% safe. I hope our feedback has given some balanced feedback into this thread.

~interact

Davidpr
May 26th, 2007, 07:39 PM
-{ Quote: "solcroft,

I think the problem is that users can be convinced that VM and Sandbox technology are 100% safe. I hope our feedback has given some balanced feedback into this thread.

~interact" }-

Interact, yes very interesting. Sandboxing seems to be a very useful additional layer of protection when using the internet. I am still not sure of the differences between Sandboxie and GESWall so I will try both.

ErikAlbert
May 26th, 2007, 08:46 PM
As far as I understood Sandboxie isolates all good and bad objects of a sandboxed application, but doesn't see the difference between good and bad objects and the user has to decide which objects he wants to keep. If the user isn't knowledgeable enough he might keep the bad objects also.
If that is true then Sandboxie isn't a security software, but a recovery software.
The same counts for PowerShadow.

EASTER.2010
May 26th, 2007, 09:20 PM
The question that stands out most in my mind, from what Ilya pointed out about the differences in techniques, is which is most vulnerable. Windows Policies are a good method, CoreForce used them in its AIO program, but if the legit workers can manipulate policies for good, the bad ones can also force onto those same policies and make trouble, right? Again, how vulnerable is using Windows Policies compared to using virtualization like Sandboxie etc.?

It's already a given that any program but moreover yet, windows core systems structure, are subject to some weakness. But is it to a greater degree than a virtualization/sandbox scenario?

Great Discussion Guys, i'm still learning too. LoL

ErikAlbert
May 27th, 2007, 07:11 AM
-{ Quote: "The question that stands out most in my mind to what Ilya pointed out in differences of techniques, is which is most vulnerable. Windows Policies are a good method, CoreForce used them in it's AIO program, but if the legit workers can manipulate policies for good, the bad ones can also force onto those same policies and make trouble, right? Again, how vulnerable is using Windows Policies compared to using Virtualizations like Sandboxie etc.

It's already a given that any program but moreover yet, windows core systems structure, are subject to some weakness. But is it to a greater degree than a virtualization/sandbox scenario?

Great Discussion Guys, i'm still learning too. LoL" }-
What if I combine Sandboxie and DefenseWall, then I have virtualization AND Windows Policies to protect my computer.
If I add my boot-to-restore, based on the Industrial Snapshot Technology, to both technologies, I have probably the best guarded computer in the world. ::)

wat0114
May 28th, 2007, 12:46 AM
-{ Quote: "
If an infection destroys your harddisk, that's called execution.
If an infection steals your data, that's called execution.
If an infection hijacks your browser, that's called execution.
If an infection disables your AntiVirus, that's called execution.
" }-

Right. And I would maintain that the worst one of those - by far - is the stealing of data. That is why a termination resistant firewall with outbound control to restrict everything to selected ports, addresses, direction and protocol is of utmost importance. I can deal far better with malware simply destroying my data than malware stealing my data. As long as data is backed up to external media, and especially if imaging software is used, recovering a blown away h/drive is a relative minor inconvenience compared to the theft of private data.

Longboard
May 28th, 2007, 10:18 AM
-{ Quote: "And I would maintain that the worst one of those - by far - is the stealing of data. That is why a termination resistant firewall with outbound control to restrict everything to selected ports, addresses, direction and protocol is of utmost importance. I can deal far better with malware simply destroying my data than malware stealing my data. As long as data is backed up to external media, and especially if imaging software is used, recovering a blown away h/drive is a relative minor inconvenience compared to the theft of private data." }-

This is an acknowledged and recognised issue with Sandboxie.
While in the sandbox browsing, for example, a keylogger or data stripper can operate as long as there is no kernel driver installed (blocked in Sandboxie) and data 'could' be stripped. Any malware that can, will/may run in the current session.
Less likely with FF and NoScript etc. etc...

Firewall might be OK as long as config is tight to prevent outgoing connections, but many trojans can install as 'trusted' outgoing connections.
Obviously if the mal requires a reboot to operate/install then not an issue when sandbox emptied after session. PrevX has for me been able to operate in the sandbox to catch any suspicious operations it recognises so far.

Any 'drive-by' type mals that might get past FF or other apps in the sandbox will be stripped out when sandbox emptied.

Obviously DO NOT use any passwords, banking logins, credit card details etc in same sessions as -heh- random browsing.

AFAIK DefenseWall can be set up to stop this and provide a so far unbreakable barrier and roll back any changes. I don't have any experience of same; not using DW (not sure why not lol), just from reading here and @Gladiator/DW forum. (maybe waiting for next version of DW ;) )

I like the "per application" control of Sandboxie and with other tools all good so far. Just knowing potential weaknesses of any app is a boon in itself.

Regards.

WilliamP
May 28th, 2007, 10:39 AM
Based on my reading of all the PowerShadow,DefenseWall,and assorted sand box and virtualization posts it seems that key loggers are the main concern. While surfing in PS or any other program that protects the system ,you could have data stolen. For me I can crank up PS in my FD-ISR snapshot then enable DW protection and my system will be safe. So what is the best program to ensure that nothing can get any data?

ErikAlbert
May 28th, 2007, 11:50 AM
IMO sandboxes and virtualization, don't recognize evil objects, they only isolate them, just like they isolate good objects.
How can such softwares recognize malware, do they have signatures, heuristics, etc. ? I don't think so. If they don't recognize them, they can't stop their execution either.

Once the sandbox is closed, the malware is gone of course, but my frozen snapshot does the same thing. That's called recovery, not security.
Security is supposed to see the difference between good and bad objects.

WilliamP
May 28th, 2007, 11:55 AM
Yes I agree completely. But while in the sandbox, data can be stolen unless there is something to catch it.

ErikAlbert
May 28th, 2007, 12:05 PM
-{ Quote: "Yes I agree completely. But while in the sandbox, data can be stolen unless there is something to catch it." }-
Exactly. Sandboxes and virtualization are good REMOVAL tools for malware, nothing more than that.
If a good object remains in your sandbox and you don't save it in time, it will disappear with all the rest.

trjam
May 28th, 2007, 12:16 PM
-{ Quote: "Security is supposed to see the difference between good and bad objects." }-
But even still, not all security apps can do that 100 percent. So to me, a good AV, and either Sandboxie or Power Shadow makes the most sense to me. Just started using Power Shadow and really like it.;)

ErikAlbert
May 28th, 2007, 12:26 PM
-{ Quote: "But even still, not all security apps can do that 100 percent. So to me, a good AV, and either Sandboxie or Power Shadow makes the most sense to me. Just started using Power Shadow and really like it.;)" }-
As a cleaning tool yes, the problem is that Sandboxie, etc. will remove the good objects too, if you don't save them in time.
A scanner removes only the bad objects, except for false/positives of course.
My frozen snapshot removes also all changes, good and bad, but only in my system partition (Windows + Applications).

trjam
May 28th, 2007, 12:33 PM
What I am doing is manually updating everything then kicking in Power Shadow. I also have Sandboxie, why? I may go a few days before rebooting with Power Shadow. At least this way, any crap that may grab hold during a browsing session is gone as soon as I close Sandboxie, instead of it being there for a few days until I reboot. This is working great and about once a week I run Avira and SAS. But there isn't squat to be found.

Pedro
May 28th, 2007, 12:35 PM
-{ Quote: "How does Sandboxie protect me, technically?

Sandboxie extends the operating system (OS) with sandboxing capabilities by blending into it. Applications can never access hardware such as disk storage directly, they have to ask the OS to do it for them. Since Sandboxie integrates into the OS, it can do what it does without risk of being circumvented.

The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports. For some more information on this, please see SandboxHierarchy.

Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox.

Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program.

It should be noted, however, that Sandboxie does not typically stop sandboxed programs from reading your sensitive data. However, by careful configuration of the ClosedFilePath and ClosedKeyPath settings, you can achieve this goal as well.


Will Sandboxie protect me from malicious key-loggers?

Yes, to some extent. First of all, your system (outside the sandbox) must not have been already compromised by an installed key-logger. Sandboxie can not protect against key-loggers that are already running outside the sandbox.

You may want to consider always browsing sandboxed, so you don't accidentally get any key-loggers into your system.

It is very difficult to reliably detect a key-logger. For a lengthy explanation, please see DetectingKeyLoggers. So the most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox.

When you stop all sandboxed activity (in all sandboxes), then proceed to delete the sandbox you're about to use, you can be fairly certain that all key-loggers are dead. " }-

-{ Quote: "Detecting Key Loggers

It is very difficult to reliably detect all classes of key-loggers. This section first explains why this is so, and closes by offering a possible defense against them.

First, a distinction must be made between three classes of key-loggers:

* rootkit key-loggers
* windows hook key-loggers
* windows message key-loggers

Rootkit Key-Loggers

Rootkit key-loggers record keystrokes at the hardware level, typically by positioning themselves as a second keyboard hardware driver (a filter driver, in Windows terminology).
(...) easily blocked by Sandboxie.

If such a key-logger attempts to install, Sandboxie should report an informational message SBOX1014.

Windows Hook Key-Loggers

These key-loggers don't masquerade as hardware drivers, but they still have to ask the operating-system to load them (or hook them) into every program executing on the desktop.

If the executable files for the program requesting the hook, are located inside the sandbox, then the request is silently denied. Otherwise, the request is silently allowed.

This means key-loggers downloaded and started as part of your Web browsing session will be blocked. But it also means that some hooks can still be installed, if the sandboxed program has been installed outside of the sandbox.

This behavior is not adequate and will be revised in future version of Sandboxie.

Windows Message Key-Loggers

This class of key-loggers don't need any assistance from the operating-system, and can only reliably record activity within one program. However, from the point of view of a supervisory program like Sandboxie, they don't do anything suspicious, and so cannot be stopped.

In order for a program running on the desktop to actually process the keyboard input, the operating-system sends that program a message describing the input. The message key-logger, which is likely running in the same process space as the program being logged, can snoop on these messages in a variety of ways, which don't raise suspicion.

Typically this key-logger will be a secret Web browser plugin (or a secret component of a plugin), so it can easily record keyboard activity related to the Web browser.

Defending Against Key-Logger

The first step is to make sure your system is not infected by malicious key-loggers, prior to using Sandboxie. A system scan by an anti-virus or anti-malware tool should help here.

Then carry out untrusted activity (such as Web browsing) only in the restricted area of the sandbox. This doesn't mean you won't be infected by key-loggers, but it does mean you can get rid of them:

* You can make sure you stop all of them, by telling Sandboxie to stop all sandboxed activity in all sandboxes.
* Once stopped, you can discard the traces of their program code, by deleting the contents of the sandbox.

Once discarded, they can no longer record your keyboard activity, and you are safe to browse to trusted sites and enter your passwords.

Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection. " }-

Even in the worst scenario, you can visit your bank site without worry, and without reboot. Just clear the sandbox. Nothing malicious came from the sandboxed session, assuming you cleared it. No rootkits, keyloggers, nothing. No reboot.

FAQ (http://www.sandboxie.com/index.php?FrequentlyAskedQuestions)
Detecting Keyloggers (http://www.sandboxie.com/index.php?DetectingKeyLoggers)
Closed File Path (http://www.sandboxie.com/index.php?ClosedFilePath)
Closed Key Path (http://www.sandboxie.com/index.php?ClosedKeyPath)

trjam
May 28th, 2007, 12:56 PM
I can see why some say that AV products may be history before too long. My browsing speed is actually faster.

Peter2150
May 28th, 2007, 01:40 PM
One thing you can do to help protect your self with sandboxie is keep any and all private stuff under my documents. Then edit the configuration file and add this line.

ClosedFilePath=%Personal%

with that nothing running in the sandbox can access anything in my documents. I tested it and it works.

Pete

ErikAlbert
May 28th, 2007, 02:01 PM
Pedro,
First of all, many thanks for the explanation. I'm trying to understand how this software works and I don't always have much time.

Let me see if I get this right.
If an application is not sandboxed, it can install a certain rootkit.
If the same application is sandboxed, it cannot install the same rootkit.
So all depends on whether an application is sandboxed or not, because in both cases the rootkit IS malware and even the SAME malware.

This also means that it all depends on the user, if an application is sandboxed or not and hopefully he knows when an application needs to be sandboxed or not.
Am I right about this ? :)

lucas1985
May 28th, 2007, 02:11 PM
In GeSWall (http://www.gentlesecurity.com/features.html):
-{ Quote: "
GeSWall Restrictions and Effect:
No access to kernel - prevents kernel mode rootkits and key loggers
Read only access to trusted files, registry, processes etc. - prevents user mode rootkits, keyloggers, malware infections.
No local communications to trusted processes, e.g. windows messages, RPC, COM, WMI - prevents shatter attacks, user mode rootkits, keyloggers and malware infections.
No scheduled re-start - prevents backdoors, zombie bots and worms.
No access to confidential files - prevents leaks of confidential information.
" }-
DefenseWall also supports confidential files/folders.
Combine data encryption with a sandbox, a tight firewall ruleset, browser security (NoScript) and common sense/safe hex and you shouldn't suffer data leaks.

ErikAlbert
May 28th, 2007, 02:34 PM
I never get straight answers to my questions. I'm talking about Sandboxie alone, not in combination with other software. Just Sandboxie and put the rest aside. :)

Pedro
May 28th, 2007, 02:35 PM
-{ Quote: "Pedro,
First of all, many thanks for the explanation. I'm trying to understand how this software works and I don't always have much time.
" }-
Thanks, but note that I only copied directly from SandboxIE's site, word for word, minus a few things. Highlighting is also my doing.
-{ Quote: "
Let me see if I get this right.
If an application is not sandboxed, it can install a certain rootkit.
If the same application is sandboxed, it cannot install the same rootkit.
So all depends on whether an application is sandboxed or not, because in both cases the rootkit IS malware and even the SAME malware.

This also means that it all depends on the user, whether an application is sandboxed or not, and hopefully he knows when an application needs to be sandboxed or not.
Am I right about this ? :)" }-
Yes. You should note the quote from lucas regarding GeSWall, and his observation regarding DW. The main difference is virtualization in SandboxIE: everything is redirected to the "sandbox" folder (virtualization container), where the file system and registry are mirrored as needed. You then keep what you want by copying to the real folders.

GeSWall does not redirect things to the "virtualization container", except for some registry keys if I'm not mistaken. It simply enforces a policy, which is strict. DW is the same deal. I'm sorry for not expanding on this, but I haven't used it for a while.

Arguably GW and DW are more "housewife" material ;D .

Also note that I don't know how redundant this is when using something like AE. This is an open question in my head.

I do know that when I install an extension in FF (a possible working keylogger inside SandboxIE, for illustration purposes), SSM does not intercept it, and neither does SandboxIE. But the latter can flush it. Of course, FF does ask for confirmation, on legitimate extensions at least (IE too, probably).
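To make the redirection described in this post and Pete's ClosedFilePath line concrete, here is an added toy model (not Sandboxie's own code): the host file system is a dict, the container is a second dict that shadows it copy-on-write, closed_prefixes stands in for ClosedFilePath=%Personal%, and all paths and contents are constructed for illustration.

```python
# Added example, not Sandboxie's own code: a toy model of the redirection described
# above. The host file system is a dict, the "sandbox" container is a second dict,
# and closed_prefixes plays the role of ClosedFilePath=%Personal%. All paths are constructed.

class ToySandbox:
    def __init__(self, real_fs, closed_prefixes=()):
        self.real = real_fs          # host files: path -> content (sandboxed code never writes here)
        self.box = {}                # the virtualization container
        self.closed = tuple(closed_prefixes)

    def _closed(self, path):
        # A closed path is invisible to sandboxed code, both for reading and writing.
        return any(path.startswith(p) for p in self.closed)

    def read(self, path):
        if self._closed(path):
            return None              # denied by ClosedFilePath
        if path in self.box:         # the container copy shadows the real file
            return self.box[path]
        return self.real.get(path)   # otherwise fall through to the host

    def write(self, path, data):
        if self._closed(path):
            return False
        self.box[path] = data        # copy-on-write: the host file stays untouched
        return True

    def recover(self, path):
        """The user decides to keep something: copy it out of the container."""
        if path not in self.box:
            return False
        self.real[path] = self.box[path]
        return True

    def delete_sandbox(self):
        """Flush the container: everything the sandboxed app did goes away."""
        self.box.clear()

def demo():
    real = {"C:/Windows/hosts": "127.0.0.1 localhost",
            "C:/Users/me/My Documents/bank.txt": "account 1234"}
    sb = ToySandbox(real, closed_prefixes=["C:/Users/me/My Documents/"])
    sb.write("C:/Windows/hosts", "127.0.0.1 localhost\n10.0.0.1 added-in-box")
    sb.write("C:/Users/me/Downloads/setup.exe", "MZ...")
    out = {"box_sees_change": sb.read("C:/Windows/hosts") != real["C:/Windows/hosts"],
           "host_hosts_intact": real["C:/Windows/hosts"] == "127.0.0.1 localhost",
           "box_reads_bank": sb.read("C:/Users/me/My Documents/bank.txt"),
           "box_writes_bank": sb.write("C:/Users/me/My Documents/bank.txt", "x")}
    sb.recover("C:/Users/me/Downloads/setup.exe")
    sb.delete_sandbox()
    out["kept_download"] = real.get("C:/Users/me/Downloads/setup.exe")
    out["hosts_after_flush"] = sb.read("C:/Windows/hosts")
    return out
```

The sandboxed write to hosts is visible only inside the box and disappears when the container is flushed, while the recovered download survives and the closed My Documents path is unreadable and unwritable from inside.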

Pedro
May 28th, 2007, 02:38 PM
Also, another possible difference is you can sandbox anything with SandboxIE, and you don't need policies specific for Word, Powerpoint or whatever. It's the same policy for everything inside.
Again, forgive me for not expanding on this. But there has to be someone who can!

lucas1985
May 28th, 2007, 03:07 PM
Well, you can isolate everything in GW. Due to the rigid isolation policy, rules per app (the common ones) are needed if you don't want things breaking:
GeSWall's Access Control Policy (http://www.gentlesecurity.com/restriction.html)
-{ Quote: "
The GeSWall access control policy determines how GeSWall will restrict access by applications to system resources. Resources are files, registry keys, processes etc. and all resources are categorized as either untrusted, trusted or confidential.

The access restriction policy is composed of both generic rules which apply to all applications and specific rules which apply to only one application.


The generic rules for an isolated application are that the application:

- Can read but cannot modify trusted resources. Trusted base can't be modified
- Cannot read or modify confidential resources. Access to confidential resources is always forbidden
- May create new untrusted resources, e.g. files. For example, the browser cache
- May read or modify untrusted resources. An isolated app can read/write/delete untrusted browser cache

The only generic rule for a non-isolated application is that the application cannot load untrusted executables into its address space. All other resources access are allowed.

These generic rules are overridden by any application specific rules in the application database.


All resources are trusted except those created by isolated applications. Resources created by isolated applications are untrusted. Confidential resources are any resources, which are marked as confidential in the database. By default, any files in a user My Documents\Confidential folder are confidential. You may specify additional untrusted and confidential resources explicitly by their name or ownership.
" }-

-{ Quote: "I'm talking about sandboxie alone, not in combination with other softwares. Just sandboxie and put the rest aside. :)" }-
Security = layered approach. There's no silver bullet regarding security software.
A security setup needs to deal with different kind of threats:
- Network traffic (firewall)
- E-mail threats (read mail as text, drop unsolicited mail, etc)
- Execution control/interception (HIPS/whitelist)
- Browser security/privacy (NoScript, whitelist cookies, etc)
- Data leaks (firewall/sandbox/etc)
- Etc
When the security setup fails (there's no 100 % security, although the margin of failure is very, very thin in a well-thought-out security strategy) you go to the mitigation plan (imaging, reboot-to-restore, reinstalling, etc).
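The quoted GeSWall generic rules above can be read as a small access-control matrix over trusted, untrusted and confidential resources. The following added example (not GeSWall's code) evaluates those rules; the resource table, the Confidential folder prefix, the "isolated" flag and the file names are all constructed here for illustration.

```python
# Added example, not GeSWall's code: a toy evaluator of the generic rules quoted
# above. Resource table, confidential prefix and the "isolated" flag are constructed.
TRUSTED, UNTRUSTED, CONFIDENTIAL = "trusted", "untrusted", "confidential"
class GenericPolicy:
    def __init__(self, confidential_prefixes):
        self.confidential_prefixes = tuple(confidential_prefixes)
        self.resources = {}          # path -> trust class of every existing resource

    def _in_confidential(self, path):
        return any(path.startswith(p) for p in self.confidential_prefixes)

    def add_trusted(self, path):     # pre-existing files form the trusted base
        self.resources[path] = CONFIDENTIAL if self._in_confidential(path) else TRUSTED

    def allowed(self, isolated, op, path):
        """op is 'read', 'modify', 'create' or 'load'; returns True if permitted."""
        cls = self.resources.get(path)
        if not isolated:
            # Only generic rule for a non-isolated app: never load untrusted executables.
            return not (op == "load" and cls == UNTRUSTED)
        if op == "create":
            if cls is not None:               # overwriting an existing file is a modification
                return cls == UNTRUSTED
            return not self._in_confidential(path)   # a new file there would be confidential
        if cls is None or cls == CONFIDENTIAL:
            return False                      # missing, or always forbidden
        if cls == TRUSTED:
            return op in ("read", "load")     # trusted base is read-only
        return True                           # untrusted: read/modify/load all allowed

    def create(self, isolated, path):
        if not self.allowed(isolated, "create", path):
            return False
        if path not in self.resources:        # isolated apps only ever create untrusted resources
            self.resources[path] = UNTRUSTED if isolated else (
                CONFIDENTIAL if self._in_confidential(path) else TRUSTED)
        return True

def demo():
    conf = "C:/Users/me/My Documents/Confidential/"
    p = GenericPolicy([conf])
    p.add_trusted("C:/Windows/System32/kernel32.dll")
    p.add_trusted(conf + "bank.txt")
    browser, word = True, False          # isolated browser, non-isolated Word
    dropped = "C:/Users/me/Downloads/setup.exe"
    return {
        "browser_reads_dll": p.allowed(browser, "read", "C:/Windows/System32/kernel32.dll"),
        "browser_patches_dll": p.allowed(browser, "modify", "C:/Windows/System32/kernel32.dll"),
        "browser_reads_bank": p.allowed(browser, "read", conf + "bank.txt"),
        "browser_creates_download": p.create(browser, dropped),
        "browser_loads_download": p.allowed(browser, "load", dropped),
        "word_loads_download": p.allowed(word, "load", dropped),
        "word_reads_bank": p.allowed(word, "read", conf + "bank.txt"),
    }
```

Note the last two results: the file the isolated browser created is untrusted, so the non-isolated Word may not load it, while Word keeps full access to the confidential file that the browser cannot even read.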

Pedro
May 28th, 2007, 03:16 PM
Thanks lucas :thumb:
Now I recall something. The policy for something unknown is strict, but could break it as SandboxIE can. Then it is less strict for known applications, where they designed the policy specifically for it, where certain things don't need to be.

GeSWall deserves a revisit.

lucas1985
May 28th, 2007, 03:38 PM
It's very important to know how the app (Sandboxie, GW, firewall, AE, etc) works in order to use it at its best.

Peter2150
May 28th, 2007, 06:39 PM
-{ Quote: "Pedro,
First of all, many thanks for the explanation. I'm trying to understand how this software works and I don't always have much time.

Let me see if I get this right.
If an application is not sandboxed, it can install a certain rootkit.
If the same application is sandboxed, it cannot install the same rootkit.
So all depends on whether an application is sandboxed or not, because in both cases the rootkit IS malware and even the SAME malware.

This also means that it all depends on the user, whether an application is sandboxed or not, and hopefully he knows when an application needs to be sandboxed or not.
Am I right about this ? :)" }-

Yes you are. For example: if I download the kis.msi installer and run it normally, it installs KIS. If I run it sandboxed, the install fails, and when I delete the sandbox everything goes away.

So how do I use this, not being an expert on malware? Well, a little common sense. If I download something from a location I trust, then I just install it. If it's from a location I know I don't trust, then I had better do something to protect myself, i.e., the EA reboot-nuke procedure or something similar.

The value of sandboxie lies in a couple of things. First of all, all the potential junk from browsing is gone without a reboot. Secondly, if a site downloads hidden junk, even if it runs, it can't harm my system. It even can protect the My Documents folder. Another example, suppose I download a video and I am not sure about it. I can run my media player from my desktop, but run it sandboxed. Then anything that video file might try is also sandboxed.

Another aspect is that you can create several sandboxes and leave something in one for a while, to see if either virus scanners get an updated signature or you learn something about it. Then you can decide to either move it out of the sandbox or delete it.

Hopefully this helps,

Pete

ErikAlbert
May 28th, 2007, 07:19 PM
-{ Quote: "Yes you are. For example: if I download the kis.msi installer and run it normally, it installs KIS. If I run it sandboxed, the install fails, and when I delete the sandbox everything goes away.
So how do I use this, not being an expert on malware? Well, a little common sense. If I download something from a location I trust, then I just install it. If it's from a location I know I don't trust, then I had better do something to protect myself, i.e., the EA reboot-nuke procedure or something similar.
The value of sandboxie lies in a couple of things. First of all, all the potential junk from browsing is gone without a reboot. Secondly, if a site downloads hidden junk, even if it runs, it can't harm my system. It even can protect the My Documents folder. Another example, suppose I download a video and I am not sure about it. I can run my media player from my desktop, but run it sandboxed. Then anything that video file might try is also sandboxed.
Another aspect is that you can create several sandboxes and leave something in one for a while, to see if either virus scanners get an updated signature or you learn something about it. Then you can decide to either move it out of the sandbox or delete it.
Hopefully this helps, Pete" }-
Thanks. I will think about it. Seems to me more like a little protection here, a little protection there and a little protection over here. :)

Rmus
May 28th, 2007, 07:38 PM
This is a very informative discussion. The vendors in question should pay for the detailed descriptions and exposure their products are getting here!

A friend asked me the other day about sandbox stuff, so I started reading some of the threads and referred them to him, and today suggested that the next step for him is to evaluate one: until then, it's all talk.

One question came to mind: several have pointed out that a keylogging program or such might be able to send out from within the Sandbox while you are on line transacting business.

The question: under what circumstances do you imagine that a keylogger could get installed on your system?

I would imagine one would have a routine such as I use with Deep Freeze:
1) Reboot to known good state
2) Connect to the internet, go directly to online site.
3) Log in - transact business
4) Log off

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

stapp
May 29th, 2007, 07:17 AM
It's really helpful to have a thread like this going on at the moment. I have just started with sandboxie myself in the last few days and the learning curve is less steep with the helpful advice that I am reading here.

For instance, I had a hard time grasping the concept of sandboxie the first time I downloaded and ran a setup in it (artweaver). What I didn't realise at the time was that Online Armor would ask permission to run artweaver and keep a record of it in its program list and history, but it would be nowhere else after deleting the sandbox and contents after deciding I didn't want to keep that software. In my ignorance I assumed NO ONE would see what I was doing but sandboxie.

Now I am a bit more aware that sandboxie does one thing, and HIPS and firewalls etc. do another...and that's how it should be I guess.

Jarmo P
May 29th, 2007, 08:07 AM
For me Sandboxie is a recovery tool. I know browsers like Firefox and IE can get corrupted, so I only run them inside SB. Privacy for one session before deleting sandbox contents is not the main concern for me but keeping my computer clean. Also it is a bother for me sometimes to operate NoScript, so I just allow all javascript etc. while having a browsing session, but then delete the sandbox afterwards.
I also use Sandboxie to test Firefox extensions, but as told here, not to trust that they are safe to install outside SB, only to see how they work.

I have not tested SB for installing software and if I would install something like Yahoo Messenger I would install it on trust normally.
But at the same time I run my Skype and Trillian always inside Sandboxie. And would run Yahoo too. In fact my Comodo firewall has only rules for Sandboxie's Start.exe for starting IE and no normal rule for explorer.exe starting it. Same goes for Trillian too.

It is a bother to run utorrent inside Sandboxie since I am not sharing anything and actually sometimes feel bad for being so selfish. And I need to copy the downloads to a normal location.

Davidpr
May 29th, 2007, 09:22 AM
Having started this thread I was hoping for a couple of answers to try and understand this better but the response has been really great.

I have installed both Sandboxie and GESWall to try. For me Sandboxie is what I am looking for - added protection for internet use and then when you close the browser it all gets wiped.

I have one really annoying problem though - I am unable to use my laptop's mouse pad within the sandbox but it is ok in a non-sandboxed session. I have posted this on the Sandboxie forum.

best wishes.

simmikie
May 29th, 2007, 02:27 PM
-{ Quote: "Having started this thread I was hoping for a couple of answers to try and understand this better but the response has been really great.

I have installed both Sandboxie and GESWall to try. For me Sandboxie is what I am looking for - added protection for internet use and then when you close the browser it all gets wiped.

I have one really annoying problem though - I am unable to use my laptop's mouse pad within the sandbox but it is ok in a non-sandboxed session. I have posted this on the Sandboxie forum.

best wishes." }-

Not sure if a mouse pad does this, but if the mouse pad loads a driver, Sandboxie will not support loading drivers. And not being critical, but I am curious: what security do you gain by running your mouse pad sandboxed?


Mike

pilotart
May 29th, 2007, 06:45 PM
-{ Quote: "<...>
I have one really annoying problem though - I am unable to use my laptop's mouse pad within the sandbox but it is ok in a non-sandboxed session. <...>" }-
How do you move your cursor in Sandboxie?

I had used Sandboxie without problems running Firefox (my much preferred Browser), but a few sites require IE (with lowest privacy settings).

Whenever I would try Internet Explorer 6 (with the minimal security settings) within Sandboxie, the first symptom of problems would be a failure of my IntelliMouse to respond, the Built-in ALPS Touchpad system would continue to work.

This is a Microsoft Bluetooth Mouse using only the Windows generic drivers that has had no other problems,
after opening three or four pages within a Sandboxie'd IE, the IntelliMouse would quit.

This would just be the first symptom and problems would progress through slow-down to a frozen system.

On the last run of Sandboxie, the final symptom had been the shutdown of AntiVirus protection. :o

System has (and does) function perfectly in every respect with no other symptoms of security problems ever seen.

I was never able to determine why I encountered this issue with Sandboxie and have never seen this reported by others.

The installed Security Applications are listed on my sig below, with BufferZone's {Free for IE} (http://www.trustware.com/virtualization/freewb.html) replacing Sandboxie.

Bob D
May 29th, 2007, 07:14 PM
-{ Quote: "...I am unable to use my laptops mouse pad within the sandbox" }-
Is this a USB mouse?
Oh yes, and what other security proggies are you running?

Cheers

interact
May 29th, 2007, 09:04 PM
http://googleonlinesecurity.blogspot.com/2007/05/on-virtualisation.html

Interesting comment about Sandbox technology if anyone's interested.

~interact

Franklin
June 2nd, 2007, 12:08 PM
It's the best thing since sliced bread, um er, malware!
USE IT!