
Sandboxie and Full Virtualisation?


Someone
July 4th, 2008, 07:41 AM
Hi

In terms of security, does a full virtualisation program like VMWare provide better security than an application sandbox like Sandboxie?

Because I just started using Browser Appliance in VMWare and have used Sandboxie for a while.

Thanks

jrmhng
July 4th, 2008, 08:28 AM
In terms of security, it is a definite improvement in terms of security. Light virtualization programs probably won't cover all the bases, while full virtualization will (assuming there are no crazy vulnerabilities in the VM software).

Someone
July 4th, 2008, 09:53 AM
-{ Quote: "In terms of security, it is a definite improvement in terms of security. Light virtualization programs probably won't cover all the bases, while full virtualization will (assuming there are no crazy vulnerabilities in the VM software)." }-

Hi

Thanks. But how does it provide better security? Won't I achieve the same level if I just do not allow anything onto my real computer?

Thanks

Peter2150
July 4th, 2008, 09:57 AM
In all honesty, unless you really go looking for bad trouble, Sandboxie can probably provide the protection you need. There are some excellent ideas on configuring it there. There are folks there who have thrown some of the worst stuff they can find at Sandboxie and it holds up.

True a VM machine will provide another excellent layer if you are doing high risk stuff. When I play with nasty stuff, I do it on a vm machine. I also place my desktop in shadowmode with ShadowDefender just in case.

Pete

jrmhng
July 4th, 2008, 10:23 AM
-{ Quote: "Hi

Thanks. But how does it provide better security? Won't I achieve the same level if I just do not allow anything onto my real computer?

Thanks" }-

When you are using light virtualization, everything is still executing natively on your computer. Sandboxie just intercepts disk and registry access and saves it as part of the sandbox. However, it is conceivable that there might be something that Sandboxie allows which it shouldn't have.

With full virtualization, there is a much more robust containment.

-{ Quote: "In all honesty, unless you really go looking for bad trouble, Sandboxie can probably provide the protection you need. There are some excellent ideas on configuring it there. There are folks there who have thrown some of the worst stuff they can find at Sandboxie and it holds up." }-

Agreed. However were there not a few that did pass through?

Someone
July 4th, 2008, 10:24 AM
-{ Quote: "In all honesty, unless you really go looking for bad trouble, Sandboxie can probably provide the protection you need. There are some excellent ideas on configuring it there. There are folks there who have thrown some of the worst stuff they can find at Sandboxie and it holds up.

True a VM machine will provide another excellent layer if you are doing high risk stuff. When I play with nasty stuff, I do it on a vm machine. I also place my desktop in shadowmode with ShadowDefender just in case.

Pete" }-

Hi

So would I gain any additional security if I browse the web (not looking for malware or anything) if I use VMWare instead of Sandboxie?

Thanks

Franklin
July 4th, 2008, 10:57 AM
-{ Quote: "Hi

So would I gain any additional security if I browse the web (not looking for malware or anything) if I use VMWare instead of Sandboxie?

Thanks" }-
If using a virtual machine, it's sorta like using Returnil on the real system, which can still be infected, requiring a reboot to be rid of any infections.

Running your browser through Sandboxie contains any and all browsing data to the sandbox and only requires a deletion of the sandbox contents to be rid of anything.

Some user initiated and obscure methods have bypassed Sandboxie in the past but they are patched asap by Tzuk.

Sandboxie and Returnil combo is my setup on my XP/Vista installs.

Sometimes I do browse using a VM, but they have Sandboxie and Returnil installed as well. ;D

jrmhng
July 4th, 2008, 11:00 AM
-{ Quote: "Hi

So would I gain any additional security if I browse the web (not looking for malware or anything) if I use VMWare instead of Sandboxie?

Thanks" }-

Yes, you do. Think about 'additional security' as the percentage of malware that would not have been stopped by Sandboxie but would have been stopped by a VM. This is a very small percentage.

jrmhng
July 4th, 2008, 11:12 AM
-{ Quote: "If using a virtual machine it's sorta like using Returnil on the real system which can still be infected requiring a reboot to be rid of any infections." }-

I'm not sure how good a comparison a VM and Returnil is.

It depends on how you set up the VM. You can configure it to remove all changes after every reboot, or you can save the data even after reboots.

Also have a look at http://www.wilderssecurity.com/showthread.php?t=212092
I think that cs.exe would have bypassed RVS2008 when it would not have bypassed a VM.

chris2busy
July 4th, 2008, 11:58 AM
Run VMware in a setup with LUA... same with Sandboxie... so even in the rarest of cases where something does jump out of the box, it still has no access to your system.

ErikAlbert
July 4th, 2008, 01:01 PM
To me it's very simple: Sandboxie is security and full virtualisation is recovery and certainly not security. I never confused security with recovery. I combine both. I don't need a VM either; I don't test software from an unknown source.

Huupi
July 4th, 2008, 06:53 PM
-{ Quote: "To me it's very simple: Sandboxie is security and full virtualisation is recovery and certainly not security. I never confused security with recovery. I combine both. I don't need a VM either; I don't test software from an unknown source." }-

Why are you always pointing out the differences? To me, security is the all-inclusive practice of preventing mishaps from whatever source, so recovery is also included; they're just words, and it's needless to make a distinction.

jrmhng
July 4th, 2008, 07:02 PM
-{ Quote: "To me it's very simple: Sandboxie is security and full virtualisation is recovery and certainly not security. I never confused security with recovery. I combine both. I don't need a VM either; I don't test software from an unknown source." }-

Look, this is just downright confusing if someone is trying to understand how light and full virtualization are different. The OP is obviously in that scenario.

Full virtualization has many applications, and one of them is security. If you are trying to compare the level of security between full and light virtualization, look at my previous post.

ErikAlbert
July 4th, 2008, 07:24 PM
If you don't see it that way, that's OK with me, I'm just telling my opinion. I always separate things from one another, if they are not the same. If you consider it as the same, there is no difference and then you can ignore my opinion.
Opinions are like butts, everybody has one. :)

Peter2150
July 4th, 2008, 08:38 PM
Actually, VM machines are indeed full virtualization and not really recovery at all.

There is, though, one huge difference. Take any of the malware that destroys the MBR/partition table. Sandboxie (and other programs) do indeed protect against the malware. But in the VM, I can let the malware do its thing and watch what happens. And if the malware trashes the disk, no big deal. Just revert to the previous snapshot and everything is back. None of the ISR software can match that.

Trespasser
July 4th, 2008, 09:50 PM
I've used VMWare Server running XP in Linux, so I'm not new to this. My thoughts are that if you get infected while running in VMWare, the infection is still going to be in your virtualized OS once you boot back into it. Sure, your host operating system is clean, but the virtualized one isn't. How do you all deal with that? Sandboxie? An antivirus? You go to all that trouble to install a second OS and you still have to deal with an infection. Just curious...

Later....

Yes, you can delete the virtualized OS and the problem is solved, but then you're facing another install. I fail to see the benefit.

Someone
July 4th, 2008, 10:07 PM
Hi

OK, I think I get it. So full virtualisation (VMWare, VirtualBox, etc) has better security than light virtualisation (Sandboxie, Returnil, etc).

But in most cases if you're not specifically testing malware light virtualisation is adequate.

Is that right?

Thanks

jrmhng
July 4th, 2008, 10:30 PM
-{ Quote: "My thoughts are that if you get infected while running in VMWare, the infection is still going to be in your virtualized OS once you boot back into it. Sure, your host operating system is clean, but the virtualized one isn't. How do you all deal with that? Sandboxie? An antivirus? You go to all that trouble to install a second OS and you still have to deal with an infection. Just curious...

Later....

Yes, you can delete the virtualized OS and the problem is solved, but then you're facing another install. I fail to see the benefit." }-

Farmerlee has the approach where he installs the security software inside the VM. If you only use the VM to browse and email, the slowdowns associated with security software are only relevant to the browser and email client, and neither of these is an intensive application.

Alternatively, you can install an operating system like Linux that isn't targeted by malware writers.

In either case, an infection in a VM is much easier to deal with than one on your actual computer. You can use snapshots to do a restore, you can mount the image to do a flat file scan, etc.

-{ Quote: "If you don't see it that way, that's OK with me, I'm just telling my opinion. I always separate things from one another, if they are not the same. If you consider it as the same, there is no difference and then you can ignore my opinion.
Opinions are like butts, everybody has one. :)" }-

Sure, you can have an opinion, but it isn't relevant in this thread. The comparison by the OP is obviously between light and full virtualization as an extra layer of security to isolate attack vectors like the browser and email client. Let us try to focus on this issue rather than boot-to-restore.

-{ Quote: "Hi

OK, I think I get it. So full virtualisation (VMWare, VirtualBox, etc) has better security than light virtualisation (Sandboxie, Returnil, etc).

But in most cases if you're not specifically testing malware light virtualisation is adequate.

Is that right?

Thanks" }-

Yes, that is my view. The additional risk minimization from using a VM is quite low. On my computer (low-end laptop) the performance trade-off is not worth it. If you have a 10k gaming rig, then performance is not an issue and you may well consider using a VM. It depends on your situation.

MrBrian
July 4th, 2008, 10:37 PM
-{ Quote: "I've used VMWare Server running XP in Linux, so I'm not new to this. My thoughts are that if you get infected while running in VMWare, the infection is still going to be in your virtualized OS once you boot back into it. Sure, your host operating system is clean, but the virtualized one isn't. How do you all deal with that? Sandboxie? An antivirus? You go to all that trouble to install a second OS and you still have to deal with an infection. Just curious..." }-

When making virtual machine state changes that I want to keep, I avoid doing anything dangerous. Then I shut down the virtual operating system and take a snapshot. During all other times, when I am done with a session, I revert back to the previous snapshot.

Someone
July 4th, 2008, 10:41 PM
-{ Quote: "Yes, that is my view. The additional risk minimization from using a VM is quite low. On my computer (low-end laptop) the performance trade-off is not worth it. If you have a 10k gaming rig, then performance is not an issue and you may well consider using a VM. It depends on your situation." }-

Hi

OK. Thanks! My laptop is not that good either so I think I'll just stick with Sandboxie.

Franklin
July 4th, 2008, 11:21 PM
-{ Quote: "Yes, you can delete the virtualized OS and the problem is solved, but then you're facing another install. I fail to see the benefit." }-

With MS Virtual PC I do a base install of XP and Vista, then copy and paste the VHDs as needed to their own folders and assign a new VM.

Saves a reinstall and you can copy and paste forever.

I even have a VHD/VM that I copied and pasted to a USB stick, and it runs fine on any machine that has MS Virtual PC installed.

These VMs are stored on another partition as I prefer C drive as slim as possible.

nomarjr3
July 7th, 2008, 11:04 PM
Yes, that's a pretty good combo. Virtualization software is a must these days.

bellgamin
July 7th, 2008, 11:46 PM
-{ Quote: "So would I gain any additional security if I browse the web (not looking for malware or anything) if I use VMWare instead of Sandboxie?" }-

This question is specifically constrained to security while browsing the web. In such a scenario, both SBIE and VM can conceivably allow a keylogger to grab and compromise private information.

To me, a keylogger (with ensuing loss of private information) is a VERY nasty sort of threat.

I use SBIE configured such that ONLY Firefox can access the internet. Thus, I feel well protected from keyloggers -- unless something manages to hijack Firefox itself.

If and only if a VM is configured to protect against keyloggers, then I agree with those who have said a VM is (at least theoretically) more secure than SBIE. Otherwise, I do not agree.

Yet another *super safe* option would be to run something like Deep Freeze or ShadowUser, and (in that mode) use SBIE to surf the web. I am not yet paranoid to the degree needed for me to do that, but it's something for the OP to consider -- wot?

Someone
July 7th, 2008, 11:53 PM
-{ Quote: "This question is specifically constrained to security while browsing the web. In such a scenario, both SBIE and VM can conceivably allow a keylogger to grab and compromise private information.

To me, a keylogger (with ensuing loss of private information) is a VERY nasty sort of threat.

I use SBIE configured such that ONLY Firefox can access the internet. Thus, I feel well protected from keyloggers -- unless something manages to hijack Firefox itself.

If and only if a VM is configured to protect against keyloggers, then I agree with those who have said a VM is (at least theoretically) more secure than SBIE. Otherwise, I do not agree.

Yet another *super safe* option would be to run something like Deep Freeze or ShadowUser, and (in that mode) use SBIE to surf the web. I am not yet paranoid to the degree needed for me to do that, but it's something for the OP to consider -- wot?" }-

Hi

Well I don't think it's really necessary for me to use so many programs to only fractionally increase the security when Sandboxie will suffice in most cases.

Thanks

Rasheed187
July 9th, 2008, 07:42 AM
Well, the next best thing is going to be OS virtualization. MS has already launched Hyper-V for Win 2008 Server, and they might make it compatible with Vista. In theory this would be a killer tool: imagine having, let's say, 10 virtual instances of the Win OS all running at full speed. If you're not sure about some app or game, or if you fear a drive-by attack, just use one of the virtual OSes.

But I'm not really sure what's possible with such a virtualized partition. I suppose you can still install your security tools on it, and I hope there is no need to boot the virtual OS? That would be a serious drawback, of course. The Solaris OS is already offering such features, btw:

http://www.sun.com/software/solaris/virtualization.jsp

Someone
July 9th, 2008, 08:16 AM
-{ Quote: "Well, the next best thing is going to be OS virtualization. MS has already launched Hyper-V for Win 2008 Server, and they might make it compatible with Vista. In theory this would be a killer tool: imagine having, let's say, 10 virtual instances of the Win OS all running at full speed. If you're not sure about some app or game, or if you fear a drive-by attack, just use one of the virtual OSes.

But I'm not really sure what's possible with such a virtualized partition. I suppose you can still install your security tools on it, and I hope there is no need to boot the virtual OS? That would be a serious drawback, of course. The Solaris OS is already offering such features, btw:

http://www.sun.com/software/solaris/virtualization.jsp" }-

Hi

How can it run at full speed? Wouldn't it slow down?

But even if there was such a feature, I don't think you need ten. Around 5 is enough.

jrmhng
July 9th, 2008, 08:47 AM
-{ Quote: "Hi

How can it run at full speed? Wouldn't it slow down?

But even if there was such a feature, I don't think you need ten. Around 5 is enough." }-

It uses virtualization that is hardware-accelerated, so the performance decrease is far less than with solutions like VMWare.

Kees1958
July 9th, 2008, 09:44 AM
-{ Quote: "Hi

Thanks. But how does it provide better security? Won't I achieve the same level if I just do not allow anything onto my real computer?

Thanks" }-

Why?

Application virtualisation like Sandboxie cuts through the OS and file system. Because the OS was not designed that way, SBIE and SafeSpace will have implemented different hook strategies (regarding the OS) and different interface implementations (different virtualisation engines). There is no one truth, because you cannot tackle all the handles (performance, maybe undocumented) and the interfaces are no clean cuts. So two worlds live together on the same infrastructure.

Machine virtualisation looks like this: primary OS with the VM application, within the VM application a secondary OS and the applications using that OS, so a nice clean-cut interface with complete separation.

Best
VM (Virtual PC, VM, etc.) = shared HW, different OS, separated file system
[has a Microsoft implementation]

Better
Shadow sandbox (Returnil, SteadyState, etc.) = shared HW, shared OS, separate file system (at minimum a full data partition is shadowed) [has a Microsoft implementation]

Good
Application sandbox (SBIE, SafeSpace) = shared HW, shared OS, virtual file separation = mixed file system (either a file is in or out of the sandbox on a per application/file basis) [has no Microsoft implementation]
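The distinction Kees1958 draws above (mixed file system under an application sandbox versus a fully separate disk under a VM), together with jrmhng's earlier description of Sandboxie redirecting disk and registry writes into the sandbox and MrBrian's snapshot-and-revert routine, can be modelled in a few lines. This is an added toy illustration, not code from Sandboxie, VMware, or anyone in the thread; the file paths and contents are constructed, and `unhooked_write` is a hypothetical stand-in for the case where a hook fails to intercept an access.

```python
"""Toy model of the two containment models discussed in the thread.
Constructed illustration only; not Sandboxie's or VMware's real code."""
import copy

DELETED = object()  # whiteout marker: file deleted inside the sandbox only


class AppSandbox:
    """Light virtualization: shared OS and file system, writes diverted
    into an overlay; reads see a mixed view (overlay first, then host)."""

    def __init__(self, host: dict):
        self.host = host      # the real system, shared with the sandbox
        self.overlay = {}     # the sandbox contents

    def read(self, path):
        if path in self.overlay:
            v = self.overlay[path]
            return None if v is DELETED else v
        return self.host.get(path)          # falls through to the real file

    def write(self, path, data):
        self.overlay[path] = data           # hooked: never touches self.host

    def delete(self, path):
        self.overlay[path] = DELETED

    def unhooked_write(self, path, data):
        """Hypothetical: an access the hooks miss lands on the real system."""
        self.host[path] = data

    def empty_sandbox(self):
        self.overlay.clear()                # 'delete the sandbox contents'


class FullVM:
    """Full virtualization: a separate guest disk plus snapshot/revert."""

    def __init__(self, image: dict):
        self.disk = dict(image)
        self.snapshots = []

    def read(self, path): return self.disk.get(path)
    def write(self, path, data): self.disk[path] = data
    def snapshot(self): self.snapshots.append(copy.deepcopy(self.disk))
    def revert(self): self.disk = copy.deepcopy(self.snapshots[-1])


def demo():
    host = {"C:/hosts": "127.0.0.1 localhost"}      # constructed host file
    sb = AppSandbox(host)
    sb.write("C:/hosts", "tampered")                # redirected to overlay
    mixed_view = sb.read("C:/hosts")                # sandbox sees 'tampered'
    sb.empty_sandbox()
    host_after = host["C:/hosts"]                   # real file untouched
    sb.unhooked_write("C:/hosts", "tampered")       # a missed hook: real damage
    vm = FullVM({"C:/hosts": "127.0.0.1 localhost"})
    vm.snapshot()                                   # MrBrian's clean snapshot
    vm.write("C:/hosts", "tampered")                # stays inside the guest
    vm.revert()
    return mixed_view, host_after, host["C:/hosts"], vm.read("C:/hosts")
```

`demo()` returns the sandboxed view, the host file after emptying the sandbox, the host file after the missed hook, and the guest file after reverting the VM, which shows why a hook bypass matters for the sandbox model and not for the VM model.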

Someone
July 9th, 2008, 10:08 AM
Hi

@ Huangker and Kees1958

Thanks very much for the explanation! :thumb: