
Sandbox testing


Drew99GT
September 30th, 2008, 10:28 PM
http://news.yahoo.com/s/infoworld/20080930/tc_infoworld/111070;_ylt=Al48NA.G1A0D8GuNv9XIJ_yDzdAF

Thoughts?

I thought Sandboxie, and especially Defensewall, were essentially impenetrable.

MitchE323
October 1st, 2008, 12:28 AM
This tester rated Prevx as his favorite but states: "On just the fifth malware Web site, a password-stealing Trojan was able to infect the test system." What do you think the Sandboxie forum would look like if every fifth site allowed something out of the sandbox? He also states: "Sandboxie didn't prevent the clipboard hijack, and it did not remove all remnants of the XP Antivirus malware program when I told it to delete everything." I had no problem deleting everything in the XP Antivirus test, both with auto delete and no auto delete, so I don't know where that is coming from. As far as the clipboard goes, Sandboxie doesn't sandbox the clipboard, because what effect would that have? It would still be text. But there is no harm, as anything pasted would be in a sandboxed address field anyway.

Franklin
October 1st, 2008, 01:15 AM
Tested heaps of rogues sandboxed, including XP Antivirus, with Sandboxie not having a problem containing, terminating and deleting all comers so far.

Can't understand what the author of the article means by:
-{ Quote: "Second, Sandboxie only protects one program or process at a time. When you use Sandboxie, you must choose which programs and processes to protect and when. " }-

MitchE323
October 1st, 2008, 01:20 AM
hahaha I missed that comment Franklin, good post. :D

Peter2150
October 1st, 2008, 01:33 AM
He only tested the free version. Not a very impressive write up in my opinion.

chrome_sturmen
October 1st, 2008, 01:48 AM
Pete, relax, we know Sandboxie thwarts all ;D :thumb:

bellgamin
October 1st, 2008, 02:03 AM
-{ Quote: "Pete, relax, we know Sandboxie thwarts all " }-But NOT the heartbreak of psoriasis. :(

chrome_sturmen
October 1st, 2008, 02:08 AM
Hey bellgamin, give me a chance, I'm still relatively young at 34. Right about now there are about a billion things to kill me, all the while telling me I have just the one life. Give them a chance to catch up to me; I know they catch up.

PrevxHelp
October 1st, 2008, 03:13 AM
If it's any consolation to the infection we missed, detection was added automatically for it by our Community Database about 30 minutes after the test took place. If he was to rescan, we would have then detected/cleaned/blocked it.

chrome_sturmen
October 1st, 2008, 03:26 AM
Good try :shifty: but IDS vs virtualization = nil.

PrevxHelp
October 1st, 2008, 03:58 AM
Yes, it is clear that a full virtualization solution will prevent anything from changing the underlying system, but how many "normal", non-techy users can actually use a virtualization solution? :)

For instance, my mother could definitely not use a virtualization program, a virtual machine, or UAC for that matter. They are just far too difficult to use by a non-experienced person who just wants to use a computer and assume that everything just "works".

Kees1958
October 1st, 2008, 10:00 AM
-{ Quote: "Yes, it is clear that a full virtualization solution will prevent anything from changing the underlying system, but how many "normal", non-techy users can actually use a virtualization solution? :)

For instance, my mother could definitely not use a virtualization program, a virtual machine, or UAC for that matter. They are just far too difficult to use by a non-experienced person who just wants to use a computer and assume that everything just "works"." }-

That is true, that is why solutions like Threatfire and PrevX excel.

Regarding UAC and the perceived virtualisation of DefenseWall: it is a non-techie implementation of internet-facing program security with policy management. It also works seamlessly (it only requires a change of status to trusted to install software), in a way that is install and forget. It is also the only sandbox-type application which works out of the box with Digital Rights Management. As a matter of fact, my mother of 75 uses it with no problems at all (I did the installation of DW on her PC).

Hugger
October 1st, 2008, 10:16 AM
I agree with Kees.
I've got Mrs. Click nicely tucked in with DW. I also have Returnil because I don't want all the garbage that she downloads to stay on the machine.
She would give permissions to Satan himself.
Hugger

djohn
October 1st, 2008, 10:43 AM
-{ Quote: "I agree with Kees.
I've got Mrs. Click nicely tucked in with DW. I also have Returnil because I don't want all the garbage that she downloads to stay on the machine.
She would give permissions to Satan himself.
Hugger" }-
LOL, I have a Mrs. Click as well that will click anything; if it had flashing banners saying "please click here" she would be all over it. Before my Mrs. Happy Click gets to use it, I fire up Returnil.

CogitoErgoSum
October 1st, 2008, 10:51 AM
For those who are interested,

The direct and original links that Drew99GT was referring to can be found below.

http://www.infoworld.com/article/08/09/30/40TC-sandbox-security_1.html (Test Center: Sandbox security versus the evil Web)
http://www.infoworld.com/article/08/09/30/40TC-sandbox-exploits_1.html (Two tenacious exploits debunk vendor claims)


Peace & Gratitude,

CogitoErgoSum

ruinebabine
October 1st, 2008, 11:17 AM
Just as an OT side note, I always prefer to use and give these kinds of links

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/09/30/40TC-sandbox-exploits_1.html
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/09/30/40TC-sandbox-security_1.html

when referencing those otherwise slow-loading mags' pages full of multimedia fluff...

kwismer
October 1st, 2008, 11:24 AM
-{ Quote: "http://news.yahoo.com/s/infoworld/20080930/tc_infoworld/111070;_ylt=Al48NA.G1A0D8GuNv9XIJ_yDzdAF

Thoughts?" }-

It seems to me the reviewer was comparing apples to oranges... a sandbox is malware-agnostic... the fact that a bunch of the tools he looked at identified things as malicious points to the fact that they have additional functionality built in besides just sandboxing... additional protection is good, but if you're going to review sandboxing software you should stick to the sandbox functionality...

-{ Quote: "I thought Sandboxie, and especially Defensewall, were essentially impenetrable." }-

Nothing is impenetrable... if you start believing something is then you'll get careless and quite possibly pwned...

Drew99GT
October 1st, 2008, 11:51 AM
Specifically, does anyone have anything to say about the 2 exploits that Sandboxie missed; Adobe Flash clipboard hijack and the XP Antivirus malware program?

Franklin
October 1st, 2008, 11:59 AM
Quote Mitch:
-{ Quote: "As far as the clipboard, Sandboxie doesn't sandbox the clipboard cause what effect would that have - it would still be text." }-
Quote Franklin:
-{ Quote: "Tested heaps of rogues sandboxed, including XP Antivirus, with Sandboxie not having a problem containing, terminating and deleting all comers so far." }-

MitchE323
October 1st, 2008, 11:59 AM
-{ Quote: "Specifically, does anyone have anything to say about the 2 exploits that Sandboxie missed; Adobe Flash clipboard hijack and the XP Antivirus malware program?" }-
I addressed it in my earlier post. I can not reproduce his findings on the malware program.

jmonge
October 1st, 2008, 12:05 PM
-{ Quote: "I addressed it in my earlier post. I can not reproduce his findings on the malware program." }-
I don't have a screenshot for it, but Sandboxie blocks Antivirus 2009 very easily with no problems and nothing escapes the sandbox :thumb:
So confident that I use Sandboxie for testing malware instead of Returnil or a VM, that's me.

MitchE323
October 1st, 2008, 12:06 PM
Tzuk answers the clipboard "exploit" here; http://sandboxie.com/phpbb/viewtopic.php?p=26999#26999

djohn
October 1st, 2008, 01:09 PM
I tested Antivirus 2009 a while back in Sandboxie. It did show the program tray icon running on the taskbar, which was a concern at first, but after the termination and deletion of the contents there were no remnants on my system. Sandboxie passed without a doubt.

jmonge
October 1st, 2008, 01:30 PM
-{ Quote: "I tested Antivirus 2009 a while back in Sandboxie. It did show the program tray icon running on the taskbar, which was a concern at first, but after the termination and deletion of the contents there were no remnants on my system. Sandboxie passed without a doubt." }-The icon you saw was a virtual icon, not real ;D after deleting the sandbox it's gone like the wind ;D

HURST
October 1st, 2008, 02:14 PM
My tests of SBIE vs. Antivirus 2009 had the same results as those stated by djohn: the tray icon remained there until I passed the mouse over it, and then it disappeared (no click needed, just pass the pointer over the icon). Otherwise, nothing at all stayed in my real system.

jmonge
October 1st, 2008, 02:23 PM
-{ Quote: "My tests of SBIE vs. Antivirus 2009 had the same results as those stated by djohn: the tray icon remained there until I passed the mouse over it, and then it disappeared (no click needed, just pass the pointer over the icon). Otherwise, nothing at all stayed in my real system." }-
It is nothing that is going to hurt you, Hurst ;D not a big deal, it will disappear anyhow :thumb:

MitchE323
October 1st, 2008, 02:39 PM
-{ Quote: " ... the perceived virtualisation of DefenseWall ..." }- Why is DefenseWall even compared in the virtualization/sandboxing group? It marks programs as trusted and untrusted right? Plus what happens to everything on your system if later down the line, you decide to uninstall DefenseWall and try something different? What does it re-designate programs as after an uninstall?

Ilya Rabinovich
October 1st, 2008, 03:11 PM
-{ Quote: "Why is DefenseWall even compared in the virtualization/sandboxing group?" }-
Because it is a sandboxing-style behavior blocker.

-{ Quote: "It marks programs as trusted and untrusted right?" }-
Right.

-{ Quote: "Plus what happens to everything on your system if later down the line, you decide to uninstall DefenseWall and try something different? What does it re-designate programs as after an uninstall?" }-
You can uninstall without deleting its settings.

MitchE323
October 1st, 2008, 03:41 PM
-{ Quote: "You can uninstall without deleting its settings." }-
Is that referring to having an intention to reinstall DefenseWall at some point and the previously used settings would be retained? My question is suppose you install a program on your system and DefenseWall marks it as untrusted. Now, you later decide to uninstall DefenseWall (forever). Is that previously installed program limited in some way?

HURST
October 1st, 2008, 03:51 PM
-{ Quote: "It is nothing that is going to hurt you, Hurst, not a big deal, it will disappear anyhow" }-

I know that, just posting my results...

jmonge
October 1st, 2008, 03:54 PM
-{ Quote: "I know that, just posting my results..." }-
cool:thumb:

truthseeker
October 1st, 2008, 05:36 PM
-{ Quote: "http://news.yahoo.com/s/infoworld/20080930/tc_infoworld/111070;_ylt=Al48NA.G1A0D8GuNv9XIJ_yDzdAF

Thoughts?

I thought Sandboxie, and especially Defensewall, were essentially impenetrable." }-

Have you tried running Linux using Virtualbox? It is very secure and a type of "Sandbox"

And if you use Linux using Virtualbox, you are immune from keyloggers when your host is windows. But as far as I know (someone correct me if I'm wrong), if your windows is infected with a keylogger, whatever you type in a sandboxie web browser session, will be picked up by the keylogger, but in Linux using Virtualbox it won't.

kwismer
October 1st, 2008, 10:19 PM
-{ Quote: "And if you use Linux using Virtualbox, you are immune from keyloggers when your host is windows." }-

??? Why would you be immune from keyloggers when running a Linux VM inside a Windows host? Why would a Linux keylogger not be able to run inside the Linux VM?

-{ Quote: "But as far as I know (someone correct me if I'm wrong), if your windows is infected with a keylogger, whatever you type in a sandboxie web browser session, will be picked up by the keylogger, but in Linux using Virtualbox it won't." }-

Again, I see no reason why your keystrokes wouldn't be picked up by a keylogger in the host (since it receives the keystrokes first and passes them on to the VM)...

Ilya Rabinovich
October 2nd, 2008, 12:56 AM
-{ Quote: "Is that previously installed program limited in some way?" }-
No. Why? And how exactly?

truthseeker
October 2nd, 2008, 02:22 AM
-{ Quote: "??? Why would you be immune from keyloggers when running a Linux VM inside a Windows host? Why would a Linux keylogger not be able to run inside the Linux VM?

Again, I see no reason why your keystrokes wouldn't be picked up by a keylogger in the host (since it receives the keystrokes first and passes them on to the VM)..." }-

This has already been discussed at length on wildersecurity..... If you run Ubuntu Linux as a guest using Virtualbox, and windows as the host, whatever you type in the guest Virtualbox Linux session cannot be detected or logged by any keylogger that has infected the host Windows.

In other words, if I type anything in the guest Linux Virtualbox session, it won't be picked up and logged by any host Windows keylogger. So it's very safe to use Linux Virtualbox to do netbanking etc because even if windows was infected with a keylogger, it won't pick it up.

Test it yourself using any keylogger test program.

Someone
October 2nd, 2008, 05:31 AM
-{ Quote: "Have you tried running Linux using Virtualbox? It is very secure and a type of "Sandbox"" }-
Personally I think it's just overkill.

kwismer
October 2nd, 2008, 10:38 AM
-{ Quote: "This has already been discussed at length on wildersecurity..... If you run Ubuntu Linux as a guest using Virtualbox, and windows as the host, whatever you type in the guest Virtualbox Linux session cannot be detected or logged by any keylogger that has infected the host Windows.

In other words, if I type anything in the guest Linux Virtualbox session, it won't be picked up and logged by any host Windows keylogger. So it's very safe to use Linux Virtualbox to do netbanking etc because even if windows was infected with a keylogger, it won't pick it up.

Test it yourself using any keylogger test program." }-

With all due respect, just because you haven't found a keylogger test app that does it doesn't mean there aren't keyloggers that can... how many do you think are out there and how many did you actually try?

I found some other threads here on the subject but some of the things said in them just don't ring true. VMs don't access hardware directly, they go through the host OS (I shudder to think of what would happen if two or more concurrent systems were competing for access to the same hardware)... further, the notion of entering keyboard input into the VM is nonsense, which can easily be seen by minimizing the VM's window and entering text into Notepad... the VM is still running, it has no idea it's been minimized, so why wouldn't it be capturing that text? It is the host OS that directs keyboard input to the appropriate process, whether that be a virtual machine running within that host or Notepad or your browser... as such the keyboard input must go through the host first, which means the keyboard input can be intercepted in the host...

But even more fundamental than that, you just cannot protect a guest system from something running on the host with the same (or greater) privileges as the VM software itself...

Kyle1420
October 2nd, 2008, 11:40 PM
Sandboxie is good... Yes, but programs are being designed to jump out of them, such as copying themselves to your clipboard then pasting into your real system etc., amongst other things. Neither does Sandboxie "sandbox" your memory.

It's good guys... But don't go getting too overconfident with it, it's not bulletproof... yet. Maybe in the future.

Franklin
October 3rd, 2008, 12:29 AM
-{ Quote: "Sandboxie is good... Yes, but programs are being designed to jump out of them, such as copying themselves to your clipboard then pasting into your real system etc., amongst other things. Neither does Sandboxie "sandbox" your memory.

It's good guys... But don't go getting too overconfident with it, it's not bulletproof... yet. Maybe in the future." }-
Can you name any of these specifically designed apps that jump out of the sandbox and how does text copied to clipboard compromise a system?

Kyle1420
October 3rd, 2008, 12:40 AM
Sure, it isn't a "normal app" though. It's malware. We were discussing virtualization in the malware research group at Comodo's forums. If you know what you're doing, send me a PM and you could join the group and learn/share with each other the various techniques malware uses, among other things.

Nothing is 100%

Franklin
October 3rd, 2008, 04:46 AM
-{ Quote: "
Nothing is 100%" }-
And may I extend an invite to your fine self to PM me with any PoC you may have, so that I could contact the author of SB, or maybe you could pass any on personally.

It can only help make one of the best ever security apps even better and work toward that magic 100% security.

Kyle1420
October 3rd, 2008, 06:15 AM
Sent message in regards to Franklin.

soccerfan
October 3rd, 2008, 07:07 AM
-{ Quote: "Sandboxie is good... Yes, but programs are being designed to jump out of them, such as copying themselves to your clipboard then pasting into your real system etc., amongst other things ..." }-
This was also said in the Infoworld article. The response of sandboxie's developer was:

"Being able to put stuff on the clipboard, for these guys that's an attack.
I emailed them once to ask why but didn't get a response."

Perhaps you could explain why it constitutes an attack.

If there is any other poc that is not contained, that would be news indeed.

@Franklin: If Kyle has informed you of such a poc, I hope you'll continue to keep us informed of the results of your testing.

soccerfan

Kyle1420
October 3rd, 2008, 08:07 AM
I can think of one thing straight off the top of my head: some worms/malware install themselves in memory, never even touching the disk (therefore not being sandboxed).
I've already explained why the clipboard is an attack.

I think you guys are getting me all wrong, I'm not bashing Sandboxie at all. It's a great program and I have used it *I really like it!*

What I am saying is that people using virtual programs on their production machines or home PCs shouldn't rely solely on sandboxing or boot-to-restore virtualisation.

soccerfan
October 3rd, 2008, 08:34 AM
-{ Quote: "... I'm not bashing Sandboxie at all. It's a great program and I have used it *I really like it!*" }-
Kyle, all your points are well taken and do not IMHO in any way imply bashing this product.

-{ Quote: "I've already explained why the clipboard is an attack." }-
Perhaps I'm being dense this morning (no coffee yet!).
Could you please humor me and explain again (or guide me to the appropriate post). Many thanks in advance.

soccerfan

HURST
October 3rd, 2008, 08:42 AM
I do hope that test results get posted here or in the SBIE forums, so improvements can be added...

Franklin
October 3rd, 2008, 09:40 AM
Kyle1420, I would hazard a guess and say you are full of shite:
-{ Quote: "And therefore I will not hand over via email nor links to anyone. These discussions are on the forums, as per the links to these "nasties". All you have to do is PM Melih about wanting to join, then you can share/help and learn and put ideas out about new products or new methods you would" }-
Why would I wanna join a beta program that causes more probs than fixes?

Kyle1420
October 3rd, 2008, 10:40 AM
I told you how to find out more about this issue and gain access. For obvious reasons I won't be "giving 0-day malware" to anyone.
I don't get what you mean by "program". It's a forum that I'm referring to.

Also I don't appreciate being told I'm full of *poo*. I came here to discuss and share opinions, and I've also taken my time out to personally help you and give you the info you need.

Please use PM instead of open posts.

EDIT: If you are going to quote me, please quote the whole message:
-{ Quote: "Hello Franklin. As part of the Malware research group we often come across 0-day threats and web-based exploits, and because of this they are very new and unknown to a lot of well-established AVs. And therefore I will not hand over via email nor links to anyone. These discussions are on the forums, as per the links to these "nasties". All you have to do is PM Melih about wanting to join, then you can share/help and learn and put ideas out about new products or new methods you would think are effective.

Also, great that you want to help Sandboxie! It is a very fine app. If you join the forums, feel free to send samples off to competitors. Melih doesn't mind. All one big family, whether you are for avast!, Eset, Symantec, etc." }-

Franklin
October 3rd, 2008, 10:47 AM
Okee Dokee, PM sent.
-{ Quote: "POC please" }-

Cerxes
October 3rd, 2008, 11:21 AM
-{ Quote: "Sandboxie is good... Yes, but programs are being designed to jump out of them, such as copying themselves to your clipboard then pasting into your real system etc., amongst other things..." }-
Kyle...

Once again you just confirm for the rest of us that you're nothing more than a simple braggart, spreading around FUD since you can't support your statements with any PoC. And when other members want some answers or further explanations, you really do your best to avoid this by referring to some ridiculous reason such as the following:

-{ Quote: "...I've already explained why the clipboard is an attack..." }-

Where have you explained this?

or:

-{ Quote: "...As part of the Malware research group we often come across 0-day threats and web-based exploits, and because of this they are very new and unknown to a lot of well-established AVs. And therefore I will not hand over via email nor links to anyone..." }-

Please...

Or as you did in this (http://www.wilderssecurity.com/showthread.php?t=220906) forum/thread, where you avoided, or "didn't want", to refute my question and arguments, by simply referring to links with product descriptions/praising = marketing...

Once again, if there's something that I really detest, it has to be braggarts without deeper knowledge, spreading a lot of FUD without any proof.

/C.

Kyle1420
October 3rd, 2008, 11:40 AM
The answer and the methods of finding them out are right in front of you. Wilders Forums has rules, Comodo Forums has rules. I'm abiding by them and not handing anything out to "random people".

You either have to follow the process or not. Either way, I'm sure that people using Sandboxie in the group will report any exploits to Sandboxie.

And in regards to the post with BOClean, it should stay in that thread, as this one is to do with Sandboxie.
I have explained all that needs to be said in that thread, and if you wish to continue trying to find something to pick at, feel free, but not in this thread.

Kees1958
October 4th, 2008, 05:06 AM
Hi,

I just discovered a new form of user mode rootkit. Can't be stopped by windows policy management, sandboxes, etc.

A pity I can not tell you about it. I would have to kill you if I did.

8) 8) 7

ruinebabine
October 4th, 2008, 06:24 AM
-{ Quote: " 8) 8) 7" }-
Are you sure your choice of emoticons was the right one to carry the purpose of your post?
:^)

doktornotor
October 4th, 2008, 06:32 AM
-{ Quote: "I just discovered a new form of user mode rootkit. Can't be stopped by windows policy management, sandboxes, etc.

A pity I can not tell you about it. I would have to kill you if I did." }-

Indeed - the user sitting behind the keyboard has always been the worst rootkit ever... and will continue to be for quite some time. ;D

arran
October 4th, 2008, 06:44 AM
-{ Quote: "Specifically, does anyone have anything to say about the 2 exploits that Sandboxie missed; Adobe Flash clipboard hijack and the XP Antivirus malware program?" }-

Yes, I have something to say about this.

-{ Quote: "I tested Antivirus 2009 a while back in Sandboxie. It did show the program tray icon running on the taskbar, which was a concern " }-

And I also have something to say about this.

Not yet mentioned in this thread: anyone remember the extra settings that you can add to Sandboxie to make it more secure, which prevent programs from running inside Sandboxie?

ProcessGroup=<RunAccess_DefaultBox>,firefox.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
ClosedIpcPath=!<RunAccess_DefaultBox>,*
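
An added example, not part of the thread and not Sandboxie's own code: a small Python checker that reads a Sandboxie.ini and reports, per box, which programs the ProcessGroup/ClosedIpcPath pair above lets start. The sample ini embedded in it is constructed for the example (one box with the start restriction from the post, one without), and the function names and the reading of "a box without that pattern has no start restriction" are this example's assumptions, not Sandboxie's documentation. Repeated keys are kept as lists because Sandboxie.ini allows a key to appear more than once in a box, which a stock ini parser would merge or reject.

```python
import re
from collections import defaultdict

# Constructed sample Sandboxie.ini for this example (not from the page or from a real install).
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
ProcessGroup=<RunAccess_DefaultBox>,firefox.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
ClosedIpcPath=!<RunAccess_DefaultBox>,*
ClosedFilePath=C:\\Users\\%USER%\\Documents\\*

[TestBox]
Enabled=y
"""


def parse_sandboxie_ini(text):
    """Return {section: {key: [value, ...]}}.

    Keys may repeat inside a box (several ClosedFilePath lines, for example),
    so every key maps to a list instead of a single value.
    """
    boxes = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section is None or "=" not in line:
            continue  # ignore stray lines outside any section
        key, _, value = line.partition("=")
        boxes[section][key.strip()].append(value.strip())
    return boxes


def start_whitelist(box_settings):
    """Programs allowed to start in a box under the ProcessGroup/ClosedIpcPath pattern.

    Returns the group's member list when the box has
        ProcessGroup=<Group>,prog1,prog2,...
        ClosedIpcPath=!<Group>,*
    (every IPC path closed to anything NOT in <Group>, so other programs cannot
    start), or None when no such restriction is configured (example's assumption).
    """
    groups = {}
    for value in box_settings.get("ProcessGroup", []):
        name, _, members = value.partition(",")
        groups[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    for value in box_settings.get("ClosedIpcPath", []):
        match = re.fullmatch(r"!(<[^>]+>),\*", value.strip())
        if match and match.group(1) in groups:
            return groups[match.group(1)]
    return None


def audit(text):
    """Map every box name (GlobalSettings excluded) to its start whitelist or None."""
    return {
        box: start_whitelist(settings)
        for box, settings in parse_sandboxie_ini(text).items()
        if box != "GlobalSettings"
    }


if __name__ == "__main__":
    for box, allowed in audit(SAMPLE_INI).items():
        if allowed is None:
            print(f"{box}: no start restriction (any program can run in the box)")
        else:
            print(f"{box}: only {', '.join(allowed)} may start")
```

Point it at a real Sandboxie.ini by replacing SAMPLE_INI with the file's contents; a box reported with no start restriction is the kind HURST keeps for testing malware, while everyday boxes should show a short whitelist.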

HURST
October 4th, 2008, 08:25 AM
But those anti-execute settings defeat the whole purpose of testing.
I use them for my everyday sandboxes, but I have 1 sandbox with almost default settings just to test malware.

Kyle1420
October 4th, 2008, 09:34 AM
This might help make things a bit tighter in certain boxes:

BlockDrivers=y
BlockWinHooks=y
BlockFakeInput=y

Franklin
October 4th, 2008, 10:46 AM
-{ Quote: "This might help make things a bit tighter in certain boxes:

BlockDrivers=y
BlockWinHooks=y
BlockFakeInput=y" }-
Aren't those resources blocked by default unless specified to allow?

HURST
October 4th, 2008, 10:58 AM
Franklin you are right...

rolarocka
October 4th, 2008, 10:59 AM
-{ Quote: "Yes, I have something to say about this.
Not yet mentioned in this thread: anyone remember the extra settings that you can add to Sandboxie to make it more secure, which prevent programs from running inside Sandboxie?

ProcessGroup=<RunAccess_DefaultBox>,firefox.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
ClosedIpcPath=!<RunAccess_DefaultBox>,*" }-

With the new beta you can do this within the GUI of Sandboxie; there is a new menu called "Restrictions".

Kyle1420
October 5th, 2008, 05:10 AM
-{ Quote: "Franklin you are right..." }-

Oh ok, cool. I never looked into the GUI, I just did everything via the .ini.