Sandboxie + Shadow Defender = ?


n8chavez
December 19th, 2008, 10:42 AM
I'm thinking of going the way of complete virtualization. I want to use the combination of SBIE and Shadow Defender. Obviously, that is extremely repetitive, but I think that would provide the ultimate "no configuration needed" security. What are your thoughts on the below configuration?

Sandboxie, WinPatrol Plus, LooknStop, Proxomitron, Shadow Defender

illicit
December 19th, 2008, 10:52 AM
I use a similar configuration. IMO, the way to go. As soon as my paid subscriptions to OA and NOD are over, I will most likely rely on Defensewall (hopefully then with outbound protection :P ), Sandboxie, and SD.

jmonge
December 19th, 2008, 12:22 PM
-{ Quote: "I use a similar configuration. IMO, the way to go. As soon as my paid subscriptions to OA and NOD are over, I will most likely rely on Defensewall (hopefully then with outbound protection :P ), Sandboxie, and SD." }-
cool :thumb:

Peter2150
December 19th, 2008, 12:26 PM
I agree. I use Online Armor, and Sandboxie as the primary, with ShadowDefender, if I am going dodgy. That's it. But it does help a bit if you know what you are doing. I don't think it's a newbie approach.

Pete

pidbo
December 19th, 2008, 01:13 PM
I use the great Shadow Defender sometimes and it will be complete when it allows installed software that requires a re-boot. Sandboxie is a fantastic piece of software, I use it for all my browsing and downloads. The best thing about it is that Ronen Tzur (Sandboxie forum name "Tzuk") keeps in touch with Sandboxie users and offers support in the Sandboxie forum.

n8chavez
December 19th, 2008, 01:31 PM
That's it then. I'll be using this setup from now on. Yeah!! Bye-Bye yearly subscription fees for dumb-ass inadequate signature based products!

Virtualization is the key.

mjgent
December 19th, 2008, 02:04 PM
-{ Quote: "I use a similar configuration. IMO, the way to go. As soon as my paid subscriptions to OA and NOD are over, I will most likely rely on Defensewall (hopefully then with outbound protection :P ), Sandboxie, and SD." }-
Have you had any problems running Sandboxie, Defensewall, and SD? I'm considering the same setup.

illicit
December 19th, 2008, 03:36 PM
-{ Quote: "Have you had any problems running Sandboxie, Defensewall, and SD? I'm considering the same setup." }-

None. Opening the browser can be a little slow, but there are a couple of tweaks you can use to speed it up (i.e. trusting firefox in DW, but untrusting the Sandbox folder itself - therefore still untrusting anything that may escape).

philby
December 19th, 2008, 04:43 PM
Any thoughts on Returnil Free?

Simple enough for me to understand and very useful if you feel the need to backstop Sandboxie...

I've just ditched ESS on one of my boxes to test combination below.

philby

Boost
December 19th, 2008, 05:15 PM
-{ Quote: "Any thoughts on Returnil Free?

Simple enough for me to understand and very useful if you feel the need to backstop Sandboxie...

I've just ditched ESS on one of my boxes to test combination below.

philby" }-

works fine here :thumb:

illicit
December 19th, 2008, 06:04 PM
-{ Quote: "Any thoughts on Returnil Free?

Simple enough for me to understand and very useful if you feel the need to backstop Sandboxie...

I've just ditched ESS on one of my boxes to test combination below.

philby" }-

Returnil worked fine for me as well. In the end I went for the paid version of SD for various reasons, but would definitely recommend Returnil.

philby
December 19th, 2008, 06:15 PM
Thanks for responding.

I noticed you have fwalls -

I've taken the leap of abandoning this layer on the premise that, for "normal" internet work, sboxie + prevx edge + wing and a prayer will be enough.

Just leaves me worrying about keyloggers, though afaik the chances of any logger I have already picked up piggybacking on a clean session of forced ffox are negligible (??)

philby

n8chavez
December 19th, 2008, 07:46 PM
-{ Quote: "Just leaves me worrying about keyloggers, though afaik the chances of any logger I have already picked up piggybacking on a clean session of forced ffox are negligible (??)

philby" }-

That depends. How tightly configured is sandboxie? It has the ability to prevent any application from running or connecting to the internet except the ones that you list. That way, even if you were to get infected with anything it wouldn't matter because it would never be allowed to connect out. Plus whatever it was would be erased the moment you terminate the box.

Osaban
December 19th, 2008, 09:50 PM
-{ Quote: "That's it then. I'll be using this setup from now on. Yeah!! Bye-Bye yearly subscriptions fees for dumb-ass inadequate signature based products!

Virtualization is the key." }-

I couldn't agree more. This has been my approach for a couple of years using ShadowUser (similar to Shadow Defender) + AntiExecutable on an XP laptop. It was really impenetrable. With Vista I have Shadow Defender (unfortunately ShadowUser hasn't been updated for Vista) and Avira, because of a conflict between the new AntiExecutable and First Defense PC Rescue.

Even though I'm also in principle against AVs, it is the only way to check something I want to retain from a shadow session. Mind you one could have the AV only on demand, to check if something got through. AntiExecutable is still the best alternative IMO to AVs, but alas it is so tight that sometimes it doesn't let even legit applications run properly no matter how you tweak it.

n8chavez
December 20th, 2008, 01:54 AM
You know, this new setup has got me thinking. If all I need to do is restart to get things back to when I know everything is 'clean', do I even need WinPatrol? After all, its purpose is to alert the user to changes that might hint at infection. Do I need it now? I don't think so, not with a tightly configured Sandboxie and Shadow Defender.

And it gets lighter still...

crofttk
December 20th, 2008, 02:09 AM
-{ Quote: "You know, this new setup has got me thinking. If all I need to do is restart to get things back to when I know everything is 'clean', do I even need WinPatrol? After all, its purpose is to alert the user to changes that might hint at infection. Do I need it now? I don't think so, not with a tightly configured Sandboxie and Shadow Defender.

And it gets lighter still..." }-
You'll have to answer if you need WinPatrol, IMO. For example, I just started using SandboxIE. I immediately paid up and implemented the forcing of IE into the sandbox on my 8 and 13 year olds' PC - no brainer right? However, I haven't grasped what SandboxIE's limitations are, I have other programs that access the internet, and there are other features of SandboxIE that I haven't begun to get up to speed on yet, so I am by no means ready to shut WinPatrol off on any of our machines.

WP has become the first place I go to get a glance all across the system at what's running, what's starting up and even to manage startups to run "lean" or "full bloat" with selective disabling and re-enabling of background programs. So, it can serve purposes for me other than the original purpose of alerting me to new startup programs.

Need it? Well, I don't really "need" a beer when I get home from work on Fridays, but I like to think of it that way.;)

Yes, it can be lighter still. If you know SandboxIE well and how to tighten it sufficiently and have SD (plus some kind of back-up/image, at least of data, I presume) then indeed why run WP unless you use other of its features and like to have them immediately accessible?

EDIT: ah, yes, I see IFW (excellent for plugging in the WD Passport and imaging my laptops!) in your siggy, so you are imaging I take it.

philby
December 20th, 2008, 05:57 AM
-{ Quote: "That depends. How tightly configured is sandboxie? It has the ability to prevent any application from running or connecting to the internet except the ones that you list. That way, even if you were to get infected with anything it wouldn't matter because it would never be allowed to connect out. Plus whatever it was would be erased the moment you terminate the box." }-

This is what I'm dwelling on right now.

Assume I pick up a keylogger when unsandboxed.

I then run an internet session with firefox forced in sandboxie and the only allowed startup programme.

Could the logger still send out anything it's stolen on the back of firefox.exe?

This is really a critical point.

Would a fw add any effective extra outbound coverage in this particular case or would it be redundant by this point as firefox.exe would have already been allowed outbound access in the fw configuration?

I'm from the generation of users that has taken the necessity of s/w firewalls as an unquestionable given, but I'm really interested in knowing whether tight sandboxing means these can be dispensed with.

If I am allowing only firefox to go outbound via sandboxie, then why do I need to tick a rule in a fw to allow firefox out?

Again, the only danger I can see is nasties taking firefox.exe for a ride through sandboxie.

philby

andyman35
December 20th, 2008, 09:13 AM
-{ Quote: "You know, this new setup has got me thinking. If all I need to do is restart to get things back to when I know everything is 'clean', do I even need WinPatrol? After all, its purpose is to alert the user to changes that might hint at infection. Do I need it now? I don't think so, not with a tightly configured Sandboxie and Shadow Defender.

And it gets lighter still..." }-

I'd argue that in fact you don't need anything else, with a proviso. If you want to update, etc., caution will need to be taken and on-demand scanners would be wise. It can't be overstated just how good the protection offered by SandboxIE is.
The only possible way to get infected while sandboxed would be to come across malware specifically tailored to exploit a flaw within SBIE; these are few and far between due to the excellent coding and the fact that specialist malware such as this just isn't economically viable and is highly unlikely to be encountered outside of a POC at a black-hat convention.

Coupled with Shadow Defender and the use of a secure browser you'd need to be extremely unlucky and spend all your time surfing the dark side of the web to get infected IMO. To be doubly secure you could protect SBIE from malicious tampering by using a HIPS such as D+, but if you really want to keep it light Opera or Firefox (w/noscript) sandboxed is as near to bulletproof as is necessary, at least for websurfing.


As to your point ("Could the logger still send out anything it's stolen on the back of firefox.exe?"): the sandboxed and unsandboxed Firefox are entirely separate, therefore the answer is yes if you're running FF unsandboxed, no otherwise.

Peter2150
December 20th, 2008, 11:45 AM
One question here is how you would pick up the keylogger. I have a sandbox for each browser. My firefox sandbox only allows firefox and my foxit pdf reader to execute and only firefox to access the internet.

All my email is either in a web browser or Outlook which is also sandboxed and only allows Outlook internet access.

Finally I use the default sandbox to check out say a jpg I've downloaded. I use the right click function to run it in the default sandbox. This sandbox will allow anything to run, but nothing can access the internet.

So other than a rogue CD, where would the keylogger come from?

Yes indeed you can button up your system with sandboxie.

Pete

Saraceno
December 20th, 2008, 12:00 PM
n8chavez, try a-squared's hijackfree (http://www.emsisoft.com/en/software/download/).

Also has a portable download link which contains only one file.
http://download3.emsisoft.com/a2HiJackFree.exe

Can manage your autoruns, view your network connections, kill and delete processes, stop/start services, enable/disable start-up programs and so on. I still like winpatrol but find hijackfree provides more detailed information.

Just use it on-demand with sandboxie and shadow defender.

mjgent
December 20th, 2008, 01:54 PM
-{ Quote: "...So other than a rogue CD where would the keylogger come from....

Pete" }-
So would adding something like DefenseWall (to Shadow Defender and well configured Sandboxes as you described) take care of this gap? Or would DefenseWall just be redundant? I'm trying to see where the benefit of adding DefenseWall to this strong setup would be beneficial.

n8chavez
December 20th, 2008, 02:24 PM
SBIE allows you to specify both programs and folders that can then have restrictions placed on them regarding running or accessing the internet. If malware on CDs is a concern, simply place your optical drives within the forced folders configuration. There is no need for Defensewall with a tightly configured SBIE, especially now that it has incorporated Drop My Rights characteristics.
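The layout Peter2150 describes a few posts up (one box per browser, only the browser allowed to reach the internet, a separate mail box, and a default box where anything may run but nothing may connect out), together with the forced-folder idea for optical drives from the post above, can be written down as a Sandboxie.ini fragment. The following is an added illustration by the editor, not configuration posted by anyone in this thread. It assumes the classic Sandboxie.ini keys (Enabled, ForceProcess, ForceFolder, ProcessGroup, ClosedFilePath, ClosedIpcPath) and the `<StartRunAccess>` / `<InternetAccess>` group names and `\Device\Afd*` pattern as documented for Sandboxie of that era; the executable names and the D: drive letter are placeholders. Verify each key against the documentation for your own version before relying on it.

```ini
; Added example (not from the thread): per-purpose sandboxes in Sandboxie.ini.
; Key names are the classic Sandboxie.ini settings; check them against your version.

[FirefoxBox]
Enabled=y
; Firefox is always forced into this box, whether started from a shortcut or a link.
ForceProcess=firefox.exe
; Start/Run restriction: only these two programs may execute inside the box.
; (foxitreader.exe is a placeholder for the PDF reader's executable name.)
ProcessGroup=<StartRunAccess>,firefox.exe,foxitreader.exe
ClosedIpcPath=!<StartRunAccess>,*
; Internet restriction: only firefox.exe may open a network socket; the PDF reader cannot.
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,\Device\Afd*

[OutlookBox]
Enabled=y
; Mail client gets its own box and is the only program in it allowed to run or connect.
ForceProcess=outlook.exe
ProcessGroup=<StartRunAccess>,outlook.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,outlook.exe
ClosedFilePath=!<InternetAccess>,\Device\Afd*

[DefaultBox]
Enabled=y
; Scratch box for opening downloads via right-click "Run Sandboxed":
; anything may run here, but no program in the box may reach the network at all.
ClosedFilePath=\Device\Afd*
; Anything launched from the optical drive lands in this no-network box
; (D:\ is a placeholder for your drive letter).
ForceFolder=D:\
```

The point of the split is least privilege per task: the browser box never lets a second program execute, so something that rode in on a download cannot start, and the scratch box never lets anything connect, so a file opened there cannot phone home even if it does run. Deleting the box contents afterwards is what removes whatever landed in it; Shadow Defender then covers the unsandboxed rest of the system on reboot.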

Frog01
December 20th, 2008, 03:08 PM
I am going to try Shadow Defender in the future; right now I'm sticking with Sandboxie and Avira. :dry:

mjgent
December 20th, 2008, 03:32 PM
-{ Quote: "SBIE allows you to specify both programs and folders that can then have restrictions placed on them regarding running or accessing the internet. If malware on CDs is a concern, simply place your optical drives within the forced folders configuration. There is no need for Defensewall with a tightly configured SBIE, especially now that it has incorporated Drop My Rights characteristics." }-
That makes sense. Thanks

Peter2150
December 20th, 2008, 05:59 PM
-{ Quote: "SBIE allows you to specify both programs and folders that can then have restrictions placed on them regarding running or accessing the internet. If malware on CDs is a concern, simply place your optical drives within the forced folders configuration. There is no need for Defensewall with a tightly configured SBIE, especially now that it has incorporated Drop My Rights characteristics." }-

I didn't go into that, but it's exactly right. Amazing what you can do with this jewel.

andyman35
December 20th, 2008, 10:06 PM
-{ Quote: "I didn't go into that, but it's exactly right. Amazing what you can do with this jewel." }-
It's the most underrated security app out there. Apart from forums like this it barely rates a mention in the 'respected' computer journals. ::)

n8chavez
December 21st, 2008, 12:06 AM
-{ Quote: "It's the most underrated security app out there. Apart from forums like this it barely rates a mention in the 'respected' computer journals. ::)" }-

Honestly, I think that is because virtualization is a concept not familiar to many. The majority of people believe that a malware scanner is the only line of defense; in fact I think that holds true for users here too. If that were not true then I find it very odd that so few people use anything but signature based products with heuristics. In short, they are out to sell their publications, not to inform.

Sandmann
December 21st, 2008, 02:49 AM
I totally agree

andyman35
December 21st, 2008, 11:06 AM
-{ Quote: "Honestly, I think that is because virtualization is a concept not familiar to many. The majority of people believe that a malware scanner is the only line of defense; in fact I think that holds true for users here too. If that were not true then I find it very odd that so few people use anything but signature based products with heuristics. In short, they are out to sell their publications, not to inform." }-

You're probably right. I don't think a lot of people think they're protected unless they have a flashy looking AV util complete with bells and whistles. Plain little SandboxIE just doesn't 'feel' as if it's protecting you, that's why it deserves far greater press coverage to hammer home the fact.

Long View
December 21st, 2008, 12:17 PM
Have tried SB several times and have never been able to get on with it - perhaps again in the new year. SD on the other hand is a program that I would recommend to anyone. 2 days ago I helped set up a laptop and before I left the 9 year old user was happily turning on SD to surf. I would say that for many SD is enough, so SB and SD will be more than enough.

philby
December 22nd, 2008, 03:11 PM
I use Returnil Free and was concerned on reading this:

http://www.castlecops.com/f288-Returnil_Virtual_System_Release.html

Please note that I'm not trying to instigate a flaming session - I'm just interested in the views of those relying on this kind of s/w without any anti-execute additions as mentioned in the thread.

I've been assuming that running the system in memory only (with Returnil / Shadow etc) = safety.

I'd be really interested in knowing what you think - it's the only thread I've ever found that seems to question the merits of a virtualisation only approach.

philby

Hugger
December 22nd, 2008, 06:39 PM
-{ Quote: "I use Returnil Free and was concerned on reading this:

http://www.castlecops.com/f288-Returnil_Virtual_System_Release.html

Please note that I'm not trying to instigate a flaming session - I'm just interested in the views of those relying on this kind of s/w without any anti-execute additions as mentioned in the thread.

I've been assuming that running the system in memory only (with Returnil / Shadow etc) = safety.

I'd be really interested in knowing what you think - it's the only thread I've ever found that seems to question the merits of a virtualisation only approach.

philby" }-

Makes me wonder if it could happen with SD.
Hope not. I didn't see any way of making SD any more secure than it already is.
Hugger

illicit
December 23rd, 2008, 09:30 AM
Security in layers. :thumb: While Sandboxie and SD/Returnil seem airtight, there will always be some malware that can circumvent, as rare as it may be. I do strongly believe in a good virtualization strategy, but throwing in a defensewall, OA, or Comodo with D+, etc makes it that much more sound with minimal system impact.

n8chavez
December 23rd, 2008, 10:38 AM
-{ Quote: "Security in layers. :thumb: While Sandboxie and SD/Returnil seem airtight, there will always be some malware that can circumvent, as rare as it may be. I do strongly believe in a good virtualization strategy, but throwing in a defensewall, OA, or Comodo with D+, etc makes it that much more sound with minimal system impact." }-

Nope. Try this one on for size, no malware in the world can affect you with this. Sandboxie + Shadow Defender + Partition Image on optical media. That is the ultimate virtualization, and you'll have no yearly fees.

illicit
December 23rd, 2008, 10:55 AM
-{ Quote: "Nope. Try this one on for size, no malware in the world can affect you with this. Sandboxie + Shadow Defender + Partition Image on optical media. That is the ultimate virtualization, and you'll have no yearly fees." }-


Don't get me wrong, I totally agree with the approach. I just posted that in reference to the link above re: malware circumventing returnil free. If that was his concern, then that was a solution. :thumb: IMO, total virtualization is a hard concept for some users to grasp, so the addition of a HIPS or FW helps them feel more secure. :P