
View Full Version : What's the use of having security software?


IBadget
May 1st, 2009, 03:20 AM
What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security. I can't help but dream of a sandbox that is impenetrable to even the most advanced malware.

BrendanK.
May 1st, 2009, 03:25 AM
Nothing can guarantee 100% safety on the internet. Why? Because it is all up to the user.

If you're an extremely risky surfer you will come across those types of malware eventually. And the opposite can be said if you only visit sites you know and trust.

A sandbox or a program like DefenseWall HIPS does not guarantee 100% safety either; they are like a safety net. The same can be said for firewalls, antivirus, etc.

In order to be a risky surfer and maintain a high level of security you need a layered approach, and no one product can do that. But even in having a layered approach something may eventually slip through :) And there is a purpose to security software: it protects you 99.99% of the time you are out surfing on trusted, sometimes even malicious sites...Downloading something you shouldn't be or visiting an unsafe website is another story.

Franklin
May 1st, 2009, 03:29 AM
-{ Quote: "I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway" }-
Which malware can infect the real system when run sandboxed?
-{ Quote: "I can't help but dream of a sandbox that is impenetrable to even the most advanced malware." }-
Start/Run access.;)

Rmus
May 1st, 2009, 03:36 AM
-{ Quote: "If you're an extremely risky surfer you will come across those types of malware eventually. And the opposite can be said if you only visit sites you know and trust." }-This is not true so much any more. Remember the Miami Dolphins Super Bowl Web site that was hacked? And the many Google Search links that redirected to a server with malware. SQL injections into legitimate sites occur daily.

You just have to be prepared for anything and take nothing for granted.

This is not to assume a doomsday approach to using the internet. It does assume that you are prepared in case of a mishap.

----
rich

BrendanK.
May 1st, 2009, 03:38 AM
Yeah, I thought I should edit my post to say that it is not 100% guaranteed to even be safe on trusted sites anymore. But you do have to agree - being on a trusted site is a lot safer than being on a warez site downloading random applications that catch your fancy or visiting a crack site (places I know that my friends get infected) ;)

Plus I brought up some discussion :shifty:

IBadget
May 1st, 2009, 03:42 AM
-{ Quote: "Which malware can infect the real system when run sandboxed?

Start/Run access.;)" }-

Sure I could use Start/Run access to keep possible malware from running. However, I would be unable to run a downloaded game to see if the game is malware-free. Is there any software out there that lets you analyze a file's behavior without messing up your system?

Eice
May 1st, 2009, 03:45 AM
What's the use of wearing seat belts and crash helmets, when people continue to die in road accidents?

What's the use of having a police force, since they've never managed to eliminate crime?

Seriously, is this question even worth asking?

Franklin
May 1st, 2009, 03:47 AM
A VM and Zsoft Uninstaller, and besides, you could create another sandbox to install the game in and monitor it with Zsoft?

Franklin
May 1st, 2009, 03:50 AM
-{ Quote: "I can't help but dream of a sandbox that is impenetrable to even the most advanced malware." }-
Stop dreaming!

progress
May 1st, 2009, 04:04 AM
-{ Quote: "What's the use of wearing seat belts and crash helmets, when people continue to die in road accidents?
" }-

Nice sentence Eice :D

arran
May 1st, 2009, 04:26 AM
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security. I can't help but dream of a sandbox that is impenetrable to even the most advanced malware." }-


Hi Badget, I know why you posted this. You have been reading the other thread
http://www.wilderssecurity.com/showthread.php?t=239942

Don't let it put you off using Sandboxie. Using Sandboxie is much better than using nothing at all. Even though it is possible for malware to bypass Sandboxie and cause permanent damage, the fact remains that no one knows of any such malware, which indicates that there are very few malware samples out there, if any, atm.

-{ Quote: "Stop dreaming!" }-

Franklin, when I post about Sandboxie it's nothing personal, so don't take it as an attack; it's just my opinion.

This Start/Run access setting in Sandboxie which everyone raves on about is nothing new. Even a very basic HIPS program can achieve this. If you are only using Sandboxie to prevent executables from launching in the first place, then why use Sandboxie? All you really need is a simple anti-executable HIPS program.

One of the main reasons why you use a sandbox program like Sandboxie is so you can run things in it without the things inside affecting the rest of your system. Which Sandboxie is unable to do, well not properly anyway...

Kees1958
May 1st, 2009, 04:51 AM
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security. I can't help but dream of a sandbox that is impenetrable to even the most advanced malware." }-

When we bought our last house (11 years ago), I got a free service to check your 'resistance' against burglary. The time it took to break into our house varied from 2 to 6 minutes. Especially the door between the garage and our house was vulnerable (wrong lock plating on a very strong lock made it easy to penetrate). I took countermeasures, so it would last at least 6 minutes at all possible entries and 8 minutes at one easy-to-access room on the first floor. Also placed auto-switch lights with movement sensors at the most likely places. According to the Dutch police a burglar on average wants to spend no more than 4 - 5 minutes to open an entry. So with the 'hunt' theory in mind (to survive an attack of a lion, you do not have to outrun the lion, only the other people chased by the lion), we have settled for an assuring level of security (in our mind). We live in a reasonably safe area, so the specialist said we did not need 10 minutes of resilience time (my wife first asked this of him), because our neighbours probably did not take these additional countermeasures.

PC security is about the same: determine some baseline protection level to ensure a minimum threshold for intrusions. Depending on your knowledge you choose the security applications suited for that expertise level. Also the mix of applications to use depends on your behaviour on the digital highway.

So when you have removed the locks of your house, because nothing is 100% safe, I would say YES (it is useless). In all other circumstances, I would say NO (it is useful). Sandboxie is one of the most efficient ways of reducing the attack surface of your PC; I would re-install it.


Regards Kees

NoIos
May 1st, 2009, 06:21 AM
I think it is almost impossible for malware that infects the system via the browser without user intervention to escape from the sandbox.

If you're talking about files that you have downloaded from a warez site and you run them sandboxed...then yes...there is a possibility. But if you know that you have downloaded a file from an untrusted site, then I think that you should take all possible measures. Personally when I want to run such a file...I enable shadow mode with Shadow Defender...there are other similar products...and then run the file sandboxed (Sandboxie), always having the latest image made with Paragon around. You never know, and since nobody can provide 100% security...you can make it 100% damage free to run the file. As you have noticed I have not used any traditional security software. Those are for every day use.

Peter2150
May 1st, 2009, 08:25 AM
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security. I can't help but dream of a sandbox that is impenetrable to even the most advanced malware." }-


You read malware can break out and infect the real system. Where did you read it? Who was the author and what was the malware?

Martijn2
May 1st, 2009, 10:44 AM
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security. I can't help but dream of a sandbox that is impenetrable to even the most advanced malware." }-
What's the use of a lock on your door while burglars can break a window and come in from there? It helps to reduce the chance of breaking in ;)

noone_particular
May 1st, 2009, 12:13 PM
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security." }-
First of all, nothing is 100% secure and no security software can make Windows 100% secure.

Next point/question:
Why do people think that this 100% security (or as close as you can get to it) must come from one security app such as SandBoxie? No matter what a vendor might claim, no security app, suite or package does everything.

Regarding Sandboxie. I'm trialling Sandboxie on one of my systems and am quite impressed with it, but there is no way I would ever expect it to stand alone and totally secure my system. There is no perfect code. Sooner or later, someone will find a way to defeat Sandboxie. The vendor will fix that problem, then we'll do it all over again. Just about every good security app has gone through that process.

IMO, Sandboxie is at its best when it's used to isolate those apps that are likely to open or make contact with malicious code (the attack surface) from the rest of the operating system. The OS itself should still be protected by the same software the user would have been running if they didn't have Sandboxie. On my system, SSM protects the OS itself while Sandboxie isolates the attack surface. If Sandboxie is somehow bypassed, any malicious code will have to defeat SSM and a default-deny security policy, extremely unlikely to happen.

kwismer
May 1st, 2009, 01:05 PM
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security. I can't help but dream of a sandbox that is impenetrable to even the most advanced malware." }-

????

you use preventative controls to as best you can vastly reduce the number of malware that can affect your system...

the use in doing so is that it's a lot cheaper (in time/energy/etc) to prevent the malware affecting your system than it is to correct the problem ('an ounce of prevention is worth a pound of cure')... prevention and correction are your only options so it makes sense to use the option that costs you the least as often as possible...

since nothing is perfect, you also need detective (to detect when prevention has failed) and corrective controls... you need them because your dream of an impenetrable sandbox will always be just a dream...

arran
May 1st, 2009, 05:16 PM
-{ Quote: "Sandboxie is able to reduce the rights of the program you're running sandboxed too. And it doesn't just prevent the program from running, it prevents it from communicating to the internet also. You can also deny access of the program you're running sandboxed to critical or sensitive areas of your system. In addition to this, you can simply empty the sandbox to get rid of any malware downloaded. I can't think of any other program that can offer all this and with such flexibility. It's basically as near a 100% security as you can get when running something sandboxed properly configured.

Anyway, I'm thinking you are under-estimating Sandboxie there." }-


Remember the htaaa, htaab, htaac, stop, stop2 tests from the other thread?
When I tested them in Sandboxie I tested them with Drop My Rights and it made no difference.

In regards to Sandboxie blocking things from accessing the internet, that has also been bypassed as well with the http://www.firewallleaktester.com/leaktest26.htm test.

In regards to Sandboxie emptying the sandbox and deleting malware, I agree that it is good at flushing the toilet after each browsing session. However there are better alternative methods, like preventing such files from being downloaded in the first place.

When I was using Sandboxie before, I was using Firefox with NoScript and CS Lite blocking all cookies, and I was using Ad Muncher, and I had the offline cache storage set to 0 MB. By doing all of this nothing gets saved to the hard disk, no files, nothing. So as an end result there was never anything there for Sandboxie to delete.

Another method is by using Malware Defender's file rules, which can prevent your browser from creating files. If new files can't even be downloaded and created in the first place, then one would assume it would be impossible to get infected by malware.

nick s
May 1st, 2009, 05:54 PM
-{ Quote: "In regards to sandboxie blocking things from accessing the internet that has also been bypassed as well with the http://www.firewallleaktester.com/leaktest26.htm
test." }-Are you sure about that? Sandboxie's internet access restriction is working as advertised for me...

arran
May 1st, 2009, 06:45 PM
nick s, how are you meant to load web pages if you are blocking Internet Explorer?

It is quite common for malware to access the internet using your web browser and what I am saying is that sandboxie can't prevent this.

That test is also able to communicate outside of the sandbox and is able to launch your web browser if it is not running.

tipstir
May 1st, 2009, 07:19 PM
OP is right about Sandboxie; it used to work great, but two bad files that Prevx had popped up reporting were cloak-malware in that C:\Sandboxie folder. So the way this software is supposed to work is when you terminate it everything gets destroyed, but not so..

No matter what, you need security software if you're going to use a browser to access the internet. You can block all bad tracker cookies, run a virtual OS, go remote into the box and thus get on the internet.

Downloading apps with embedded malware/trojans/bots to take off and do damage: the coders are getting smarter and software can now crash security tools to stop them from trying to update their database or even run. I've seen it.. None can be 100% but you can come very close to it..

Maybe we should go back to the days of RAMDISK and store the internet cache on that. When you exit out the cache would clear itself.

Tarq57
May 1st, 2009, 07:40 PM
-{ Quote: " OP is right about Sandboxie it use to work great, but bad two files that PrevX had popped up reporting there was cloak-malware in that C:\Sandboxie folder." }-
Was this before or after you emptied the sandbox?

Before= not an issue.
After= more info needed.

arran
May 1st, 2009, 08:20 PM
-{ Quote: "Downloading apps with embedded malware/trojans/bots to take off and do damage: the coders are getting smarter and software can now crash security tools to stop them from trying to update their database or even run. I've seen it.. None can be 100% but you can come very close to it.." }-

It is possible to be 100%. It's very simple to do. After you have downloaded the app and scanned it with your AV and/or submitted it to virustotal.com, install and run the app on another operating system image on another hard disk or partition. If all is normal then you can install it on your main operating system, and if you are still paranoid use DefenseWall and run it as untrusted.


-{ Quote: "Maybe we should go back to the days of RAMDISK and store the internet cache on that. When you exit out the cache would clear itself." }-

I find that with my cache turned off it makes no difference in browsing speed, due to fast internet, Firefox speed tweaks and inbound filtering, i.e. NoScript and Ad Muncher.

arran
May 1st, 2009, 09:47 PM
-{ Quote: "If I become so paranoid to the point where I won't want to download or create any files from the internet, it's time to disconnect my modem, burn it up, and go out and use the local internet cafe instead haha!" }-

It's not about being paranoid. Unless you are using browser caching or downloading new apps to try, why do new files need to be downloaded by your browser to your PC? What is their purpose?

-{ Quote: "Why would I run a file as "untrusted" if I wanted to make sure it ran and installed properly on my system so I could use the program properly?" }-

From my experience so far all programs running as untrusted function perfectly normally, and correct me if I am wrong, but I am still yet to read on these forums of an example of software not working properly when it is running as untrusted.

IBadget
May 1st, 2009, 10:19 PM
-{ Quote: "You read malware can break and and infect the real system. Where did you read it. Who was the author and what was the malware?" }-

I read it from the "Some test" thread in this forum. What caught my attention is the post saying that malware can shut down Sandboxie because Sandboxie can't control the behavior of the malware. stop.exe and stop2.exe are examples of malware that bypasses Sandboxie, as well as the RegTest thing that is able to shut down your computer even when run Sandboxed.

andyman35
May 1st, 2009, 11:16 PM
-{ Quote: "Sure I could use Start/Run access to keep possible malware from running. However, I would be unable to run a downloaded game to see if the game is malware-free. Is there any software out there that lets you analyze a file's behavior without messing up your system?" }-
Apart from running sandboxed there are other approaches to this you could take.

1. Virtualisation. Either a 'Returnil type' system emulator, or Symantec SVS application virtualisation (similar to a sandbox in some respects); or running within a VM such as VirtualBox (all free). There are pros and cons to all these approaches that have been explained in detail on these forums. (It's 4am so I'm not feeling long-winded enough to go into huge detail.)

2. Disk imaging. This offers the most comprehensive option, since you can run the application as it was intended on your 'real' system, then simply revert to a pre-installation image/snapshot once you've finished with it. There are free options such as Macrium Reflect, or commercial options such as RollbackRX that have more functionality.

HungJuri
May 1st, 2009, 11:35 PM
With DefenseWall, what do you do if two years from now you decide you want to use something different and uninstall DefenseWall? Now you have a bunch of programs all over your comp, some as trusted some as untrusted, you can't remember which, it's a total mess, versus installing in a sandbox and cleanly deleting that sandbox whenever you like and it is gone.

nick s
May 2nd, 2009, 12:27 AM
-{ Quote: "Nick s How are you meant to load web pages if you are blocking internet explorer??" }-
You asserted that ZAbypass bypasses Sandboxie's internet access restriction. Would I not need an IE internet restriction in place to test your claim?

-{ Quote: "It is quite common for malware to access the internet using your web browser and what I am saying is that sandboxie can't prevent this." }-
Sandboxie's job is to isolate/virtualize that scenario, not prevent it...unless you wish to apply more restrictive sandbox settings.

-{ Quote: "That test is also able to communicate outside of the sandbox and is able to launch your web browser if it is not running." }-A sandboxed ZAbypass invoked a sandboxed IE process. Sandboxie worked as advertised.

innerpeace
May 2nd, 2009, 12:34 AM
-{ Quote: "Sure I could use Start/Run access to keep possible malware from running. However, I would be unable to run a downloaded game to see if the game is malware-free. Is there any software out there that lets you analyze a file's behavior without messing up your system?" }-
If you want to download files it's best to research the company and download it from a "trusted" source. By trusted I mean directly from the vendor's site or from a reputable download site. You also really need to ask the question "Do I really need this game or program?".

I think this has been mentioned but you can create a separate sandbox to run the file in. However, you would need the proper knowledge or other programs to determine if the file was malicious. An ideal situation would probably be to run the program in a VM or on a test machine.

You could also scan the files with multiple AS/AM/AV scanners and/or upload them to be scanned or analyzed. I use this method as well as staying away from unknown applications. I also have an image I can restore if I do get infected.

P.S. Am I the only person who mainly uses Sandboxie for my internet facing apps?
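
The approach Franklin (create another sandbox and monitor with Zsoft Uninstaller) and innerpeace (you need other programs to determine if the file was malicious) are describing is an install monitor: snapshot the filesystem before running the unknown app on a scratch image, snapshot again afterwards, and review what changed. The Python script below is an added example, not code from this thread or from any of the products named in it. It hashes every file under a root with SHA-256, diffs two snapshots, and flags added or changed files that are executables or that land under an autostart path. The directory layout, the `autostart/` prefix and every file name are constructed for the demo; on a real test image you would point `snapshot()` at the system drive before and after the install. Registry changes, which a tool like Zsoft also tracks, are outside what this script covers.

```python
"""Before/after filesystem snapshot to see what an installer left behind.

Added example for the thread above. The tree it builds is constructed for
the demo, and the ``autostart/`` prefix is an assumption standing in for the
real autostart locations on a test image.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16
# Extensions worth a second look when they show up as new or changed files.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _sha256(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            snap[rel] = (full.stat().st_size, _sha256(full))
    return snap


def diff_snapshots(before, after):
    """Return the files that appeared, disappeared, or changed between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def flag_suspicious(diff, autostart_prefixes=("autostart/",)):
    """Pick out new or changed files that are executable or persist via an autostart path.

    autostart_prefixes is an assumption for the demo; on a real Windows image it
    would be the Startup folders and similar persistence locations.
    """
    prefixes = tuple(p.lower() for p in autostart_prefixes)
    flagged = []
    for rel in diff["added"] + diff["modified"]:
        lowered = rel.lower()
        if Path(lowered).suffix in EXEC_SUFFIXES or lowered.startswith(prefixes):
            flagged.append(rel)
    return flagged


def demo():
    """Constructed scenario: a 'game' install that drops a DLL and an autostart entry."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "game").mkdir()
        (root / "autostart").mkdir()
        (root / "game" / "readme.txt").write_text("release notes\n")
        (root / "game" / "config.ini").write_text("fullscreen=1\n")
        (root / "game" / "old.log").write_text("stale log\n")
        before = snapshot(root)

        # Simulated installer activity (constructed, not a real installer).
        fake_pe = b"MZ" + b"\x00" * 62
        (root / "game" / "game.exe").write_bytes(fake_pe)
        (root / "game" / "helper.dll").write_bytes(fake_pe + b"\x01")
        (root / "game" / "config.ini").write_text("fullscreen=1\nupdate_url=example\n")
        (root / "game" / "old.log").unlink()
        (root / "autostart" / "updater.lnk").write_text("game/helper.dll\n")

        after = snapshot(root)
        diff = diff_snapshots(before, after)
        return diff, flag_suspicious(diff)


if __name__ == "__main__":
    changes, flagged = demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {changes[kind]}")
    print(f"flagged for review: {flagged}")
```

Running the script prints the three change lists and the flagged entries; in the constructed scenario the new .exe and .dll and the autostart shortcut are flagged, while the edited config.ini is listed as modified but not flagged. Hashing rather than comparing timestamps matters because an installer can set any mtime it likes on the files it drops.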

HungJuri
May 2nd, 2009, 12:38 AM
-{ Quote: "It is quite common for malware to access the internet using your web browser and what I am saying is that sandboxie can't prevent this." }- Maybe 5-6 years ago, what browser are you on?

arran
May 2nd, 2009, 03:25 AM
-{ Quote: "With DefenseWall, what do you do if two years from now you decide you want to use something different and uninstall DefenseWall? Now you have a bunch of programs all over your comp, some as trusted some as untrusted, you can't remember which, it's a total mess, versus installing in a sandbox and cleanly deleting that sandbox whenever you like and it is gone." }-


You don't need to try and remember what is trusted and what isn't. DefenseWall shows a list of what is trusted and what isn't, and if you do happen to have malware on your PC and you want to uninstall DefenseWall, just restore a backed-up image. I really don't see this being any issue at all.

-{ Quote: "You asserted that ZAbypass bypasses Sandboxie's internet access restriction. Would I not need an IE internet restriction in place to test your claim?

Sandboxie's job is to isolate/virtualize that scenario, not prevent it...unless you wish to apply more restrictive sandbox settings." }-

But if you apply more restrictions then you can't load web pages. It is not a true test if you also block your web browser. Sandboxie should be able to block it without you having to block your browser; otherwise what use is it if you can't load web pages?


-{ Quote: "A sandboxed ZAbypass invoked a sandboxed IE process. Sandboxie worked as advertised." }-

A sandboxed ZAbypass can also invoke an IE process outside of the sandbox, which it shouldn't be able to do.

-{ Quote: "Maybe 5-6 years ago, what browser are you on?" }-

Malware is always finding ways to bypass firewalls, and I think you will find that using the browser is still one of the methods used.

softtouch
May 2nd, 2009, 04:54 AM
-{ Quote: "from my experience so far all programs running as untrusted function perfectly normal, and correct me if I am wrong but I am still yet to read on these forums of an example about software not working properly when it is running as untrusted." }-

I have some Delphi programs which do not work as untrusted...

TheEndX
May 2nd, 2009, 05:23 AM
-{ Quote: "I read it from the "Some test" thread in this forum. What caught my attention is the post saying that malware can shut down Sandboxie because Sandboxie can't control the behavior of the malware. stop.exe and stop2.exe are examples of malware that bypasses Sandboxie, as well as the RegTest thing that is able to shut down your computer even when run Sandboxed." }-

There has been a lot of misinformation being published on this topic recently, especially because of people using the words "bypass" and "control" so loosely. Unfortunately, when coupled with people improperly judging program functionality in tests and people ignoring most of the posts in the threads just to get to the "juicy" parts, the result can hold no higher title than "garbage".

I have yet to be able to prove the statement about programs outside of a standard configuration sandbox being terminated by a program inside the sandbox. I already explained in the "Some test" thread what happened when I tested htaa*.exe. No legitimate termination occurred. Considering that, Sandboxie, even with potential included, can not be terminated by any of the sandboxed programs tested in "Some test" even if they were remade to do so using their same methods.

It is also important to note that Stop.exe and Stop2.exe do not have process termination capabilities. The actions of Stop*.exe are not security threats. Therefore, Sandboxie was not built to block their functionality. Sandboxie was not made to be a resource hog moderator.

Ilya Rabinovich
May 2nd, 2009, 05:23 AM
-{ Quote: "If any program could install and run with full functionality as "untrusted", then I might consider re-visiting DefenseWall" }-
Not every program can be installed as untrusted, but most of them can. In fact, DefenseWall was and is designed to be as user-friendly with untrusted installation/uninstallation as possible for a policy-based sandbox.

TonyW
May 2nd, 2009, 06:34 AM
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway." }-I don't use Sandboxie, and don't have plans to, but not because of this. Although I'm aware legitimate sites can fall prey to malware as has been shown from time to time, I still argue the case for considering what you do online and how that affects the chances of getting malware, with or without Sandboxie.

I do have an AV, which is security software, and even with that I often wish it would alert me more often if all these reports on forums like this are anything to go by, but then I have to accept I'm probably not doing the same things as some of you guys. Sure, there's always a risk, but I hope we'd all try to minimise that risk as best we can. :)

arran
May 2nd, 2009, 07:20 AM
-{ Quote: "Hmm, arran, any thoughts on my posts above? I was looking forward to an answer. Anyway, sounds like there are indeed some programs that can't even "run" properly as untrusted, not to say "install" as untrusted." }-

Yeah, sorry, there are so many posts that need replying to, and I can't reply to every single one.

While it is probably true that not all programs will work properly untrusted, not all programs need to be run in untrusted mode. It is mainly just programs that connect to the internet that pose a security risk which need to run as untrusted. I ask you, why would you need to run programs with a good reputation that don't connect to the internet untrusted? I really only run my browser and online games as untrusted. I also run VLC video player and FastStone image viewer untrusted, in case any images or video files I download happen to have malware or malicious code attached to them.

As for trying out new and unknown apps, like I said before in this thread, virus scan them and test run them on another OS and see how well they behave before you install them on your main OS. For me personally this is very seldom.

-{ Quote: "I have yet to be able to prove the statement about programs outside of a standard configuration sandbox being terminated by a program inside the sandbox. I already explained in the "Some test" thread what happened when I tested htaa*.exe. No legitimate termination occurred. Considering that, Sandboxie, even with potential included, can not be terminated by any of the sandboxed programs tested in "Some test" even if they were remade to do so using their same methods." }-

And while you explained in the "Some test" thread that no legitimate termination occurred, I also explained later on that Sandboxie and explorer.exe are terminated by the registry test when the registry test is running inside Sandboxie. And by the way, htaac.exe does also actually terminate explorer.exe. So TheEndX, your statement is completely incorrect.

-{ Quote: "It is also important to note that Stop.exe and Stop2.exe do not have process termination capabilities. The actions of Stop*.exe are not security threats. Therefore, Sandboxie was not built to block their functionality. Sandboxie was not made to be a resource hog moderator." }-

Well, DefenseWall isn't a resource hog and yet it manages to prevent them all, with the exception of stop2.exe previously.

arran
May 2nd, 2009, 08:10 AM
ssj100 I have a question for you, while you are going on and on about programs not working properly if you install them in Untrusted mode, well wouldn't this be the same problem if you try to install programs inside sandboxie? I can't see how things would install properly inside sandboxie?


Why is it more accurately phrased that defense wall only prevent 3 out of 4?

With the Tests I agree that no permanent damage was done and that there is no such malware atm. I am not disputing that. But thinking about it Logically this doesn't mean to say that malware can't be written to cause permanent damage. It has already been achieved for things to communicate outside of the sandbox and terminate explorer.exe, how much harder is it to achieve another step?? if programs can terminate explorer from inside the sandbox then surely it wouldn't be very hard to achieve 1 more step and write to the hard disk?

DefenseWall has a MUCH STRONGER sandbox in controlling the behavior of malware than Sandboxie does. Do you want to know why? I will give you a clue: what feature does Sandboxie have that DefenseWall doesn't have?

virtumonde
May 2nd, 2009, 08:29 AM
-{ Quote: "ssj100, I have a question for you. While you are going on and on about programs not working properly if you install them in Untrusted mode, wouldn't this be the same problem if you try to install programs inside Sandboxie? I can't see how things would install properly inside Sandboxie.

Why is it more accurately phrased that DefenseWall only prevents 3 out of 4?

With the tests I agree that no permanent damage was done and that there is no such malware atm. I am not disputing that. But thinking about it logically, this doesn't mean to say that malware can't be written to cause permanent damage. It has already been achieved for things to communicate outside of the sandbox and terminate explorer.exe; how much harder is it to achieve another step? If programs can terminate explorer from inside the sandbox, then surely it wouldn't be very hard to achieve 1 more step and write to the hard disk?" }-
While I'm sure that no program offers 100% protection, and I would be glad if Sandboxie was bypassed by real malware writing in the registry and not some PoCs designed to test HIPS, because I know that the developer will fix the security issue in a few hours at most, can you until then stop the nonsense misinformation regarding Sandboxie?

Franklin
May 2nd, 2009, 08:37 AM
-{ Quote: "What feature does Sandboxie have that DefenseWall doesn't have?" }-
Gave DefenseWall a quick spin in a VM so don't really know much about it.

Give me a couple of years to throw my 2 gig of malware samples at it that Sandboxie easily contained and I'll get back to ya.;)

Is it possible with DefenseWall to isolate an installed malware sample and its dropped components so as to upload to antimalware vendors?

Such as the 1.exe below that drops five other hidden trojans.


ruinebabine
May 2nd, 2009, 09:01 AM
-{ Quote: "So for example, if you are testing a program and run it as trusted, your real system is pretty much infected" }-
For sure, if you run it trusted you are telling DW "Please, open the gates" because you trust this app, and you are not testing DW anymore; your choice.

As another poster already said, take the time to RTFM or read the online help; it is very educative, for me at least it was.

Peter2150
May 2nd, 2009, 10:13 AM
-{ Quote: "And while you explained in the "Some test" thread that no legitimate termination occurred, I also explained later on that Sandboxie and explorer.exe are terminated by the registry test when the registry test is running inside Sandboxie. And by the way, htaac.exe does also actually terminate explorer.exe. So TheEndX, your statement is completely incorrect." }-


I think you and some others are missing the point. If you want complete isolation, use a VM; that wasn't what Sandboxie was designed for. It allows interaction with the machine, but isolates certain types of actions.

All the registry test was designed for was to prove RegDefend protects the registry, and the test was set up to prove that. Sandboxie wouldn't stop that, but it would stop the real system registry from being modified. But try and install a piece of security software that needs to install drivers and start services. Not going to happen. Point is, Sandboxie may or may not stop a particular action, but it will prevent it from harming the real system.

As far as shutting down explorer.exe, so what? Every now and then when I try to access a shared folder, explorer hangs. When I force that window closed, explorer terminates itself (I lose everything on the desktop) and then it restarts and all is back to normal. No big deal. But if I run a real live trojan like Killdisk, which indeed will trash the hard drive, Sandboxie stops it cold.

I don't run any AV because of Sandboxie, and let's see which I would prefer: Sandboxie, which may allow explorer to be terminated but blocks anything dangerous people have thrown at it, or an AV, which may or may not catch something, but on occasion with an FP might delete a critical system file, which has happened.

Frankly this thread started with a somewhat off base premise and has gone nowhere.

Pete

HungJuri
May 2nd, 2009, 12:12 PM
-{ Quote: "You don't need to try and remember what is trusted and what isn't. defense wall shows a list of what is trusted and what isn't. and if you do happen to have malware on your pc and you want to uninstall defense wall, just restore a backed up image. I really don't see this being any issue at all." }- A backed up image of what? The original setup, before my 200 programs have been installed? Get a grip man - you can be so forgiving on the shortcomings of products you like. "Oh just install it on a separate OS" "Oh just back up an image" The fact is that once with Defence Wall you are with it for life or you need a format and reinstall of everything. And where is the Defence Wall sandbox? I know you call it a Policy Sandbox ... whatever that is. Sounds like DropMyRights to me.

Creer
May 2nd, 2009, 03:21 PM
-{ Quote: "(...) I think if you are an expert, you can clean these remnants of malware out though. Also there's a feature in DefenseWall (can't recall the name for now) that potentially allows you to reverse all the changes in the registry and created files of this malware program...it's not easy if you are a novice that's for sure though!
(...)
" }-
It's called "Rollback List" feature and you will find this by pushing the button "File and registry tracks".

arran
May 2nd, 2009, 05:04 PM
-{ Quote: "I don't think DefenseWall is capable of that. As I said, DefenseWall and Sandboxie are two different applications. You could probably use them both together to complement each other! I think LoneWolf is trying that at the moment?" }-

When I was testing reg test and those other tests, at one stage I had both Sandboxie and DefenseWall running. I found that when I tested them inside Sandboxie, DefenseWall was unable to control their behavior; DefenseWall's protection powers are stripped when you run things inside Sandboxie. So having both Sandboxie and DefenseWall isn't a good idea.

-{ Quote: "A backed up image of what? The original setup, before my 200 programs have been installed? Get a grip man - you can be so forgiving on the shortcomings of products you like. "Oh just install it on a separate OS" "Oh just back up an image" The fact is that once with Defence Wall you are with it for life or you need a format and reinstall of everything. And where is the Defence Wall sandbox? I know you call it a Policy Sandbox ... whatever that is. Sounds like DropMyRights to me." }-


who on earth would have as many as 200 programs installed?

crofttk
May 2nd, 2009, 07:18 PM
-{ Quote: "...200 programs is a lot, but I guess that's how some people work." }-With almost one third (20) of respondents to this: http://www.wilderssecurity.com/showthread.php?t=120570 having more than 100 or "too many to count" installed, probably a few do approach 200.

Peter2150
May 2nd, 2009, 08:08 PM
-{ Quote: "A backed up image of what? The original setup, before my 200 programs have been installed? Get a grip man - you can be so forgiving on the shortcomings of products you like. "Oh just install it on a separate OS" "Oh just back up an image" The fact is that once with Defence Wall you are with it for life or you need a format and reinstall of everything. And where is the Defence Wall sandbox? I know you call it a Policy Sandbox ... whatever that is. Sounds like DropMyRights to me." }-

Hello. I've installed Defense Wall and uninstalled it with no problem. I don't think that was a "fact" but an opinion.

Saraceno
May 2nd, 2009, 09:17 PM
DefenseWall uninstalls without problems.

Give it a trial - then post your thoughts.

TheEndX
May 2nd, 2009, 09:44 PM
-{ Quote: "And while you explained in the "Some test" thread that no legitimate termination occurred, I also explained later on that Sandboxie and explorer.exe are terminated by the registry test when the registry test is running inside Sandboxie. And by the way, htaac.exe does also actually terminate explorer.exe. So TheEndX, your statement is completely incorrect." }-

Unfortunately, I did not consider RegTest as a part of the "Some test" thread and have not tested it. However, after reading RegTest's description, I do not believe RegTest terminates programs. As it says, it sends a shutdown signal and succeeds, although that operation should have been blocked by Sandboxie. Nonetheless, RegTest does not terminate anything; Windows does (based on the description).

My post in the "Some test" thread was mainly about htaac.exe and its alleged termination of explorer.exe. Unless we somehow got very different results, explorer.exe is not terminated, however the taskbar does disappear along with desktop icons. By simply opening Windows Task Manager, I observed that explorer.exe is still running.


-{ Quote: "Well Defense wall isn't a resource hog and yet it manages to prevent them all, with the exception of stop2.exe previously." }-

You missed the gist of that paragraph. I did not imply that a program had to be a resource hog to manage stop*.exe. (Plus the term I used was resource hog moderator: a program that manages resource hogging programs.) My point was that Sandboxie is meant to block security threats, threats that stop*.exe are not.

m00nbl00d
May 2nd, 2009, 10:00 PM
As someone wisely already mentioned before, and this time I'll be using a different analogy (or analogies): why the need for us to get shots, to have a decent dieting habit, wear worm clothes when it is cold, etc.? To prevent us from becoming ill. Does it mean we won't? Does it mean that some of these people that take these measures won't die of cancer? Or, if lucky enough, just get this illness, make the treatment, and get better?

What's the need for such protection measures, if we still get sick and still die? Let's not eat (properly), let's not wear any worm clothes when it is cold, let's not take any shots, let's not...

What are seat-belts needed for, for example? Besides the fact it is mandatory by law, people making use of them still have accidents, and they still die. But others, well, they get to live, due to the fact that they used the seat-belts.

Cheers


P.S: Nothing uninstalls 100% from our system. As an example: download a trial version of a popular software, install it, let it end, and then uninstall and reinstall it. See if you can run the trial again. My wild guess is that you can't. Why? Information is still left behind. (Which I totally oppose, because, well... Let's face it... It is my damn system, and if I want something gone, it should be for once... Not any different from... "spying".)

RCGuy
May 2nd, 2009, 10:16 PM
-{ Quote: " ...why the need for us to...wear worm clothes when it is cold, etc?...
...let's not wear any worm clothes when it is cold... " }-

Hi, m00nbl00d. I'm sure that you meant "warm" clothes. But before I figured out what you meant, I was momentarily perplexed at first. :) But besides that, that was a very good analogy.

-{ Quote: "P.S: Nothing uninstalls 100% from our system. As an example: download a trial version of a popular software, install it, let it end, and then uninstall and reinstall it. See if you can run the trial again. My wild guess is that you can't. Why? Information is still left behind. (Which I totally oppose, because, well... Let's face it... It is my damn system, and if I want something gone, it should be for once... Not any different from... "spying".) " }-

I'm sure that you meant that you "can" run the trial again. But is it true that stuff that is still left behind after an uninstall can function like spyware?

m00nbl00d
May 2nd, 2009, 10:22 PM
-{ Quote: "Hi, m00nbl00d. I'm sure that you meant "warm" clothes. But before I figured out what you meant, I was momentarily perplexed at first. :) But besides that, that was a very good analogy.
" }-

Sorry for the typo!!!! :D The damn worms already invaded my mind!!!

-{ Quote: "I'm sure that you meant that you "can" run the trial again. But is it true that stuff that is still left behind after an uninstall can function like spyware?" }-

Yes, I can run the trial. But my wild guess is that the popular ones, let's say, like Adobe Photoshop, Norton 2009, etc., after the trial ends, even if you uninstall it, though you still can install it, you won't be able to run it, as information saying that it has already been used for the allowed trial period stays behind. That's how a software application "knows": by checking against either a registry key or file, or both, I guess.

I don't say it's spyware. I called it "spying" because, well, information was still left behind, so that a new installation would know a previous one, whose trial period ended, has been used already, hence blocking a new use of it.

RCGuy
May 2nd, 2009, 11:04 PM
-{ Quote: " Yes, I can run the trial. But my wild guess is that the popular ones, let's say, like Adobe Photoshop, Norton 2009, etc., after the trial ends, even if you uninstall it, though you still can install it, you won't be able to run it, as information saying that it has already been used for the allowed trial period stays behind. That's how a software application "knows": by checking against either a registry key or file, or both, I guess.

I don't say it's spyware. I called it "spying" because, well, information was still left behind, so that a new installation would know a previous one, whose trial period ended, has been used already, hence blocking a new use of it." }-

Okay, I see what you're saying. However, I would say that the software/manufacturer is just CYA-ing....Covering Your(or Their) Arse. ;)

HungJuri
May 3rd, 2009, 01:46 AM
-{ Quote: "Hello. I've installed Defense Wall and uninstalled it with no problem. I don't think that was a "fact" but an opinion." }- I am not talking about whether or not DW uninstalls. What I mean is this. Let's say you install DW and go about your life and start installing programs you like, and you install them as untrusted. After a period of time you have installed quite a few programs - some stayed, some didn't. A few of them, let's presuppose, contained malware (otherwise there is no need for DW in the first place). So now you have malware that is mixed in with your files, but it is not able to do permanent damage because DW is there - guarding you. Now comes the day you decide to uninstall DW - and all this malware springs to life. You see things are acting strangely on the comp (or maybe you don't), and it could be from something you installed months ago. You would have no clue what was the problem - you would have to reformat and reinstall Windows.

jmonge
May 3rd, 2009, 02:21 AM
Not really; if you install files untrusted you can always roll them back or delete them any time ;) and if you want to trust them, then that's when your second line of defense has to work hard for the trusted files introduced to the real system, so having 2 layers is a smart decision :)

arran
May 3rd, 2009, 03:32 AM
-{ Quote: "While I'm sure that no program offers 100% protection, and I would be glad if Sandboxie was bypassed by real malware writing in the registry and not some PoCs designed to test HIPS, because I know that the developer will fix the security issue in a few hours at most, can you until then stop the nonsense misinformation regarding Sandboxie?" }-

I can't see how the discussions about the failed tests can be classed as misinformation?

-{ Quote: "-{ Quote: " What feature does Sandboxie have that DefenseWall doesn't have?" }-
Gave DefenseWall a quick spin in a VM so don't really know much about it.

Give me a couple of years to throw my 2 gig of malware samples at it that Sandboxie easily contained and I'll get back to ya.;)

Is it possible with DefenseWall to isolate an installed malware sample and its dropped components so as to upload to antimalware vendors?

Such as the 1.exe below that drops five other hidden trojans." }-

Here you have misunderstood what I was saying, because you took a sentence out of a paragraph and made up your own interpretation.

-{ Quote: "I think you and some others are missing the point. If you want complete isolation use a VM machine, that wasn't what sandboxie was designed for. It allows interaction with the machine, but isolates certain types of actions." }-

Well, this is the first I have heard or read anywhere that Sandboxie was only designed to prevent certain types of actions. I would have thought that the "Drop My Rights" settings in Sandboxie should be more effective.

-{ Quote: "DefenseWall "was unable to control" the behaviour simply because it didn't need to! The "malicious behaviour" took place in a virtualised world - the sandbox. You can just empty it all out mate! That's the beauty of Sandboxie - you can test things out inside the sandbox as if it were your real system, but in actual fact, nothing on your real system gets touched!" }-

No, it's not because it took place in a virtualised world, the sandbox; there would be another reason, because how come Malware Defender can control the behavior of things running in Sandboxie?

-{ Quote: "Unfortunately, I did not consider RegTest as a part of the "Some test" thread and have not tested it. However, after reading RegTest's description, I do not believe RegTest terminates programs. As it says, it sends a shutdown signal and succeeds, although that operation should have been blocked by Sandboxie. Nonetheless, RegTest does not terminate anything; Windows does (based on the description)." }-

What difference does it make what terminates the programs? The fact remains that RegTest was the "ROOT" cause of the terminations.

-{ Quote: "My post in the "Some test" thread was mainly about htaac.exe and its alleged termination of explorer.exe. Unless we somehow got very different results, explorer.exe is not terminated, however the taskbar does disappear along with desktop icons. By simply opening Windows Task Manager, I observed that explorer.exe is still running." }-

My and other people's experience was that explorer was terminated.

-{ Quote: "I am not talking about whether or not DW uninstalls. What I mean is this. Let's say you install DW and go about your life and start installing programs you like, and you install them as untrusted. After a period of time you have installed quite a few programs - some stayed, some didn't. A few of them, let's presuppose, contained malware (otherwise there is no need for DW in the first place). So now you have malware that is mixed in with your files, but it is not able to do permanent damage because DW is there - guarding you. Now comes the day you decide to uninstall DW - and all this malware springs to life. You see things are acting strangely on the comp (or maybe you don't), and it could be from something you installed months ago. You would have no clue what was the problem - you would have to reformat and reinstall Windows." }-

HungJuri I have some questions for you.

Why would you want to uninstall DefenseWall? Normally most people decide what security programs they want and they keep it the same without changing, unless you are a person like many people here who are always testing security products. But most testers here have image backups anyway.

If you have unsafe, adware or malware programs installed, why would you want to uninstall DefenseWall?

If you know that you are going to uninstall DefenseWall later on, then why would you install dodgy unsafe programs in the first place?

You could also ask the same question about Sandboxie, because Sandboxie has a setting which forces programs of your choosing to run in the sandbox, so with uninstalling Sandboxie you would have the same problem.

HungJuri
May 3rd, 2009, 03:40 AM
-{ Quote: "Not really; if you install files untrusted you can always roll them back or delete them any time ;) and if you want to trust them, then that's when your second line of defense has to work hard for the trusted files introduced to the real system, so having 2 layers is a smart decision :)" }- I wouldn't even know that I had to roll back anything until after it was too late, with DW being uninstalled.

So then the comparison isn't Sandboxie vs. Defence Wall; it is Sandboxie vs. "Defence Wall plus other programs and/or actions". With Sandboxie, I can install most programs (if it needs a driver, it's going to be clean before I even consider it) into a sandbox and it is completely, cleanly, entirely away and separate, IN A SANDBOX (not some Policy Sandbox play on words), from my file system. I can find it, all of it, and see it, and delete all of it whenever I choose. So it is not "Oh just install it as untrusted, you'll be fine".

HungJuri
May 3rd, 2009, 03:46 AM
-{ Quote: "Why would you want to Uninstall defense wall??" }- That is not the point and only proves what I say in that once you make the decision to go with DW, you are with it for life or reformat and reinstall Windows. DW is not a lifetime license is it? Well Sandboxie is. A one time fee.

HungJuri
May 3rd, 2009, 03:53 AM
-{ Quote: "Why would you want to uninstall DefenseWall? Normally most people decide what security programs they want and they keep it the same without changing, unless you are a person like many people here who are always testing security products. But most testers here have image backups anyway." }- So you have the same products installed as you did 1-2-3 years ago?

-{ Quote: "If you have unsafe, adware or malware programs installed, why would you want to uninstall DefenseWall? " }- If you didn't have malware installed, why would you need DW?

-{ Quote: "If you know that you are going to uninstall DefenseWall later on, then why would you install dodgy unsafe programs in the first place?" }- I don't pre-know that I will be uninstalling it - what if something better comes along?

-{ Quote: "You could also ask the same question about Sandboxie, because Sandboxie has a setting which forces programs of your choosing to run in the sandbox, so with uninstalling Sandboxie you would have the same problem." }- You've never used Sandboxie, by that comment.

HungJuri
May 3rd, 2009, 05:53 AM
-{ Quote: "DefenseWall is a sandbox policy HIPS (completely different to a classical HIPS) and thus will only intervene if your "real system" gets affected, and not your "virtualised sandbox". A very important concept!" }- Really? I never realized DW worked that way, thank you very much for that info ssj100. To me the choice is only more clear now. thanks again. :D

Peter2150
May 3rd, 2009, 03:10 PM
Since there was discussion about Sandboxie, and Regtest, I decided to do some testing.

I think one of the problems when one reads of "tests" is the tester may well not really know what a program like Sandboxie is supposed to do and not do, and also what the tested program is really supposed to do.

But before I started I did a play with APT, Advanced Process Termination.

First, outside of Sandboxie, it terminated all the Sandboxie programs, explorer.exe (which simply restarted) and services.exe (which caused a system shutdown).

Running APT inside Sandboxie, I was able to terminate all of Sandboxie except its service. Although I couldn't see it, it was still running. Still able to terminate explorer.exe, and again it restarted. This time though I was unable to terminate services.

For time's sake I only used Kill1, but still it's obvious Sandboxie protects what's critical.

Then on to RegTest. RegTest is meant to test registry protection. It modifies autostart keys. If successful it tries to reboot (program states it may not succeed, and you may have to reboot). If the registry wasn't protected, then when you restarted, you got a notice on the desktop that you failed.

Running outside of Sandboxie, OA and SSM (only two on right now) caught all the registry changes, which I allowed. System then did reboot, and indeed I got the warning my system was at risk.

Reran the test, and interestingly no warnings from OA or SSM, but test 1 succeeded in changing the registry (or appeared to). Then on to test two. I got a warning from Sandboxie that it had blocked an attempt at system shutdown. So I was sitting there with explorer shut down and just the last box of the RegTest display. I did a power reset and when the system came up I did not get any warning of the system at risk. Reason of course was that the modified registry and the program it calls was in the sandbox and not used on reboot.

Finally I reran the test, and when the shutdown was stopped at the screen with just wallpaper and the RegTest window, I closed the RegTest window and, using Task Manager, restarted explorer. Had the system back. Of course on reboot there was no warning of any issue.

Bottom line: Sandboxie worked as advertised and protected the system.

Pete
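Pete's RegTest runs above come down to one observable: did the real Run keys change, or only the sandboxed copy? The script below is an added example (not part of this thread, and not Sandboxie's, RegTest's or DefenseWall's own code) showing how a defender checks that directly: snapshot the autostart Run keys, run the test, snapshot again, and diff. The live reader uses Python's standard `winreg` module and therefore only returns data on Windows; the diff logic is platform-independent and is exercised here with two constructed snapshots (`BEFORE`/`AFTER`, with a made-up `regtest_demo` value) standing in for a real before/after pair.

```python
"""Detect changes to Windows autostart (Run) registry keys by diffing snapshots."""
from typing import Dict, List, Tuple

# (hive name, subkey) pairs for the usual per-machine and per-user Run keys.
AUTOSTART_KEYS: Tuple[Tuple[str, str], ...] = (
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)

# Snapshot shape: {"HIVE\\subkey": {value_name: command_line}}
Snapshot = Dict[str, Dict[str, str]]


def read_run_key(hive_name: str, subkey: str) -> Dict[str, str]:
    """Read every value under one Run key. Returns {} when not on Windows
    or when the key is missing/unreadable."""
    try:
        import winreg  # Windows-only standard library module
    except ImportError:
        return {}
    hive = getattr(winreg, hive_name)
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # EnumValue raises once the index runs past the last value
                values[name] = str(data)
                index += 1
    except OSError:
        pass  # key absent or access denied: treat as empty
    return values


def snapshot_live() -> Snapshot:
    """Snapshot all AUTOSTART_KEYS on the running system (real keys only;
    a sandboxed write that never reached the real registry will not appear)."""
    return {f"{hive}\\{sub}": read_run_key(hive, sub) for hive, sub in AUTOSTART_KEYS}


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, old, new) for every added, changed or removed entry.
    old == "" marks an added value, new == "" a removed one."""
    findings: List[Tuple[str, str, str, str]] = []
    for key in sorted(set(before) | set(after)):
        old_vals = before.get(key, {})
        new_vals = after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name, ""), new_vals.get(name, "")
            if old != new:
                findings.append((key, name, old, new))
    return findings


# Constructed snapshots (sample data, not taken from a real machine) standing in
# for the state before and after an unsandboxed RegTest-style run.
BEFORE: Snapshot = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {},
}
AFTER: Snapshot = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "regtest_demo": r"C:\Users\demo\AppData\Local\Temp\warn.exe",  # made-up entry
    },
}

if __name__ == "__main__":
    for key, name, old, new in diff_snapshots(BEFORE, AFTER):
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```

Used around a sandboxed run, `snapshot_live()` before and after should diff to nothing, because the write landed in the sandbox's registry copy rather than the real hive; the same pair around an unsandboxed run shows the new autostart value, which is exactly the "system at risk" condition RegTest reports after reboot.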

arran
May 3rd, 2009, 04:47 PM
-{ Quote: "-{ Quote: "You could also ask the same question about Sandboxie, because Sandboxie has a setting which forces programs of your choosing to run in the sandbox, so with uninstalling Sandboxie you would have the same problem." }-
You've never used Sandboxie, by that comment." }-

I was referring to this setting. Any dodgy programs you are not sure about, you can make them run in the sandbox when they execute.
And I have a registered version of Sandboxie and was using it for about 2 years. Cheers

Edit: OK, I made a mistake in the screenie; I was meant to have selected Forced Programs. Not properly awake yet.

HungJuri
May 3rd, 2009, 07:40 PM
Of course I know about forced folders and forced programs. Your statement on uninstalling Sandboxie - -{ Quote: "You could also ask the same question about Sandboxie, because Sandboxie has a setting which forces programs of your choosing to run in the sandbox, so with uninstalling Sandboxie you would have the same problem." }- If I did uninstall Sandboxie I would of course delete any sandboxes created, but even if I didn't, any malware that was installed into a sandbox (or any programs for that matter) would not be workable from the sandbox folder they were in. But your statement is not about installing into a sandbox - it is about running existing programs that are already on the computer as forced programs. So whether Sandboxie was installed or uninstalled, the situation on my comp would not change. You consistently do not answer direct comments and try to divert attention away with answers that do not address the point. This entire thread is pointless.

DasFox
May 3rd, 2009, 10:09 PM
I've said it before and I'll say it again.

EDUCATION is your best weapon, not software!

I've surfed the net since the day it was born and only used a software or hardware firewall and an AV program, a few malware apps and that's it, and I've done all this surfing the worst of the worst.

A Home box is one thing and a server needing protection is another.

Having Fort Knox on a home box is silly; all you really need is a firewall, AV, a couple of malware apps like Malwarebytes and SAS, a HIPS like DefenseWall, and that's more than enough security and protection, and even the HIPS you don't need if you're educated enough on how to deal with things. BUT you still need EDUCATION on how to deal with your software and your surfing habits.

All the toys in the world aren't going to mean spit if you don't know how to use them, how to stay out of trouble and spot trouble and know how to deal with it when you come across it and better yet, learn how to stay away from it!. ;)

arran
May 3rd, 2009, 10:50 PM
-{ Quote: "I've said it before and I'll say it again.

EDUCATION is your best weapon, not software!

I've surfed the net since the day it was born and only used a software or hardware firewall and an AV program, a few malware apps and that's it, and I've done all this surfing the worst of the worst.

A Home box is one thing and a server needing protection is another.

Having Fort Knox on a home box is silly; all you really need is a firewall, AV, a couple of malware apps like Malwarebytes and SAS, a HIPS like DefenseWall, and that's more than enough security and protection, and even the HIPS you don't need if you're educated enough on how to deal with things. BUT you still need EDUCATION on how to deal with your software and your surfing habits.

All the toys in the world aren't going to mean spit if you don't know how to use them, how to stay out of trouble and spot trouble and know how to deal with it when you come across it and better yet, learn how to stay away from it!. ;)" }-


Personally I don't rely on any AV or malware apps like Malwarebytes and SAS to scan and clean out any malware which may be on my system, because I prevent the malware infection from happening in the first place.

With regards to surfing habits, if you know what you are doing, you can surf anywhere on the net without getting infected. Why let infected websites prevent you from going there?

noone_particular
May 4th, 2009, 01:58 AM
-{ Quote: "-{ Quote: "You don't need to try and remember what is trusted and what isn't. defense wall shows a list of what is trusted and what isn't. and if you do happen to have malware on your pc and you want to uninstall defense wall, just restore a backed up image. I really don't see this being any issue at all." }-A backed up image of what? The original setup, before my 200 programs have been installed? Get a grip man - you can be so forgiving on the shortcomings of products you like. "Oh just install it on a separate OS" "Oh just back up an image" The fact is that once with Defence Wall you are with it for life or you need a format and reinstall of everything. And where is the Defence Wall sandbox? I know you call it a Policy Sandbox ... whatever that is. Sounds like DropMyRights to me." }-
If you've installed 200 programs since your last system backup, your security policy needs serious adjustment.

The statement made by DasFox is accurate.
EDUCATION is your best weapon, not software!
Security software is only as good as the security policy it's enforcing and the user that's configuring it. When users install several security apps and still keep finding gaps in the protection, it's because they didn't start with an overall plan. A security policy is like a picture of a puzzle that you're trying to assemble. The available security software is the pieces of many puzzles all mixed together. Not all the pieces will fit your particular puzzle properly. Without a policy or picture as a guide, you don't have a proper standard or criteria to use when choosing your security software or where they best fit into your overall strategy. Polls, popularity, leaktest results, and Matousec's 2 cents are not the proper criteria for making your choices. Start with a plan that covers what your PC is used for, how it's used, who uses it, what software each will use, and what that software requires to function properly, and how different files, media, situations, etc will be handled. Then select the security apps that give you the specific control you need to accomplish those things.

Franklin
May 4th, 2009, 03:15 AM
Then tell me what commonsense really is.

Here my main use of this pc is going to and finding/downloading/running/testing any and all exploits from the worst of the worst sites to the worst of the worst sites.

Doesn't commonsense usually tell people to stay away from compromising sites?

I would state that most Wilders members don't need commonsense as their security setups are way superior to real world setups.

And why do I surf the dark side? So I can help "real worlders" in getting zero day or nonflagged malware into the siggys of real world setups.

And besides I reckon it's great fun when a rogue site thinks they've hooked another victim only to have the tables turned on themselves.

arran
May 4th, 2009, 03:52 AM
-{ Quote: "
I would state that most Wilders members don't need commonsense as their security setups are way superior to real world setups.
" }-

I totally agree with this. That's why I said before: why let infected websites prevent you from going there? It gives me such a warm and fuzzy feeling on the inside that I can go anywhere on the internet and never get infected.

Ilya Rabinovich
May 4th, 2009, 06:14 AM
-{ Quote: "EDUCATION is your best weapon, not software!" }-
Education is important, but security tools are important too. If you are going to build an airplane, knowledge/education/draft is very important, but without instruments and materials you won't make a flight.

Rmus
May 4th, 2009, 01:05 PM
The OP states,

-{ Quote: "IMHO having malware that can bypass security software defeats the purpose of having security software in the first place." }-No one has defined what 'security software' is. If it is something that can keep malware from passing by, then certainly the browser should be considered. Today's versions permit per site managing that gives the user a lot of control over what happens on a web site.

I have yet to find a web site with a remote code execution exploit which serves up malware that works when using Opera.

Add to that a firewall properly configured for inbound protection: what else do you need?

The only other way malware can enter is if the user chooses to open something or install something that is infected. So what are the remedies here?

You can rely on a scanner or other such thing, or you can rely on your own judgment about the source of the file or software you want to download. It seems pretty simple to me.

There is quite a fascination these days with letting malware run and seeing how it can be detected by this or that, and a rush by vendors to keep up with the latest test - now we have Ring-0 tests. Good grief! The unwary reader is left to bemoan the fact that she/he does not have one of the products listed that thwarts this attack, therefore concludes that her/his security is somehow lacking.

There should be a separate forum, "Malware Playground" for stuff like this.

The sandbox has quite a following. (Interesting name - it suggests a playground atmosphere: Let's play in the sandbox!). Its use seems to assume the premise that the user is bound to get malware on to the system, resulting in it being contained by the sandbox.

The danger I see here is that there is less focus on preventing malware from intruding in the first place, and just saying, Oh - it doesn't matter, the sandbox will take care of it.

Having been around computing since Win9x days (and I know there are those who began computing much earlier!) I've seen a change in approaching computer security -- from reliance on one's self to learn and understand how malware attacks work (nothing technical - just knowing the attack methods) and what procedures/policies/products will prevent the attacks from succeeding -- to a reliance on security products to take care of everything, so that if you just "keep your AV or whatever up to date" you are fine.

Recently I stopped in a local computer shop where for many years I've sent people to have custom systems built. I asked the head Tech person what he's seeing these days when he cleans up infected systems.

"99% of all problems I see are caused by operator error."

Think of that. Some other observations he had:

He asks what was the last activity done before the computer showed signs of trouble: most of the time it's downloading free music, videos, cracks, opening e-cards... they admit it...

Most victims have their AV up to date.

So what's the use of having security software? None whatsoever, if it isn't complemented by an understanding of how to set up a strategy and define policies.

You don't even need a firewall if you know how to ensure that ports are closed. Not to be recommended, of course, but you get my point.

----
rich

noone_particular
May 4th, 2009, 03:38 PM
-{ Quote: "There is quite a fascination these days with letting malware run and seeing how it can be detected by this or that, and a rush by vendors to keep up with the latest test - now we have Ring-0 tests. Good grief! The unwary reader is left to bemoan the fact that she/he does not have one of the products listed that thwarts this attack, therefore concludes that her/his security is somehow lacking.
There should be a separate forum, "Malware Playground" for stuff like this.
The sandbox has quite a following. (Interesting name - it suggests a playground atmosphere: Let's play in the sandbox!). Its use seems to assume the premise that the user is bound to get malware on to the system, resulting in it being contained by the sandbox.
The danger I see here is that there is less focus on preventing malware from intruding in the first place, and just saying, Oh - it doesn't matter, the sandbox will take care of it." }-
You hit the nail on the head. Users no longer view security software as tools that help to secure their systems. Instead the software is supposed to do it for them and relieve them of the responsibility of their activities. No software can completely compensate for irresponsible activities on the part of the user.

I also started in the 3.1 and 9X days and have seen the shift in what is expected of security software. Instead of protecting users from external threats, present day software is expected to protect users from their own irresponsible behavior. Users want administrative powers over their systems but don't want the responsibility of learning to be their own administrator, and then complain when the software doesn't protect them from their own actions. I've often wondered how many PCs I'd control if I disguised a new rootkit as a leaktest and posted a link to it in forums like this. I'm beginning to think that it would take something this extreme to get the point across that users can't just let anything execute, then expect their security software to contain the damage.

Your statement regarding SandBoxie and a "playground atmosphere" is exactly right. It implies the PC is a toy, which is what many users regard it as. A toy that can steal users' data and money, a toy that can bring down sites and networks, a toy that can hijack other toys, assemble them together into big toys that can take entire nations offline. If it wasn't for the fact that these "toys" are taken over by others who use them as weapons against innocent users, I'd let those who treat their PCs as toys get what they deserve.

Peter2150
May 4th, 2009, 03:42 PM
-{ Quote: "
The sandbox has quite a following. (Interesting name - it suggests a playground atmosphere: Let's play in the sandbox!). Its use seems to assume the premise that the user is bound to get malware on to the system, resulting in it being contained by the sandbox.

" }-

Hi Rich

This is true up to a point. But there can be real reasons, also. For example I have two very trustworthy young ladies who work for me and use my systems. We use Outlook for business Email, get voicemails by Email attachment, and almost have to open any attachment that a client sends. By running Outlook sandboxed with Sandboxie, they can do this without worry for the most part. Saves a lot of anxiety all the way around.

Pete

noone_particular
May 4th, 2009, 03:51 PM
-{ Quote: "For example I have two very trustworthy young ladies who work for me and use my systems. We use Outlook for business Email, get voicemails by Email attachment, and almost have to open any attachment that a client sends. By running Outlook sandboxed with Sandboxie, they can do this without worry for the most part. Saves a lot of anxiety all the way around.

Pete" }-
There's an example of the proper use of SandBoxie, isolating the attack surface (Outlook in this case) from the operating system and other user software. I'd bet that your operating system is also defended by other software that will protect it even if SandBoxie failed to contain something opened in it.

Rmus
May 4th, 2009, 03:54 PM
Hi Pete,

I see your point about email.

What types of malware come as an email attachment these days?

If that is a concern, why use a product that lets the malware install and then be contained, rather than something that blocks the malware at its source?

----
rich

arran
May 4th, 2009, 04:32 PM
-{ Quote: "
The danger I see here is that there is less focus on preventing malware from intruding in the first place, and just saying, Oh - it doesn't matter, the sandbox will take care of it.
rich" }-

I agree the sandbox should be the second layer of defense, not the first. Everyone should have some inbound filtering.

I use Seconfig and Windows Worms Cleaner to disable those open ports.
Admuncher and NoScript filtering.
CSLite to block global cookies.
ActiveX and Java and all other plugins disabled.
LNS for packet filtering.
And Malware Defender monitoring and blocking the creation of folders and files in Documents and Settings.
So 99.9 percent of the crap is blocked before it even gets to DefenseWall's area of protection. :) :) :)


-{ Quote: "

Think of that. Some other observations he had:
he asks what was the last activity done before the computer showed signs of trouble: most of the time it's downloading free music, videos, cracks, opening e-cards... they admit it...

Most victims have their AV up to date.

So what's the use of having security software? None what so ever, if it isn't complemented by an understanding of how to set up a strategy and define policies.

You don't even need a firewall if you know how to insure that Ports are closed. Not to be recommended, of course, but you get my point.
rich" }-

The amount of ignorance in this world still amazes me. Most people on the internet just think that by having an updated AV and a firewall (which normally isn't configured properly) they will be fine. Even computer repair guys at computer shops can be just as ignorant. From my experience they only recommend and say, "Oh, just install AVG and Zone Alarm free and you will be fine." In some places I know of they will even install AVG and Zone Alarm for you as part of their wonderful services.

As a result of this continuous ignorance in today's computer world, malware and hackers continue to have a field day.

Fly
May 4th, 2009, 05:28 PM
I think the real problem is Microsoft's OS, which allows by default and blocks by exception. That's an inherently unsafe system.

The internet (WWW) is also an insecure system. It wasn't designed for issues where security and confidentiality are necessary.

Then there is the coding of applications, including browsers.
It's usually sloppy. I'm no IT pro, but from what I understand there are no established standards for software engineering compared to the engineering of, for example, cars, hospital equipment or aeroplanes. (By 'established standards' I don't mean things like .NET or XML.) I'm not sure why. The pressure to bring a product to the market and make money fast probably has a lot to do with it. Seriously, in software reviews bugs (if they are not too serious) don't get much attention, and in the average PCMAG review most bugs don't turn up.

One can blame the user. But there are so many ways to deceive a user, most people can't keep up. The malware writers keep coming up with new tricks.
Because many people fall for the scams, there is money to develop new scam tactics/software.

Truth is, the internet as it exists today is not suited for matters where security and privacy are paramount. It was not designed for that. It's an open network.

I'm actually thinking about dropping things like online banking, Paypal, online purchases by credit card etc. Then security would become much less of a concern. Like in the 90s.

It's all supposed to be progress, but is it really ?

arran
May 4th, 2009, 05:47 PM
-{ Quote: ".

I've often wondered how many PCs I'd control if I disguised a new rootkit as a leaktest and posted a link to it in forums like this. I'm beginning to think that it would take something this extreme to get the point accross that users can't just let anything execute, then expect their security software to contain the damage.

" }-

I don't think you would be able to control very many PCs. If you did make such a program, and people ran your leak test executable, what would happen is that most people's HIPS would block the installation of the rootkit.

Peter2150
May 4th, 2009, 08:07 PM
-{ Quote: "Hi Pete,

I see your point about email.

What types of malware come as an email attachment these days?

If that is a concern, why use a product that lets the malware install and then be contained, rather than something that blocks the malware at its source?

----
rich" }-

Like what? If you are talking about another email client at this point, the switch over would be a nightmare.

Rmus
May 4th, 2009, 10:47 PM
No, not another email client, but protection at the gate that would prevent malware from executing if an attachment were opened.

I haven't followed email exploits in a while, since there are so few, but current ones that might fool someone would be

PDF where upon opening, the Reader calls out to download malware.

DOC, XLS files with an embedded executable as an OLE object.

Less likely to fool someone (hopefully!) would be

"I Love You" attachments which are really executable files

Fake MS update notices (I haven't seen these in a long time!)

Many solutions exist to prevent such execution.

I think I understand the sandbox concept; it's just I get nervous thinking that malware might get onto my computer, even though it might be contained. I say "might" because you stated that

-{ Quote: " By running Outlook sandboxed with Sandboxie, they can do this without worry for the most part." }-It's the parts besides "most" that concern me!

----
rich
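The attachment vectors listed in this post (an executable hiding behind a harmless-looking name, a PDF whose open action calls out, an Office file carrying an embedded OLE object) can all be checked at the gate before anyone opens the file. Here is an added Python example, not code from the thread or from any product named in it, that triages attachments by extension chain, magic bytes and a few content heuristics. The sample attachments are constructed in-line and contain no real malware; the file names, the block/review/allow vocabulary and the extension list are this example's own assumptions.

```python
"""Attachment triage for the e-mail vectors discussed above (added example).

Rules, in order: executable or double extensions are blocked (the "I Love
You" case); a PE header behind a non-executable name is blocked; PDFs with
actions that make the Reader call out, and OLE compound files holding an
embedded 'Package' object, go to review; everything else is allowed."""

# Extensions Windows runs on double-click (illustrative, not exhaustive).
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
             "js", "jse", "wsf", "wsh", "ps1", "msi", "hta", "lnk"}

# PDF dictionary keys that trigger behaviour on open (call-outs, scripts).
PDF_ACTIVE = (b"/Launch", b"/URI", b"/JavaScript", b"/JS", b"/OpenAction")

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header (DOC/XLS)
# An embedded executable object is normally stored in a stream named
# 'Package'; OLE directory entry names are UTF-16LE. This is a substring
# heuristic, not a full OLE directory walk.
OLE_PACKAGE = "Package".encode("utf-16-le")


def extension_chain(name):
    """'photo.jpg.exe' -> ['jpg', 'exe']; 'README' -> []."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def sniff(data):
    """Identify the container by magic bytes, ignoring the file name."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # also DOCX/XLSX/PPTX containers
    return "other"


def triage(name, data):
    """Return (verdict, reasons); verdict is 'block', 'review' or 'allow'."""
    exts = extension_chain(name)
    kind = sniff(data)
    reasons = []

    # 1. Anything Windows would execute is blocked outright; a second
    #    extension in front of it is the classic disguise.
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) > 1:
            reasons.append("double extension, shown as ." + exts[-2])
    # 2. Trust the bytes, not the name: a PE image called .jpg is still a PE.
    if kind == "pe" and not (exts and exts[-1] in EXEC_EXTS):
        reasons.append("PE header behind a non-executable name")
    if reasons:
        return "block", reasons

    # 3. Documents are not blocked, but active content sends them to review.
    if kind == "pdf":
        hits = [k.decode() for k in PDF_ACTIVE if k in data]
        if hits:
            return "review", ["PDF active content: " + ", ".join(hits)]
    if kind == "ole" and OLE_PACKAGE in data:
        return "review", ["embedded OLE 'Package' object (heuristic scan)"]
    return "allow", []


def triage_all(attachments):
    """Map each attachment name to its verdict."""
    return {name: triage(name, data)[0] for name, data in attachments.items()}


# Constructed sample attachments (not real malware): just enough bytes to
# exercise each rule. Names and contents are assumptions of this example.
SAMPLES = {
    "LOVE-LETTER-FOR-YOU.TXT.vbs": b'MsgBox "hello"',
    "holiday-photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "invoice.pdf": (b"%PDF-1.4\n1 0 obj\n"
                    b"<< /OpenAction << /S /URI /URI (http://example.invalid/x) >> >>\n"
                    b"endobj\n%%EOF\n"),
    "quarterly.xls": OLE_MAGIC + b"\x00" * 24 + OLE_PACKAGE + b"\x00" * 8,
    "agenda.txt": b"1. Welcome\n2. Budget\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = triage(name, data)
        print(f"{verdict:6} {name:30} {'; '.join(why)}")
```

The point of the ordering is that the name alone is never trusted: the extension check and the magic-byte check are both applied, so renaming an executable to `.jpg` or hiding `.vbs` behind `.TXT` lands in the same `block` bucket. Office and PDF documents are legitimate business attachments, so they are only escalated to review when they carry the specific features this post describes, rather than being blocked wholesale.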

Peter2150
May 4th, 2009, 11:23 PM
-{ Quote: "

It's the parts besides "most" that concern me!

----
rich" }-

More an expression of speech than anything. I've put Sandboxie through the wringer, and I have no concerns about anything they might open. Some stuff may trigger OA, but even with that I don't worry. When I test how malware does with Sandboxie, I turn off the HIPS, because I assume I may get it wrong.

Sandboxie hasn't failed anyone yet that I am aware of

Pete

softtouch
May 5th, 2009, 01:29 AM
I thought this topic was about "What's the use of having security software?", but it seems like it's just a Sandboxie/DefenseWall discussion. The topic title should be renamed.

"What's the use of having security software?"

I think it's already overkill to have a dozen security applications running, being busy the whole day cleaning, scanning... where is there time to actually USE the computer?

It's almost like I would have a guard in front of each door in my house, guard dogs running around, and sit the whole day in front of my security monitor and watch who might attack my house.

Boost
May 5th, 2009, 01:37 AM
LMAO @softtouch

I agree with you 100%! Like I've said before many times, there's more to life than spending all your time / energy trying to make your computer setup a 100% secure fortress!!

There's a BUNCH of people on here that really need to step back and grab themselves a more enjoyable hobby, that's for sure!! :thumb:

Osaban
May 5th, 2009, 02:05 AM
To get infected is not the end of the world. Analogies are often made with a burglar breaking into your house: I think that would be extremely traumatic and dramatic if you happened to face the intruder. A 10-minute restore from an image and you are back in business; with your house you are truly violated, and even if you have insurance there is a psychological damage.

HungJuri
May 5th, 2009, 03:33 AM
-{ Quote: "I thought this topic was about "What's the use of having security software?", but it seems like it's just a Sandboxie/DefenseWall discussion." }- I think it developed that way because of the first sentence in the opening post;
-{ Quote: "What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie?" }-

progress
May 5th, 2009, 03:45 AM
-{ Quote: "
It's almost like I would have a guard in front of each door in my house, guard dogs running around, and sit the whole day in front of my security monitor and watch who might attack my house." }-

Hehe, it sounds great :D

arran
May 5th, 2009, 05:13 AM
-{ Quote: "
I think it's already overkill to have a dozen security applications running, being busy the whole day cleaning, scanning... where is there time to actually USE the computer?" }-

I don't think many people here would have as many as 12 security applications running; the average would be about 5 or 6. I only have 4 security apps running, which are very light.

But I do agree that there are still too many people who rely on scanning software. These people instead need to learn how to prevent getting infected in the first place. But I guess somebody has to keep AV and antispyware vendors and malware writers in business.

noone_particular
May 5th, 2009, 09:14 AM
-{ Quote: "To get infected is not the end of the world. Analogies are often made with a burglar breaking into your house: I think that would be extremely traumatic and dramatic if you happened to face the intruder. A 10 minutes restore from an image and you are back in business, with your house you are truly violated even if have an insurance, there is a psychological damage." }-
It's not that simple. If the intruder got hold of sensitive financial info, the user could pay heavily. The "just restore" argument doesn't always apply either. It assumes the user knows they've been infected. That's often not the case. A good rootkit can go undetected for a long time, enabling the intruder to come and go as they please, repeatedly searching through your personal files.

Joeythedude
May 9th, 2009, 07:59 PM
-{ Quote: "LMAO @softtouch

I agree with you 100%! Like I've said before many times, there's more to life than spending all your time / energy trying to make your computer setup a 100% secure fortress!!

There's a BUNCH of people on here that really need to step back and grab themselves a more enjoyable hobby, that's for sure!! :thumb:" }-

I think as long as people realize it's turned into a hobby for them, then it's all right.
There are plenty of hobbies which I think are a bit daft :)

The only problem is a visitor to the site sees a load of apps in a signature and thinks, to h*** with this, it's just too complicated. But hopefully that doesn't happen much.