SBIE against ransomware

Discussion in 'sandboxing & virtualization' started by stvs, Jan 26, 2016.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Well, as Rasheed did figure out, if you had files you just kept in the sandbox and ransomware ran, they would be vulnerable even if it ran sandboxed. But without Sandboxie running, its folder is just another folder. The real key is to get the files out of there someplace safe, and don't let sandboxed applications touch that folder.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
By separating programs in their own sandbox you make Sandboxie tighter, more restricted. Using 10 or 15 sandboxes instead of one allows you to tailor each sandbox according to the Leader program of each individual/dedicated sandbox. When you make your email client the Leader program of a sandbox, then you only allow to run and connect in that sandbox the programs that you normally use when you send and receive mails. That's the basic idea behind separating programs in their own sandbox.
    Kees, I know you are not familiar with SBIE and you don't understand how Sandboxie and email clients interact. I'll try to explain. When you run your email client sandboxed, the proper way of using it is to have the client installed in your host, then you run it under Sandboxie, and when you finish sending and receiving mails, opening attachments, clicking on a link, etc., you delete the sandbox. That's the proper way for running your email client under SBIE. At the end, you delete the sandbox.

    Why?
If you don't delete the sandbox, and keep your emails forever (like you said) within the sandbox, any program that runs in the email client sandbox can read all the activity that you've done; it can steal all the information that's inside. And you don't want that. :)

Let me tell you one of the cool things that Sandboxie does with mails. You are asking yourself now, if I delete the mail sandbox, what happens to the emails I send and receive? Do they get deleted when I delete the sandbox? Are they lost forever?

The answer is no. If you configure the mail client properly, mails that you send and receive get saved out of the sandbox. So, every time you run your email client sandboxed, all your mails are there; you don't lose anything.
    When you run your email client under Sandboxie, the client runs untrusted. In a way, that works the same between SBIE and DW. The difference is that with DW, all activity is saved (as untrusted) to the disk but with SBIE, all is gone when you delete the sandbox, except what you allow to get out. In the case of the mail client, you want to allow the mails that you send and receive so they don't get lost.

    Bo
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I feel the same about that. When I finish using a program, I delete the sandbox.

    Bo
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
To me personally, there are more similarities between DW and SBIE than not. To sandbox/untrust programs and files in my computers, I combine using both paid features (Forced programs and Forced folders) and the sandboxed Windows Explorer. Basically, I run under SBIE the same programs that DW untrusts by default...and a little more. The main difference is what the program does with files that get created in the PC: with DW they stay and you, the user, get rid of them, and with SBIE you delete all by deleting the sandbox, except what you choose to save out of the sandbox.

    Bo
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
So the conclusion is that you don't want to keep any files within a sandbox? Well, accessing any file outside of the sandbox means that malware can read them too (just not write, unless it's stored outside the host computer). I'm not sure how recovered files are affected (mainly "direct access"); can they be modified before leaving the sandbox?

    Browser hijacking aside (which is actually very hard without social engineering), SBIE (especially hardened) is more than enough in most scenarios though IMO. I personally don't even find it necessary for users with safe computing habits... I wonder how you guys deal with cloud services, if you even use one.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Cloud services are a separate issue for me. The files I have in the cloud can't be accessed via Windows Explorer. It has to be either the browser or, in the other case, Jungle Disk's application.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
That's too absolute; I don't make that conclusion. The way I see it, I don't want my important files compromised, so I get them out of the sandbox. Mails are important. Besides that, if you store your mails in a sandbox, eventually, when you delete the sandbox, the mails are lost. That's something most of us wouldn't want to happen.

A lot of things about Sandboxie are opinion, but this thing here about mail clients, that's not an opinion. Keeping, saving your mails in a dedicated sandbox and not deleting the sandbox is wrong.

    Bo
     
  8. Bo I know you are not familiar with policy sandboxes and you don't understand how they work (to reuse your pompous phrase). Big advantage of a policy sandbox is that the files remain untrusted, no matter where they are, so they will ALWAYS stay in a sandbox.

    Regards Kees
     
    Last edited by a moderator: Feb 8, 2016
  9. Automatically saving them out of the sandbox means you are punching a hole in your defense. When they contain malware, they are out of the sandbox onto the real system and it might be game over.

I have a tip for you. Set the folder they are automatically recovered to as a forced folder. In this way you keep them ALWAYS in a sandbox (just make it a different sandbox than your e-mail sandbox).

    Hope this helps to leverage your knowledge on how to use SBIE.
     
    Last edited by a moderator: Feb 8, 2016
10. Yep, remember you have added SecureFolders for that too, so you are triple secured :D, but then again it is your business also, you can't afford to lose it, so better be safe than sorry.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You know it's funny. When people tell me I am paranoid with my setup, I always respond by telling them what I have on my systems relative to information about my clients. Suddenly they don't think I am paranoid, but just very careful. :)
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
I know policy sandboxes a lot better than you know Sandboxie. I used DW, I like it and understand how to use it properly, which is something you don't have a clue about with SBIE. Since I used both programs, I can compare and know the similarities and the things they do differently. By the way, in the quote above, you are telling me what I told you at the bottom of post 77...
    And again, in post 79.
    Bo
     
  13. Yes you are a lot smarter, the post above clearly expresses that.

    A thank you for the tip of post #84 would even enhance your greatness, are you going to use it?
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
Kees, to better your knowledge about Sandboxie, start here on page 1.
    http://www.sandboxie.com/index.php?GettingStarted

About Forced folders. Yes, that's a great feature. Like I told you before, I combine using the paid features (Forced folders and Forced programs) and the sandboxed Windows Explorer to sandbox most files and programs in my computers. But there is a lot more that you can do with the Forced folder feature than sandboxing your Downloads folder. I use this feature to automatically sandbox files and programs that run out of my Downloads folder, other folders where I keep files, CD and DVD drives and USB drives.

    Bo
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
Kees, I am one guy who promotes the usage of that feature. A lot of people who use Sandboxie think of Sandboxie as a browser in a sandbox, when actually Sandboxie is a lot more than that. I'd like to change that view. Check the first sentence of this thread from a few days ago. :)
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=22440

    Bo
     
16. @bo elam When you are such a great promoter, I am surprised you did not mention in this thread

    In all the references you posted, you only mention downloads folder, have not seen you mentioning it to use force folder to sandbox recovered emails and attachments. In post #82 you explicitly mentioned that you recovered emails OUTSIDE the sandbox.

    So question remains unanswered: are you going to use forced folders option also for your recovered emails and attachments ?
     
    Last edited by a moderator: Feb 8, 2016
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
Hi Kees, in a short paragraph: I never stop using Sandboxie. After I recover an attachment to my hard drive, from that moment on until the file gets deleted, this attachment is gonna run sandboxed. The only question really is in which sandbox it's gonna run. For example, if the file is an Excel file, it's gonna run sandboxed in a forced folder if the file is located in a folder that I force, but will run sandboxed in my dedicated Office sandbox if it runs from elsewhere.

    Bo
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Reply to the sentence you added when you edited this post.

    Talking about forcing the downloads folder in that thread would have been off topic.

    Bo
     
  19. @bo elam Okay that covers the attachments, what about the mails themselves?
     
  20. I am not following you, the OP was afraid of drive-by's :confused:
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    If you use web mail, the mails are covered when you run your browser sandboxed.

If you use an email client, the client itself runs under Sandboxie; anything that runs or executes is sandboxed. If you don't recover anything, all changes get deleted when you delete the sandbox. If you recover an attachment to the hard drive, then you can continue running it under SBIE, as explained in previous posts.

    Bo
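As an added example (not posted by anyone in this thread), here is how the workflow Bo and Kees describe could be written in Sandboxie.ini: a dedicated mail sandbox whose recovered attachments land in a folder that a second sandbox forces, so an attachment never runs on the host. The client name (Thunderbird), the mail-store path, the recovery path and the box names are assumptions; adjust them to your own setup.

```ini
# Added example of the two-sandbox mail setup discussed above.
# Assumed: Thunderbird as the mail client, a mail store under C:\Users\Me\Mail,
# and C:\Users\Me\Recovered as the place attachments are recovered to.

[Mail]
Enabled=y
ConfigLevel=7
# Only the mail client is forced into this box; whatever it launches stays inside.
ForceProcess=thunderbird.exe
# Direct access for the mail store only, so sent and received mail is written
# to the host and survives deleting the box (the "configure the client properly" step).
OpenFilePath=thunderbird.exe,C:\Users\Me\Mail\
# Attachments the user saves are offered for recovery into a folder outside this box.
RecoverFolder=C:\Users\Me\Recovered
AutoRecover=y
# Empty the box when the client exits, so nothing else the client touched persists.
AutoDelete=y

[Attachments]
Enabled=y
ConfigLevel=7
# Anything opened from the recovery folder runs in this box, not on the host.
ForceFolder=C:\Users\Me\Recovered
# A recovered attachment must not reach the mail store on the host.
ClosedFilePath=C:\Users\Me\Mail\
# Nothing opened here is recovered automatically; the user decides case by case.
AutoRecover=n
```

With this layout, deleting the Mail box loses no mail, and an attachment opened from the Recovered folder sees the mail store as absent.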
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Yes, but the thread was pretty much specific about running IE sandboxed or running Chrome without SBIE.

    Bo
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
Hi Kees, I got a surprise for you. I got you a Sandboxie license good for a couple of weeks. I got it so you give Sandboxie a good try. You'll be able to test the paid features. I'd like to send you the license in a PM. Send me a mail or open up your mails for me so I can send it to you. :)

    Bo
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
Yes exactly, that was my point. But if you know what you're doing there is less risk of losing files inside the sandbox. I've got several sandboxes, most of them are for testing software, but some are dedicated for a specific app. Normally, files inside these sandboxes are not at risk since only a couple of trusted apps are allowed to run. And those apps are not often attacked by exploits.
     
25. No thx, I already have a lifetime license. I used Sbie before I got a free license for GSwall and a 100 year license for DefenseWall.
     