Sandboxie again....and won't stop grc leaktest

[Chuck57]

I tried sandboxie with the grc leaktest 1.2 last night. Downloaded it, ran it in the sandboxie folder, and it showed responding to grc.com. At that time, I had only windows firewall, so no outbound protection.

My understanding was that Sandboxie stopped all that stuff, or did I misunderstand.

I installed my old version of ZA 6.1.xxx and ran it again. ZA caught the test and stopped it.

So, is Sandboxie at fault, or should I not worry that this one particular program got out? This stuff is all new to me, and not criticizing Sandboxie. It's a great little program

[WSFuser]

sandboxie does nothing to stop network connections and its not meant to.

[Chuck57]

Thanks much for that info. I figured it was a minor detail I'd overlooked in reading about this sandboxing stuff.

[Jarmo P]

Sandboxie only isolates malware.

Leaktest.exe is just a normal program exe file.
Running SSM, it would be recognized as a new application (if not in learning mode) and user gets asked what to do.
If allowed, the program acts just like other normal outbound connection applications, so if a firewall protects outbound, a user gets asked again.

Sandboxie protects rather your real system of not getting infected and does not restrict what malware does in a sandbox (sure can connect to internet too ). Leaktest.exe is though also run in a Sandboxie when executed, so it can only read your real system if even that.

[Chuck57]

I'm using CyberHawk. Have SSM but wanted to try CyberHawk. It did nothing in the way of warning me, but it's not exactly the same as SSM, which I think I'll return to today.

[FastGame]

Hello Chuck57

If you want to take full advantage of Sandboxie here's what you do...

Lets say you want to do online banking or shopping, first you start off with a clean sandbox. After you're done do a simple clear sandbox. Now lets say you want to mess around with some porn or check the underworld out, you have a clean sandbox, visit your underworld sites and clear the sandbox when you are done. For best protection you can clear the sandbox between site visits

Clearing the sandbox is fast and simple, things can't leak when they aren't there.

[Jarmo P]

Quote:

I'm using CyberHawk. Have SSM but wanted to try CyberHawk. It did nothing in the way of warning me, but it's not exactly the same as SSM, which I think I'll return to today.

Leaktest.exe is a normal program, it is not malware.
It should not be detected by Cyberhawk and also SSM treats it as any other normal program.

I don't run SSM real time normally. But it is usefull when installing new software or trying to "monitor system" behaviour when in paranoid or suspicious mood.

[WSFuser]

leaktest if meant to test outbound filtering, so you would need a firewall or HIPS with outbound network control (like SSM or AppDefend).

[Chuck57]

I've got a lot to learn. This is a whole new area of security for me. Time to start reading and playing with software in this area.

[Jarmo P]

Quite new to me too.
I don't much care about diagrams that are currently discussed in some other thread. I take rather a pragmatic viewpoint.

To me I am safe when running programs in a Sandboxie from infecting/corrupting my system.
With SSM i can control what processes/programs I allow to run. It does not protect me from infections in a same way. That is antivirus's etc. department.
I can just block realsched.exe from launching realplay.exe, so it does not have to be about malware.
Cyberhawk smells "bad behaviour" from programs and has some community list knowledge features too.
Though it often reports my Skype.exe of a trojan like behaviour when starting it too

I see a theoretical possibility of a conflict if running SSM and CH same time. Who knows these days what security programs will conflict each other etc. Sure am glad to be running a very well functioning simple packet filter like kerio 2.1.5.
Common sense more important than diagrams, lol:
http://www.wilderssecurity.com/showthread.php?t=155098

[ggf31416]

Quote:

Originally Posted by Chuck57

My understanding was that Sandboxie stopped all that stuff, or did I misunderstand.

Sandboxie prevents the sandboxed programs from changing your "actual system" but not from reading files or making outbound conections.
For example you can send the EICAR test file to VirusTotal through a sandboxed browser.

[Chuck57]

Kind of off topic but regarding sandboxing, what about DefenseWall? I tried it a while back, briefly, and was completely lost. I spent more time trying to figure out the help files than actually using the program. According to the tests in another thread, it might be the best of the bunch - if it can be figured out.

[WSFuser]

heres a quote from an old defensewall thread:

Quote:

The program idea is easy and simple. All applications are divided into trusted ones and untrusted ones. Everything is allowed for the trusted applications, but there are many restrictions for the untrusted ones. The restrictions are as follows: modification of the file system sensitive folders (ex., My Documents, Windows, Program Files), registry keys (ex., autorun, browser and system application settings, etc.), and entire system (installation/changing/deleting of the drivers and services,
protection of the \\Device\\PhysicalMemory, setting of the global window hooks (against so-called keyloggers), etc.).

basically u just place browsers, email, p2p and other internet-related programs into the untrusted list and your all set.