Wilders Security Forums  

  #26  
April 24th, 2007, 09:39 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Peter2150
What I really like is no complicated worries about where I save files I download, and no reboots to clean up. If I was using a frozen snapshot for just surfing, I think it would be bye bye frozen snapshot.

I'm not going to ditch my frozen snapshot. I don't trust any of my security applications, not even Sandboxie, and I still have other weapons if my frozen snapshot ever fails, which has to be proven first.
My whole security is partially based on restoration, the ultimate weapon against any infection. I only need more time to polish it.

An extreme test for FDISR would be a honeypot, and then try to clean that honeypot with a clean snapshot.
Unfortunately, none of the security people are interested in doing such a test; they prefer to test scanners to prove how many infections they MISSED and how many false positives they reported. That doesn't interest me, because I know this already.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.

Last edited by ErikAlbert : April 24th, 2007 at 10:04 AM.
  #27  
April 24th, 2007, 10:21 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,846
Re: Sandboxie v2.86

Quote:
Originally Posted by ErikAlbert

An extreme test for FDISR would be a honeypot, and then try to clean that honeypot with a clean snapshot.
Unfortunately, none of the security people are interested in doing such a test; they prefer to test scanners to prove how many infections they MISSED and how many false positives they reported. That doesn't interest me, because I know this already.

Isn't converting a Vista snapshot into an XP snapshot using an FDISR archive enough of a test for you?
  #28  
April 24th, 2007, 10:25 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Peter2150
Isn't converting a Vista snapshot into an XP snapshot using an FDISR archive enough of a test for you?

That test was also extreme and successful, but that's not the same as removing any kind of infection, from simple infections to the most sophisticated hidden infections.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #29  
April 24th, 2007, 11:11 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,846
Re: Sandboxie v2.86

Quote:
Originally Posted by ErikAlbert
That test was also extreme and successful, but that's not the same as removing any kind of infection, from simple infections to the most sophisticated hidden infections.

Same principle. Okay I will screw up my system with DFK Threat Simulator, a bit later.
  #30  
April 24th, 2007, 11:23 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Peter2150
Same principle. Okay I will screw up my system with DFK Threat Simulator, a bit later.

Is DFK Threat Simulator such a good collection of infections that EACH TYPE of infection is included?
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #31  
April 24th, 2007, 11:35 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,846
Re: Sandboxie v2.86

Quote:
Originally Posted by ErikAlbert
Is DFK Threat Simulator such a good collection of infections that EACH TYPE of infection is included?

Google it, and read the description. Sure makes a mess of the system, albeit with defanged stuff. Also comes with an uninstaller which I didn't bother with using.
  #32  
April 24th, 2007, 12:18 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Peter2150
Google it, and read the description. Sure makes a mess of the system, albeit with defanged stuff. Also comes with an uninstaller which I didn't bother with using.

I'm sure it will make a mess of your system, but this is nothing but a "good" theoretical test.
Nevertheless, I will try it myself one day, when I'm ready.

I remember the BBC Honeypot, and they admitted that this honeypot couldn't be cleaned with the classical security software. The honeypot had to be re-installed from scratch to clean it completely.
If FDISR is able to clean such a honeypot, I would feel more comfortable.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #33  
April 24th, 2007, 12:42 PM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,846
Re: Sandboxie v2.86

Quote:
Originally Posted by ErikAlbert
I'm sure it will make a mess of your system, but this is nothing but a "good" theoretical test.
Nevertheless, I will try it myself one day, when I'm ready.

I remember the BBC Honeypot, and they admitted that this honeypot couldn't be cleaned with the classical security software. The honeypot had to be re-installed from scratch to clean it completely.
If FDISR is able to clean such a honeypot, I would feel more comfortable.

No matter how bad it is, it is still just files. Do you have a link to the BBC Honeypot?

Pete
  #34  
April 24th, 2007, 12:49 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Peter2150
No matter how bad it is, it is still just files. Do you have a link to the BBC Honeypot?

I was too lazy to look it up, but here it is:
http://news.bbc.co.uk/2/hi/technology/5414502.stm
http://news.bbc.co.uk/1/hi/technology/6035455.stm
These are the threads at Wilders about the BBC Honeypot:
http://www.wilderssecurity.com/showt...light=Honeypot
http://www.wilderssecurity.com/showt...479#post854479
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.

Last edited by ErikAlbert : April 24th, 2007 at 01:06 PM.
  #35  
April 24th, 2007, 02:33 PM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,846
Re: Sandboxie v2.86

Quote:
Originally Posted by ErikAlbert

I found them, but since I sit behind a router, I can't really do a honeypot test. Too much of a physical cabling mess to get around it. But I may play with some live malware in my VM machine.
  #36  
April 24th, 2007, 02:43 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Peter2150
I found them, but since I sit behind a router, I can't really do a honeypot test. Too much of a physical cabling mess to get around it. But I may play with some live malware in my VM machine.

OK, Peter, it doesn't really matter; I was only trying to tell you that such a honeypot would be a very extreme test too.
Your VISTA--->XP test was also very extreme, that's why I believe it will remove any infection as well, BUT I would feel more comfortable if it also cleaned a HEAVILY INFECTED honeypot without any failure.

IBK (av-comparatives) also has an enormous test bed to test all these Anti-Virus software, so his test bed is also a very extreme test for FDISR. (hint)
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.

Last edited by ErikAlbert : April 24th, 2007 at 03:00 PM.
  #37  
April 24th, 2007, 03:32 PM
AJohn
Frequent Poster
Join Date: Sep 2004
Posts: 935
Re: Sandboxie v2.86

A while ago I was listening to a 'Security Now!' episode about sandboxing applications over at GRC.com and I remember Steve Gibson comparing different sandboxing applications and coming to the conclusion that SandboxIE was one of his favorites in the way in which the programs were designed.

Some may find this episode interesting:

http://www.grc.com/SecurityNow.htm#55
__________________
·¤"Mash For Our Dreams"¤·
  #38  
April 24th, 2007, 04:00 PM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,431
Re: Sandboxie v2.86

Is he using FDISR or you want him to push this way?
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #39  
April 24th, 2007, 04:07 PM
AJohn
Frequent Poster
Join Date: Sep 2004
Posts: 935
Re: Sandboxie v2.86

I think he was hinting that FDISR has yet to let down av-comparatives
__________________
·¤"Mash For Our Dreams"¤·
  #40  
April 24th, 2007, 04:10 PM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,431
Re: Sandboxie v2.86

lol...
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #41  
April 24th, 2007, 04:52 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by aigle
Is he using FDISR or you want him to push this way?

No, why would I do that? He only has to test FDISR, not keep it.
Maybe he will enjoy it, doing something else for a change.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #42  
April 24th, 2007, 06:14 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Well, Sandboxie causes the first error on my computer, never had that before.
Suddenly a popup window appears on my desktop when I want to open Firefox:

Direct OCR Error (= Popup Window Title)

An error with Direct OCR caused a memory conflict in your open applications. Please restart Windows.


It happened several times today.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #43  
April 24th, 2007, 07:37 PM
Franklin
Very Frequent Poster
Join Date: May 2005
Location: West Aussie
Posts: 2,517
Re: Sandboxie v2.86

OCR, is that Optical Character Recognition and relating to a document scanner software?

Had a look around SB's forum and couldn't find anything related.
  #44  
April 24th, 2007, 07:49 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Franklin
OCR, is that Optical Character Recognition and relating to a document scanner software?

Had a look around SB's forum and couldn't find anything related.

I posted the problem at SB's forum. I wait for an answer, if I ever get one.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #45  
April 24th, 2007, 08:54 PM
Meriadoc
Very Frequent Poster
Join Date: Mar 2006
Location: Cymru
Posts: 2,642
Re: Sandboxie v2.86

Quote:
...Security Now!' episode about sandboxing applications over at GRC.com...

I think, if I remember, he said you cannot trust Sandboxie for security, only privacy, and that you could leave no trace behind on a machine when using it.
True, for one Sandboxie can hold browser related, cache etc, so when you delete the sandbox the byproducts such as history disappear, but Sandboxie is more than that - and files can be undeleted.
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
  #46  
April 25th, 2007, 09:19 AM
Bob D
Frequent Poster
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Re: Sandboxie v2.86

Quote:
Originally Posted by ErikAlbert
....Direct OCR Error
An error with Direct OCR caused a memory conflict in your open applications....

Are you running Omnipage?

Quote:
I posted the problem at SB's forum. I wait for an answer, if I ever get one.

I don't think you'll have to wait long. Developer Tzuk is very active there.
  #47  
April 25th, 2007, 02:37 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Franklin and BobD,
Thanks for the info you gave me, because it did ring a bell.
I posted this problem at SB-forum in my post "Direct OCR Error" and gave them more info concerning my all-in-one printer. The software of this printer installed a bar called "Canon Easy-WebPrint", and this bar could be the problem.
Firefox doesn't have this bar, but I switched often between Firefox and MSIE, while I was running Sandboxie.
I'm waiting for a reply from Tzuk and if necessary, I'm going to uninstall this bar and see if there is an improvement. I'm almost 100% sure that this bar IS the problem.
Sandboxie is a lot more important to me than this bar, which I don't use in practice.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #48  
April 26th, 2007, 10:32 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,846
Re: Sandboxie v2.86

I've started testing some real malware to see how well I am protected both against the malware and myself. Programs I commonly run are SSM, OA, KAV and Sandboxie. Then also, as Erik challenged, recovery.

I started with Killdisk, and this thing is about as nasty as it gets.

Both OA and SSM block it, providing I am smart enough to not let it run. KAV, even without PDM, flat wouldn't let it run. Even when I said skip to its alert of a virus, it wouldn't let it run. I finally had to disable it.

When I ran Killdisk inside the sandbox, it failed. Sandboxie effectively protected me against it. Excellent.

Then I ran it and let it do its evil deed to check on recovery. On reboot all I got was a fatal partition error. FDISR is out of the picture. Then I tried a simple restore with Shadow Protect and it also failed. I had to run DiskPart to delete the messed up partition that Killdisk left behind. Then I was able to restore the Shadow Protect image.

This test also showed just how effective VMware machines are. I took a VM snapshot before the test, and while in the damaged state of the disk, reverted to the snapshot. Everything was perfect.

Pete
  #49  
April 26th, 2007, 10:47 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Sandboxie v2.86

Quote:
Originally Posted by Peter2150
Then I ran it and let it do its evil deed to check on recovery. On reboot all I got was a fatal partition error. FDISR is out of the picture. Then I tried a simple restore with Shadow Protect and it also failed. I had to run DiskPart to delete the messed up partition that Killdisk left behind. Then I was able to restore the Shadow Protect image.

If I zero my harddisk instead of using DiskPart, will ShadowProtect recover my harddisk?
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
  #50  
April 26th, 2007, 01:58 PM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,846
Re: Sandboxie v2.86

Quote:
Originally Posted by ErikAlbert
If I zero my harddisk instead of using DiskPart, will ShadowProtect recover my harddisk?

If by zero it you mean format it, no. I tried that first. I had to go in and use DiskPart to delete the partition.

BTW, neither Acronis True Image nor Disk Director could do anything with it until DiskPart was run. This is indeed one nasty dude.

But on the bright side, Sandboxie stopped it cold.
 


All times are GMT -4. The time now is 05:51 AM.


Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums