Anti-executable(s) or Sandboxing

"if it can't execute"

How redundant is using any sandbox if i use something like SSM in a clean machine, with "disconnect use interface" enabled (essentially the same as AE, blocking by default any new executables without prompts, and then some).

What could the sandbox provide beyond this?

Or what does the execution interception/ blocking fail to provide? In what scenario (pick any one, but keep it real!)? Any real past examples?

Only if i intentionally execute something will the sandbox provide a more robust defense?
Or objectively the sandbox will do more?

Interesting post, thread

Interesting, but i still need some aditional input. Comparing these two types of programs could give me what i'm looking for.
I'm thinking of disconnecting the Ui, trading SandboxIE with SSM, which aditionally allows me to lock with a password, and let others use the computer at ease. Or simply use Prevx2, that does basically the same, and monitors my computer for malware (shot in foot and so on). But this input i need to form a final opinion.

Forget these names, and focus on the approaches. Maybe provide examples with concrete programs, no problem (DW, GW etc.), as long as this isn't about which is best.

 

Sandboxes offers a controlled execution environment of threat-gate (browsers, mail clients, P2P apps, etc) applications and their objects.
Anti-executables/execution interceptors lock down the entire OS.
IMHO, the protection provided is very similar in both approaches (obviously, anti-exes might offer more coverage, at least theoretical). The difference is in the ease of use.
A simple scenario, Windows Updates through the browser:
- Clean the sandbox and start an unsandboxed browser session. Done.
- Disable the anti-exe, watch new executables created, create rules for them, etc. More cumbersome, IMHO.

In summary: the anti-exes freeze the entire system providing (theoretically) more protection at the cost of ease of use. Sandboxes only freeze the vectors of attacks.

 

Sure, but with SSM i can simply answer prompts, or put it in learning mode and check the new rules/ tune them.

Another way of asking this: will AE block every malware the sandbox does? Or could there be something that doesn't envolve executables, that changes my trusted programs, and not detected? I don't even know if that's possible, but i am asking .

I feel like i'm answering myself, ie, controling executables is enough. Rmus said as much in PM, but i want to hear more arguements.
You seem to think that as well:

Why restrict policies if all i have to do is not accept new executables?? And put a firewall in front?

 

I classify the threats this way:
- In-memory threats (i.e nothing is written to the HDD):

A firewall protects against this trick. But, in the future, more threats of this kind may appear.
- Executables threats (compiled code which creates an object in the HDD):

This is the job of anti-exes, HIPS, sandboxes. Buffer overflows, exploits, social engineering all attempt to download unsolicited executables.
- Scripts/macros threats (text which is interpreted by a script/macro host):
These kind of threats are not common and most of them arrive by email, so safe email (read as text, discard unsolicited mail, etc) will deal with them. Wormguard is the best script interceptor, it can't be fooled by extensions, which is the case with Script Defender/Script Sentry.
GeSWall isolates scripts interpreted by WSH:

- Browser threats (read XSS):
The only solution (without disabling Javascript completely) is NoScript + perhaps Firekeeper.

 

Well, I would like to have both of these techniques in my security setup, but sadly, I´m still not satisfied with none of the sandboxing tools, so at the moment I´m using Sandboxie only as a software virtualization tool, not really as a HIPS.

But overall I would feel quite a bit safer with realtime sandboxing (virtualization and/or policies) because basically it´s running apps in "non-admin on steroids" mode. At the moment I do think that a HIPS like SSM will protect me against most zero day bugs, simply by blocking unallowed executables.

 

1. Preventing the installation of malware is the most important job of security software, because each installed malware creates three other and bigger problems :
2. you have to stop it immediately, otherwise it's too late
3. you have to find it and when you do.
4. you have to remove it completely.

My newbie solution until now is :
1. and 3. and 4. can be solved 99% with restoration, based on whitelists or isolation and a bit common sense.
2. can be solved partially with anti-executables and Beats me.

 

Hi, folks: Eric, your #2 concern is actually taken care of by anti-executalbes in great extent, not just partially. Malwares can sneak thru and install upon your box, but the moment it executes, it will be terminated by your anti-exec. Like one member says: If it can not execute, it will not infect. if you accept this theory, then you have more peace of mind.

 

I'm still worried about "in great extent", which means to me "not all of it".

 

Hi, folks: Eric, you remind of me-the me of 10 years ago. A perfectionist I was. Nice to be one, but not always thou. When I find a perfect solution, you will be the first to know. Have a nice one.

 

LOL. Yes, I'm something like that, but I'm not obstinate. Once I realize that I have to do water in my wine, I accept it. My insecurity due to lack of knowledge of malware makes me act like this. At work I know what I'm talking about, because I know the subject very well. Here at Wilders I'm always full of doubts.

In theory, when my security softwares miss something, my boot-to-restore will undo it as a change. Your DeepFreeze will do the same thing. So it's not really a big problem, because I'm still clean after reboot.

 

Pedro although it is a long post. https://www.wilderssecurity.com/showthread.php?t=174012 NicM shows that SSM and some other AE's fail this test and two policy right sandboxes (GeSWall and DefenseWall) not.

The weak point of an AE is that it has to recognise all variances of executable code (cause of the attack), while a Sandbox weak point is to control all 'sustainable' vulnarable control settings (protect target of attack by limiting rights to certain origins of attack = untrusted threat gates).

Because the concepts have a different approach of trying to achive security, they complement each other well (having diferent weak spots the chance of breaking through is reduced, when one of the two should miss something.

Reg K

 

Certainly, but that's past execution. What do i do online? Open pdf's, doc's, pictures, movies, etc. Besides browsing obviously. If any malware creeps in, the premise "if it can't execute.." says something will pop for execution. At that point, AE or SSM blocking by default will block.
Like drive-by downloads, but i'm englobing in a more global definition: unsolicited actions.

Sure, there could be some reason to run something, but i can't figure out why do i want to execute besides installing, and i end up telling the sandbox to back off. I end up turning brain on, and carefully choosing the software.

Any macros in documents or whatever, if dangerous, will call for an executable to do the really dangerous things no?

(any "disable macros" comment is irrelevant note! i'm trying to generalise a strategy, not discuss if documents are dangerous)

 

This has been the case so far.

Most recently was a spoofed .rtf file with malicious code embedded.

http://isc.sans.org/diary.html?storyid=2853

I was able to set up something similar by embedding a spoofed .rtf file in my PIM.
Clicking on the file revealed the hidden executable, which any program with execution protection
would have snagged:

http://www.urs2.net/rsj/computing/imgs/dataRTF.gif
____________________________________________________________________

The above applies to most MSWord exploits. Note the comment in the sans.org diary:

Not very encouraging, for meanwhile, you are effectively almost crippled if you depend on MSWord for your work, while you wait for a patch.

However, using execution protection at school, our people could go about their business not worrying about it.

Of course, the most effective solution, also in the sans.org diary:

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

I'm much too lazy to bother myself/trust myself to operate SSM or other classical hips like my PG free as strongly as I maybe should. Don't want to get too paranoid either.
Sure you steroids running fellows can make use of them to have your computer safe, hehe.

I just don't know so much and feel sometimes the urge to clean my Sandboxie contents.
Makes me feel safer than running some antispyware real time software which I don't do. Also I have Superantispyware and Ad-aware installed but never scan with them. No need as there is nothing to be found. Has to be cause of my habit of never installing games software, too old for that.

But to header subject, I should say both anti-executables AND Sandboxing (virtualization). Sandboxie after all does not take any CPU cycles and my browsers, im and p2p work just as well and fast withing sandbox than without it, so why not have that added layer of ignorance security protection.

 

I understand that Jarmo, Specially the clearing the sandbox. It's very nice indeed. With eraser associated, it's even nicer.

But i'm trying to figure out if objectively, i need it.

Me too! But i'm using SSM because:
1- password protected; the only executables / programs that run have my express consent. No one using my pc will do anything more.
2- anti-executable; it will alert me, or block by default (alerting me or not), as i prefer to.
3- freeware

All the other things are perks. I can monitor stuff, but i'm pretty ready to say "allow", so i'm not basing my strategy on any of that. Only on AE.
I can block IE, so that no one uses it here
I can forbid a legitimate application from starting with Windows, etc. Nothing extraordinary, beyong AE.

 

Yes Pedro that disconnected user interface of SSM is a nice feature that PG does not have and also the password protection though I did not remember it had that too.
Usefull in a case with a family computer even though other users are only allowed XP limited user accounts.

If you have a disk imaging software and able to trust it, maybe not. Mozilla Firefox, not sure if you use it, has been known to get a corrupted user profile sometimes in my old puter that was unstable cause hardware troubles and to have the old profile back, disk image restore seems a bit too drastic to me.
But when you somehow would feel your system is compromised and maybe wanted to reformat?
With sandboxing you can be more sure that it does not get corrupted than to trust some images that are perhaps also not so clean and virgin anymore.

 

Hello Pedro,

To follow up on your question about "Any macros in documents" - the problem today has gone beyond just macros in documents.

I'm about to update my web article on MSWord Exploits, and here are a few references taken from some of my other posts.

Microsoft Office Security, part one
http://www.securityfocus.com/infocus/1874

This article explains how an executable component is embedded in the MSWord file structure.
This is a summary of how these exploits work:

MessageLabs Intelligence Targeted Attack Report
http://www.messagelabs.com/portal/s...n/news___events/press_releases/DA_193334.html

Alert Raised for MS Word Zero-Day Attack
http://www.eweek.com/article2/0,1895,1965042,00.asp

While many of these exploits are targeted towards businesses, people working in education environments handle dozens of MSWord files weekly.

Regarding your question, "Anti-executable(s) or Sandboxing" -- sometimes solutions to problems don't necessarily involve a security product.

Many faculty I'm acquainted with routinely open MSWord files received from other people, in a text editor, which will not execute code. Some use the free Microsoft WordViewer -- in the days of the proliferation of Macro Virusses, this was a sure protection

Other measures taken include configuring downloads in the Browser, and launching of attachments in the email program, to pass *.doc and *.rtf files to a text editor instead of opening directly in the browser or MSWord. The file also can be saved to disk and then opened in MSWord, if desired.

Many have Execution Prevention programs - - Default-Deny -- on their laptops. This will prevent any of the above exploits from running.

All workstations in computer labs and faculty workrooms have Deep Freeze. While not a Sandbox, it is Reboot-to-Restore.

There are other solutions, of course, and it is the job of the System Administrator in the institutional world, and us as home users, to come up with solutions that are effective in our particular situation.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Start > Settings > Control Panel > Administrative Tools > Local Security Policy > Software Restriction Policy >

Additional Rules > Right-Click > New Path Rule > PATH TO PROGRAM > Security Level = Basic User
​

Tada... to NO write access to %System%

Mike

Fixed typo

 

I remember when SpikeyB first posted about SRP. I had several people in mind who I thought would like this approach. Unfortunately, it requires XP Pro, which many home users don't have.


-rich

 

OH!

So, that is why @Kees1958 made a statement about wishing he would have bought XP Pro!

Is there an alternative for XP Home folks, copy some local/group security policy files from XP Pro?

Geez, that sucks!

Maybe worth the cost to upgrade from XP Home to XP Pro... might eliminate some 3rd party security software (and the annual cost)?

But, for XP Pro users, the LSP on Word/Excel would be helpful... right?

Mike

 

Not that I'm aware of. XP Home does not have the Group Policy Editor (gpedit.msc)

It's curious: I have Win2K which does have it!

For home users, yes. However, in institutional settings, this is problematic. I've spoken about this with one System Admin at a school where I worked, about Software Restriction Policies, and considering the number of workstations, it's a huge task. Also, in the computer labs and classrooms, they need the workstations to run in Aminstrator mode so that students have access to the Registry, can modify system settings in doing classroom demonstrations, etc.

Hence, the value of using Deep Freeze which restores everything to previous good state upon reboot

regards,

-rich.

 

Btw, I was thinking, aren´t sandbox HIPS and "normal" HIPS almost the same thing? Because in fact SSM also strips certain processes from having the right to do certain stuff, the only difference is that you have to make the rules yourself, while for example Sandboxie restricts apps automaticly. So IMO the ideal HIPS would be a combo between the two, and it would be cool if you could execute apps in the sandbox but also still got alerts, so that you know what such an app tries to do.