MD's File and Folder rules an alternative to sandboxie?

Discussion in 'other anti-malware software' started by arran, May 21, 2009.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    arran is correct in all he discovered within Malware Defender under the hood :thumb: I also played with MD and came to the conclusion that it does the same or similar to Sandboxie, plus more ;) I have MD with DW, and with these 2 together malware is almost dead :D
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    A positive emotional response, but simply not true. Yes, MD can block malware from getting to the hard drive, just as Sandboxie ultimately does.

    But I have a situation, where I am forced to examine email attachments, so just blocking them from the hard drive isn't practical. I have to let them run and see what they are. If good fine, but if bad Sandboxie protects the system, and then removes them. MD can't do that, nor was it designed to do so.

    Pete
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Note that doing this is a terrible way to try and test Prevx or any other security application for that matter o_O Blocking its access to the system prevents it from using any of the added scanning functionality (and explains why you received the FP you did on Sandboxie).

    Trying to run a security program without giving it access to the disk is not going to actually demo it :doubt:

    Also note that Prevx creates a whole ~30 registry entries and completely removes them on uninstallation.

    Some programs may work well when sandboxed, but you could also be blocking fundamental functionality unless you know exactly what it is trying to do.
     
    Last edited: May 25, 2009
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've just now tried it myself - the fact that we do appear to at least mostly function properly is a huge testament to Sandboxie :thumb:

    Although we clearly can't have ALL of our functionality working properly when sandboxed (as we can't start the services/drivers required to provide protection, rootkit scanning, etc.), I'll see what we can do to make the experience more friendly to prevent the FPs from happening if they're blocking us out from the disk :)
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    After reading and watching the you tube vid from this thread
    https://www.wilderssecurity.com/showthread.php?p=1473886#post1473886
    I decided to take my MD File Rules for a quick spin thru some of those malware links on youtube.

    Some of the malware on the links even bypass NO script so it just goes to show
    as yet another Reminder that no script doesn't block all.
     

    Attached Files: z1.JPG (51.9 KB), z2.JPG (53.8 KB), z3.JPG (50.4 KB)
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I'd like to follow up on that. Although not sure it's totally an alternative, I am really grateful to Arran for an excellent demonstration of what can be achieved with Malware Defender, by truly thinking outside the box.

    A hearty well done.

    Pete
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pete,

    MD does not apply rule inheritance. So in order to protect against direct disk writes you have to select this in the general application rules.

    Also MD has a strong option, not known to everyone, to just enter * as a rule for file protection. It also intercepts named pipes etc. when using * instead of C:\*.*

    Because in MD the rules are not inherited (a spawned process will get the general * application rules), containing internet-facing software should always be combined with at least the following general application rules enabled:
    a) direct memory access
    b) direct disk access
    c) direct registry access
    d) direct keyboard access

    Also a second life line is needed, by using a deny SRP on the user space.

    I agree with you that using SBIE or DW is a far easier approach to obtain this containment.

    It needs quite a lot of tinkering before you can cash in on the performance benefits without losing security.
     
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Yea that's the way I do it now.

    Here's a tip for everyone. Just enter * at the top for file and registry rules on each program, set that rule to "ASK", put MD in learning mode and MD will automatically create the needed permit file and registry rules under your * rule at the top.

    It is also possible to have some programs in learning mode and at the same time lock down other programs while MD is still in learning mode. How you do this is go to Options, select Protection and tick the box where it says "In learning mode, if explicit "deny" rule is found, do not create permit rule and do not permit the action", and then change the rule from ASK to DENY in the programs that you want to lock down, which would be mainly internet-facing apps. So while your internet-facing apps are locked down, along with any other programs that you think have had enough time in training mode, all the other programs on your PC are still training.
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    OK I've just run the latest Koobface variant and I need to harvest the droppers which is so easy and secure with Sandboxie.

    How can I do that with MD rules?

    SB.JPG
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I would not do that, if I were you; too many risks, as MD tries to intercept the attack vectors, while Sandboxie protects the attacked surface. Miss an attack vector and you are gone.

    When you look at Arran's sig, you will notice he uses MD and DW. I am using Power User + SRP and MD to tighten up applications related to their risk profile. So MD is a nice HIPS where you can set some basic protection (kernel objects, shutdown, elevation, direct access to memory, disk, keyboard and registry) which will cause very few pop-ups (or denying does not disturb the function) and a simple firewall, and add selective restrictions. This is to have a low-noise/pop-up contingency-based security, given the fact you use an additional layer of policy management (like DW, or a simpler version with SRP, f.i. with deny execute on user space when you build your own, or buy this cheaply out of the box with the coming AppGuard release).

    Pete has made a point: Keep it easy keep it sandboxy

    Cheers Kees
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    While that is undoubtedly a secure configuration it is very restrictive. With SandboxIE you have the freedom to play to your heart's content while still remaining safe and sound.
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Exactly ;)
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Can anyone change this thread's title from:
    "MD's File and Folder rules an alternative to sandboxie?"

    To:
    "MD's File and Folder rules is no alternative to sandboxie?"

    Or how about:
    "Sandboxie is the best ever security app so don't even try a comparison with other security apps"
    LOL :D ;)
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That sounds a bit over the top, IMO, but SBIE certainly rates as a good product and your comment does no justice to Arran's out of the box thinking.
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I was having a bit of a dig so put a sock in it Kees. :mad:

    I asked Arran - "Mr out of the box thinker" and ruleset maker extraordinaire.:
    Time to start thinking in the box Arran, sandbox that is.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Using the zusojbktvo link I was able to determine that Firefox does a temporary caching of a download using a random filename. See my explanation here:

    https://www.wilderssecurity.com/showthread.php?p=1474486#post1474486

    Can you run that link (it's still working) and post a screenshot?

    thanks,

    ----
    rich
     
    Last edited: May 26, 2009
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I wish you would stop babbling irrelevant nonsense. Franklin was asking for a "TECHNICAL" run down of how to do it with MD rules, not for your general views about Sandboxie and MD and how much you love Sandboxie.

    There are limitations as to how much fun you can have with Sandboxie, for example you can't test and run programs that need to load drivers, unless you like to do IDIOTIC things just for the sake of doing IDIOTIC things like ssj100 trying to run Prevx inside Sandboxie LOL. The best way to get dirty is to test things on a backed up Windows image.

    If you read back I did say before that I should have instead called the thread
    MD's File and Folder rules an alternative to sandboxie for Browsing? OR
    MD's File and Folder rules an alternative to sandboxie for Browsing for Technical users?

    Sandboxie is by far not the BEST security product; even though Sandboxie prevents permanent writing to the hard disk, it has been proven many times that Sandboxie cannot properly control the behavior of running programs in Sandboxie. Hence the reason why I no longer use Sandboxie.

    EVERYONE READ
    I once got a virus a few years back and what it did was every time I booted up my pc the virus would shut down my pc within a few seconds after boot up. This would go on Endlessly in circles restart, shut down, restart, shut down, rendering your pc unusable. So because Sandboxie allows running programs to communicate with programs outside of the sandbox. Sandboxie would not have been able to protect me from this type of virus.

    So basically you want me to create a set of rules so you can run your droppers without causing permanent damage? Not sure if it is possible.
    But my question is why would you allow the creation of unknown executable files?

    That said If I was to run your malware I would first create rules for them and limit their powers before I let them run.

    Using the file and registry rules I would block them from writing to the harddisk Just like Sandboxie Does block things from writing to the harddisk.

    I would also block them from Loading Drivers Just like Sandboxie does.

    I would also block them from other certain activities,

    But to be safer I would do it on a backed up image. I back up images using Macrium Reflect btw.

    That link is no longer working for me; it diverts to another link which is dead.

    It's a pain how all the links went dead so fast.

    Also Rmus do you happen to have any other malware links that you can pm me to try with my Block File rules?
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I just tried it and it is working. It's the first link on the list.

    I don't keep direct download links, only remote code execution links. The only ones that would work in FireFox are PDF exploits, but none that I have are active.

    Check the malware domains for PDF - that's where I've found some in the past. I haven't looked in some time because the PDF exploit has become boring, since keeping Javascript disabled prevents the exploit from starting.

    The other remote code execution links serve up IE exploits, so won't work in FF or Opera.

    There are no reported remote code execution exploits in the wild that work using Opera or Firefox.

    ----
    rich
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    What a load of utter nonsense as is the norm. :thumbd:

    You couldn't even get the thread title right.

    So it's not possible to create rulesets to harvest any droppers eh?

    And why would I allow the Creation of unknown executable files?
    Mainly because I want to and also to test the latest beta of Sandboxie and help make the best ever security app even better. :cool:
     
  20. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Wasn't Sandboxie bypassed by a bunch of POCs?

    One other way is, a malware from within a sandbox leaking out information to a remote host.
     
    Last edited: May 26, 2009
  21. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    By bypass, I meant bypass regardless of the configuration.
     
  22. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Some of the add-ons that attempt to auto-attach themselves to the web browser don't require installation. So, enforcing execution restrictions would be of no use in such cases.

    For the POCs to bypass Sandboxie, you'll have to let them run. If you don't allow them to run, then it means that you are not letting the malware attempt the bypass. Which basically defeats the purpose of the test.

    Blocking an executable from running, every anti-executable application can do it. But, Sandboxie isn't an anti-executable, is it?
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If you test the poc against a full blown hips are you supposed to allow or block the action in order to test?

    Or is it the old argument that you must block the action when using a hips but you aren't allowed to configure Sandboxie to block the action.

    You could also use the same argument to test the poc against Sandboxie's start/run access settings which the pocs had no chance against.

    No, Sandboxie isn't a HIPS, but it can be configured to emulate one through its start/run access settings.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Please explain what you mean by this.

    thanks,

    EDIT: answered by PM.

    rich
     
    Last edited: May 27, 2009
  25. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Please share any links to a POC that bypasses Sandboxie's virtualization regardless of configuration.
     