Sandboxie and Full Virtualisation?

Hi

In terms of security, does a full virtualisation program like VMWare provide better security than an application sandbox like Sandboxie?

Because I just started using Browser Appliance in VMWare and have used Sandboxie for a while.

Thanks

 

In terms of security, it is a definite improvement in terms of security. Light virtualization programs probably wont cover all the bases while full virtualization will (assuming there are no crazy vulnerabilities in the VM software)

 

Hi

Thanks. But how does it provide better security? Won't I achieve the same level if I just do not allow anything onto my real computer?

Thanks

 

When you are using light virtualization, everything is still executing natively on your computer. Sandboxie just intercepts disk and registery access saves it as part of the sandbox. However it is conceivable that here might be something that Sandboxie may allow something it shouldn't have.

With full virutalization, there is a much more robust containment.

Agreed. However were there not a few that did pass through?

 

Hi

So would I gain any additional security if I browse the web (not looking for malware or anything) if I use VMWare instead of Sandboxie?

Thanks

 

If using a virtual machine it's sorta like using Returnil on the real system which can still be infected requiring a reboot to be rid of any infections.

Running your browser through Sandboxie contains any and all browsing data to the sandbox and only requires a deletion of the sandbox contents to be rid of anything.

Some user initiated and obscure methods have bypassed Sandboxie in the past but they are patched asap by Tzuk.

Sandboxie and Returnil combo is my setup on my XP/Vista installs.

Sometimes I do browse using a VM but they have Sandboxie and Returnil installed as well.

 

Yes you do. Think about 'additional security' as percentage of malware that would not have been been stopped by sandboxie but would have been stopped by a VM. This is a very small percentage.

 

I'm not sure how good a comparison a VM and Returnil is.

Depends on how you set the VM. You can configure it to remove all changes after every reboot or you can save the data even after reboots.

Also have a look at https://www.wilderssecurity.com/showthread.php?t=212092
I think that cs.exe would have bypassed RVS2008 when it would not have bypassed a VM.

 

run vmware in a setup with LUA...same with sandboxie..so even in the rarest of cases something does jump out of the box,it still has no access to your system

 

To me it's very simple : Sandboxie is security and full virtualisation is recovery and certainly not security. I never confused security with recovery. I combine both. Don't need VM either, I don't test softwares from an unknown source.

 

Why you always pointing out the differences,to me security is the all inclusive practice of preventing against mishaps from whatever source,so recovery is also included,they're just words needless to make a distinction.

 

Look this is just downright confusing if someone is trying to understand how light and full virtualization is different. OP is obviously in that scenario.

Full virtualization has many applications and 1 of them is security. If you are trying to compare the level of security between full and light virtualization, look at my previous post.

 

If you don't see it that way, that's OK with me, I'm just telling my opinion. I always separate things from one another, if they are not the same. If you consider it as the same, there is no difference and then you can ignore my opinion.
Opinions are like butts, everybody has one.

 

I've used VMWare Server running XP in Linux so I'm not new to this. My thoughts are if you get infected while running in VMWare the infection is still going to be in your virtualized OS once you boot back into it. Sure, your host operating system is clean but the virtualized one isn't. How do you all deal with that? Sandboxie? An antivirus? You go to all that trouble to install a second OS and you still got to deal with an infection. Just curious...

Later....

Yes, you can delete the virtualized OS and problem solved but then you're facing another install. I fail to see the benefit.

 

Hi

OK, I think I get it. So full virtualisation (VMWare, VirtualBox, etc) has better security than light virtualisation (Sandboxie, Returnil, etc).

But in most cases if you're not specifically testing malware light virtualisation is adequate.

Is that right?

Thanks

 

Farmerlee has the approach where he installs the security software inside the VM. If you only use the VM to browse and email, the slowdowns associated with security software are only relevant to the browser and email client and neither of these are intensive applications.

Alternatively, you can install an operationg system like linux that arent targeted by malware writers.

In either case, an infection in a VM is much easier to deal with than one on your actual computer. You can use snapshots to do a restore, you can mount the image to do a flat file scan etc.

Sure you can have an opinion but it isnt relevant in this thread. The comparison by the OP is obviously between light and full virtualization as an extra layer of security to isolate attack vectors like the browser and email client. Let us try to focus on this issue rather than boot to restore.

Yes that is my view. The additional risk minimization from using a VM is quite low. On my computer (low end laptop) the performance trade off is not worth it. If you have a 10k gaming rig, then performance is not an issue and you may well consider using a VM. It depends on your situation.

 

When making virtual machine state changes that I want to keep, I avoid doing anything dangerous. Then I shut down the virtual operating system and take a snapshot. During all other times, when I am done with a session, I revert back to the previous snapshot.

 

Hi

OK. Thanks! My laptop is not that good either so I think I'll just stick with Sandboxie.

 

With MS Virtual PC I do a base install of XP and Vista then copy and paste the VHD's as needed to their own folders and assign a new VM.

Saves a reinstall and you can copy and paste forever.

I even have a VHD/VM that I copied and pasted to a usb stick and it runs fine on any machine that has MS Virtual PC installed.

These VMs are stored on another partition as I prefer C drive as slim as possible.

 

Yes, that's a pretty good combo. Virtualization software is a must these days.

 

This question is specifically constrained to security while browsing the web. In such a scenario, both SBIE and VM can conceivably allow a keylogger to grab and compromise private information.

To me, a keylogger (with ensuing loss of private information) is a VERY nasty sort of threat.

I use SBIE configured such that ONLY Firefox can access the internet. Thus, I feel well protected from keyloggers -- unless something manages to hi-jack Firefox itself.

If and only if a VM is configured to protect against keyloggers, then I agree with those who have said a VM is (at least theoretically) more secure than SBIE. Otherwise, I do not agree.

Yet another *super safe* option would be to run something like Deepfreeze or Shadowuser, and (in that mode) use SBIE to surf the web. I am not yet paranoid to the degree needed for me to do that, but it's something for OP to consider -- wot?

 

Hi

Well I don't think it's really necessary for me to use so many programs to only fractionally increase the security when Sandboxie will suffice in most cases.

Thanks

 

Well, the next best thing is going to be OS virtualization, MS has already launched Hyper V for Win 2008 server, and they might make it compatible with Vista. In theory this would be a killer tool, imagine having, let´s say 10 virtual instances of the Win OS all running at full speed, if you´re not sure about some app or game, or if you fear a drive by attack, just use one of the virtual OSes.

But I´m not really sure what´s possible with such a virtualized partition, I suppose you can still install your security tools on it and I hope there is no need to boot the virtual OS? That would be a serious drawback of course. The Soloris OS is already offering such features btw:

http://www.sun.com/software/solaris/virtualization.jsp