SANDBOXIE HIGH TECH PROTECTION

Discussion in 'sandboxing & virtualization' started by EASTER, Feb 9, 2008.

Thread Status:
Not open for further replies.
  1. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  3. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
For those folks nervous about the possibility of malware leaks, Sandboxie also works well in an XP Limited Account.
     
  4. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    A Sandboxie leaktest from zeroday software is on its way... ;)
     
  5. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    exactly what I've been doing for quite some time now... :)
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
By all means bring it on. There's no better way to strengthen such apps than complete and full scrutiny; it serves a very useful purpose for us all, including the developers, so it's welcome indeed.

    Thanks dmenace.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
Well, the question for me is: does virtualization provide more/additional protection or not? Because basically, you can also sandbox certain processes with classical HIPS, that's what I've done; certain tools that are vulnerable to drive-by attacks are stripped of rights by SSM/NG + SRP (DropMyRights), so normally speaking, this measure should give malware a hard time doing any damage. The thing is, what if some attack completely bypasses these measures? I wonder, would virtualization (file/registry redirection) help me?

I would really like to test these kinds of scenarios, but it's hard for me to find any exploited sites, and I've got problems with network connections on my VMs, so I can't even test in a safe way. But just a couple of days ago, I finally found an exploited site, and I was so excited that I ran it on my real machine. Yes I know, it's not that smart. But anyway, it supposedly tried to exploit a QuickTime flaw and the plan was to install some rootkit. But I don't think it succeeded, so something (SRP?) must have stopped it; I didn't get any alerts from my HIPS though.
     
    Last edited: Feb 12, 2008
  8. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    I finally installed Sandboxie and sandboxed my Firefox Browser. This is cool. :D
     
  9. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
Agree, even MS will provide some kind of virtu in their upcoming 7. Sandboxing/virtu solutions are the way to go for now and the future.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
The big advantage with Sandboxie is that it not only protects, like running with lower rights, but allows you to completely delete whatever ran.

As far as the registry, Sandboxie copies what it needs from the registry into the sandbox.

    Pete
     
  11. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    I think I read that it is normal for my Browser (Firefox) to load slow when I open it sandboxed the first time, and faster on subsequent load ups after that. It seems that it loads slower than normal every time though which is about 22 seconds, as opposed to 10 seconds on the initial load after boot up not sandboxed. If that's what I should expect I'm not concerned, just wondering.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Peter2150

If SandboxIE auto-drops admin rights (when sandboxed), is there any real advantage, in your opinion, to also running SuRun in combination? Seems to me it would be redundant since SandboxIE already degresses those rights built into the program.

    Easter
     
  13. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
I haven't heard that Sandboxie lowers programs' rights. SuRun gives admin rights when the user is in a LUA; that's a different thing (IMO).
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Good enough then. If that holds true then my running SuRun with this configuration can only further tighten a more solid grip against forced potential interruptions or intrusions, so I'll just keep things as they are for now.
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
Hello Easter, I thought SuRun was only useful in being able to run a program that needs admin privileges when you're running in a LUA.

    FWIW, Process Explorer reports admin privileges when running a program Sandboxed. When I use my custom shortcuts to start Sandboxie/DropMyRights/Firefox, it shows Firefox.exe, SandboxieRpcSs.exe and SandboxieDcomLaunch.exe as 'Deny,Owner' which should be running with limited rights as far as I know. As a side note, when I set Firefox as Run Safer within Online Armor and then run Firefox in Sandboxie, it does not show as 'Deny,Owner' in Process Explorer.

Also, if you look in Sandbox Settings - Resource Access - Low Level Access, you see that Sandboxie limits in these areas. Warning: leave the 3 boxes unchecked unless you know what you're doing.

    For the tests, are you running as an LUA or Admin? Also, what changes to your configuration have you made? Have you thought about testing with a default Sandboxie config and your modified one? I think it would be interesting to see if a default and a modified config ended up with similar results.

    Cheers,
    innerpeace

    Edit: I see MikeNAS posted about SuRun also.
     
    Last edited: Feb 13, 2008
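An added illustration of the check innerpeace describes above (this is not code from any poster, from Sandboxie or from DropMyRights): the 'Deny' flag Process Explorer shows on a group means that group's SID is carried in the process token for deny-only use, which is exactly what a restricted token of the DropMyRights kind does to BUILTIN\Administrators. The same information is printed by `whoami /groups /fo csv` when whoami is started the same way as the program under test. The script below parses that CSV layout and classifies how Administrators appears; the two sample outputs are constructed to match the command's column layout and are not captured from a real sandboxed session.

```python
"""Classify how BUILTIN\\Administrators appears in a process token, read from
`whoami /groups /fo csv`.  Added example for the thread; assumes the whoami
column layout "Group Name","Type","SID","Attributes"."""
import csv
import io
import subprocess
import sys

ADMINISTRATORS_SID = "S-1-5-32-544"     # well-known SID of BUILTIN\Administrators
DENY_ONLY = "Group used for deny only"  # whoami's text for SE_GROUP_USE_FOR_DENY_ONLY
ENABLED = "Enabled group"               # whoami's text for SE_GROUP_ENABLED

# Constructed sample: a restricted token.  Administrators stays in the token,
# but only so that ACL deny entries naming it still apply (Process Explorer: Deny).
SAMPLE_RESTRICTED = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
'''

# Constructed sample: an ordinary administrator token with the group active.
SAMPLE_ADMIN = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
'''


def parse_groups(csv_text):
    """Return a list of (sid, set_of_attribute_strings) from whoami CSV output.
    Attributes are a comma-separated list inside one quoted CSV field."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    groups = []
    for row in reader:
        attrs = {a.strip() for a in row["Attributes"].split(",") if a.strip()}
        groups.append((row["SID"], attrs))
    return groups


def admin_group_state(csv_text):
    """'deny-only': Administrators present only for deny ACEs (restricted token)
    'enabled'  : Administrators active, the process really has admin rights
    'disabled' : present but not enabled (e.g. a filtered token)
    'absent'   : the SID is not in the token at all (plain limited account)"""
    for sid, attrs in parse_groups(csv_text):
        if sid == ADMINISTRATORS_SID:
            if DENY_ONLY in attrs:
                return "deny-only"
            return "enabled" if ENABLED in attrs else "disabled"
    return "absent"


def current_process_state():
    """On Windows, run whoami in this process's own security context;
    on other platforms return None so the samples alone are used."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(["whoami", "/groups", "/fo", "csv"],
                         capture_output=True, text=True, check=True).stdout
    return admin_group_state(out)


if __name__ == "__main__":
    print("restricted sample:", admin_group_state(SAMPLE_RESTRICTED))  # deny-only
    print("admin sample:     ", admin_group_state(SAMPLE_ADMIN))       # enabled
    live = current_process_state()
    if live is not None:
        print("this process:     ", live)
```

Run from a command prompt started through the same launcher as the browser (sandboxed shortcut, DropMyRights shortcut, or plain), the live result shows whether that launch path actually restricted the token, which is the question the thread keeps returning to. `whoami` ships with Windows Vista and later; on XP it came with the Support Tools.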
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, Sandboxie leaktest or Sandbox leak test?

    Thanks
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Neither yet, I'm examining closely which settings would offer the best protections allowable by SandboxIE. This is as exciting for me as HIPS; the protection coverages offered are sure to prove impenetrable, and if I add my DEEP FREEZE all bets are off for malware, they have lost.
     
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks for your reply EASTER. I agree that sandbox programs are exciting technologies and it does feel good to be ahead of the bad guys for a change with running a sandbox, HIPS and Virtualization program :thumb:. I look forward to hearing more about the tests.
     
  19. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
Sandbox leaktest aimed primarily at Sandboxie. (I.e. it may also work with others; not based around specific vulnerabilities.)

Currently not ready for release, still needs more work... Sandboxie is VERY good: kernel hooks blocked, so is SDT restore, etc. Won't go into detail.

But basically what I discovered when creating this test is that even if the sandbox is bypassed, a well-written HIPS and firewall, as part of a multilayered solution, will continue to protect you.
     
  20. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
Installed PD 2008 in SB without a hitch, so proof that all the registry needed and even their proprietary driver and services are sandboxed; this is against some comments that it's not possible.

This was with default configuration, so mostly with closedpath config.
     
  21. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
Returnil and SBIE make for a simple and almost 100% protection [for sure how to configure, still learning] and I feel more confident to ditch all realtime AV.
Benefit: fewer conflicts and everything faster!!
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
That's no surprise. Serious security developers have grown equally notorious against compromise makers and in many ways have trumped them and learned much better how to frustrate their designs.

SandboxIE, as others, is a force to be reckoned with and a most formidable POWER SHIELD, make no bones about it.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sandboxie doesn't drop rights, it strictly runs sandboxed. I do also run my browsers, and email client with lower rights, and to a degree it is redundant. But there are a few things that don't work that well in the sandbox, and the lower rights cover those.

    Pete
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Like what?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
Yes I know, but SBIE won't actually block exploits from running inside the sandbox. So when you run into a site serving malware, a malicious BHO (for example) might be installed. The advantage is that your real system will never get infected. But a HIPS like SSM is actually able to stop the code execution. Of course this might be bypassed by some advanced exploit, but the same goes for file/registry redirection (virtualization), I guess.

What I'm trying to say is that in fact SBIE is not that different from regular HIPS (with sandboxing capabilities), but it offers virtualization as an extra, just like SafeSpace. I suppose that this might have certain advantages when dealing with certain advanced attacks; with that I mean, even if you do get hit, the malware is still contained in the sandbox.
     
    Last edited: Feb 13, 2008