Sandboxie, Malware...overall question

I've been a S/B user ever since I first heard a podcast with Tzur. I RELY on it, and I have YET to have anything sneak into my gear. I admit I don't [except to test] go to The Dark Side of the Internet. As I wander through the postings here and other security oriented sites, I remain puzzled by Users that run S/B [or some other VM software] and ALSO run the flavor of the month Reactive Anti-Malware application. Is this a case of 'belt and suspenders' safety? I wouldn't fault somebody who chooses to run EVERYTHING available... if that allows him/her to sleep better... but really... WHY, otherwise.

Sort of a 'philosophical' question, I suppose. I *do* note that some downloaded files on my VISTA computers will often not 'run sandboxed', and [I guess] should be A/V scanned first, but here on my WIN7 computer I have not found one file that wont run sandboxed.

I'm very interested in the views of Youse Guys with more security 'moxie' than I have....

Bill

 

Sandboxie is great, and I love it... but lets be perfectly clear here. It has a limited scope of protection. For one, it does nothing for files and software run outside of the sandbox (obviously). You can sandbox your web browser, but if you don't sandbox something like Word, and run a word document saved in my documents, you could get infected.

Now you might argue that you could just sandbox word.... well, I've done this, and a lot of other programs.. but most people have *something* not sandboxed, for whatever reason, and this could be a simple threat.. Hell, maybe someone finds out a way to exploit picture viewer, photoshop, autocad, or some other program like this.

Secondly, don't forget about network threats. Most firewalls do have ports open (i.e. file sharing and others). Lets not forget that worms are not entirely a thing of the past. Conficker spread pretty far a few years back.

Finally, everyone runs something outside of the sandbox at some point. Want to install something? Got to run it outside the sandbox. Lets be honest, no one compares the md5 checksum of all those files they download, and its not even available in some cases. You very well could've been DNS spoofed, cache poisoned, or something along those lines.

All of these things call for an A/V. Mostly, its as a backup. You hope to never need it. Security, IMO, is best served in layers. Relying on one thing to protect you is going to be a recipe for failure...

 

Hi Bill

As you've stated, one could generalize and call it a case of "belt and suspenders" safety, though in some instances it might be more aptly deemed "belt OR suspenders" safety, for those times when I am running something unsandboxed.

Another point I'd like to make pertains to your description of users who run Sandboxie and, "ALSO run the flavor of the month Reactive Anti-Malware application". The app may not necesarily be the flavor of the month (some of us stick with the same security programs for a long time), and the apps are often real-time, proactive ones that prevent malware from getting onto the system, either by IP blocking or web filtering or HIPS warnings. At least that is how I view my approach.

 

There many other vectors for infection. USB, installations, LAN, even some hardware can all be used to spread an infection. It may seem a little paranoid to some to use security software in addition to SandboxIE but I think it's a good idea to try to cover all the bases and not just HTTP or run in sandbox.

Sour Milk out

 

Umm.. Good. Thank you both.

hpmnick: Yes, I do force Outlook and Word, as well as my browser, but, yes, there are times when 'right click, run sandboxed' on a file is forgotten. Here's Hoping uSoft SSS run occasionally cures any regrets!

page42: 'flavor of the month' may have been... well you know. I run Avast on 'her' computer as she is terrible at even trying to remember to RunSandboxed. But doesn't A/V remain RE-active? Responding after somebody reports and the definition was figured out...as opposed to PRO-active? Maybe I'm too exacting; but I think the A/Vs are always behind, right?

The uSoft SSS seems on the mark since you boot from it... allowing examination OF the O.S., etc... not from WITHIN the O.S.

 

Even if you force a specific folder to run inside Sandboxie, there may be times when such files (inside the folder) will not open sandbox. Even if you open a file in a sandbox folder (C:\Sandbox), it may not open inside its respective sandbox.

Take a look here http://www.sandboxie.com/phpbb/viewtopic.php?t=6672

The best pratice is to have a sandboxed Explorer and open the files from there. But, let's be honest... would we always remember this? Hell, I don't.

Heck, even with a shortcut, I still don't remember.

 

'The best computer security is to use the one at the library'...hilarious! Thanks!

Perhaps I could have been a little more exacting about our usage, as well. We are...'more mature', have only two computers on THIS network, no disks or thumbdrives brought in, no other outside avenues for infection. I do run a second router to put my Kids and any other visitors on their own net', keeping US in a sterile environment. Maybe all that makes us a lot safer in the first place. MY real source of worry is from the large amount of E-Mail 'pass-along' traffic my Better Half constantly gets from her pals. Thank goodness for S/B in that computer, for sure!!!

Well, I've been glad for your comments. I'll read all that come, maybe learn some more.

B

 

My computer that I use at home is win7 ultimate x86. I use admin, with no UAC. For a time now I have relied only on SBIE and OS features such as Integrity Levels. I have had no issues. I configure SBIE very specifically for my machine and how I do things. I have developed a set of parameters that I stick to.

I choose to focus on those things such as browsers and media players and downloads, that I know have a higher chance of exploitation than I do a word processor. I do not want to be that concerned any more. However, I do a lot of imaging, and in fact my whole computer experience revolves around how I can easily put an image back on with minimal interruption. It is perhaps the reason why I don't care to use an AV or other such tool, because I can re-image every day and it only takes minutes to get back where I need to be.

My wifes computer runs my old vista ultimate x86. She uses UAC and Sandboxie. She struggles to understand (or doesn't want to understand) the way that SBIE works. I decided to skip AV with her computer as well. The situation probably calls for an AV, but because everything she downloads is forced into a sandbox, it has not yet been required. I have images for her of course, but she would not like it much if I put it back on. She has little interest in spending time configuring things a 2nd or 3rd time.

Thus far, because of what both her and I do (although we do different things) Sandboxie is able to contain all threats. She never executes a download outside of the sandbox, while I do but am able to do so with different tools/knowledge at my disposal.

If I were not there, I would install an AV and MBAM. On my own machine, if I were not comfortable with the technical aspects, I would install an AV. I would consider SBIE the belt, and AV the suspenders. The belt does most of the work, and the suspenders are there for extra measure.

Sul.

 

Sandboxing is a preventative measure and it sandboxes everything. There's no verification as to whether a file is actually malicious. Keeping a reactive antivirus could be used to

a) Catch things that break out of the sandbox
b) Verify that a file is malicious
c) Remove said malicious file, in case it is able to execute in the sandbox


I personally use sandboxing (not sandboxie) and no antivirus, why bother?

 

FWIW, I've yet to actually have to use the A/V on my machine...

However, my brother in law managed to infect himself using a crack he ran outside of the Sandbox... Sadly enough, he had A/V too... it just didn't catch it.

While this doesn't exactly prove my point, its just an explanation of how someone might manage to infect themselves with Sandboxie on their system... and how the A/V might handle itself as a viable backup...

Of course, a lot of people are never going to do something like my brother in law, so the risk will be minimal without an A/V. Habits will make the difference..

 

Great, All....

There's no doubt, S/B makes running the machine a little more complex. *I* reduced that on our's by only downloading to the Desk-Top... for Quick Recovery. The Queen can follow that fine.

It was interesting that Tzur included his version of Drop Rights; that makes the 'Box pretty safe, I think. And 'delete' after use.

I haven't heard anyone comment on the use of uSoft SSS as an occasional 'auto-claving'... when running only S/B. I only recently found out about it, myself.

Good Stuff... great to exchange views. Thanks

B

 

Sandboxie by itself is good enough if your upload downloaded files to VirusTotal and the like. There are size limits though.

Never forget a firewall or disk imaging.

 

When I use to run a real time antivirus, I always got infected, once every
six months. Now, only using SBIE, I don't get infected anymore.

Bo

 

+1 on this

The only use for my av/am is to scan files before introduced to the real system. So av/am only plays a small part yet crucial for my need

 

I feel a lot of people don't fully grasp the DropRights feature of SBIE, nor do they grasp fully what an AV really means to SBIE.

DropRights is meant to keep the INSIDE of the sandbox clean by treating NOTHING as an admin. It is meant for a generic sandbox OR for a sandbox that never gets its contents deleted. This is a LONG TERM environment, and you want to use DropRights to keep it clean.

If you apply restrictions to the sandbox, such as allowing only certain programs to run or have network access, or deny rights to key locations, you may well have achieved as much as DropRights did. As well, if you delete the contents of the sandbox often, especially every time it is used, DropRights isn't doing much. Put restrictions and deletion together on the same box, and you have tighter control than DropRights gives you.

It really depends on how you configure your sandbox. I am not saying DropRights is dumb, I am just saying I see a lot of comments that one should use it, but many times advice to add restrictions to the sandbox is given that actually restricts much more than DropRights does.

As for an AntiVirus, it is much the same story. Why would you need an AV if you restrict your sandbox AND delete it often? It isn't much use within the sandbox environment unless you use a long term sandbox.

An AV is useful in the real OS, at least one likes to think it would be. Again, I am not saying don't use an AV or anything, I am simply saying SBIE can be configured quite easily to not need an AV if you only care about it for use with SBIE.

Sul.

 

Interesting...

 

I do not agree.

I mean, I agree that it's meant to make impossible for apps to elevate rights, but I do not agree that's meant only to be used in the scenario you talk about.

Even if I only temporary run something inside a sandbox (that is, a sandbox that gets cleaned after using it), why would I want to give anything a chance to elevate?

 

Why could you care if you were going to delete it afterwards? We must apply some common sense here. If you are going to bank in that sandbox, perhaps it is wise to use DR. If you are going to check your email, perhaps it is wise to use DR. If you are going to check this forum, why do you need it? If the sandbox is for media player and you are going to listen to an mp3 you just downloaded, why would you need it?

The beauty of SBIE is that one box might not need it, one might, it all depends on the use.

Further, what is DR doing if you have restricted what may run in the sandbox, and what areas are off limits to the sandbox? If only IE can run in the sandbox, then DR becomes a secondary mechanism, since only IE may execute anyway.

m00nbl00d knows me well enough to know, but others might not -- this is just my viewpoint, and it is subject to change with new infos. Don't be afraid to question it, that is how we all gain better understanding.

Sul.

 

I don't run my browser inside Sandboxie, except for convenience*, when I need to download something.

* Yes, convenience, and not security.

But, I follow the same principle I have in the real system. If something doesn't require admin rights, why even letting it try to gain them?

It's a fair way of looking at it. And, one I totally respect... and agree. It just happens that I put into practice what I mentioned above.

This is just a mere example. I don't know if you remember, but not so long ago someone reported a bug in Sandboxie, which would a sandboxed whatever thing to create a user account in the real system.

DropRights would have prevented this. That's just an example. I'm sure that if Sandboxie was widely used, more problems would be found (and fixed).

Anyway, the approach I take is not to let something get more than what it needs to get the job done.

 

I think in a 64-bit system, drop my rights is required to have the same level of protection as the 32-bit versions (aside from the patchguard workaround).

 

No m00nbl00d, that's not interesting, that's the result of what Sandboxie
does for you, if you allow Sandboxie to do it.

Give it a try, sometime, you might like it .

Bo

 

I do have Sandboxie (paid version) But, I don't use it for my web browsing. But, yes I do find it interesting, due to what you said. You had a tradition of being infected every six months. Not now and then, but six in six months.

 

Here's an interesting question... could you configure any major player in the free AV field to scan ONLY when something is entering your real system? I know it wasn't exactly this that was done by Kees for Avast!, but I recall something similar. With that possibility, it is something that I would apply at once.

 

that's what I always wonder...
I need a lot of my files to be saved on the real system , since I need them for work.
so I've always use av/am/on demand scanner to scan them before introduce it to real system and share them with my colleagues.

how to manage working without av/am or at least on demand scanner?
maybe you guys have a different scenario than me?