Sandboxie restriction advice

Discussion in 'sandboxing & virtualization' started by Page42, Jan 16, 2011.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Question for anyone who can answer...

    So, if/when I start stripping away the "conventional" real-time security layers, like avast! and MBAM Pro, how will I know if malware is running (or trying to run) in a sandbox?

    Will either SBIE 1307 or SBIE 1308 messages tell me that they denied access to something, and then if I don't recognize it, I begin the determination process of seeing if it is legit or malware?

    Does a user have to view the Sandboxie Control dialog to see what is running sandboxed? Sometimes unwanted programs must show up in there, depending on how a user has configured his or her sandboxes.

    How do the malware testers watch what is going on in Sandboxie?

    :doubt: :eek:
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    The way I see it, Avast and MBAM should be retained at least as on-demand scanners (if you want to keep anything from the Sandbox, it is the only way to check for known malware). Alternatively one could execute whatever is in the Sandbox, and see what changes and prompts might be forthcoming from SB (there could be a problem here if one has SB and "Drop rights", as malware may not run in the sandbox, but could run in the real environment if it is an admin account).

    Personally I prefer the scanner method as it may not give you 100% security, but it is practical and quick.
     
    Last edited: Jan 19, 2011
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Once you have restricted what can run inside your sandbox, if a malicious executable is downloaded it will just sit in there doing nothing. I rarely open SBIE Control to see what's inside; remember, it's gonna go anyway once you delete the contents of the sandbox. What's inside the sandbox does not worry me, I am only concerned about what I recover or install.

    Bo
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is exactly the way I use it too. There is no doubt that if you cannot implicitly trust what you download, you should run it through a diagnostic of some kind, be it AV or AM or whatever. I have virtual machines that are set up with different tools, such as HIPS and firewalls, that I use for diagnostics if I really wonder what a certain file/program is doing. I use Sandboxie as a quick test for trusted sources, to see if a new tool/program is what I want. If it is not, then I delete the sandbox; if it is, then I might introduce it into the real system.

    Testing new things in the sandbox is one thing I love about it, because by examining (file exploring) the contents of the sandbox, I can see any/all files it "would" have created/modified on the real system.

    If what I am testing is more heavy-duty, like a firewall, then I test it in a virtual machine before introducing to the real system.

    We often forget to take a grain of salt with the ideas we read about. It is no secret that an AV is always going to be an hour/day/week behind the current threats; it is no secret that many security tools require a lot of configuration, and sometimes wrongly configured are not worth much. It is no secret that many programs, like firewalls, will require you to revisit your configurations whenever something new is added, or a HIPS will throw up many prompts. It is also no secret that many security tools bog systems down with all of their "protections".

    I like the way sandboxie only allows what I say when my browser is running. Nothing else can execute, nothing else can have network comms. It does not make everything foolproof, but if you build your security scheme around what sandboxie can do for you, it can positively reduce the number of other programs you rely on, if you are willing to stick to your scheme.

    The security blanket that a HIPS/firewall/AV gives, is it false? When using these tools, you are used to downloading or executing, and unless you get a prompt, you might feel everything is "OK". But is it OK? Who can say. I prefer to know that my browser (or whatever program using sandboxie) cannot do just whatever it wants. Until sandboxie becomes compromised, I will trust that it is doing exactly what it is supposed to do.

    Besides, what is the difference in the end if sandboxie fails and lets something bad out, or if my AV/HIPS fails some new threat and lets it out. You have to trust something, sometime. I have other means in place to restrict what is happening personally, but you get the idea.

    These days I am tired of all the security tools. Tired of having to scan this or scan that, answer this or answer that. I have had enough of that. So, while it might fly in the face of all the security gurus and vendors in the world who want me to buy their product to remain safe, I have chosen the philosophy that if I understand where my threats come from, and I can create a scheme that neutralizes those threats as long as I stick to my protocol, then I will do just that.

    Goodbye resource intensive tools, hello strict regimen of doing things a very specific way. I find that after roughly 2 years of this, I still have no virii/malware issues, and while I am not free to download/save files to where I might wish to archive them at first, I like having the rules in place I have created. It does cause more work to move/archive them later, but I also find I don't lose as many files because I downloaded them to a directory that seemed logical at the time, but later when I look for it, I don't find it because I downloaded it weeks or months ago and cannot remember where I put it. This way forces me to download everything to one place, then (if needed) test the download, then decide where to archive it if I am keeping it. It slows me down enough that things seem to go better. But, that's just me ;)

    Sul.
     
  5. Athletic

    Athletic Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    93
    I only use 1 sandbox for all. The only problem can be when I run movies, PDFs, pictures, .doc out of the sandbox, because I have set only browsers to run forced.
    But I think even if, for example, my media player is forced to run sandboxed and I run some .avi (movie) executable file from my desktop, my PC can get a virus because that executable not only activates the player but a lot of other stuff.... ?
    btw. I save .pdf, not open them online via browser, so I don't need to allow access to Foxit Reader.

    My Sandboxie setup :

    Restrictions - Internet Access: Internet Explorer, Firefox (disabled container), Opera, Sopcast, Java, uTorrent, Babaschess, Timeseal (for babaschess - component), WMP.

    Restrictions - Start/Run Access : IE, Firefox (disabled container), Opera, Java, Sopcast, KMPlayer, Power Archiver, uTorrent, Babaschess, Timeseal, WMP.

    Automatically delete content of sandbox when last sandboxed program ends.
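    The restrictions listed above, written out as a Sandboxie.ini fragment. This is an added example and not Athletic's actual configuration file: the process group names follow the convention Sandboxie Control used when writing these settings, the executable names (opera.exe, sopcast.exe, kmplayer.exe, powerarc.exe, babaschess.exe, timeseal.exe, wmplayer.exe) are assumptions that must be checked against the real file names on the machine, and the box name DefaultBox is assumed. Compare the result against the [BoxName] section Sandboxie Control generates on your own system before relying on it.

```ini
; Added example of Sandboxie.ini syntax for the restrictions described in
; the post above. Not the poster's real file; names marked below are assumed.

[DefaultBox]
Enabled=y

; Restrictions > Internet Access.
; Only members of the <InternetAccess_DefaultBox> group (assumed group name)
; may open the network devices; every other sandboxed process is blocked
; and Sandboxie reports SBIE1307 for it.
ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe,firefox.exe,opera.exe,sopcast.exe,java.exe,javaw.exe,utorrent.exe,babaschess.exe,timeseal.exe,wmplayer.exe
ClosedFilePath=!<InternetAccess_DefaultBox>,InternetAccessDevices

; Restrictions > Start/Run Access.
; Only members of the <StartRunAccess_DefaultBox> group (assumed group name)
; may run in this box; any other program started inside it, including a
; freshly downloaded executable, is refused and Sandboxie reports SBIE1308.
; Note that helpers the allowed programs spawn (the post later in this
; thread about verclsid.exe is one case) are refused too unless listed.
ProcessGroup=<StartRunAccess_DefaultBox>,iexplore.exe,firefox.exe,opera.exe,java.exe,javaw.exe,sopcast.exe,kmplayer.exe,powerarc.exe,utorrent.exe,babaschess.exe,timeseal.exe,wmplayer.exe
ClosedIpcPath=!<StartRunAccess_DefaultBox>,*

; Sandbox Settings > Delete > Invocation:
; "Automatically delete contents of sandbox when last sandboxed program ends".
AutoDelete=y
```

    One caveat a reader should take from the fragment rather than the prose: the Start/Run list is a whitelist by executable name, so a downloaded file that happens to carry an allowed name (a second firefox.exe, say) is not blocked by this rule; the Internet Access rule behaves the same way. That is why the thread keeps returning to verifying what you recover out of the box rather than relying on the box alone.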
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sully has put it pretty straightforward. But... There's always a but... uh? :D

    ... But, it will ultimately depend on what the user actually needs based on certain risks.

    I'll tell you what I did to a relative running Windows Vista Home Premium x86.

    It's set to run in LUA plus UAC. The web browser is Internet Explorer 8, with Protected Mode on. It's protected by SpywareBlaster and Spybot - Search & Destroy immunizations. Not to forget and disdain Internet Explorer's own SmartScreen protection.

    On top of that, there's AVG LinkScanner.

    I did install Sandboxie, BUT, I DO know my relative and I do know that at some point an error message or error messages would be annoying; and if I disabled the alerts, then something could not be working and my relative wouldn't know... and to be honest I don't really think my relative would be interested in learning (this is the crucial factor here - to learn!).

    So, I don't have the browser under Sandboxie's protection. I have it under the protections I mentioned. Plus ClearCloud DNS.

    LUA + UAC + SmartScreen + SpywareBlaster + Spybot - Search & Destroy + LinkScanner + ClearCloud DNS provide a layered passive and non-annoying, for my relative, security for the web browser.

    I did add under Sandboxie's protection PDF reader and media player.

    These apps, including Office are also under EMET's protection.

    I also installed an AV (Microsoft Security Essentials) plus AVG Identity Protection.

    You see, different security measures are needed according to whom this security is meant for.

    In no way, what Sully mentioned, like having virtual machines with HIPS and firewall, would work for my relatives. This is 100% known.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Yes, I agree. Today it was verclsid.exe that SBIE 1380 message told me could not start up. I researched it and then added it to the allowed programs list for Start/Run Access. By not starting, I was unable to log into a Craigslist account.
     
  8. chris1341

    chris1341 Guest

    The absolute essence and brilliance of SBIE summed up here. Thanks Bo. Once you come to terms with that you realise that with start/run access denied you only have to concern yourself with what you let out. If you have a strategy to verify/contain/control that part, you're sorted.

    I've used SBIE for a number of years, much of which were spent looking for an ideal real-time partner for it. It is only recently the penny has finally dropped - just use the bloody thing on its own.

    I choose now to use a combo of forced folders as download locations, SRP, VT & Jotti, SD & VM and very occasional on-demand scanning to look after what comes out. SBIE does the job of keeping my systems clean better than any other product I've ever used. Oh yeah, and my systems literally fly - no system load, heat, fan overwork issues. No constant updates, no interminable tweaking of rules, no checking out the latest AV comparative and worrying whether my solution has best on-demand/best real-time/is lightest or just isn't the latest fad. No ropey releases and crap support. No on-going cost!

    Sure it relies on you making a few decisions - what to sandbox, what to allow, what to let out. Maybe not for Ma and Pa McNormaluser, maybe will never challenge the big guys as a result but I'm loving it and will never go back!

    Cheers
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi chris1341. I think most of us, after using SBIE for a while, sooner or later will come to your conclusion that it is better to "just use the bloody thing on its own". At first, we stop scans after they come up clean every time, then we get rid of the scanners and the AV real time. I think it's natural that this happens.

    Bo
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Sometimes I've just got to ask.... SD & VM is what exactly?
    I get SRP... Software Restriction Policy.
    I get VirusTotal and Jotti.
    But SD & VM... help me out.

    Great post, by the way. Lots of valuable insights. I'm seeing where you guys are making sense, but I'm in the early stages of SBIE use... I still have my training wheels on. It's tough giving up the real-time AV security blanket, you know? Plus, until I develop a more thorough working knowledge of Sandboxie (a strategy, if you will), I don't think it's a bad idea to keep those security app training wheels on. :)

    Edit in: OK, I figured out SD. Shadow Defender.
    Now I'm down to just VM... but I guess that's virtual machine.
    Can't say I don't try to answer my own questions! :)
     
    Last edited: Jan 22, 2011
  11. chris1341

    chris1341 Guest

    Yeah exactly right - VirtualBox in my case, sorry for the jargon.

    Keep the training wheels as long as you need them! Forever even. The way I see it, SBIE users either use it as a complement or a safety net for their primary solutions, or like me and others as their primary solution. Whatever makes you feel most comfortable.

    Good luck with the learning curve. It's worth it in the end. :D
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Oh, don't apologize for using jargon. I just needed to catch up, is all. ;)
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I came across an interesting post on the SBIE forum from a year ago. It's from a member named DarkEnergy, and I've excerpted a few paragraphs below...

     
  14. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Yeah I finally came to the conclusion that no matter how good your detection, detections fail. For a while I was using CIS and Prevx SOL. I felt kind of naked without some virtual mode or sandbox.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Do they call this a paradox? You almost have to do something to check files you don't know/trust, yet you really don't know if a scanner is going to do its job or not. You assume that if it is updated it will. To go to the trouble of starting it in a VM or other method, and check every detail of what it does? To put up with very noisy HIPS type tools that have prompt after prompt to click on? All of these and more can help you to gain a feeling of "trust", but where does the line get drawn?

    It is what I have tried to escape, the need to trust something that you cannot truly trust, yet also not just run around blind and naked. I love the way sandboxie contains things, but sometimes you want to let it out, and I wonder if there is truly a simplistic way to do so, other than rollback/imaging.

    Sul.
     
  16. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Amen sul.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You make some good points... But, and maybe I am misunderstanding something, how will X person know if something is misbehaving, if he has no way to verify it? When will this X person make use of the rollback/imaging backup plan?

    When something bad happens? And what does the word bad mean? Something this X person spotted "today"? Couldn't it have been there for weeks or months?
    Will this X person enter a paranoia state of rolling back or restoring an image every single time he/she boots up the system?

    I agree with you, especially with the question "where does the line get drawn?"

    For example, you previously mentioned...

    So, where does the line get drawn?

    Don't take this as bad criticism; it's way far from it. But, sometimes I feel like people waste too much of their time thinking why they shouldn't/others shouldn't be using something, while the real question, in the way I see it, would be: Why am I using this?

    Perhaps the answer would be something along the lines of "I do it, because I can handle it"; "I do it, because I can't handle other stuff. So, for me, it would be far worse not to use it/them."

    In the end, hopefully someone will come to the point of thinking "This is what I need, according to what I can handle."

    P.S: This "handle" could mean it's all this someone could really handle working with, or merely because other techniques were simply considered annoyances.

    I'm saying this because I know someone who truly considers disabling autorun and then having to open "My Computer" to get to the USB device a complete waste of time.

    I'm 100% sure this person would consider all restrictions one can achieve with something like Sandboxie a total nightmare. So, breaches need to exist; but covered with other mitigations, that won't be considered annoyances.

    Maybe you'll agree or not; maybe someone else will also agree or not; maybe we'll all have to agree in the disagreement. :D But, in my very own experience of dealing with certain people, this is the conclusion I took: Not every single person will react in the very same exact way upon a given situation. Just as certain as death being a sure thing.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @m00nbl00d

    You are correct. It is hard to know where that line is, or where to draw it. It is hard for there to be "one scheme to rule them all, and with security bind them" lol.

    I think a lot of users who are into computers are after the same thing, although what that is can be defined differently. We all know there are inherent dangers, even for advanced users. Many are tired of this "chasing our tail" round and round in circles.

    The most refined and sophisticated schemes still have the same weakness as the most simplistic ones - how do I know whether I have been compromised? As you state, how do I know so that I can put my image back on?

    I am often torn between sides on this very question. While I don't think an AV is the answer, it is a tool that can offer some definite assistance. Sandboxie is of great use, until you let it out of the sandbox.

    Myself, I have chosen to use education to replace the scanners, for the most part. I may use one occasionally, but try not to if I can help it. I just watch my system usually. I am familiar with what rights/restrictions I have in place, and understand what can and cannot happen. I also am familiar with every process and service running, which allows me to (almost) at a glance determine if something is amiss. Using Process Explorer and similar tools allows me to watch something new or something in question and see if it is "out of the ordinary". In XP I knew every port that would be open, while in Win7 it is a little more and takes more learning as to why some ports are open.

    The whole point is not to brag and say "I don't use AV, I only use SBIE", it is to share differing opinions and possible solutions. My half-baked ideas work really well for me, but are they truly secure? Maybe. Are using a HIPS and IPS/firewall and AV and other scanners truly secure? Maybe. But, if you look at how many people have the latter in place and still become compromised, you would have to say most likely "no". But, if you throw experience and knowledge in with all those tools, then most likely the answer would be "yes".

    I believe if the user gains sufficient knowledge, almost any security scheme they use will become quite secure. If that is true, then you are free to "lighten the load" as much as possible, or keep the load and maybe more certainty.

    One thing I know for sure - Sandboxie, in the hands of an intelligent person with some drive to learn, IMHO, offers the best and most simplistic protection offered today, as long as "what happens in the sandbox stays in the sandbox". All should note the IMHO part of that statement ;)

    Sul.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Having just selected a preset secure delete command for Eraser, how do I know that the sandbox is being erased and not merely deleted?
    All I can come up with (to test or confirm secure deletion) is to select the 35-pass Gutmann deletion and see if it takes longer to delete sandbox content?
     


  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I agree! For sure, for most and for those who lack it, easier than my approach. :D

    I just wish that everyone would be able to accept at least a little learning curve, even for the little details like disabling the autorun feature! Because when someone is not willing to do that, they won't be willing to learn a bit more about how something like Sandboxie truly works, and once everything is explained... well... IMHO ( :D ) it is EASY. ;)
     
  21. chris1341

    chris1341 Guest

    Some interesting discussion on secure delete in SBIE here https://www.wilderssecurity.com/showthread.php?t=284840 which may help.

    Chris
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Thanks, Chris. That is exactly what I was looking for, though not what I was hoping for, if you get my meaning. I think I'll look for similar discussion on the SBIE forum. I'm most interested in any response from tzuk along those lines. That info does not paint a pretty picture, does it? :shifty:
     
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I've been inspired by all the Sandboxie users tales here at Wilders so I converted and removed all protection except for Hitman Pro as an on demand scanner.

    Now I have this problem that I can't seem to solve; I've set Chrome to have direct access to desktop (it's where I download my files off Internet) in my browser sandbox. The 2nd sandbox has the desktop as a forced folder so everything I execute in that area will automatically be sandboxed. Now, I want to do an on demand scan on the files I download at the desktop. I right-click the file I want scanned in the desktop with Hitman Pro, but Hitman Pro starts sandboxed. Is there anything I can do to prevent Hitman Pro from being sandboxed when scanning in the forced sandboxed area (my desktop)?

    Except this small problem, I've been testing my setup against all sorts of threats today and nothing has passed so far. Sandboxie sure is a great tool.

    I'm looking forward to some help! Cheers!
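    The two-box layout shadek describes, written as a Sandboxie.ini fragment so the interaction that causes the Hitman Pro problem is visible in the settings themselves. This is an added example and not shadek's real file: the box names BrowserBox and DesktopBox, the desktop path, and the scanner's executable name are all assumptions.

```ini
; Added example, not the poster's actual configuration. Box names, the
; desktop path and the scanner's file name are assumed.

[BrowserBox]
Enabled=y
; Chrome is always forced into this box.
ForceProcess=chrome.exe
; "Direct access" to the desktop: the program-specific form of OpenFilePath
; lets chrome.exe write through the sandbox to the real folder, so a
; download lands on the real desktop instead of under C:\Sandbox\...\BrowserBox.
; The path is an assumption; substitute the real profile path.
OpenFilePath=chrome.exe,C:\Users\shadek\Desktop\
AutoDelete=y

[DesktopBox]
Enabled=y
; Forced folder: any program whose executable is started from this path
; (or anything started by double-clicking a file in it) runs in DesktopBox.
ForceFolder=C:\Users\shadek\Desktop\
```

    The behaviour reported above follows from the second section: ForceFolder keys on where the launch happens, not on which program is being launched, so a right-click scan started on a desktop file is itself a launch from the forced folder and the scanner (hitmanpro.exe here, name assumed) is pulled into DesktopBox along with the file it was meant to inspect. The Ctrl+Shift "Run Sandboxed" override suggested in the next post targets the ordinary run path, which is why it does not change the outcome for a scan initiated from the forced folder.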
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you right-click the Hitman executable, and then simultaneously press CTRL+SHIFT and choose Run sandboxed, it should/must run it unsandboxed.

    Hope that helps.
     
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    The problem I'm having is that right-click scanning an .exe-file with Hitman Pro at desktop which is a sandboxed area, makes Hitman Pro do a scan in sandboxed mode as well. CTRL+SHIFT & right click scan the file does not help. It just starts a scan in sandboxed anyway.

    Just to clarify this: I don't want to start the file out of the sandbox. I want to do a scan with Hitman Pro inside the sandboxed area without having Hitman Pro sandboxed when doing it. I can do a scan outside the sandbox, but that requires the whole computer to be scanned. I want to scan specific, downloaded files in a sandboxed area (the desktop) with Hitman without Hitman being sandboxed as well. :)
     
    Last edited: Jan 24, 2011