Shadow Defender or Sandboxie: If we choose

Discussion in 'sandboxing & virtualization' started by ocsi, Jun 1, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My opinion is that SBIE is the easiest approach for testing anything that does not require a reboot or is not too intense, like AVs or firewalls.

    SD is fine for testing anything that does not require a reboot, but that is its Achilles heel, so to speak.

    Myself, I test a lot in SBIE, and if it is insufficient, I use VMware, which is a paid product, but there are free alternatives.

    SD is a very solid application, but IMO I don't believe it is the best option for testing much in, because you have to reboot. I prefer virtual machines and snapshots for that sort of thing much more.

    Sul.
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    for me SD is just a convenience.
    it takes me about 3:30 minutes to restore an image.

    when i feel too lazy, SD saves me those 3-4 minutes. ;)
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would agree in that respect. I used SD for a while on my main machine, but frankly I got tired of rebooting, and did not like the fact that I could not test things needing a reboot. I had been using SBIE a little bit, but switched to using it as my primary testbed, or VMware if I needed it. I still prefer VMware if I am doing anything that is not just a quick test, primarily because I can use snapshots to restore the VM in about 15 seconds or less and make new snapshots very fast. It is the snapshot feature that I like. If it did not have it, I would not use it nearly as much.

    All of it works, it once again comes down to personal preference.

    Sul.
     
  4. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Dear Pegr,

    You are quite right and I stand fully corrected on that point. Thank you, I withdraw my remarks.

    John
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    It's still reliance on scanners, despite what you said. Just because they're online doesn't disprove that fact.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Come on J L, you know that Mr. PC meant real-time scanners.

    Why is it so hard for you to understand that there are some users that prefer to rely on easy-to-use, effective sandboxing/virtualization apps instead of a huge list of tools, like you do?

    While you play with your bunch of scanners doing updates and scanning, we do what we really like to do when using the Internet. At least I do. That's another benefit of using SBIE/virtualization instead of what you are using.


    Bo
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    He did not say real-time scanners in the first post, to which I've responded accordingly.

    I do scanning and internet surfing at the same time. I use sandboxing as well, and for longer than you did.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    J L, I know you love scanning, but your urge for scanning means only one thing: you don't trust your list. If you trusted your setup, scans would be rare.

    J L, I am out of here.

    Hasta mañana, JL.
    Bo
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not necessarily. I don't trust every program that comes from the internet, but I'd still want to try them. I also like testing products against malware.
     
  10. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Downloading and executing within SB or SD may give the user an idea whether the program is behaving normally or it is suspicious. Obviously a fake AV can be easily spotted for what it is, but rootkits, keyloggers and other stealth malware will just silently install upon execution without giving a hint. Deleting the sandbox or rebooting will effectively rid the machine of the infection.

    Keeping anything from the sandbox or committing anything to disk will have to be done with the assumption that the executable comes from a very trusted source, one's own behavioural judgement, or the results given by scanners. As far as I know an AV/MW scanner is still the only way to identify malware.

    When people say "I don't use an AV/MW" because they are redundant, I would expect them not to use any scanner on demand either, but most people do. Using an AV/MW real time is a technical choice based on machine power, specific footprint of the program, and working procedures. I have myself Avira and MBAM which I use most of the time on demand but there are periods (when I'm in a hurry with my work) whereby I might use them both in real time.

    If you asked me which would I choose between say Sandboxie and Avira or Shadow Defender and Avira, I wouldn't hesitate picking both SB and SD. Scanners can't be taken as a first line of defense anymore, still they do play a very important role in security.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Nicely put Osaban. I believe in much the same way that those who go without an AV, if they are smart, will have a degree of caution when executing files from untrusted sources. I try to get things from trusted sources, but don't always.

    Some of it though comes down to what measures you have taken. Using something like SD means you can run about anything you like. Imaging and virtualization in the same way. But at some point, if you like what you see, I see only two real options to determine if a file is to be trusted into the real system or not...

    1. put faith in a scanner and hope it detects a virii/malware properly

    2. gain enough knowledge to examine it yourself in a contained environment (using process explorer and/or HIPS within a VM to see for yourself what is happening)

    It is the Achilles heel of security. If I never downloaded and executed files, but only surfed the web and such, I would be free of issues forever. As it is, I maintain a pretty tight standard as to what I execute in my real system, and it keeps me problem free every day. I cannot recall the last time I had malware. I have never had a virus (only on purpose to test). Something must be working ;)

    Sul.
     
  12. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    @ Bo Elam and Sully.

    You are two wonderful people and a credit to Wilders. We are so lucky to have members like you who give their expert opinions liberally and openly in an obvious wish to help people. The information you give is always logical and very intelligently explained.

    Thank you both. What would a forum be without such a bank of knowledge?

    John
     
  13. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    Using an AV is also useful when a virus comes from USB. Even if you use SandboxIE well along with a virtual app like SD, Returnil or Time Freeze without an AV, a USB virus could damage your security setup...
     
  14. chris1341

    chris1341 Guest

    Can you clarify what you mean here? I force the drive letters associated with my USB drives to run Sandboxed and from around 3.29 (if I remember correctly) SBIE now sandboxes exe's in the real system started from within the USB device as well as those already on the device. From what I understood that would include something on the device starting cmd.exe or wscript.exe etc that might be used to drop malware or activate some form of exploit. Am I wrong with this?

    Are you suggesting that, even with start/run restrictions, something malicious could execute outside the sandbox from a forced folder/USB device even without autorun? If so I probably need to take some additional precautions I'm not taking now.

    Thanks
     
  15. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Pardon me!
    I edited my 1st Post to dissolve any further misunderstanding...
    Thanks! :thumb:
     
    Last edited: Jun 10, 2011
  16. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    One can sandbox effectively a USB flash drive with Sandboxie, but from my experience this is best done with Shadow Defender, Returnil, and the like. You are raising another excellent point: the use of an antivirus (real time or on demand) in conjunction with a virtualizer will probably also detect the very few (but very destructive) viruses which affect virtual systems specifically (from memory, killdisk, robodog, more may have been created ever since) by erasing the disk.

    A scanner within a virtualizer is a quick solution to verify whether any known malware is detected. As Sully says, it may be an act of faith, but it is better than nothing. There is no 100% security. Nod32 and Avira on my machines have detected more than 100 viruses from USB flash drives while in shadow mode in the last 5 years. There are situations at work whereby time is essential and a behavioural analysis (provided one is savvy enough to perform it) is just too time consuming and impractical.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I've decided on scanners over manual monitoring, not just because of inexperience. Some malware can hide very stealthily, and it's always more risky executing than reading. Also, multiple scanners can provide more accuracy.
     
  18. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    I think you are right about that, and I have similar forced USB devices. I wasn't thinking of "something malicious could execute outside the sandbox from a forced folder/USB device"; in fact I was focusing attention on general SandboxIE users who might think they are protected with default settings - and on avoiding "an act of faith", as Sully and Osaban raise this crucial point...

    As Tzuk states, "Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions. These solutions can let you know if your system does become infected in any way" and "typically, those other solutions employ various forms of pattern matching to discover malicious software and other threats. Sandboxie, on the other hand, quite simply does not trust any software code enough to let it out of the sandbox".

    Nevertheless, my security setup doesn't use an AV for now... And I agree in full with Osaban when he writes "There are situations at work whereby time is essential and a behavioural analysis (provided one is savvy enough to perform it) is just too time consuming and impractical".
     
  19. chris1341

    chris1341 Guest

    OK, understood, thanks for the clarification, and I agree that scanners, real-time or otherwise, still have and will always have a place.

    Chris
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would prefer an AV that is not such a resource hog as what the current offerings have. I used Avira for a very long time, and it used to be really light for an AV. Now though, they are all heavier than they need to be. The argument of "machines are faster and have more resources" doesn't fly in my book. That is no reason to stop optimizing code just because people have more ram.

    I would gladly use an on-demand scanner if it did not consume any resources until I called upon it. But I do agree that a scanner can be of use, although I don't put the sort of trust in it that many do.

    Sul.
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Using Sandboxie allows me to stay away from using real-time antiviruses, but when I started using SBIE, the thought of doing so was not on my mind. So, what happened? Well, my favorite antiviruses came up with issues on my computer when they upgraded to newer versions. It happened with Avira 10 and more recently when MSE 2 came out; that's when I decided to stay away from real-time scanners for good. Thankfully, I was ready. I use HMP and MBAM for on-demand scans, but as time passes by, scans are rarer and rarer.

    Using programs like SBIE and/or Shadow Defender is out of this world, in my opinion. The user's trust in them is put on trial when the user decides to rely on them completely, like some of us are doing. For me, it is easy doing it this way because my trust level in SBIE is 100%.


    Bo
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I trust SBIE in the same way. Like you, I don't rely on a scanner at all. I sometimes submit files to online scanners, but rarely. I do think, though, that having a scanner that worked well but was completely on demand and lightweight would really make me want to use it; even invoking it would be nice. But, like you, I have no desire to put a resource-hogging AV suite on my machine. In fact, I would just as soon get a virus etc. and put an image back on rather than run an AV. Maybe my machine is becoming dated, but I tried a few of them a month ago, and only reaffirmed that they are not for me.

    Sul.
     
  23. wat0114

    wat0114 Guest

    Ha-ha...we think alike on this matter exactly :D I do have the free on-demand MBAM which I sometimes use to check a file; otherwise I pretty much trust implicitly anything I download, and if really in doubt, I'll test it in the VM first.
     
  24. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Hi Sully,

    It is fairly clear that for someone as knowledgeable as you an AV real time or on demand would probably be like having ABS brake control on a Ferrari! On a serious note I think as I mentioned in other posts it really comes down to cyber environments.

    Using several computers for years on the Internet I ran into perhaps 2-3 instances of malware; at work, plugging in hundreds of USB flash drives over the years, 1 out of 3 was badly infected. Yes, I was in shadow mode, but I needed to keep the contents of the flash drive, so an AV was indispensable.

    I agree that for normal Internet use, using SB or SD and the like, one doesn't really need AV technology if one trusts sources or applies a default deny policy.

    I have Avira and MBAM most of the time on demand, and they have no system impact except when they are obviously scanning. In Real time there is definitely a slowdown which becomes noticeable with slow machines. Finally how can you expect programmers to optimize code when most computers are sold nowadays with 4-8 GB of RAM?
     
  25. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Some time ago, I thought that Windows was very weak in terms of security, and that it was necessary to flood the system with lots of 3rd-party software to make it safe. Now, after some reading in this forum, and not being an expert whatsoever, I'm convinced that Windows has what it takes to keep the average user safe against most malware out there: SUA, SRP, whitelisting exe's via parental controls, MSE, EMET, BitLocker, imaging... and many other things I don't know.

    Sometimes people even pay for stuff that is already built into the OS. Even with applications like Shadow Defender or Sandboxie, an AV, IMHO, is an important layer: even an experienced user can click "allow" when they should click "deny" and grant malware admin privileges, an apparently trusted installer from an apparently trusted source can contain malware, and some malware may be designed to bypass Windows restrictions or virtual environments.

    And to be honest, most decent AVs nowadays are light and don't interfere with everyday work. Normally people have their PC bloated not due to their AV, but rather due to junkware they've installed...
     
    Last edited: Jun 13, 2011