What's the use of having security software?

Discussion in 'other anti-malware software' started by IBadget, May 1, 2009.

Thread Status:
Not open for further replies.
  1. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Apart from running sandboxed there are other approaches to this you could take.

    1. Virtualisation. Either a 'Returnil type' system emulator, or a Symantec SVS application virtualisation (similar to a sandbox in some respects); or running within a VM such as VirtualBox (all free). There are pros and cons to all these approaches that have been explained in detail on these forums. (It's 4am so I'm not feeling long-winded enough to go into huge detail).

    2. Disk Imaging. This offers the most comprehensive option, since you can run the application as it was intended on your 'real' system, then simply revert to a pre-installation image/snapshot once you've finished with it. There are free options such as Macrium Reflect, or commercial options such as RollbackRX that have more functionality.
     
  2. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    With Defence Wall, what do you do if two years from now you decide you want to use something different and uninstall Defence Wall? Now you have a bunch of programs all over your comp, some as trusted, some as untrusted, you can't remember which, it's a total mess - versus installing in a sandbox and cleanly deleting that sandbox whenever you like and it is gone.
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    You asserted that ZAbypass bypasses Sandboxie's internet access restriction. Would I not need an IE internet restriction in place to test your claim?

    Sandboxie's job is to isolate/virtualize that scenario, not prevent it...unless you wish to apply more restrictive sandbox settings.

    A sandboxed ZAbypass invoked a sandboxed IE process. Sandboxie worked as advertised.
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    If you want to download files it's best to research the company and download it from a "trusted" source. By trusted I mean directly from the vendor's site or from a reputable download site. You also really need to ask the question "Do I really need this game or program?".

    I think this has been mentioned but you can create a separate sandbox to run the file in. However, you would need the proper knowledge or other programs to determine if the file was malicious. An ideal situation would probably be to run the program in a VM or on a test machine.

    You could also scan the files with multiple AS/AM/AV scanners and/or upload it to be scanned or analyzed. I use this method as well as staying away from unknown applications. I also have an image I can restore if do get infected.

    P.S. Am I the only person who mainly uses Sandboxie for my internet facing apps?
     
  5. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Maybe 5-6 years ago, what browser are you on?
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    You don't need to try and remember what is trusted and what isn't. Defense Wall shows a list of what is trusted and what isn't. And if you do happen to have malware on your PC and you want to uninstall Defense Wall, just restore a backed-up image. I really don't see this being any issue at all.

    But if you apply more restrictions then you can't load web pages. It is not a true test if you also block your web browser. Sandboxie should be able to block it without you having to block your browser, otherwise what use is it if you can't load web pages?

    A sandboxed ZAbypass can also invoke an IE process outside of the sandbox, which it shouldn't be able to do.

    Malware is always finding ways to bypass firewalls and I think you will find that using the browser is still one of the methods used.
     
  7. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I have some Delphi programs which do not work as untrusted...
     
  8. TheEndX

    TheEndX Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    7
    There has been a lot of misinformation being published on this topic recently, especially because of people using the words "bypass" and "control" so loosely. Unfortunately, when coupled with people improperly judging program functionality in tests and people ignoring most of the posts in the threads just to get to the "juicy" parts, the result can hold no higher title than "garbage".

    I have yet to be able to prove the statement about programs outside of a standard configuration sandbox being terminated by a program inside the sandbox. I already explained in the "Some test" thread what happened when I tested htaa*.exe. No legitimate termination occurred. Considering that, Sandboxie, even with potential included, cannot be terminated by any of the sandboxed programs tested in "Some test", even if they were remade to do so using their same methods.

    It is also important to note that Stop.exe and Stop2.exe do not have process termination capabilities. The actions of Stop*.exe are not security threats. Therefore, Sandboxie was not built to block its functionality. Sandboxie was not made to be resource hog moderator.
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not every program can be installed as untrusted, but most of them can. In fact, DefenseWall was and is designed to be as user-friendly with untrusted installation/uninstallation as possible for a policy-based sandbox.
     
  10. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I don't use Sandboxie, and don't have plans to, but not because of this. Although I'm aware legitimate sites can fall prey to malware as has been shown from time to time, I still argue the case for considering what you do online and how that affects the chances of getting malware, with or without Sandboxie.

    I do have an AV, which is security software, and even with that I often wish it would alert me more often if all these reports on forums like this are anything to go by, but then I have to accept I'm probably not doing the same things as some of you guys. Sure, there's always a risk, but I hope we'd all try to minimise that risk as best as we can. :)
     
    Last edited: May 2, 2009
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yeah, sorry, there are so many posts that need replying to, and I can't reply to every single one.

    While it is probably true that not all programs will work properly untrusted, not all programs need to be run in untrusted mode. It is mainly just programs that connect to the internet that pose a security risk which need to run as untrusted. I ask you: why would you need to run programs with a good reputation that don't connect to the internet untrusted?? I really only run my browser and online games as untrusted. I also run VLC video player and FastStone image viewer untrusted, in case any images or video files I download happen to have malware or malicious code attached to them.

    As for trying out new and unknown apps, like I said before in this thread, virus scan them and test run them on another OS and see how well they behave before you install them on your main OS. For me personally this is very seldom.

    And while you explained in the "Some test" thread that no legitimate termination occurred, I also explained later on that Sandboxie and explorer.exe are terminated by the registry test when the registry test is running inside Sandboxie. And by the way, htaac.exe does also actually terminate explorer.exe. So TheEndX, your statement is completely incorrect.

    Well, Defense Wall isn't a resource hog and yet it manages to prevent them all, with the exception of stop2.exe previously.
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    ssj100, I have a question for you. While you are going on and on about programs not working properly if you install them in untrusted mode, wouldn't this be the same problem if you try to install programs inside Sandboxie? I can't see how things would install properly inside Sandboxie.

    Why is it more accurately phrased that Defense Wall only prevents 3 out of 4?

    With the tests I agree that no permanent damage was done and that there is no such malware atm. I am not disputing that. But thinking about it logically, this doesn't mean to say that malware can't be written to cause permanent damage. It has already been achieved for things to communicate outside of the sandbox and terminate explorer.exe, how much harder is it to achieve another step?? If programs can terminate explorer from inside the sandbox, then surely it wouldn't be very hard to achieve one more step and write to the hard disk?

    Defense Wall has a MUCH STRONGER sandbox in controlling the behavior of malware than Sandboxie does. Do you want to know why? I will give you a clue: what feature does Sandboxie have that Defense Wall doesn't have?
     
  13. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    While I'm sure that no program offers 100% protection, and I would be glad if Sandboxie was bypassed by real malware writing in the registry and not some PoCs designed to test HIPS, because I know that the developer will fix the security issue in a few hours at most, can you until then stop the nonsense misinformation regarding Sandboxie?
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Gave DefenseWall a quick spin in a VM so don't really know much about it.

    Give me a couple of years to throw my 2 gig of malware samples at it that Sandboxie easily contained and I'll get back to ya. ;)

    Is it possible with DefenseWall to isolate an installed malware sample and its dropped components so as to upload to antimalware vendors?

    Such as the 1.exe below that drops five other hidden trojans.

    [Attached image: Trojans.jpg]
     
  15. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    For sure, if you run it trusted you are telling DW "Please, open the gates" because you trust this app, and you are not testing DW anymore. Your choice.

    As another poster already said, take the time to RTFM or the online help. Very educative, for me at least it was.
     
    Last edited: May 2, 2009
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I think you and some others are missing the point. If you want complete isolation, use a VM; that wasn't what Sandboxie was designed for. It allows interaction with the machine, but isolates certain types of actions.

    All the registry test was designed for was to prove RegDefend protects the registry, and the test was set up to prove that. Sandboxie wouldn't stop that, but it would stop the real system registry from being modified. But try and install a piece of security software that needs to install drivers and start services. Not going to happen. Point is, Sandboxie may or may not stop a particular action, but it will prevent it from harming the real system.

    As far as shutting down explorer.exe, so what. Every now and then when I try to access a shared folder, explorer hangs. When I force that window closed, explorer terminates itself (lose everything on the desktop) and then it restarts and all is back to normal. No big deal. But if I run a real live trojan like Killdisk, which indeed will trash the hard drive, Sandboxie stops it cold.

    I don't run any AV because of Sandboxie, and let's see which I would prefer: Sandboxie, which may allow explorer to be terminated, but blocks anything dangerous people have thrown at it, or an AV, which may or may not catch something, but on occasion with an FP might delete a critical system file, which has happened.

    Frankly this thread started with a somewhat off base premise and has gone nowhere.

    Pete
     
  17. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    A backed-up image of what? The original setup, before my 200 programs have been installed? Get a grip man - you can be so forgiving on the shortcomings of products you like. "Oh just install it on a separate OS", "Oh just back up an image". The fact is that once with Defence Wall you are with it for life or you need a format and reinstall of everything. And where is the Defence Wall sandbox? I know you call it a Policy Sandbox ... whatever that is. Sounds like DropMyRights to me.
     
  18. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    It's called "Rollback List" feature and you will find this by pushing the button "File and registry tracks".
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    When I was testing reg test and those other tests, at one stage I had both Sandboxie and Defense Wall running. I found when I tested them inside Sandboxie, Defense Wall was unable to control their behavior. Defense Wall's protection powers are stripped when you run things inside Sandboxie. So having both Sandboxie and Defense Wall isn't a good idea.

    Who on earth would have as many as 200 programs installed?
     
  20. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    With almost one third (20) of respondents to this: https://www.wilderssecurity.com/showthread.php?t=120570 having more than 100 or "too many to count" installed, probably a few do approach 200.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hello. I've installed Defense Wall and uninstalled it with no problem. I don't think that was a "fact" but an opinion.
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    DefenseWall uninstalls without problems.

    Give it a trial - then post your thoughts.
     
  23. TheEndX

    TheEndX Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    7
    Unfortunately, I did not consider RegTest as a part of the "Some test" thread and have not tested it. However, after reading RegTest's description, I do not believe RegTest terminates programs. As it says, it sends a shutdown signal and succeeds, although that operation should have been blocked by Sandboxie. Nonetheless, RegTest does not terminate anything; Windows does. (Based on the description.)

    My post in the "Some test" thread was mainly about htaac.exe and its alleged termination of explorer.exe. Unless we somehow got very different results, explorer.exe is not terminated; however, the taskbar does disappear along with desktop icons. By simply opening Windows Task Manager, I observed that explorer.exe is still running.

    You missed the gist of that paragraph. I did not imply that a program had to be a resource hog to manage stop*.exe. (Plus the term I used was resource hog moderator: a program that manages resource hogging programs.) My point was that Sandboxie is meant to block security threats. Threats that stop*.exe are not.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    As someone - wisely - already mentioned before, and this time I'll be using a different analogy (or analogies): why the need for us to get shots, to have a decent dieting habit, wear worm clothes when it is cold, etc.? To prevent us from becoming ill. Does it mean we won't? Does it mean that some of these people that take these measures won't die of cancer? Or, if lucky enough, just get the illness, do the treatment, and get better?

    What's the need for such protection measures, if we still get sick and still die? Let's not eat (properly), let's not wear any worm clothes when it is cold, let's not take any shots, let's not...

    What are seat-belts needed for, for example? - Besides the fact it is mandatory by law - People making use of them still have accidents, and they still die. But others, well, they get to live, and due to the fact that they used the seat-belts.

    Cheers

    P.S: Nothing uninstalls 100% from our system. As an example: download a trial version of a popular software, install it, let it end, and then uninstall and reinstall it. See if you can run the trial again. My wild guess is that you can't. Why? Information is still left behind. (Which I totally oppose, because, well... Let's face it... It is my damn system, and if I want something gone, it should be for once... Not any different from... "spying".)
     
  25. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Hi, m00nbl00d. I'm sure that you meant "warm" clothes. But before I figured out what you meant, I was momentarily perplexed at first. :) But besides that, that was a very good analogy.

    I'm sure that you meant that you "can" run the trial again. But is it true that stuff that is still left behind after an uninstall can function like spyware?
     