What's your opinion on Sandboxie

Discussion in 'sandboxing & virtualization' started by Frog01, Dec 21, 2008.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Not really comparable but maybe you could try Comodo's Disk Shield Beta.

    Running it here along with Sandboxie on my XP 64-bit install, and it seems to work OK, but I don't really know too much about it as I prefer using my 32-bit installs most of the time.
     
  2. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    I understand that SBIE sandboxes some parts of the system partition, but not all of it. My question is whether SBIE protects in the following case (it happened to me recently):

    I download a file with uTorrent or Internet Download Manager. The downloaded file is saved to a folder in a data partition (not in the C: partition).

    When I open the file, the antivirus (avast!) immediately detects malware. I quarantine the file, but the antivirus keeps issuing alarms. It becomes clear that malware has infected not one but several locations on the system partition; it has even installed a program that keeps reporting security problems from the icon tray.

    If I delete the sandbox, is all the malware written to C: deleted? Is the downloaded file deleted?
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    That has always been my issue. If your AV detects something while sandboxed and quarantines it, it is still there after closing Sandboxie; now you restore, and guess what.
     
  4. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    If you run the malware within the Sandbox, play with it a little and then delete the Sandbox, all contents of the Sandbox will be deleted and NO changes will have been made to ANY location.
     
  5. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    And why restore an infected file? (And the AV will alarm again during recovery because it is copied/written to the system.)
     
  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I've used it on my Vista laptop, but only a few times; it seems really good. I even listened to the Security Now episode about it the other day with the developer.
    http://www.grc.com/sn/sn-172.htm
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well, what if we thought it was an FP? And no, files like this are not deleted by closing SB. I know the chances are rare, but that is why we are called human beings. o_O
     
  8. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Well, if it was an alarm, false or not, it is still a matter of you and your AV as to what to do with it. SBIE fails in neither case and also gives you multiple security patterns on how to wipe the sandbox data (you can also select "explore contents" and delete just the problematic file anyway from within SBIE, no need to shut it).
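The behaviour debated in the posts above (a sandboxed write never reaches the real C: drive, deleting the sandbox discards it, a file the user explicitly recovers becomes an ordinary host file that the sandbox no longer controls, and a single offending file can be removed from the box without emptying it) can be modelled as a copy-on-write redirect layer. The following is an added example for illustration, not Sandboxie's code and not from any poster in this thread; the directory layout, class and method names are constructed for the model, and the "dropper" and "hosts" files are constructed sample data.

```python
import shutil
import tempfile
from pathlib import Path


class SandboxedFs:
    """Toy copy-on-write redirect layer (constructed model, not Sandboxie's code).

    Writes made by a "sandboxed" program land in a container directory; reads
    fall through to the host tree when the container holds no copy.
    """

    def __init__(self, host_root: Path, container_root: Path):
        self.host = host_root
        self.box = container_root
        self.box.mkdir(parents=True, exist_ok=True)

    def _box_path(self, rel: str) -> Path:
        return self.box / rel

    def write(self, rel: str, data: bytes) -> Path:
        # A sandboxed write never touches host_root; it is redirected into the box.
        p = self._box_path(rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        return p

    def read(self, rel: str) -> bytes:
        # The box's copy shadows the host file if one exists.
        p = self._box_path(rel)
        if p.exists():
            return p.read_bytes()
        return (self.host / rel).read_bytes()

    def delete_in_box(self, rel: str) -> bool:
        # "Explore contents" and remove one offending file without emptying the box.
        p = self._box_path(rel)
        if p.exists():
            p.unlink()
            return True
        return False

    def recover(self, rel: str) -> Path:
        # Explicit user action: copy a boxed file out to the host. From here on it is
        # an ordinary host file; deleting the box later does not remove it, which is
        # also the moment a resident AV would see a real write to the system.
        src = self._box_path(rel)
        dst = self.host / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        return dst

    def delete_sandbox(self) -> None:
        # Wipe every redirected change at once.
        shutil.rmtree(self.box)
        self.box.mkdir()


def demo() -> dict:
    """Run the scenario from the thread against temporary directories."""
    root = Path(tempfile.mkdtemp(prefix="sbie-model-"))
    host = root / "host"
    (host / "Windows").mkdir(parents=True)
    original_hosts = b"127.0.0.1 localhost\n"
    (host / "Windows" / "hosts.txt").write_bytes(original_hosts)
    fs = SandboxedFs(host, root / "Sandbox" / "DefaultBox")

    # Constructed sample: "malware" in the box drops a file into the system
    # directory and edits an existing system file; the user also downloads a file.
    fs.write("Windows/dropper.exe", b"MZ constructed sample")
    fs.write("Windows/hosts.txt", original_hosts + b"0.0.0.0 example.invalid\n")
    fs.write("Downloads/file.zip", b"PK constructed archive")
    recovered = fs.recover("Downloads/file.zip")

    result = {
        "host_hosts_untouched_while_boxed":
            (host / "Windows" / "hosts.txt").read_bytes() == original_hosts,
        "box_sees_modified_hosts": fs.read("Windows/hosts.txt") != original_hosts,
        "dropper_on_host_before_delete": (host / "Windows" / "dropper.exe").exists(),
        "single_file_deleted_in_box": fs.delete_in_box("Windows/dropper.exe"),
    }
    result["box_hosts_still_modified_after_single_delete"] = (
        fs.read("Windows/hosts.txt") != original_hosts
    )
    fs.delete_sandbox()
    result["box_hosts_gone_after_delete"] = not fs._box_path("Windows/hosts.txt").exists()
    result["recovered_file_survives"] = recovered.exists()
    result["box_now_reads_host_hosts"] = fs.read("Windows/hosts.txt") == original_hosts
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the split the posters are arguing about: everything written through the redirect layer disappears with the box, while the one file copied out by `recover()` stays on the host, so a quarantined or restored file is the user's decision and not something the sandbox deletion can undo.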
     
  9. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    of course that only stops keyloggers from using their own communications channel... ones that use the browser will still be able to leak your data...

    also, in-browser malware and drive-by pharming are not stopped by sandboxie, but otherwise it is a pretty good tool...
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What difference does it make if the keylogger can use your browser? Can it do that if it can't be installed?
     
  11. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    Can you clarify?
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Exactly, keyloggers have to execute, and if only the .exe for the browser is permitted to run inside the sandbox and is the only .exe allowed internet access, the keylogger is DOA. Also, malware may not be stopped from getting in the sandbox, but malware can't do a thing that can't be reversed once it's in there. One thing you do have right is there is no phishing (which I believe you meant instead of pharming) protection. If you willingly hand information over, nothing can stop you.
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Keylogger simulation test with Sandboxie restrictions as follows: Firefox internet access only + start/run access = Firefox.exe only, no other executable. This is the first of four.
     

    Attached Files:

  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Test 2
     

    Attached Files:

  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Test 3
     

    Attached Files:

  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Test 4. It looks like a keylogger would fail, IMO. Draw your own conclusions.
     

    Attached Files:

  17. Montecristo

    Montecristo Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    72
    Sandboxie is a great program.

    Thanks for the screenshots, djohn.
     
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    You're welcome.
     
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It seems to me that a less contentious approach would be to exclude \Sandbox from AV interference. The sandbox contents are virtualized until explicitly made otherwise... at which point I would expect a resident AV to react to file writes or execution.

    Nick
     
  20. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I am not sure what you mean by interference, but in this particular test NOD32 fails; hence there is no interference.
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Sorry about the confusion. I was not responding to your posts. I was just making a general point about sandbox and AV interaction.

    Nick
     
  22. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    OK sorry my bad.
     
  23. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    I would like to try Sandboxie, but would it work with BitTorrent? I need uTorrent to be able to send the correct ratio to the private tracker. How could it be set up so as not to affect stats?
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    kwismer may also be referring to an XSS script injection, or code embedded in a page the user reaches through pharming:

    Once the user finishes typing and clicks "submit" or "login," all keystrokes are sent to the hacker's site. No separate keylogger executable needed.

    ----
    rich
     
  25. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    There is no protection against that, just common sense (which I'm beginning to doubt even exists).

    NoScript could help also, but that is for another thread...
     