Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. bo elam

    bo elam Registered Member

    From Q4, that below, is sandboxing.

    "Instead of breaking the links, GeSWall tracks an untrusted application data-flow: files, registry, etc. For example, GeSWall does not prevent a new file to be created by a browser, but it tracks out files created by isolated applications and isolates (restricts) an application that uses those file"

    Pegr, did you read the link from the DefenseWall site? No comment?

    Bo
     
    Last edited: Dec 22, 2014
  2. pegr

    pegr Registered Member

    In the case of DefenseWall, things are a little more complicated because, although the basic security model is policy HIPS, there is a degree of sandboxing due to partial virtualization. Similarly, with Sandboxie, the basic security model is sandboxing, with added policy HIPS features. In that sense, both programs are hybrids. For classification purposes though, it is probably more helpful to separate them into different categories because they are, fundamentally, quite different types of program in the way they operate.
     
  3. pegr

    pegr Registered Member

    See my reply to MrBrian in post #552.
     
  4. pegr

    pegr Registered Member

    From Q4: -

    "GeSWall is not a sandbox. Perhaps the best sandbox you can afford is a separate machine or VmWare/VirtualPC, the rest is by definition incomplete solutions and will always have some flaws. Virtualization/sandboxing solutions create strictly separated environments."
     
  5. bo elam

    bo elam Registered Member

  6. Rasheed187

    Rasheed187 Registered Member

    I think you are still misunderstanding me, Firefox was installed in the sandbox and I couldn't get Flash to work. To avoid having to install and configure Firefox on the real system, I tried to copy the Mozilla files from the sandbox into "C:\Program Files" and "C:\Users\Default\AppData", but that does not work with apps like Firefox and Opera, they will not recognize your extensions and settings. I should have known better.

    Yes, that is a good idea, I've learned my lesson, because some things just can't be fixed inside the sandbox. After installing Firefox on the real system and reinstalling Flash, everything is working fine. Of course FF is still a "forced" app.
     
  7. pegr

    pegr Registered Member

    Okay, so if they get things done differently why insist on calling them the same thing? It isn't helpful when making comparisons between programs that are using different security models. Look, I'm not saying you are wrong. You are free to call anything you like a sandbox if you want to. The terms right or wrong, true or false, don't apply to concepts. Concepts are more or less useful, depending on how well defined they are and whether they enable us to draw out distinctions between things and make valid comparisons.

    The problem with referring to everything that uses restriction as a sandbox is that we don't then have a handy term of reference for isolation into a separate environment. Sandboxie is a fundamentally different type of program to AppGuard, DefenseWall, or GeSWall in the way it works. Referring to all programs using restriction as sandboxes invites false comparisons with programs that use isolation into separate environments. In order to get back the distinction we have lost, we have to start talking about type A and type B sandboxes.

    My view is that it is simpler to classify different things into separate categories by naming them differently, rather than calling them all by the same name then trying to explain how they are not the same after all. You are free to disagree and I respect your right to do so.
     
  8. bo elam

    bo elam Registered Member

    Isolation and restrictions make Sandboxie, DefenseWall and GeSWall similar and sandboxing programs. The way they get it done is different but in essence, they are doing the same, which is to keep the system, files, registry and other programs intact from being modified by untrusted applications (DW and GeSWall) or sandboxed programs.

    In one, Sandboxie, you get rid of the untrusted/sandboxed files when you delete the sandbox. In the other two programs, files remain in the system but they can't make changes to the system unless you run them as trusted. Pegr, call it what you want, but all three programs are doing basically the same thing.

    According to Ilya, DefenseWall is a sandboxing program. You say, it is not. What can I say? I agree with him.

    Bo
     
  9. pegr

    pegr Registered Member

    Let's agree to disagree shall we?
     
  10. Rasheed187

    Rasheed187 Registered Member

    I agree with nobody being wrong. Personally I like to call apps that offer some form of restriction "a sandbox", but you can use different forms of sandboxing. You can use only policies, or you can also use policies combined with virtualization. It's the same with HIPS, some say HIPS is not a behavior blocker, others say, HIPS = behavior blocker, but you have two kinds of them, namely "expert based" and "policy based". The first is a smart one, the second the dumb one. Who cares really. :D
     
  11. Mr.X

    Mr.X Registered Member

    As an advanced home/small office user (never an expert), I really don't care. At the end of the day those security firms provide us with a certain program that falls into certain category or a mix of two (hybrid) and we take the one that suits our needs and our beliefs. For the moment, I think it'll be very long lol, I stick to Sandboxie and AppGuard, beautiful both, indeed.
    Happy festivities for you all guys... :cool:
     
  12. pegr

    pegr Registered Member

    I completely agree. Language is simply a means of communication. Even if people attach different meanings to terms where there is no general agreement about usage, providing there is clarity of use in any given context so that no confusion or misunderstanding arises, it doesn't really matter. Clearly, there is less chance of misunderstanding if there is a single definition for each term that we can all agree on, but very often in computing it doesn't work out that way, and usage sometimes changes over time from its original meaning anyway.
     
  13. bo elam

    bo elam Registered Member

    Sounds good, Pegr. I'll finish up here. I can tell you haven't tested DW because if you had, you would know that Sandboxie and DW have more things in common (sandboxing), than don't.

    Bo
     
  14. pegr

    pegr Registered Member

    I agree. Providing people are clear about where the similarities and differences lie when comparing program features, it isn't worth getting too hung up over the language used to describe them. There is a risk of confusion in applying the term "sandbox" to both restriction and isolation, but so long as it is made clear in any given context what kind of sandbox is being referred to, no misunderstanding or loss of clarity should arise. I agree that Sandboxie and AppGuard are both great programs, as are DefenseWall and Shadow Defender also.
     
  15. Compu KTed

    Compu KTed Registered Member

    BufferZone: neutralizes threats, including viruses, spyware, and other types of malicious
    software, by redirecting their disk, registry and other modifications on your PC to an
    isolated Virtual Zone (the “buffer zone”).
    Any modification requested by a program running in the Virtual Zone is performed within the
    boundaries of the isolated area and does not affect your PC’s actual configuration, data or files.

    Maybe BufferZone may be more "sandbox related" to Sandboxie. What do you think?
     
  16. pegr

    pegr Registered Member

    I have tested all of the different programs that we've been discussing, including DW, and I do understand the differences between them. DW has partial virtualization so, yes, it has some sandboxing features in addition to rights restriction. I believe I've already acknowledged that.

    The use of the term sandbox in computing appears to have originated as a metaphor for physical boxes used to contain sand. With a physical sandbox, there is isolation and a clear separation between the world inside the sandbox and the world outside. This meaning has been broadened in computing to include rights restriction, but not everybody accepts this. As you can see from the discussion between Ilya Rabinovich and Kurt Wismer, even acknowledged security experts sometimes disagree on these things.

    In any case, as I've already said, providing there is clarity about the meaning of the term sandbox in any given context, I don't see any harm in broadening it to include rights restriction, although personally I prefer to stick to the original meaning of sandbox as isolation in a separate environment. I would still describe AppGuard, for example, as policy restriction, rather than a sandbox.
     
  17. pegr

    pegr Registered Member

    Yes, I think that BufferZone is related to Sandboxie in that they are both types of application sandbox. The words "isolated virtual zone" make it clear that the buffer zone is a sandbox by anybody's definition.
     
    Last edited: Dec 23, 2014
  18. bo elam

    bo elam Registered Member

    And you should, AppGuard blocks programs from executing, sandboxing programs don't do that, they contain, isolate. Sandboxie has Start Run restrictions but that has nothing to do with sandboxing.

    Bo
     
    Last edited: Dec 23, 2014
  19. Jarmo P

    Jarmo P Registered Member

    Actually AppGuard doesn't block programs from executing IF they start from System space (Program Files folders etc.). It does not have that kind of HIPS capability, like SbIE has in the restricted sandbox. Instead it does prevent programs running from User space (unnatural places for normal execution and needs then from user some input to make them execute if desired). AppGuard not having some kind of antiexec control, makes it in my opinion one of the programs not likely to cause conflicts with other security software.

    AG does allow guarding of apps. Typically internet facing apps like browsers and also many other uses. And it does guard apps from untrusted space by default. And spawned processes of guarded applications are also guarded. Guarding means the applications can't make system space changes and so can't cause damage to it. And additionally our private data can be protected from guarded apps with an option.

    I agree with pegr that this is not sandboxing though. I think AppGuard is not exactly guarding such things as a browser profile even if the browser is guarded, because I believe it exists in user space. For that a sandboxing program like SbIE provides desired protection, no matter if the browser itself has some sandboxing implemented.

    And thank you pegr for the excellent posts and readings.
     
    Last edited: Dec 23, 2014
  20. 142395

    142395 Guest

    I agree with pegr, except that I want to call policy restriction a sandbox too, with slightly different words such as policy-based sandbox vs. virtualization-like sandbox. One reason is there's already been much use of the word "sandbox" for that kind of solution, especially in Chrome, Adobe Reader, Android, OS X, iOS, IE, etc. and I can't think of a better word for them, they're clearly not HIPS or such.

    Guys, just accept the fact there's no fixed & absolute meaning for the term "sandbox". It's well known in linguistics that there's no meaning in a word itself, but meaning has to be determined by syntax, context, and actual usage in communication.

    What matters, however, is that there has been much confusion around the term, you'll find it by just searching past discussions in this forum, and this is because people often talk w/out a clear definition.
     
  21. 142395

    142395 Guest

    Sorry, somehow missed your reply.
    Well, at least I also have to allow direct access for bookmarks, but as to the download folder, it is already forced for DefaultBox (only slightly changed from default settings).
    But so far Chrome w/ forced download folder works fine, so I'll reconsider that if the current setup causes a new problem.

    BTW, I found the incompatibility of Chrome 64 bit w/ Norton 2014 is related to Norton's self-protection. There are many errors in Norton's history when that occurs, all say Norton prevented SBIE from accessing its component.
     
  22. Peter2150

    Peter2150 Global Moderator

    In AppGuard, if a browser starts guarded, all child processes are started guarded, and that includes profiles.
     
  23. bo elam

    bo elam Registered Member

    That's what I said Jarmo, AppGuard doesn't do what sandboxing programs do and that is allow programs under their supervision to run free, untrusted so they can't make changes to the system, files, registry, other programs but free to run as they normally do.
    Hi Yuki, I hope you don't agree with Pegr that DefenseWall is not a sandboxing program because that is wrong. IMO, DW is as much a sandboxing program as SBIE is. No need to add an asterisk or an adjective next to the word sandboxing to describe either program. Please, read the first few lines in DefenseWall's webpage.
    http://www.softsphere.com/
    And about GeSWall, read what I quote below from their link. That is sandboxing.

    "For example, GeSWall does not prevent a new file to be created by a browser, but it tracks out files created by isolated applications and isolates (restricts) an application that uses those file".

    "GeSWall's isolation implies security policy that effectively prevents an attack damage. The only restrictions imposed are restrictions for leaving isolation layer - damaging system outside given application".
    http://www.gentlesecurity.com/docs/geswallfaq01.html#q5
    On that, Yuki, we agree, that's why I have a problem with someone saying that DW is not a sandboxing program when I have used it, like it, understand it and more importantly, know that what it does, it is sandboxing at its best.

    Bo
     
  24. Mr.X

    Mr.X Registered Member

    Agree. Such a great program I've used before, it's a shame there's no DW x64 version.
     
  25. bo elam

    bo elam Registered Member

    Yuki, it's probably best to use a separate sandbox for your Downloads, that way you can keep downloads from having access to the internet when they run.

    About Norton and SBIE. Incompatibility issues between both programs are well known. As far as I know, the antivirus itself works fine with Sandboxie but problems arise when Norton's add-ons are enabled. So, it's probably best to disable the add-ons to get both programs working together.

    Bo
     