Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    And what makes you think that attachments are not protected by Chrome's sandbox? We will have to wait for Yuki to give us full information on what is protected and what is not protected.
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    J_L, I thought you don't run Google Chrome and its built-in sandbox sandboxed (under Sandboxie) at all, except for Chrome's downloads folder, right?
    Can you give me your entire security setup, if you don't mind (I still have to see what I need to feel; I will most likely buy a license for MBAM and use Zemana anti-logger free (credits to Yuki and his security setup))?
    Big thanks in advance, J_L.
     
    Last edited: Dec 28, 2014
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yuki, please forgive me for asking you again (please, don't kill me for asking you this again):
    You said here:
    Yuki, could you please explain these bold and underlined statements: when you wrote this, did you mean Sandboxie at its default level without configuration, or did you mean properly configured Sandboxie with a super-tight configuration?

    I do remember that in one of your posts you wrote that properly configured Sandboxie is equal to Google Chrome and its built-in sandbox when it comes to protection against exploits and drive-by downloads. Can you confirm this again?
    I can find this post here in this thread if you want to.
    I again apologize for this, Yuki.

    And could you tell us which parts of Google Chrome are still not protected by Google Chrome's built-in sandbox?
    Big thanks for your patience, again.
     
  4. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I think I understand what you mean here. I have a few family members I've suggested Sandboxie to, and after taking a look it's much more complicated than they are willing to deal with to get the results they want. It's certainly not for everyone as it currently exists, but I also can't devise a way where it would remain as useful and versatile but still be more user friendly. :-/ It's a shame when it can solve so many issues, but maybe in a few more years I'll get them to sign on :p It only took 4 years to get them to use a decent firewall/AV!
     
  5. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    579
    Location:
    The Outer Limits
    I have to disagree somewhat, in that if you put Sandboxie on their system, configure it to self-delete the sandbox on closing, remove all browser icons from the desktop and tell them "the pepperoni pizza" is their internet access, then the battle is mostly won. The only other part is a good AV.

    I did this on my daughter's computer (installed BD free) over a year ago and no problems with anything.

    BTW my daughter's eyes triple glaze over the moment I mention "computer security", so it had to be a set-and-forget solution.

    Regards Eck:)
     
    Last edited: Dec 30, 2014
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You know, it's tiring to go thru this with friends and family. I know. Now, I just tell them they can prevent problems with security solutions. When I meet any resistance, I just say fine, you are free to do as you please with your computers, but when it gets all messed up, you are equally free to deal with it. I don't, period, and also don't let them near your computers. It really makes life more relaxed for you, and when they get badly infected once or twice, then they will ask about security.

    Pete
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    No it's application virtualization, because there are 2 separate environments, inside the sandbox and outside. So this means you can run the same browser (IE or Firefox for example) with different settings and extensions. The only difference is that with BufferZone, all files end up on the real system (clearly marked), instead of inside the sandbox container/folder. This can be handy, because you no longer have to search for files. But I wonder how it would work when you use multiple sandboxes. I think in the end, SBIE's approach is better.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You definitely can do that, but my SBIE setup is strictly on-demand. So no forced folders, although that is an idea I could pursue.

    As for my entire security setup, I believe it's all in my signature. Feel free to base off of it, but I wouldn't recommend copying it entirely to anyone else (though they can if they wish).
     
  9. 142395

    142395 Guest

    @CoolWebSearch, @bo elam, @J_L
    Exactly speaking, not all plugins can be sandboxed. However, in recent Chrome any attempt at direct PC access by any plugin will cause a prompt which asks the user to allow or deny; see the picture at this link.
    http://helpx.adobe.com/adobe-access/kb/error-3321.html
    And if you configured unsandboxed plugin access to force the plugin sandbox, all plugins will be either sandboxed or not able to run at all, so essentially all plugins will be sandboxed. You can find a bit of info from these links.
    http://browsers.about.com/od/google...d-Unsandboxed-Plug-ins-In-Google-Chrome_6.htm
    https://code.google.com/p/chromium/issues/detail?id=394401

    Oh, BTW CWS, I also don't recommend copying my setup. This setup is only for me; there are lots of tricks which I didn't and practically can't write up, and using those products without a clear vision of the whole security design is, IMO, nonsense and can even cause issues. As I said, how to use and how to configure is more important, and if my AV was not Norton, my entire setup would be different (changing only the AV is impossible for me). You can use it as a reference, but first make your vision, and only after you're convinced to use them, actually use them.
     
  10. 142395

    142395 Guest

    @CoolWebSearch
    I don't understand why you're so confident that you can't be infected by a download. I already said I can be fooled, and that experts admitted being fooled by advanced social engineering.
    You said you don't download anything; then how can you get the MBAM or Zemana installer? And you never download attachments from email? You might think the MBAM installer must not be malware, but how have you actually confirmed it? There are already such infection cases (or worse, crackers hacked update servers and distributed malware through updates in several cases, including the Opera browser). So I always check the digital signature, and when I first download an executable, I always throw it to VirusTotal regardless of how much reputation it has; oh, and in my case Norton File Insight also helps identify the file.
    I suppose you have made some conversation here or on other forums/SNS, but are you always extremely careful on it? I might send a malicious link or attachment to you. It is quite common in targeted attacks that the attacker first establishes trust with you and makes many good conversations, and only after that inserts a malicious link or attaches malware in email. Or the attacker might hack your true friend and send email with his account. In some conditions, spoofing the sender will also be possible. Are you sure you'll never be fooled? I know you agree with what I want to say, as you admitted anyone can make mistakes. Depending on how you use it, SBIE actually can ease this.

    Well, I guess you still don't get what bo means. You can set your brother's SBIE to allow direct access to the download folder (and more, depending on need) so that all files downloaded will be there permanently (on the real system). But at the same time, make the download folder (and other folders) forced so that every downloaded executable and document will still be in the sandbox.
     
  11. 142395

    142395 Guest

    While what you say is literally right, I got more nuance from your post #620. Chrome itself is surely a browser, but its sandbox is a dedicated sandbox and can be used for other programs, as you see in Adobe Reader, if the dev implemented it at code level.
    While I don't like Google as a whole, I appreciate their expertise in the security field and huge contribution to entire IT security, especially their highly efficient vuln research team and leadership in web security. So, for me, your statement sounded like "I trust Kaspersky over Symantec as they're a dedicated AV company but Symantec is not" or "I don't trust Online Armor as they were bought and Emsi is not a dedicated firewall company". (Google bought GreenBorder.)
    So, IMO, you could just say "I trust Sandboxie above all because it's a security oriented solution, and I know it is quite robust from all what I've seen and my experience", but no need to mention Chrome. The "Chrome is not" part of your statement does not reflect the fact that the Chrome sandbox is a security oriented solution designed and maintained by efficient people, including the world's best security experts (Google often headhunts them).
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    My apologies if you misunderstood me, Yuki. I still don't have MBAM and I still don't have Zemana anti-logger. What I'm saying is that I will install them both, plus Avira antivirus free, plus Hitman Pro.Alert 3; I still don't have anything mentioned yet.
    No one is sending me anything yet (no file, no attachment, no nothing) through e-mail, not before I finally get an AV, and that would be Avira free; that's one of the rules I have.

    Regarding SBIE and Chrome, I'm quite surprised that Sandboxie, with all the configurations and with all the restrictions, still can't reach Chrome's degree (it has no access rights, no network connection, no file read/write, of course no execution), as the Chrome sandbox is only for Chrome and adapted at code level (in other words, you wanted to say/write that Google Chrome and its built-in sandbox are more secure than SBIE with proper/super-tight configurations and restrictions). However, these facts do not stop me from running Chrome sandboxed under Sandboxie's supervision, configurations and restrictions in the first place.
    Cheers.
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, I was right after all: you use and run Google Chrome without Sandboxie/outside Sandboxie's proper/super-tightly configured restrictions/protection?
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,390
    Location:
    .
    Didn't know this; it's good to know now.
     
  15. 142395

    142395 Guest

    Sorry, I surely had read your posts, but somehow forgot to reply to the bolded part. I meant whatever access restriction you make via SBIE settings, it can't block all (even if you could, it would just end up breaking the program). It's similar to black/whitelisting: SBIE's access restriction is blacklist-like, you add the folder or registry you want to be blocked. OTOH, Chrome strips down all rights from the renderer, and only allows access to needed objects. It is not a pre-defined list, but what can be accessed is dynamically determined by policy. E.g. if you download something, only that file can be accessed (and only the allowed access, either read, write, or execute, can be done) (exactly speaking, it's not 100% correct, but as a plain example). This is safer than allowing the entire download folder.

    But anyway, as far as common exploits are concerned, strictly restricted SBIE is equally secure. That difference in access restriction would make sense in more advanced attacks seen in targeted attacks, but if you restrict SBIE with network & start/run restrictions and access blocks to sensitive folders/registry, the only practically possible threat left I can think of now is a malicious add-on, which is not affected whether you sandbox Chrome or not.
     
    Last edited by a moderator: Dec 29, 2014
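The setup bo and 142395 describe in post 10 (downloads kept on the real system, yet still forced into the sandbox) combined with the network, start/run and sensitive-folder restrictions 142395 lists in post 15, written out as a Sandboxie.ini fragment. This is an added illustration, not configuration posted in the thread; the box name "ChromeBox", the user "Alice" and the paths are assumptions.

```ini
# Added illustration, not from the thread. Box name, user name and paths are
# assumptions; adjust them to the real machine.
[ChromeBox]
Enabled=y

# Chrome always starts inside this box, even when launched from the desktop,
# so the user never has to remember to "run sandboxed".
ForceProcess=chrome.exe

# Downloads are written straight through to the real folder, so they persist
# after the box is emptied (the "direct access" arrangement from post 10) ...
OpenFilePath=C:\Users\Alice\Downloads

# ... but anything opened from that folder is itself forced into the box, so a
# downloaded executable or document still runs sandboxed.
ForceFolder=C:\Users\Alice\Downloads

# Start/run restriction: inside the box only chrome.exe may start a process.
# A payload dropped by an exploit cannot launch a second program.
ClosedIpcPath=!chrome.exe,*

# Network restriction: every program in the box except chrome.exe is cut off
# from the network, so a dropped binary cannot phone home.
ClosedFilePath=!chrome.exe,InternetAccessDevices

# Blacklist-style blocks on sensitive locations (the kind of pre-defined list
# post 15 contrasts with Chrome's dynamic renderer policy): these folders and
# keys are invisible to every program in the box.
ClosedFilePath=C:\Users\Alice\Documents
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

# Sandboxed programs lose administrator rights, and the box is wiped when the
# last program in it closes (the set-and-forget setup Behold Eck describes).
DropAdminRights=y
AutoDelete=y
```

Note that `OpenFilePath` on the Downloads folder means a malicious download is written to the real disk; the `ForceFolder` line is what keeps it from running unsandboxed later, so the two entries belong together.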
  16. 142395

    142395 Guest

    Still, I can understand the rest of your statement. Once you sandbox Chrome, the master is SBIE, not Chrome. And considering double-sandboxing doesn't add much protection, it's understandable to disable the built-in sandbox if it addresses or decreases compatibility issues.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I just wonder how tough it is to break Sandboxie and its protection with exploits, and how tough it is to break through Sandboxie and its protection with exploits?
    Obviously, it's much easier to break Sandboxie and its protection with exploits than Google Chrome and its built-in sandbox; also, it's much easier to break through Sandboxie and its protection with exploits than through Google Chrome and its built-in sandbox, based on your posts here!
    Right?
    Again, this does not stop me from using Sandboxie on top of Google Chrome.
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, against what, exactly, does double sandboxing (Sandboxie on top of Google Chrome) protect?
    The only thing that I know of is downloads, and perhaps social engineering; true or false?
    What else?
    Can you make the list?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sandboxie has yet to be bypassed in real life. This conversation becomes a never-ending circle that in the end proves what? There is only one thing that can really break SBIE badly, and that is the person sitting at the keyboard. Anyone who says they won't get caught by social engineering is fooling themselves. All it takes is being very tired.

    @cws. You are suffering from what market traders refer to as Paralysis by Analysis. All your questions, what ifs, etc, are just leading you into a state of total confusion. Relax, accept Sandboxie works and use it. Whether you use, and how you use, Chrome, is up to you, but I can assure you there is indeed life without Chrome. I for one won't use it.

    Pete
     
  20. 142395

    142395 Guest

    I agree with Pete for the most part, and don't want to continue this discussion.
    And anyway, I'm going on a trip and maybe won't drop in during that.
    Have a good year-end! :)
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,390
    Location:
    .
    lol you too, have a nice year end!!! I mean all of you guys!!!
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,390
    Location:
    .
    Yes, I do agree. And ...
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I wonder in what part you disagree with Pete?

    But I have to admit that you also excluded the fact Sandboxie, like Google Chrome, also uses integrity levels.
    Sandboxie puts everything that runs inside of it, on untrusted integrity level.

    So, based on the fact that both Chrome and Sandboxie use integrity levels for security and protection, both Sandboxie and Google Chrome are equally hard to exploit in the first place.

    So that researcher you mentioned, who was able to bypass Chrome with extremely complex and hard exploits plus dozens of vulnerabilities, would also bypass Sandboxie with equal difficulty as he did Chrome, regardless of whether Sandboxie is a targeted application or not.

    You said that Google Chrome has no access rights, no network connection, no file read/write, and of course no execution; you're forgetting the fact that everything you mentioned is actually possible with Sandboxie's configuration and restrictions.
    And, yes, have a nice year end, you, too!
     
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    True, very true, Peter.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Good, above all glad you realize what I said wasn't critical but for your benefit.

    Pete
     