Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Hi Rasheed, Universal Apps and Edge are not compatible with Sandboxie. If you attempt to run any of them under SBIE by mistake, you'll get a friendly error.

    Bo
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Perhaps there's nothing urgent to fix. :)

    Curt :cool: left a few weeks ago. When I asked Barb about Curt, she told me there are other developers that work on Sandboxie and all will continue as it has.

    Bo
     
    Last edited: Jul 23, 2017
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Yes, I am happy. There is something called Metered connection. Setting your internet connection as metered gives the user some control over updates. Up to version 1607, in W10 Home the setting was only available for WiFi. But in 1703, the setting is now also available for LAN. A few days after getting the computer, I tested the setting with WiFi for 3 days, and it works. There were no updates, not even checking for updates. Nothing. Eventually, I am going to set my LAN connection as metered and keep it that way for good, and a week or two after the regular monthly updates are released, switch it off to allow the monthly updates to come in. The setting allows you to have some control over updates.

    Bo
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Yes I know, but I was trying to say that running SBIE on top is never pointless. In theory, if a browser's sandbox gets hacked, SBIE should still be able to contain the malware via virtualization. But yes, Edge isn't supported.

    I just read about it, and it's still not good enough.

    https://www.howtogeek.com/226722/how-when-and-why-to-set-a-connection-as-metered-on-windows-10/
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Running browsers like Firefox, Chrome and Opera under Sandboxie works great. If we do, we are not going to get infected unless we recover a virus....and run it unsandboxed. But if we run Edge, Sandboxie doesn't protect. Edge is not compatible with Sandboxie. With Edge the only protection from Sandboxie could be to force the Downloads folder, but that's it.

    I can't use Edge; using it would break my security strategy, which is simple. All files and programs run sandboxed every time they run during their lifetime in the PC. The only time I am not using Sandboxie is when the PC is idle. I am disciplined and adhere to that. So, if a program (like Edge) is not compatible with Sandboxie, whatever the reason, I stay away from using that program. For me, there is nothing to ponder about. :)
    It's like a middle ground. I think the setting works better than what it sounds like in that article. I tested it for 3 days and there was no checking for updates at all. At the time, I still had not turned off Windows Defender, and if I remember correctly not even for WD were there checks or downloaded updates. My real test is gonna be next month when I'll set my Ethernet as metered a couple of days before the monthly updates are released. If using the setting allows me to actually update a week or 10 days after the update is released, I'll be happy with that.

    Bo
     
    Last edited: Jul 25, 2017
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,559
    I might be wrong. But I assume if someone is able to bypass AppContainer, then he/she should be able to bypass third-party sandboxing apps as well.
     
  8. guest

    guest Guest

    Done already. https://tools.cisco.com/security/center/viewAlert.x?alertId=53619 ; so I guess your statement is valid. However, the "advantage" of 3rd party "home users" sandboxes is that few people use them, so they aren't worth the time to be spent on...

    And using a sandbox doesn't protect you from network based attacks, so if someone managed to penetrate your network, using let's say a famous kernel exploit (follow my eyes), using a sandbox shouldn't help much.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    So, guest, do you have any real world examples of malware escaping the sandbox, or is this just another round of knocking on SBIE based on assumptions, guesses and beliefs? What you wrote I have read many times before, but it never comes through. :)

    Bo
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    I am going to tell you a story. When I first started posting here at Wilders, there was a guy here that told me in a reply that I shouldn't promote Sandboxie in my posts; he said doing so did no benefit for me as a user. His take was, based on the belief you wrote and I am quoting, that the more people that use Sandboxie, the less secure Sandboxie becomes. Time goes fast, that was 7 years ago, his nick was moonblood, and Sandboxie is as strong or stronger today than it was then. :)

    Bo
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Yes, beta 5.21.2 is out :). Time to play; improvements and fixes below.
    https://forums.sandboxie.com/phpBB3/viewtopic.php?f=62&t=24690#p129389

    Bo
     
  13. guest

    guest Guest

    @bo elam
    Why are you on the defensive..? I'm not saying here Sbie is weak, I don't say I have a malware under hand right now that can bypass it. If I had, believe me, I wouldn't still be using Sbie right now. Don't misunderstand my words, thank you.

    I say hackers/pentesters won't waste their time and resources trying to bypass a soft that very few people use, whether it is totally weak or uber-strong. Not being bypassed (yet) doesn't mean it is impossible.

    Why was Edge bypassed? It is not because AppContainer is weak or not, it is because it is on every Windows 8/10, so it is an ideal target. AppContainer runs at a safer Integrity Level than any 3rd party sandboxes, but it was bypassed, so why couldn't a soft which is using a less "strong" IL also be bypassed? That is common logic...

    If Sbie was as popular as, let's say, Chrome or Edge, don't you think thousands of pen testers/hackers would find a way through?
    It happened once a long time ago, so why not in the future if someone skilled enough decides to do so?
    Chrome and Edge are always the targets in hacking contests because they are rock solid, popular and used by millions of people, so they are worth the challenge and time spent on them (not saying MS or Google give dozens of thousands of dollars as rewards).

    Also, we all know that sandboxes are a huge pain to bypass, so now malware-writers rather make the malware sandbox-aware, so the malware stays dormant when it detects it is in a sandbox, so the sandbox-user, believing the file is safe, will just recover it and let the malware run non-isolated, then get infected.
    That is why the use of another security soft (AV, HIPS, anti-exe, etc...) beside a sandbox is now most recommended. Using only a sandbox as security isn't a valid strategy anymore.

    Btw, the only thing that really annoys me with Sbie is that it needs to be updated every time a browser or other soft is updated... It is the only soft that users need to constantly update.
    But it is because of its core mechanism that works in a particular way, so no hope this will change soon.
    Luckily for me I use it only for one thing: Forced Folders, not much for application isolation. So I don't need to update it as other Sbie users do.

    I'm just explaining basic things, no drama here.
     
    Last edited by a moderator: Jul 27, 2017
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    A determined attacker who is willing to devote the time necessary and put forth the effort required will eventually find a way to bypass any security soft. That includes SBIE or any other security soft.

    SBIE has been bypassed. It's been openly discussed in the past on the SBIE forum. It is probable there are current undiscovered vulnerabilities and ones that are discovered which are quietly reported and fixed over time. Fixing vulnerabilities is an on-going process and not a one-time event.

    Bugs and conflicts are far more prevalent on an on-going basis than vulnerabilities. It just is what it is and applies to all security softs.

    Every security soft user, whether they know it or not, has probabilities working strongly in their favor.
     
    Last edited: Jul 27, 2017
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    guest, I am not on the defensive, I was just saying that the "few users use Sandboxie and that's why malware doesn't escape the sandbox" is an old story. I've been hearing it since I started using Sandboxie. Sandboxie was created in 2004, a long time ago. Till when, how much longer is it gonna take for unbelievers in the power of SBIE to finally say, it's pretty good software, it does what it's supposed to.
    That's why using Sandboxie for telling if a program is clean or not is the wrong way of using SBIE. Users should not use Sandboxie that way. Myself, I never stop using Sandboxie. When a file gets recovered, I continue running that file sandboxed. I do it until the file gets deleted. That's what allows me to go with nothing but Sandboxie. It's easy doing security like that; it's all done automatically with very little thinking being required. But yes, users using the free version or users who run files and programs unsandboxed should use something else and not depend on SBIE.
    I don't like frequent updates either, but I am not talking about Sandboxie's updates. I am talking about antivirus updates that take place 2 or 3 times a day, or having to reboot when the engine updates. That bothered me as much as running scans. Or updating Flash. That was painful: uninstalling, rebooting, reinstalling, deleting the task and disabling the update service. I used to go through a whole procedure, no more. For the last few years, I keep an installation of Flash in a sandbox and use that sandbox when I need Flash. And I use Flash every day. But most of the day, when I don't require Flash, I browse without Flash.

    There is some software that I don't update every time a new version comes out; I update portable Libre and portable Foxit and CCleaner 2 or 3 times a year. I don't spend much time updating software, sometimes I go a few weeks without updating anything.

    But updating Sandboxie, 2 maybe 3 times a month if you are using betas, is 10 seconds and you are done, no pain. You could just use the stable and only go beta if something breaks; handling SBIE that way you could go a couple of months without updating Sandboxie. You could update Sandboxie as I do with Libre. You don't have to update SBIE every time a beta comes out.

    I know you don't like the frequent updates in Sandboxie but I do, and I am going to tell you why. Changes from one beta to the next are little. If something breaks in one of my computers after updating from one version to the next, it's a lot easier to figure out the change in code that causes my problem than if I was a user who only updated when a new stable comes out or waited months before upgrading.

    Bo
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    True, every software has vulnerabilities and most get fixed in the background. But I don't know about any Sandboxie bypasses by "real world malware". Would you be so kind to show one example of a bypass by real malware that was discussed at the SBIE forum.

    Bo
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    FWIW, new beta 5.21.2 is working nicely in W7 32-bit and W10 64-bit version 1703. :)

    Bo
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Christ, I can't remember. It was back when Tzuk was active daily on the boards. It is probably archived by now.

    If I were a malc0der I sure as hell wouldn't target SBIE. I'd target all the realistically available out-of-date crap that half the world runs on a daily basis. Targeting softs is a numbers game. The more widely-used a targeted soft is, the greater the likelihood of success.

    In the case of SBIE I would target browsers - and that is it. And there is a tiny chance of success, but not without a ton of work. So, financially, just not worthwhile - even if there is a way to do it. You have to target millions and not thousands to make money. Unless you happen to be a jackass and like messing with people just because you can.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    I am just asking you for one, nothing more. By the way, Tzuk's posts are not archived. They're there, and are available.

    Here, all the way back to.....2004.
    https://forums.sandboxie.com/phpBB3/search.php?author_id=3&sr=posts

    Bo
     
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You always do this. You pose this "provide one malware sample." Ask Tzuk directly or search the old posts. We're talking years ago. And there is even a mention on the website somewhere about the frequency of reported security issues. Something to the effect "once every few months or so." Tzuk is the one who knows all the nitty-gritty details. Because a person does not provide you with a sample, you use that as the basis that "no one can provide a real world sample that bypassed SBIE." The production of a sample is not technical proof of anything as most security issues are discovered internally or get reported privately and are fixed quietly.

    I could care less about SBIE. I'm not here to prove it is crap or prove it is the best thing since sliced bread. Anybody that knows security softs knows that protection-wise SBIE is a solid product. I have no vested interest in it whatsoever.

    If you wish to research it, Bromium has a complete bypass of SBIE that was posted online a few years back. So it's ancient and should be fixed by now. In fact, it is a double-sandbox bypass. I'm not sure it's online anymore as I don't follow virtualization stuff much.

    When the SBIE architect, Tzuk, has admitted in the past that SBIE was bypassed or had security issues, that is pretty much the final word. He was always asking people to test and report security issue stuff so he could fix it. Security vulnerabilities are a part of any security soft's history. It comes with the territory and really isn't as big a deal as forum participants make it out to be. LOL.
     
    Last edited: Jul 27, 2017
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    So, as always, back to the same old assumption that Sandboxie doesn't get breached in real world situations because it's not worth doing for malware writers. I am going to tell you something: when you play a game it doesn't matter how you win, it only matters if you win or lose. And in the game of keeping computers clean, Sandboxie is always on top. I don't care how it does it or why it does it, I only care that when I turn off my PC, it's clean. That is it, that's what matters.

    Bo
     
  22. guest

    guest Guest

    I just pointed out the possibility that Sbie, like any other soft, is potentially bypassable, no more no less. (And it was to respond to the other member's statement.)
    Not being breached in years doesn't mean it is impossible to do. Just nobody tried, or if they succeeded, they didn't make it public.

    Your usage of Sandboxie is quite unique, but then how do you install software? What if an installer is packed with fileless malware? You have to run it unsandboxed to install it, right?
    As an example, in the past the official Linux Mint site was silently hacked and the original installer of the OS was replaced by an infected one; hundreds of people installed it without checking because it was from the official site.

    That is why I wonder why you don't use Windows Defender in Win10; it just updates once or twice a day without a reboot.
     
    Last edited by a moderator: Jul 27, 2017
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I didn't say SBIE doesn't get or hasn't gotten breached in real-world conditions. To say such a thing is an absolute falsehood.

    I am just stating malc0ders out for financial gain aren't going to waste their time targeting a product such as SBIE. They operate on the basis of targeting as many machines as possible to ensure success. And that means targeting unpatched editions of Windows and software such on systems and other malware distribution campaigns. The more machines you target, the greater the probability of infecting a machine.

    I get that you are SBIE's # 1 fan, but just about anybody with any common sense can see through your manipulative arguments and the use of portions of posts out of context for your own purposes. You spout nonsense on these forums about SBIE that is contrary to what the original software architect himself has openly stated in the past.

    I like certain softs too, but I don't go to bed with them.
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    App guard guy, I already said to you what I had to say. Goodbye.

    Bo
     
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Anyone who is determined to bypass SBIE can do it. Just find a vulnerability. They are there, it is just a matter of finding them.

    Invincea-X is built upon the SBIE foundation and uses its framework:

    http://blog.talosintelligence.com/2017/06/vulnerability-spotlight-dell-precision.html

    And this was my point about all security softs.

    So in the first post that I made, I was actually defending SBIE in a general way.

    Anyhow, it's all good. Typical day at Wilders.
     