To all Sandboxie fans, please explain

Dear SBIE-fans:

I have 1 reason for Sandboxie NOT qualifying as product of the year

SBIE seems simple and safe as long as you flush the toilet after each browsing session (delete the Sandbox).

What when you want to keep a file. Then you move the **** out of the toilet and you are unprotected.

So every time you save file you have to make the same risk decision as for installing a program. Remember that some files contain embedded code in it (for instance media files, OLE in normal docs or PDF and XML files). While data is shared much more commenly than code. You call that effective and simple?

Please explain this to me because I really do not understand, when there are better alternatives

- complete try out security: virtualise hardware (not only file system but OS and all in it). Hardware virtualisation is a lot more simple in its architecture, because you create a clean cut interface from the host environment. While in SBIE only the file system is virtualised, making it a complex mixed situation. The developer of SBIE has to known an awfull lot of the OS to deal with this complex (half) interface of only virtualising the file system. In this context I honore Ronen of SBIE as one of the best software developers around.


- easy protection: use a policy sandbox, it remembers the untrusted state of files, no matter where they are. Files can remain untrusted for ever, since they should not need to be installed. Using a policy sandbox/HIPS you never have to make such a decision for files, ergo reducing the human error chance dramatically

Help I just do not grasp it?

made a different thread, don't want to hijack another nice thread https://www.wilderssecurity.com/showpost.php?p=1378111&postcount=95

 

First, it is like Greenborder and others that allow you to surf the net, then clean the contents out. Programs like Shadow Defender and Returnil clean everything out, not just your web browsing. The other thing is, its protection is better then most, at protecting you to.

Your scenario of letting things out, is that any differnet then SD or Returnil giving you the option to save files after a session. There could easily be a nasty on something you are saving.

Defensewall,Geswall, great apps but never truely let you add anything to your PC. So Sandboxie is simple, safe and will keep you secure. If you do let something out, that is why you have another layer.

 

You are not answering the basic question of any file virtuaisation application

A) letting files out of the sandbox ==> policy Sandbox/HIPS provide more protection
B) testing software ==> HW virtualisation provide more protection

So you need another layer, like Spyberus (for installs) or GeSWall (for data).

 

Quick reply for my personal taste of SB:

- I see Sandboxie only as a browser guard (avoid exploits from the internet). It's also good for testing simple .exe before really running them. And most of all it's VERY LIGHT and requires zero interaction from me other than launching the browser.

- Total system virtualization (Returnil & Co): sometimes i am getting bored tryin to figure out what i have to exclude in order to keep changes on the real file system. I also sometimes forget to "commit changes" before reboot. I have also tried Shadow Defender. It has a problem that it can't keep Twister's updates after reboot, no matter if i put in exclusion all folders. As a matter of fact, after reboot, Twister gets disabled (!) and has to be reinstalled. I have also noticed that after some time, when a lot of data has been used, there is a little of system lag.

- Policy sandbox. I have Defensewall. I don't use it currently, because it is too CPU intensive for my taste and because emule spams the log with entries. I like clean logs from apps that shouldn't do anything out of the ordinary. But mainly it's the CPU issue. If Defensewall was having the cpu usage of Sandboxie , i most certainly would run Defensewall. But for instance put Outpost and Defensewall on the same setup and launch emule and browse and every few seconds 12-15% of my CPU (x2 3800+) will go just for those too. Which is something i can't stand. There are already situations with multitasking and HD video that my CPU hits 100%, i don't need 2 background apps eating 15% of my CPU. Also theoretically i still have a concern about what if i execute malware and DW fails/crashes. DW doesn't flush the malware. It's an acceptable risk, but makes me want to complement DW with something else, increasing even more CPU usage.

- Classical HIPS: They can get annoying in the long run with the pop ups, but they do give a peace of mind in that there can be no "leak" unless you allow something to execute.

- Behaviour blockers: I like Mamutu but has online activation. I trust Threatfire even more, but i wish it has the resource usage of Mamutu. I use it from time to time though, when i get into the "enough with the pop ups" mood. And Sandboxie allows me to run something "middleweight" like TF without upseting me too much for the CPU TF is eating, because SB is so light that TF becomes acceptable. For example, having DW, Outpost and TF, (with emule running) would be a CPU mightmare for me.

So, for me, it's not all about who is more secure. So now, i have Sandboxie as browser guard and Comodo will take care of the rest.

Sandboxie isn't the "total" solution. But it's a very effective part of the solution and at virtually zero cost in system resources. I also don't care if from time to time my setup isn't bulletproof. I rarely install software i don't know, my main attack surface is the internet.

In conclusion, my main concern is "good security at low system impact" (and mainly CPU that is). In this strategy, Sandboxie allows many possible setups, because it uses almost no system resources. So i can even accept to run something "heavier" alongside it. While if you have something already "heavy" and you want to add something also "heavy" , it becomes "too heavy".

(Yes, i know, i am paranoid about system resources. But since the chance that i get infected is very slim anyway, why waste my CPU cycles on security applications and not in the video encoding or HD movie/ dvd burning/p2p?).

 

Kees, this is "one average man's opinion".

1) For general browsing, just visiting sites, looking, searching (no downloading), the thought of nothing busting out of the sandbox is quite simply, awesome.

2) And the fact that it uses minimal resources, and has no slowdown, makes me one happy dude.

3) And using half of my brain, I like how I can install software I know is trustworthy, for example, professional software, software for professionals (such as web/photo development software) without having a million alerts thrown up at me, without the install going wrong and my computer crapping itself. The install goes cleanly, and I don't see no BSOD.

4) I like the fact that it's free. And installed with other great free programs such as Avast, Avira, Comodo, makes the chance of restoring a 'dangerous' file very very slim.

5) I like the fact it is by large part, compatible with any other program alongside it, for example, prevx edge, avast, avira, comodo, DefenseWall, Dr.Web. You only have to glance at the sandboxie forums to see that posts such as, 'sandboxie screwed up my comp', are as rare as hen's teeth. Other software/programs can't say the same thing. Yes it may have some bugs, yes it may have some slight conflicts, but nothing to bring down a system!

6) I like the fact that the free version just sits idle in the system tray, and if I decide never to use it, then I don't have to. Annoyance factor = 0.

7) I like that the developer listens to his users. When he sees people ask for specific features, he implements them (border feature is an example, I was previously using an extra add-on a sandboxie forum user implemented).

8 ) I like the fact that I can run almost any program sandboxed, I mean, it's so simple to use, right-click, and away you go. Watch an avi file sandboxed, open some files off a USB sandboxed etc etc. And afterwards, programs like CCleaner don't find a thing. No temporary program files, nothing!

9) trjam and Fuzzfas said everything I tried to say in fewer words!

 

A) If you simply run whatever file you removed from the sandbox inside another sandbox. Then you'd have the same protection as with a policy sandbox would you?
B) I agree with what you're saying there. HW virtualisatopn is a much better alternative for testing software.

 

You're onto something there Tu5. And I forgot I actually do that.

Once you recover a file, you run it sandboxed, to see where/how it tries to run/install.

 

As far as I understand it you can ask your virus scanner or Malware software to scan whilst the files are still safe in the sandbox, if anything reads as as a virus etc, you can just delete that sandbox.

 

Very true!

In deed! I also use it "on demand". If i want Opera sandboxed, i use the desktop shortcut. If i want it to run normal, i launch opera from Rocket Dock. I can even use one sandboxed instance and one normal at the same time. (for instance emule and torrent links must not be clicked from sandboxed browser, because they open a "ghost" sandboxed emule and torrent). This is a versatility given in a very direct way that even policy sandboxes don't give.

Exactly. DW for example, needs special "presets" for some apps. If the app changes, you need to contact support to make it fully functional with that app and sometimes this requires to be given a new file/driver from support. Now, this in time can grow tiresome. With Sandboxie you just click and run and you are sure it will run.

Fewer words? Trjam, yes. Me? Never!

 

So the majority of you use SBIE for which I use

Browser hardening
A) Windows running limited user +SRP with Malware Defender having a deny all policy of internet facing programs, allowing them to write only to a limited set of registry keys, file locations

Installation fall back scenario
For freeware
B) Spyberus on the admin account with Malware defender logging (in Learning mode) all start up locations, file creations and registry access and all possible windows suspicious activities

For payware
C) only Malware Defender on the admin account

Thanks

Kees

 

I agree with these 3 points. So, one of my favourite security combo is: a classical HIPS + Mamutu + Returnil ( not worrying for me remember which changes I want keep )

 

Wow, that's probably as bulletproof as it can get. I can't imagine how you could infect your PC, even if you wanted to.

Myself, when i run Returnil, i don't run classical HIPS, because i consider it too much. Having to remember to commit changes is already enough. Adding the pop ups of a classical hips, i wouldn't do it. Also classical HIPS do slow down a bit the system. So i use Returnil in the "lightweight" setup series. That is :

"simple firewall" (PC Tools w/o enhanced security/Kerio 2/Ashampoo free/ Rising free etc) + Twister + Threatfire + Returnil.

That's a pretty light setup. I only wish Returnil could come up with an option "autosave excluded folders on reboot/shutdown".

 

Hi

I suppose the answer to kees question "Why Sandboxie" as opposed to a policy sandbox such as Geswall boils down to the following.

1) SBoxie's concept is very simple and very understandable. At the end the end of your browsing you dump the baddies.

2) Policy Sandbox takes a little more to grasp and I suspect people don't like haveing potentially bad files tagged but still on their system.

3) Even in a policy sandbox (Geswall) I believe that protection afforded by tagged files can be disabled.

4) SBoxie is under constant development/rectification. It is sometimes difficult to keep up with them. Whereas I have seen a number of criticisms and doubts about Gewalls development.

5) Geswall has been caught out on occasions by "nasties" slipping through the net. They are however rectified just as they are with Sandboxie. The former appears to take longer to resolve issues.

6) Sandboxies author is either one smart marketer or there are a lot of very competent and confident people out there who have confidence in it.

7) I don't think Geswalls configuration is as easy as Sandboxies. The latter has got easier over the last couple of years with the GUI changes

I think what is overhyped about Sandboxie is its ability to test software before installation. In my experience this is severely limited if the test software needs to reboot for full installation.. ie cannot be done. Even where it doesn't require reboot much software won't install under sandboxie

Terry

 

You are truly the lord of analogies Kees...

Criteria for what distinguish a high quality application:

-amount of run-time errors (low)
-its integrating level with the OS (low)
-performance (high)
-achieving its problem-solving purpose as designed (high)

Considering the above criteria I would indeed qualify Sboxie as one of the top products. The "problem" of not containing the datafiles (pdf, jpg, doc etc) ones it leaves the sandbox is a no-brainer since, as Tu5 mentioned, you could simply sandbox the file in question. Personally I've sandboxed the applications that I'm using to run these files (Media Player Classic, Image Viewer, foobar2000, PDF-XChange Viewer etc).

/C.

 

Whether you delete or don't delete the contents are still under Sandboxie's control.

Do you really have to use such vulgarities when referring to the best security product ever conceived.

If ya don't like it then piss off !

 

You raise a good point there Franklin. When users don't delete the sandbox (although I set it to delete on closing down all sandboxed applications) everything is still contained.

Slightly off-topic, but for a minimal setup, a user could basically run sandboxie, and something like the new a-squared free, which is on-demand, but now has right-click scanning. After recovering a file, a user could run the file sandboxed again, take a look at what the file does, then right-click and scan with a-squared free.

Total resource use, 3000K (sandboxie) + 3000K (a-squared free) = 6000K in total?

 

Sandboxie was introduced more than 2 years back y is it that it is just qualifying now.

 

Also, I don't think Kees is 'dissing' the program, I think he's just asking why so many users are enthusiastic about it. Kees, join us!

 

raaki, it's just hypothetical, what we think would earn the 'product of the year'. Just for fun.

**Edit - have to add one more feature which I like. Being able to right-click on the sandboxie icon and 'terminate all programs'. Useful when a page stalls or 'jams up', or you've had enough of browsing, or don't feel like waiting for the browser 'clear the history/cache' or a program to shutdown. 'Terminate all programs' shuts down several programs and clears the contents instantly.

 

http://www.grc.com/sn/sn-172.htm

Acadia

 

Sandboxie isn't a real security-program it's a place to test and explore "****" on safe ground without the risk of throwing the "****" around your system.

So if you take the **** out of the toilet.. it's your responsibility if you don't have appropriate security outside the sandbox.

For complete virtualization you have Returnil or Shadow Defender.

I don't prefer complete virtualization though =/

 

then sandboxie is for geeks only and not average joe where DefenseWall is very simple and design for mama and papa and still remain strong and also can empty the toilet too (roll back feature)
regular people dont right click and run sandbox they just double click then with sandboxie need a scaner just in case

 

I use Sanboxie along with my ISR software (i.e. EAZ-FIX or AyRecovery).

I prefer Sanboxie over GeSWall -Free- :
GeSWall -Free- made my Internet Browsing slow.
I tried the latest release with IE 8 Beta, Opera, and FF,
but the same problems existed.


Sanboxie does NOT -Slow Down- my Internet Browsers.

Sanboxie is lighter on Resources.

I prefer the Configuration of Sanboxie than the one of GeSWall -Free-.

Another thing I don't like in GeSWall -Free- is the pop-up windows
to try the -Professional Edition-.

However, I don't solely rely my security on any Sandbox.

ISR (i.e. EAZ-FIX or AyRecovery) is
the most important layer of my security setup.

 

Well it depends if you just set up a special download folder for files you save as you can still be safe for "webbased threats", downloading files are a risk though !

 

Thanks for this. Really good interview. Ronen's answers were straight to the point.

Jmonge, without comparing products, sandboxie does by default provide an icon on the desktop for the default browser to run sandboxed. I see no reason a user would delete this icon, so if they intended to download the product, they'd continue to use the program and click on the desktop icon.

Also, many regular users, it's fact, ask more informed users to set their systems up. Each of us are probably helping several people or more with setting up their programs. It takes me one minute to show someone how to use sandboxie properly, eg. 'all you do is click on the default icon, or right-click and select run sandboxed'. Those that download sandboxie but don't stop to read for 10 seconds about how it works, that's their own fault, not sandboxie's.

Sandboxie is looking to complement another security product, not be the be all and end all. Most viruses and problems occur through the browser. That's what sandboxie aims to take care of, the web browser, although, more experienced users know it can be applied to any program, or opening of any file.

And hopefully we don't forget the most important point, currently, it's free.