MD's File and Folder rules an alternative to sandboxie?

Sandboxed programs that use system services will have those services taken over by Sandboxie, and if you have Internet Access limited to just those programs you specify, any other programs will be denied internet access.
http://www.sandboxie.com/index.php?ServicePrograms

 

So what you guys are saying is that it is not possible for anything that is running inside the sandbox to give instructions to a program outside of the sandbox whether it be a browser, system service or any other app to make outgoing connections??

 

You're missing the point though.Since the malware would have to be initiated via the brower it would be subject to the same policy restrictions of the browser therefore if Fifefox was blocked from accessing a particular folder then so would any malware brought into the sandbox by it.The malware doesn't limit itself to what it can do but the configuration of SBIE does limit it greatly.

 

That's correct as long as the sandbox is configured to only allow the browser network access. Also if you deny the browser permission to communicate with any other app. then even if it somehow partially bypasses SBIE it won't have any access rights to any of the blocked items anyway.An analogy would be if the sandbox was a jail cell and you are the prisoner,you find a loose brick and remove it allowing you to stick your arm out of the cell,you still remain imprisoned though.

 

Yes. That is true. Let's say that you have keylogger.exe on your system already. That exe may in fact signal out just on its own ------ but if for some reason a sandboxed program contacted your existing keylogger.exe, that would put the action in the sandbox. Then if you have Internet Access setup it could not contact out. Let's say you have virus.exe already on your real system and a sandboxed program issues the order "Destroy computer" -that will also happen in the sandbox.

 

Yeah it takes a lot of getting your head around to try and understand the full nature of Sandboxie but it does offer an amazing degree of security,Tzuk is something of a genius IMO.

 

I guess I have repeated myself many times. A malicious keylogger could attach itself to the web-browser as an add-on from a website with hidden script.

A buffer overflow exploit can use your web-browser to do harm your real system. If you allow your web-browser to communicate outside the sandbox, of course.

A HIPS app. will protect you from the above two threats.

 

The POCs again should that there is possibility that, in the near future, Sandboxie can be bypassed by "real malware" - as you people seem to put it out.

Malware, in my opinion, is anything that does harm to your OS, be it freezing your mouse or wiping your hard disk. The POCs did harm the system despite running under the supervision of Sandboxie. So, the conclusion is, Sandboxie was bypassed.

 

Just like any of your add-ons would. It will sit there innocently on the browser toolbar, and everything you type will be logged, gift-wrapped and delivered to the author of that marvelous add-on to puncture holes in your bank account.

 

Why is there even a need to "fix". The malware was not supposed to freeze your system forever. It was supposed to freeze until restart. It was ABLE to freeze until restart. Hence, bypassed.

The way it should be view is, "Sandboxie was bypassed by the POC, but since it is fixed by a simple restart and I can live with it. It is a BYPASS I AM NOT WORRIED ABOUT."

Are you saying that if a virus, from within a sandbox, managed to corrupt your system files, disappeared right after a reboot, it wouldn't be a bypass?

What exactly is the criteria for bypassing a security app.?

 

I don't know much either, but it is like a drive-by-download. It is a matter of visiting a website that drop malware onto your system without the user having to click anything. Sorry, I cannot give a technical explanation. It is beyond what I can comprehend.

 

Any HIPS will prevent BOs exploits. Even the simple anti-executable cannot be penetrated by BO attacks.

COMODO's BO protection is just another layer, which again is not 100%.

 

Sorry, got it wrong. I think an anti-executable will protect only if the the BO makes the web-browser spawn a new executable. If the web-browser is itself made to do the damage, then a HIPS will have to come in.

I was wrong about Sandboxie too. It will prevent a BO, the same way a HIPS would. But not the way you think - default-deny. I also take back what I said about Sandboxie failing against script based add-on-keyloggers. There is way you can configure Sandboxie to prevent it (I discovered the method after a bit of experimentation with CIS).

But I stand by my opinion that the POCs did bypass Sandboxie.

 

I did state earlier that it will be bypass only if the POCs require to communicate outside the Sandbox, and are able to do so.

During your test, if the malware (which did wierd stuff to the desktop) did what it did without breaking the Sandbox, then it is not a bypass. Very difficult believe though, that what is happening inside the sandbox could affect the real system. Now, that is a worry in itself!

ssj100, for Firefox, just deny it permissions to write to it's profile folder. It is usually "C:\Documents and Settings\%User Profile%\Application Data\Mozilla\".

 

@peter

good you have the petition to reply 100 times for all the stupid reply about sandboixe , the bad part, ppl dont ask they just write a bad / mislead statement , making other / new users get bad /wrong impression in this case SB

cheers

 

Yep, and there is your 100%. Usability will certainly get a hit if you enforce the restriction through Sandboxie. Rather do it with CIS and configure it to "ask" everytime Mozilla tries to write to it. Block all the alerts, except when it is you doing the installations or updates.

The thing is all that configuration is unnecessary and redundant, since Firefox will do a perfect job of altering the user everytime any such installations occur.

 

you do have a good point here.

Kinda like my File rules. I forgot about the CIS file rules.

 

As a huge proponent of both SB and MD, they satisfy the needs of those who either want to twak to their heart's content in order to achieve near bullet proof security (MD) or those who want a virtually bullet proof setup without having to answer alerts (SB)

This latter scenario was the obvious choice for my kid's old pc, so SandBoxie paid is the only security app on it - no AV, HIPS, firewall (except XP's built-in) or anti-spyware. The machine runs light and whatever trouble they might get themselves into will all be flushed down the cyberspace drain when they close SB, as I've got it set up to force internet facing apps to run in it, as well as other tweaks bred from ideas I gleaned from these forums.

I have utmost confidence in it to secure the machine without the need for other security measures that will only grind this poor dog of a machine to a snail's pace cadence

 

DW is a very good app.

 

Franklin,

Please keep it easy keep it sandboxy (as I mentioned in my posy NR54 https://www.wilderssecurity.com/showpost.php?p=1474058&postcount=54).

It becomes very fuzzy when you start to praise DW. I would understand when you should have said something like: the second best security program in the world (off course SBIE is the best) is also very good.

 

seen how you will now be cleaning out your sandbox more often to avoid keyloggers, this would now mean that you would have to run your browser outside of the sandbox to do weekly updates