Sandboxie With SRP & LUA....?

Hi Guys,

I am using Windows 7 Ultimate With Limited User Account. I have also NIS 2010 and Sandboxie. Yesterday i implemented SRP in my Windows 7 Ultimate using instruction form "Here" and found that my Sandboxie 3.42 does not worked with it. Is Sandboxie incompatible with SRP? Even it did not worked with Administrator Privilege.

Is Sandboxie Incompatible with SRP?

Can anybody help me to Maximise Windows 7 Ultimate security with LUA and SRP...

Please do note that i am bit paranoid person and using SRP first time, but i am comfortable with registry modifications. I specially request Tlu, Lucy and bigc73542 to help me in this.

 

I am not one of the ones you asked for but I think I can point you in the right direction. The guys at Sandboxie previously found some incompatibility with Win 7+SRP + Sandboxie and they have yet to figure it out as far as I know. But as a workaround they have all started using Applocker. I don't know if they have fixed the actual problem yet or not but here is a link to their discussion.
http://sandboxie.com/phpbb/viewtopic.php?t=6401&start=15

 

Thanks Brother.....I am not asking their helps only but asking of everyone. I only specially request them to help me also....

 

No problem glad I could help. There were a couple of people who posted that the newest version had fixed the incompatibility problems. I do not use SRP or sandboxie anymore.

 

I have no idea if Sandboxie is compatible with SRP but I would ask why you even need it with LUA, SRP and Norton Internet Security. With LUA & SRP I only have on-demand AV to check files I download and do a quick scan every two weeks or so.

To be honest I would forget about it and save yourself a couple of more kernel hooks to collide with the ones from Norton. With LUA & SRP you have made the most sensible first step. With that alone you probably have 99% covered and you also have NIS.

 

Hi Brother,

I do agree with you that having SRP and LUA i am 99% covered, but i don't want to keep any hole or leak which is not covered under SRP and LUA. That's why i want to keep NIS in Real Time Protection Mode...

 

Then I would keep it if I were you! I was wondering why you would even need Sandboxie, not NIS. NIS has all kinds of modules like behavior blockers and the like so you are more than covered combined with LUA & SRP. If Sandboxie isn't working right then getting rid of it will save you a few headaches and some system resources.

 

Sandboxie will help me to use keygens to generate keys, as well as to test unknown software's without changing any system settings. I can also protect my browser through sandboxie.

 

Quick question:
Why are you not using AppLocker if you have Windows 7 Ultimate?

 

Hi Brother,

I heard about AppLocker but till date i have not able to find good details about it. I mean i want to know "How can i configure it"? I found SRP details everywhere and able to configure it, but in case of AppLocker i am not able to configure it as of less info on it. If you have good demo details on it please help me.

 

http://4sysops.com/archives/review-windows-7-applocker-part-1-overview/

https://www.wilderssecurity.com/showthread.php?p=1599794

http://edge.technet.com/Media/Using-AppLocker-in-Win7/

Heres a couple of links you can check out if you are interested in Applocker. These are mostly information but their is enough configurations tips to get you started and if you read the articles you will well versed in AppLocker. Google brought up a lot more good results also if you are interested.

 

Hi Bro,

Thanks for your help. Even i googled about AppLocker, and found the above mentioned websites by you except the Wildersecurity Post. I am trying my hard to get into it, but due to some reasons i am not able to concentrate on this...Trying very hard to understand fundamental things of AppLocker

What i found is that SRP is far more easy then AppLocker...But due to Sandboxie incompatibility problem on Windows 7 with SRP, i m trying to implement AppLocker based policies. Hope i will understand its basics...

 

If you follow link given by dcrowe0050, you can understand it easily.
They are explained very good and AppLocker itself isn't that complicated as it seems at first look.

And if you follow the link to the thread in the forum https://www.wilderssecurity.com/showthread.php?p=1599794
You can find a lot of usefull information aswell. (btw the thread was started by me )
And read carefully chronomatic's post in the thread. It is ver easy and well explained tutorial.
Also consider wat0114's post about troubleshooting, it explains how to use AppLocker's Audit mode.


If you have more questions post back.

 

AvinashR, you may find this article helpful: AppLocker: IT’s First Security Panacea?

 

Hi Bro Jav,

Thank You for your response bro. But after reading the whole article, what i feel is that AppLocker should be configured after the fresh installation of Windows 7. And we need to configure each and everything separately, but in case of SRP we can add as many file extensions as we want. This will not only ease our task but also save our time for configuration.

Still i am trying to find out a well illustrative article on this topic, as i already go through all these websites even MSDN too.

Till date i feel SRP is easy to configure then AppLocker. Please tell me your views too...

 

Hi Bro,

Thanks for your valuable help. But still i am not very much convinced with AppLocker...

 

Hi,
Yes, in a way it's recommended to put AppLocker after fresh install, but it is the same recommendations to the SRP. (note: it is recommended but not must to do)
About configuring each and everything, no you don't need to do it. It has the similar configurations to SRP. I know why you got this image because most of those articles tell about publisher rules (as it's new).
But AppLocker still has old traditional path rules aswell.
When you create default rules, it will allow everybody to execute from Program files, Windows folders and allow execute to Administrator everywhere.
So it is automatically almost ready.
You had to configure only those programs which aren't installed on Program files but on the user folder or somewhere else. (it is the same with SRP)

So, in my opinion from ease of use SRP and AppLocker are the same.

How you configured your SRP now, We will try to help you to convert it into AppLocker.

 

Hi Bro,

Thanks for your reply and help. I have a doubt, i guess that the default installation folder for every application is C:\Program Files so how can i configure it for others? And you said that in a default configuration of AppLocker everyone (Every User) is allowed and execute any file in the system..Say if Novice User execute a Virus.exe from my D drive then there is a nice chance for Virus.exe to infect my system, whereas if i configure my SRP then it will not execute as it will get blocked due to policy...

Waiting for you inputs bro.

And also please find the attached SRP Policy, please note that right now i am not using it because of incompatibility problem with Sandboxie 3.42 in Windows 7 Ultimate.

 

Hi Bro,

Today i did some google on AppLocker and found that AppLocker can only be used to manage four different types of files: executable (.exe), Windows Installer (.msi and .msp), script (.bat, .cmd, .js, .ps1, and .vbs), and DLL (.dll and .ocx). But in SRP based policy we can manage other different type of files like .pif etc. I have also found that .pif extensions can also be used for malicious activities and through AppLocker we cannot block it.
Looking for your response....

 

Hi,
Sorry, it was probably my fault.
Let me rephrase my sentence.
By default Everyone (every user) is allowed to execute from Program Files and system folder (I mean folder named "Windows") and denied to execute from all other locations.
It means your novice user can't execute virus.exe from D: drive as it is denied by policy.
He can only execute from those 2 (Program Files and Windows folder) in which he has no write access.
So, he is allowed to execute files which are already on your system and allowed by you.
Hope you understand what I meant this time.

For programs which are located outside of these two folders, you can create additional rules. As described here: https://www.wilderssecurity.com/showpost.php?p=1598079&postcount=2
If Program has Digital signature use Publisher rules.
Otherwise use Path or Hash rules.

:\
I am not sure about this one...

 

Hi Jav Bro,

Thanks for your "Late" reply , but i am happy that you did. Now again a question arises..Yo said that " By default Everyone (every user) is allowed to execute from Program Files and system folder (I mean folder named "Windows") and denied to execute from all other locations. It means your novice user can't execute virus.exe from D: drive as it is denied by policy.

But i guess this was not possible....i am not sure about this, but what i guess is that i have to configure a rule for my D: and E: drive, so that a novice user (Sisters) cannot able to execute and run any malicious executable file...

 

Sorry for Late response.
We seem to have different time zones and I was busy with my studies.

What do you mean by not possible?
IF you right click executable rules and click create default rules.
It will create default rules which is based on white-listing. Which means nothing except those allowed files can be executed, so it will allow only Windows and Program Files folder and nothing else. (even CD-ROM or USB)

But Administrator will retain his right to execute from anywhere.
If it wasn't answer, please clarify your answer.

 

While I am not up to snuff yet on win7, I can add to this.

The rights and permissions that are set when you install windows are 'predetermined'. As you state, Windir and ProgamFiles get a 'generic read/execute' for every group, but only Admins and System get create/write/modify/delete.

When a user is created, the user becomes the 'owner' of thier profile directories, and it is predetermined what that includes.

Normally, most everything else for a 'User' is only read/execute. However, there are no restrictions to other drives or custom directories that I have ever seen. That is, D: , E: , F: etc etc are not 'known' by the windows install, and thus not normally restricted. To protect a drive like E: , you would have to set permissions yourself.

This is why many like to use LUA and SRP, because with SRP you can create a default deny policy, so that anything NOT in SRP's list is just denied. You then open specific holes to allow for execution or you just use the default Windir and ProgramFiles.

I would be curious to know of it is a LUA issue or an SRP issue. Try logging into the admin account and using SBIE. My hunch is that it is the LUA that is effecting SBIE.

Sul.

 

its an srp issue and was fixed in latest beta..will be gone when the sbie beta goes live
http://www.sandboxie.com/phpbb/viewtopic.php?t=6401&start=15

 

Hi Sul,

Its SRP which is creating an issue with SBIE. In Windows 7, if we apply SRP neither LUA nor Admin can use SBIE. I guess there is some problem with SBIE thats why users are also complaining about SBIE issue in Sandboxie forum.