Sandboxie/ UAC / DropRights / A/V...Question

Discussion in 'sandboxing & virtualization' started by Bills_Last_Stand, May 2, 2011.

Thread Status:
Not open for further replies.
  1. Bills_Last_Stand

    Bills_Last_Stand Registered Member

    Joined:
    May 2, 2011
    Posts:
    9
    Location:
    Washington State
    I have been using S/B for a few years, but I have always wondered how the pieces fit together. I run Avast scanning Web Pages. I have UAC on [in my Vista 64 bit]. And I have S/B 3.54 {with DropRights}. So...is the Avast a waste of time? Does UAC take care of 'problems' that came down the coax, to my OPERA browser? Or is DropRights the cure BEFORE UAC even sees a problem?

    I'm for caution, but it would help if I could understand the way these things work together {or maybe, don't?}

    Glad to be able to use this Forum...

    Bill
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Lot of things going on here.

    First, let's look at UAC. It is a mechanism (regardless of the argument as to why it was created) that allows you to "conveniently" elevate processes to an Admin's level of rights. So you go throughout the day as a limited user, and when certain things need to happen that require Admin rights, UAC prompts you. Other things depend on UAC, such as IE's protected mode, but suffice to say that without Sandboxie and an AV, UAC has the job of alerting you that SOMETHING needs Admin level privileges. It is the last practical defense you have before something you don't want to execute does.

    On to AntiVirus. Its job is prior to UAC IMHO. It sits and watches (resident modes) things that are read or written, examining for known signatures of mischief. Providing the scanner is capable of sniffing out a problem, it will quarantine/delete/alert you as you save or read or "touch" a file it thinks is "no good". This should happen before the file executes if the AV is capable.

    Now, Sandboxie is a bit different. With Sandboxie, you are going to segregate something (browsers ?) from the real system. What happens inside the sandbox then (typically) should keep it there, even if something nasty goes on. The danger with Sandboxie lies in that if you get something installed inside the sandbox, like a keylogger, it can and will operate as normal. If you don't delete your sandbox, but use it everyday for a long time, the keylogger could be doing its thing. True, it cannot escape to the real system, but it makes precious little difference if you go to your bank and do a transaction within the sandbox WHILE the keylogger also lives in the sandbox. Granted, this is "generic" as there are ways to avoid this, I am just saying is all... ;)

    Now, DropRights in Sandboxie is one method you have to fight things within the sandbox. What it does is simple, it treats what happens within the sandbox the same way as out of the sandbox. If your account has no rights to install a program in your real system (without UAC approval), you are a restricted user. DropRights does this very thing within the sandbox, making sure you are restricted in the sandbox in the same way. I don't use UAC that often (only when testing), so I don't know exactly how UAC and DropRights interact, but I know they do somehow.

    So your question now then is should you still use an AV? Or DropRights? My answer (and this is only one geek's opinion) is that you should continue to use both. At some point you are going to execute something you downloaded within the sandbox outside of the sandbox. If the AV did not catch it within the sandbox, you hope it catches it outside of the sandbox before you execute it. That is all you hope for with an AV. All its other functions, email or IM or webpage, that is all extra to what its real purpose is supposed to be. If it shows you bad web pages or stops IM spam but cannot detect a virus, I am sure there are much better programs available to do that other stuff.

    DropRights might be restrictive to you, only you can say. But unless you want to tweak Sandboxie (I do) it is a pretty easy method to stop a lot of things that might happen WITHIN the sandbox, but it does nothing outside the sandbox.

    This leaves you in the same situation most people are in who use Sandboxie. You are well protected within the sandbox, but what exactly do you do with that file you downloaded that you want to run on the real system? Is AV the best answer? Is it a VM to test it in? How do you know in a VM even that everything is OK? lol, you don't unless you know what you are doing. You could use a HIPS type program that will tell you everything that new file is trying to do when you execute it. You could submit it to an online scanning engine. You could do lots of things, but probably the easiest approach is just to use an AV and hope it detects any funny business.

    Once you execute that file you downloaded with Sandboxie in the real system, and you say OK or YES to UAC when it pops up, you will soon find out if your AV worked or not. It is wise to have a rollback mechanism then, whether you use DeepFreeze/ShadowDefender type tools or you use some sort of imaging.

    Sul.
     
  3. Bills_Last_Stand

    Bills_Last_Stand Registered Member

    Joined:
    May 2, 2011
    Posts:
    9
    Location:
    Washington State
    *THANK YOU*... That's The Best of this stuff I have been able to get anybody to talk about! On my Bride's computer [32 bit] S/B has kept her in great shape, with that clutch of Loose-Gear she has for girl friends. I only keep Avast on that computer for occasional C:drive scans. I cautioned her to run her Pals' attachments IN the sandbox, but I'm betting she lets one 'out' once in a while. In this 64 bitter[my] computer I have just run OPERA with Javascript off, and Avast scanning Web Page files [not the whole computer as files are used] and that has been fine. Then I found Tzur had brought out 64 bit S/B. That's when the Drop Rights surfaced, for me. I'm pretty conservative; I *did* take a run around The Dark Side when I first put S/B in the 32 bitter...leaving the 'Box un-emptied, to see if I could catch anything. Raunchy as could be [I think], and not a THING in that 'box! I normally run with 'delete contents'.

    Thanks again for taking the time... I appreciate it...

    B
     
    Last edited: May 2, 2011
  4. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
    I would also like to say thank you to Sully for his very useful and comprehensible explanations of a quite difficult issue. :thumb:
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Great post, Sul.
    Every time I read a post wherein someone like yourself, who knows how to really use Sandboxie, is digging into detail, I get all enthused about what a terrific program it is.

    I wanted to toss RunSafer into the mix, along with DropRights and UAC.
    Running as Admin, I am encouraged to know that not only do I have SBIE and DropRights on my side, but if one of my net-facing apps opens outside of the sandbox, I have OA's RunSafer in place. Sure, it is one more layer for me to take down if I want elevated privileges, but I definitely like the luxury of knowing the layer is in place. :thumb:
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Would RunSafer feature of Online Armor be of any good when you already got Sandboxie? (I don't know what this RunSafer thing aims to do... ;))

    I would personally add SRP (Software Restriction Policies) into the mix, instead. If you got Windows XP Pro, then you can achieve it using Group Policy Editor. Otherwise, Sully has a great tool to substitute it named Pretty Good Security.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Hi m00nbl00d
    Here is a good description of what RunSafer does.
    And as I said, it's there for me as another layer, if something isn't sandboxed.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :thumb:
     
  9. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Sully's posts are always informative :thumb: After reading his posts, especially configuration ideas, I am a permanent Sandboxie user :D
     
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    Have ONLY the browsers/other programs you know are safe and sandbox allowed to have internet access. That way, if a keylogger does get in, it can't send anything back out. It writes and writes but can't do jack diddly squat. Or you can have only browsers/other programs have BOTH ONLY internet/running privileges which crashes the keylogger totally since it can't run OR phone home.
     
  11. Bills_Last_Stand

    Bills_Last_Stand Registered Member

    Joined:
    May 2, 2011
    Posts:
    9
    Location:
    Washington State
    I 'think' I avoid any potential key logger 'ware by keeping all my passwords in a TrueCrypt volume, mount the volume, then only copy and paste 'em where needed. Nothing 'password' is ever 'typed'...

    Oh, yeah.... and if Sandboxie is set to Drop Rights, how COULD a Key-Logger executable malware even run o_O??

    Bill
     
    Last edited: May 3, 2011
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Encrypting your passwords may be good, maybe not. If your encryption stores the password, then when you need to input your password it is automated, perhaps this is secure.. don't know explicitly.

    If you are copy/pasting your password, that is OK, but still can be detected (there is a downloadable test for this, can't remember the name).

    If you are typing a password, even if you are storing it in an encrypted state, you still have to worry about it being stolen. IMO the biggest threat we have is identity theft or account theft. Everything else is an inconvenience to one degree or another. Backing up important data is the responsibility of the user.

    Now then, DropRights. You must understand what rights are first. Users have rights to read and execute any file in any directory usually. Users have rights to modify/create/delete only in their %userprofile% directories (my documents etc). There are no restrictions on a user saving a keylogger to their profile. There are no restrictions to a user then executing that keylogger. If the user does not know it happened, it makes no difference. Obviously Administrators can do anything they like ;)

    One must see then, that when your OS is installed, there are rights assigned to every file/folder created. These things the OS knows about and creates rights for. Some things have rights that are to be inherited to future objects when they are created. Some do not.

    The sandbox directory (ie. c:\sandbox) was not known about at OS installation. So it has no restrictions normally to a user. This is half the issue (sort of). To fully understand it, you must realize that within the sandbox, directories will be made to "mirror" the real world directories. Your sandbox will likely have a "program files" directory. This directory does not have the same restrictions within the sandbox that it would in the real OS. In order to make the sandbox environment more like the real environment, you use DropRights. It strips the token within the sandbox, so that the "program files" directory within the sandbox will be off limits just like it would in the real OS.

    Now that you understand that, how does DropRights stop a keylogger from being downloaded? If the keylogger is saved to MyDocs, that is allowed. If it executes, that is also allowed. In fact, nothing keeps your %userprofile% free from unwanted "issues".

    This is why (as noted by Cheater87) many people make some strict rules for the sandbox. They only allow the browser to run. They only allow the browser to have network access. All other processes are denied. One would need to think ahead a little when doing this. If you use Sumatra or Foxit for .pdf reading, you might want to make sure those are also allowed to run. If you use Adobe you might want to allow that. This is where Sandboxie shines IMHO, the customization which can take it from a really good way to contain your programs, to a really great way to not only contain but also "harden" and otherwise make things more secure.

    Sul.
     
  13. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I'd like to add that the main use of the A/V would be threats that don't pertain to the sandbox. For instance, network based threats that might try to execute code through an open port or service in your firewall... or maybe something that autoruns off a USB flash drive or CD-Rom...

    This is why I keep A/V around. If you ask me, with Sandboxie, drop my rights and UAC, the A/V is almost useless IMO. I suppose extra layers can't hurt, but it's not really vital.

    What I've done on Windows 7 is use AppLocker to form a blacklist path rule on the Sandbox, so nothing will execute inside the sandbox.. This means that essentially any malicious web code will not be able to execute automatically...
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I ride the fence on this one. For myself, I don't use an AV any longer. But, there are times when I might upload something for an online scan. I think they do have their place if you are going to execute something, which we all will do at some point. The thought that they are always behind and playing "catch up" is one that I do share. However, they can serve a purpose if they are updated and they do what they are supposed to do.

    It is too bad that many have gone down the same route as other softwares (firewalls especially), where they strive to do so much to be the "best" product, and add so much, it eventually turns the more discerning user off. I don't know how much "word of mouth" or "recommendations" play in the overall total of sales/use, but I know a lot of folks who are above average that use an AV because they probably should, but they think the current choices are very much sluggish compared to years past. With bigger/faster machines today, one has to wonder why that is.

    Sul.
     
  15. Bills_Last_Stand

    Bills_Last_Stand Registered Member

    Joined:
    May 2, 2011
    Posts:
    9
    Location:
    Washington State
    Thanks, again. I appreciate you taking the time. Your answers are long and well constructed, which take a lot of time, but which is SO vastly different from the Usual Forum 'RTFM' or such!

    FYI, 'TrueCrypt' is a serious encryption scheme that requires a multistep 'mounting' process... using the P/W for the volume. While nothing seems impossible, I am confident that P/W stored in the H/D in this fashion and copy/pasted into use is pretty darned secure.

    Your info on Drop Rights pretty much 'turns up the light' on the subject; I knew to some degree most of what you described. One thing that remains to puzzle me is your comment regarding a Key-Logger that was saved to 'MYDOCS'. Unless the operator invited the 'Logger out of the S/B and let it BE in My-Docs, how could it GET there o_O My understanding of the S/B Drop-Rights is that it applied to executables residing in the S/B only. That it would previously have been possible for 'things' to run IN the S/B; earlier versions of S/B did not have Drop-Rights. I heard Ronen say so in a podcast on Sandboxie.

    Since you referred to that 'Logger being in My-Docs [XP Folder], it sounds like you're talking about XP running the M/S Drop-My-Rights app, not the UAC found in VISTA and "7" ??

    Yes... I keep Avast around purely for scanning any downloaded file that won't run in the Sandbox at my choosing... and for general Full System Scan capability. 'Home Use' here, total control over both computers, and when The Kids come to visit, THEY go on their separate network, via a second router.........

    Bill
     
    Last edited: May 4, 2011
  16. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    The whole "catch up" factor is how I eventually discovered Sandboxie. To be quite frank, I think definition based A/V (even with good heuristics) is losing the war... For high risk users, even if the A/V blocks 9 out of 10 samples, you will quickly have that one exception infect the user... and it usually is devastating (the avg person will rarely be able to clean it themselves). The frustration of having to deal with this - I'm looking at YOU, in-laws - led me to Sandboxie. I've been a happy user myself for a couple years now, and you can't really beat the protection IMO. It does pretty well all by itself.

    That being said, I agree that A/V can serve a purpose. Not that long ago I went on a public network with my laptop and I had a malicious piece of software uploaded to one of my writable shares (my fault for not turning them off). The A/V caught it right away. I would've never run the file, but with things like the .lnk vulnerability, I could've been at risk without it.


    I know! So many of these security suites are so overly bloated, it's actually an amazing feat of (bad) software engineering. I try to encourage people to buy just the "A/V only" version of the products, but I would have to guess that most people buy the fully bloated version. After all, that is what you will mainly see when you shop around at Best Buy and other electronic stores.
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sorry, my lack of proper definitions. I refer to MyDocs as the "typical" directory that users save to, that is also within the user's profile directories. So in essence I used MyDocs as a generic example that refers to a user's profile area.

    Ok, you are missing the point here, and perhaps I did not explain it well enough.

    As we know, if you start your browser in Sandboxie, and you then download a file, it is written "for real", but it is kept within the sandbox (ie. c:\sandbox\boxname\drive\c\myfiles\some-downloaded-file.exe).

    It stays there unless, as you say, the user "invites" it out of the box. This is called Recovery in Sandboxie. Some directories (the MyDocs areas usually) are "monitored" within the sandbox. If a file is created in one of these "monitored" areas, then Sandboxie will prompt you "Hey, do you want to recover that file to the REAL location?". This is useful because if you save something there you might actually want it to be recovered FOR REAL. It is a convenience option IMO.

    Sandboxie also has the capability to have DIRECT ACCESS to a location. This is how I use it. I have a downloads directory (ie. c:\users\sul\downloads) that I allow direct access to for all sandboxes. This way, when I (by default) save downloaded files there, they are there FOR REAL and do not have to be recovered.

    Now that we have recapped the fact that Sandboxie will keep new files within itself, or on your option let them out into the real system, we can address your question. You might not yet understand that the danger I am talking about comes from WITHIN the sandbox, not the real system. I refer to the fact that when you run a browser in a sandbox, and you have no restrictions except DropRights enabled, a keylogger "might" be able to be installed within your user profile area WITHIN the sandbox. When you shut the browser down, if you don't delete the contents of the sandbox, the next time you start it up again, the keylogger will be there. In fact, as long as that sandbox is not deleted, within its ENVIRONMENT the keylogger will remain running. You go about your day to day browsing, and the keylogger runs. It did so because DropRights does not stop it from doing something basic and allowed such as downloading and executing a file within your user profile area -- you have the rights to do that! DropRights would have stopped the keylogger from installing a driver or installing itself to %programfiles% or writing an HKLM registry value WITHIN the sandbox ENVIRONMENT.

    So, I am not referring to a keylogger getting out of the sandbox, although the user could do so by configuration or by choice. But instead I refer to the danger of keeping a sandbox ENVIRONMENT for long periods of time, never deleting it. Many do not realize that even though the sandbox is contained and kept separate from the REAL system, within its confines malicious software is readily capable of running.

    Sul.
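
The restrictions discussed in the posts above (DropRights alone versus browser-only run and network rules, delete-on-close, and direct access to a downloads folder), written out as Sandboxie.ini settings. This is an added example, not configuration posted by anyone in the thread: the two box names are hypothetical, opera.exe is assumed as the browser, and the downloads path is the one mentioned in the post above.

```ini
# Added example. Box names are hypothetical; opera.exe is an assumed browser.

[DropRightsOnly]
Enabled=y
# Strips administrator rights from processes started in this box.
DropAdminRights=y
# Nothing here limits which programs may start or reach the network, and the
# box is never emptied, so a program saved under the user profile inside the
# box can still run and is still there the next time the browser is started.

[BrowserOnly]
Enabled=y
DropAdminRights=y
# Start/Run restriction: only members of this group may start in the box.
ProcessGroup=<StartRunAccess>,opera.exe
ClosedIpcPath=!<StartRunAccess>,*
# Internet access restriction: only members of this group get network access.
ProcessGroup=<InternetAccess>,opera.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
# Empty the box when its last program exits.
AutoDelete=y
# Direct access: files saved here are written to the real folder, so they
# still need checking before being run outside the sandbox.
OpenFilePath=C:\Users\sul\downloads\
```

A PDF reader or other helper that must open inside the box has to be added to the `<StartRunAccess>` group, otherwise the Start/Run rule blocks it too.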
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have a Dlink DIR-655N router, which provides a "guest" network that is segregated from my standard one. This works great for when company comes over or I am fixing someone's machine. I attach to the "guest" network, and do my thing without worrying about my own LAN being affected.

    Sul.
     
  19. Bills_Last_Stand

    Bills_Last_Stand Registered Member

    Joined:
    May 2, 2011
    Posts:
    9
    Location:
    Washington State
    Great 'expansion', Sully. Yes, I have my 'Box set to delete contents when I close either of the two forced programs here.

    Didn't know about a Guest Network; I don't *think* Belkin has that capability. I always have a 'spare' almost everything, so I am not bothered by a 2nd Gigabit Router. I gave it the IP 192.168.3.1, and when inputted from one of the RJ45 outputs of the Main router, provides nice isolation, as well as IT being set up wireless [which the Kids, and other Visitors {may} like, and I never use!]

    GOOD STUFF, Sul..... 'Miller Time'


    Bill
     
    Last edited: May 4, 2011
  20. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
    It isn't very hard to program software that automatically reads out your copy paste clipboard. Even some very old Trojan horses had this feature. So copy pasting passwords isn't more secure than typing them.
     
  21. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    How does it help against XSS eg like a fake login page?
     
  22. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Sandboxie doesn't help with XSS...
     