Sandboxed browsing: does it really make a difference..?

Discussion in 'sandboxing & virtualization' started by wiwul, Apr 20, 2013.

Thread Status:
Not open for further replies.
  1. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    138
    Up front:

    I am in fact using Sandboxie when browsing (FF by default and IE10 where necessary).
    This for already quite some years.

    Am also using Kaspersky Internet Security 2013.

    I don't visit 'weird' sites: 99,99% are 'official' sites, forums, etc.

    That said, and with all due respect for Tzuk (he definitely is making a wonderful program)
    I wonder whether sandboxed browsing is really making sense.

    Also considering that big Internet Security-developers didn't introduce something similar...
    Yes, Kaspersky introduced a kind of 'safe run' some years ago, but they dropped that later.
    As far as I know, Norton does not think it necessary: apparently they think their security
    software is good enough.

    Running a suspicious program within Sandboxie, okay. No doubt about that.
    Browsing, also okay, but then again, considering Internet security software installed:
    in what way is Sandboxie making any difference?

    Again.. with all due respect to Tzuk and again... I -am- using Sandboxie for quite a while already.

    =
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Same here but a while back I was searching for some medical information and I visited a website that tried to download some malware. The website itself looked genuine enough so it may have been hijacked. The AV I was using at the time (can't remember which one) missed it but Sandboxie contained it so no harm done.

    You don't need to be surfing the wild side to get infected, just unlucky. Unless Sandboxie is causing you problems, you're better off sticking with it ... just in case.
     
  3. With FF you run with Medium Level Integrity; with IE10 or Chrome you run in Low (IE) or Untrusted (Chrome) Level Integrity tabs.

    To compensate for this lack of security all FF-users should at least run Adblock Plus and NoScript and preferably Sandboxie.

    In general most malware is spread via third party advertising, so Adblock Plus is a good first layer. Next, cross site scripting is the largest problem (using gaps in software used to build/run a website to inject code on that website), so you need NoScript also. Luckily most FF users who think FF is the better browser (it was in IE6-times) also use ABP and NoScript, so in practice/real world usage, the damage is limited.
     
    Last edited by a moderator: Apr 20, 2013
  4. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    This is really going to depend on how you have Sandboxie configured and what applications you are utilizing, but the simple answer is layered security. No application is 100% guaranteed to protect you, nor is any system guaranteed to be safe. That goes for the servers you're connecting to when you want to watch a video from YouTube or post a thread here. Some folks are content relying solely on an anti-virus and some browser add-ons or running other light set-ups. If that's something you want to experiment with there are plenty of suggestions in the threads. I'm not going to argue A vs B in terms of applications or security setups. Thinking back though, the three applications that have been most important to me are the: browser, firewall, and sandbox. Everything else is just sprinkles on top of the icing.
     
  5. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    As pegr said you can get infected visiting a safe site that was hijacked. That's where Sandboxie comes into play, it will impede any malware from touching your system.
    Keep browsing with it, no other security product will offer the same protection.
     
  6. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    138
    Thanks for all the feedback.

    Have been using Sandboxie + FF (in its default settings) for about two years now.
    ABP installed last year.
    One time I tried noscript, together with ABP, but that slowed down everything so much,
    at times nothing happened and I was just waiting for things to happen.
    Sometimes even up to 15-20 seconds each time I changed a webpage. I disabled Noscript.

    Over the years I encountered maybe half a dozen times where Kaspersky warned me about a website.
    I immediately leave such sites.

    Am using regular, relatively straightforward software, like Office, Adobe stuff, etc.
    (i.e. nothing 'exotic'). For login websites (forums/banking) I use Roboform.
    IF... I download something special, I run this in vmware first.
    Check it with KIS, NIS (vmware) and AVG (vmware) and, if needed, run it sandboxed.
    If this all is okay and if many people are using it (search on google), then most likely it is safe.

    Anyway, will continue with Sandboxie of course.
    It was/is just my way of browsing (FF+ABP+KIS) that made me wonder whether SB was not
    a bit of an 'overkill'.

    =
     
  7. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    SBIE is never overkill because:
    a) it won't conflict with other security software (mostly)
    b) it won't slow you down
     
  8. Landpaddle

    Landpaddle Registered Member

    Joined:
    Mar 8, 2013
    Posts:
    5
    Well...

    I know that the IceDragon browser uses integrated 'virtual browsing', i.e., sandboxing, but only if you have one of Comodo's antiviruses installed. I have doubts about the strength of the sandbox though, and am left wondering whether it would work at all with EMET application settings.

    My overall browsing safety recommendations, beyond an antivirus, are as follows:

    Your best statistical bet for FF is to use NoScript with full security settings, HTTPS everywhere, ABP (including the malware domain filtering list), EMET protections, and Sandboxie. This isn't overkill for a medium priority by default browser. Sandboxing is essential here if you use a lot of third-party add-ons, too, or are a fan of Greasemonkey applications.

    For Chrome, the practical combination for enhanced security is ScriptSafe, ABP, EMET, and HTTPS Everywhere. Sandboxing an already sandboxed process is perhaps overkill, but won't necessarily lead to application errors/bugs since everything assumes low/no priority anyways. Recommended action is to not sandbox Chrome unnecessarily if you go to trusted sites.

    For Opera, one should at least use Ghostery, Sandboxie, EMET, and maybe one of those custom scripts that behave like ScriptSafe in Chrome. Opera is inherently NOT secure. The only reason people say it is is because the browser has such a small market share and few commercial uses that few consider bypassing it worthwhile. Sandboxing is highly recommended for this closed-source application.

    In general, YES, sandbox everything that won't spout errors if you do so or applications that give code too much priority. This especially includes the FF plugin-container, which is one of the highest victims of malware historically when online and especially worthwhile if you have a significant number of plug-ins installed.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    For me, sandboxing the browser was the stepping stone. That's how I started using the sandbox but SBIE is a lot more than a browser in a sandbox. Once I realized that sandboxing (SBIE) really works and actually works better than traditional scanners, I moved on and now I sandbox pretty much all programs and files that I run in my computers. I encourage you to get more out of SBIE. You are not getting all the juice out of this wonderful program when all you use it for is browsing or running "suspicious" programs.

    In my personal case, using SBIE has made a huge difference. Before, I used to get infected all the time and was always wondering whether the computer was infected or not, running scans was part of the routine. Now, I don't get infected anymore and I am never worrying about malware or wasting my time doing scans. For me, using the program has made a huge difference as I enjoy using computers and the internet a lot more than I did before Sandboxie came into the picture.

    Bo
     
  10. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Unless Sandboxie is causing you problems, why would you not want to use it?
    Sandboxie does not rely on heuristics or signatures; it simply does not allow changes to the system.
    http://forum.kaspersky.com/index.php?showforum=19
     
  11. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    You are not alone. :cool:

    Since many malware infections are acquired when browsing, the sandbox feature was, is and will be an accurate technique to avoid PC malware intrusions in your real Windows system. I still remember reading in the Wilders forum, from some Microsoft skewed fanboys, that the sandbox process is a needless way to protect their deified OS...

    After that we can see Metro version of IE10 to use a sandbox attribute... The same with Adobe...

    Sandboxing and virtualization are ways to enhance security in Windows OS.

    Don't forget that Guest Mode was included under the Beta versions of Windows® 7... [The Guest Mode worked like Windows® SteadyState.]

    Even a sandbox-type program far removed from Sandboxie, like the "SecuBrowser" freeware (it is unable to isolate/virtualize the Registry, e.g.), is effective to avoid ransomware malware, as I had the opportunity to test.
     
  12. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
    Just in addition to all the comments which already pointed out the usefulness of using Sandboxie:

    To my mind Sandboxie is the most effective way to protect your system from the zero-day attacks. That is

    (http://en.wikipedia.org/wiki/Zero-day_attack)

    These attacks are the main reason why I would not feel any longer secure if I used only an AV when browsing. And as already mentioned by other posters: Even a usually harmless site could hide such a danger within it.

    Indeed. :thumb: That's exactly my experience too (applying to Sandboxie and the other excellent security program Shadow Defender).
     
  13. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    Amen. One of the neat tricks you can do is force drives to run sandboxed. This really helps if you've got people sticking any number of disks or USB drives into your computer. Can't tell you the number of times that I've caught my younger sister doing this because she wanted to copy music out of my library. Better than blocking auto-run in my honest opinion.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Does it make a difference? The answer, IMO anyway is really simple.

    Yes it does, IF you want it to.

    There really is no other program quite like it. We could (and have) devote a very lengthy thread to what it can do and how to make it do it. But in the end, if you want it to make a difference, it can.

    Of course there are many 3rd party applications that can make a difference, as well as many native OS tools. The question is what you want. I want to use Sandboxie, but I don't like cats really. Maybe you like cats but don't like Sandboxie? :cautious:

    On a serious note though, the people I support that want to use it have success much like Bo Elam's. It changes things for them, for the good. And those that don't really want to use it, maybe they just don't want to learn or be bothered, well, they hate it.

    Sul.
     
  15. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    138
    To all: thanks folks for all the feedback!

    For good order's sake, pls do note that I am a 'registered' user of Sandboxie.

    Actually . . .
    one reason for asking my question is that doing a screencapture of a website (or part of it),
    my screencapturing program normally also saves the URL as 'extra info'.
    Later on it may be nice to know the origin of the capture.
    Whilst sandboxed browsing the URL info is not passed on to the screencapturing tool.
    So, the screencapturing tool should run in sandboxed mode as well.
    I configured it to do so, adding the folder path to Quick Recovery, tagged "Immediate Recovery"
    and added the path to Resource Access->File Access->Full Access.

    This all seems to work fine.

    But one way or the other the capturing program seems to be acting differently.

    e.g.
    1. when doing a window capture: running OUTside Sandboxie, it will automatically select
    the window (you only need to click on it and it is captured) -
    Sandboxed: I need to draw a box/select manually.
    Therefore, most likely capturing with a fixed frame, with xx seconds interval will not work.

    later...: I just checked - I added the capturing program+editor to Resource Access->File
    Access->Direct Access: now, a window is automatically selected.
    Great...

    However, I also discovered that the program keeps running (taskmanager/processes,
    although I exited it - File Exit), also after removing it from the direct access.


    2. running OUTside Sandboxie: when a file is saved, I can drag the file from the editor into
    (e.g.) Outlook and the file will be attached.
    However, this is not possible when running sandboxed. I need to use Explorer for that.

    Have spent already quite some time on this now and in the past.
    So just to make a tool working as it should requires quite some time of trying this and
    testing that. Bottom line is that I need to accept that sometimes a tool may not entirely be
    working as it normally would without Sandboxie.

    All this and Internet Suites not being interested in introducing something similar (except
    for Kaspersky, who dropped their 2012 'safe run' option in their 2013 version) more or less
    made me wonder whether, considering my being very cautious already, it would make sense.

    As I am working with 3.76 maybe the new release will solve the issue.

    Have asked tzuk to look into this, hopefully he will.

    Pls. . . do not consider the above as criticism! It absolutely isn't meant that way.

    Anyway, again, thanks for all the input!
    =
    ps sorry for the long reply.
    =
     
  16. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Sandboxie is a great addition to any security setup. I can't imagine to use common programs like browser (GC/IE), media player (MPC-BE/WMP), document reader (AR), and other utilities (wordweb, calc, etc.). I even prefer to use it in Shadow Defender protected environment. Seems paranoid? I have complete control over program functionality as well as proper working environment. I make 'Sandbox' folder on drives other than C: and have smooth computing experience. Must have security for me....
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    From my POV it's hard to say; I don't see infections with sandboxing or without sandboxing.
     
  18. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Sandboxing makes a big difference if you ever actually encounter a drive-by download that can infect you. Last I checked, most exploit kits are still targeting older vulnerabilities.

    Disabling most plugins, staying up to date, Adblock and using a more obscure browser will render you invisible to most threats. You just have to ask yourself - when was the last time your AV prevented you from getting an infection?
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Many years ago on a downloaded screensaver attempt. AV was NOD32. Nowadays I would never attempt this sort of download.
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What about Sandboxie's vulnerability to Blackhat?
    https://www.wilderssecurity.com/showthread.php?t=344108
    http://blogbromium.files.wordpress.com/2013/03/blackhat-2013-sandbox-roulette_wp.pdf

    Did Tzuk fix this vulnerability?
    I read that a temporary workaround is: Resource Access > File Access > Blocked Access and add c:\windows\system32\t2embed.dll
    Deny access to t2embed; however, this can cause some problems with pdf and doc files.

    Personally, I did this without problems with my pdf and doc files.

    It's not a Sandboxie fault, just that it exploits the buggy Windows t2embed.dll.
    There is also a Microsoft security bulletin fix to deny remote code execution via TrueType or OpenType fonts.

    This is from sandboxie's forum:
    http://www.sandboxie.com/phpbb/viewtopic.php?t=15025
    Any comments?
    I actually thought that Tzuk has fixed this by now.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And, how exactly would Sandboxie's author/other fix something that only Microsoft can fix/patch?

    Only Microsoft can patch Windows bugs.
     
  22. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    That vulnerability in particular was patched by MS on December 20, 2012. Check Microsoft Update/Windows Update.
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Like I said, you can fully block and fully prevent this vulnerability by using Sandboxie itself:
    Resource Access > File Access > Blocked Access and add c:\windows\system32\t2embed.dll

    However, this is no longer needed since Microsoft has fully patched this Windows vulnerability.
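
Added example, not part of any post in this thread: the Blocked Access entry described above is stored in Sandboxie.ini as a `ClosedFilePath` line, and this script lists the enabled sandboxes that lack such a line for a given file. The box names and the sample file content are constructed, and the prefix-style path matching is a simplifying assumption of this example, not Sandboxie's exact matching logic.

```python
import re

# Constructed Sandboxie.ini content for illustration (not from the thread).
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
ClosedFilePath=C:\Windows\System32\t2embed.dll

[ReaderBox]
Enabled=y
ClosedFilePath=firefox.exe,C:\Windows\System32\t2embed.dll

[TestBox]
Enabled=y

[OldBox]
Enabled=n
"""
TARGET = r"c:\windows\system32\t2embed.dll"  # path quoted in the thread

def parse_boxes(text):
    """Return {section: [(key, value), ...]}. Keys repeat, so configparser is not used."""
    boxes, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], [])
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return boxes

def split_rule(value):
    """'program.exe,path' -> (program, path); (None, path) when the rule covers all programs."""
    head, sep, tail = value.partition(",")
    if sep and "\\" not in head:
        return head.strip().lower(), tail.strip()
    return None, value

def rule_covers(rule_path, target):
    """Case-insensitive match; '*' is a wildcard and the rule acts as a prefix (assumption)."""
    pattern = re.escape(rule_path).replace(r"\*", ".*")
    return re.match(pattern, target, re.IGNORECASE) is not None

def boxes_missing_block(text, target, program=None):
    """Enabled sandboxes where `target` is not blocked for `program` (None = every program)."""
    missing = []
    for name, settings in parse_boxes(text).items():
        if ("Enabled", "y") not in settings:
            continue
        blocked = False
        for key, value in settings:
            if key != "ClosedFilePath":
                continue
            prog, path = split_rule(value)
            applies = prog is None or (program is not None and prog == program.lower())
            blocked = blocked or (applies and rule_covers(path, target))
        if not blocked:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print("Not blocked for all programs:", boxes_missing_block(SAMPLE_INI, TARGET))
    print("Not blocked for firefox.exe:", boxes_missing_block(SAMPLE_INI, TARGET, "firefox.exe"))
```

In the constructed sample, ReaderBox is reported when no program is given because its rule is scoped to firefox.exe only, so other programs in that box could still load the file.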
     
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Sure, Sandboxie is a wonderful addition to anyone's security arsenal.

    Also running a browser within Sandboxie leaves a lot less debris on the HDD to clean also.
    I have proven this when running sandboxed and unsandboxed using CCleaner.

    That's an extra benefit besides of course the security benefit.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    There are many benefits that we get out of using SBIE. Most have nothing to do with browsing but one that I like is being able to return a program to how it was before running the application sandboxed. If I wasn't running programs like video players or Foxit in a sandbox, I would mess up settings so much that I couldn't return them to how they were before I ran them. That would give me headaches because sometimes I wouldn't remember how I had them set originally.

    Bo
     