Is Sandboxie useless on Windows 10?

Discussion in 'sandboxing & virtualization' started by CoolWebSearch, Dec 1, 2016.

  1. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I thought Sandboxie couldn't block Windows and kernel exploits?

    https://web.archive.org/web/20170402072237/https://blogbromium.files.wordpress.com/2013/03/blackhat-2013-sandbox-roulette_wp.pdf
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It indeed doesn't block exploits themselves, but it's designed to contain malware that's delivered via exploits. I've read the Bromium report years ago and they confirmed that they could bypass both Chrome and Sandboxie, with the difference that they had to specifically target Sandboxie, because it would still interfere with malware. In other words, if the malware (with high or system privileges) doesn't know that Sandboxie is running and doesn't try to terminate it, it will still run virtualized. But I don't know how strong SBIE's self protection is.
     
  3. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Sorry, I'm a little late replying to this, I didn't get any email notifications about a reply directly to something I said. I sandbox all of my daily-used stuff too. Literally everything that can be run sandboxed, I run it sandboxed. And now, with those sneaky crypto-miners hidden inside of a lot of websites, programs like Sandboxie are mandatory now. Doesn't matter what kind of protection you have, it's bound to occasionally miss a thing here or there.
     
  4. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
  5. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Another thing you can do is deny admin privileges to the things running in sandboxes that you use for regular browsing.
    You also should use a good whitelisting AV to auto-block any unknown malware that might try to run, sandboxed or otherwise.

    Sandboxie serves as...I guess a safety net, when we're talking about exploit-delivered malware. By denying admin access, you've made the net considerably stronger and harder to break through, but nothing is infallible. I mean, why do you think so many companies focus on making supplementary antivirus/anti-pup products now? SecureAPlus prides its self on being a supplementary product, but it can still hold its own as a stand-alone. Voodooshield is another product like that. Malwarebytes was one of, if not the very first one to do that.

    Even a product like comodo might not catch a pup or two, because a pup isn't technically malicious it's just annoying crap.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Exactly, and it can even protect browsers like Chrome who already have a quite strong sandbox. Sandboxie is mostly about containment, so certain malware that runs inside the sandbox can of course still do damage, but you can always tighten the sandbox. I prefer to combine it with tools like EXE Radar, and I wouldn't recommend to use it with tools like HMPA, because at some point they will start to conflict, resulting into weaker protection, or no protection at all.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Which is funny. Cause aren't they own by the same company?
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To be honest, totally forgot about that. But I have experienced problems myself, the thing is, they both work on a very low level, so it's best not to mix them, that's my advice. Because with every update, they can break stuff.
     
  9. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    As is stated in my signature, I use SecureAPlus set to silent mode with the whitelisting settings set to identify based on a hash AND a publisher signature. And as a backup (mainly to force my daily-used programs to only connect through my VPN) I have Comodo firewall on the proactive security preset with the hips and firewall on safemode and "do not show popup alerts: block requests" enabled. The container in C.FW is set to auto-block the unknown and any known malware that it would encounter and to auto-block privilege elevation requests too.
    Virusscope and file rating in C.FW are also set to "do not show popup alerts" as well. So it's basically impossible for malware to run on my system. Even if I do mistakenly run a malware-setup-file disguised as a video or a picture, it's going to get blocked by either C.FW or S.A.P. and if it's known to SecureAge's database as a threat, it will get quarantined the moment it's finished downloading.

    So Sandboxie on my two systems serves mostly as a utility to segregate my browsing data and to keep any data left over by my other applications in a nice neat little container to delete all in one go when I'm done doing what I'm doing.
     
  10. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    I had to google around like crazy to find out what you were talking about. HitManPro Alert. Yeah, that program sucks, exploits are just a way of downloading a payload. If you want a good anti-exploit solution (that was even able to stave off eternal blue) then use VoodooShield. I had to stop using it because I couldn't afford it anymore now that my VPN provider raised their prices. I haven't seen a single honest test of Voodooshield where it missed anything, the false alarm frequency on autopilot mode is also very low. I haven't seen any honest tests of comodo I.S. or comodo firewall where either of those products failed.
    The one test I saw where Comodo I.S. "failed" was where the tester was counting a successful download of malware, just the download without running the file as a miss, but that tester didn't apply the same standard to bitdefender. This tester I saw also counted catches by CIS's container as misses, despite the fact that those are clearly successful catches.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Over years, never had a problem with HMPA and Sandboxie, using latest beta versions of each.
     
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    a 5 or 6 years old article is NOT up-to-date.
     
  13. guest

    guest Guest

    it doesn't matter, it is by design not the role of sandboxie.
     
  14. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    don't bother, guest. :thumb: let @Brummelchen reply to @Brummelchen :isay:

     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No it doesn't suck, from a technical point of view it's pretty good. But it does cause lots of problems on certain systems when combined with other security software.

    BTW, I forgot that a browser's sandbox can also be exploited without using a kernel exploit. I've read that on Pwn2Own 2019, they managed to hack Firefox and Edge without kernel exploit. In other words, this is probably also possible in Chrome. So another reason why it would make sense to use Sandboxie on top.


    That's the thing, sometimes you won't even notice it. What happened on my system was that Sandboxie wasn't correctly running sandboxed apps with the untrusted integrity. So everything looked just fine, until I saw the problem in Process Explorer. After that I wasn't willing to risk anything, even though they can of course work together. So it's just an advice.
     
  16. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    To the first point, I've seen lots of tests of HMPA where the ransomeware protection did nothing at all. Ransomware is a huge issue and it's almost always delivered through a malicious redirect exploit. The payload is always zero-day and often polymorphus as well. Whitelisting AV, such as Voodooshield, SecureAPlus and Comodo set to block instead of contain is really the only way to be safe from ransomware. If it can't run, it can't install. If it can't install, it can't make any meaningful changes to the system.

    To the second point. Yeah, with or without Sandboxie, you need good protection as well to help mitigate anything that gets downloaded.
     
  17. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Well, Spyware can pretty much run unhindered inside of Sandboxie, that's why I always turn on the "drop admin rights" thing in the restrictions menu. Denying admin access to sketchy unknown files is always important. If you use Comodo, go into the container settings and turn on "do not show privilege elevation alerts: block" and if you're particularly paranoid, use proactive security and set the container to block instead of contain. I would also recommend turning on "drop admin rights" in every sandbox you use for sandboxie.
     
  18. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, I've likewise enabled Drop Rights recently as well as "automatic delete" of contents when browser closes. I read about Service Worker exploits via the browser that can theoretically run in Sandboxie. Can enabling this setting mitigate that exploit?
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi plat1098, this type of malware doesn't install software, so, probably using Drop rights doesn't help us against it. From Sandboxies perspective, our best protection is to delete contents (constantly). I know there are users that go many hours, days, without closing their browser, I am the opposite, I close it and open it many times a day and delete contents every time I close the browser. To protect ourselves against this type of malware (as with any other), deleting contents is what we want to do. I also read this marionette malware uses JS, as usual for browser attacks. So, add NoScript, that will turn the sharks of the internet into sardines :).

    Bo
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    After all the noise the Bromium propaganda created when the report came out years ago, by this time, 6 years later, we should have expected some sort of malware similar to the one described in their paper to go in the wild and successfully attack, and escape Sandboxies sandbox. But no, nothing. Who knows, maybe it ll take another 5 years (after all, there is always a possibility that something will break out of Sandboxies sandbox, right?) :).

    Bo
     
  21. guest

    guest Guest

    Sandboxes are niche markets, few users, not worth the effort to create a widespread malware since the malware must consider the various mechanisms of every sandboxes.
    The Bromium article was a PoC showing that sandboxes are bypassable, and they are.

    if some group decide to target sandboxes, they will succeed like the edge/FF sandbox bypass few days ago at the pwn20wn 2019 event.
    https://www.wilderssecurity.com/threads/pwn2own-2019.414478/#post-2816159

    What motivate hackers is the ratio effort/reward; if the gain worth the effort, don't worry, they will find a way.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    It doesn't matter the reasons that Sandboxie hasn't been breached, what matters is that it hasn't been breach.

    Again, if no one is interested or it doesnt pay to spend the time and money to develop successful malware against Sandboxie, it doesn't matter. What matters is that no malware has been in the wild that escapes Sandboxies sandbox.

    Bo
     
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well.....alrighty, then. lol. Thank you for the straightforward answer about the Service Worker issue. I have since disabled Service Worker in Firefox about:config--tried NoScript a while back but it didn't work out. Don't recall why specifically. Since I'm a very basic Sbie user, I appreciate this thread a lot, believe me.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Correct, but it's much more likely that someone develops an exploit for Chrome and Firefox, instead of developing some exploit to bypass Sandboxie. Like I said, Chrome's sandbox can also be bypassed without kernel exploit. This doesn't mean that this Chrome exploit will automatically bypass Sandboxie.

    But the reason why you don't see this a lot, is because apparently Chrome/Chromium is coded pretty good. But I expect to see Firefox getting more and more secure also. And soon Edge will switch to Chromium. But even then, I will still choose to run Sandboxie on top.

    That doesn't mean it sucks. None of the anti-ransomware tools can block 100% of all ransomware. Also, in the tests that you saw, they simply run ransomware manually. So if they were delivered via exploit, HMPA would have most likely stopped it.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I believe you. This threads on Sandboxie at Wilders are also important to me, they always being, I dont take them for granted. When I discovered Sandboxie, while doing searches for information on SBIE, it seemed like I always ended up at Wilders, and ended up getting what I was looking for at Wilders. So I know the value of this threads. But I think it would benefit new potential users who are seriously interested in SBIE who land here at Wilders in this Sandboxie threads if this threads were a bit cleaner, too much noise sometimes from people who dont use or dont care about SBIE. Noise can confuse people.

    Anyway, I was lucky when I discovered Sandboxie, at about the same time (same week for sure), I also discovered NoScript. And adopted both immediately. That was a lucky week. There was one huge difference when I first started using this programs, Sandboxie made sense right away. There was nothing really to struggle regarding making sense of Sandboxie, but that was not the case with NoScript. Nothing made sense with NoScript on day 1, it was an struggle. Making sense of NoScript is the key for success and enjoing using the program. Check this out.
    https://www.tenforums.com/browsers-email/128337-stop-videos-auto-playing-firefox.html#post1589507

    Bo
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.