Grab bag re: Sandboxing and browsers in 2019

Discussion in 'sandboxing & virtualization' started by Mac29, Jul 26, 2019.

  1. Mac29

    Mac29 Registered Member

    I've used Sandboxie forever, and have been on W10 for 6 months. I use Firefox (with uBlock Origin). I'll be on a new system shortly and want to use a VM to browse but before I do, a few questions.

    Does Opera have some sort of Chromium sandbox built-in? I like the built-in ad blocker. (I have a continuing problem w/FF and SB. FF re-sets itself periodically and I have to re-config everything. It loses my history and bookmarks. Although the problem has been less frequent recently.)

    The thread 'Is Sandboxie useless on Windows 10' is asking if it's useful or not due to "modern" browsers. Any consensus about that in 2019? People feel safe to browse 'naked'?

    I'm confused about AppContainers. They work automatically in W10, for any application, including browsers? So nothing for me to config to 'harden' anything.

    Finally, is ReHIPS difficult to use? Basically curious how wilderssecurity members surf. Recommendations?


    Thank you,

    Mac
     
  2. itman

    itman Registered Member

    No.

    AppContainer usage must be configured within the app. Edge by default. IE11 can do so if configured for EPM mode. Chrome use is still optional, I believe. Firefox does not use it. It is an optional setting in Adobe Reader. Etc., etc. Also as far as Windows system apps go, only a dozen or so use it.
     
  3. bo elam

    bo elam Registered Member

    That shouldn't be happening. It sounds to me like perhaps something is corrupted in the sandbox you are using for Firefox. To know if that's the case, you test creating and using a new sandbox. If the issue doesn't occur in the new sandbox, that would mean that probably a setting you are using is messing things up. To fix the issue, you continue using the new sandbox.

    Also, if your Firefox sandbox is not set to delete on closing automatically, then you should delete it now, and do it often. Deleting contents fixes a lot of non problems that are considered problems.

    You should also make sure, your settings to save bookmarks and history are enabled in Sandbox settings.
    The only reason why I feel confident that I can browse anywhere in the internet, regardless of how nasty the site is, without any stress or sweating, and confidently feel, that when I shutdown my computer, it is clean, is because I use Sandboxie and NoScript. If there was no Sandboxie, believe when I tell you, that day, it will be the day when I change my browsing habits. Mac, I think what I just wrote, answers your question from my perspective. :)

    Bo
     
  4. guest

    guest Guest

    AFAIK, opera is chromium, so it uses its sandbox.

    I do on one machine with chrome and appcontainer enabled in it, and I feel safe.


    Appcontainer is by default on Edge and normally all Metro Apps. And opt-in in some apps like Chrome. The rest don't use it.

    I am one of the few here beta testing REHIPS, it is a bit more complicated to use than Sandboxie (you have to unlearn your Sbie habits and it has an anti-exe module) but nothing very difficult.
    And since Sandboxie isn't made for testing (claims some of their users), rehips is the best choice for security oriented people.
     
  5. dwalker

    dwalker Registered Member

    Rethinking my use of Sandboxie to have one browser very isolated and secure.

    I've used Sandboxie for years with different browsers but never thought of this before. Feedback on this strategy is very welcome. I use Windows 10, version 1903.

    I have thought for a long time that using a portable browser sandboxed might be an ideal way of increasing the isolation of that browser from everything on your system. Only recently have I found a simple way that works well.

    HERE’s the Strategy:

    All I've done is install Firefox Portable inside a Sandbox with certain settings. I think it has no access to the registry or settings on my computer.

    1. I've set the Sandbox to "never delete this sandbox or its contents".
    2. I've gone to the internet browsers section and made sure this version has no access to my regular installation of Firefox for bookmarks or profile, though I've allowed the Phishing Database access.
    3. I've checked the box which Blocks access to network folders & files unless specifically opened.

    In Firefox Portable I've added Ublock and CookiesAutoDelete.

    So far I love it. It opens faster than running any of my browsers on my C: drive sandboxed. Ublock with default settings works very well. Excellent for Streaming. My anti-virus free Kaspersky has blocked access to certain dodgy sites (Kaspersky's working from its normal folder, it's not installed in the sandbox).

    The only glitch has occurred when updating the portable version in its sandbox. After downloading the Update, The Relaunch Button has led to Firefox freezing. I had to close Firefox and it appeared to do the same thing again. But suddenly found it had updated to the latest version. So it works, if a little weirdly.

    Comments?
     
  6. bo elam

    bo elam Registered Member

    Hi dwalker. Sandboxie is not supposed to allow updates to be applied while running programs sandboxed. Sandboxed Firefox can download the update using the internal updater but when you restart the browser, the update should be discarded/not applied. You seem to think the update was applied, perhaps you should check again.

    Programs work better with SBIE when automatic updates are disabled. In regular Firefox, you can disable the browser checking for updates automatically by creating a policy. You should be able to do the same with the portable version of Firefox. If you want to try it, I can show you how to do it.

    IMO, the best way to update browsers you install in a sandbox, is to do over the top upgrades by running the installer of the new version. That should work fine for you with Firefox portable.

    Personally, I never liked the idea of installing browsers in a sandbox, and only do it when I want to test a new version of the browser before updating the version I have in the real system. I am going to tell you why. When you install a browser in a sandbox, you have to set the sandbox not to delete on closing of the browser. This means that all the garbage you pick up while doing regular browsing is saved in the folder of the sandbox where you installed the browser. If you picked up malware, the malware is going to stay around until you delete contents, so, if you do sensitive browsing, it could steal your credentials or personal information and send it home. So, at least, don't use this browser for sensitive browsing, use it only for regular every day browsing.

    Bo
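
The update policy mentioned in the post above, as an added example that is not part of the original thread: a script that merges `DisableAppUpdate` into `distribution\policies.json` beside `firefox.exe` without discarding policies already there. The helper names are hypothetical, the folder layout and the pre-existing policy are constructed, and it assumes the portable build reads the policy file from the same location as a regular install.

```python
"""Added example: pin a DisableAppUpdate policy into a Firefox install."""
import json
import os
import tempfile
from pathlib import Path

POLICY_KEY = "DisableAppUpdate"  # Firefox enterprise policy name


def set_update_policy(firefox_dir, disable=True):
    """Merge the policy into <firefox_dir>/distribution/policies.json.

    Existing policies are preserved; a malformed file raises ValueError
    instead of being silently overwritten.
    """
    policy_file = Path(firefox_dir) / "distribution" / "policies.json"
    policy_file.parent.mkdir(parents=True, exist_ok=True)

    doc = {}
    if policy_file.exists():
        try:
            doc = json.loads(policy_file.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            raise ValueError(f"{policy_file} is not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("policies", {}), dict):
        raise ValueError(f"{policy_file} has an unexpected structure")

    doc.setdefault("policies", {})[POLICY_KEY] = bool(disable)

    # Write to a temp file first, then swap it in, so a crash never leaves
    # a half-written policy file behind.
    tmp = policy_file.with_name(policy_file.name + ".tmp")
    tmp.write_text(json.dumps(doc, indent=2) + "\n", encoding="utf-8")
    os.replace(tmp, policy_file)
    return doc


def updates_disabled(firefox_dir):
    """Return True only if the policy file on disk disables app updates."""
    policy_file = Path(firefox_dir) / "distribution" / "policies.json"
    try:
        doc = json.loads(policy_file.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return False
    policies = doc.get("policies") if isinstance(doc, dict) else None
    return isinstance(policies, dict) and policies.get(POLICY_KEY) is True


def demo():
    """Run against a constructed folder layout in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        ff = Path(root) / "FirefoxPortable" / "App" / "Firefox64"
        (ff / "distribution").mkdir(parents=True)
        # Constructed pre-existing policy, to show it survives the merge.
        (ff / "distribution" / "policies.json").write_text(
            '{"policies": {"DisableTelemetry": true}}', encoding="utf-8")
        before = updates_disabled(ff)
        set_update_policy(ff)
        on_disk = json.loads(
            (ff / "distribution" / "policies.json").read_text(encoding="utf-8"))
        return before, updates_disabled(ff), on_disk


if __name__ == "__main__":
    print(demo())
```

After a restart, Firefox lists the policies it has loaded on its `about:policies` page, which is the place to confirm the setting took effect.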
     
  7. Brummelchen

    Brummelchen Registered Member

    wrong strategy, but that depends on lack of knowledge. you only have a view to single elements only but you lost the view to the whole package

    a) kaspersky free is BS, less security than fully integrated windows defender (and it is NOT clear how much and what kaspersky is sniffing on your user behavior)
    b) ublock is much better than the questionable kaspersky web blocker
    c) firefox is currently the most secure browser.
    https://www.zdnet.com/article/germa...cy-recommends-firefox-as-most-secure-browser/
    d) starting sandboxie as free with all features don't need to run firefox (securest browser) complete in the box - use the "forced" features instead.
    e) in case you only visit regular pages there is no need to isolate firefox and make it crippled in functionality. in fact you need to lower security (sandbox level) to make it fully work. so you have a less secured browser in a questionable secured box!?
    f) as you stated the update won't perform - exactly, that's a matter of sandboxie and not firefox.
    g) you forgot malware which is or might be able to break out sandboxie, this is not clear how or if. but in that case nothing will help you out, neither kaspersky nor defender nor sandboxie nor firefox.
    h) depending of the location of the sandboxie container folder it could be more or less safe, matter of user rights and sandboxie, not firefox.
     
  8. Beyonder

    Beyonder Registered Member

    Yeah, I'll believe that when I see it. If you look at the list, Chrome didn't win because it failed 3 privacy options
    - Lack of support for a master password mechanism (Chrome, IE, Edge)
    - No option to block telemetry collection (Chrome, IE, Edge)
    - Lack of organizational transparency (Chrome, IE, Edge)

    Meanwhile, Firefox doesn't have strict site isolation yet.
     
  9. 142395

    142395 Guest

    Off topic

    Just laughed at having read the requirements almost designed to place Fx first w/out firstly detailing threat model(s), hard to believe this is written by such an org - everyone can perform this kind of "audit" with arbitrary conclusion. You shouldn't take click-bait title as is, always check details. But I like Fx's way to allow many config for TLS and cert handling.
    [EDIT] happened to overlap w/ @Beyonder ?
     
  10. bo elam

    bo elam Registered Member

    Hi Brummelchen, I don't agree with all that above at all.

    First of all, by sandboxing Firefox with Sandboxie, Firefox doesn't become crippled. Sandboxie doesn't mess up Firefox. For me, Firefox functions identically in the sandbox to how it would be if I was not using Sandboxie. I used Sandboxie for more than 10 years, and sandboxed Firefox for more than 10 years, never had a real issue. So, I have no idea what you are talking about.

    Out of choice, I disable Multiprocess but you don't have to, to sandbox Firefox with Sandboxie, nor lower security sandbox level. I don't know how you come up with that, but you don't have to switch off those functions in Firefox in order to use Sandboxie with Firefox.

    Questionable secured box? All I am going to say to that is, I can't believe you wrote it. :)

    Regarding this, "in case you only visit regular pages there is no need to isolate firefox", I think it is a bad idea to pre-qualify websites to help you decide what sites are clean and which are not. You can never really tell if "good" sites are clean and "bad" are infected. I believe people who do that get burnt sometimes. So, IMO, it is better to treat all websites the same way. I trust them all the same, I don't trust any. So, I use Sandboxie for every website I visit, and never get burnt, or infected.

    Bo
     
    Last edited: Oct 19, 2019
  11. dwalker

    dwalker Registered Member

    Hi Bo,
    I have checked again. Firefox Portable did update to the latest version within the Sandbox. It's no surprise to me, Firefox Portable as I have said, saves bookmarks, changes to Ublock etc. I consider this very similar to using Firefox Portable on a USB drive where I would also expect it to update.
     
  12. dwalker

    dwalker Registered Member

    Hi Brummelchen,

    My God, what a lot of comments! Ok, I asked for them, so thanks. The only thing I was hoping to get feedback on was the idea of getting more isolation and security by having a portable version of Firefox (that does not access my registry at all) sandboxed. It is not crippled in the least. Also, as I said to Bo, the update did work, Sandboxie does not actually block it. Functionally it works impressively well.

    For me then, your best objection was g) & h) it has been a concern for me, as I am used to watching the X appear as my browsing session is deleted in sandboxie. This is my first time trying a program within a "permanent" sandbox and I've been very impressed about how well FF Portable works. But am I really safe from malware getting by my security controls into the sandbox? That's an excellent point. Clearly deleting the sandbox after each use is better.

    My problem in the past has been that FF Portable installed in a folder on my PC, unlike "regular" Firefox, gave me problems I could not easily solve when I ran it in a sandbox. I would never know when an update to Windows or FF Portable would cause something to go wrong. That's how I came up with this experiment.

    But thinking about this, I am going to return to working with FF Portable in a folder on my PC, that I then run in a sandbox that deletes its contents when I exit the browser. I've just now thought of a couple of settings in its sandbox I didn't check before. If that fails I may return to this topic.

    Doug
     
  13. Brummelchen

    Brummelchen Registered Member

    thats pity but and make the result lie in this point, but at least - it is the best "you're simple the best" TT

    @dwalker from my view running firefox in the box seems futile and has no benefit when using sandboxie with the default settings. you need to restrict programs in the box and refuse and write back to the system (open folder..., and (instant) recovery).

    if the security concept has different layers and redundant mechanisms it does not need to run programs in the box. but you can force other programs or folders into the box (that was only possible with the paid version before) - eg downloads, cache, plugins (flash).
    an up-to-date firefox has not really leaks (until they were fixed with the next build) and ublock is able to block questionable files.
    i don't have doubt in this smart combination so i don't need to run firefox inside the box, either site isolation or not ;)
    i have more doubts about chrome/chromium bypassing adblockers, now or in future.

    concerning firefox and malware as memory payload - firefox has access to the system and a sandbox won't change this, until the write back to the host which is ofc limited due sandbox - reading out secret files and send content is still possible. but for now this only would occur when user is going on risky pages without any doubt.
     
  14. bo elam

    bo elam Registered Member

    Hi dwalker. In sandboxed installations of browsers, the saving of bookmarks, changes to Ublock etc, is expected. You don't even have to check any settings to allow these changes for this type of changes to remain. These changes will remain within the sandbox and be gone together with the installation when you delete contents.

    But Firefox updates are not supposed to be applied when running sandboxed, that's the case with regular installs, perhaps it's different with portables. I don't know. I wanted to test installing an older version of portable Firefox to see what happens when Firefox updates. But Portable apps don't have older versions of portable Firefox.

    Bo
     
  15. bo elam

    bo elam Registered Member

    Hi Brummelchen. This past couple of days you have written a lot of statements about Sandboxie that I disagree with, it would take me pages to give you a complete reply back. :)

    At least now (quote above), you clearly say what you have written is your point of view.

    I am going to give you a quick reply. Question: what happens if you are running Firefox unsandboxed and you get hit by ransomware (and you click to allow it to run) or drive by malware (where you don't have to click nothing to get infected), and your AV doesn't flag the malware? The answer is, you get infected.

    Same scenario but this time, what would happen if you are running Firefox under Sandboxie in a default settings sandbox and you get hit by ransomware or drive by malware? The answer is, the infection takes place within the sandboxed environment, not touching your real system, registry or files. And is gone when you delete contents.

    Using Sandboxie makes a huge difference.

    Bo
     
  16. Peter2150

    Peter2150 Global Moderator

    I can confirm this bo with a test I made a while back. I found a piece of malware that took over the display and the only way out was a reboot. When you rebooted the malware owned the machine. When the malware was run in sandboxie same thing. It took over the display again. Again it took a reboot to get out. Difference was the machine was clean.
    Sandboxie does its job.

    Pete
     
  17. bo elam

    bo elam Registered Member

    That was an ugly piece of malware. What you experienced is what we can expect from what I believe is the second worst and most dangerous type of malware we can be hit with, this type doesn't hide but runs and installs in the sandbox, and like you said, it takes over. The reboot is needed to terminate the malware, after rebooting, deleting contents (which includes the malicious installation) becomes easy as the malware is not running anymore, dormant, sleeping :).

    Bo
     
  18. dwalker

    dwalker Registered Member

    Thank you Pete and Bo, Sandboxie works very well. I have used it for something like 15 years, always with the sandbox where I browse deleting its contents after each browsing session. I have had no malware, ransomware etc. ever take over my system. Sandboxie is a great program. I have a sandbox for Chrome where I do my financial dealings and access to my email online. I have a sandbox for my C drive Firefox installation, which I use for various videos for music, yoga meditations, etc. I have additional security measures like surfing in a User Account, an Antivirus program, scans with Malwarebytes free and other programs. But I'm trying to investigate one usage of Sandboxie in these posts.

    My whole point is to investigate using a very good portable browser in a sandbox for use, not for "regular" websites but more or less free searching and surfing. To me sandboxing a portable browser should be about as isolated as you can get without installing one of the virtual machines. My thought is: a portable browser by itself is safer than the regular installation as it does everything within its folder, making no registry changes. Run the portable browser in a sandbox and you have even greater isolation. Set the dedicated sandbox so the portable browser is the only program that can access the internet, block access to network files, set the sandbox to delete its contents upon exiting the browser and I think it's a very good way of browsing safely.

    Update: I have successfully found the problem I was having with using Sandboxie with Firefox Portable in its recent versions. If you open the program using the obvious application firefoxportable.exe which is in the root folder FirefoxPortable, it does not like Sandboxie, before opening, it will pop up the Windows message asking you to sign into your Admin account. I tried a couple of fixes which did not work. But I think this is the answer:

    Under the App folder, there are folders for Firefox and for Firefox64 which have "firefox.exe" for 32 or 64 bit version. I have changed my shortcut to Firefox portable to FirefoxPortable\App\Firefox64\firefox.exe and things are going very well. I sandbox this application path in the usual way into a dedicated locked down sandbox. This sandbox deletes everything after I exit Firefox portable.

    So at least for now, if this experiment is successful through continued updates of Windows and Sandboxie, I will not pursue my original idea of using Firefox Portable installed in a permanent sandbox.

    I welcome comments from supporters of Sandboxie, I'm not here to preach my idea, but to learn from others who have experience with Sandboxie. Again, this is all on a Windows 10, version 1903 PC, with the latest update of Sandboxie.

    Cheers!
     
    Last edited: Oct 21, 2019
  19. bo elam

    bo elam Registered Member

    dwalker, you are a long time user, we learn from you too. I know I learn something new about SBIE everyday. I always say people come up with different ways for using SBIE, ways I never thought about. We learn Sandboxie from each other. It's unfortunate the bank of Sandboxie knowledge (the old forum) is dead but we still have each other to share what we know about this beautiful program.

    Bo
     
  20. Brummelchen

    Brummelchen Registered Member

    code asks for admin right. thats no matter of code itself more of the used libraries. it is possible to lift the code to another language where any actions work on user level, that means it is possible without admin rights. (a reduced rights sandbox will show up)
    anyhow the portableapps code contains a lot of lines and modifications at files in profile but it lacks some functionality in general and has the rights flaw.

    concerning ransomware - i never got one, or any other malware. but the malware has to break several layers of security and that may be the major difference between me and others. sandboxie is part of it but not the first or second layer. and an active antivirus is neither nor part of it.

    about the example from Pete it overtook the desktop and maybe firefox. overtaking the desktop from within sandboxie is not hard to do - running explorer (which means also desktop) - or another start menu. but this will only cloak the real action behind. if firefox is hit in memory (payload) it will read any kind of data and send it elsewhere, whether the malware can pass sandboxie or not. and the portableapps starter is a bad kind of example how it not should be. forcing folder into sandbox is one method, but it still need the portable starter outside. a cheap batch file has more security.

    again the malware and firefox. firefox itself has several layers of defense and one of it is the usage of low or untrusted instances. that's beyond user rights or no rights. if you strip that away to a single instance firefox will act with user rights, either made by a sandbox setting or user account. the sandbox level of firefox within sandboxie has to be changed when user need audio or video, in most cases it fail for the hardware acceleration or at all. this had ever been an issue in old sandboxie forums and it also happens for chrome.

    on the one hand you build some security around the browser, on the other hand you need to lower security and in summary it has not really benefit. and people think using an antivirus will make it more safe. that's complete fail because current malware - in special ransomware - is tested each day against the most used suites. so it will break antivirus for sure and not by accident. don't take chance on the goal keeper. that's all what Umbra wanted to say.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Not this stuff again. This Brummelchen guy is still clueless. The whole point of Sandboxie is to trap malware inside the virtual container. This means that malware should not be able to infect the real system.

    Of course depending on the type of malware it might still achieve its goal, like keylogging or stealing files, so that's why Sandboxie should always be combined with other anti-malware tools IMO. Also, browsers have become a lot more safe, but it's still possible to bypass the sandboxes in Chrome and Firefox. Sandboxie running on top will then still contain the malware.
     