Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Last edited: Nov 14, 2019
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    the picture on sophos is fake. ccleaner accumulates found cookies in that option which do not apply to the real existence of cookies. never-ending story.

    the existence of cookies is as bjm_ shows when you tick IE > cookies - or IE directly (internet options).
     
  3. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    455
    Location:
    Mexico City
    Thanks Bo.. maybe they are spying on us :ninja: I will block that connection
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,933
    Location:
    UK
  8. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Probably, but 0-days are astoundingly rare and Sandboxie doesn't really seem worth the program breakage that everyone seems to be having, me included on my laptop.
     
  9. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
  10. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    At the risk of shooting myself in the feet I find fault with your short argument because SBIE does not rely solely on the built-in windows UAC controls or integrity levels (aka in this instance what I took to be your description of the 'windows sandbox') but instead relies on hooks [OM*G the number of user mode hooks is insane!] and then has requests sent to the SBIE service asking for permission to do THIS OR THAT.

    They are both using lower integrity levels as a starting point (and this is mostly good). It does not, however, instantly translate into fact that if someone can trick or bypass the Chrome broker it also applies to Sandboxie.
    Sandboxie has both service and driver components to aid in its decision-making and enforcement, chrome does NOT. How helpful that ends up being is not something I can properly attest to as I haven't investigated either in this scenario but with the little experience I do have with SBIE I'm tempted to believe that it still has a greater chance of preventing an escape.

    Don't get me wrong. I find the sheer number of user mode hooks which SBIE currently uses alarming. They are more often than not responsible for the compatibility issues you read about here or there. I don't even use SBIE anymore and while not particularly related to the number of hooks I have found things to simply be easier to handle these days.

    That said I still disagree with your statement that one cannot protect against something just because the other doesn't simply because they both start off by relying on a principle of 'least privilege' even if that means they initially start off at the same disadvantage by relying on the OS to limit what they can do and both use brokers to check the rest. SBIE has many 'extra' checks. It also has a bunch of other 'options' a user could choose to enable in order to block even more things.
     
    Last edited: Nov 29, 2019
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    bypassing windows sandbox means breaking out of an untrusted or low integrity process - this means bypassing DEP, ASLR, CFG Integrity - one or a combo of those. if sandboxie has "extra" checks this would mean you can bypass or harden these mechanisms, even if they were deeply hidden under the hood (ini file). if you have set sandboxie to limit processes, access, rights or web ofc this would limit the damage. if not, anything is possible. i don't know how many special switches sophos built into sandboxie to eliminate incompatibility for chromium based browsers.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Are you sure this is BS? AFAIK, these hackers used holes in Chrome to break out of the sandbox. Sandboxie implements the sandbox in a different way, so if Chrome and Firefox get hacked, this doesn't mean that Sandboxie will fail to protect the system automatically. Hackers will also need to exploit Sandboxie. So I'm afraid you're the one who is talking BS.
     
  13. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Would auto-denying admin access help with this at all?
     
  14. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I won't argue with you there.
    I don't even use it atm so while once upon a time I might have bothered to do some test stuff ~ that isn't where I currently am.

    Hopefully people who care and have some real insight will take a look once the source is finally released and be able to tell actual users more!
     
    Last edited: Dec 1, 2019
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No of course not. They are using holes in Chrome to get remote code execution and then elevate rights. The point is that if Sandboxie is not targeted, it will still contain the malware.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    You know this based on what information? So far I've seen nothing but an obscure tweet on this hack. If this was the Pwn2own tournament, details on this nature of exploit would have been posted within a week of it happening.
     
  17. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Wait wait. So seeing as how LOTS of people use chrome and not that many people use sandboxie, if only by comparison, how likely is it that someone would target sandboxie as well as chrome using the same exploit method?

    Okay, while proofreading this post, I scrolled up and saw that you weren't the one nay-saying sandboxie. Hopefully @Brummelchen will see this post.

    The whole point of using sandboxie is to have a safety net in case of exploited vulnerabilities in any applications that you'd run inside of sandboxie. If you're worried that something might bypass sandboxie as well, then get HitManPro.ALERT! to go with it and set the rule that allows HMPA to work with sandboxie. But what you'll want to do is set the rule for just one sandbox and then go into the configuration file and cut&paste the rule into the global rules.
     
    Last edited: Dec 7, 2019
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Don't just hope, make sure he can read it. How? Mention him in the post by clicking @ followed by his name. A notification will be shown when the user signs in.
     
  19. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Oh, by the way, I was talking about auto-denying admin access within the supervision of sandboxie's sandboxes, not windows.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Servers for offline activation are working again.
    Was able to reactivate my lifetime license for an older version of Sandboxie.
     
    Last edited: Dec 10, 2019
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's exactly my point. But some were also saying that Sandboxie on top of Chrome, would actually make Chrome easier to hack. I'm not buying that stuff, because you will still need to find holes in Chrome.

    No that won't help either, assuming that hackers can elevate rights.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, they didn't publish any information. But there are two ways to exploit a browser like Chrome:

    1. By using holes in Chrome to get remote code execution and elevation of rights.
    2. By using holes in Chrome + Windows to get remote code execution and elevation of rights.

    In the first case, Sandboxie will most likely still contain the malware. In the second case, Sandboxie might still interfere with malware. I say this based on the Bromium report that was published years ago about sandbox escapes.
     
  23. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    i have read it but why repeat my own words? and it's not my problem when some people think they are more clever but always run into trouble here.

    target of the TianfuCup was to break chrome and get elevated rights to compromise the system which is not possible with only user rights. so the breach got admin rights for its purpose. sandboxie can (or better: should be able to) deny admin rights with settings. but it can not prevent the chrome breach. another target was VMware ESXi to reach the host system. maybe sandboxie is not interesting enough.
    if the box has admin rights the chrome breach was successful and malware can do anything it wants inside the box. and if sandboxie would be vulnerable malware can break it too and jump like the vmware breach into the host.
    yep.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Sure, very likely they achieved the breach one of these ways, no arguments here, but I'd like to see details on exactly how they achieved it, rather than speculation. The details of an exploit of that magnitude should have been posted long ago. The Tianfu Cup had far more members than any pwn2own contest, yet the latter posts details of these kinds of hacks within a few days of them happening.
     
    Last edited: Dec 10, 2019
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Brummelchen, regardless of your claims (these past few days), the truth is that it is harder for malware to infect if you are using Sandboxie to sandbox Chrome, and it gets even harder if the user is able to use Drop rights in the sandbox where he runs Chrome. You can claim all you want, but that's the honest truth and all I would care about if I was a Chrome user.

    Rasheed used a very important word in his last post that perfectly describes what Sandboxie attempts to do if and when we are under attack, that word is "interfere".

    That's what Sandboxie tries to do in every step the malware takes to infect; by interfering with what the malware does, it is more likely than not that the malware will fail somewhere along the process it takes to infect. The malware might succeed in steps 1 and 2 but fail in step 3 so it can't continue or escape out of the sandbox. If it can't break out of the sandbox, it can't infect.

    Bo
     
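Several posts above (Brummelchen on settings in the ini file, GrDukeMalden on global rules in the configuration file, bo elam on Drop rights) refer to hardening a sandbox by dropping admin rights. The script below is an added example, not from the thread or from Sandboxie itself: it parses a constructed Sandboxie.ini sample and reports which boxes do not end up with DropAdminRights=y. It assumes that a value in [GlobalSettings] applies to every box unless the box section sets the key itself, that repeated keys keep the last value, and that [GlobalSettings], [UserSettings_*] and [Template_*] sections are not boxes.

```python
# Added example (not Sandboxie's own code): audit a Sandboxie.ini for boxes
# that do not drop admin rights. Sandboxie.ini is a plain INI file in which
# [GlobalSettings] applies to all boxes and a key may be repeated in a section.
from collections import defaultdict

# Constructed sample: one box inherits the global setting, one overrides it.
SAMPLE_INI = """\
[GlobalSettings]
DropAdminRights=y

[DefaultBox]
Enabled=y
ConfigLevel=7

[BrowserBox]
Enabled=y
DropAdminRights=n
Template=OpenSmartCard

[UserSettings_Foo]
SbieCtrl_AutoStart=y
"""

NON_BOX_PREFIXES = ("GlobalSettings", "UserSettings_", "Template_")


def parse_sandboxie_ini(text):
    """Return {section: {key: [values...]}}, keeping repeated keys in order."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current]  # register the section even if it stays empty
            continue
        if current is None or "=" not in line:
            continue  # ignore stray lines outside any section
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections


def boxes_without_drop_rights(sections):
    """Names of boxes whose effective DropAdminRights is not 'y'.

    Assumption: a box-level value overrides [GlobalSettings]; last value wins.
    """
    global_drop = sections.get("GlobalSettings", {}).get("DropAdminRights", ["n"])[-1]
    weak = []
    for name, keys in sections.items():
        if name.startswith(NON_BOX_PREFIXES):
            continue
        effective = keys.get("DropAdminRights", [global_drop])[-1]
        if effective.lower() != "y":
            weak.append(name)
    return sorted(weak)


if __name__ == "__main__":
    for box in boxes_without_drop_rights(parse_sandboxie_ini(SAMPLE_INI)):
        print(f"box {box} runs without DropAdminRights=y")
```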