SANDBOXIE HIGH TECH PROTECTION

Many are very high on the app SandboxIE (and for good reason) including Mods here at Wilders.

To anyone's knowledge at this point, is this sandbox virtually impenetrable so long as sandboxed?

In other words, are there any reports whatsoever where any (sandboxed) malware is proven capable of compromising it by jumping out of it's prison?

I recently tested it against some very mean malware and although the tray icon vanished still nothing penetrated the host system, that is IMPRESSIVE to me.

I bought another HD (Seagate) today strictly to expose it to the worse of the worse possible attack files so if anyone has a lead to something they wish tested let me know by PM because this is the purpose for this 2 partitioned HD i now have. I don't care of it gets affected at all, it's a totally research and proving HD.

EASTER

 

There are ways to penetrate the sandbox at the moment, though the effects are more likely to cause more frustration for the end user than any real damage.

 

Well I reckon it should be possible to convert some leaktests for firewalls into leaktests for sandboxes. Most leaktests have available source code.

So go to this website and browse down to the list of leaktest methods: (http://www.matousec.com/projects/wi...alysis/introduction-firewall-leak-testing.php)

Maybe try:

• "COM/DDE/OLE" (PCFlank, OSfwbypass, Breakout2, Surfer, ZAbypass),
• "Race Conditions" (Ghost)
• "Unhooking" (FPR)

And read that article on "destroying sandboxes" (google it)

 

Obviously what i have written sounds complicated. However if you wait i might just try and see if i can create a new leaktest for sandboxes...

 

Of course it depends how user has configured Sandboxie. In my configurations there is always only one program which can run and connect to internet. I'm still figuring how to block all not needed system drive folders and files (easy way).

 

Must admit that somewhile i'm in awe at what the darksiders can make to compromise that most advanced protection[its afterall clever coding and knowing OS's inside out]. Sure some day SB will be destroyed but developer is always very fast to fix his baby.Like Easter and Peter throwing the baddest stuff at it,until now SB holds its own sofar.

 

I'm sure there are holes. But can virus/spyware writers bother with sandboxes when there aren't many people using them? Why go to all that trouble to break out a sandbox when theres low hanging fruit to go for.

 

Easter, please do keep us posted on the results of your testing.

IMHO, you will get a lot of opinions ('yes there are ways', 'sure there are holes' etc), but I doubt you'll find any real takers with any POC or actual exploits. Sandboxie is indeed that good
[OT: I use it inside powershadow]

soccerfan

 

Excuse me for interrupting, but I was just reading a thread here in Wilders, which I can't find now and I would like to ask a question. The thread spoke about using Sandboxie and Returnil as well. Don't both apps accomplish pretty much the same thing? If so why would you need both? I'm using Returnil and might consider Sandboxie if I thought it would be useful. Thanks in advance.

 

IMHO, you will get a lot of opinions ('tested against mean malware', 'expose it to the worse of the worse possible attack files') but I doubt you'll find any real takers with any actualt documented tests to show Sandboxie is indeed that good.

 

I have never seen even one post to Tzuk on anything that was proven out to have left a sandbox on its own. No malware of any kind. There are a couple of things where users thought so, but were more confused on how Windows itself works. One of them concerns a sandboxed programs ability to change a clock setting, and that setting stayed changed after the sandbox was deleted. The setting change also survived a reboot. That is discussed here; http://sandboxie.com/phpbb/viewtopic.php?t=2725&highlight=

The other one was that a user had installed a wallpaper changer program in a sandbox. Then used that program to change the wallpaper. The new wallpapers .bmp file was in the sandbox. The user then deleted the sandbox (along with the .bmp), and the wallpaper was still on the screen. Upon reboot or log-off that wallpaper was replaced by the original wallpaper. (probably would have even been gone with a refresh). Here is the key with that one. The original wallpaper was restored, not just any wallpaper or the bottom one on the list in Display properties.

 

I was also curious why users would need to resort to virtualizing TWICE as example, employing both SandboxIE and shadowing the system with Power Shadow/Returnil, but then a tiny pinlight began to emerge with after thought.

If anyone here at Wilder's is been the chief culprit of "piling on" or layering of apps, i would have to rank right up there with most of them at one time. In a sense i still subscribe to that method but yet now on a much lesser basis.

Out of a lot of these Pete is tested for instance, just a slight few have actually come thru and were considered well durable enough to stave off being displaced or interupted at all.

SandboxIE seems to fit that style of a solid containment fence with the barbed wire being the extra Returnil/Power Shadow etc.

I suppose it wouldn't hurt just in case sbie control went offline for whatever reason (and other concerns) but then again, i'm not tzuk, and perhaps once sandboxed no matter if something did locally malfunction, any (Sandboxed) apps activity would still be limited because as i see it and from what i'm able to understand they already are feeding and drawing activity from a source, only that source is the artificial/duplicate system if you will created by SandboxIE.

As it stands and if nothing changes SB alone can hold it's own, but then Returnil and others can too, operating solo, although IMHO every security app including Sandboxes/Virtualizers should always be supplemented with even a small cast of other supporting programs and most of us here do just that.

 

Extremely well said.

 

So if I understand the concept correctly, and you're using Sandboxie with Returnil as another layer of defense, Returnil is virtualizing Sandboxie which is sandboxing your HD. Is that right?

 

One argument for comparison might lean to concensus that favors which security app, virtualizer in this case, was installed ahead of the next one, but this is only speculation since obviously that is a question better suited for those respective developers. But from experience i can report, like you and all members/users, my results.

Retunil/Power Shadow can indeed return a clean slate after reboot from shadowing SandboxIE. The beauty of SandboxIE is that you can delete/terminate on-the-fly anything that lands in it's sandbox or thereafters, so it begs to question why use both?

And my answer to that would be the same as why i also prefer to use a HIPS (EQS), on chance no matter how remote, if some new fierce malware let's say is embedded with a file infector and who knows what else, just hypothetically speaking, happened to at the very least break out where lets say not even Returnil was immune, then this whole method for protection would have been in vain, but of course reported and fixed, but then the damage would already been done.

This is why i am very excited and a strong proponant of HIPS, a pre-stage interceptor of sorts. If something malicious wants to drop into the sandbox, it has to pass the gatekeeper first for thorough examination (Google Search/AV Scan) and be declared safe.

 

Easter, for me, sandboxie is indeed the first line of defense Why powershadow (or returnil)? Because it serves to prevent (through boot-to-restore) the after-effects of any user (i.e. my) stupidity My ultimate line of defense is a ghost (or TI) image

soccerfan

 

Very well said.

When we examine the entire picture other fall back measures MUST be included of course for that 100% reassurance.

I'm trying to focus on the what if, and can we as users depend on solely a single sandbox minus any supporting cast as HIPS/Returnil etc. and if SandboxIE would fair secure enough in a solo role. I think the same comparison would draw equal results from Returnil/Returnil etc. but for sake of topic i chose SandboxIE because it exhibits all-about protection without need for Reboot-To-Restore.

 

Just from the standpoint of adding any information that I possibly can to help you with your testing and experimentation, there is one thing that you may find useful. That is that if you already have an underlying problem that is more system related as opposed to security related, that problem seems to amplify in the sandbox. Specifically CPU, memory, and browser add-on problems. The complaint often is; "Everything was fine before SandboxIE and now it isn't. IE takes 30 seconds to load." - This normally traces back to an add-on issue with a BHO. As strange as this may sound, the program often has diagnostic ability in that regard. haha - What I mean is that we all know that IE doesn't take 30 seconds to load, so there must be a problem 'somewhere'.

I am including this prerequisite in your hypothetical and your recommendation as to a layered approach to any security products ultimately chosen. A difficulty arises in that, considering the preceding paragraph, a user almost has to 'commit' to SandboxIE prior to adding additional layers. This may help to explain why some users feel differently than others about the program after adding it to different sets of preexisting programs.

 

I agree totally with that summation. If a problem exist BEFORE sandboxed, obviously it will remain a problem, and maybe even amplified? I never experienced a single problem like others who seem to go Gah Gah over apps like Ad-Muncher and the like.

Some like myself prefer to stay within the confines of basics, like a Power Shadow/Returnil/HIPS along with SandboxIE. I've read countless ups and downs with the browser FireFox and frankly aside from playing with it once, i stick strickly with trusty ole IE6 or Opera. FF is just never got thru to my taking serious interest in it.

Properly monitored IE is as safe a browser as it comes IMO in spite of it's swiss cheese reputation, and in the hands of freeway surfers unprotected, it's as lethal as leaving your door open at bedtime which is sure sooner or later to invite more than just nocturnal flying creatures in the night or some other crawling pests. (Humorous Analogy)

I haven't a clue why some have experienced issues from regular programs, now driver loading apps might clash, i don't doubt that, it's the nature of the O/S itself in many cases and tzuk i'm sure has examined such clashes.

But straightly speaking, seeing & experiencing the solid benefits of virtualization, i was curious just how well SandboxIE could stand on it's own and it seems from the reports posted here and at their forums, does a very admirable job at meeting those challenges.

 

SandboxIE is a perfect program to use in a layered structure. The reason that I state this is that it changes what had been a 'Critical Decision' (browser choice) to a 'Secondary Decision' (user choice). Since day one we have gone back and forth on that one issue with no consensus to this day. Think of all the time we now have to focus on other security related things. lol - Hey, toss Media Players in there also. Since internet interaction is easily such a large percentage of what all of us use our computers for, that is a huge load taken out of the equation. It is a good time for users because of these products. We can choose user programs that we like without having to bury ourselves in the often impossible to solve '50-50ness' concerning those user programs potential vulnerabilities.

 

twl845,

Returnil virtualizes your C: system partition only. Sandboxie was meant to virtualize or isolate your internet facing applications from your system. I run my browser and my media player through Sandboxie full time except for updates.

Sandboxie also has a couple trick's up it's sleeve where it can easily be configured to block access to your other partitions from what is running Sandboxed. In other words, if malware somehow found it's way into the sandbox and if it could run, it wouldn't be able to read or destroy your valuable and personal data.

Sandboxie also can be configured so that only one program at a time in the Sandbox (ie: firefox.exe, iexplore.exe etc.) is permitted internet access. This could help stop possible malware in the sandbox from connecting out. It acts sorta like a firewall.

To me, Retunil and Sandboxie compliment each other nicely. I hope this helps .

innerpeace

 

The reason IE takes extra time to load when sandboxed isn't due to a BHO. It's due to the nature of the sandbox. When IE loads sandboxed, it loads into a sterile environment with no OS or anything it needs. Everything it needs has to be retrieved and copied into the sandbox. That takes time. Once that is done, then subsequent uses of IE doesn't require those time-intensive matters, and it loads rapidly, until such time that the sandbox is emptied and the routine begins again.

 

I don't experience any real noticable delay when sandboxing IE, and since i'm presently confined to 56 dial up anyway, i expect a momentary hesitation but it is definitely not so significant to warrant a complaint and certainly not due to SandboxIE, thats for sure.

Sandboxed, IE runs normal as usual here.

 

That is part of what I am trying to dispell, and inform on. IE loads in seriously less than a second here. (first start after reboot) If you have nothing that you can put your finger on and you have a delay, don't accept it as normal. 'Something' is holding you up. But if you were pulling let's say all of Adobe Reader in as a BHO, you would probably see an unusually high delay. And that would be normal.

 

Inner Peace - Thanks for the explanation.