Chrome + AppContainer vs Chrome + Malwarebytes Anti-Exploit

Discussion in 'sandboxing & virtualization' started by Beyonder, Dec 31, 2016.

  1. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    55
    Hello. As you might already know, Chrome runs its own sandbox. However, under chrome://flags/ you can enable AppContainer support. If you don't know what AppContainer is, then the simple explanation is it that it's a type of sandbox included with Windows 8 or later Windows operating systems.

    Now the question is: Is Chrome with AppContainer enabled more or less secure than Chrome running side by side with MBAE? From my understanding Chrome already has most of the MBAE stuff implemented by default, so doesn't that mean that AppContainer should be the superior choice?

    I'm currently using Sandboxie, but since MBAE/AppContainer is less likely to break the browser completely it's a better choice for non-tech people like my parents but feel free comparing it with Sandboxie too if you want.
     
  2. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    389
    Location:
    sweden
    Let me present you with another alternativ. Antiransomware and EMET.

    Information about Antiransomware : https://www.wilderssecurity.com/threads/interesting-antiransomware-freeware.391031/ . Facts about EMET still being good protection even for W10 : http://www.ghacks.net/2016/11/24/microsoft-windows-10-emet-unnecessary/.

    There you will have some good install and forget protection. But you will still need a good backup solution to cover up if malware occurs, that is the best and simplest solution for "non techies". There exists some really simple and reliable solutions out there.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,872
    Location:
    Among the gum trees
    I've enabled AppContainer and Chrome is protected by HitanPro.Alert and all works great.

    Your mileage may differ.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    Tools like HMPA and MBAE are designed to protect the browser, even if the browser's own sandbox is breached. Same goes for SBIE, with the difference that SBIE is focused on containing malware instead of blocking it. So I would never rely only on a browser's sandbox, no matter how secure it is.
     
  5. I use HenryPP's chromium, it is compiled with CFG, so on Windows 10 you have extra exploit protection.

    First I have AppContainer enabled with about flags to run renderer processes in a AppContainer sandbox making Chrome's internal sandbox stronger and harder to escape.

    Second I have UAC set to block elevation of unsigned programs, so the broker process running medium level integrity rights effectively runs in limited user sandbox

    Third I use a little free program called MemProtect to enable Windows internal protected processes. I allow executables in Chromium folder to call and access memory of executables located in the Chromium folder only. So this is the third container around Chromium.

    Fourth I add a "Deny Execute/Traverse Folder" ACL to my download folder and Chrome's Appdata (user data) folders. When you apply that you will get some errors because Chrome apparently has set some ACL limitations on some files and folders itself.

    Because I use windows mechanisms only, there are is no code added (HPMA/MBAE/EMET) nor the security model is changed (SBIE), so I think Chrome is kept on its strongest.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    LOL, you seem to be fascinated by your Windows tweaking. But this is an old discussion. In general, hackers write exploits that are specifically designed to bypass browser sandboxes, they are not trying to bypass third party security tools that are running on top. So that's why the possible weakening of Chrome's (or other browser) sandbox is hardly relevant, unless you are targeted by some elite hacker.
     
  7. 1. Number one design principle of IT: be humble, (re)use what is already available.

    2. How many exploits have been found in the wild bypassing AppContainer sandbox?

    3. Old discussion not to be repeated, thank you
     
    Last edited by a moderator: Jan 10, 2017
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    Are these browser sandbox exploits currently being successfully utilized? As far as I'm aware, it's the browser plugins such as Adobe or Java that are typically targeted and not the sandbox, but I could be completely wrong. These days I'm becoming increasingly bored with these security topics because nothing ever happens in my neck of the woods, so I'm losing track of the latest and greatest exploit trends ;)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    That's not the point, I even said in another thread that it's becoming very hard for exploit-writers to successfully exploit systems because of browser sandboxes and ad-blockers. But that doesn't take away the fact that running security tools designed to protect the browser, is still a good idea, in case a browser's sandbox does get breached.

    https://threatpost.com/two-new-edge-exploits-integrated-into-sundown-exploit-kit/122974/
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    And BTW, when you think about it, people who are worrying about MBAE (or other tool) weakening the Chrome sandbox, are actually the true paranoid ones. Because those people assume they will be targeted by elite hackers, that will write specific exploits that will only work when Chrome and MBAE (or other tool) are combined. :argh:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    Important to note is that these were discovered vulnerabilities that were rapidly patched by Microsoft when they were disclosed. To date, there has not been a successful in-the-wild exploit against Edge: https://mspoweruser.com/security-company-eset-says-edge-browser-has-no-exploits-in-the-wild/ .

    That said, the Threatpost article had an interesting comment about the absolute need to insure the first thing required when acquiring an off the self PC is to run Win Updates.
     
  12. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,051
    Location:
    Europe then Asia
    Untrusted = low box token
    Appcontainer = low-box token modified based on "capabilities" set by the developer of the Metro App.
     
Loading...