Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    For Comodo Internet Security users on Windows I see no real benefits of using Chrome. I have not used Windows for quite a while but I assume Comodo can still virtualise a browser...?

    If this is correct then why use Chrome..?
    Just use an open source browser and you're fairly good to go.
     
  2. guest

    guest Guest

    Indeed, but the point is using Sandboxie with it (far more tweakable than Comodo's sandbox)

    because I like it :p

    - unlike Firefox, Chrome is better displayed on my system (on High DPI)
    - Chrome is safest (because of its "sandbox")
    - Chrome is fastest on my system (I use the beta x64 version).
    - Fixes are fast.

    I also use Tor Browser
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    On my home and office PC Comodo sandbox is verrry laggging. :(

    Chrome restriction sandbox is considered to be very safe. Why not use it?
     
  4. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    Why use a browser that only restricts certain code when the whole browser can be run in a virtual environment? :)
     
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Restriction in a virtual sandbox adds safety. Pure virtualization is not so safe.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,321
    Location:
    Slovenia
    For regular users who probably don't want to be bothered with virtualization, built-in restrictions are IMO more than welcome. It would be nice if more developers would start implementing similar restrictions in their products.
     
  7. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    Really?
    Then why have Comodo implemented such a feature? The same constructive criticism could be applied to Sandboxie also.

    If a very nasty piece of malware dropped on the system, I would sooner it was fully contained rather than allowed to roam free with reins on.
     
  8. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    For example, a nasty can call home from a virtual space. A restrictions sandbox prevents it.

    For example, I use time machines on some of my PCs. It's pure virtualization (unless MBR is intact though). Is it enough for security if I can revert to any snapshot at any moment? So no need for other layers of protection?
     
    Last edited: Dec 6, 2015
  9. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    In Comodo the calling home should/would be stopped by the firewall.
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    That's not really true, because in Sandboxie itself without Chrome you can restrict and block anything you want, so you can also additionally restrict with Chrome anything you want. This is why Sandboxie with configuration restrictions adds more protection when it is running on top of Chrome.
     
  11. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    But a fw cannot prevent redirection of web pages etc., as is shown in this MBAE video:
    hxxps://www.youtube.com/watch?v=34rrjkRkj1s

    Thanks for confirming my idea:
    :D
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,085
    Location:
    The Netherlands
    And BTW, for the people that think Chrome can't be hacked, don't forget about the Hacking Team exploit, that used a Flash + kernel exploit to bypass Chrome's sandbox. It's likely that SBIE would have been able to block or at least mitigate the payload.

    And I'm not making this up, you can read the report from Bromium about kernel exploits, they confirmed that even when using a kernel exploit, they had to directly attack SBIE (do some extra work) in order to completely bypass its protection. So with SBIE you at least have a chance to mitigate these kinds of exploits, when it's not targeted.

    http://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/
    http://arstechnica.com/security/201...y-potent-enough-to-infect-actual-chrome-user/
     
  13. guest

    guest Guest

    After all, security softs are like armored doors: they are not made to totally deny the breakers entry to your house but to make their job harder :p
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    That is really not true at all, because I did not confirm anything. What I said and confirmed is the part that with Sandboxie you can also restrict/block just about anything.
    But take a look at this: if you remove all the restrictions, if you take away all integrity levels that Chrome sandbox possesses, Chrome's own sandbox will not be able to protect you from anything at all. Everything inside Chrome is based on restrictions.
    Now, remove all the restrictions and all integrity levels inside Sandboxie and do not enable/disable DropMyRights (this means Sandboxie on default level), and malware, infections and even exploits will still not be able to harm or even touch your real harddisk/computer!!!!
     
  15. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I agree. Though uncontrolled malware etc. are undesirable and might be dangerous even in a sandbox.

    BTW, is it of any effect to enable Drop Rights in Sandboxie in a standard user account in Windows 7?
     
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,282
    Not true, Cruelsister (security expert that posts here) has proved that Sandboxie can be bypassed at the default level. (Search for her videos and tests.)
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,969
    Location:
    Nicaragua
    That vulnerability was fixed in version 5.04.
    http://www.sandboxie.com/index.php?VersionChanges#v_5.04

    Bo
     
  18. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,040
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    First, this is the only own vulnerability in plenty of years and it has never been used in the wild, plus it has been fixed in version 5.04 as others posted. Second, the only form of malware that could bypass Sandboxie on default level are keyloggers. However, with Internet access restrictions and start/run restrictions, and Sandboxie also blocks all of the DLLs, so that no keylogger and no other form of malware can do anything at all.
     
    Last edited: Dec 10, 2015
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,918
    Location:
    Mexico
    :thumb: +1
    This is why I love Sandboxie, and Invincea, I must admit, is doing a superb job lately, especially on compatibility and lag of processes.
    In fact almost every app facing the Internet uses the yellow (and several other colors) condom LOL
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I cannot believe this thread is still so active lol.

    I have used Sandboxie off and on for many years now. I have used all browsers at some point. My conclusion is very simple.

    If I don't use Sandboxie, any browser will allow "something" through at some point that I do not want, and I will have to clean up the mess.

    If I do use Sandboxie, nothing has EVER escaped it, and cleaning up the sandbox is effortless.

    That's all that matters to me :)
     
  22. @Sully

    PGS still works on Windows 10 32 bits :thumb:

    Regards Kees
     
  23. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,040
    When I saw someone posting on this thread, I was thinking the same thing: it's still active? Anyways, I agree with you. I use Sandboxie every day, Chrome included. Nothing ever escapes Sandboxie. But there are some days when I run Chrome without Sandboxie. But I don't worry much.
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Cleaning the sandbox is not effortless. You need to prepare everything meticulously or else face anything from minor inconvenience to data loss.

    If you don't want "something" to get through, just use a text browser and don't download anything. As for "mess", that is completely dependent on the user and their browsing habits.

    All that matters to me is that I'm reasonably secure without having to worry about tinkering this and that, especially for family computers.

    *Then again, if I didn't use Chrome so much or even dislike it, I would install it inside SBIE.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,321
    Location:
    Slovenia
    I use Chrome under SBIE control but mainly to improve privacy. All Chrome writes are redirected to RamDisk and when I close it all locally stored identifiers are gone.
    I also like how I can restrict browser access to personal data without playing with ACLs and similar.
    About something breaking out of Chrome's sandbox - I don't worry about that much. IMO it's really unlikely to happen.
     