Comodo Sandbox vs Sandboxie Tested

Discussion in 'sandboxing & virtualization' started by guest, Mar 13, 2010.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Fire the dudes, well, the fella on the left is good for party laughs, so keep him for a bit. We HAVE to keep the girl though, simply because she is hotter tha.....*ahem*, well, look, just keep her. Anyway seriously, what the heck was that? It reminded me of the old "ScreenSavers" program if it was hosted in a frat boy living room by said drunken frat boys. All that video tested was my ability to overcome ADD...it failed.
     
  2. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    I guess he took a lot of flak over Sandboxie and in the next episode he spent a few minutes responding.

    Basically he acknowledges that it's strong protection, but his issue is with the default configuration, and I kind of see where he's coming from. The default config allows the user to save downloads out of the sandbox to the desktop (where most noob users download stuff to anyway) with just one additional "Recover" prompt. From that point on there is no protection if the download is run, since it is out of the sandbox. Which makes it kind of easy for a user who doesn't really understand Sandboxie to screw things up.
     
  3. ratwing

    ratwing Guest


    Yeah....But really..

    I used Sandboxie in default configuration for years before someone, ssj100, on these forums, took the time to hip me (and others) about its true potential.

    Even so, I knew recover from sandbox=all bets off.

    That is pretty basic.
    Even then, recover does not equal execute.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I really don't see why things are "screwed up" with the default config. What is Sandboxie supposed to do besides asking whether or not to recover downloads? If Sandboxie is used the way it is meant to, meaning allowing the browser and the browser only to be run inside the sandbox and blocks drive by malware from running because of said config, it did its job. It isn't responsible for what users download themselves and remove from the sandbox.

    It's not a Geswall or Defensewall-type application, it wasn't made to be. What the user does outside of it is the user's responsibility alone.
     
  5. Clench Tightly

    Clench Tightly Registered Member

    Joined:
    Apr 2, 2008
    Posts:
    34
    As much as I like Comodo, this review was a crock and was blatantly unfair to Sandboxie.

    The reviewers are living proof of the age old truth that you don't have to have a long neck and feathers to be a goose.:D

    CT
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It is true, but people will still make mistakes and won't care about it even if it means getting infected :)
     
  7. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    I don't see any problems extracting a downloaded file [.exe, .rar, etc.] out of the Sandbox as long as you don't double-click on it to execute it. The file will be sitting at your Windows desktop or any folder where you downloaded it to.

    Although, you need to know for sure from what source you downloaded the file in question. If it is a shady web site, a compromised web site or a site known to post cracks bundled with Trojans, my advice would be not to recover it and just empty the Sandbox unless you are planning to recover it to be run on a VM or else.

    Regards,

    Carlos
     
  8. Very unfair to Comodo!
     
  9. Sorry. I meant unfair to Sandboxie. This review was a laugh.
     
  10. ratwing

    ratwing Guest

    @dw426:

    "If Sandboxie is used the way it is meant to, meaning allowing the browser and the browser only to be run inside the sandbox and blocks drive by malware from running because of said config, it did its job."


    With all due respect as a Sandboxie user and fan, the configuration you cited may be "the way it is meant to" (be used), yet it is hardly the default setting.

    @Dragons Forever:
    Freudian slip?
    Old habits/battles die hard, eh?
     
    Last edited by a moderator: Mar 18, 2010
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    So what are these guys saying, that Sandboxie doesn't offer any good protection? I'm sorry but I didn't watch the whole video, was a bit lazy.
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Agreed, it certainly isn't the default configuration. But, imho, Sandboxie really isn't worth a crap unless you change the default settings. I didn't use to feel that way, by the way, but I've since changed. That doesn't mean however that it has a problem with download saving. At the end of the day the user has to be the one deciding if the download is safe to commit to the disk, not Sandboxie.
     
  13. xorrior

    xorrior Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    66

    It's Kevin Rose grade technical analyses. Might as well go to G4TV or ZDNet and ask opinions. A little bit of sensationalism with a whole lot of ridiculous fads.

    None of them are protected on the Windows loader level. There have been POCs on at least Sandboxie and BufferZone where the host processes were vulnerable to injection, and jail-break was possible, even after that is patched they need to hide their processes so malware doesn't detect and bail so easily (even trojan-kits by noobs actively detect them currently and bail). IceSword inadvertently jail-broke Sandboxie, not sure if they ever fixed it.

    Also I don't like how people blindly slander and flame people who question the quality of a product. People I know who have made public proof of concept like for Sandboxie were attacked for it both on sysinternals and the Sandboxie forums. If you want to ignore concepts of software engineering expect proactive criticism, and resistance/ignorance only makes you look like an incompetent fool.
     
  14. ratwing

    ratwing Guest


    Amen!!, to all said.
     
  15. ratwing

    ratwing Guest


    I agree. I also feel that with a properly configured Sandboxie sandbox I feel safe.
    (Never mind I also run in ShadowMode of ShadowDefender 99% of the time)

    At least for myself, I try not to "ignore" anything, but to evaluate it to the best of my ability, and seek the counsel of wiser heads, on this Forum.

    That said, POCs that seem to defeat Sandboxie concern me.
    (Just not very much.)
     
  16. xorrior

    xorrior Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    66

    To me the biggest problem is the fact you can detect a loaded sandbox DLL from a process inside these and as a malware author simply kill your process. Even incompetent trojan authors currently detect sandboxie and a lot of other environments using this method. I haven't seen a malware in 'the wild' yet that breaks out. It'll probably show up in an industrial kit first.

    The reason that's important is statistically speaking the common user is going to get frustrated and risk running it on an open local system. Especially since most malware comes in off pirated software and media files that have malicious codec configurations. Sandboxie can easily hide their modules using what they already use for virtualization, the same applies to most of these engines, they don't use hardware virtualization.
     
  17. ratwing

    ratwing Guest

    thanks, xorrior, I see your point.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Posted over at SB's forum four and a half years ago by TNT:
    SB Forum Discussion
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Solution for Sandboxie:

    http://bsa.sandboxie.info/frameb.htm

    Not mentioned there because it's supposed you are using Buster Sandbox Analyzer, you must inject LOG_API.DLL.

    http://bsa.sandboxie.info/frame5.htm

    Edit Sandboxie's configuration (open Sandboxie Control -> Configure -> Edit Configuration) and add next two lines to every sandbox you will be using with Buster Sandbox Analyzer:

    InjectDll=c:\bsa\log_api.dll

    OpenWinClass=TFormBSA

    You can use LOG_API.DLL even if you just pretend to hide Sandboxie.

    Resuming: To hide Sandboxie use Hide Driver + LOG_API.DLL.
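
Added example, not part of the original post and not Buster Sandbox Analyzer's or Sandboxie's own code: a Python check that every sandbox section of a Sandboxie configuration carries the two lines given above. The sample configuration is constructed, and treating `[GlobalSettings]` and `[UserSettings_...]` as non-sandbox sections is an assumption about the file layout.

```python
# Added example: audit Sandboxie configuration text for the two BSA lines.
REQUIRED = [("InjectDll", r"c:\bsa\log_api.dll"), ("OpenWinClass", "TFormBSA")]
# Assumption: these section names hold global/per-user options, not sandboxes.
NON_SANDBOX_PREFIXES = ("globalsettings", "usersettings_")

# Constructed sample, not a real configuration file.
SAMPLE = r"""
[GlobalSettings]
ExampleGlobalKey=1

[DefaultBox]
Enabled=y
OpenWinClass=SomeOtherClass
OpenWinClass=TFormBSA
InjectDll=c:\bsa\log_api.dll

[Browser]
Enabled=y
OpenWinClass=TFormBSA

[UserSettings_PLACEHOLDER]
ExampleUserKey=1
"""

def parse_ini(text):
    """Return {section: {key: [values]}}. Keys may repeat, so values are lists
    (configparser in its default strict mode rejects repeated keys)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading byte-order mark
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip().lower(), []).append(value.strip().lower())
    return sections

def missing_bsa_settings(text):
    """Map each sandbox section to the required lines it lacks."""
    report = {}
    for name, settings in parse_ini(text).items():
        if name.lower().startswith(NON_SANDBOX_PREFIXES):
            continue
        # Keys and values are compared case-insensitively.
        missing = [f"{k}={v}" for k, v in REQUIRED
                   if v.lower() not in settings.get(k.lower(), [])]
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    for box, lines in missing_bsa_settings(SAMPLE).items():
        print(f"[{box}] is missing: {', '.join(lines)}")
```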
     
  20. Novastar 3d

    Novastar 3d Registered Member

    Joined:
    May 3, 2009
    Posts:
    65
    NO it DIDN'T. You should go back and reread the threads before making a foolish comment yourself.

    Yeah well the way I look at it is either put up or shut up. I remember reading a post by STEVE in Texas about some ActiveX they designed that completely killed the system, regardless of Sandboxie or any Security software but failed to provide any evidence except to the feds supposedly. (Frickin lol) Whatever.
     
    Last edited: Apr 13, 2010