Does sandboxing help against scenarios such as Poison Ivy, etc?

Discussion in 'sandboxing & virtualization' started by overworkedmonkey, Nov 1, 2011.

Thread Status:
Not open for further replies.
  1. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    If I have Sandboxie running and have my browser, Flash player, PDF viewer, etc. confined to the sandbox, will it help against Poison Ivy, buffer overflows, etc.?
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If you set your sandbox to only allow certain programs to start/run and access the net, then no, it isn't going to work. No matter how ugly malware may be, they all still have to clear that hurdle of execution. No execution, no "pwning". The same goes for script malware: if scripting is whitelisted and you're careful, they don't stand a chance.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Depends on the sandboxie config, the exploit, the program that's exploited.
     
  4. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Unless there is some sort of kernel-level exploit involved, Sandboxie will work in protecting your drive from anything the malware will read/write. Will it stop it from executing? By default, no.

    If malware does execute, it can read anything... but writes are confined to the sandbox.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Reads are confined as well, aren't they?

    Anyway, even with a whitelist, exploits don't need to create a separate process; they can run within the process. That's like... the entire point of a return-to-libc attack and many others.

    You can lock down your Sandbox as much as possible; the exploits will still be able to run. The idea is to limit what they can do / stop as many from running as possible.

    Once you start poking holes in the box you start letting the exploit loose, which is why if I poke a hole to a folder I either make it read-only or I set that folder to low integrity.
     
  6. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Reads are not confined by default, but they can be.

    I just use Sandboxie with AppLocker, which works fine on just the Sandbox folder. I don't like using AppLocker with the rest of my system, but it's great for using it on the Sandbox folder... nothing runs.

    Sandboxie also has a run restriction, but it's not up to par with AppLocker.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Reads should be confined to the virtual area.

    or not

    idk lol
     
  8. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544

    sandboxed app can read anything unless you use resource access > block access... :D

    all it can do is read, if it tries to modify something, the action is then virtualized/confined.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Strange. I didn't know that. Thanks.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    For normal system stuff I don't worry about reads, but I have my personal folders areas totally blocked so they can't be accessed by anything in the browsers. Works great.

    Pete
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Microsoft doesn't think reads are much to worry about either - they're entirely unrestricted. I don't think that should be the case.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,213
    Hi, Peter, on one computer I have DefenseWall and on the other computer I have Sandboxie (for my job). My question to you is: what would you recommend that I block access to? For example, I decided to block access to my D: partition, which I need for my job; how do I do it?
    Do I go to the "Block Access" section in Sandboxie?
    And what about C:, where everything else from Windows is? What parts should I block, since I don't want to block all access to Windows? Or is it possible to block it without blocking your own access to C:?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I use Resource access file restrictions. All I restrict is my 2nd disk drive (D:\) and the My Documents area which is (%personal%\)

    That's it. I have nothing on my C: drive other than My Documents that is worth blocking reads to.

    Pete
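    To make the model in posts #4, #8 and #13 concrete, here is an added Sandboxie.ini fragment (example configuration written for this thread, not taken from any post or from the Sandboxie project). It shows the default read-through/write-virtualized behaviour, the Blocked Access restriction Peter2150 applies to D:\ and %Personal%\, and the Read-Only and Full Access alternatives mentioned in post #5. The box name "DefaultBox" and every path are assumptions; the setting names ClosedFilePath, ReadFilePath and OpenFilePath, the "program.exe," scoping prefix and the %Personal% variable are Sandboxie's own.

```ini
# Added example: Sandboxie.ini fragment for a box named DefaultBox (assumed name).
# Lines starting with # are comments in Sandboxie.ini.
[DefaultBox]

# Default model (no setting needed): reads pass through to the real file
# system, writes are redirected into the box. This is what an empty section gives you.

# Resource Access > File Access > Blocked Access.
# Everything running in the box is denied reads AND writes to the second disk
# and to My Documents. %Personal% is Sandboxie's variable for the user's documents folder.
ClosedFilePath=D:\
ClosedFilePath=%Personal%\

# Read-Only Access: the box may read the folder, but a write is refused rather
# than virtualized. The safer way to "poke a hole" for data the browser must see
# but must never change. (Assumed path.)
ReadFilePath=C:\Shared\Reference\

# Full Access (Direct Access): the kind of hole warned about in post #5.
# Reads and writes go straight to the real folder, so anything a compromised
# browser writes here survives the box. Keep such holes few and narrow. (Assumed path.)
OpenFilePath=C:\Users\Example\Downloads\FromSandbox\

# A restriction can be scoped to one program instead of the whole box:
# only firefox.exe is denied this folder. A leading "!" before the program
# name inverts it to "every program except firefox.exe". (Assumed path.)
ClosedFilePath=firefox.exe,C:\Users\Example\Private\
```

    When a setting is added through the Sandbox Settings dialog, Sandboxie writes exactly these lines to Sandboxie.ini, so the file can be reviewed after the fact to confirm that every OpenFilePath hole is deliberate and that the blocked paths cover the folders you care about.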
     
  14. wat0114

    wat0114 Guest

    If reads of private data are a concern, then there are ways to easily address this:

    1. Keep all private data in the Administrator's user space (assuming you are the Administrator) and run normally as a Standard user.
    2. Partition your hard drive, create a partition large enough to hold your private data and encrypt it using, say, BitLocker if using Win7, or TrueCrypt, and place all your private data there.
    3. Encrypt a USB pendrive and place all your private data there, instead.
    There's no need to maintain visibility of private personal data from a Windows account, and rely on something like Sandboxie to shield it from potential web-borne prying eyes.

    In my case, any and all data I have in my Standard or even Admin accounts that can be read is of inconsequential nature to me, where no one can gain anything from it or use it against me.
     