Feasible? Sandboxie in DW or vice versa

Discussion in 'other anti-malware software' started by Perman, Mar 6, 2008.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    I have read some discussions on an off-shore (outside North America) forum that, in order to compensate for each other's shortcomings, there are some suggestions: to run some programs in SBIE and some others in DW, or to run SBIE inside DW, or to run DW inside SBIE.

    Members' feedback will be appreciated.

    Take care.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Well I don't quite do that, but I do run my browsers in Sandboxie, and at the same time, I have them set to Run Safer in Online Armor, which lowers the rights they run at. Sort of redundant protection.

    Pete
     
  3. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I'm running SBIE inside DW. It works, mostly. Had a few crashes with "Firefox encountering a problem and will close...". I've reported the issue and it's being looked at. It may not be DW or SBIE, or even running both of them, that's causing it. But I can say 90% of the time they co-exist and it's a good setup. I'd be happy if the occasional crashes get sorted. The good thing is that anything coming into the SBIE virtual folder has its privileges stripped by DW, so even when it's recovered from the Sandbox to the 'actual' PC it's still under the restrictions placed on it by DW. Which is rather nice.

    As I said. It works, mostly.

    muf
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Muf:

    Nice to hear that. How do you do it ?

    Do you put the whole sandbox folder, or just some files of it, such as sandboxdefault, in DW as an untrusted application?

    Your replies are appreciated.

    Thanks.
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I find running 2 sandboxes together a strange idea... This is because SBIE and DW are not real virtual machines (it's not like you would run VirtualPC inside VMware, for instance). They both protect your computer by hooking and manipulating Windows API function calls. For instance, let's suppose both sandboxes hook NtCreateFile. If you create a new file, where would it end up? Which of the 2 sandboxes will have the last word in deciding where the file will be created?
     
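    As an added illustration of the hook-ordering question raised above (this is a toy model written for this thread, not code from Sandboxie, DefenseWall or any poster), the Python below chains two simplified NtCreateFile hooks on one file operation: a virtualization hook that redirects writes into a sandbox folder, and a policy hook that denies untrusted callers access to protected locations and labels everything else they create as untrusted. The sandbox root, the protected-prefix list and the exact behaviour of each hook are assumptions chosen for the model; the point it shows is that the same request ends up either silently redirected and labelled, or refused outright, depending purely on which hook runs first.

```python
"""Toy model: two file-system hooks layered on a single NtCreateFile-style call.

Everything here is a simplified assumption for illustration; neither product
is implemented this way, and the paths/prefixes are constructed sample values.
"""
from dataclasses import dataclass, field

# Constructed sample values (assumptions, not the products' real defaults).
SANDBOX_ROOT = r"C:\Sandbox\DefaultBox"
PROTECTED_PREFIXES = (r"C:\Windows", r"C:\Program Files")


@dataclass
class FileOp:
    """One create-file request as it travels through the hook chain."""
    process: str                      # calling process name
    path: str                         # path the application asked for
    untrusted: bool                   # policy-sandbox trust label of the caller
    denied: bool = False              # set when a hook refuses the request
    tags: set = field(default_factory=set)  # what each hook did to the request


def virtualize_hook(op: FileOp) -> FileOp:
    """Virtualization-style hook: writes outside the box are redirected into it."""
    if op.denied or op.path.startswith(SANDBOX_ROOT):
        return op
    # C:\Windows\x.dll -> C:\Sandbox\DefaultBox\C\Windows\x.dll (simplified layout)
    op.path = SANDBOX_ROOT + "\\" + op.path.replace(":", "", 1)
    op.tags.add("virtualized")
    return op


def policy_hook(op: FileOp) -> FileOp:
    """Policy-style hook: untrusted callers may not touch protected locations,
    and anything they do create is labelled untrusted."""
    if op.denied or not op.untrusted:
        return op
    if op.path.startswith(PROTECTED_PREFIXES):
        op.denied = True
    else:
        op.tags.add("untrusted")
    return op


def run_chain(hooks, op: FileOp) -> FileOp:
    """Apply the hooks in the given order; a denial short-circuits later hooks."""
    for hook in hooks:
        op = hook(op)
    return op


def compare_orders(process: str, path: str, untrusted: bool = True) -> dict:
    """Run the same request through both possible hook orders and return both outcomes."""
    return {
        "virtualize_then_policy": run_chain(
            [virtualize_hook, policy_hook], FileOp(process, path, untrusted)),
        "policy_then_virtualize": run_chain(
            [policy_hook, virtualize_hook], FileOp(process, path, untrusted)),
    }


if __name__ == "__main__":
    # Constructed sample request: an untrusted browser writing into a protected folder.
    for order, result in compare_orders("firefox.exe", r"C:\Windows\dropped.dll").items():
        print(f"{order:24s} denied={result.denied} path={result.path} tags={sorted(result.tags)}")
```

    In this model, virtualization first produces a file inside the sandbox folder that also carries the untrusted label (the outcome the folder-as-untrusted setups in this thread rely on), while policy first refuses the write before any redirection happens, so the application sees a failed call instead of a transparently virtualized one. Which of the two a real system does depends on where each driver sits in the hook chain, which is exactly the detail the question above says is undefined when both products are stacked.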
  6. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I use Sandboxie for browsing with Firefox and Defensewall for all other internet facing apps.

    At first I had Firefox as an untrusted application in DW. With this configuration however Firefox would startup as sandboxed and DW untrusted at the same time. This slowed browsing down a lot so I left Firefox as a trusted application in DW and set the Sandbox folder as untrusted.

    Now Firefox runs sandboxed only and all files within the sandbox are DW untrusted. Anything recovered from the sandbox comes out as untrusted.
     
  7. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Well I never actually set anything from Sandboxie as untrusted. But I do have Firefox untrusted. So when that runs untrusted DW makes Sandboxie untrusted by default. The two processes SandboxieRpcSs.exe and SandboxieDcomLaunch.exe are untrusted. As are all the folders and files created within the sandbox. SbieSvc.exe is trusted and so is SbieCtrl.exe. It's an odd setup but works, mostly...

    muf
     
  8. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Yep, that's exactly the same setup that I had. I decided to change it because it really slowed down my browsing. Setting the Sandbox folder to untrusted meant that anything coming out of the sandbox was untrusted and my browsing speed was back to normal.
     
  9. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Interesting! So much so that I'm trying this myself to see if it solves the problem I had with the crashing. I didn't have any slowdowns but the occasional crashes are a little niggling.

    muf
     
  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I once thought of the idea of running Sandboxie inside DW and having DW as my HIPS. I tried DW but I don't think it's a very good HIPS because it failed the "System Shutdown Simulator" test,

    so I replaced DW with EQSecure.

    You know what would be better security? Wait until the new version of EQSecure comes and run Sandboxie inside EQSecure's sandbox.
     
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello arran,

    I have tested DefenseWall (DW) v2.21 (compatible with Vista SP1) against the latest version of System Shutdown Simulator (SSS). What I have found is that provided one runs the SSS executable as "untrusted" and follows the instructions, DW "passes" the HIPS software test (test 2 of 3) because it prevents an auto-start registry key from being created.

    Contrary to your findings, it is my personal opinion that DW does "not" fail the SSS test because of the following two reasons. First of all, the antivirus software test (test 1 of 3), which attempts to create an Eicar test file, is primarily a test for blacklist scanners. This test does not apply to DW because it is not equipped with such a scanner. Lastly, the firewall software test (test 3 of 3), which attempts to download and execute a test file, does not apply to DW because it does not employ outbound application network control as is found in traditional firewalls.

    My interpretation of a "fail" in regards to any security application subjected to the SSS test would be as follows. An antivirus program fails the antivirus test, a HIPS program fails the HIPS test and a firewall program fails the firewall test.

    Please refrain from proclaiming a conclusion until you have all of your facts straight.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Mar 6, 2008
  12. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    Thanks for all the feedback. This is my setup for now.

    In DW, I disable iexplorer, add sandbox folder as untrusted.

    I use SBIE to launch web browser (IE).

    If I recover some files, then I go to DW to remove that file from the untrusted list.

    So far works just fine.
     
  13. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    My current setup is EQSecure + DW + SBIE:
    EQSecure as classical HIPS
    SBIE for web browsing
    DW for restricting rights for all other internet apps

    Adding DW also ensures I pass all AKLT tests. Note that v2.20 of DW failed GetAsyncKeyState on my system. Ilya produced a fix for me in a couple of hours. Great support.

    I really don't think it's necessary to run SBIE inside DW or vice versa. SBIE does a perfectly good job on its own. The fact that anything recovered from the sandbox is untrusted by DW is an added bonus.
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    Yes, I agree that it prevents an auto-start registry key from being created and that the antivirus and firewall tests do not apply to DW.

    The part where DW failed was that SSS was able to shut down DW along with all my other programs that were running, but thinking back now it could have been the dfk-threat-simulator-v2 test which was able to shut down DW. But the bottom line is one of these tests or both was able to shut down DW.

    And before you ask, yes, I did make sure that they were running as "Untrusted".
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Hi arran

    If you find time and can re-run your test, I would appreciate confirmation of that potential leak, which is IMO well worth the attention you're bringing to it.
    I'm curious exactly which test actually evaded protection.

    Thanks

    EASTER
     
  16. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Yes, OK, I shall uninstall EQSecure and install DW again and try again and post some screenies, just for you Easter because I love reading your informative posts.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Thanks.

    I'm equally fascinated by comparisons made by users like yourself too, and also like to mull over your own opinions on those results; sometimes they're favorable and sometimes not quite up to expectations, but it makes us all pay more attention that EVERYTHING works like it's supposed to.
     
  18. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello arran,

    One other thing to consider in regards to the SSS test and DefenseWall (DW) is that DW would not be able to "pass" the HIPS test or any other applicable test if it was effectively shut down. If a DW component was shut down, chances are good that it was only its GUI (defensewall.exe) in the system tray, which has nothing to do with its protection duties. Keep in mind that the foundation of DW's main protection mechanisms is installed both as a "service" and as a "system driver" at the kernel level (ring-0).


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Mar 8, 2008
  19. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello arran,

    With Shadow Defender in "Shadow Mode" and Primary Response SafeConnect disabled, under Vista SP1 I tested DefenseWall (DW) v2.21 (Vista SP1 compatible) against DFK Threat Simulator v2. Despite and contrary to what this test proclaims (the implication that DW has failed and my computer is owned), which is misleading, provided one runs iPod-commercial.exe as "untrusted", DW restricts all possible damage to the confines of its sandbox. Whether one allows the test to run its full course (pop-ups and all) with or without clicking upon anything, or terminates the simulated attack by right-clicking the DW system tray icon and clicking upon "Stop Attack", DW successfully passes the gamut thrown forth by DFK. FYI, DFK was not able to shut down any component of DW during my test session.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Mar 7, 2008
  20. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Although I have no experience with the concurrent use of both DefenseWall (policy restriction sandbox) and Sandboxie (file, folder and registry virtualization sandbox), Kees1958 best expresses my opinion of this combination in the link below.

    http://gladiator-antivirus.com/forum/index.php?showtopic=73034&st=0&p=205867&#entry205867 (Post #9)

    The link below is my sobering experience with running one too many redundant or overlapping security programs for testing and experimental purposes.

    http://gladiator-antivirus.com/forum/index.php?showtopic=72694&st=0&p=204967&#entry204967 (Post #1)


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: May 25, 2008
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I think it is an irrelevant discussion

    DefenseWall is a strong threatgate mitigation application. The driver can not be unloaded or terminated. It also does not fail SSS.

    Let me explain why running DW together with an application-based virtualisation application like SBIE is an irrelevant discussion.

    1. DefenseWall (unlike GeSWall) has total untrusted file control, meaning that an untrusted file/program always stays untrusted and will be chained to the stronger-than-limited-user environment of DW. This reduced-rights chain also survives reboots, moving from one partition to another, renaming, etc. Therefore you do not need to throw away everything after a dodgy internet surfing session. The malware remains paralysed in the DW safety net.

    2. Rollback feature. Wanna throw away all data files and registry entries made by an untrusted program? Just choose file and registry tracks from the main screen. Scroll down to the date you want to delete registry and file tracks for, select the line, click on rollback: all traces are gone! So even in the case you might want to roll back changes, this can be done within DW!

    3. With Resource protection you can also add some registry key protection for the 'system' process (see pic), to cover parts of the HKCU hives at choice (and data directories). Adding a resource to one of the untrusted processes implicitly means that it is excluded for other untrusted processes. Adding resources to the system means none of the untrusted processes is allowed to change them (you will get a pop-up when this happens). So resource protection offers separation within the 'policy sandbox'. I have not used SBIE since using GeSWall and later on DefenseWall, so I do not know whether this is possible with SBIE settings.

    4. Of all of these sandboxes (policy and virtualisation) DefenseWall is 9 out of 10 times the strongest within the pack, so what use does it have to put SBIE behind DW? DW is quiet (few to zero pop-ups). When you want to add a fantastic freebie like ThreatFire, you have to drop SBIE, because when TF finds an intrusion of programs in the sandbox, it will kill its associates also (delete SBIE). DW and TF (like GW and TF) work flawlessly together. The odds of something breaking DW and TF (due to their different approach) are smaller than with two different sandboxes, so why waste CPU cycles on such an irrelevant setup (A = DW's total control of untrusted files makes it unnecessary, B = DW has a rollback option, C = because with a different combo you get better defense).


    Note: GeSWall also offers virtualisation (redirect option), so for GW the discussion of GW and SBIE is as irrelevant as with DW and SBIE (only more knowledge is needed to organise this with GeSWall).
     

    Attached Files:

    Last edited: May 28, 2008
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I recently tried DW and SB, running 8 SB executables as untrusted in DW, except the SBIEsvc executable, in a frozen system partition.
    It didn't work properly: error messages, disappearing icons, ...
    The problems weren't that serious, but everything has to work PROPERLY and NORMALLY in my system partition, otherwise I don't do it.
    I rolled back to my previous setup: DW only without SB, and all problems were gone.

    The trouble was, that I was also trying a new extension "Delicious Bookmarks" and that distracted me too much.
    Once I'm recovered from this disaster psychologically :rolleyes: I might try it again in the future.
    I also hope that THIS thread will help me with new ideas regarding this combination.
    At least the new extension "Delicious Bookmarks" was working properly, which was a comfort :rolleyes: to me.
     
    Last edited: May 25, 2008
  23. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Well, I'm also trying this combo, also with errors if all executables are untrusted... If, on the other hand, sbiectrl.exe is trusted and all others untrusted, everything seems to work properly, or have I missed something... The SBIE user folder shows up when starting the browser in DW's untrusted applications...
    -----------
    Added: also had to put SbieSvc.exe in trusted to avoid SB driver startup problems. Can't see any problems at all after this... smooth and absolutely normal performance.
     
    Last edited: May 25, 2008
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I see five men, four holding the table and turning it (the untrusted parts of SBIE), the fifth holding up his arm sitting on the table, basically doing nothing (the trusted one), so the light bulb is screwed in. Every now and then they meet in a virtual environment called a forum to discuss new or more efficient ways of replacing a light bulb with five guys and a table.

    Apparently no comments or discussion on my previous post (https://www.wilderssecurity.com/showpost.php?p=1248922&postcount=21 ), so I will stop reacting to these posts; apparently it is not done to install two anti-virus apps or two firewalls, but it is normal to install two sandboxes side by side.

    Happy hunting on how to solve the setup problems.
     
  25. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Hmm... Personally this combination seems like overkill to me... Testing them both together is more of interest than as a permanent setup... You're probably right in your analysis.
     
    Last edited: May 26, 2008
Thread Status:
Not open for further replies.