How do sandboxes work?

Discussion in 'sandboxing & virtualization' started by Someone, Jul 19, 2008.

Thread Status:
Not open for further replies.
  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Do sandboxes like Sandboxie, GesWall, DefenseWall, etc. block untrusted programs' access to the whole computer and allow specific directories, or do they allow access to the whole computer except for specific directories?

    Thanks
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I can say only for DefenseWall: your second assumption is the right one.
     
  3. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Thanks for the reply. But wouldn't the first way be safer?

    Thanks
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    As a matter of theory, it would be better to be as restrictive as possible. If you are asking which is better, policy-driven HIPS or sandboxes, that is a matter of preference. There is no right answer. I can say, for me, I prefer Sandboxie over DefenseWall because everything gets erased after the session is complete.
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Theoretically, yes; practically it would be impossible to use such a HIPS and set up an internal ruleset.
     
  6. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    What's the internal ruleset?

    Thanks
     
  7. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Light virtualisation sandboxes like Sandboxie also just allow everything except certain files/folders/registry keys, right?

    But the good thing about policy sandboxes is that they block malware from executing in the first place; in Sandboxie you can have keyloggers steal your data unless you have special configurations.

    Thanks
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Internal policies set.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    If a keylogger has to install drivers, services, and needs low-level access to the keyboard, it will be unsuccessful in Sandboxie. Also, empty the sandbox and it is gone.

    Pete

    PS. And with a little learning and configuring, you can lock down the system pretty tight without interfering with the ability to work.
     
  10. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    But not all keyloggers need to install a driver, service or low level access right?

    Are these rules secure?

    under GlobalSettings

    ProcessGroup=<restricted>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe

    in your sandbox

    ClosedFilePath=!<restricted>,*
    ClosedIpcPath=!<restricted>,*

    Thanks
     
  11. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I guess you know the answer. ;)
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Does this configuration protect your cookies from being read or eaten ;)
    and your privacy or data from being stolen?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Not completely. You can block access to your data. As far as cookies, they would be gone when you delete the sandbox.

    Pete
     
  14. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    A simple solution is shown via the below link. Steps: (1) Open your browser in your sandbox, (2) open Sandboxie Control by right-clicking the icon in your notification tray, (3) right-click on the name of your running sandboxed browser and select Program Settings, (4) Select "This program is the only program in this sandbox that can access the Internet."

    Sandboxie does not keep you from picking up a keylogger, but it's my understanding that with this setting, the keylogger cannot call home. And when you close the sandbox, the keylogger program is wiped out.

    http://www.sandboxie.com/index.php?ProgramSettings
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    You can even take a step further and restrict the sandbox so only the browser can run. Nothing else can even execute.
     
  16. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Peter,
    Can that be achieved by using Sandboxie Control to make configuration changes, or are manual changes via Sandboxie.ini required? (I'm not confident enough to try the latter.)
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    You can do it in Sandboxie Control. It's under Resource Access.

    Pete
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    You can also check this thread.

    https://www.wilderssecurity.com/showthread.php?t=212408

    In terms of solutions to cookies, use an extension in FF like CS Lite.
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I have a question. I'm trying to set up Sandboxie similar to how Hurst has it set up here: https://www.wilderssecurity.com/showthread.php?t=212408. However, my needs differ a bit. I use IE7 and Firefox for browsing, PDF-XChange for PDF views, and only Xion, VLC, and Zoom players for media. What I'd like to do is the following:

    1. Run IE7 in the default box and enable it to view PDFs, embedded media, and be able to save bookmarks and downloads from the browser, while not allowing anything else and blocking access to data/folders that are not needed to perform those functions.

    2. Run Firefox in a separate box with the exact same functions and restrictions, but being able to update extensions.

    3. Run Xion, VLC, WMP, and IrfanView in a single box that allows only playing of files I already have. No internet access, no other data access.

    I also use eMule/BitTorrent, so if there is a safer way to use both of those within Sandboxie (if they can be used within Sandboxie, that is), I'm open to suggestions. I wouldn't ask for so much input if it wasn't for the fact that, in looking at everyone's .ini files, I realize they are all completely different depending on programs used and where data is located.
     
    Last edited: Jul 19, 2008
  20. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    What's ClosedIpcPath?

    Thanks
     
  21. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Pete, I use Resource Access to make IE7 the only program that can access the internet and to block access to My Documents. But I don't understand how to use it to restrict the sandbox so only the browser can run and nothing else can even execute.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    You have to do that with ProcessGroup restricted statements. Hurst has a good example of that. You might ask him for it.

    Pete
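A Sandboxie.ini fragment that puts the pieces of this thread into one box: the <restricted> ProcessGroup and the two Closed...Path rules from post 10, the "only the browser can access the Internet" setting from post 14, the "nothing else can even execute" lock-down from posts 15 and 22, and the My Documents block from post 21. This is an added example, not from the thread, from Hurst's configuration or from Sandboxie's own files; the box name BrowserBox, the choice of firefox.exe and the documents path are assumptions, and the InternetAccessDevices pseudo-path is taken from Sandboxie's documented Internet Access setting rather than from this thread.

```ini
# Added example: a locked-down browser box built from the settings
# discussed in this thread. Box name, browser and data path are assumed.

[GlobalSettings]
# The group that the "!<restricted>" rules below refer to. Start.exe and
# the two Sandboxie service helpers must stay in the group, otherwise the
# box cannot launch anything at all, the browser included.
ProcessGroup=<restricted>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe

[BrowserBox]
Enabled=y
# Wipe the box when its last program exits, so anything dropped into it
# during the session (a keylogger included) does not survive it.
AutoDelete=y

# "Only the browser can run": programs not in <restricted> get no file
# and no IPC access, so they cannot even start. ClosedIpcPath is the
# setting Sandboxie's Start/Run Access restriction is built on.
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*

# "Only the browser can access the Internet": every other program in the
# box is denied the network devices. InternetAccessDevices is the
# pseudo-path from Sandboxie's documented Internet Access setting
# (assumed from the documentation, not from this thread).
ClosedFilePath=!firefox.exe,InternetAccessDevices

# Block the real documents folder for everything in the box, browser
# included, so a compromised page cannot read it. Placeholder path:
# substitute your own.
ClosedFilePath=C:\Users\YOUR_USER\Documents
```

With AutoDelete=y, files saved inside the box (downloads and bookmarks included) are wiped with it, so recover anything you want to keep before the last program exits, or drop AutoDelete and empty the box by hand as Pete describes.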
     