How do you all use Sandboxie and Returnil?

Discussion in 'sandboxing & virtualization' started by spider_darth, Jul 11, 2008.

Thread Status:
Not open for further replies.
  1. spider_darth

    spider_darth Registered Member

    Joined:
    Dec 30, 2006
    Posts:
    82
    I've read past threads and the advice given was that Returnil should not be used in isolation with Sandboxie, or vice versa. However, I still don't quite understand what this means.

    1. Let's say I'm using Returnil Free. Since it'll revert everything on my C drive back to its original state, why use Sandboxie to sandbox Firefox then? After all, Firefox is stored on the C drive and everything will be deleted later on. Also, I save my downloads to my data partition (D drive), so they won't be affected by the deletion.

    Is it because the downloads I saved to my D drive might be infected, and Returnil can do nothing about it... which Sandboxie can?

    Which means... rebooting will only clear the damage malware does to the C drive, but not to the D drive.

    2. And, when using Returnil, how often do you all update your AV, OS and other security software? Boot into Safe Mode weekly to do so?

    3. If you were to game, would you turn on Returnil's protection? Because you won't be able to save your game. Or, would you install the game in another partition, so that it will be unaffected by Returnil?

    4. I also realised that when I'm using Firefox and the PC crashes, the session manager is unable to save the session when I choose to save the session to the D drive or the Returnil drive. But, when Returnil's not running and Firefox saves to the C drive, the session manager works when the PC crashes.

    5. Lastly, would you consider Windows SteadyState a good alternative to Returnil Free?

    Sorry for the rather long post.
     
  2. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I don't know the answer to all your questions, but Sandboxie can enhance Returnil's protection because it blocks malware at an earlier level and has protection against low-level disk access. Also, you can set Sandboxie to block access to other partitions and your data, which you can't do with Returnil.
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    In addition to what Someone said, Sandboxie can be set up so that Firefox is the only program in the sandbox that can run and/or access the internet. So theoretically, if you download a nasty, it's not running wild on your system partition, calling home with your information or downloading other malware. Plus you can empty the sandbox at will, which might save you a reboot if you were only running Returnil. A match made in heaven :-* :p .
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Hi Spider_Darth

    Let me just give you my view. I use Shadow Defender, but the principle is the same. Normally I just run with Sandboxie. However, there are times when I do something that I want to get rid of, or I am going to play in a VM doing high-risk stuff, and then I will turn on the shadowing for some extra protection of the host.

    In other words, I use them more or less separately for different things.

    Pete
     
  5. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    I've only recently added Returnil to my mix with SandboxIE as it is simply too good a program not to use. The way I use it is to always have the Returnil protection on so the entire setup is protected and then incorporate SandboxIE as to internet access and closing off partitions to sandboxed programs. If I see a program I want to install, I download it to my desktop and then physically place the installer on another partition. Then I turn off the Returnil protection, reboot and install the new program and JKDefrag everything and put the protection back on.
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I use SBIE+Returnil as my only active security. No problems or conflicts.
    Returnil as the base defense, preventing anything from staying on the C: partition. Sandboxie for prevention during computer use. With some settings it defeats keyloggers. Also, as seen in currently active threads in this same forum section (here and here), SBIE protects against malware that goes after your data. And last but not least, SBIE protects against some malware that defeats Returnil's protection.

    When I had an AV, I did this once a week. Now I don't need to anymore.

    With Returnil paid, you can set files and folders to be saved.
     
  7. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    What settings make Sandboxie block keyloggers?

    Thanks
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
  9. spider_darth

    spider_darth Registered Member

    Joined:
    Dec 30, 2006
    Posts:
    82
    Do I have to manually set Sandboxie to block access to my other partitions? Or, will it do so by default?

    And where does Sandboxie store the Sandboxed contents? If I'm running Returnil, won't the contents be unrecoverable if the pc crashes?

    With Returnil and Sandboxie, does it mean that AV and other security software can be dropped? e.g. threatfire, a-squared, SAS, spywareblaster, win patrol?
     
    Last edited: Jul 12, 2008
  10. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    You have to set it manually in SB Control.

    Content is stored in the root, in the SB folder.

    Obviously, if the PC crashes you'll lose everything, except for your real system, which may be recoverable; it depends on the cause.

    Dropping your realtime scanners is up to your paranoia level; I have only SB and Returnil in place and use MBAM and SAS on demand once a week, faring well now for 6 months.
     
    Last edited: Jul 12, 2008
  11. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Pete thanks for explaining it in a few lines.

    SBIE or Safe Space or DefenseWall or GeSWall = normal operation
    Shadow Virtualisation = for dodgy sessions only
    Machine Virtualisation = for real dangerous testing only

    So OR is better than AND.
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I would not recommend this to everybody. It depends on many things. For the average user, keep using an AV.

    I agree with this. But many times I found out that problems were caused by the hardware component between the keyboard and the chair (=me:D ). Too many times I did things in a hurry and after the click I said "I wish I had Returnil enabled before doing this" (many times not even malware related). So when Returnil was on GAOTD, giving me the possibility to save folders and files, I started using Returnil "always on".
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't do anything new in my system partition without having the possibility of rolling back to a previous state.
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Your link is similar to what I'm using. The link I posted was one I had bookmarked from when Wraithdu was here. I think all it does is limit what can run in the sandbox which should stop a keylogger from running.

    I'm using Franklin's suggestion which looks the same as your link to me except for which programs are specified. https://www.wilderssecurity.com/showpost.php?p=1262568&postcount=10
     
  16. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
  17. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi Someone,

    Have a look at my post #15 and the link HungJuri posted and the link to Franklin's post. They limit what can run and what can have internet access in the sandbox.

    I tried it with the fireworks.exe (storm worm) which Rmus posted about and I couldn't get it to run. I even renamed the file to firefox.exe, winamp.exe and start.exe and it wouldn't run in the sandbox.

    P.S. Let us know your results.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Suppose you have 2 partitions:
    a. System Partition [C:] = Windows + Applications + Returnil = ON
    b. Data Partition [D:] = documents, spreadsheets, emails, etc., but not protected by Returnil.

    Security = Windows Firewall, no Sandboxie or anything else, because you don't really need it, because Returnil will remove any infection in the System Partition [C:] during reboot.

    1. Is Returnil enough to protect your Data Partition?
    Personally I don't think so. Any malware, installed in your virtual system, that targets your data will infect or destroy or steal your data without any problems. Of course after reboot the malware is gone, but the evil deed is done.
    It simply doesn't matter to malware whether your system is virtual or normal. Am I right, yes or no?

    2. Is Returnil + Sandboxie better than Returnil alone to protect your Data Partition?
    Personally I think this is true, because Sandboxie isolates malware in a sandbox and makes it harmless.
    If malware that targets your data is in a sandbox, your data is protected and can even be locked by Sandboxie.
    If not, something is definitely wrong with Sandboxie. Am I right, yes or no?

    If I'm right, then it's not Returnil OR Sandboxie, but Returnil AND Sandboxie.
    And then Sandboxie is security, while Returnil is just recovery, and please no other security software; the subject is Sandboxie and Returnil.
     
    Last edited: Jul 13, 2008
  19. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    @ErikAlbert
    Let's begin by inventing two pieces of malware. One has the ability to destroy data, the other has the ability to read data and transmit that information somewhere. Your scenario #1 would (as you say) not be enough to handle either of the malwares. Now with scenario #2, the addition of SandboxIE would protect against the destruction of data. Adding a ClosedFilePath to the data partition would prevent the reading of that data as well. At this point both malwares have been thwarted. You can then consider SandboxIE internet access settings as an extra precaution that pretty much firms up the deal.

    So, your analysis as to points #1 and #2 is by and large correct. But as to the conclusions drawn in your final paragraph, there is an issue.

    Those conclusions are asking for an all-user definition as to the use and characterization of the two programs, but the analysis was based on a single-user scenario.

    At the opposite extreme, let's consider a user that has no important data on the machine. With that user, each of the two invented malwares is a moot issue and he primarily needs system and spyware protection. In his case Returnil alone would be fine, and it would be 'security' in a sense focused towards the removal of spyware-type installations.
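As an added illustration, not posted by anyone on this thread, here is the kind of Sandboxie.ini fragment that the two-malware analysis above calls for: closing the data partition to everything in the sandbox and leaving network access to the browser only. It also answers the question Someone asked in post #7 and the "only Firefox can run or reach the internet" setup innerpeace describes in posts #15 and #17. The `ClosedFilePath` key is the one named in the post above; `InternetAccessDevices` is Sandboxie's keyword for its network device paths and `!program.exe` means "every program except this one". The sandbox name `DefaultBox`, the drive letters and the choice of `firefox.exe` are assumptions for the example.

```ini
; Added example of a Sandboxie.ini sandbox section (not from any poster on this thread).
; Sandbox name, drive letters and program name are assumptions.
[DefaultBox]

; Deny every program running in the sandbox any access to the data partition.
; The "read and send out" malware cannot open files there, and the "destroy data"
; malware cannot write to them: both invented malwares in the post are covered.
ClosedFilePath=D:\

; Alternative that only stops the destroyer, not the reader: sandboxed programs
; could still read D: but every write would be refused.
; ReadFilePath=D:\

; Keep the browser able to reach the network, but deny network devices to every
; other program started inside the sandbox (a dropped downloader cannot call home).
ClosedFilePath=!firefox.exe,InternetAccessDevices
```

Two practical notes. Closing the whole of D: also blocks the sandboxed browser from saving downloads there, so either close only the folders that hold documents and mail, or keep saving into the sandbox and pull wanted files out with Sandboxie's recovery function. The matching "only Firefox may start in this sandbox" restriction is set in Sandboxie Control under Sandbox Settings > Restrictions > Start/Run Access; this example deliberately does not hand-write that key.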
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't agree with this at all. I work theoretically and it doesn't matter to me, who is behind the keyboard. Security, based on personal needs and habits, is a bad beginning to build a security setup and is only valid for ONE user, no one else can use it, because it isn't the same person anymore.
     
    Last edited: Jul 13, 2008
  21. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    That's fine I guess. The alternative is that all users regardless of how they use their computers and regardless of what is on their computers "Must" always use these two programs the same way and "Must" refer to them the same way. SandboxIE is security and Returnil is recovery. Always. :rolleyes:
     
  22. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Since when?
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Security is something for everybody, not just one person.
    Everybody wants a malware-free and garbage-free computer and doesn't like to waste their time on getting their healthy system back, which was already there in the beginning.

    It's not my fault that security is such a BIG MESS, full of overlapping and redundancy, that's because there is no planning, no structure, no organization, no quality, ... just money.
     
  24. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Your supposition begins with a given statement;
    And it ultimately winds its way to a conclusion. Returnil plus SandboxIE is preferred and one is clearly security and the other is clearly recovery. There is no disagreement on that. The disagreement is that you were stating that as an "Always Is" conclusion.

    It is you that are trying to take a single user (with that user being you) and have it culminate in a "Rule". And then you state that usage should not enter the analysis, but that is only after you have injected your very own usage into the supposition.

    But really, let's stop and not divert the thread. I know your setup and I admire it, it is the kind of 100% setup that I advocate. But guess what, I know in a heartbeat that it wouldn't work for me and I suspect the same for many others. I sincerely think you need to come to grips with that.
     
  25. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    So do I. Not everyone wants a computer where no new executables can open unless you turn a program off, which would reduce protection.
     