I Can See Underbelly Of The Net With SANDBOXIE!!

Discussion in 'sandboxing & virtualization' started by cortez, Feb 23, 2008.

Thread Status:
Not open for further replies.
  1. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Exactly. Returnil is the App of choice for the Grandchild trojan. Just turn it on before you let them on the computer and reboot when they go home. If you don't tell them what returnil is they won't know enough to mess with it. :D
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Could someone explain why I might prefer Sandboxie to Returnil then? I tend to be lazy and don't like having to play with lots of options. I did try Sandboxie and got the impression that it was originally designed to protect those using IE. Certainly it didn't work out of the box with Firefox (I accept that it can be forced to work). If something nasty did get on my PC it would be gone at reboot. Using Sandboxie would provide better (how much better?) protection in that the nasty would be contained, but in practice is the extra protection really all that great? Put me down as a Grandchild trojan if you will, but I can't see what I'm missing by using Returnil, Deep Freeze, or Shadow Defender rather than Sandboxie.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Well Sandboxie can be configured to stop all outbounds which suits me fine as I have a hardware firewall for inbounds.
     
  4. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Boils down to preference. IMO it has nothing to do with which is better; right out of the box Returnil just works, after install there is almost nothing to configure.
    Sandboxie is also simple and just as effective but has more options to set up to your liking, but both are good to go. ;)

    Yes, SBIE can be set up to exclude the browser (or a complete process group) from denying anything to connect; this should be done in the SBIE ini file, by way of closing all paths except for the process group, a beautiful option given to us by Wraithdu.
     
    Last edited: Apr 22, 2008
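    An added Sandboxie.ini example (not from the thread, nor from Sandboxie's own documentation) of the two setups Franklin and Huupi describe: one box that closes the network for every sandboxed program, and one that closes it for everything except the programs listed in a ProcessGroup. The box names, the group name and firefox.exe are assumptions.

```ini
# Added example, not from the thread. Box names, the group name and the
# sandboxed program are assumptions chosen for illustration.

# Franklin's setup: no program running in this box may reach the network.
[NoNetBox]
ClosedFilePath=InternetAccessDevices

# Huupi's setup: close the network for everyone except one process group.
[BrowserBox]
# Members of the group; further programs are added separated by commas.
ProcessGroup=<AllowNet_BrowserBox>,firefox.exe
# The leading "!" negates the match: the pseudo-path is closed for every
# program that is NOT in the group, so only the browser can connect.
ClosedFilePath=!<AllowNet_BrowserBox>,InternetAccessDevices
```

    Sandboxie rereads the ini when settings are reloaded from Sandboxie Control, so a program already running in the box should be restarted to pick up the change.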
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I use both. You can do something in the sandbox and it stays until you delete it, as opposed to losing it to reboot. I had no trouble getting Firefox to run sandboxed. I use SD/Returnil for specific tasks, but it isn't practical for me to have them on all the time, hence I like Sandboxie for its real-time protection. I run browsers and Outlook sandboxed.
     
  6. CircleGirl

    CircleGirl Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    61
    Location:
    Circle Campus
    Since they can already get on SBIE on their friend's box, simply cut them off at home (please tell them to avoid 'greasy' sites---they won't listen but at least you warned them). Have a partition for your own SBIE, passworded with a password that they will not find a sticky on.

    May I suggest your ZIP code: first as the mail sees it, i.e. 12345, then simply reverse its second part, i.e. 54321. The total password will be 1234554321 and it is almost impossible to forget!!!

    For other partitions or programs, variations are easy to come up with, i.e. 12345abc54321 etc.

    Even if you forget it one time it is easy to permute the password until you are let in.
     
    Last edited: Apr 22, 2008
  7. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    450
    Location:
    Chicago
    My grandchild requested that I try to find out what type of infection it was that caused SandboxIE's "desktop cycling" "meltdown". Perhaps someone can recognize it. Google did not reveal anything like it.

    I was using Norton's Security Suite on this particular SandboxIE partition when the malware meltdown occurred (I use AVAST on my other SandboxIE partition, and it always catches the malware [so far]).

    The malware caused something I never encountered before: the desktop continuously appeared then disappeared. This happened about every 7-9 seconds, and during the 7-9 seconds that the desktop was "on" I could open programs (as long as they could do so in 7-9 seconds). Once a program or plug-in was "on" it remained on and worked normally.

    If no program was opened, the desktop simply went away with no way to get it back (I tried for over 5 hours to repair this problem).

    I uninstalled SandboxIE (and tried the restore function and all other things I could think of) during these 7 second intervals, but the desktop continued to cycle on and off.

    I wonder what kind of malware it was (I suspect that it infected the registry where "users" [maybe the "fast switching" function?] are). Any ideas?
     
  8. Beto

    Beto Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    47
    Did Norton detect anything or did it just happen after opening the file unboxed?
     
  9. CircleGirl

    CircleGirl Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    61
    Location:
    Circle Campus
    It seems like a Trojan of some sort. There are so many of them, but you could start looking for them at http://www.megasecurity.org/files_all.html .
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    It could relate to the icon refresh rate and/or folder/icon cache size limits.

    See lines 2, 121 and 157 left columns at the link below.
    Kellys Tips and Tricks
     
  11. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    450
    Location:
    Chicago
    Beto:

    I was told there was no notification or warning before the file was opened (funny, as there usually is some sort of notice).

    CircleGirl:

    A site that is terrifying as one could actually see the different types of Trojans and their targets. I believe that malicious code was introduced into the registry causing the loop which caused the desktop cycling after opening the file unboxed from SandboxIE.

    See Franklin's registry site reference. As he suggested there are keys that make for good candidates to infiltrate to insert looping code. Thanks ---cortez

    Franklin:

    "Kellys Tips and Tricks" is a treasure chest for all things dealing with the registry. It looks like it will supply me with many days of reading and learning (which I truly welcome).

    I noticed that you use "Returnil" as well as SandboxIE, so I tried it out and it seems to be as easy to configure as SandboxIE and "interneting" is as good as ever! Thanks for the important info (and the inspiration to try Returnil)---cortez
     
  12. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Ever since I used Sandboxie, never once did I get my system infected.
    I've set it up to auto-delete all data once I close my default browser.
    I've accidentally downloaded SpySheriff (and its variants) on numerous occasions, but it was deleted by Sandboxie.

    I love the way you have total control over which applications you can sandbox. All of my applications that use internet access are all sandboxed, except for some anti-malware programs.
     
  13. CircleGirl

    CircleGirl Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    61
    Location:
    Circle Campus
    Is there a shelf life when using returnil w/ SB? I have been using both for browsing for 2 months solid now.

    I had to do a major tune up -- defrag 2 times (that is two times more than usual), use different cleaners, get rid of some limited user accounts -- to finally get SB and Returnil back on track and speed Firefox up again.

    This makes me think that there is a shelf life of about 2 months before Firefox gets slowed down when using both SB and Returnil together.
     
    Last edited: Jul 10, 2008
  14. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    That's the way you configured Returnil: to save session data to disk C:? Or to another partition or other drive? Saving to disk will always cause fragmentation; IMO it's better to save to another partition or other drive to keep fragmentation low on the system partition.
     
  15. CircleGirl

    CircleGirl Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    61
    Location:
    Circle Campus
    Your solution makes sense and from here on out all downloads will now go to the data partition directly.

    Even though I needed to give my SB/Returnil partition a tune up due to a slowing down of Firefox, it has not failed me so far and I am impressed with the two-fisted defense of these excellent malware fighters.
     
  16. ragnarok2012

    ragnarok2012 Registered Member

    Joined:
    Jun 20, 2007
    Posts:
    45
    That's where adding returnil will cover all bases.

    They definitely work well together on most setups.
     
  17. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    450
    Location:
    Chicago
    XP Activation Problems using SandboxIE (o_O):

    Two of my SandboxIE partitions have asked for Re-Activation over the internet before allowing me to boot up XP!!

    These are the only times a Re-Activation request has ever occurred on a Pre-Activated XP installation of any sort (this includes Images from TI10 and "copy partition" operations from DD10)!!

    Am I crying wolf and unjustifiably ascribing fault to SandboxIE??

    On these partitions I did not have any "calling home" blocking applications (I believed that I did not need them as a reboot would return the partition back to its already activated state).

    I now realize that I have used these partitions with SandboxIE disabled at times to save data and thus prone to being subjected to Microsoft's "Call Home" strategy. These partitions now have XP Antispy (freeware) which tells Microsoft that Activation has occurred and is up to date.

    I hope that this puts an end to this Activation problem as I dread calling Microsoft's "Activation Center" and dealing with the overwhelming entering of numbers to reactivate (and the often long waiting period to talk to a real person).

    I think that 4 activations in any 2 to 3 month period requires a telephonic Re-Activation (correct me if I am wrong on this point).

    I have now left these 2 partitions always active, SandboxIE wise, and merely drag and drop any "data" to a data partition to check for malware (in Windows Explorer).

    I hope this is the solution and Microsoft is not randomly seeking internet Re-Activation with XP (some have suggested that this is now a reality).
     
  18. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    450
    Location:
    Chicago
    SandboxIE and Windows Steady State = High Maintenance:

    It seems that Windows "Steady State" may have some benefits for Microsoft updates etc., and possibly the ability to install applications that need to reboot to install (a great and much needed function), but is otherwise clumsy, needing multiple reboots (and long ones at that).

    I found it easier to use SandboxIE (turning it on and off is much easier and much faster) than using Sandboxie with Windows Steady State together.

    SandboxIE still has a very small footprint:

    [attachment: SandboxIE w windows steady state off.JPG]

    With both SandboxIE and Windows Steady State on:

    [attachment: SB and steady state both on.JPG]

    Wow!! A bigger footprint than SandboxIE and Returnil both on!!

    Ultimately it depends on one's usage and needs (time wise/footprint wise) to determine if it is a good candidate for one's particular set up.

    I resolved the problem by having separate and dedicated partitions for SandboxIE alone, Returnil and SandboxIE, and SandboxIE and "Window's Steady State" as the best solution for my needs.
     
    Last edited: Sep 8, 2008
  19. ragnarok2012

    ragnarok2012 Registered Member

    Joined:
    Jun 20, 2007
    Posts:
    45
    I have both SBIE and Returnil on separate partitions also, but today have encountered the first SBIE malfunction. SBIE would not allow Firefox to be sandboxed -- it just let the hard drive LED blink, but no Firefox. I reinstalled SBIE but still nothing.

    Then I upgraded but still nothing!!! Finally I emptied the newest SBIE container and Firefox booted up and has since worked fine.

    I have been comparing Returnil and SBIE and they both have worked perfectly against malware. The biggest difference is the large Returnil footprint, which SBIE does not have.

    Overall SBIE has been superior (in regards to being able to operate on a small partition) until this hang up today. I checked the partition and no malware was present, so I think that IF I had emptied the container it would have worked OK.

    But since this is after the fact I can't be certain. So whatever happened to cause SBIE to not boot up, it still protected the partition (and my other partitions went unaffected), so I would say that SBIE has been exceptional in its ability to protect against malware -- even with this snafu.
     