I Can See Underbelly Of The Net With SANDBOXIE!!

Discussion in 'sandboxing & virtualization' started by cortez, Feb 23, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    All good pointers!

    SandboxIE makes it like starting all over again with yet another invisible shield, HIPS being my other. I am so new to sandboxes but they are not so unlike the Virtual protection I've been used to, but then again they are.

    I took a tip from (Thanks) MikeNAS and applied the registry blocks and then fired up a vbs script file that writes to the registry and sure enough, no dice! I could even let my HIPS "allow" it and it hit a brick wall. SandboxIE is one cool app that I think I've found a new respect for. Add a virtualizer and such and I dunno, maybe even use that SuRun app to run as LimitedUser if possible in this combo, and it's a dead lock of security IMO.
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If Aaron's wife doesn't install software, AE is a very good solution.
    So, you let training mode to build your ruleset for you? That's not the proper way of using a classical HIPS and rule-based firewall.
    Also, how do you know that the thing you're installing is clean? That's the issue you brought here with SBIE.
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    You're welcome! I understand what you're saying. You could take a look at DefenseWall or GeSWall. Others have mentioned they are wife proof LOL. I haven't used either, but I'm guessing the attachment would be tagged as untrusted automatically.

    You might also consider setting up a Limited User Account on her computer. I'm trying desperately to talk my sis and her family into setting up all of them as Limited Users. What's funny is my oldest niece keeps asking me about it. I think I'm wearing them down :D.
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I totally agree with what you have said. I was very intimidated by Sandboxie because it was considered an 'advanced security application'. I started with Power Shadow and experimented with it to understand what it did. I then tried Sandboxie and after I understood what it did, I was hooked. It simply isolates your internet facing applications from the rest of your system. Whatever runs in the sandbox, stays in the sandbox.
     
  5. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    The reason for training mode is so you do not get pop-ups like mad. I am also a gamer and most games will lock up the first time you play it with any firewall. I have used Zone Alarm, Outpost, Online Armor, Kerio, L-n-S and Comodo. They all have a training mode to lessen pop-ups. Then after the firewall learns everything you can edit your rules. It's better than having to 3 finger salute out of the game just to find out your firewall was giving you an alert that could have been prevented by simply using training mode. I made a post about this in the Comodo forums and Melih made it a sticky.
     
  6. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    If you're saying what I think, with experience you can surf everywhere and not run into problems, you just have to know how to do it, been there...

    I've been surfing the Net since it started and in 20 years I've had maybe only one problem I couldn't handle and needed to reinstall Windows.

    Now is this the way for people to handle security for themselves, no not really, all I'm saying is you can surf the net without a sandbox, or heaps of malware apps if you are experienced.

    Now if we are talking about the business side of computing, I wouldn't mess around, and have something more in place, but for my home box all I surf the Net with is FF with NoScript and Avira PE...
     
  7. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Sandboxie is quite complex in its underlying coding but making it easy to use for us users is a compliment to Tzuk.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Couldn't have said it better.

    Tzuk has done a brilliant job with it, that's for sure, let's hope it stays that way. He's sure seeing to it that it does.
     
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Actually all most users really need to browse safely is Firefox w/NoScript installed... However it does require a little thinking in deciding which scripts should be allowed or not. But it knows how to detect many XSS type exploits...

    As for the Secunia, you should download and install their new application, instead of doing the monthly web scan. It is also free and it is more thorough especially if you select it to show the hard to remove vulnerability option. Another thing about it worthy of mention, is that it's also working realtime, so as you install new programs it picks up if it's one with a known vulnerability or in the background if there is one already installed that suddenly gets listed as having vulnerabilities... Very nice tool indeed!

    Here is the link to their "Full Application" scanner it's called PSI Scanner:
    https://psi.secunia.com/
     
    Last edited: Feb 29, 2008
  10. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    So an AE wouldn't stop her from opening safe email attachments? ....and if the attachment contains malware, does the AE stop it from being installed (or would the AE allow it to install but prevent it from running)? o_O
     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I don't know. I'm hoping somebody more knowledgeable about anti executables can answer. It seems to me it could be configured to allow the opening of an email, but if there was something attached, that part couldn't open.

    Don't trust what I've just said though. I'm brand new to anti-executables. I'm certain I saw some tests somewhere here on Faronics, where it allowed an email to open but refused an .exe or some other 'dot' something IN the email from installing.
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    AE with security on high and all protections enabled should not allow any executables regardless of their extension at all (EXE, SYS, BAT, ETC). I haven't used AE for a while but from what I recall, with AE enabled, all exe's that were not present during install will be stopped dead in their tracks.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    With copy protection on, it will not even let executables download.
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    See here :)
     
  15. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    Thanks Lucas, that was quite informative, but I still have a couple of email attachment related questions:

    1. My wife often receives email containing documents (*.doc, *.pdf, *.txt), sometimes (but not always) within a zip or rar attachment. She also often receives photos (*.jpg) as email attachments. Would AE deny opening any of these (assuming they are 'clean')?

    2. Can you (or anyone here) address the likelihood of false positive instances using AE?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    1- No
    2- No FP because AF is not signature based.
     
  17. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    Thanks aigle. The more I learn about AE, the more I'm inclined to believe it's the best single security solution for the way my wife uses her PC. It seems that once I install AE (and set it up) my wife won't have to concern herself with signature downloads, rebooting, flushing a sandbox, or anything else, other than her usual email/internet activities! ....or am I missing something?

    Is there any other similar product that might even be better than Faronics AE in this respect?
     
  18. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    And who told you to do that.....Satan? :ninja:
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any HIPS like EQS, SSM, NG can be configured to make rules for all applications on your system, then disconnect the user interface (silent mode/locked mode) and it will be similar though not exactly the same (EQS is free and SSM has a free version too). But you need time to make rules.

    ProSecurity has a good wizard to make rules automatically but not sure if it has a silent( no pop up) mode or not. It has a free version too though a bit outdated but it must be OK.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    AE won't interfere with data filetypes. AE will block data filetypes only if:
    1. they have a double extension (i.e. .JPG.EXE) and the final extension is of executable nature (disguised executable)
    2. they have a data file extension (i.e. .DOC) but they contain executable code (the MZ magic bytes, for example)
    AE won't protect your wife against:
    1. script malware, because AE only works with executables (compiled code). Not a big deal, because script malware isn't common nowadays and it's relatively easy to set up a security policy against them
    2. exploits, because AE doesn't intercept shellcode. However, since almost all exploits try to put a new executable (trojan downloader/dropper) on your system, AE will BLOCK the outcome of almost all exploits. See the WMF example.
    There are no FPs with AE. AE is like a guest list of executables (SYS drivers, DLL libraries, EXE apps, SCR screensavers, COM apps and so on). Anything that isn't included in that list is banned (whitelisting). OTOH, an AV is like a criminal list: anything that isn't included in that database is assumed to be good (blacklisting).

    AE is really good, strong and quiet on a stable machine (i.e. you set it up once and no new programs are installed/downloaded/updated afterwards).
     
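The two "disguised executable" checks and the guest-list model described in the post above, as an added illustration (not Faronics AE code, and not from the thread): a file is flagged if its name carries a double extension ending in an executable type, or if its data extension hides PE content starting with the MZ magic bytes; separately, only executables hashed into an allowlist at setup time may run. The sample files are constructed inline and contain no real malware.

```python
import hashlib
import os
import tempfile

# Executable types from the post's "guest list" (assumed set, not AE's own).
EXEC_EXTS = {".exe", ".sys", ".dll", ".scr", ".com", ".bat"}


def is_disguised_executable(path: str) -> bool:
    """True for photo.jpg.exe-style names, or data extensions whose bytes start with MZ."""
    parts = os.path.basename(path).lower().split(".")
    last = "." + parts[-1]
    if len(parts) > 2 and last in EXEC_EXTS:
        return True                      # double extension, executable at the end
    with open(path, "rb") as f:
        magic = f.read(2)
    return magic == b"MZ" and last not in EXEC_EXTS   # PE image behind a .doc/.jpg name


class ExecutableAllowlist:
    """Whitelisting: anything not enrolled (hashed) at setup time is refused."""

    def __init__(self):
        self.allowed = set()

    def enroll(self, path: str) -> None:
        self.allowed.add(self._sha256(path))

    def may_run(self, path: str) -> bool:
        return self._sha256(path) in self.allowed

    @staticmethod
    def _sha256(path: str) -> str:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()


def demo() -> dict:
    """Constructed samples: returns {name: (disguised?, allowed to run?)}."""
    d = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # real JPEG header
        "holiday.jpg.exe": b"MZ" + b"\x00" * 16,             # double extension
        "invoice.doc": b"MZ" + b"\x00" * 16,                 # PE bytes, .doc name
        "notepad.exe": b"MZ" + b"\x90" * 16,                 # enrolled at setup
        "dropped.exe": b"MZ" + b"\x00" * 16,                 # new, never enrolled
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    wl = ExecutableAllowlist()
    wl.enroll(os.path.join(d, "notepad.exe"))
    return {n: (is_disguised_executable(os.path.join(d, n)),
                wl.may_run(os.path.join(d, n))) for n in samples}
```

The clean .jpg passes both checks, the renamed and mis-labelled PE files are flagged, and only the executable present at enrolment is allowed to run.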
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can't script malware be avoided by simply turning off Windows Scripting Host?
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, but you may need to run scripts (I do). Also, you still have to deal with macro viruses (another "non-issue")
     
  23. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Get rid of the wife, keep the PC.
    Enjoy the day.
    Hugger
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  25. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    Lucas, thanks for all of your constructive help in this matter. It's most appreciated.

    Btw, I don't think my wife would object if I changed her browser from IE7 to FF2 as long as I retain her current home page ...would doing that result in more secure browsing? ...and if so, why?
     