Is Sandboxie useless on Windows 10?

Discussion in 'sandboxing & virtualization' started by CoolWebSearch, Dec 1, 2016.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I been thinking about this the last day or so.

    I had appcontainer enabled in my flags setting on chrome, I changed it to default after reading some advice on another security forum, which suggested on default the feature is still enabled but with a whitelist applied to prevent broken functionality on incompatible code.

    However when I changed it to default all my chrome rendering processes changed from appcontainer to untrusted, which means for whatever reason the chrome developers still do not have faith in this feature. I am also aware of relying on anything that has to be enabled in chrome flags because chrome developers have a habit of removing features from there on a whim without any notice given, you may see some log in their code log discussed via internal developers or on one of their blogs, but thats often it in terms of notice. As chrome flags are not intended for mainstream use and as such they dont really get supported properly.

    Personally I am not a big fan of using 3rd party software for security over integrated OS features. Their reliance often on things like undocumented api's can lead to bugs, and performance issues. As an example I see in this thread people talking about using A/V software to deny malware execution when windows already has applocker and SRP to do the exact same thing, a default deny for executables. Another reason been of me not been a fan that is if I employed 3rd party software for all my system hardening, on all 3 of my machines I would be spending 100s of dollars(pounds) every year on security as a home consumer, which is completely ridiculous. There is a guy on this website who provides nice bits of info where you can get your system really hardened just using builtin windows features and/or free software only and I applaud him.

    Also to bo yes your guy got saved by sandboxie, but the question why did he do something so stupid as to disable his javascript protection in the browser. Sandboxie can of course save people from stupidity.

    I still run firefox on my laptop inside sandboxie, never got round to enabling its new integrated sandbox after mozilla implemented it, I am now thinking about whether I do the same with chrome or enable the chrome flags appcontainer again. Bear in mind of course I have the usual other mitigations like default deny exe, limited write folders for chrome (manually configured locations to restrict where it can write to, in windows you can set the integrity level of folders, no need for 3rd party software so e.g. untrusted integrity exes can only write to temp folder), memory exploit protection, whitelisted javascript only, and the biggest one common sense. I think I am leaning towards sandboxie tho giving thats its primary feature so obviously well supported by them, and I agree with the concept that a malware author is more likely to concentrate on breaking chrome's sandbox than sandboxie's.
     
  2. guest

    guest Guest

    @chrcol i believe appcontainer is disabled by default for compatibity matters, not because they don't trust it (in that case they would remove it).

    Appcontainer = modified lowbox token (aka untrusted IL) + capabilities.

    About SRP/Applocker, indeed you don't need much softs on top, but only if you have those features, home version's users don't.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    No, he wasn't stupid. Sandboxie is the safety net, and he didnt disable SBIE. So, he was never in danger. Anyway, what our friend did is something that you and I would also do sometimes. It was here at Wilders that the incident he relayed to me took place. Someone posted links to pictures in an image hosting site, he disabled UBlock Origin (he was using Chrome) to view the pictures and got hit by malware. He was never in danger, due to SBIE. Personally, I would not have disabled NoScript but temporarily allow scripts until I got the content (the pictures). Is not necessarily so but likely that even without disabling NoScript or UBO, the malware wold have been allowed to run once we allowed the scripts required to view the images.

    Anyway, the whole point of him telling me about that particular incident is because he had been reading posts here at Wilders about running Chrome with or without SBIE just minutes earlier, and then all of the sudden he was getting hit by malware and was saved by Sandboxie. So, he telling me about was like saying, "Hey Bo, read this, Sandboxie just saved me after I disabled my script protection in Chrome".

    chrcol, I remember two or three years ago, you and I talked about NoScript via PM. I am glad you were converted and I reckon you are still using some sort of script blocking. But remember, most regular users dont block scripts, when they land in webpages (any webpages), everything in the pages, all content in the webpages is allowed to run, so, the vast majority in the universe of internet users would have been hit by the malware our friend was hit with if they had visited the image hosting site to see the same pictures he did at the time he visited that site. And very likely, would have been infected if they were not using Sandboxie, regardless of the browser that was used at the time.

    Bo
     
  4. guest

    guest Guest

  5. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I cannot remember the conversation, but yes I do use whitelisted script blocking. Security should ideally always be a layered approach tho, so by turning it off, its removing a layer, so e.g. I dont just only rely on blocking scripts in the browser, I have other mitigation's in place as well.

    So you are saying somehow a drive by malware code was running to show images on wilders? What was the hosting site, then I may answer if I would have added a whitelist for the pictures. Its very improbable I would have just globally disabled scripting protection tho, do we know if e.g. the code to make the images work was what was the bad code or if there was further code inside that code going to another 3rd party host? (if the latter then whitelisting the image host only would have been ok).

    In regards to the appcontainer stuff, I will definitely be keeping it off now, as it seems that was the cause of a bug I had noticed, so about a month ago I noticed when closing chrome half of my chrome rendering processes would stay running, I had to manually kill them. I then discovered that by disabling isolated processes (the model used to mitigate spectre), the issue vanished and chrome behaved normally again, at this time appcontainer was enabled in chrome flags. When reviewing my flags last week, the security feature was enabled again, but this time I had reverted appcontainer to default, and of course discovered default is off. Interestingly this has resolved the bug. I think I would rather have isolation without appcontainer, than appcontainer without isolation. Yes guest that is what I mean by lack of confidence, lack of confidence that it was a stable feature, compatibility issues is of course a stability issue.

    As part of my current review of my system setup, enabling sandboxie for chrome I think has a reasonable chance of happening, as providing I get no issues caused by it, I dont see the harm of adding a new security layer and it has no cost given I already have a active sandboxie license on this machine.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    About our conversation. You asked me for a copy of my blacklist, and I emailed it to you with the following note: I suggested it was better to create your own blacklist, instead of copying and using mine, since, if you created it, it would be based on your personal browsing experience and habits.

    Regarding the images. The images were hosted in imx.to. I am not familiar with imx.to, and wasn't curious to click the links to see what happens. I am not a curious person. Anyway, what happened is basically what I wrote earlier. To see the pictures, he disabled UBO, and malware ran for a few seconds. When he regained his composure, he terminated all programs and deleted the sandbox. And malware was gone, DONE.

    Bo
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    FWIW, Sandboxie is working properly in Windows 10 recent release (Build 18362.116 1903). I upgraded to 1903 last night. Right now, I am trying to find something wrong with Sandboxie, my programs and the functions and activities I do sandboxed, and so far I haven't been successful. What can I say? Sandboxie is rock and rolling in W10 1903.....

    Bo
     
  8. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I've been running this for the past few weeks. Roughly once every week it fails to start properly, but aside from that WDAG Edge-Chromium is pretty dam solid! Writing in it right now, in fact.
     
  9. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    851
    Same here. :thumb:
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.