MD's File and Folder rules an alternative to sandboxie?

Discussion in 'other anti-malware software' started by arran, May 21, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    For people here who have tried or currently use Malware Defender's file and folder rules what are your thoughts on using it as a replacement to sandboxie?

    Because you can set it up so as your browser cannot download or create any new files or folders any where on C Drive, you can also make it so your browser cannot modify any existing files or Registry keys any where on C Drive. After doing this I found that at the end of each browsing session there was nothing there for Sandboxie to flush down the toilet. hence the reason why I no longer use Sandboxie. Because If Sandboxie has never got any thing inside it to Isolate from the harddrive then what is the point of having sandboxie running? Surley this must be a more effective and efficient method than using sandboxie. Because I am sure that most people would agree that its impossible to get infected without the creation of new files.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    not only for files/folders but critical areas of your operating system:system32/start up program/program files/system etc to denny writes/modify and only allow reading:thumb: mor effective than a sandbox i think whole control of the c:\* drive;)
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    In some ways it also Acts like a firewall.

    Because the creation of all new files are blocked any where on C drive, therefore all incoming files from the internet are blocked. This would have to be one of the most powerful security solution I have ever seen.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    C:\* full lock down;) default-denny:thumb:
     
  5. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    It sounds like you may have achieved isolation but how convenient is it for normal users? The point of Sandboxie would be compatibility with other apps and small conveniences like saving bookmarks. I'm not sure if you can create a rule in MD to allow bookmarks. Also, what about downloads and updating add-ons?

    If you want total isolation you could burn a small Linux distro and surf with it.
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I would have the rules disabled if I ever needed to do updating and add-ons Just like you have to run your browser outside of Sandboxie to do updates and add-ons.

    When ever I download anything MD gives me a pop up asking if the file can be created.

    as for book marks I haven't yet tried that, but I'm sure its possible I will keep u informed.
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Ok, that's what I thought but is it easy to disable the rules?

    Very interesting!

    Be careful, if it works you may be helping others create rules for IE, FF, Opera, etc. :D

    I'm not good with Windows inner workings and HIPS and that's why I use simple security programs and policies. I'll keep an eye on this thread and see if I can learn something.

    P.S. I was talking about running a linux distro by booting from the cd where it runs in memory only.
     
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    spending a few seconds to temporary disable rules so you can do updates isn't much of a problem considering its only once every few months.

    And the installed add-on's is normally done when you do a fresh install anyway.

    PS, still yet to fine tune rules for book marks, its just a matter of allowing access to modify certain existing files, the creation of new files is still blocked.
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    with FF speed tweaks and inbound filtering you will find that with caching disabled it makes no difference in browsing speed. with cookies cslite blocks all global cookies and lets u create a white list of sites that u need cookies for.
     
  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    But why would you need to have no script updated every week? is it a major security risk if you don't?

    From what Ive read most people using Sandboxie flushes the toilet after each browsing session. So all your cookies,caching, history etc is gone gone gone. So at the start of each browsing session it is always slow, so wouldn't it be better to instead use FF Tweaks and inbound filtering? That way you could also have fast browsing at the start.

    hmm you may have a point, depending on how and on how many files you download it could be an issue.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,060
    The other Sandboxie functions that would be a challenge, would be the start/run restrictions, and internet access restrictions.

    I don't allow anything but Opera, to run in my opera sandbox, but it would be tricky to say no other programs can run when I am using opera with MD. I can do this with SBIE. ALso in my Opera Sandbox nothing else can access the internet. But I have other software running that does need the access. Again that would be pretty tricky with MD.

    Pete
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,060
    Hi Arran

    Alway's being open to something new, I gave your approach a try, and was totally unsuccessful.

    Would you please post idiot level step by step instructions on how you did what you did.

    Thanks

    Pete
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    no no you don't understand how it works. It doesn't work the same way as a sandbox but it produces the same results as a sandbox by isolating your browser and all browser downloads and activities from the rest of the operating system.

    Other than your normal already installed programs there is nothing to restrict start run and internet access. Because no malware gets in in the first place.

    Think of it like this instead of the Battle taking place on your Territory on your pc inside Sandboxie the Battle has now been pushed forward out of your Territory into no mans land. By Blocking the creation on all incoming files.
    So seen how there is no malware coming in then there is nothing for Sandboxie to do as it is always empty, there is nothing there to be blocked from start run and internet access, and there is nothing there to flush down the toilet afterwards.
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    ok here is the rules of how I have done it. with MD it reads the rules from the bottom going up, not from the top going down like most firewalls. So you have your white list at the bottom and all other files and folders on C Drive blocked at the top.

    you actually don't need to disable any rules to add or remove book marks.

    The rules are very strict FF is only allowed to create / modify certain files with certain file names in certain places. As you can see most of it takes place in firefox/profiles/33mk3hx3 folder that is where FF operates and works from.

    For any downloads you will get a popup asking if the file can be created.
    If you are downloading lots and lots of jpg image files you can add this rule at the bottom.
    c:\documents and settings\awilliam\desktop\downloads
    *jpg
    and set all to permit and you won't get any popups.

    my setup is MD version2.1.1 FF version 3.0.5 with caching and ff virus scans disabled.

    It cauld do with some fine tuning but this is basically how.

    Next step is I will be working on Registry Key Rules soon.

    Any questions, just make a post.
     

    Attached Files:

    • ffr.JPG
      ffr.JPG
      File size:
      273.3 KB
      Views:
      49
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    By the way it is possible to do updates and change settings in FF without disabling MD rules, its just a matter of giving read / write permissions to certain files in certain areas. I just haven't got this far yet.


    And also I have not been able to do updates and addon updates with FF inside Sandboxie can any one else confirm? or is it just me?
     
  16. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    No I am not giving permissions for cookies and history to be remembered, I have cookies and history disabled. And every one else should also have these disabled.

    And the only files that can be downloaded is the files that you download which MD gives you a popup asking if the file from the internet can be created. all other files from the internet are Blocked.

    well there must a be a setting in sandboxie which I have missed to enable updatting for addons and FF updates and FF settings.

    Because for the updates and new settings to remain Permanent it has to be able to write to your main hard disk outside of your isolated environment.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is exactly how I use MD, see https://www.wilderssecurity.com/showpost.php?p=1360445&postcount=4

    Works like a charm and very fast, but I fear some replies are right, you need some knowledge to set it up that way.
     
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    I already have the general rules set up the same way, but this thread is more about file and folder rules.

    I notice your file rules are very limited for example c:/*
    you do know that to cover all layers it needs to be more like this?
    c:/*
    c:/*/*
    c:/*/*/*
    c:/*/*/*/*

    and Which are the replies that you fear are right?
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    Right so my original point still stands you can't do permanent updates while FF is running in Sandboxie. I take it that you never ever empty it out and flush the toilet.

    If you don't care about privacy and you don't care about getting tracking cookies then by all means enable global cookies and browsing history.

    And no I don't like Linux, How would I run all my windows apps and windows games on Linux? and MD is a hobby I am finding it quite addictive.

    and Defense wall still has a purpose.
     
  20. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    welp , i dont know how ppl even comapre SB to MD , both work differ.
    SB is a msut software for ppl who know jack s**hit on pc security , MD(paid only) / CIS(free) can be used as an addon , to increse the line of defense.
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    It gives me such a warm and fuzzy feeling that after surfing thru dozens of porn sites loaded with malware and crap, and I run cc cleaner after wards and this is what there is to delete.
     

    Attached Files:

    • ccc.JPG
      ccc.JPG
      File size:
      67 KB
      Views:
      4
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,060
    Hi Arran

    Thanks for the reply. I'll have to give it a play. But offhand, the time and effort to configure, is high, compared with sandboxie, which can now simply be configured at the gui.

    Pete
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Fear o_O

    Just select the radio button Files and Folders in MD and C:\ will be sufficient.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,060
    Well, I hate to burst the euphoria bubble, but I've been doing some testing this afternoon with real malware using this concept.

    Does it work. Well maybe if, I hope. Would I do this in place of Sandboxie. NO!

    First, I tested to be sure I was doing it right. Protected Winzip so it couldn't write to c: drive. Sure enough couldn't extract a file, so cool I understood. Did take a bit to get the hang of it.

    Then I took our old friend Killdisk. Added a rule for it protecting the c: drive. So long c: drive.

    Then I sandboxed IE, and ran it sandboxed, and ran Killdisk thru IE. Disk perfectly protected. Then I ran IE unsandboxed, but with the rules protecting the c:\*.* etc ad naeusum. Ran IE unsandboxed with rules in place and then ran Killdisk from IE. Bye Bye disk drive.

    In this case the reason should be obvious. Killdisk doesn't write files to folders, it uses direct disk access to screw up the partition table.

    So then I took another cheerful virus in the stable, that does do it's magic writing to the disk. First I created an MD rule for the virus with the c: drive blocked and sure enough MD stopped it dead. But wait, like I am going to know the virus file name ahead of time...I don't think so.

    So next I again put the c: drive rules in place on IE, and ran IE unsandboxed. Tested and sure enough could not download and save a file to the disk. Protection on IE working. Then I opened and ran the virus thru IE, and wham, totally infected.

    In summary, this technique while great, may well not protect you against nasties, in anyway like Sandboxie will.

    Pete
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I have restricted my browsers rights as much as I can with MD, But according to Defense wall's logs it is still Blocking certain Browser activities. Probably not serious but still I just like to have FULL CONTROL over all my programs behavior. It looks like Defense wall seems to cover areas that MD misses, I haven't had to time to properly investigate yet. And even tho it is highly unlikely that Defense Wall will ever have to deal with Malware on my pc, I just like to have FULL CONTROL over all my programs behavior and activities. And its not like my security setup is over kill they are very light on resources. That said there is a Remote possibility that I could download movie or image files infected with malware, so by default all movies and Images are run as untrusted. But in the whole 5 yrs out of all the movies and images I have downloaded I have never got 1 infected.

    Yes Sandboxie is a good product I am not saying it isn't. But other products like MD can also achieve these same results that you have mentioned. By the way I have discovered some thing interesting, from MD's logs firefox can create files outside of the sandbox while running inside sandboxie.

    No It wouldn't sacrifice usability and convenience, it is only the Blocking of creation of files downloaded from the internet via your browser that I am currently working on. All other files from within your operating system can be created as per normal by normal trusted programs.

    With regards to transferring files over and unzipping them from other hard drives. you can block the creation of any Executable files which may pop out during the unzipping process. Because MD has the ability to not only Block the creation of files in certain places but also has the ability to block the creation of certain file "TYPES" But this is for another discussion all together.

    I don't like SP3 features and I found it to conflict with certain programs. can't remember which tho. and I don't think Easter likes SP3 either.

    yea I know I have done that now, My Bad. I still had EQS rules in my mind lol.

    The blocking of the creation of file rules isn't for to control the BEHAVIOR of the viruses after they have been given permission to enter onto your harddisk and execute.

    The file rules primary purpose is to prevent them from entering onto your operating system in the first place. Not controlling their BEHAVIOR after they are already on your hard disk.

    If you want to test it get a list of malware infected drive by websites and surf thru them and see how many malware files the infected sites can drop onto your pc.

    I probably should have called the thread title instead
    MD's File and Folder rules an alternative to sandboxie for Browsing?
     
Loading...
Thread Status:
Not open for further replies.