MD's File and Folder rules: an alternative to Sandboxie?

Discussion in 'other anti-malware software' started by arran, May 21, 2009.

Thread Status:
Not open for further replies.
  1. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Sandboxed programs that use system services will have those services taken over by Sandboxie, and if you have Internet Access limited to just those programs you specify, any other programs will be denied internet access.
    http://www.sandboxie.com/index.php?ServicePrograms
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,155
    So what you guys are saying is that it is not possible for anything that is running inside the sandbox to give instructions to a program outside of the sandbox whether it be a browser, system service or any other app to make outgoing connections??
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    You're missing the point though. Since the malware would have to be initiated via the browser, it would be subject to the same policy restrictions as the browser; therefore, if Firefox was blocked from accessing a particular folder, then so would be any malware brought into the sandbox by it. The malware doesn't limit itself in what it can do, but the configuration of SBIE does limit it greatly.
     
  4. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's correct as long as the sandbox is configured to only allow the browser network access. Also, if you deny the browser permission to communicate with any other app, then even if it somehow partially bypasses SBIE it won't have any access rights to any of the blocked items anyway. An analogy would be if the sandbox were a jail cell and you are the prisoner: you find a loose brick and remove it, allowing you to stick your arm out of the cell, but you still remain imprisoned.
     
    Last edited: May 27, 2009
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Arran, yes. Myself and other users constantly put Sandboxie through its paces with real malware. No, it may not block it from acting like it is supposed to, but it doesn't break out and infect the system. There have been many similar claims, and they don't hold up. Usually operator error. So your claim, substantiated only by "you were a newbie and don't have the sample", doesn't wash.

    I totally am impressed by what you've showed you can do with MD, but if you claim sandboxie has a flaw, I am going to challenge you unless you can provide proof.
     
  6. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Yes. That is true. Let's say that you have keylogger.exe on your system already. That exe may in fact signal out just on its own, but if for some reason a sandboxed program contacted your existing keylogger.exe, that would put the action in the sandbox. Then, if you have Internet Access set up, it could not contact out. Let's say you have virus.exe already on your real system and a sandboxed program issues the order "Destroy computer": that will also happen in the sandbox.
     
  7. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Yeah, it takes a lot of getting your head around to try and understand the full nature of Sandboxie, but it does offer an amazing degree of security. Tzuk is something of a genius IMO.
     
  8. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I guess I have repeated myself many times. A malicious keylogger could attach itself to the web-browser as an add-on from a website with hidden script.

    A buffer overflow exploit can use your web-browser to do harm to your real system. If you allow your web-browser to communicate outside the sandbox, of course.

    A HIPS app. will protect you from the above two threats.
     
  9. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    The POCs again show that there is a possibility that, in the near future, Sandboxie can be bypassed by "real malware", as you people seem to put it.

    Malware, in my opinion, is anything that does harm to your OS, be it freezing your mouse or wiping your hard disk. The POCs did harm the system despite running under the supervision of Sandboxie. So, the conclusion is, Sandboxie was bypassed.
     
  10. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Just like any of your add-ons would. It will sit there innocently on the browser toolbar, and everything you type will be logged, gift-wrapped and delivered to the author of that marvelous add-on to puncture holes in your bank account.
     
  11. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Why is there even a need to "fix"? The malware was not supposed to freeze your system forever. It was supposed to freeze until restart. It was ABLE to freeze until restart. Hence, bypassed.

    The way it should be viewed is: "Sandboxie was bypassed by the POC, but since it is fixed by a simple restart, I can live with it. It is a BYPASS I AM NOT WORRIED ABOUT."

    Are you saying that if a virus, from within a sandbox, managed to corrupt your system files, and the damage disappeared right after a reboot, it wouldn't be a bypass?

    What exactly is the criteria for bypassing a security app.?
     
  12. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I don't know much either, but it is like a drive-by download. It is a matter of visiting a website that drops malware onto your system without the user having to click anything. Sorry, I cannot give a technical explanation. It is beyond what I can comprehend.
     
  13. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Any HIPS will prevent BO exploits. Even a simple anti-executable cannot be penetrated by BO attacks.

    COMODO's BO protection is just another layer, which again is not 100%.
     
  14. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Sorry, got it wrong. I think an anti-executable will protect only if the BO makes the web-browser spawn a new executable. If the web-browser is itself made to do the damage, then a HIPS will have to come in.

    I was wrong about Sandboxie too. It will prevent a BO, the same way a HIPS would. But not the way you think: default-deny. I also take back what I said about Sandboxie failing against script-based add-on keyloggers. There is a way you can configure Sandboxie to prevent it (I discovered the method after a bit of experimentation with CIS).

    But I stand by my opinion that the POCs did bypass Sandboxie.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's see. If I repeat this a hundred times it must be true.

    Sandboxie, for the hundredth time, does not control things. I got a pretty nasty virus. When you run it you see all kinds of things pop up on the desktop before you get the final screen display. Reboot the system and you discover the virus owns the system.

    Run it again, sandboxed, and you will see exactly the same display, that is, until you reboot. Then you discover your system unchanged. Everything the virus did is contained in the sandbox and goes away. The system is intact, and Sandboxie wasn't breached.

    Never mind POCs, I've got another trojan that does indeed wipe out the hard disk. Run it sandboxed and the disk is protected just fine.

    As for keyloggers, phewy. So a keylogger gets attached to my browser. Big deal. The last thing I do before going to a critical site is close the browser and let the sandbox empty. Bye bye keylogger.

    How many times do we have to explain this o_O?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It can't, pure and simple. I have another less than lovely malware that runs around your hard disk encrypting all txt, doc, xls, etc. type files. Then at the end it gives you an address to send money to for the unlocking mechanism. Lovely.

    Running it sandboxed, it indeed does its deed, ONLY the encrypted files are all written in the sandbox, not on the real system. Then at the end you still get the payment message. But all the encrypted files were indeed written in the sandbox. Delete the sandbox and bye bye.


    You know I have to comment here. I only challenge this nonsense for the sake of new readers, who may only first be hearing about Sandboxie. Those that make these "it can be bypassed arguments" don't concern me. They don't have to use Sandboxie. Their choice and loss.

    Pete
     
  17. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I did state earlier that it will be a bypass only if the POCs need to communicate outside the Sandbox, and are able to do so.

    During your test, if the malware (which did weird stuff to the desktop) did what it did without breaking the Sandbox, then it is not a bypass. Very difficult to believe, though, that what is happening inside the sandbox could affect the real system. Now, that is a worry in itself!

    ssj100, for Firefox, just deny it permission to write to its profile folder. It is usually "C:\Documents and Settings\%User Profile%\Application Data\Mozilla\".
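    To make the two configurations discussed in this thread concrete (browser-only Internet access and no inter-app communication in post 4, and the read-only Firefox profile folder in the post above), here is a Sandboxie.ini sandbox section written as an added example. It is not from the thread or from Sandboxie's own documentation; the key names and the `!program.exe,` prefix follow Sandboxie.ini conventions as I recall them and are assumptions to check against the documentation for your version, the sandbox name is made up, and `<username>` is a placeholder.

```ini
; Added example, not from the thread. Sandbox name is made up; key syntax is
; assumed from Sandboxie.ini conventions and should be verified for your version.
[FirefoxBox]
Enabled=y

; Always run the browser inside this sandbox (assumed key: ForceProcess).
ForceProcess=firefox.exe

; Internet Access: deny the network device to every sandboxed program except
; the browser. "!program" is assumed to mean "all programs except this one".
ClosedFilePath=!firefox.exe,\Device\Afd*

; Start/Run Access: only the browser may start or run programs in this box
; (assumed key: ClosedIpcPath with the same "!program" prefix).
ClosedIpcPath=!firefox.exe,*

; Read-only Firefox profile folder, per the post above (assumed key:
; ReadFilePath, meaning reads succeed and writes fail rather than being
; copied into the sandbox). <username> is a placeholder.
ReadFilePath=C:\Documents and Settings\<username>\Application Data\Mozilla\
```

    The first three lines express the jail-cell point from post 4: even code that runs inside the box has no network path and no other process to hand work to except the browser itself. The last line is the usability trade-off post 19 refers to: a profile folder that cannot be written means Firefox's own session, cache and add-on writes fail inside the box, so a browser-level prompt (as the thread suggests with CIS) is the more practical place to control add-on installs.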
     
  18. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    @peter

    Good that you have the patience to reply 100 times to all the stupid replies about Sandboxie. The bad part is people don't ask, they just write a bad/misleading statement, giving other/new users a bad/wrong impression, in this case of SB.

    cheers
     
    Last edited: May 28, 2009
  19. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Yep, and there is your 100%. Usability will certainly take a hit if you enforce the restriction through Sandboxie. Rather do it with CIS and configure it to "ask" every time Mozilla tries to write to it. Block all the alerts, except when it is you doing the installations or updates.

    The thing is, all that configuration is unnecessary and redundant, since Firefox will do a perfect job of alerting the user every time any such installations occur.
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,155
    You do have a good point here.


    Kinda like my File rules. I forgot about the CIS file rules.
     
  21. wat0114

    wat0114 Guest

    As a huge proponent of both SB and MD, they satisfy the needs of those who either want to tweak to their heart's content in order to achieve near bullet-proof security (MD), or those who want a virtually bullet-proof setup without having to answer alerts (SB).

    This latter scenario was the obvious choice for my kid's old pc, so Sandboxie (paid) is the only security app on it: no AV, HIPS, firewall (except XP's built-in) or anti-spyware. The machine runs light and whatever trouble they might get themselves into will all be flushed down the cyberspace drain when they close SB, as I've got it set up to force internet-facing apps to run in it, as well as other tweaks bred from ideas I gleaned from these forums.

    I have utmost confidence in it to secure the machine without the need for other security measures that will only grind this poor dog of a machine to a snail's pace cadence :)
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What you are missing is that, with the exception of installing drivers or starting services, which are blocked, Sandboxie is copying into the sandbox the system pieces (like the registry) that it needs to run. So what you see on the screen seems to be the real system, and the program thinks it's the real system, but in reality it is taking place inside the sandbox.

    As for usability, once configured the first time, it's set and forget. The only difference is if you want to capture a downloaded file. One click.
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    DW is a very good app.
     
    Last edited: May 28, 2009
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Franklin,

    Please keep it easy, keep it sandboxy (as I mentioned in my post nr. 54 https://www.wilderssecurity.com/showpost.php?p=1474058&postcount=54).

    It becomes very fuzzy when you start to praise DW. I would understand if you had said something like: the second best security program in the world (of course SBIE is the best) is also very good.
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,155
    Seeing how you will now be cleaning out your sandbox more often to avoid keyloggers, this would now mean that you would have to run your browser outside of the sandbox to do weekly updates :D
     