New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
I see you have 2.7 Pro and I still have 2.6 Pro (paid for, no trial). Did I miss a new Pro, or is it not out yet?
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @siketa

    Thank you for reporting the text bugs, we'll fix them in the next version.

    @SIR****TMG

The current version is 2.7.0; you should have received the download link by email. I can send you the download link by PM if needed, let me know by PM.
     
  4. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
I'll update my PC and laptop today. Thank you... PM was sent to you.
     
    Last edited: Oct 25, 2012
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Is "Auto update" feature going to be included in the next version or later?
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
The Auto Update feature will be included in v2.7.2, as it should take a few weeks considering the tests needed.
     
  7. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Thanks, nvt!
    I'll wait, test for bugs and purchase it then.
    :)

BTW, I am not satisfied with your email support.
    I have sent two emails asking for a Pro trial and got no response at all.
    This forum is a completely opposite experience.
     
    Last edited: Oct 25, 2012
  8. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Usability improvements:
    Master Password Security is enabled.

1) If you enter the password in the pop-up when asked to approve an action, it doesn't accept pressing the <ENTER> key on the keyboard. You have to move the cursor with the mouse/touchpad and then press the "Ok" button.
    I think this should be changed to accept <ENTER> to confirm.
    It is faster and more convenient.

    2) Help file should be updated. It still reflects menus and options from older versions.


    GUI text change:

    1) It is better to use "OK" than "Ok" text in button.
     

Attached file: 1.jpg (12.1 KB)
    Last edited: Oct 25, 2012
  9. chris1341

    chris1341 Guest

Got fed up waiting for the trial so purchased. I find it a very odd AE, I'm afraid, and I'm regretting my decision. In my testing, processes started by whitelisted apps seem to be able to run without any intervention by ERP on this Win 7 x64 box.

For example, I put ERP into Lockdown, downloaded a bog-standard exe, tried to run it and, as expected, it was blocked. So far so good. However, run the same exe in my test sandbox via 'right-click > send to' and the exe runs, I assume because Sandboxie processes are whitelisted. (I had to whitelist Sandboxie, as it is blocked in Lockdown otherwise.)

Similarly, I took another bog-standard exe blocked by ERP and compressed it with WinRAR. When I uncompress it using WinRAR, the file will execute again from the temp directory, again I assume because WinRAR is whitelisted. (Again, because WinRAR has to be whitelisted in Lockdown.)

Can anyone confirm this? Happy to say I'm missing the point and have got it wrong, or I'm testing it inappropriately, if that's the case, but surely you can't have an AE that allows trust to be inherited.

    Thanks
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
IE is whitelisted.
    When I run files from malc0de, all of them are properly blocked.
    That is the most important thing for me, because if my AV is bypassed, NVT jumps in to protect me.

    I can only guess, but I think it is expected behavior regarding Sandboxie, because it is run virtualized in the sandbox and not in the real system.
    Just my 2 cents....
    I still have to test the WinRAR scenario....
     
  11. chris1341

    chris1341 Guest

Can't replicate the WinRAR thing now, but the Sandboxie issue is real for me. Executable files run in the sandbox but are blocked outwith; dozens of examples now, including real malware, happily contained by SBIE. Run outwith the sandbox, ERP blocks.

    That means it's no use for me; I would only use it if it complemented SBIE virtualisation. Oh well, back to AppGuard and/or Start/Run restrictions.

    Uninstalled, but kept one log of an app (CCleaner) installed and running inside SBIE but blocked outwith, if NVT want to see it.

    Cheers
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @siketa

    Usability improvements will be added. Thank you for the suggestions ;)

    @chris1341

    I tried to reproduce your issue:

    1) EXE inside RAR issue

- I added the 7-Zip process to the whitelist
    - I compressed the file notepad.exe in ZIP format
    - Then I opened notepad.zip with 7-Zip and double-clicked on the item "notepad.exe"
    - The execution of notepad.exe was detected by ERP, see the image below:
    http://postimage.org/image/5j9pn23yl/

    2) Sandboxed processes

Basically, let me explain what happens: if you run a process that is inside the sandbox and it is used to run another process, everything is done inside the sandbox itself. As long as the process does not bypass SBIE, ERP cannot detect the execution of the process, as it is executed inside the SBIE system. If malware successfully bypasses SBIE and then tries to run itself in your real system (started by an SBIE process or by any other process), it will be detected by ERP, as the real system is monitored by ERP.

    More details about parent processes (not related to previous text):

If you add a process named A to the whitelist and it tries to execute a process named B, ERP is able to detect the execution of process B; it does not matter if the parent process is whitelisted, the execution of unknown processes is detected (or blocked in Lockdown Mode) by ERP.
     
    Last edited: Oct 25, 2012
  13. chris1341

    chris1341 Guest

Yeah, as noted, I can't get the WinRAR thing to fail again. Perfectly willing to say I got that wrong the first time. Apologies for that.

    However, your logic on SBIE I don't quite get. The reason is that malware does not have to escape the sandbox to do damage. If you take a keylogger as an example: if it downloads and installs in the sandbox, it can easily steal your details without ERP saying anything. There are other scenarios that we confirmed SBIE users tweak SBIE settings to cater for.

    I was hoping ERP would be complementary to SBIE, i.e. SBIE virtualises, ERP prevents unwanted execution in the virtualised environment. You've confirmed that doesn't happen.

    As an aside, as a long-term user I know SBIE's capabilities. I know it can prevent execution on its own, I know even dropping rights would have prevented this, but I like my security software to work independently from and in conjunction with the overall plan. That won't happen here.

    For information AppGuard, Faronics and Comodo 'deny unknown' all work inside a SBIE sandbox.

    Cheers
     
  14. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,102
Hi chris.
    I'm sorry to be off topic here, but I'm a user of Sandboxie and you seem experienced in its use, and I would be very interested in your settings to harden Sandboxie and make it as secure as possible.
    Thanks. :thumb:
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    No software is perfect.
    You should use NVT along with AV (for detection) and FW (to block outbound traffic).
At least, you could add a decent antikeylogger to complement your protection (SpyShelter, Zemana, etc.).
    BTW, CIS 5.x at default settings is vulnerable to keylogging.
    You have to raise settings and manually add some protected D+ entries in order to block it.
     
  16. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,102
I use the settings as suggested by chiron and others, to protect against ransomware.
    Are there any other settings I should be made aware of? *puppy*
     
  17. chris1341

    chris1341 Guest

    I've used SBIE a long time (longer than I've been a member here), whether that equates to experience I'm not sure.

    Plenty here who really know this product. Sully, Bo Elam and pegr among others I sit up and pay attention to when they talk about SBIE. It is those guys you really should listen to. Anything you need please post in the sandboxing/virtualisation forum and you'll get wider and more informed view than mine I'm sure.

No doubt, siketa, if there was a panacea we'd all be using it, but we're all allowed to post our experiences. If a product, no matter what it is, does not meet your expectations, why shouldn't you highlight it?

    For clarity, I don't use products that 'should' be used alongside a real-time AV.

    Let's keep this topic about ERP.

    Regards
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @chris1341

I have not yet played with SBIE and ERP, but I believe there are some tricks (such as from SBIE you can select an external DLL to load into all processes; see Buster Sandbox Analyzer, for example) that should allow ERP hook modules to be loaded inside the sandbox. Next week I will see what can be done to probably allow ERP to work inside the sandbox.
     
  19. chris1341

    chris1341 Guest

    Much appreciated. Thanks.
     
  20. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Any possible release dates of the next version?
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
Next week we should release v2.7.1.
     
  22. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    I'm new to the program and thread. Am I correct that I will receive an email with a download link when the new version is out?
     
  23. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
Yeah, that is true.
     
  24. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Thanks :thumb:
     
  25. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I have a suggestion regarding usability improvement.

When Lockdown mode is turned off, all "trusted" applications (both options "Allow Windows Protected Processes" and "Allow Softwares from Program Files folder" are checked in Settings) are run with no pop-ups. Great!

    After enabling Lockdown mode, those two options are ignored and you get lots of Blocked pop-ups for "trusted" applications. Then you have to go to the Events tab and manually put each one of them in the whitelist. And "trusted" applications can trigger many processes (pop-ups). Hmmmm!

    Let's make a "new" Lockdown mode which will not ignore already "trusted" applications if those two options in Settings are checked.

    This "new" Lockdown mode would be the same as Comodo's Defense+ "Treat unrecognized files as Blocked" option, and it would still be immune to digitally signed/unsigned trusted malware that can now bypass Comodo. It would not give you any pop-up for already "trusted" files, and users (especially novices) would not have to deal with pop-ups and manual whitelisting.

    So, basically... it would behave the same way as when it is disabled, but would automatically block new "unknown" processes with only a single Blocked pop-up.
    No usual multiple "Allow Once/Block Once....." pop-ups. If you are sure that the process is safe, go to Events and whitelist it.
    Plus, you would save the time needed to "train" your NVT about the apps/executables in your system.

    Can you evaluate this idea and check for potential risks?

    Best regards.
     
    Last edited: Oct 26, 2012
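The two policy questions raised in this thread, whether a whitelisted parent process should confer trust on the children it launches (post 12) and how a Lockdown mode that still honours "trusted by location" would differ from the current one (post 25), are easy to reason about with a small model. The following is an added example written for this page, not code from NoVirusThanks or from ERP itself; the mode names, the `protected` attribute and the sample paths are assumptions made for illustration. It evaluates each process-creation event on the image being started, never on its parent, and uses `ntpath` so the "Program Files" check survives case differences, forward slashes, `..` traversal and a look-alike directory such as `C:\Program FilesEvil`.

```python
import ntpath
from dataclasses import dataclass

# Constructed sample data for this example; not rules, paths or logs from ERP.
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")


@dataclass(frozen=True)
class ExecEvent:
    """One process-creation event as an anti-executable driver would report it."""
    image: str               # image path of the process being started
    parent: str              # image path of the process that started it
    protected: bool = False  # stand-in for "Windows protected process" (assumed attribute)


def norm(path: str) -> str:
    # Collapse "..", unify separators and case:
    # "c:/Program Files/../Users/x.exe" -> "c:\users\x.exe"
    return ntpath.normcase(ntpath.normpath(path))


def in_trusted_root(path: str, roots=TRUSTED_ROOTS) -> bool:
    """True only if path lies strictly below one of the trusted roots.

    The trailing separator matters: without it "C:\\Program FilesEvil\\x.exe"
    would pass a plain prefix test. Location-based trust also assumes the
    root is not writable by the user; that is an ACL property, not something
    this check can verify.
    """
    p = norm(path)
    return any(p.startswith(norm(r) + "\\") for r in roots)


class Policy:
    # "normal":           unknown -> prompt, trusted-by-location/protected -> allow
    # "lockdown":         current Lockdown per the thread: only the whitelist is honoured
    # "lockdown_trusted": the proposed mode: trusted-by-location/protected still allowed,
    #                     everything else blocked silently
    MODES = ("normal", "lockdown", "lockdown_trusted")

    def __init__(self, mode, whitelist=(), allow_program_files=True, allow_protected=True):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.whitelist = {norm(p) for p in whitelist}
        self.allow_program_files = allow_program_files
        self.allow_protected = allow_protected

    def is_trusted(self, ev: ExecEvent) -> bool:
        if norm(ev.image) in self.whitelist:
            return True
        if self.allow_protected and ev.protected:
            return True
        return self.allow_program_files and in_trusted_root(ev.image)

    def decide(self, ev: ExecEvent) -> str:
        """Return 'allow', 'prompt' or 'block'. ev.parent is deliberately never consulted."""
        if norm(ev.image) in self.whitelist:
            return "allow"
        if self.mode == "lockdown":
            return "block"
        if self.is_trusted(ev):
            return "allow"
        return "prompt" if self.mode == "normal" else "block"


def decide_with_inherited_trust(policy: Policy, ev: ExecEvent) -> str:
    """The flawed variant the thread worries about: a whitelisted parent makes any child allowed."""
    if norm(ev.parent) in policy.whitelist:
        return "allow"
    return policy.decide(ev)


if __name__ == "__main__":
    wl = [r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Windows\explorer.exe"]
    dropper = ExecEvent(r"C:\Users\bob\AppData\Local\Temp\dropper.exe", wl[0])
    firefox = ExecEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", wl[1])
    for mode in Policy.MODES:
        pol = Policy(mode, wl)
        print(f"{mode:17} dropper={pol.decide(dropper):6} firefox={pol.decide(firefox):6} "
              f"dropper-with-inheritance={decide_with_inherited_trust(pol, dropper)}")
```

Run as a script it prints one line per mode; the dropper launched by whitelisted WinRAR is blocked in both Lockdown variants and only the deliberately flawed `decide_with_inherited_trust` lets it through, while Firefox under Program Files is blocked only in the current-style Lockdown, which is the pop-up storm described above.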