OA/SBIE/DW Configuration

Discussion in 'other anti-malware software' started by SafetyFirst, Jul 13, 2009.

Thread Status:
Not open for further replies.
  1. SafetyFirst

    SafetyFirst Registered Member
    Joined: Jan 26, 2007
    Posts: 462

    Hi!

    On a newly installed XP Pro system I intend to use Online Armor, Sandboxie and DefenseWall.

    I would kindly ask you experienced guys to advise me how to configure these programs to optimally perform and coexist.

    Besides security (preventing malware from doing any harm to the system), privacy is a high priority too (the less writing to the disk the better).

    Plus, I plan to use PrivacyKeyboard too. Any possible conflicts?
     
  2. Blackcat

    Blackcat Registered Member
    Joined: Nov 22, 2002
    Posts: 4,010
    Location: Christchurch, UK

    I would reconsider first whether you need this trio of programs running together.

    Most people would recommend a layered defence but IMO, there are better combinations you could consider.

    Depending upon what other security software you have on your computer, choosing only OA (as a HIPS/firewall) and one of the "sandboxes", plus an AV, router and an Imaging/Rollback program may be a better bet.
     
  3. Keyboard_Commando

    Keyboard_Commando Registered Member
    Joined: Mar 6, 2009
    Posts: 690

    I have the same setup, presuming you're just using Online Armor as a firewall? No conflicts, so far, for me.

    Blackcat is probably right that an AV + DW or OA is a more traditional setup to go with. I use just the firewall of OA; the maker of DefenseWall says there are no conflicts with OA's HIPS and his program working together. I guess you'd notice if they were bogging your system down. That's my only concern with using both together. But anyway, I haven't had to change or set up DefenseWall especially to run with Sandboxie or OA; everything runs fine from that point of view. DefenseWall will just run the other two apps 'out of the box' perfectly.

    My Sandboxie config is set up to delete everything inside the sandbox on closing the application ... sandboxes for each application. (Sandboxie will prompt if you wish to recover any items (JPG or files) within the sandbox before auto deletion)

    This is the config for Firefox, and pretty much every sandbox:

    Appearance - Display a border = yes (just personal choice)

    Recovery - I've added Desktop, my default recovery place.

    Delete - Invocation - Automatically Delete

    Delete - Command - %SystemRoot%\System32\eraserl.exe -folder "%SANDBOX%" -subfolders -method DoD_E -queue -resultsonerror

    I use the Sandboxie recommended secure deletion application for better privacy HERE. Sandboxie help HERE explains it simply.

    TIP: if you decide to use Heidi Eraser, make sure you config it to run just 1 pass over = Pseudorandom Data. Open Eraser, click Edit, Preferences, Erasing. The default 32 passes will take FOREVER!

    Program Start - I have browsers forced

    Program Stop -


    Restrictions - Internet Access - PDF viewer - Firefox.exe
    Restrictions - Start/run Access - PDF viewer - Firefox.exe
    Restrictions - Drop rights - Ticked

    Resource Access (if you do find some application giving you trouble, you might find it works when added to the Direct Access or Full Access boxes; for example, Yahoo Messenger's voice option will not work unless added into Direct Access rights)

    Resource Access - Blocked Access (closed file path)

    • %Personal% (this will appear when adding My Documents)
    • \Device\MUP\ (appears when adding individual files)
    • I have added all other drive letters and USB Drive
    • C:\AUTOEXEC.BAT
    • C:\boot.ini
    • C:\ntldr
    • C:\NTDETECT.COM

    These below I'd use with caution. You may see problems with internet connection.

    • !,\Device\RawIp
    • !,\Device\Ip*
    • !,\Device\Tcp*
    • !,\Device\Afd*

    You can add files to be protected via copy and paste using Edit/Add

    Registry Access - Blocked Access

    (These below cover all start/run areas for greater protection)

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

    Registry Access - Read-Only Access ... I don't know the benefits of this option. I know some use it.

    I'd steer clear of IPC Access settings, other than leaving defaults

    Applications - Web Browsers ... unless you add direct access to bookmarks and history database you will lose any bookmark added while using Sandboxie.

    Security/Privacy - there is an Online Armor compatibility option to improve performance. Keyscrambler is a good option to add (I think it's ticked by default), if you use it.



    I haven't seen compatibility options for PrivacyKeyboard but Tzuk will no doubt help you should you get any problems. Another couple of things: Windows Update needs to run with full admin rights ... if you use Sandboxie to protect IE ... remember each time to remove IE from protection of Sandboxie. The same if you enable the Drop Rights/Run Safer option with IE, using OA firewall; remember to disable and run with full admin rights. With DefenseWall you're ok. DefenseWall leaves update to run normal admin/install. These are the only things I can think of, for now.

    Tally Ho!
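
Added example (not part of the original post): a small Python audit that checks a Sandboxie.ini sandbox section against the settings listed in the post above. It assumes the GUI options map to the Sandboxie.ini settings AutoDelete, DropAdminRights, DeleteCommand and ClosedKeyPath; the function names and the sample file are constructed for illustration.

```python
import fnmatch

CV = r"\Software\Microsoft\Windows\CurrentVersion"
# The eight keys the post lists under "Registry Access - Blocked Access".
AUTORUN_KEYS = [h + CV + "\\" + n for h in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
                for n in ("Run", "RunOnce", "RunOnceEx")] + [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System",
    "HKEY_CURRENT_USER" + CV + r"\Policies\Explorer"]

def parse_ini(text):  # setting names repeat, so keep a list of values per name
    boxes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current.setdefault(name.strip(), []).append(value.strip())
    return boxes

def norm(path):  # drop an optional "program.exe," prefix and a trailing backslash
    return path.split(",", 1)[-1].strip().rstrip("\\").lower()

def audit(box):
    findings = [f"{flag} is not enabled" for flag in ("AutoDelete", "DropAdminRights")
                if box.get(flag, ["n"])[-1].lower() != "y"]
    if not box.get("DeleteCommand"):
        findings.append("no DeleteCommand, so no overwrite on delete")
    closed = [norm(p) for p in box.get("ClosedKeyPath", [])]
    for key in AUTORUN_KEYS:
        # Assumption: a closed key also covers its subkeys; '*' matches any text.
        if not any(fnmatch.fnmatchcase(norm(key), pat)
                   for c in closed for pat in (c, c + "\\*")):
            findings.append(f"ClosedKeyPath does not cover {key}")
    return findings

# Constructed sample; the DeleteCommand value is the one quoted in the post.
SAMPLE = r"""
[Firefox]
AutoDelete=y
DropAdminRights=y
DeleteCommand=%SystemRoot%\System32\eraserl.exe -folder "%SANDBOX%" -subfolders -method DoD_E -queue -resultsonerror
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run*
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
[DefaultBox]
AutoDelete=y
"""
print({name: audit(box) for name, box in parse_ini(SAMPLE).items()})
```

The [Firefox] section passes with no findings, while [DefaultBox] is reported for missing drop rights, the missing delete command and all eight uncovered autorun keys.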
     
  4. wat0114

    wat0114 Guest

    Hi Keyboard_Commando,

    Wow! you have practically a bullet-proof configuration with those settings :thumb: It's more than I do (I don't protect registry keys, Resource access or use read only) but no doubt you have little to worry about ( or nothing to worry about :D ) regarding browsing security.
     
  5. SafetyFirst

    SafetyFirst Registered Member
    Joined: Jan 26, 2007
    Posts: 462

    Many thanks, guys, especially to you, Keyboard_Commando, for your excellent reply!

    One thing: you said you use one pseudorandom pass to erase the sandbox, and your command line says you use DoD method, which is a 3 or 5 pass method?

    Another thing, just out of curiosity, what happens if you set DW to run Sandboxie as untrusted? How would Sandboxie behave? :blink:

    Some of you think that OA/SBIE/DW setup is overkill, and I thought to add Shadow Defender and Malware Defender? :doubt:
     
  6. Keyboard_Commando

    Keyboard_Commando Registered Member
    Joined: Mar 6, 2009
    Posts: 690

    Hi there.

    https://www.wilderssecurity.com/showthread.php?t=240008&highlight=sandboxie+configurations
    Some other Sandboxie Configs there ^^

    For Heidi Eraser (if you use it) I meant it adds a right click explorer extension to erase files, but the default is set to 32 passes for some reason (they might have changed it now), you have to manually set to your needs.

    Random 1 = 1 | DoD_E = 3 passes | DoD = 7. The DoD_E is fine, though, it's quick. There is another secure deletion tool recommended on Sandboxie's site but I haven't tried that one, might be less hassle than Heidi Eraser. Eraser does add itself as a start up, I had to manually remove, I think it's in scheduler tab unticking start at boot.

    DW runs parts of Sandboxie untrusted (from what I can see) ... apart from the service component (might have it wrong) ... Dcom and Rpcss for Sandboxie are in untrusted when it's running. I'm sure someone else knows a bit more and can explain.

    The only thing I notice is a little slow down with the deletion of sandboxes when using DW with Sandboxie (about 2 seconds more). Might be worth trying the other deletion method and see if it's any better. It's not annoyingly slow, for me, and Sandboxie works fine. Of course Sandboxie's delete is ok too, just depends if you're concerned with privacy.

    If you have a good backup plan, and you're smart about where you browse and what you download (have an on call scanner) I think DW and Sandboxie can be a decent AV alternative way to go. So far ok for me.



    wat0114, I would be almost ... almost confident enough to just run Sandboxie as my browsing security. :) I bet quite a few just run Sandboxie.
     
    Last edited: Jul 15, 2009
  7. Franklin

    Franklin Registered Member
    Joined: May 12, 2005
    Posts: 2,517
    Location: West Aussie

    Would you have to worry about a secure deletion of the sandbox if using a ramdrive as Sandboxie's container folder?
     
  8. Keyboard_Commando

    Keyboard_Commando Registered Member
    Joined: Mar 6, 2009
    Posts: 690

    I have mine set up with the container in a ram drive ... I guess it's kinda overkill, secure deletion, all traces should be dumped from memory at reboot.
     