Question about experimental protection Sandboxie...

Discussion in 'sandboxing & virtualization' started by CoolWebSearch, Feb 13, 2013.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,211
    Tzuk specifically said:
    Differences between 64-bit Experimental Protection and 32-bit Protection:

    1. There is no kernel mode protection for use of the EndTask API to terminate processes outside the sandbox.

    2. There is no kernel mode protection that can prevent malware setting the password for a user account which does not have a password set.

    3. There is no kernel mode protection that can prevent a program from writing event messages to the Windows logs.

    Note that Sandboxie does offer user mode protection for all these things, in this version as well as past versions. However, it must be noted that user mode protection is weaker than kernel mode.

    All in all, these are trivial differences and I think it is safe to say that with Experimental Protection enabled, 64-bit Sandboxie can now offer 99% of the security of 32-bit Sandboxie.

    Edit:

    One more detail I should mention about the differences. Where the 32-bit version is able to completely deny access to a resource, where necessary, the 64-bit version cannot do this. The 64-bit version can still prevent mis-use of the resource, but to be extra sure, the 64-bit version will immediately terminate any program that is misbehaving and issue a message - SBIE2314 Canceling process.

    http://www.sandboxie.com/phpbb/viewtopic.php?t=10201

    So does this all mean that SBIE cannot protect against kernel-level threats anymore?
     
  2. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    343
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,211
    Believe it or not, the reason I gave myself this name is because my computer was infected with this nasty spyware; I had to re-install the whole system from scratch.
    But I didn't know there was a program which could actually delete/remove this spyware.
    Bah...
    Now, this infection is present in the real world (sorry for a bad joke here).
     
  4. jna99

    jna99 Registered Member

    Joined:
    Apr 18, 2012
    Posts:
    94
    Location:
    127.0.0.1, Netherlands
    You could also try Sandboxie 4.01 beta; it uses a different approach to the 64-bit part of the protection.
    I believe, and I'm not very technical, that Sandboxie 4 does not use "hooks" into the kernel.
    But it uses a different method; what that new method is, is a bit beyond my knowledge, and I can't answer that part.
    But you should try the version 4 beta and read what tzuk wrote in the 4.01 beta section on the Sandboxie forum.

    The "experimental 64-bit" option is removed in the beta version 4 and is not needed anymore, and still it has the same protection or maybe a bit better, but that is something I can't verify or confirm. But Tzuk mentioned that the protection should be the same.

    Maybe someone else can give some better explanation about sandboxie 4 beta.
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,211
    I don't use betas, I use SBIE 3.76, but if SBIE in this version on 64-bit systems uses user-level hooks, they are much less secure than the kernel-level hooks used on 32-bit systems.
    And anyone using kernel-level programs/bypassing/hacking can bypass SBIE (on 64-bit systems).
     