Question - can SBIE alone make it for your security scheme?

Discussion in 'sandboxing & virtualization' started by Sully, Dec 23, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, this is a serious question.

    I have dropped all other methods and been trying what I am about to describe for a few months now.

    I really just wanted some input from others as to why or why not this would work for them. Yes, I understand some have specific needs or desires. But put that aside, and consider that you were using this method. What would you see as its pros and cons? I ask because I like it so far, but I also realize I don't always think of everything, so others' input can help to bring to light things I might have overlooked.

    First, I have 3 harddrives and a local file server with additional removable hdds/mem stix. I have a new hdd with my data I wish to keep on it, and usually rotate a new hdd in place every 3 years. I also have data backed up to optical or removable hdd if it is really important. So from the standpoint of data integrity, this proposed setup is not one of 100% data integrity, but more for the small amount of data not currently backed up yet and for the convenience of having most of my stuff on a local hdd.

    So I have been using Macrium Reflect personal to make my images and Sandboxie along with SRP as the only forms of security. I am running as Administrator only because I do admin actions all the time and being a User is not conducive to what I do on a computer (other than playing games).

    I will lay out what I have done.

    1. I always make my c: drive/partition small, usually <100gb, but lately only 20gb. I install XP here and customize it, installing only small softwares, nothing large like games or program suites. Just the basic everyday stuff.

    2. I make a 'baseline' image of a normal install to 2nd hdd.

    3. I put SRP rules in place for browsers, email clients, media players, and essentially any normal application that I might use that goes online.

    4. I make a new image, something like 'srp ready'.

    5. I create a few special folders that SRP applies to for downloading items into and testing. I install SBIE and force much of the same programs I use SRP on, along with those download directories.

    6. I make another image titled 'net ready' or something.

    7. I now have my basic images. As I add new settings or applications, I will fresh load one of these images, install the new features, then make a new 'current' image. The images I archive on a 1tb hdd, so I can go back and forth between images if one is not quite to my likings. I never store anything of value on the c: other than in very specific locations (download and storage folders) so that before I re-image I know right where to look for things that I might want to keep permanently (as imaging will remove those).

    8. I install programs into c:, and copy/paste their contents to storage drive and export their registry entries if needed. Now when I restore an image most of my software actually lives on d:\program files, and this keeps them across image restorations and I normally do not have any problem with this method. This way large programs can be installed there.

    9. I have created a BartPE image that sits on c:, and there is an entry in the boot.ini that allows the boot option to start BartPE in ram. This way, when I want to restore an image to c:, BartPE boots in about 30 seconds, I start the Macrium plugin, choose my image file etc, and restore the image. The whole process takes about 5 minutes. This is largely due to the fact that my image is only about 4 gb because large programs are not installed into c:. It also means an average of 3 minutes to create a new image.

    At this point, I have no firewall (but do use a router), no AV, no AS/AM, no HIPS. My browsers and other network apps are both (for the most part) restricted to User level and forced into a sandbox that is fairly restrictive. I have done some other things like take user rights away from some directories and registry keys.

    So, that is it. Nothing really fancy. A virus could attack, a malware could install. I might not even know it (except for the fact that I know what processes run etc etc). It has thus far been the most pleasant security setup I could have. I reimage when I want because my c: does not have anything really to lose in it.

    What would you think about running this? Good or bad?

    Sul.
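    As an added illustration of step 5 of the scheme above (not code from the original post or from Sandboxie itself), the following script parses a constructed Sandboxie.ini and checks that every network-facing program and every download folder from the SRP list is actually forced into an enabled sandbox, and that the sandbox drops admin rights, since the scheme runs as Administrator. The key names ForceProcess, ForceFolder, DropAdminRights and ClosedFilePath are classic Sandboxie.ini settings; the box contents, program names and paths are made-up sample values.

    ```python
    """Audit a Sandboxie.ini for gaps in a 'force everything that touches the net' scheme."""
    from typing import Dict, List

    # Constructed sample Sandboxie.ini (not taken from any real system).
    # ClosedFilePath keeps sandboxed programs away from the d:\program files
    # store, so a sandboxed download cannot tamper with programs kept there.
    SAMPLE_INI = """\
    [GlobalSettings]
    FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

    [DefaultBox]
    Enabled=y
    ForceProcess=firefox.exe
    ForceProcess=thunderbird.exe
    ForceFolder=C:\\Downloads
    DropAdminRights=y
    ClosedFilePath=D:\\Program Files\\
    """


    def parse_sandboxie_ini(text: str) -> Dict[str, Dict[str, List[str]]]:
        """Parse into {box: {key: [values]}}. Keys may repeat, so values are lists."""
        boxes: Dict[str, Dict[str, List[str]]] = {}
        current = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                boxes.setdefault(current, {})
                continue
            if current is None or "=" not in line:
                continue
            key, value = line.split("=", 1)
            boxes[current].setdefault(key.strip().lower(), []).append(value.strip())
        return boxes


    def audit(text: str, net_programs: List[str], download_dirs: List[str]) -> List[str]:
        """Return a list of findings; an empty list means no gaps were found."""
        boxes = parse_sandboxie_ini(text)
        findings: List[str] = []
        forced_procs, forced_dirs = set(), set()
        for name, cfg in boxes.items():
            if name == "GlobalSettings" or cfg.get("enabled", ["y"])[0].lower() != "y":
                continue  # only enabled sandboxes actually force anything
            forced_procs.update(p.lower() for p in cfg.get("forceprocess", []))
            forced_dirs.update(d.lower().rstrip("\\") for d in cfg.get("forcefolder", []))
            if cfg.get("dropadminrights", ["n"])[0].lower() != "y":
                findings.append(f"{name}: DropAdminRights is not set; sandboxed programs keep admin rights")
        for prog in net_programs:
            if prog.lower() not in forced_procs:
                findings.append(f"{prog} is not forced into any enabled sandbox")
        for folder in download_dirs:
            if folder.lower().rstrip("\\") not in forced_dirs:
                findings.append(f"{folder} is not a ForceFolder; files launched from it start unsandboxed")
        return findings


    if __name__ == "__main__":
        for finding in audit(SAMPLE_INI, ["firefox.exe", "vlc.exe"], ["C:\\Downloads", "C:\\Test"]):
            print(finding)
    ```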
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Sul,

    EDIT:

    I removed my comments, since after reading your second post, I see I misunderstood what you were asking.

    regards,

    -rich
     
    Last edited: Dec 24, 2009
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    Hi Sul

    To answer your basic question, yes. It is indeed remarkable what you can do with Sandboxie. I however do run Online Armor ++, and Malware Defender.

    I do have one minor exception. I do have two banking applications that I do thru browsers, and they both require Java. Although I've set it up so Java can run in the Sandbox, and if I go to the Java website all appears okay, these apps just don't like to work sandboxed. So I disable the sandbox and run the browsers under Online Armor's Run Safer (reduces the privileges).

    I run OA for the firewall, and I can occasionally scan a file removed from the sandbox. Nothing AV wise running normally.

    I run Malware Defender for two reasons. One as back up to OA, as I am always running the latest OA betas, and secondly if you want you can set up some tight restrictions with MD.

    Note though back to your basic question. Many times I run both OA and MD in learning mode and don't give it a thought, and that's because of Sandboxie.

    Pete
     
  4. wat0114

    wat0114 Guest

    Hi Sul,

    I'm surprised you would even ask. You are closer to expert in this area than most of us here. Anyway, if I was running your setup I'd have no concerns with it. It's ultra secure. Sorry, need to add I think you must spend more time creating images than doing anything else o_O
     
    Last edited by a moderator: Dec 23, 2009
  5. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    It's quite amazing how flexible and reliable Sandboxie really is. Without doubt SB is the most used, and most stable, non-MS application integrated into my OS. I definitely over-rely on SB for protection (much like in this post). The over-reliance is to the point I rarely use 64-bit at any length - just doesn't feel as safe browsing without Sandboxie.


    Just hope Sandboxie isn't ever specifically targeted by someone seeking glory for cracking it - seems like many have invested a lot of trust in its protection capabilities.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SBIE is not a one stop fix all for everything. Indeed it is very robust, but it does have limitations, notably in installing some new software. Some work in SBIE, some don't.

    Perhaps the title is not as concise as I had hoped. What I mean is that, if you are only using one product, that being SBIE (along with OS stuff), and you are imaging in a somewhat strict manner, what would you see as the fatal flaws or great aspects? With no AV/HIPS etc, is anything not run inside SBIE safe? Hardly, I have to assume. So, you can see in the first post how I have been doing this. What comes to your mind immediately that says 'if THIS happened you would be borked' or 'wow, you wouldn't even have to worry about THAT'?

    @wat0114 - thank you for the kind remarks. You would be correct in the assumption that there is much time spent imaging, and I too would probably think that also, but that is just not the case. I have spent some time initially getting all my settings just so. However, when I restore an image, do remember that EVERYTHING is done in that image. Installed apps (or shortcuts to other drives), tweaks, network settings, bookmarks. It is all just the way I use it everyday.

    My time spent imaging works something like this. I place the last good image in place -time 5 minutes.

    I download what I want, install what I want and in general play. I do have a firewall installed in the image, but it is not normally active unless I am 'playing', and then only to see if the new apps I am trying out are doing anything I don't like. I have a vmWare box that is setup with HIPS so that if I am suspicious I drop it in there to see really what that new app is doing. But most of the time, I try stuff out in SBIE when I can, or try it out in the live OS.

    AFTER I have determined I like some new chess game or whatever, and I want to use it enough to warrant it being on my system all the time, I save the install file to d:, then put my image back in place - time again roughly 5 minutes.

    Once my image is back in place, nothing has changed. I go into d: and run the install, and put the new chess game on, or perhaps I have copied/installed it into the d:\program files directory, then all I have to do is put a shortcut or something in the OS. However I decide to do it, once I have the new 'chess' game ready, I make another image of c: - time about 3 minutes. Now I am good to go. As the occasion calls for it, I put the latest image back on. If there is no need, I just use what I got.

    Maybe I go to a lan party to play some games (it has been known to happen lol), when I come back, before I hook to the LAN in my house, I restore my image - time is 5 minutes. Now my system is re-introduced into my home network in the same state it always is.

    I guess my purpose of this is that I was not really happy with the rollback applications. ShadowDefender (which I use sometimes) is a nice app, but still requires so many reboots and I still cannot install what I want on the real system that requires a reboot. So after lots of imaging in another scheme I was using, I started using my imaging as a sort of pseudo-rollback. I can browse the images, but there is really no need. I decided to just work out a method of placing 'keeper' files and large softwares to someplace other than c: so that the images are small and fast and I don't have to 'remember' to save something before I wipe the c: with an image again.

    Perhaps this is not coming across the way I had intended it. Oh well, someone might get some ideas from it anyway.

    thanks.

    Sul.
     
  7. wat0114

    wat0114 Guest

    Hi Sul,

    What counts is your solution works for you in practice, and sometimes a written procedure appears to be more labor-intensive than it actually is. You no doubt have covered all angles. I have spent a great deal of time, this past year especially, honing my backup skills/procedures to the point where I feel my plan is better than it's ever been. The advice I read on some site to backup to two separate physical locations is something I do religiously. In spite of all the security software I've ever used and placed tremendous importance on, whether it be Sandboxie, firewalls, HIPS, av, I hold image/restore solutions above all of it. I absolutely love to have this solution in place. It allows me to throw caution to the wind when I want to try mucking about with the system, modifying things, experimenting (the best way to learn imo) - with no fear of breaking anything, because a restore puts things right again in mere minutes :).

    The number of people who attempt to clean malware infested machines is astounding. If only they knew how hopelessly desperate that measure (or re-formatting) is as opposed to simply restoring to an unequivocally clean image. Malware cleaners in various forums are very kind people but they should be pushing clients to implement image/restore solutions.

    As for Sandboxie as the only security solution, absolutely no problem. My kid's machines have only SB on them with SRP running in limited accounts. I check things now and again and never see any issues. Their drives are also imaged.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    I might give you a run for your money on imaging. :D I take incrementals every 15 minutes during the day.
     
  9. wat0114

    wat0114 Guest

    LOL, yes, your backup procedures are ISO9000 certified, I'm sure :D
     
  10. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi Sully,

    It's a shame that you couldn't get a copy of the original FD-ISR. I think it would serve you well and you could probably maximize its potential.

    Not sure if you have thought about it but there is malware that can jump into other partitions. Peter2150 wrote about it in the past and tested a partition locking program against it and the locking program failed.

    We had a former member here that was looking into ways to protect his data partitions and while Sandboxie can protect other data areas from things running in it, it may not protect against that chess program that you're testing on C: from jumping in your D: partition. I'm talking about if you were testing programs that weren't sandboxed.

    I'm not sure what the odds of that happening are or how to prevent it, but it's something to think about. When Peter2150 discovered the malware on the D: partition it was not active but it did leave info behind. I hope I remembered that correctly :).

    Edit: changed drive to partition.
     
    Last edited: Dec 24, 2009
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    You sure are about malware jumping drives.

    Sully, missed the part about the chess. What I would do is use the images, install a game on the system and try running in sandboxie as opposed to trying to install it in the sandbox.

    Couple of other alternatives. 1) good VM machine, and 2) if the software doesn't need a reboot to install, Shadow Defender. It will protect all the partitions, and can handle larger disk usage.

    Pete
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I should have said partitions. I will fix it :). However, if malware can jump into other partitions, couldn't they jump into another drive? I honestly don't know and have a hard time wrapping my head around the whole concept of if and how they could run.

    In your test the malware only left bits behind. It was in the FD-ISR forum and you tested the partition locker program that Erik Albert was using at the time.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    That's okay. I should have said you are right about it, and indeed it did jump drives. I don't know if it could run, but it sure blew by the locker programs.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yeah Pete, I do have vmWare, and I do use it when I feel there might be a reason.

    I am wondering, why would you suggest installing the new chess game in the real OS but then running it inside SBIE? Is there a reason you would not just install it into SBIE in the first place?

    Regarding Shadow Defender, you are correct, and that is how I use it, again, when I feel there is a need. I suppose it sort of goes along the lines like this:
    a. item has limited potential to cause havoc (trusted download) - use in real OS.
    b. item is trusted, but nature of item might be a 'dirty' install, install into SBIE
    c. item is questionable, but not overly so, then run Shadow Defender and lose all traces on reboot.
    d. item is unknown, suspect very dirty install or possible havoc, try in vmWare with HIPS to see what may happen

    As far as things 'jumping', I have always thought it might be possible that a writer may target other drives, but unless there is an autorun or the other drive is an OS drive, I don't know that the concern is great to have a piece of virii/malware residing somewhere. I suppose if many people installed software to other drives, writers would start to scan drives and replace dlls or exes, hoping you would launch it from an installed location. This is thus far unhandled in my scheme.

    Thanks for the thoughts, these are exactly what I am seeking -- food for thought.

    Sul.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    Couple of reasons for me. First I see people have problems when they try installing in SBIE, and some stuff simply won't install. But running it in SBIE still protects the system.

    My rule of thumb is if I don't trust something enough to install it the first shot is in a vm machine to see what it does.

    IF I know I am playing with something nasty, I use SD to shadow both my host drives and then play in the VM machine.

    Pete
     
  16. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    I have a similar image routine except as I make changes (settings, program installs, etc.) to the current image I’ll make a dynamic text list that shows what changes I make. That way when I want to make a clean image with the newest changes, I’ll restore the last clean image and make the changes from the text list. I then make a new updated clean image from that. I can go longer between images than I did before. I keep my data and program installers on another drive so my c: is also relatively small. I also do three version daily backups of the other drives/partitions automatically using SyncbackSE.
     
  17. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    I've seen you post this before and that is how I test new programs that I want to keep on my real system.

    The issue that is bothering me is that testing new programs that need to reboot in a VM and/or Sandboxie (I use both) won't necessarily reveal malware that is VM (vmProtect), Sandboxie (anti-Sandboxie), etc. aware. Most times I just leave the program installed in a VM to use and never install into the host anyways. But sometimes I do want to install into the host. I know one solution is to have another pc for just testing, scanning, sniffing suspect or unknown programs/files, but not everyone has an extra pc.

    I've also read about uploading the suspect file to Threat Expert since anti-threat expert scripts are rarely used by malware writers because that method causes detections. But even Threat Expert has a 5Mb file limit so it can't be used on larger files.

    I found another site at Georgia Tech University http://ether.gtisc.gatech.edu/ called Ether that will allow you to upload a suspect packed file to have analyzed on their system. Has anyone else used or know about this service?
     