Returnil or Sandboxie

Discussion in 'sandboxing & virtualization' started by trjam, Dec 6, 2007.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Trying to decide which is the most logical way to proceed.

    Returnil - based on my setup I still need an AV for scanning emails since I choose to save them. Clean system on reboot, and the only entry point is literally if my AV doesn't catch something in my email. A little more time consuming because of scheduling updates, but it protects the entire PC.

    Sandboxie - covers my web browsing, but again, I need an AV to protect my emails. I cannot sandbox Outlook due to my DSL login popping up. Tzuk is aware of this. Updates can go off as planned.

    It really seems like a toss-up no matter which I choose, and I will still need an AV, which is not a big deal. Frustration, frustration. Either way, I think I am fairly secure. Advice? o_O
     
  2. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    Don't open email attachments, don't click on any links, and only read email in text mode. Your email won't be a concern, then. Scanning emails is unnecessary overhead.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    TRJAM,

    GeSWall or DefenseWall will do the job. Since your e-mails are untrusted they could do very little harm (you can add the default directories of your stored e-mail as untrusted). They would also protect you when surfing.

    Regards Kees
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Good thought, Kees :thumb:
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    My initial reaction to your question was.... Both. I use them together, and it's a good combo.

    Pete
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I use Sandboxie in a frozen mode constantly, not with Returnil but with FDISR, and until now both are working properly, but I'm not a long-time user of Sandboxie (less than one month).
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    And how does this relate to the topic of this thread? o_O
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Returnil also has a frozen mode, just like FDISR. Sandboxie seems to survive in a frozen mode, at least until now.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Peter,

    Could you explain in what situations you would use both? I have played with SafeSpace and you can define some setups (virtualise all except one directory, virtualise OS + program directories only). Since Chris (TiddyUp) will even help you set up a policy sandbox (like GeSWall), you have three options: policy + light virtualisation, Sandboxie-like virtualisation and Returnil/PowerShadow-like virtualisation.

    Regards Kees
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Well, my thread, and the answer is both and nothing else. I am a tad bit slower than you guys, but after a couple of days I found the 2 are all I need. Once a month an online scanner to check.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I use Sandboxie mainly to protect my data partition [D:], and the extra bonus is that Sandboxie isolates objects downloaded via Firefox in my system partition [C:]. I assume that malware can't do much harm in a sandbox, at least that's what I hope.

    What Sandboxie doesn't tell me is which downloaded objects are good or bad.
    So I can still store a bad object in my data partition, which is a problem, unless I verify them. Even legit downloaded objects can be modified by the bad guys, and that has happened in the past.

    How am I going to verify downloaded objects? Using scanners with incomplete signatures? Or something like VirusTotal?
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi trjam, I'm not familiar with Outlook, but can you download your emails first without Sandboxie, then close Outlook? Now reopen Outlook in Sandboxie, don't connect to the server, and check your 'pre-downloaded' emails while sandboxed? Sorry if I'm missing something or way off base.

    FWIW, I use Sandboxie daily, and when I'm doing risky things I also fire up Returnil. I also still use Online Armor 2 and Avira. They all seem very light and play well together (for me). I also scan everything I download with 3 scanners, and when I'm not familiar with a program or their company, I send the file to VirusTotal or Jotti. I don't mind all the scanning because after I execute the program, it could be too late.

    Your AV should also be able to reach into the sandbox to snatch a nasty if necessary. There was a post about it here in the past, and I was told that anti-viruses operate at a lower level than the sandbox.

    You really wouldn't need an anti-whatever, but I've noticed that patches and updates seem to come in swarms. When you get them, you have to be un-sandboxed and un-virtualized. It's good to have some kind of backup protection during these periods.

    Good luck,
    innerpeace
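Posts 11 and 12 both come down to the same question: how do you tell whether a downloaded file is the one the publisher actually shipped before you move it onto the data partition or run it un-sandboxed? The scanner / VirusTotal step answers "is it known-bad"; the check below answers the narrower "is it the same bytes the publisher hashed". This is an added example, not code from any of the posters or from Sandboxie, Returnil or VirusTotal. It computes a file's SHA-256, parses a coreutils-style `SHA256SUMS` list, and compares in constant time. The file names, file contents and checksum lines are constructed for the example. One caveat worth keeping in mind: a checksum list fetched from the same server as the download only catches corruption or a swap of one of the two; against a compromised mirror you need a checksum obtained over a separate channel or a real signature (PGP, Authenticode).

```python
import hashlib
import hmac
import os
import re
import tempfile

# 64 lowercase/uppercase hex digits is the only thing we accept as a SHA-256.
_HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers don't get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text):
    """Parse 'SHA256SUMS'-style lines: '<hex>  <name>' or '<hex> *<name>' (binary-mode marker).

    Malformed lines (bad digest length, missing name, comments) are skipped rather than
    trusted, so a garbled list can never produce a false 'ok'.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if not _HEX_SHA256.match(digest):
            continue
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, checksums):
    """Return 'ok', 'MISMATCH', or 'no checksum published' for one downloaded file."""
    name = os.path.basename(path)
    if name not in checksums:
        # Absence is not success: an attacker who controls the list can simply omit a file.
        return "no checksum published"
    actual = sha256_file(path)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return "ok" if hmac.compare_digest(actual, checksums[name]) else "MISMATCH"


def demo():
    """Constructed scenario: one intact download, one tampered download, one unlisted file."""
    good_bytes = b"MZ constructed installer bytes (example only)"
    original_zip = b"PK constructed archive bytes (example only)"
    tampered_zip = original_zip + b" + appended payload"

    # What the publisher would have hashed and put on their download page (constructed here).
    published = "\n".join([
        "# SHA256SUMS (constructed for this example)",
        hashlib.sha256(good_bytes).hexdigest() + "  tool-1.0-setup.exe",
        hashlib.sha256(original_zip).hexdigest() + " *tool-1.0-plugin.zip",
        "deadbeef  not-a-real-digest.bin",  # too short: must be ignored
    ])
    sums = parse_checksums(published)

    with tempfile.TemporaryDirectory() as d:
        files = {
            "tool-1.0-setup.exe": good_bytes,      # arrives intact
            "tool-1.0-plugin.zip": tampered_zip,   # modified in transit / on a mirror
            "readme.txt": b"hello",                # publisher listed no hash for it
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return {name: verify_download(os.path.join(d, name), sums) for name in files}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:>22}  {name}")
```

Treat `MISMATCH` and `no checksum published` the same way in practice: the file stays in the sandbox or gets deleted, and it certainly does not go onto D:. A match only tells you the bytes are what the publisher hashed; whether the publisher's own build was clean is a separate question, which is where the multi-scanner and VirusTotal checks in the post above still earn their keep.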
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    You took the words out of my mouth re both uses. What I do with respect to Outlook email is treat it outside the sandbox. If something is suspicious and I don't care, I delete. If I care, I still delete, but then go to my email ISP via web mail. Outlook instructs the server to keep mail for two days. By going via web mail, I am in my browser, hence sandboxed. Then I can look to my heart's content and am safe.

    Pete
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Same page here.

    I never run SandboxIE without also running either Power Shadow or Returnil. You likely notice I'm one of those PS holdouts that still cling to that one because it's so darn light but stable, with zero delays each and every boot.

    I don't think it gets any better than this, except to add a solid HIPS, only if you don't mind spending a few extra moments occasionally to add new rules and such.

    In any FD-ISR snapshot which also has a duplicate archive waiting in the wings (if needed), with EQSecure (HIPS) + SandboxIE both covered by Power Shadow or, more profoundly these days, Returnil....... leaktests, viruses, proof-of-concept malwares, rootkits; you name it, they are all but H.I.S.T.O.R.Y. :cool:
     