Running an anti-virus in a sandbox

Discussion in 'sandboxing & virtualization' started by fred128, Dec 23, 2006.

Thread Status:
Not open for further replies.
  1. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    It just dawned on me that if you run your browser in sandboxie plus run your anti-virus in the same sandbox, you are probably protecting yourself from keylogging programs that might get in. Am I off base on this?
     
  2. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    You should run the antivirus outside the sandbox. I tried the eicar sample inside sandboxie and my antivirus worked perfectly.
    Also it's a good idea to run a firewall with good outbound protection.
     
  3. EASTER.2010

    EASTER.2010 Guest

    Good advice ggf31416

    I tried a series of SandBoxes and they all have their own advantages, my preference relying on ShadowSurfer personally. All security programs are quite on-duty outside SANDBOXED for anything even if something did happen to manage to circumvent the safety box, which I've yet to experience.

    As mentioned keep a "LIVE" dependable firewall active and if you have a HIPS that can "keep process in memory" like System Safety Monitor offers, there's an extra bonus that if the firewall got thumped it would immediately restart again and again indefinitely, and that's enough to ward off a serious intrusion looking to drop mal files to spread in your system.
     
  4. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    I downloaded the eicar test virus in sandboxie, and my aol kav6 (oh no, aol) file protection caught it immediately. Even though the virus was in a sandbox, it was still written to a file and, hence, my av's response. Even if possible, I don't see the advantages of running an av inside of a sandbox.
     
  5. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    With the AntiVir's Guard page open, you can watch as it scans files that are opened inside my BufferZone protected Internet Explorer.

    Not only unnecessary but likely impossible to install within the 'box' as it would need to install files 'outside the box'.

    I had to go outside the 'box' to install the latest Direct-X.
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,186
    Security software needs to have access to your system. As has been told about updates, modifications.
    Such software should not conflict with each other. That is why it is not a good idea to run AV inside a sandbox.

    It is a good idea to run software having the firstmost access to malware, like browsers, email clients, testing software, etc. inside a sandbox.

    Talking only of a relatively short experience. I have no problems running Firefox and Thunderbird inside Sandboxie. One has to remember to update those programs running outside sandbox though when getting prompted and when making other permanent changes, that can be a minor inconvenience.
     
  7. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Hello Jarmo, what you say is true about 'sandboxes' the likes of Bufferzone, but does not apply to ShadowUser / Surfer which Easter.2010 mentioned.
    ShadowUser takes care of an entire disk and everything there is into it, replicating it on disk and working from that, so that when you reboot or disable SU everything is gone and vanished for keeps.
    In this case you can just as well operate all the programs you have in this special 'sandbox', which is really a replica of a disk or partition, to good effect and I can't see anything wrong running an antivirus, HIPS or antitrojan in such a state: antiviruses like Avast or Antivir, HIPS like ProSecurity or SSM, antitrojan progs like BOClean won't slow down your system too much, to the point I successfully ran all of these on pcs with only 256MB RAM or less, and ShadowUser eats a negligible amount of resources: more security.
     
  8. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Actually, Bufferzone has a mode called 'Bufferzone Desktop' whereas everything accessed or run is done so in the virtual environment, which to me does the same as ShadowUser. I've done a few simple tests such as moving/deleting files, etc. and everything was returned back to normal. As for running security programs in the virtual zone, I feel it is unnecessary. Just clean the 'Zone' before any 'Important Online Activities' are done.
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,186
    That is the same as with Sandboxie too. It makes a 'virtual' copy with desktop and other filesystem needed and registry for those sandboxed programs. Their normal install should be protected and also other access they have to our real system.

    It leaves of course this possibility that the AV scans all also in that virtual area in real time from the operating system and if malware somehow manages to corrupt AV & then OP system by AV's scan, this thing cannot be protected by Sandboxie.
    But it is a pretty strong protection in my opinion that Sandboxie has. And also flexible.

    The sandbox type of HIPS in my opinion is providing system protection and not so much as the original poster asked against keyloggers installed and running while the sandbox is not cleared. Or what other that malware does inside the sandbox with the limited privacy break it is allowed. Other kind of HIPS are suited against that kind of privacy protection better. But once the sandbox is cleared, the malware is also gone.

    What I like about Sandboxie is that it does not take any CPU noticeable and it is thus light to run.
    Memorywise too. It has a lot of appeal, but does not cover everything in windows security.
    Mainly it covers the system protection more than other security programs can, excluding other sandboxes of its kind I have not tested.

    EDIT
    A test I consider quite reliable about various hips and sandbox software can be found in this site:
    http://www.av-comparatives.org/
    Click 'Comparatives' on left and scroll down the page and then the link 'Comparative of various protection tools October 2006'.
     
    Last edited: Dec 25, 2006
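The thread's recurring point (Jarmo P's description of the virtual copy of the filesystem, steve161's observation that a sandboxed download is still written to a real file the AV sees, and "once the sandbox is cleared, the malware is also gone") can be made concrete with a toy model. The block below is an added illustration written for this page; it is not Sandboxie's, BufferZone's or any vendor's code. It assumes a copy-on-write layout in which writes from a sandboxed program are redirected under a box directory while reads fall through to the host copy, a hypothetical `on_access_scan` stands in for an AV running outside the box, and the detection "signature" is a constructed marker string, not a real one.

```python
"""Toy copy-on-write sandbox filesystem (added illustration, not a vendor's code).

Models three things the thread discusses:
  * writes from a sandboxed program land under a box directory, never on the host copy;
  * those writes are still real bytes on disk, so an on-access scanner running
    outside the sandbox sees them (steve161's EICAR observation);
  * clearing the box removes everything that was dropped there.
"""
import shutil
import tempfile
from pathlib import Path


class SandboxFs:
    """Copy-on-write view: reads fall through to host_root, writes go to box_root."""

    def __init__(self, host_root: Path, box_root: Path) -> None:
        self.host_root = Path(host_root)
        self.box_root = Path(box_root)
        self.box_root.mkdir(parents=True, exist_ok=True)

    def _boxed(self, rel: str) -> Path:
        # Redirection rule: any path the sandboxed program names maps under the box.
        return self.box_root / rel

    def read(self, rel: str) -> bytes:
        boxed = self._boxed(rel)
        if boxed.exists():          # program already 'modified' it: serve the box copy
            return boxed.read_bytes()
        return (self.host_root / rel).read_bytes()   # otherwise fall through to host

    def write(self, rel: str, data: bytes) -> Path:
        boxed = self._boxed(rel)
        boxed.parent.mkdir(parents=True, exist_ok=True)
        boxed.write_bytes(data)     # the host copy is never touched
        return boxed                # the real on-disk location of the write

    def clear(self) -> None:
        """'Delete contents' of the box: everything the program dropped is gone."""
        shutil.rmtree(self.box_root)
        self.box_root.mkdir(parents=True)


def on_access_scan(path: Path, signatures) -> bool:
    """Stand-in for an AV's real-time scanner running OUTSIDE the sandbox.

    It scans whatever lands on the real disk, box directory included, which is
    why a sandboxed download still trips the scanner. (Hypothetical helper.)
    """
    data = path.read_bytes()
    return any(sig in data for sig in signatures)


def demo() -> dict:
    """Run the scenario in a temp dir and report each property as a bool."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "drive_C"
        box = Path(tmp) / "Sandbox" / "DefaultBox" / "drive" / "C"   # constructed layout
        host.mkdir(parents=True)
        (host / "hosts.txt").write_bytes(b"127.0.0.1 localhost\n")

        fs = SandboxFs(host, box)
        marker = b"CONSTRUCTED-TEST-MARKER"   # constructed signature, not a real one

        # A sandboxed browser 'downloads' a file and 'edits' a system file.
        dropped = fs.write("Downloads/dropper.bin", b"header " + marker)
        fs.write("hosts.txt", b"0.0.0.0 example.invalid\n")

        result = {
            "host_copy_untouched": (host / "hosts.txt").read_bytes() == b"127.0.0.1 localhost\n",
            "sandboxed_view_sees_edit": fs.read("hosts.txt") == b"0.0.0.0 example.invalid\n",
            "write_landed_under_box": box in dropped.parents,
            "scanner_outside_box_detects": on_access_scan(dropped, [marker]),
        }
        fs.clear()
        result["gone_after_clear"] = not dropped.exists() and not (box / "hosts.txt").exists()
        return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model also makes Jarmo P's caveat visible: the scanner reads the box copy from the real operating system, so the sandbox isolates the program's writes, not the scanner's own handling of them.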