Sandbox testing

http://news.yahoo.com/s/infoworld/20080930/tc_infoworld/111070;_ylt=Al48NA.G1A0D8GuNv9XIJ_yDzdAF

Thoughts?

I thought Sandboxie, and especially Defensewall, were essentially impenetrable.

 

This tester rated Prevx as his favorite but states; "On just the fifth malware Web site, a password-stealing Trojan was able to infect the test system." What do you think the Sandboxie forum would look like if every fifth site allowed something out of the sandbox? He also states; "Sandboxie didn't prevent the clipboard hijack, and it did not remove all remnants of the XP Antivirus malware program when I told it to delete everything." I had no problem deleting everything in the XP Antivirus test, both with auto delete and no auto delete, so I don't know where that is coming from. As far as the clipboard, Sandboxie doesn't sandbox the clipboard cause what effect would that have - it would still be text. But there is no harm as anything pasted would be in a sandboxed address field anyway.

 

Tested heaps of rogues sandboxed, including XP Antivirus, with Sandboxie not having a problem containing, terminating and deleting all comers so far.

Can't understand what the author of the article means by:

 

hahaha I missed that comment Franklin, good post.

 

pete, relax, we know sandboxie thwarts all

 

But NOT the heartbreak of psoriasis.

 

hey bellgamin gimme a chance, im still relatively young at 34 - right about now there are about a billion things to kill me, all the while telling me I have just the one life - give them a chance to catch up to me - I know they catch up

 

If it's any consolation to the infection we missed, detection was added automatically for it by our Community Database about 30 minutes after the test took place. If he was to rescan, we would have then detected/cleaned/blocked it.

 

good try but ids vs virtualization= nill

 

Yes, it is clear that a full virtualization solution will prevent anything from changing the underlying system, but how many "normal", non-techy users can actually use a virtualization solution?

For instance, my mother could definitely not use a virtualization program, a virtual machine, or UAC for that matter. They are just far too difficult to use by a non-experienced person who just wants to use a computer and assume that everything just "works".

 

That is true, that is why solutions like Threatfire and PrevX excel.

Regarding UAC and the perceived virtualisation of DefenseWall: it is an non techie implementation of internet faced programs security with policy management. It also works seamless (only requires a change of status to trusted to install software) in a way it is install and forget. It is also the only sandbox type application which works out of the box with Digital Rights Management. As a matter of fact my mother of 75 uses it with no problems at all (I did the installation of DW on her PC).

 

I agree with Kees.
I've got Mrs. Click nicely tucked in with DW. I also have Returnil because I don't want all the garbage that she downloads to stay on the machine.
She would give permissions to Satan himself.
Hugger

 

LOL,I have mrs click as well that will click anything, if it had flashing banners saying please click here she would be all over it. Before My mrs happy click gets use I fire up Returnil.

 

For those who are interested,

The direct and original links that Drew99GT was referring to can be found below.

http://www.infoworld.com/article/08/09/30/40TC-sandbox-security_1.html (Test Center: Sandbox security versus the evil Web)
http://www.infoworld.com/article/08/09/30/40TC-sandbox-exploits_1.html (Two tenacious exploits debunk vendor claims)


Peace & Gratitude,

CogitoErgoSum

 

Just as an OT side note, I always prefer to used and give those kinda links

http://www.infoworld.com/archives/e...article/08/09/30/40TC-sandbox-exploits_1.html
http://www.infoworld.com/archives/e...article/08/09/30/40TC-sandbox-security_1.html

when referencing those otherwise slow loading mags' pages full of multimedia fluff...

 

it seems to me the reviewer was comparing apples to oranges... a sandbox is malware agnostic... the fact that a bunch of the tools he looked at identified things as malicious points to the fact that they have additional functionality built in besides just sandboxing... additional protection is good, but if you're going to review sandboxing software you should stick to the sandbox functionality...

nothing is impenetrable... if you start believing something is then you'll get careless and quite possibly pwned...

 

Specifically, does anyone have anything to say about the 2 exploits that Sandboxie missed; Adobe Flash clipboard hijack and the XP Antivirus malware program?

 

Quote Mitch:

Quote Franklin:

 

I addressed it in my earlier post. I can not reproduce his findings on the malware program.

 

i dont have a screen shot for it but sandboxie blocks the antivirus2009 very easy with no problems and nothing to scape the sandbox
so confident that i use sandboxie for testing malware insted of returnil or vm,thats me.

 

Tzuk answers the clipboard "exploit" here; http://sandboxie.com/phpbb/viewtopic.php?p=26999#26999

 

I tested Antivirus 2009 a while back in sandboxie it did show the program tray icon running on the task which was a concern at first but after the termination and deletion of the contents there where No remants on my system.Sandboxied passed with out a doubt.

 

the icon you saw was a virtual icon not real after deleting the sandbox is gone as the wind

 

My tests of SBIE vs. Antivirus2009 had the same results as those stated by djohn: The tray icon remained there until I passed the muose over it and then it dissapeared (no click needed, just pass the pointer over the icon). Otherwise, nothing at all stayed in my real system.