Sandboxes

Discussion in 'sandboxing & virtualization' started by marthe224, Apr 21, 2006.

Thread Status:
Not open for further replies.
  1. marthe224

    marthe224 Registered Member

    Joined:
    Jul 17, 2005
    Posts:
    45
    Which is the most effective and easiest to use?

    Sandboxie
    Virtual sandbox
    ShadowUser
     
  2. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Depends what you want to achieve - I'd look at Defense Wall
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can't answer your question, but don't decide/buy too quickly.

    A product like ShadowUser (SU) requires some preparation and you should read the recommendations in the manual first, because it isn't just installing SU and using it, like other software.

    1. One of the recommendations is to separate your Operating System from your personal files.
    If you don't know anything about partitioning and have always worked with ONE partition, the famous "C:", then you have to learn how to partition your hard disk. You need at least two partitions to work with SU.
    Some SU-users still use only ONE partition, because they didn't care.

    2. Separating your Operating System from your personal files isn't just partitioning. You have to move certain folders to the second partition. Which folders? How to move them?

    3. There are also recommendations for using harddisk defragmenters.

    So be prepared for SU, because it isn't that simple.
     
    Last edited: Apr 21, 2006
  4. marthe224

    marthe224 Registered Member

    Joined:
    Jul 17, 2005
    Posts:
    45
    Thank you for your speedy reply! I installed the trial version to take a look at it.
    What happens if I do not partition? I do not particularly like the fact that you have to reboot. Have you looked at Sandboxie? I like it but I don't understand how to save a bookmark to my real drive. :eek:
     
  5. satchmo

    satchmo Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    20
    You don't need to partition to use ShadowUser. However, ShadowMode protects the system on a volume basis, so if you partition your system or have multiple hard drives you could have some running in ShadowMode and others not.

    If you have a single partition, then you can specify exclusions on a folder basis and achieve the same effect: the entire hard disk is protected except, for example, "My Documents."
     
  6. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Don't forget to look at ShadowSurfer, it seems to be still available for free, and must be easier to use than the ShadowUser version (no exclusions to deal with, etc).

    Cheers,
    nicM
     
  7. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Like starfish said, it depends on your needs. ShadowUser sandboxes an entire partition (usually C:\), whereas Sandboxie is for individual programs.
     
  8. marthe224

    marthe224 Registered Member

    Joined:
    Jul 17, 2005
    Posts:
    45
    I have tried to exclude certain things in Shadow like My Documents but the add button is greyed out, and I don't know how to save a bookmark in a sandboxed Firefox in Sandboxie to my real drive.
     
  9. satchmo

    satchmo Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    20
    You can set up exclusions and perform other administrative setup such as scheduling in ShadowUser only if you are in standard mode (not in ShadowMode).

    However, you can at any time commit files or folders to the hard disk by using the context menu (right click the file or folder and select commit).
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The final goal of SU is to protect your whole system partition, so that your system partition is CLEAN again after each reboot.
    If you allow changes in the system partition, because you didn't separate your personal files, your system partition becomes more vulnerable.

    If you don't care about that, then use only one partition in spite of the recommendations of SU; it is of course a lot easier to do it this way. Easier isn't always the same as better, you only have quicker results.

    EDIT:
    Between TWO reboots any possible infection can do its evil job, if it has enough time. Keep that in mind.
    Of course, after reboot, all these infections are gone.
    So SU works a little like FD-ISR and RollbackRx, but has only ONE snapshot, while FD-ISR/RollbackRx have more than one snapshot.
    And you can NOT compare SU with Sandboxie or Virtual Sandbox.
     
    Last edited: Apr 21, 2006
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    You keep referring to this possible window of infection between two reboots: I honestly fail to see your logic - rebooting from shadow mode into standard mode or rebooting from shadow mode into shadow mode - takes around one minute on my system.

    Hardly the time to do anything, and even if one could, what if I may ask? The virtual volume is deleted and anything in it good or bad has no chance to affect anything.

    The only danger is if you commit or save anything to an excluded file, and if a virus is saved with it, only then it could execute within your 'real' drive.

    Your approach denies the need of an antivirus, IMO in this particular case it is absolutely necessary to have one.

    The other day, somebody gave me a slide presentation on CD to check with my computer. I had it in shadow mode, and as soon as the CD rom was allowed to run, NOD32 instantly flagged a trojan. I did run the CD in shadow mode anyway but I didn't save the presentation as I originally planned.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Osaban,
    If you boot in ShadowMode at 9:00 AM your system partition will be clean.
    You work 8 hours on your computer (surfing, downloading, ...) and you shutdown at 5:00 PM.
    Although you are all the time in ShadowMode, your computer can be infected during these 8 hours and it's possible that these threats can do their evil job during these 8 hours, if you don't have any other protection.
    Am I right so far?
    Of course if you have additional protection they will probably stop these infections from doing their evil job.

    In other words, SU doesn't really protect you, it just gives you a clean snapshot after reboot.
    FD-ISR, Rollback, DeepFreeze and any image restore do basically the same thing only the method is different.
    The only difference is ONE or MORE snapshots and that gives you other possibilities, but no protection.

    My problem is that I still need the classical security software to protect my computer and that's bothering me, while it doesn't bother you. That's the difference between you and me.
    I only have ONE MORE piece of software with products like SU, FD-ISR, etc., and that's not what I want, I want FEWER security programs. :)
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Erik

    Assuming the computer you are building is something more than a Pentium III, you should be building something with enough power to reasonably take you into the future. You have been wandering around these forums with this "problem" for quite a while.

    Build your machine, test SU, FDISR, Rollback, and pick one. Then pick several of the classic AVs or HIPS (your choice), test them, and pick one. Then get on with life.

    This isn't life's biggest problem.

    Pete
     
  14. rickibm

    rickibm Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    6
    You might want to take a look at a new product being introduced that is in beta testing. Go to http://www.computersinmotion.com and check out their product called SafePods.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's the kind of software I'm looking for. No AV/AS/AT/AK scanners, no HIPS, no firewall(?), no definition updates.
    I only wish it were true, or is it true o_O
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    It's just another sandbox product for IE. Might be good, but again no way I'd depend on it alone. If it leaks??
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes it could leak, BUT ...
    1. there is no proof of it, yet.
    2. AV/AS/AT/AK scanners don't detect/remove everything, so they are leaking too, and that has been proven in the past.
    3. Firewalls aren't foolproof either, I still remember the article "Firewalls are made of straw."
    4. HIPS depends highly on the user's knowledge, and these users are leaking too.

    It seems to me that these sandbox programs have never been tested seriously; they just ignore them as a possible alternative.
    "Oh it's a sandbox, it cannot be good. It's new and everything that is new, cannot be trusted."

    The classical software however is generally accepted, including its regular mistakes.
    Do sandboxes really have so many more leaks than classical software?
    I would like to see some scientific proof of this. :)
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    I tested Sandboxie, and it seemed okay, until it had a conflict with my system. It turned out that all the "sandboxed" files were kept in a hidden directory under Documents and Settings, and were easily accessed. That certainly doesn't in my mind represent a secure alternative. I haven't looked at Sandboxie recently, but I don't see it offering anything over Rollback and/or FDISR.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    FD-ISR and RollbackRx don't protect you against malware doing its evil job.
    They just put your system back in a healthy state. That's not the same, because between two healthy states malware can do what it wants, unless you have additional security software to stop it.

    Sandboxes are supposed to prevent the execution of malware in your real system.
    Of course there are sandboxes and sandboxes, just like there are AVs and AVs; one is better programmed than the other, but that is common to all software.
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Maybe you should have bothered looking at some documentation first, 'cause that's how it works: every registry and file write goes to "Documents and Settings\[user]\Application data\Sandbox" (and subdirectories) instead of going directly to the real system location. You can then terminate the sandboxed application and flush all the data, and your system is exactly like it was before.

    As for being "easily accessed", they are being "easily accessed" only by applications that are not sandboxed. Since these should represent the trusted applications, why should that bother you?
     
    Last edited: Apr 24, 2006
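    The redirection described in the two posts above (sandboxed writes land in a box folder the real system can still see, excluded folders are written for real, commit copies a file out, flush discards the rest) as a small Python model. This is an added illustration, not Sandboxie's or ShadowUser's code; the class name, folder layout and sample files are constructed for the demo.

```python
from pathlib import Path
import shutil, tempfile

class RedirectSandbox:
    """Toy model (assumption, not either product's code): sandboxed writes land under
    box_root, reads fall through to real_root, excluded folders bypass the box."""
    def __init__(self, real_root, box_root, excluded=()):
        self.real, self.box = Path(real_root), Path(box_root)
        self.excluded = tuple(Path(e) for e in excluded)
    def _excluded(self, rel):
        rel = Path(rel)
        return any(rel == e or e in rel.parents for e in self.excluded)
    def write(self, rel, data):
        base = self.real if self._excluded(rel) else self.box  # exclusion = direct write
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(data)
        return target
    def read(self, rel):
        for base in (self.box, self.real):  # the box copy shadows the real file while it exists
            if (base / rel).is_file():
                return (base / rel).read_text()
        raise FileNotFoundError(rel)
    def commit(self, rel):  # the explicit "commit" from the context menu
        dst = self.real / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(self.box / rel, dst)
    def discard(self):  # terminate-and-flush, or rebooting out of ShadowMode
        shutil.rmtree(self.box, ignore_errors=True)
        self.box.mkdir(parents=True, exist_ok=True)

def demo():
    tmp = Path(tempfile.mkdtemp())
    real, box = tmp / "real", tmp / "box"
    (real / "Windows").mkdir(parents=True)
    (real / "Windows" / "hosts").write_text("127.0.0.1 localhost\n")  # constructed system file
    sb = RedirectSandbox(real, box, excluded=["My Documents"])
    sb.write("Windows/hosts", "0.0.0.0 evil\n")        # a sandboxed app tampers with hosts
    sb.write("My Documents/bookmark.txt", "wilders")    # excluded folder: written for real
    sb.write("Downloads/report.txt", "ok")
    sb.commit("Downloads/report.txt")                   # the user chose to keep this one
    during = (sb.read("Windows/hosts"), (real / "Windows" / "hosts").read_text(),
              (box / "Windows" / "hosts").is_file())    # the box is a plain folder the host can see
    sb.discard()
    return {"view_during": during[0], "real_during": during[1], "box_visible": during[2],
            "real_after": sb.read("Windows/hosts"),
            "bookmark_kept": (real / "My Documents" / "bookmark.txt").is_file(),
            "report_kept": (real / "Downloads" / "report.txt").read_text()}
```

    The model also shows the risk Osaban raises: the only way a change escapes the box is an exclusion or a commit, so those are the paths that need scanning.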
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    I did read it, and I did know it, and yes it can be flushed. But the point is there are no special protections and privileges. For normal use that is probably fine, but for higher risk uses, I just am not sure I'd trust it as much as other solutions.
     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    There are special protections and privileges. First of all, it blocks anything from going kernel level, so it can't be terminated from within the sandbox. Second, it won't allow anything in the sandbox to be written to the actual system. Sure, it does not protect from READING, just from writing to the system. I've tried Sandboxie with a lot of actual malware, and it never failed. Sure, it might have some problems, just none that I'm aware of.

    Such as?
     
  23. EASTER.2010

    EASTER.2010 Guest

    Personally I use ShadowSurfer; at least it's on call when I decide to use it, which is very rarely, but adequate enough for my own needs I think.
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What I want is a replacement for all AV/AS/AT/AK scanners and if possible also HIPS.
    My knowledge is too poor to be sure that sandbox software is at least equal to or better than the classical solutions.
    They don't need to offer 100% protection, because that doesn't exist.
    I only want less security software on my computer and sandbox software could make that possible.

    I know already that scanners and "HIPS without sufficient knowledge" aren't good enough.
    What about sandbox software? Nobody takes it seriously and it was never tested versus classical solutions, and that's what's bothering me. Sandbox software never got a fair chance to prove itself.
    I want some scientific proof of this, done by security experts, not personal user opinions; these are worthless to me. :)

    If I were a security expert, I would use all my knowledge to prove that sandbox software isn't good enough to replace classical solutions. If I wasn't able to prove this, sandbox software might be a good alternative solution.
     
    Last edited: Apr 24, 2006
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    I have tried Sandboxie and ShadowSurfer / User.
    Sandboxie had some compatibility issues and was less intuitive than the other two. Furthermore, Sandboxie does not protect the whole system.
    I'd say go for ShadowUser.
    Mrk
     