Sandboxie 3.39.02 BETA released!

Discussion in 'sandboxing & virtualization' started by ssj100, Jul 26, 2009.

Thread Status:
Not open for further replies.
  1. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Even if a particular malware were to be able to partially bypass Sandboxie, it'd still be constrained by the policy restrictions in place for that sandbox; anything further is purely hypothetical.
     
  2. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    You could always use a behaviour blocker as a safety net just in case. I've used ThreatFire in the past and it's as quiet as a baby. Never gave me one pop-up.
     
  3. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Like I said, just Sandboxie with router firewall; on occasion I fire up Returnil if kids come in, as they are click-happy, but on my own just Sandboxie for more than a year without any hiccup.
    Net result: no conflicts, no drag, my systems just fly! ;)
     
  4. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    I've been without system realtime AV for about a year, only using the WebGuard of Avira.
    For the time being I am also using Defense+, because I must go into some known risky situations, but I am looking to go totally blacklist-free, at least for realtime.
    Returnil for the kids, young and old, does seem appealing also.
    I agree that the system drag from any realtime AV (including BBs) is really annoying.
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    There's something called autorun.inf which enables programs from USB drives to autorun the moment the USB is plugged in. You need to disable this on your PC.
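    As an added illustration of the setting this post refers to (not part of the original thread): a PowerShell check that reads the documented NoDriveTypeAutoRun policy value and reports, per drive type, whether AutoRun is still enabled. The key paths and bit meanings are the standard Windows ones; the commented-out lines at the end show the hardening value 0xFF, which disables AutoRun for every drive type.

```powershell
# Added example: audit the NoDriveTypeAutoRun policy bitmask (machine and user scope).
# A set bit disables AutoRun for that drive type; 0xFF disables it for all types.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Bit meanings of NoDriveTypeAutoRun (documented Windows drive-type bits)
$driveBits = [ordered]@{
    0x01 = 'Unknown (no root directory)'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Unknown (reserved)'
}

function Get-AutoRunPolicy {
    # Returns the DWORD value, or $null when the policy is not set at this scope.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

foreach ($p in $paths) {
    $value = Get-AutoRunPolicy -Path $p
    if ($null -eq $value) {
        Write-Output "$p : NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $p, $value)
    foreach ($bit in $driveBits.Keys) {
        # Removable media is the case the post is about; flag anything still enabled.
        $state = if ($value -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("    {0,-36} AutoRun {1}" -f $driveBits[$bit], $state)
    }
}

# To disable AutoRun for every drive type machine-wide (run elevated):
# New-Item -Path $paths[0] -Force | Out-Null
# Set-ItemProperty -Path $paths[0] -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```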
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    By policy restrictions I assume you mean run/internet access restrictions, right? If so, how would malware be able to bypass a sandbox if it couldn't run in the first place?
     
  7. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    As this is OT, remind me to PM you the answer.

    How has Defense+ "saved" me?
    I will share the most recent silly joke.

    Some of my users like the GOMPlayer, a Korean "freeware" media player.
    I have used this media player and I trusted it, so whenever I did an install, I set CIS to "Installation Mode", and of course, the installation script did its job.

    After reading about sneaky install scripts, I decided to watch all the pop-ups that Defense+ issued.
    Lo and behold, Defense+ reported that the GOMPlayer installation script was trying to run an ASKTOOLBARINSTALLCHECKER.EXE, which in turn tried to connect to some server...
    Note that there is no option in the GOMPlayer installation to run an Ask Toolbar checker...
    I just found it somewhat ironic, and rather amusing, that CIS has been attacked for its Ask connections, yet it warned me about the GOMPlayer install script's behavior...

    Anyone is free to check this by downloading the GOMPlayer from here: http://www.gomlab.com/eng/
     
  8. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    How does this work anyway? The entire drive is sandboxed? So if there is malware on it which autoruns, it will execute inside the same sandbox which is sandboxing the drive? Unless you have run access denied, of course? In which case it won't be able to run unless you personally remove it from the sandbox, right?
     
  9. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Well, the term 'bypass' is actually one I'm not entirely in agreement with, but I used it within the context of the discussion. The POC in question slipped through a loophole rather than bypassed SBIE's protection, and in no way compromised that protection, so it's correct that you say that an actual bypass is a different proposition given a well-configured sandbox.
     
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So wait, are you saying that the POC was able to slip through a loophole in SBIE, in spite of run/internet access being restricted to the browser and only the browser?
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    No, the POC was deliberately allowed to run in this case; had the sandbox been configured to only allow the browser it couldn't have. The run/internet access restriction within SBIE was just mentioned by ssj100 as a good general security policy.

    What I'm saying is that, having been allowed to run, it was able to interact with the 'real' system. However, this wasn't a case of something able to circumvent the protection, since the interaction was outside of the SBIE remit. Had the POC been able to modify a system file or create an autorun that remained upon deleting the sandbox, then this would have been a true bypass. The loophole is that something of inconvenience to the user, although not damaging, was allowed to occur.
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    No, he can't use a behavior blocker like ThreatFire, for the very same reason he uninstalled D+ and Avira. Because of this conflict issue, ThreatFire will probably conflict with Sandboxie as well.

    At the moment you can't have any other security software installed with Sandboxie, or rather very limited options.
     
  13. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Does DefenseWall conflict with SBIE?

    Edit: what about Shadow Defender?
     
  14. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I thought the conflict was between SBIE and Defense+? Was there a conflict with Avira as well?
     
  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Build 3.39.03 resolves the problem with Malware Defender + htaab/htaac.
     
  16. wat0114

    wat0114 Guest

    You did a nice job of not only bringing up the issue in the SB forum, but also for persevering when doubt was expressed against your claim. With some nifty detective work contributed by nick s, the two of you helped spearhead a fix :thumb:
     
  17. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hey ssj, can you explain to me exactly what it was that caused the conflict, to put my mind at ease? Also, did the conflict exist with both the paid and free versions of Avira?

    EDIT: I can understand a conflict with a HIPS product, but I can't see how SBIE could conflict with an AV? It just doesn't make sense to me.
     
    Last edited: Aug 4, 2009
  18. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Alright, thanks for that ssj100! :thumb:
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    With Tzuk now preventing sandboxed programs from interacting and communicating with other programs outside of the sandbox, Sandboxie is becoming more POWERFUL than ever.

    Now we are just waiting on Tzuk to block the method RegTest is using.
     
  20. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Arran,

    And what method might that be?
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I don't know, I am not a programmer, but it is the method the RegTest part 2 test is currently using to bypass Sandboxie. http://www.ghostsecurity.com/registrytest/
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Build 3.39.04 now blocks regtest's ability to crash, terminate, or diminish the functionality of Windows Explorer.
     
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Thanks nick for the confirmation. Other than fine tuning, Tzuk's work is done, until another POC turns up lol.

    I'm still gonna be using MD though for system-wide protection, and to control the behavior of apps running outside of the sandbox, and also to help Sandboxie control the behavior of programs running inside of the sandbox. And for file and folder rules MD is a must have.
     
  24. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Could you possibly read and make a comment over on this thread in respect to posts #13, #14 & #17, as I'm seeing that Prevx isn't scanning sandboxed executables as I'd expect it to. It may be a configuration within Sandboxie I need to make, but I'm unsure about that.
     
  25. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    You're welcome. The only side effects of Sandboxie blocking regtest are (1) some exposed hidden windows and (2) high CPU usage by the regtest.exe process until it is terminated.

    ...and so will I for the same reasons ;).
     