Sandboxie 64 alternative?

Discussion in 'sandboxing & virtualization' started by Serapis, Mar 4, 2010.

Thread Status:
Not open for further replies.
  1. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Ive read the notes on 64 sandboxie and that got me a little nervous in terms of how well it'll hold up in the wild. Is it enough if I turn start/run and LUA on? what if a malicious flash ad is encountered, will this be enough or do I need something as backstop?

    If not I was thinking about some alternatives; Returnil free is bloated and could screw up the partition if auto defrag is on, also it won't protect my recovery partition. So that only leaves Shadow defender (lifetime license seems good)... Is Shadow defender potent enough ? Ive read tht its susceptible to low disk access byapss- something sbie x86 handles pretty well.

    *how does shadow defender work? do you start shadow session after reboot? could it be set to auto shadow after every bootup? Is it practical to use?

    I need you guys's feedback. Im absoulutely clueless o_O as to what I should install to make my 64 bit machine as powerful as the past 32bit one. I dont know how weak the x64 sbie is because no one has tested it so far...
     
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Shadow Defender is fine. Can be set to continue a shadow session after reboot. Easy to save files you want to keep while in a 'shadowed' session.

    Also note that Kaspersky Internet Security 2010 has a 'safe run' feature which allows you to sandbox any program.

    Both have trials, so give them a spin. Even if you get the right answer here, it might not suit you, so personal trial is always best.
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I don´t think the guy just wants to give a spin to KIS or any other software. I guess he wants to know, in terms of security, what program similar to Sandboxie is safer than it for 64-bit.
     
  4. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    spot on Buster... I have become an addict to sandboxie on 32 bit -- its everthing I ever wanted for cleanup of surf junk, privacy and protection from viruses, I've read that x64 isn't as strong :doubt: I dont know how weak it is though cause no one tested it; Although Im pretty sure you're an excellent tester Buster. Maybe you could give me feedback. I mean, would you use sbie x64 ONLY? if not, then what other security apps do you use ?
     
  5. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I've heard people go back and forth about x64 Sandboxie. Obviously Tuzk doesn't think it's very secure compared to the x86 version, hence why he dragged his feet on the release - and then said upfront that it was mainly released to avoid brand damage. He also puts the big warning labels on the FAQ page, and he's very right to do so. The useless and deleterious implementation of PatchGuard is really to blame for setting security back a step in the x64 era.

    That being said, I've heard folks argue that the the x64 version is actually very secure for most purposes, and that when combined with the 'drop rights' feature that it will hold up under fire very well.

    I don't know who to believe.

    I'm very interested in this myself. I asked on these very forums if anyone's done any 'live' tests of Sandboxie in a x64 environment, but no one replied. Every Sandboxie test I've seen and Sandboxie review I've read has been for the x64 version - And searching for x64 reviews only nets me announcements on forums for the x64 release.
     
  6. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I have tested Returnil, Sandboxie and Shadow Defender against 10 pieces of malware with Windows 7 x64, but the test PDF is in German. :blink:

    However, the test result is boring anyway, as all three passed all tests, even against KillDisk and KillMBR stuff, which is still a big problem with x64.

    Related to Sandboxie I would say that it has more compatibility problems with legitimate software because of the x64 limitations than protection problems with malware.
    Even if you disable 'drop rights' and install a program into the sandbox to make it work - what's next?
    Open a file or document with this sandboxed program, but without 'drop rights'? :doubt:

    So if you want to primarily secure your browser, then it's also a good choice with x64.
    But if someone wants to install and test a lot of legitimate software, then Returnil or Shadow Defender may be a better choice.

    Cheers
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I don´t think anyone really knows how weak Sandboxie 64-bit is compared to 32-bit version.

    To know this I only can imagine testing something like 100,000 malware samples with both versions and checking if anything bypasses Sandboxie´s protection.

    Nobody is going to make such test so Sandboxie´s security for 64-bit will remain unknown.
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I´m sorry to say that using just 10 malware samples to test make your test irrelevant.
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Wouldn't start/run access settings stop downloaded malware from running at all? I currently don't have a 64 bit machine so if anyone's running SB and a 64 OS, can you please see if start/run restrictions work. Thanks.
     
  10. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Are you even familiar with KillDisk and KillMBR?
    All restriction features do work normally on x64.

    dja2k
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Which will eventually kill off the program, in my opinion. I certainly don't wish that on Tzuk, Sandboxie is one of the easiest to use, solid (in 32bit) applications you can use. Not to mention Tzuk is one of the best developers out there as far as supporting the product. All those good things being said, 64bit is here to stay and is now commonplace. And, we need security solutions that are proven and tight, regardless of 32 or 64 bit systems.

    With malware becoming smarter and harder to detect on a daily basis, "hoping for the best" is no longer an option. I love Sandboxie, but, I have a 64bit system I need to protect, and, having the security of Sandboxie "unknown" is not something I feel comfortable with, no matter how much I appreciate and respect both the program and Tzuk.

    Tzuk was right, without at least trying to take Sandboxie to 64bit, the program would have suffered greatly in regards to public relations. But, Tzuk admitted it wasn't the best solution and, again, the "unknown" status of its security will end up hurting the program anyway. That's simply my two cents.
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Of course, but the two malware samples I found that were bypassing Sandboxie were not any kind of KillWhatever.

    My turn...

    Are you even familiar with the malware samples that bypassed Sandboxie?
     
  13. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Are you a professional AV-tester? :doubt:

    However, awaiting your test with 100,000 malware samples.
    But please analyze every sample and write down a report.
    Because the strange thing with x64 is, that even if malware may bypass SBIE e.g. to load a driver, this one won't be loaded by Windows, or a 32-bit DLL won't be loaded to the Explorer etc.
    So you have to make sure with your 100,000 malware samples test - is SBIE bypassed and has this any relevance with 64-bit.
    Or your 100,000 malware samples test will be irrelevant. ;)

    Cheers
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Yes, I have done antivirus tests for several spanish computer magazines.

    You should learn to read. I told: Nobody is going to make such test

    Do you understand the meaning of "nobody"?

    I disagree. Bypass Sandboxie means that a piece of software is able to write out of the sandbox folder. If the malware is able to do anything else in 64-bit systems is other question.

    Regards.
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    .
    As far as an alternative to SBIE all security programs are subject to the restrictions of Patchguard so I don't see any other sandbox being inherently more secure on x64. Other vendors don't talk about the limitations of 64 bit implementations of their products. The last thing people want to hear is a vendor admitting their product isn't perfect (which is true regardless of x86 or x64). SBIE x64 offers significant security compared with not using it.

    Regardless of what combination of security software you use it's good to make disk images to fall back on in case of a disaster. By the way, in all the years I've been using computers the only time I lost the OS was due to a failed service pack installation, not malware. I found that kind of ironic at the time (is Windows Update the ultimate malware...?) :)
     
  16. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Is Nobody also a AV-tester?
    No, just kidding. :D

    A test against 10 pieces of malware just shows how the tested programs defy these 10 pieces of malware. Nothing more, nothing less.
    A test against 100,000 pieces of malware which will never be performed shows nothing.

    Statistical AV test relevance means nothing to me, I don't perform on demand AV test garbage, only HIPS, Behavior Blocker, Sandbox tests or the like.
    If a Sandbox or HIPS is not able to block direct disk access e.g. of a KillDisk malware, then it sucks.
    That's all I want to show with my tests.

    Cheers
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    And I´m in my right to opine that a test using 10 malwares is irrelevant.

    I consider that´s a pretty fair comment and it´s the truth.

    Obviously direct disk access will be one of the first things that a product like Sandboxie will protect.
     
  18. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241

    Buster, its your right to comment on 10 malwares being a small sample. However I don't see why you don't appreciate that some one decided to test some of the nastiest viruses out there against the 64bit v . Before that test it wasn't known whether or not Direct Disk access protection was provided due to Patchgurad's limitations on sandboxie. I think that the findings are an important contribution.

    100k samples seems like alot but Ive read that you've test 50k so that should be a mild task :D Could I ask that you carry out all your future testing in sandboxie 64?
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I didn´t say I don´t appreciate the test, I just say the sample set is too small to be relevant.

    It´s correct I have tested thousands of malwares under Sandboxie, but always for 32-bit. That´s how I found the samples bypassing Sandboxie.

    At the moment I´m a 32-bit user and it´s not in my plans to migrate to 64-bit, so I´m afraid I´ll not be testing Sandboxie x64 soon.
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    From my understanding, there aren't hundreds of thousands of samples like killmbr.

    A test of say 3000 samples including rogues but without files that would nuke your whole system would be more irrelevant, to me anyway.

    Buster_BSA, I'm guessing you're on the sandboxie forum and posted the samples that have bypassed it?
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Yes, I have been on the sandboxie forum for a while.

    I sent the samples directly to tzuk and he fixed the problem.

    Now it´s me who is guessing that you´re not on the sandboxie forum, right? :)
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,216
    It is also my understanding that the number of malware that can either bypass or damage a sandbox/ virtualizer is really very limited. Subset's test of presumably 'dedicated' malware would probably be enough, we are not talking about antivirus engines that have to be tested against the whole malware spectrum.

    As far as I'm concerned Sandboxie is very practical and safe, but one mistake and you are infected. Shadow Defender and their ilk, are more comprehensive in their protection as once in shadow mode almost anything can be returned to its original state, and if you run a good AV within, it makes the whole system almost impossible to infect.
     
  23. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Correct. After posting here, my time is chewed-up. lol :D
     
  24. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    So Osban, would you recommend running shadow defender in conjunction with SB 64? Do you think that it provides superior protection?
     
  25. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I didn't test only KillDisk malware, also some ordinary stuff like Security essentials 2010, Backdoors, Infostealer etc.
    But that's pretty boring with this kind of protection programs, even with x64.

    Just a note about the more comprehensive protection.
    There was a worm, which copied itself with an autorun.inf to drives.
    This one was not able to do this with Sandboxie, the files ended up in the sandbox.
    But with Returnil and Shadow Defender it was at least able to copy itself to the Floppy, which can't be virtualized with both programs.
    So I think it depends a bit on the malware and the environment, which kind of protection is really more comprehensive.

    Cheers
     
Loading...
Thread Status:
Not open for further replies.