Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

  1. guest

    guest Guest

    Yes my young apprentice, while offline, clean install the OS+drivers.
    Install ESET with HIPS on default, let it allow all processes, reboot several times so most Windows processes will be loaded and allowed. Then set interactive mode when back online or when installing your software, and keep it that way.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,608
    Location:
    Mexico
    Thank you master Skyw... *cough* Darth guest.
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    952
    By default, ESET HIPS doesn't do much. At least not in terms of alerting users.

    If one wants to fully use it, change the HIPS to Learning Mode for a couple of days, then to Interactive Mode.
     
  4. guest

    guest Guest

    I would use learning mode only after a clean install of the OS, and offline.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,580
    Location:
    Under a bushel ...
    At least we know he's older than 51! :D
     
  6. guest

    guest Guest

    Not that much :argh::p
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,642
    Location:
    U.S.A.
    The Eset HIPS in default "Auto" mode only uses Eset built-in HIPS rules; many of those are specifically to protect Eset processes, files, and registry areas. The only way to get the HIPS to recognize all your existing processes is to set it to "Learning" mode for a while. Also, as you mentioned in a subsequent posting, there is always a risk in using this mode at any time other than after a clean install. As long as you're 100% sure your device is malware free, it would be acceptable to employ learning mode. Finally, the rules the HIPS generates are not just specifically related to process startup and the like. Rules are generated for every activity that process performs. You could have upwards of a dozen rules related to just one process. Also, there is no way to sort user rules in the HIPS. As a result, the rules for one process can be interspersed throughout existing other process rules.

    You might be thinking of "Smart" mode, which is a bit more aggressive than the default Auto mode. However, no automatic user rule creation is made in this mode.

    Eset recently introduced "Advanced Machine Learning." The problem is that there is no detailed info on what it actually does. My best guess is it will auto generate Smart/DNA behavioral signatures that Eset uses in its real-time scanner and this new feature will have nothing to do with the HIPS.
     
    Last edited: Jul 18, 2019
  8. guest

    guest Guest

    @itman, it's been a long time since I used ESET; I was quite sure that auto mode permits the allowance of some running processes, or at least prompts the user less intensively than interactive.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,642
    Location:
    U.S.A.
    Based on my experience and multiple like postings in the Eset forum, it doesn't alert at all in Auto and Smart modes.:argh: This does not mean that rules are being automatically created internally. It means the activity is either being allowed per pre-defined internal rule or not being monitored at all by the HIPS.

    If you want alerts and logging from the HIPS, you do the following:

    1. Run in Interactive mode. This will drive you crazy unless Learning mode was first employed.
    2. Create your own custom user rules.

    -EDIT- I will also add you have to be careful how you create rules and respond to Eset HIPS alerts from those rules. Case in point.

    You create rules to monitor PowerShell and cmd.exe execution. Attacker embeds a PowerShell script in a .bat script. You allow the .bat script to run. You're nailed. This is because the HIPS implicitly applies the allow action for the parent process to any subordinate child processes. In this instance, you need to create an additional rule to monitor PowerShell startup from cmd.exe.
     
    Last edited: Jul 18, 2019
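The parent/child case from the post above, as an added example that is not part of the thread and is not Eset code: a PowerShell script that walks process-creation records and flags powershell.exe whose ancestor chain runs through a cmd.exe started from a .bat or .cmd file, which is exactly the chain an "allow" on the parent would cover. The sample records (process IDs, paths, the encoded command) are constructed for illustration; the function names and the encoded-command regex are my own heuristics, not anything the HIPS exposes.

```powershell
# Added example (not from the thread): show the chain an allow-on-parent hides.
# Input is a list of objects with ProcessId, ParentProcessId, Name, CommandLine,
# which is the shape Win32_Process returns, so the same function runs on live data.

function Get-AncestorChain {
    param(
        [Parameter(Mandatory)] [hashtable] $ByPid,      # [int]ProcessId -> record
        [Parameter(Mandatory)] [int]       $ProcessId
    )
    $chain = @()
    $seen  = @{}                                          # guards against reused-PID loops
    $current = $ByPid[$ProcessId]
    while ($null -ne $current -and -not $seen.ContainsKey([int]$current.ProcessId)) {
        $seen[[int]$current.ProcessId] = $true
        $chain += $current
        $current = $ByPid[[int]$current.ParentProcessId]   # $null once we reach an unknown parent
    }
    return ,$chain
}

function Find-ScriptLaunchedPowerShell {
    param([Parameter(Mandatory)] [object[]] $Processes)
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }   # cast: UInt32 and Int32 keys differ

    $findings = @()
    foreach ($p in $Processes) {
        if ($p.Name -notin @('powershell.exe', 'pwsh.exe')) { continue }
        $chain = Get-AncestorChain -ByPid $byPid -ProcessId ([int]$p.ProcessId)
        # The interesting ancestor: cmd.exe whose command line names a batch script.
        $scriptHost = $chain |
            Where-Object { $_.Name -eq 'cmd.exe' -and $_.CommandLine -match '(?i)\.(bat|cmd)(["\s]|$)' } |
            Select-Object -First 1
        if ($null -eq $scriptHost) { continue }
        $findings += [pscustomobject]@{
            ProcessId   = $p.ProcessId
            CommandLine = $p.CommandLine
            LaunchedBy  = $scriptHost.CommandLine
            # Heuristic (my assumption): -e / -ec / -enc / -EncodedCommand on the command line.
            Encoded     = [bool]($p.CommandLine -match '(?i)\s-e(c|nc|ncodedcommand)?\s')
        }
    }
    return ,$findings
}

# Constructed sample, mirroring the post: a downloaded .bat that launches an
# encoded PowerShell command. PIDs, paths and the payload are made up.
$sample = @(
    [pscustomobject]@{ ProcessId = 100; ParentProcessId = 1;   Name = 'explorer.exe';   CommandLine = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ ProcessId = 200; ParentProcessId = 100; Name = 'cmd.exe';        CommandLine = 'C:\Windows\System32\cmd.exe /c "C:\Users\me\Downloads\invoice.bat"' },
    [pscustomobject]@{ ProcessId = 300; ParentProcessId = 200; Name = 'powershell.exe'; CommandLine = 'powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' },
    [pscustomobject]@{ ProcessId = 400; ParentProcessId = 100; Name = 'powershell.exe'; CommandLine = 'powershell.exe' }   # interactive shell, not flagged
)
Find-ScriptLaunchedPowerShell -Processes $sample | Format-List

# Live variant (read-only, no elevation needed for processes you can see):
# Find-ScriptLaunchedPowerShell -Processes (Get-CimInstance -ClassName Win32_Process) | Format-List
```

On the sample, only PID 300 is reported (LaunchedBy is the cmd.exe line naming invoice.bat, Encoded is True); the interactive PowerShell under explorer.exe is left alone. The script does not create or change any Eset rule; it is a way to see which chains a "cmd.exe allowed" decision silently extends to, so you know where the extra PowerShell-from-cmd.exe rule the post recommends is needed.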
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,608
    Location:
    Mexico
    No, he's younger than that but wiser and smarter. You know some are just born loaded with better hardware and software /not fair /lol

    Edit: This is my last off-topic post and should be your last too guys. You know the axe is coming to cut them off.
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,196
    Location:
    USA
    The new Cleaner module is doing its job! No more failure to delete sandboxes. :thumb:
     
  12. guest

    guest Guest

    This is silly... I think it is why I ditched it a long time ago. I still miss its firewall component, though. It was pretty well made.
     
  13. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,189
    Location:
    Mass., USA
    Confirmed here. Kudos to Eset for their recognition / efforts & response.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,274
    Location:
    Nicaragua
    Yesterday (updated today), I tested Firefox 68.0.1 in a sandbox and found an annoying change that really bothers me. Mozilla made the decision to make it more difficult than it was before to disable Multiprocess. This change, and knowing how to overcome it, is something that should interest some Sandboxie users.

    Ever since the beginning, I have disabled Multiprocess; I do it because I think Sandboxie works better. That's my view. Using Multiprocess doesn't cause issues with Sandboxie for me, but we all know that some users have had sound, video or some other kind of issue when having MP enabled and running Firefox under Sandboxie's protection.

    So, if you are one of those users who have issues with Multiprocess when running Firefox sandboxed, this is what you have to do to disable Multiprocess:

    You have to create a System variable (I never needed to do one of these before; I didn't even know what a System variable was, but thanks to Mozilla, now I know what it is and how to create one).

    Navigate to: System Properties > Advanced > Environment Variables, click New, and add:

    Variable name: MOZ_FORCE_DISABLE_E10S
    Variable value: 1

    When you are done, it'll look like this:

    [screenshot: vvvvv.jpg]

    You can see the new variable, third from the top under System variables. I did it on my W10; I'll do it later on my W7. It should work the same on W7.

    Bo
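The same System variable created from a PowerShell prompt instead of the System Properties dialog, as an added example that is not part of the post: 'Machine' scope is the "System variables" list in that dialog, so this needs an elevated prompt. The check reads the persisted value back rather than trusting this shell's own copy. Function and variable names are mine.

```powershell
# Added example (not from the post): set, verify and remove MOZ_FORCE_DISABLE_E10S
# at machine scope. Run from an elevated PowerShell prompt.

$FirefoxE10sVariable = 'MOZ_FORCE_DISABLE_E10S'

function Set-FirefoxE10sDisabled {
    # -Remove deletes the variable again: SetEnvironmentVariable treats $null as delete.
    param([switch] $Remove)
    $value = if ($Remove) { $null } else { '1' }
    [Environment]::SetEnvironmentVariable($FirefoxE10sVariable, $value, 'Machine')
}

function Test-FirefoxE10sDisabled {
    # Read the persisted machine-scope value, not $env:, which is this shell's
    # private copy and does not change for processes that are already running.
    $persisted = [Environment]::GetEnvironmentVariable($FirefoxE10sVariable, 'Machine')
    return ($persisted -eq '1')
}

Set-FirefoxE10sDisabled
if (Test-FirefoxE10sDisabled) {
    "$FirefoxE10sVariable=1 is persisted at machine scope; start a new Firefox process to pick it up."
}
# Undo: Set-FirefoxE10sDisabled -Remove
```

A Firefox that is already running (sandboxed or not) keeps the environment it started with, so close it completely before checking the Multiprocess Windows row in about:support. Brummelchen's reply below notes what this setting costs on the Firefox side; the script only automates the dialog steps in the post, it does not change that trade-off.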
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,943
    I already told you that disabling multiprocess lowers the complete Firefox security - this includes the Firefox sandbox (level), which is now at NULL - NONE. This is and was a solution when people had sound/video issues in Sandboxie: lower the sandbox level in about:config by 1 or 2 steps (5>3). No sandbox means Firefox has the ability to run any process with the full privileges of your given level in Sandboxie (could be worse for the host system when working with admin rights).

    Do what you like with your system, but this is a general warning to other users, and I personally consider such settings really dumb.

    the whole story
    http://forums.mozillazine.org/viewtopic.php?f=38&t=3052239
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,274
    Location:
    Nicaragua
    Brummelchen, my post is supposed to help Sandboxie users, and sooner rather than later, regardless of your opinion, it will. You will see that being so, right here in this thread.

    Note: Firefox on my computer is my browser, not yours, and it is my computer, not your computer. What are you? The vanguard of the people? You think you are smarter than the rest of us and that gives you the right to decide what's best for us and how we should use Firefox. Stop pushing your views on Firefox. There are many users who don't care about Multiprocess. If everyone who used Firefox had to use it the same way, look the same, function the same, without it being possible to make changes, using Firefox would be very boring.

    Bo
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,943
    I did not harm you, nor will I abandon you. I wrote:
    And yes, concerning Firefox I am "smarter".
     
  18. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    620
    Location:
    Canada
    Works on Win. 7 as well. Thanks Bo.
     
  19. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    564
    Location:
    U.S. Citizen
    Hey there, Greetings/Salutations!

    If YOU DO NOT feel comfortable with Firefox/Sandboxie.
    You always can make changes.......below:

    * go to privacytools.io
    * Browser
    * FireFox Privacy Add-ons.
    * Firefox: Privacy Related "about config" Tweaks

    Just different ways of looking at things.....Their call, choices
    in life......Hope this helps.......:confused:
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,274
    Location:
    Nicaragua
    You are welcome, Wolf. I got it done also in my W7 last night, it works fine.

    Bo
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,274
    Location:
    Nicaragua
    Yeap, that's usually how people who see themselves as protectors, the vanguard think of themselves.

    Bo
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,161
    Location:
    Here
    I had problems with multiprocess FF and sound not playing on some sites even without SBIE. When MP was disabled, problem went away. I didn't test if those problems were resolved but since I have no problems I just left MP disabled.
    From security side of this setting: so far I didn't hear about an attack on FF that would be thwarted by MP.
     
  23. guest

    guest Guest

    By disabling MP and the sandboxing capabilities depending on it, you just reverted to the old FF, which was easily exploited.
    I guess you tried FF MP on a clean installed Win10, to check if the issue was still present?
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,161
    Location:
    Here
    No it's not on Windows 10, I use Windows 8.1. I did not retest if issue is resolved, I might give it a try.
    Can you please share some examples (if you know any) of exploits that work on single process but not on multi process FF? I somehow doubt that attackers would specifically attack SP FF users - market share of such installations is IMO too small to be interesting for attackers (not considering targeted attacks).
     
  25. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,943
    @bo - I am just an "informer", nothing more. Of course it's a way to push people in a direction or start them thinking about this or that. It's not that I am experiencing that much, but I read a lot, and so much about other users configuring their Firefox - CSS and scripts. And most of them don't get along alone with these changes - they need to ask with each new version because something is dysfunctional. You can imagine that it could end in boring threads over and over again for each member.

    On the other hand, I am a regular user of Sandboxie and don't know much about the deeper functions. But I don't ask that much about it because it works as it is here.
    Not guest, but I wrote:
    Mozilla has a wiki describing how MP = sandbox works:
    https://wiki.mozilla.org/Security/Sandbox/Process_model
    https://wiki.mozilla.org/Security/Sandbox/Hardening
    https://mozilla.github.io/firefox-browser-architecture/text/0012-process-isolation-in-firefox.html
     