Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    There are lots of ways to interfere with any infection steps from malware. Sandboxie would very likely work in this regard, but it's important not to lead the uninformed into believing it's the only way to browse securely.
     
    Last edited: Dec 10, 2019
  2. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    424
    I'd argue with the interfere label. While SBIE has mechanisms that can do just that, those are not its primary functions.

    Underlines are added by me.
    From Chrome's own pages:
    The more important quote takes place a few lines down under Design principles.
    Oops, well this is Sandboxie by definition as it already tries to give its users a 'better security model' using a driver and service so /shame on them, right? OOF!

    The Chrome devs may not agree and honestly I'm tempted to side with their sentiment in general, but when it comes to browser escapes as we've been discussing here it's a different story. I'm not trying to say those writing such escapes couldn't target SBIE and eventually find a bypass to pull them off even from within Chrome or other browsers (I'd actually love to see a working example), just that in most cases SBIE would isolate them already as intended.

    I've always said that if it can be written it can be broken. Still, just because you can break one does not mean you can break another the same way.

    The fact that we don't yet understand HOW Sandboxie has made changes in regards to chrome or other browsers to enable them to function within is a big deal. IF they reduced protections on some hard-coded level then yes, we have more holes for potential exploits to make use of. IF on the other hand they added more logic questions to handle things then that potential is greatly reduced (but still exists as one could potentially target things in a certain way to try and result in the desired answer at the same time.) At this point we don't know for sure how it works and arguing further over a 'maybe' seems rather pointless but by no means have I been trying to make SBIE the answer of answers.

    I started this drunken ramble with a goal of saying 'interfere' was not the word I would choose, it would be 'isolate' and I lost my way somewhere in there adding other thoughts in edit upon edit so I apologize for that.

    That's what the Chrome broker process and SBIE all attempt to do, isolate certain things in their own ways.

    To reiterate in a different fashion, "Just because you might get your grandmother to sign off on something does not mean that you can also get your father to allow it using the same argument."
     
    Last edited: Dec 10, 2019
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,458
    Location:
    Nicaragua
    We agree on that. Sandboxing and Sandboxie is isolation. Isolation is what Sandboxie does.
    But, what I wrote regarding the "interfering" that Sandboxie can do to malware when it tries to infect, that is not something I took out of the blue. Tzuk himself used that word to describe what Sandboxie does when malware tries to do its thing in the sandbox and Sandboxie interferes during the process that malware has to follow to infect. He said that we won't know the result in advance, we won't know if the interference that Sandboxie creates is enough to successfully break or not break the malware until the attack takes place. If I recall correctly, when he wrote that he was talking about malware of the worst type. I remember him using the words that the interference that Sandboxie creates "might or might not" be enough to successfully break the malware. And (paraphrasing) "We'll only know the result after the attack takes place".

    The old forum is dead so we can't find the quote over there, but I know I quoted that quote a few times and posted it here at the forum. For sure, if you care to search for it, search the Bromium thread. I know I wrote that quote for Kees (the anti SBIE hater and leader at that point in time) in that thread. Look for the word "interfere", it's probably somewhere in the last 30 pages of that thread. I posted the quote and link to it. :)

    Bo
     
  4. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    12,986
    Location:
    UK
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,458
    Location:
    Nicaragua
    Yes, that's the one (good find). :)

    Bo
     
  6. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    250
    Location:
    Mexico City
  7. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    211
    Location:
    VPN city
    I still have time on my HMP.ALERT! license so now I'm beefing up the defenses of sandboxie with that too.

    So now if something is started by something running inside of sandboxie I have voodooshield that will block the command line of those processes calling upon windows system processes and I also have HMP.ALERT! to further mitigate anything that VS can't catch.

    For anyone who's worried about exploits that could potentially bypass sandboxie, you should beef it up with HMP.ALERT!. But when you add the rule in sandboxie's configuration file, just add it to one sandbox from the menus in the UI and then go into the configuration file and cut&paste it to the global rules instead, that way, it will apply to ALL sandboxes instead of just one by one.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,317
    Location:
    The Netherlands
    The thing is, how they achieved it isn't interesting for this discussion, because it won't change anything about what I said, it's still true. And they can't publish this info because Google pays big bucks for these high risk holes.

    Don't forget how this discussion started, it's because Brummelchen said that Sandboxie won't provide any protection if Chrome's or Firefox's sandbox is bypassed. This is false, because Sandboxie will still contain the malware. So let's say the malware happens to be ransomware, it won't be able to encrypt files on the system.

    Yes exactly, if you don't want malware to run at all, then you should use a tool like HMPA or MBAE. And in case they are bypassed, Sandboxie will still contain the malware. It's true that certain types of malware can still steal data even when run in the sandbox. That's why I've always advised to combine Sandboxie with other security tools.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    The trouble is, Rasheed, you give the distinct impression that the only way to contain, mitigate or eliminate these types of threats is by using Sandboxie, when clearly there are other ways as well.

    BTW, even though I debate much of what you post, I like your contributions to these forums. You get into some deep, meaningful technical discussions. I look forward to your posts on the weekends :)
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,317
    Location:
    The Netherlands
    I'm sorry but you have to be kidding me. In my last post, I even explained that it's best to combine SBIE with other security tools, because malware can even do damage inside the sandbox.

    And I also explained how this latest discussion started, it was because of a false claim from Brummelchen. I don't see why you seem to think that I'm acting like SBIE is the only way to protect the browser. We also have AV and AE as I have said numerous times, just look for it in my posts.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    Okay, maybe I'm reading too much into your Sandboxie posts, so my apologies there, but it is quite a common theme in them.

    EDIT:

    Btw, you might remember Bromium Labs' opinion of a "sandbox within a sandbox" as being futile because of fundamental flaws and strategy involved in the approach. I'm not allowed to quote the .pdf article but I have it on hand. They were even able to break out of it using a TrueType font parsing bug.

    Here's the link to it:

    https://bromiumlabs.files.wordpress.com/2013/07/application_sandboxes_a_pen_tester_s_perspective2.pdf
     
    Last edited: Dec 14, 2019
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,458
    Location:
    Nicaragua
    Hi Wat. Don't forget, Bromium was selling something when they published their "report"....their product.

    Their "report" was a selling tool.

    Their opinion of a "sandbox within a sandbox" is easily proven wrong, if you recognize and accept as fact that the Chrome or Firefox sandbox will not protect the user if he gets hit by ransomware, but this same user will be protected if he/she is using Sandboxie on top of the browser and gets hit by the same ransomware attack. And don't forget, their aim was to sell their product as being better over using sandboxes.

    Bo
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    Maybe a selling tool, but I believe their test results were factual and not fabricated, and that's what's important. I'm not disparaging Sandboxie. You know I bought a license years ago, and used it for an appreciable time. It's a terrific security solution for a number of applications, and one that works well for many, including yourself and Rasheed. It's just that there are so many other security approaches that are just as, if not in some cases more, effective and are better suited for others. Sandboxie might contain the exploit, but in my case, for example, I'm more interested in a security approach tailored to break the chain of events early on that takes place in triggering the exploit.
     
  14. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    424
    Back when I started trying to use MBAE with SBIE I got quite annoyed at both their failures to really attempt playing nice together. Prevention has always been better than isolation in my book so for a short time I toyed with the idea of dropping (my still kind of new but awesome) SBIE in favor of MBAE but ultimately did some learning and testing instead so wasn't forced to choose between them.

    As for your earlier comments on the kind of old 'Bromium' document, which took place on an OS (Win7, SP1) that is about to reach EoL alongside a very early SBIE 4.04 version where they were still transitioning to using ANONYMOUS LOGON:
    No solution is perfect nor am I suggesting any including SBIE is.

    Yet the 'exploits' they used to escape SBIE were previously known OS vulnerabilities and patched years before, meaning they must have tested on a machine that wasn't up to date with readily available patches, so they lost a huge chunk of credibility with me on that. E.g. SBIE 4.04 was released in 2013 but they used MS11-063 & MS11-087 which were issued in 2011 and then MS12-042 in 2012. All of which were OS level exploits that were already patched. Better yet we can assume they used an Intel processor as AMD wasn't even affected by MS11-087!
    In fact, they didn't have a single successful ~SBIE~ escape without relying on an 'already patched OS vulnerability'.

    My biggest takeaway from their testing ends up being that it's generally a good idea to stay rather recent with your updates. Related to this, unexpected revelation, I'll leave a one liner that my kid(s) often drop which expresses my thoughts about this:
    /derp

    The other points they made about screen scraping, internal keyloggers, copying clipboard & file info etc are all valid. The file ones can be mitigated using the options within SBIE but aren't set up by default. The screen and keylogger aspects can also be mitigated via SBIE addons and again potentially by making use of pre-existing SBIE launch options within said box. Outside of SBIE there are also other options a user might add to help fight them should they even happen to run inside a box.

    All this said I do NOT believe that SBIE is perfect or that a determined adversary couldn't find a non OS hole to enable an escape.
    Finally this ramble circles back to your quote where I'd like to leave you with one last line in response.
    /thumbs up
     
    Last edited: Dec 14, 2019
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,458
    Location:
    Nicaragua
    I have no issue with that. I believe we all are entitled to our opinions.
    The sandbox in Sandboxie is the meat of the program but we also have Sandbox settings that can be used to tailor what programs can do in the sandbox. As you know, you can set it up so only a few programs can run or connect to the internet. Either of those two will break (or let's use the word interfere if you like) the chain of events malware has to go thru before it infects. And if you put on top of those restrictions, "Drop rights", nothing is going to install in the sandbox. Drop rights will not allow any program (malicious or not) that gets downloaded into the sandbox to install. So, for breaking the chain, we get plenty from SBIE, but if someone likes to use something else alongside SBIE (if this is the case, I suggest to make sure it works well with SBIE/Compatible) or instead of SBIE, I personally don't have a problem with that.

    The only thing I have a problem with is when I see someone minimizing the effect of using Sandboxie when there is actually no good reason to do it other than hate or to promote other programs. In your case, I know this doesn't apply to you.

    FWIW, I think it is interesting to note, in all the years I used Sandboxie, I've never seen anything that I thought might be malware attempt to run. It's like it doesn't exist. I've never even seen a Sandboxie message telling me of some program with a weird name that can't be explained attempting to run or connect to the internet. Likely, for my browsing sessions, this can be explained because of how restricted I use NoScript, but for the rest of activities, I have to give credit to Sandboxie. What else can I give the credit to if I don't use anything alongside SBIE? Let me also point out that most of my sandboxes are as restricted as possible but I also use some sandboxes where restrictions are very relaxed, with the same results. Nothing funny ever runs. So, Sandboxie does what it does very well, and it does more than what we know it's supposed to be doing.

    Bo
     
    Last edited: Dec 14, 2019
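    The two configuration ideas raised in this thread, moving a rule from one box to the global section (GrDukeMalden's post) and restricting a box so that only chosen programs can run or reach the internet, plus "Drop rights" (bo elam's post), are easier to see side by side in a Sandboxie.ini fragment. The fragment below is an added example written for this page, not taken from the thread or from the Sandboxie project. The box name WebBox, the program name firefox.exe and the DLL paths are constructed placeholders; the key names follow the Sandboxie.ini format as I know it (DropAdminRights, ClosedFilePath with the InternetAccessDevices keyword, InjectDll/InjectDll64), and the ClosedIpcPath line is my assumption of what the Start/Run Access dialog writes, so verify it against the dialog's output on your own install.

```ini
# Added example (not from the thread): Sandboxie.ini fragment.
# Box name, program name and DLL paths are constructed placeholders.

[GlobalSettings]
# Anything under [GlobalSettings] applies to every sandbox. The UI writes a
# setting into one box's section; cutting it and pasting it here is the
# "move it to the global rules" step, so it does not have to be repeated
# per box. Placeholder paths: substitute the real path of the
# anti-exploit DLL you want loaded into sandboxed processes.
InjectDll=C:\Placeholder\AntiExploit\hook32.dll
InjectDll64=C:\Placeholder\AntiExploit\hook64.dll

[WebBox]
Enabled=y

# "Drop rights": sandboxed processes run without administrator rights,
# so a downloaded installer cannot install, even inside the box.
DropAdminRights=y

# Internet Access restriction: the "!program," prefix means "closed for
# every program except this one", so only firefox.exe may open the
# network devices; anything else started in the box is offline.
ClosedFilePath=!firefox.exe,InternetAccessDevices

# Start/Run restriction, limiting the box to firefox.exe.
# Assumption: this is the line the Start/Run Access dialog generates;
# compare with what your own Sandboxie.ini shows after using the dialog.
ClosedIpcPath=!firefox.exe,*
```

    One caveat when moving a restriction such as ClosedFilePath to [GlobalSettings]: it then applies to every box, including boxes where a different program is supposed to have network access, so per-box restrictions usually belong in the box section and only box-independent settings like InjectDll belong in the global one.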
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    @syrinx and @bo elam thank you both for your comments.

    One question I have before I can make any further comments: does Sandboxie run at all in kernel space, or does it use only user-mode hooking? I think because of patchguard it's the latter, but I want to be sure.
     
  17. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    424
    Last edited: Dec 14, 2019
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    Thank you for clarifying. Only very recently I've gained a greater appreciation for security applications or systems that run in the kernel.

    EDIT:

    I guess what I'm trying to say is no security approach seems like complete security unless at least one component is running from the kernel.

    EDIT#2:

    Yet ironically, so many advanced exploits can be stopped before they reach the kernel stage using user-space security measures. This includes the all important one above one's shoulders.
     
    Last edited: Dec 14, 2019
  19. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    424
    Yes, but sadly, as so many experience, the user-mode hook method tends to also result in broken apps quite often until the checks are updated =( This is why I currently feel that while SBIE isn't dead, something closer to ReHIPS is the way to go these days. Please keep in mind I use neither solution at this moment and while I feel they both have potential I think SBIE is sort of already in the dying stage, "without a ton of attention". I just don't enjoy seeing incorrect information on it festering.
     
    Last edited: Dec 14, 2019
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    Maybe, which is why I would hope people can think outside of the "sand-box" and not be led to believe there are no other comparable or potentially better solutions available. No, I am not a Sandboxie hater, just someone who is open-minded enough to seek out alternative security solutions in the event it either is not suitable for a particular user or, worse, it's no longer developed.
     
  21. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    424
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    Your Win10 security setup is more heavily fortified than I can shake a stick at! Applocker, Memprotect and Windows FW is as far as I'd go. But this being a Sandboxie thread, I don't want to veer OT.
     
  23. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,076
    That's what I do, and Sandboxie does not need tons of adjustments here. If I can't manage security without Sandboxie or tons of other programs I am completely in the wrong place. You probably would earn a ********* for this statement.
    The funny thing with Windows 10 is that Defender has anti-exploit (since 2018), anti-ransom (I think both not full blown but enough to care) and is added by a firewall and SmartScreen and some other minor features.
     
  24. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Aren't they removing this in the next update?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,317
    Location:
    The Netherlands
    Yes I do think it's getting a bit unhealthy to keep pointing out that we can also use other tools for protection, as if this is something new. This topic is purely about Sandboxie, which is a browsing protection tool. And again, this particular discussion is about if Sandboxie can help in case browsers like Chrome and Firefox get hacked. In my view the answer is yes.

    About the Bromium report, what it showed is that they could hack Sandboxie, but only after targeting it directly in case the Windows kernel exploit was used. In other words, when hackers try to target only Chrome and Firefox and don't know that Sandboxie is running on top, it could still interfere with certain malicious actions.
     