Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Cool, but why are you so obsessed with that? Most exploits and malware can probably also easily be stopped by AV and AE, but we are currently focused on Sandboxie.

    Purely from a technical point of view it's an interesting discussion. Let's take the Firefox exploit from this year, hackers used two exploits in order to bypass the Firefox sandbox and elevate rights. I seriously wonder if elevation would have worked if it was running under Sandboxie's control.

    But even if it could, I think it's likely that Sandboxie would have still contained the malware. Of course you can even harden the sandbox, to block process execution, network connections and limit file access. But I prefer third party tools for that stuff.

    https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Because I kept seeing random, repeated posts of how sandboxie would protect, or sandboxie is needed...as though it were the one and definitive solution.

    Edit:

    more importantly, just trying to illustrate the importance of seeking alternative solutions, starting first with utilizing O/S mechanisms. I'm always concerned about one-man supported software. Even though Sandboxie may not be in this category yet, there is a bit of uncertainty about its future. It's how I feel about my favorite browser extension, uBlockO. If its developer ever abandons it, it's probably doomed.

    On another note, an interesting, if not old, post here regarding Defensewall's developer on the Windows transition to x64:

    64-bit systems and anti-malware software
     
    Last edited: Dec 15, 2019
  3. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Just be sure to set that rule for HMP.A! as a global rule in the configuration file though. It's objectively better than doing it one sandbox at a time. However, you will have to use the menus in just one sandbox to get the rule to show up in the config file. Just cut & paste the text for the rule out of the sandbox you first set the rule in and paste it into the global rules section next to any other global rules for other security software you might have.

    Also, to the best of my knowledge Malwarebytes A.E. isn't compatible with sandboxie.

    However, Sandboxie and HMP are both owned by Sophos.
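As an added illustration of the global-versus-per-sandbox placement described in the post above (this is not the poster's config nor Sandboxie's shipped defaults), a Sandboxie.ini fragment. The section names [GlobalSettings] and [DefaultBox] and the DropAdminRights key are assumed from Sandboxie's documented .ini layout; the ClosedFilePath line reuses the cryptngc.dll entry quoted in this thread, and the HMP.A rule itself is left as a placeholder because its text is not on the page.

```ini
; Sandboxie.ini fragment (added illustration, not a shipped configuration).
; Keys under [GlobalSettings] apply to every sandbox; keys under a
; [BoxName] section apply to that one box only.

[GlobalSettings]
; A rule placed here takes effect in all sandboxes at once, so it only
; has to be written once. Example: the cryptngc.dll block discussed in
; this thread (assumed placement; key name is a real Sandboxie setting).
ClosedFilePath=*\cryptngc.dll
; PLACEHOLDER: paste the HMP.A rule line copied from the sandbox where
; it was first created via the GUI menus, e.g. alongside the line above.

[DefaultBox]
Enabled=y
; "Drop rights": deny admin rights to everything started inside this
; box (assumed key name).
DropAdminRights=y
; A per-box rule written here affects DefaultBox only; with the same
; rule already in [GlobalSettings] this line would be redundant.
```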
     
  4. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    We're focused on sandboxie because that's the topic of this whole thread. Sandboxie is really more of a utility than a security product.

    I use it to keep data from different applications I use separated and to be able to wipe out any changes made by software while I'm using that said software.

    Second point:
    If the setting to auto-deny admin access (drop rights) in the affected sandbox(es) is enabled, I'm confident that something meant to exploit Firefox or Chrome wouldn't be able to get admin access as long as Sandboxie, an application NOT targeted by the exploit, is automatically denying everything running under its supervision from getting admin access.

    There aren't that many people who ever used sandboxie to begin with, even fewer now. That's why it's always been so effective at thwarting malware. Not that many cybercriminals are attacking it, because they're plenty successful without ever putting any effort into exploiting sandboxie.

    A lot of security software is so crappy that they don't even have to bother attacking that security software at all either. McAfee for example, or Norton, or even Zemana in recent years, or lots of other antivirus products that fail as soon as they encounter unknown malware. *cough cough* Windows Defender! *cough* Excuse me!
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
  6. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, I'm sorry but I think this is a bit silly. Because I already explained why I mentioned Sandboxie, those weren't random posts. And yes, SBIE's future is unclear but no need to worry about this right now. It's still working and still an excellent browsing protection tool.

    In case you still don't get it, the reason why I mentioned Sandboxie in the threads about the Tianfu Cup and WizardOpium is because of claims that Brummelchen made. It's an old discussion, and certain people still seem to think that because browsers like Chrome and Firefox implemented their own sandboxes, Sandboxie is now pretty much useless. I believe this is BS, and I was trying to explain this.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    How is this even relevant? Since then, security tools including Sandboxie have been redesigned. And even without kernel hooking they are still able to offer good enough protection.

    But anyway, to give some background information:

    I joined this forum back in 2004 because I was worried about browser exploits. Even back then I came to the conclusion that it's probably best to use multiple layers. I've always used the AE + sandbox combo. I started with Process Guard + SBIE, then it became System Safety Monitor + SBIE and currently it's EXE Radar + SBIE. If the first tool fails, then Sandboxie should still contain the malware.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I suppose it does. You probably know the developer of Defensewall refused to redesign his product for 64 bit O/S' because of the weaker protection user-mode hooking would provide over that of patching the 32 bit kernel. At least I'm pretty sure that was his reason. Please correct me if I'm wrong. "Good enough" protection I guess didn't cut it for him. I just think it's interesting that he chose the opposite course of action that Sandboxie's developer chose. That's why I thought it relevant to post it.

    BTW, your layering approach is similar to mine, except I focus on using the O/S mechanisms as much as possible, especially Group policy, Windows security and SRP, for example in Windows 10 Pro. In Linux as well but that's a different O/S so I won't go there.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    That's exactly the way I see it, too. It's not even a focus on omitting Sandboxie or any one particular 3rd-party program; it's all about utilizing O/S hardening as the primary security, then adding minimal 3rd-party security to fill in the gaps, or areas I feel the O/S is lacking.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I think your post is more suitable for the "What's my security setup" thread than the Sandboxie thread (only my opinion).

    But anyway, how much more minimal than that below can it get?

    [Attached image: Sin título.jpg]

    Some of us have for years used Sandboxie and will continue to use SBIE for as long as it works. Some of you think and push the notion that we should have dropped using SBIE years ago; I am sorry, but that's not gonna happen. If we choose to use SBIE over other products in our computers, we are entitled to do that, same as you are entitled to use what you want in your computer. In our computers what we choose to use is our choice, not yours.

    Bo
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    LOL! I'm not trying to brainwash anyone into dropping Sandboxie in exchange for using another security approach. There is a method to my madness, but few seem to grasp it yet. If one's judgement is clouded because of an emotional attachment to a security product, then I guess they'll never consider alternative options. Rasheed actually hit the nail on the head in an earlier post with a "good enough protection" comment without probably realizing it. Is "good enough protection" satisfactory enough, or is it more important to seek better than "good enough protection"?

    At one time I used to feel "security through obscurity" (think Linux) was good enough security, but then realized it isn't real security.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    You might not believe this but the day Sandboxie dies, I will not shed one tear. That day I'll move on and perhaps afterward remember Sandboxie with fondness but without tears or sadness. Emotional attachment to Sandboxie? That's not so, but I feel strongly about being allowed to choose what I want regardless of what it is without getting mocked or criticized for the choices I make. To that, yes, I am highly attached: to what I want and what I choose.

    For the past 10 years or so, I have chosen to use Sandboxie and to this day I haven't found any reason to change it or to make me doubt that my choice (for me personally) was the correct choice. Over the years I heard a lot of noise about why not to use it, but it's always the same, and always comes from people who never used Sandboxie or don't use SBIE anymore. It's constant and repetitious. :)
    If you ask me, I believe Sandboxie's protection is great. It has always been great. In over 10 years using it, I haven't seen any malware. Wouldn't that make it a good reason for me to believe that Sandboxie's protection is great when I haven't seen any signs of anything that's malicious since the day I installed SBIE for the first time? Why should I change SBIE when nothing gets through it? Why, give me a good reason. Not just becauses. I mean, how much better than that can Sandboxie be? Isn't that enough proof that Sandboxie is actually a very good security solution? You question Sandboxie's effectiveness, and disregard the constant proof and testimony written in this forum about SBIE by many members; it's not only me, but the many Sandboxie users who over the years have written about their personal experience using SBIE. These positive experiences are written all over these forums, including in this long thread. Open your eyes, don't ignore what others have been saying about SBIE over the years.

    Bo
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Seems like you misunderstood. What I was trying to say with the "good enough" comment, is that there is no such thing as 100% security. That comment that Ilya posted was made in a time when it was unclear for developers how to develop security apps after PatchGuard was introduced in Win Vista. Since then, M$ has introduced lots of APIs for Windows that make current security tools just as powerful. So that's why I said that it's not relevant, and it hasn't been for the last 10 years or so, so I was surprised to see you bringing this up.

    Another thing that you seem to forget is that there isn't anything special about using O/S mechanisms like SRP; in fact all security tools including Sandboxie are using the same O/S mechanisms, that's what an OS like Windows is for. These third party tools have simply implemented these O/S mechanisms or APIs in a certain type of way. This doesn't make them inferior to "first party" stuff like SRP, SmartScreen and Win Def for example.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Also, since you wanted to make this a technical discussion, don't forget that SRP and whitelisting won't block "in-memory" exploits. This means that in theory, hackers could use so called "file-less" malware, and everything happens inside the attacked browser process.

    However, a tool like for example Sandboxie can mitigate this. Let's say it's file-less ransomware, it still wouldn't be able to encrypt data outside the sandbox. Of course, home users normally don't have to worry about these advanced "targeted" attacks, but I mentioned it, because it's interesting from a technical point of view.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Now that I think of it, I was reading the Bromium report and it's worth mentioning that they used Windows kernel and user mode exploits in order to bypass Chrome and Sandboxie. So they weren't even using holes in Sandboxie. In fact, they weren't even using holes in Chrome.

    In a real life attack, you first need to get remote code execution, and only then can you try to elevate privileges by bypassing the browser sandbox via either a browser or Windows hole. So I'm quite certain that Sandboxie would have neutralized the "Coinbase" attack on Firefox. Also, Sandboxie has since then been redesigned, so it's now more similar to the Chrome sandbox.

    https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/
     
  17. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    I don't know about that last point that I edited to bold, but when I learned about PatchGuard and the way a normal antivirus can't hook into the kernel anymore, I started using HMP.A! with Sandboxie in addition to my other measures. And the things I can't sandbox, the PC games I have, are all protected by my other security measures AND HMP.A!
     
  18. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    I agree with pretty much everything here. Any time my browser starts acting funny after visiting a certain website I can just clear the affected sandbox and I'm golden again. I hope Sandboxie never dies, because it's one of 2 products that hasn't ever failed to protect me and has never caused any significant performance issues, even after a Windows update breaks it.

    With my setup, Sandboxie is probably overkill, but it works; why change my setup if it runs smoothly on my system?
     
  19. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I know it has happened, and probably happens more often than not. So, it is possible.

    I already updated in W10, and quickly tested all I test after updates, all seems to be just fine between Sandboxie 5.33.1 and W10 18363.535.

    [Attached image: Sin título.jpg]

    Bo
     
  21. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    Same, and works fine, just seems like a big version bump (5.31.6 to 5.33.1) for "ClosedFilePath=*\cryptngc.dll" .ini inclusion though...
     
  22. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    It sounds like they addressed the root of the issue in their RPC handling and didn't just hardcode a block for cryptngc.dll.
    The best way to tell for sure though would be to see if it's working as expected while trying to log in on the affected sites with cryptngc.dll allowed again, and check if it's actually loaded.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    They probably had an internal version with the 5.32 numbers.

    Bo
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I don't use a MS account or have had an issue logging in anywhere, but it would be nice to hear from someone who experienced the problem confirming that it is fixed.

    Bo
     
  25. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    I can confirm that the issue with as lagging, sometimes crash causing, is completely fixed in this new build. Good, because that was bugging me!
     