Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191

    Well I thought I had v 4 13 4 but I have 4 13 1. Sorry about that.
     
  2. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191
    Hi Bo. Found it in "miscellaneous" but not "all applications".
     
  3. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    411
    Does this still freeze when playing videos?
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Hi Silat, you can find the new setting in either Miscellaneous or All applications. Look at the picture, you'll see the setting in Applications > All applications. :)

    Bo

    untitled.JPG
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Flash, Protected mode/Plugin container, Sandboxie and Firefox don't work perfectly together but it's OK. I might experience a freeze where I have to close the browser about once every 10 days. To me, that's nothing.

    Bo
     
  6. silat

    silat Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    191
    Right you are my friend. ;)
     
  7. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Maybe you are right regarding tzuk not fixing security in first priority, but I can tell you SB new team doesn't fix even more basic issues like SB crashing using Waterfox consequentially and inside Google Chrome (time to time).

    I reported the Waterfox issue, no one even bothered to reply... so what the heck... :thumbd:

    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=19570
     
    Last edited: Sep 17, 2014
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Demoneye, test disabling Protected mode in Flash and see if it works for you. And if it does, report it in your thread. I realize disabling PM is not something everyone is willing to do but I have seen many people's problems related to Flash go away when they do that. If you always run Flash contents sandboxed, it won't matter to disable PM.

    Bo
     
  9. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    411
    It froze on me a lot more often than that :(
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Rookieman, I am not sure what system or browser you are using for viewing Flash videos but if you are using W7 and Firefox, try disabling Protected mode. It might work for you. I rarely use Flash in my W7 so I don't have it installed anymore but an issue that I used to experience related to Flash when I had Flash installed in the computer, completely went away after disabling PM.

    On the other hand, in my XP, I watch a lot of videos and experience the freezing issue that I mentioned in another post. In this PC, I have to have Flash installed, my workaround is to disable plugin container. It's not a perfect workaround but it works OK. I can live with the issue, it doesn't bother me too much.

    Bo
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    A new version (Alpha :D) has been posted, released for fixing Chrome 37 issues.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=48&p=103514#p103514

    Bo
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,401
    Location:
    The Netherlands
    BTW, I decided to upgrade from v3 to v4 on my Win XP SP2 system, and I was afraid that it would break things, but it's actually running quite stable. I did notice that it does not seem to use any user or kernel mode hooks anymore. Very interesting that the architecture was also changed on Win XP. It does make me wonder why Tzuk did not think of this earlier and if SBIE is technically just as strong as v3 on Win XP. :)
     
  13. In XP-Mode with SBIE, the sandboxed Chrome seems to run with anonymous user rights only (like Untrusted Guest), only able to launch programs, read user folders. Sbie must enable write access to its own sandbox folder and should own the process to apply sandbox limitations (but since it launched the process itself, that should be no problem).

    How did you check the user/kernel mode hooking?
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    One question, you said you are not going to run Chrome under SBIE's supervision, how come you changed your mind?
    What happened?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,401
    Location:
    The Netherlands
    All apps run with "anonymous user rights" on XP, apparently this is enough to restrict apps from performing dangerous activities. As you know, SBIE v3 relied heavily on kernel mode hooks (like old skool HIPS) but with this new approach it does not need this stuff. I think this is the reason that it's running so stable on XP, there is now less chance of conflicting with other security tools. But anyway, to answer your question, you can check it with GMER: disable quick scan, and choose IAT/EAT, Devices and Sections.

    http://www.gmer.net/
     
    Last edited: Oct 1, 2014
  16. True on Win7 or higher I won't, that has not changed.

    I installed XP-mode in my Windows 7 ultimate. In XP there is no low rights integrity level. So I wanted something to protect Chrome as a layer between the application running as Admin in Virtual PC. I had given DW to my mother (becomes 81 next week) on her XP laptop, so my first candidate was GeSwall. GW did not run nicely in XP-mode. Second candidate Bufferzone launched slowly so I tried Sandboxie. Seems that Sandboxie now managed to create an Untrusted container in XP also, so the upside of the Invincea takeover is starting to show now.
     
    Last edited by a moderator: Oct 1, 2014
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,401
    Location:
    The Netherlands
    @ Windows_Security

    OK I see, but SBIE runs just fine on XP. Of course you can also use MBAE to protect Chrome. About GMER, I gave you wrong instructions. You need to choose "quick scan" + "system", and then you will get to see kernel-mode hooks.

    On my XP system, the SSDT has been modified by SSM, ZoneAlarm and Neoava Guard. I think SBIE v3 also hooked the SSDT, but v4 does not do that anymore. As you know, hooking the Windows kernel is forbidden in Win Vista/7/8 by PatchGuard. :)

    http://en.wikipedia.org/wiki/System_Service_Dispatch_Table
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Here is my problem with this, I read many good things about Google Chrome when it comes to security, but also the same goes with SBIE4.
    The problem with Google Chrome is the following: it has vulnerable/exploitable plugins, so why not use it under SBIE4's supervision?
    Even if Google Chrome does not have any kind of these exploitable/vulnerable points in its architecture, I'm not sure how secure it would be without SBIE4 supervision, it seems to me if any exploit or any malware breaks out of Chrome (even though let's say it does not have vulnerable parts, plugins in this case scenario), it might be contained inside/under SBIE4's supervision, because SBIE4 would block applications because all applications and processes are targeted by exploits and malwares that are used by all forms of exploits and all forms of vulnerabilities (even operating system vulnerabilities, for example, kernel-level exploits used Duqu malware but it could be blocked/was blocked by blocking access to t2embed.dll).

    But there is one question that tortures me here: what about browser process exploits, malicious add-ons exploits and similar? For example, I saw on SBIE thread that SBIE4 does block/protect against fileless, memory payload/execution/memory malware where the whole anti-exe/HIPS/AV approach that focuses on the malicious binary moot from the exploit detection perspective:
    http://malware.dontneedcoffee.com/2...014/08/angler-ek-now-capable-of-fileless.html

    Curt from Invincea confirmed that SBIE4 does actually protect against something like this that does not need the whole anti-exe/HIPS/AV approach that focuses on the malicious binary moot from the exploit detection perspective.
    Quote from Curt's post:
    "Angler has not crossed our radar screen here. Sandboxie protects against these things because all sandboxed processes run at untrusted integrity under anonymous user login credentials. If they break out of Silverlight (or whatever), they will still be contained in Sandboxie."
    The same goes for such exploits like memory payload based Angler EK (EK=Exploit Kit) breaking out of Google Chrome (newest version).
     
    Last edited: Oct 2, 2014
  19. @CoolWebSearch

    You explain my point to add SBIE under XP-mode. This started by the question Rasheed, so I decided to have a look and found the answer of Curt, see post #788 in this thread. This is no small feat IMO.

    On my Win7 ultimate I use Chrome locked down through GPO. With these templates I only allow the plug-ins and add-ons I explicitly allow (like the admin allowed plug-ins/add-ons in IE). Point is on Win7 the broker runs in Medium Integrity Level, while under SBIE itself runs in System/HIGH. When malware breaks out of LOW-IL, I rather have it nibbling at a Medium Level process than HIGH/System processes. But then again this "IL-level access" and "adding attack surface" is all theoretical talk: when you feel comfortable with SBIE why not use it?

    I now have a dual browser approach: stripped IE for my favourite sites, Chrome in SBIE (untrusted/anonymous user) in XP-mode for all other browsing.
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, according to Curt your theory is wrong:
    "SbieCtrl.exe runs at medium integrity.
    SbieSvc.exe runs at system integrity.
    Everything inside the sandbox runs at untrusted integrity (which is lower than "low"),

    "SBIE4 itself runs in System/HIGH. " doesn't make any sense. The service runs as System, but that is not Sbie "itself". What matters are sandboxed apps, and they all run at untrusted integrity under Anonymous Logon with almost zero rights in the host system. That's about as restricted as you can get and still execute.

    So what does this user do to safely run any webmail attachments or other downloaded executables?"

    You can join for asking questions here:
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19642
    Cheers.
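
A way to check the claim quoted in the post above (sandboxed processes run at untrusted integrity under Anonymous Logon) from a token's SID listing. This is an added example, not part of the thread and not Sandboxie's own code; the function names are hypothetical and the two listings are constructed in the column layout of `whoami /groups /fo csv`, not captured from a real system.

```python
import csv
import io

# Well-known mandatory-label RIDs (S-1-16-<rid>), lowest to highest.
INTEGRITY_RIDS = [(0, "untrusted"), (4096, "low"), (8192, "medium"),
                  (12288, "high"), (16384, "system")]
ANONYMOUS_LOGON_SID = "S-1-5-7"

# Constructed sample listings (assumed layout, not real captures).
SANDBOXED = r'''"Group Name","Type","SID","Attributes"
"NT AUTHORITY\ANONYMOUS LOGON","Well-known group","S-1-5-7","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Untrusted Mandatory Level","Label","S-1-16-0",""
'''
NORMAL = r'''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'''


def sids_from_csv(text):
    """Extract the SID column from CSV text whose header row contains 'SID'."""
    return [row["SID"].strip() for row in csv.DictReader(io.StringIO(text))]


def integrity_level(sids):
    """Return the integrity level named by the first S-1-16-<rid> SID, or None."""
    for sid in sids:
        parts = sid.upper().split("-")
        if parts[:3] == ["S", "1", "16"] and len(parts) == 4 and parts[3].isdigit():
            rid = int(parts[3])
            name = None
            # Intermediate RIDs (e.g. 8448) fall into the band below them.
            for floor, label in INTEGRITY_RIDS:
                if rid >= floor:
                    name = label
            return name
    return None


def matches_quoted_claim(sids):
    """True only for untrusted integrity combined with the Anonymous Logon SID."""
    return integrity_level(sids) == "untrusted" and ANONYMOUS_LOGON_SID in sids


if __name__ == "__main__":
    for name, listing in (("sandboxed", SANDBOXED), ("normal", NORMAL)):
        sids = sids_from_csv(listing)
        print(name, integrity_level(sids), matches_quoted_claim(sids))
```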
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,401
    Location:
    The Netherlands
    I think I may have misunderstood you, but are you saying that you run SBIE in XP-mode on Win 7? Why would you do that? :)

    And BTW, I spoke too soon, sometimes I get some weird problems on XP, I'm not sure if this is caused by SSM, but after cleaning the sandbox the problems seem to disappear. Also, I've noticed something strange, when running the Zemana Key-Logger Simulation tool, SSM can only stop "low level keyboard access" when both the logger and the app (that is being key-logged) are sandboxed. If only the logger is sandboxed it can capture keys from apps outside the sandbox, a bit weird.

    http://www.zemana.com/LeakTest/keylogger-test.aspx
     
    Last edited: Oct 3, 2014
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,401
    Location:
    The Netherlands
    The way that I see it is that SBIE is not designed to block exploits. So he probably means that if some sandboxed process is exploited by malware, it should be able to contain the malware. But it does not stop the exploit (memory corruption) itself. :)
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The reason I don't run Chrome under Sandboxie is compatibility, convenience, and usability. Why worry about some obscure threat the SBIE may protect against when the browser isn't compatible with other security programs that are more specialized and less redundant, convenient when updating extensions and whatever changes to your profile/settings/data, and usable to the degree of native performance and accessible by your other programs + files?

    What do you use a computer for, to build a Fort Knox?
     
    Last edited: Oct 2, 2014
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,789
    Location:
    Nicaragua
    Hi Rasheed, perhaps there is a conflict between SSM and SBIE. I don't know. But I can tell you, I ran the tool in a sandbox, the tool doesn't log key strokes on files that I have specifically blocked in Sandbox settings or files that are inside folders that I block sandboxed programs from having access to.

    About XP and Sandboxie. I run a lot more programs under SBIE in XP than in W7 and use twice the amount of sandboxes in XP than I do in W7. All my programs run well in XP using the latest beta version 4. In detail, I can tell you that Flash in Firefox worked better for me in version 3 than it does in version 4 but I work around my issue by disabling plugin container. This is something I did not have to do in version 3. To me, disabling plugin container is not a big deal since I never watch any flash content outside the sandbox.

    Another minor quirk in XP and version 4 for me is that I have to untick Drop rights in my Word sandbox or in any sandbox where I run Word files, otherwise, opening and closing Word files is not done immediately. Again, something that I did not have to do under version 3. Last, I use a very old KMPlayer version, under version 4, I Hide a SBIE message that doesn't really mean nothing. After hiding the message, videos play well. In version 3, I did not have to do that.

    For all that I do under SBIE which is running any file or program that runs in my computers, my personal issues that I described above are nothing. Other than that, the rest work great. I don't get errors or unexpected messages or any headaches due to using SBIE version 4 in my XP. :)

    Bo
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Sure, it does not block them but if they are contained inside SBIE then all that memory corruption is under SBIE4's supervision, and there is not a single harm on the real Windows system, and I'm not talking about just malware, but also memory corruption, the real system memory is untouched, that's the point of containing something, that's a key difference.
     