Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.
Well, I thought I had v4.13.4 but I have 4.13.1. Sorry about that.
Hi Bo. Found it in "miscellaneous" but not "all applications".
Does this still freeze when playing videos?
Hi Silat, you can find the new setting in either Miscellaneous or All applications. Look at the picture, you'll see the setting in Applications>All applications.
Flash, Protected mode/Plugin container, Sandboxie and Firefox don't work perfectly together but it's OK. I might experience a freeze where I have to close the browser about once every 10 days. To me, that's nothing.
Right you are my friend.
Maybe you are right regarding tzuk not fixing security as first priority, but I can tell you the SB new team doesn't fix even more basic issues like SB crashing using Waterfox consequentially and inside Google Chrome (from time to time).
I reported the Waterfox issue, no one even bothered to reply... so what the heck...
Demoneye, test disabling Protected mode in Flash and see if it works for you. And if it does, report it in your thread. I realize disabling PM is not something everyone is willing to do but I've seen many people's problems related to Flash go away when they do that. If you always run Flash content sandboxed, it won't matter to disable PM.
It froze on me a lot more often than that.
Rookieman, I am not sure what system or browser you are using for viewing Flash videos but if you are using W7 and Firefox, try disabling Protected mode. It might work for you. I rarely use Flash in my W7 so I don't have it installed anymore but an issue that I used to experience related to Flash when I had Flash installed in the computer, completely went away after disabling PM.
On the other hand, in my XP, I watch a lot of videos and experience the freezing issue that I mentioned in another post. In this PC, I have to have Flash installed, my workaround is to disable plugin container. It's not a perfect workaround but it works OK. I can live with the issue, it doesn't bother me too much.
A new version (Alpha) has been posted, released for fixing Chrome 37 issues.
BTW, I decided to upgrade from v3 to v4 on my Win XP SP2 system, and I was afraid that it would break things, but it's actually running quite stable. I did notice that it does not seem to use any user or kernel mode hooks anymore. Very interesting that the architecture was also changed on Win XP. It does make me wonder why Tzuk did not think of this earlier and if SBIE is technically just as strong as v3 on Win XP.
In XP-Mode with SBIE, the sandboxed Chrome seems to run with anonymous user rights only (like Untrusted Guest), only able to launch programs and read user folders. Sbie must enable write access to its own sandbox folder and should own the process to apply sandbox limitations (but since it launched the process itself, that should be no problem).
How did you check the user/kernel mode hooking?
One question, you said you are not going to run Chrome under SBIE's supervision, how come you changed your mind?
All apps run with "anonymous user rights" on XP, apparently this is enough to restrict apps from performing dangerous activities. As you know, SBIE v3 relied heavily on kernel mode hooks (like old skool HIPS) but with this new approach it does not need this stuff. I think this is the reason that it's running so stable on XP, there is now less chance of conflicting with other security tools. But anyway, to answer your question, you can check it with GMER: disable quick scan, and choose IAT/EAT, Devices and Sections.
True, on Win7 or higher I won't, that has not changed.
I installed XP-mode in my Windows 7 Ultimate. In XP there is no low rights integrity level. So I wanted something to protect Chrome as a layer between the application running as Admin in Virtual PC. I had given DW to my mother (turns 81 next week) on her XP laptop, so my first candidate was GeSwall. GW did not run nicely in XP-mode. Second candidate Bufferzone launched slowly, so I tried Sandboxie. Seems that Sandboxie now managed to create an Untrusted container in XP also, so the upside of the Invincea takeover is starting to show now.
OK I see, but SBIE runs just fine on XP. Of course you can also use MBAE to protect Chrome. About GMER, I gave you wrong instructions. You need to choose "quick scan" + "system", and then you will get to see kernel-mode hooks.
On my XP system, the SSDT has been modified by SSM, ZoneAlarm and Neoava Guard. I think SBIE v3 also hooked the SSDT, but v4 does not do that anymore. As you know, hooking the Windows kernel is forbidden in Win Vista/7/8 by PatchGuard.
Here is my problem with this, I read many good things about Google Chrome when it comes to security, but also the same goes with SBIE4.
The problem with Google Chrome is the following: it has vulnerable/exploitable plugins, so why not use it under SBIE4's supervision?
Even if Google Chrome does not have any kind of these exploitable/vulnerable points in its architecture, I'm not sure how secure it would be without SBIE4 supervision. It seems to me that if any exploit or any malware breaks out of Chrome (even though, let's say, it does not have vulnerable parts, plugins in this case scenario), it might be contained inside/under SBIE4's supervision, because SBIE4 would block applications, because all applications and processes are targeted by exploits and malware that are used by all forms of exploits and all forms of vulnerabilities (even operating system vulnerabilities, for example, kernel-level exploits used by Duqu malware, but it could be blocked/was blocked by blocking access to t2embed.dll).
But there is one question that tortures me here: what about browser process exploits, malicious add-on exploits and similar. For example, I saw on the SBIE thread that SBIE4 does block/protect against fileless, memory payload/execution/memory malware where
the whole anti-exe/HIPS/AV approach that focuses on the malicious binary moot from the exploit detection perspective:
Curt from Invincea confirmed that SBIE4 does actually protect against something like this that does not need the whole anti-exe/HIPS/AV approach that focuses on the malicious binary moot from the exploit detection perspective.
Quote from Curt's post:
"Angler has not crossed our radar screen here. Sandboxie protects against these things because all sandboxed processes run at untrusted integrity under anonymous user login credentials. If they break out of Silverlight (or whatever), they will still be contained in Sandboxie."
The same goes for such exploits like memory payload based Angler EK (EK=Exploit Kit) breaking out of Google Chrome (newest version).
You explain my point to add SBIE under XP-mode. This started by the question of Rasheed, so I decided to have a look and found the answer of Curt, see post #788 in this thread. This is no small feat IMO.
On my Win7 Ultimate I use Chrome locked down through GPO. With these templates I only allow the plug-ins and add-ons I explicitly allow (like the admin allowed plug-ins/add-ons in IE). Point is, on Win7 the broker runs in Medium Integrity Level, while SBIE itself runs in System/HIGH. When malware breaks out of LOW-IL, I rather have it nibbling at Medium Level processes than HIGH/System processes. But then again this "IL-level access" and "adding attack surface" is all theoretical talk: when you feel comfortable with SBIE why not use it?
I now have a dual browser approach: stripped IE for my favourite sites, Chrome in SBIE (untrusted/anonymous user) in XP-mode for all other browsing.
Well, according to Curt your theory is wrong:
"SbieCtrl.exe runs at medium integrity.
SbieSvc.exe runs at system integrity.
Everything inside the sandbox runs at untrusted integrity (which is lower than "low"),
"SBIE4 itself runs in System/HIGH. " doesn't make any sense. The service runs as System, but that is not Sbie "itself". What matters are sandboxed apps, and they all run at untrusted integrity under Anonymous Logon with almost zero rights in the host system. That's about as restricted as you can get and still execute.
So what does this user do to safely run any webmail attachments or other downloaded executables?"
You can join to ask questions here:
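To check Curt's description for yourself, here is an added Python example (not from the thread and not Sandboxie's own code) that reads a process's mandatory label through the Win32 token API and maps the label RID to its level name; the function names rid_to_level, integrity_level_of_pid and current_process_level are my own. On a Windows host, pass the PID of a sandboxed program (or of SbieCtrl.exe / SbieSvc.exe) to integrity_level_of_pid; on other platforms it returns None.

```python
"""Query the Windows integrity level of a process by PID."""
import ctypes
import os
import sys

# Mandatory-label RIDs: the last sub-authority of S-1-16-<rid>; these values are fixed by Windows.
LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}

def rid_to_level(rid):
    """Map a mandatory-label RID to its name; in-between RIDs (e.g. Medium+) round down."""
    return LEVELS[max((k for k in LEVELS if k <= rid), default=0)]

def integrity_level_of_pid(pid):
    """Return the integrity level name of process `pid`, or None when not on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes.wintypes as wt
    k32, adv = ctypes.windll.kernel32, ctypes.windll.advapi32
    # Declare signatures so handles and pointers are not truncated to int on 64-bit Windows.
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = wt.HANDLE, [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    adv.OpenProcessToken.argtypes = [wt.HANDLE, wt.DWORD, ctypes.POINTER(wt.HANDLE)]
    adv.GetTokenInformation.argtypes = [wt.HANDLE, ctypes.c_int, ctypes.c_void_p, wt.DWORD, ctypes.POINTER(wt.DWORD)]
    adv.GetSidSubAuthorityCount.restype, adv.GetSidSubAuthorityCount.argtypes = ctypes.POINTER(ctypes.c_ubyte), [ctypes.c_void_p]
    adv.GetSidSubAuthority.restype, adv.GetSidSubAuthority.argtypes = ctypes.POINTER(wt.DWORD), [ctypes.c_void_p, wt.DWORD]
    PROCESS_QUERY_LIMITED_INFORMATION, TOKEN_QUERY, TOKEN_INTEGRITY_LEVEL = 0x1000, 0x0008, 25
    hproc = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not hproc:
        raise ctypes.WinError()
    htok = wt.HANDLE()
    try:
        if not adv.OpenProcessToken(hproc, TOKEN_QUERY, ctypes.byref(htok)):
            raise ctypes.WinError()
        size = wt.DWORD(0)
        adv.GetTokenInformation(htok, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(size))  # sizing call
        buf = ctypes.create_string_buffer(size.value)
        if not adv.GetTokenInformation(htok, TOKEN_INTEGRITY_LEVEL, buf, size.value, ctypes.byref(size)):
            raise ctypes.WinError()
        # TOKEN_MANDATORY_LABEL starts with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes }: read the PSID.
        psid = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]
        count = adv.GetSidSubAuthorityCount(psid)[0]
        rid = adv.GetSidSubAuthority(psid, count - 1)[0]
    finally:
        if htok.value:
            k32.CloseHandle(htok)
        k32.CloseHandle(hproc)
    return rid_to_level(rid)

def current_process_level():
    """Integrity level of this Python process itself (None off Windows)."""
    return integrity_level_of_pid(os.getpid())
```

A sandboxed process should report "Untrusted" and the Sandboxie control program "Medium"; opening a service running as System may require an elevated caller.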
I think I may have misunderstood you, but are you saying that you run SBIE in XP-mode on Win 7? Why would you do that?
And BTW, I spoke too soon, sometimes I get some weird problems on XP, I'm not sure if this is caused by SSM, but after cleaning the sandbox the problems seem to disappear. Also, I've noticed something strange, when running the Zemana Key-Logger Simulation tool, SSM can only stop "low level keyboard access" when both the logger and the app (that is being key-logged) are sandboxed. If only the logger is sandboxed it can capture keys from apps outside the sandbox, a bit weird.
The way that I see it is that SBIE is not designed to block exploits. So he probably means that if some sandboxed process is exploited by malware, it should be able to contain the malware. But it does not stop the exploit (memory corruption) itself.
The reason I don't run Chrome under Sandboxie is compatibility, convenience, and usability. Why worry about some obscure threat the SBIE may protect against when the browser isn't compatible with other security programs that are more specialized and less redundant, convenient when updating extensions and whatever changes to your profile/settings/data, and usable to the degree of native performance and accessible by your other programs + files?
What do you use a computer for, to build a Fort Knox?
Hi Rasheed, perhaps there is a conflict between SSM and SBIE. I don't know. But I can tell you, I ran the tool in a sandbox, the tool doesn't log key strokes on files that I have specifically blocked in Sandbox settings or files that are inside folders that I block sandboxed programs from having access to.
About XP and Sandboxie. I run a lot more programs under SBIE in XP than in W7 and use twice the amount of sandboxes in XP than I do in W7. All my programs run well in XP using the latest beta version 4. In detail, I can tell you that Flash in Firefox worked better for me in version 3 than it does in version 4 but I work around my issue by disabling plugin container. This is something I did not have to do in version 3. To me, disabling plugin container is not a big deal since I never watch any Flash content outside the sandbox.
Another minor quirk in XP and version 4 for me is that I have to untick Drop rights in my Word sandbox or in any sandbox where I run Word files, otherwise, opening and closing Word files is not done immediately. Again, something that I did not have to do under version 3. Last, I use a very old KMPlayer version; under version 4, I Hide a SBIE message that doesn't really mean anything. After hiding the message, videos play well. In version 3, I did not have to do that.
For all that I do under SBIE, which is running any file or program that runs in my computers, my personal issues that I described above are nothing. Other than that, the rest works great. I don't get errors or unexpected messages or any headaches due to using SBIE version 4 in my XP.
Sure, it does not block them, but if they are contained inside SBIE then all that memory corruption is under SBIE4's supervision, and there is not a single harm on the real Windows system, and I'm not talking about just malware, but also memory corruption: the real system memory is untouched, that's the point of containing something, that's a key difference.