Sandboxie again....and won't stop grc leaktest

Discussion in 'other anti-malware software' started by Chuck57, Nov 22, 2006.

Thread Status:
Not open for further replies.
  1. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I tried Sandboxie with the GRC LeakTest 1.2 last night. Downloaded it, ran it in the Sandboxie folder, and it showed responding to grc.com. At that time, I had only Windows Firewall, so no outbound protection.

    My understanding was that Sandboxie stopped all that stuff, or did I misunderstand?

    I installed my old version of ZA 6.1.xxx and ran it again. ZA caught the test and stopped it.

    So, is Sandboxie at fault, or should I not worry that this one particular program got out? This stuff is all new to me, and I'm not criticizing Sandboxie. It's a great little program.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Sandboxie does nothing to stop network connections, and it's not meant to.
     
  3. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Thanks much for that info. I figured it was a minor detail I'd overlooked in reading about this sandboxing stuff.
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,183
    Sandboxie only isolates malware.

    Leaktest.exe is just a normal program exe file.
    Running SSM, it would be recognized as a new application (if not in learning mode) and the user gets asked what to do.
    If allowed, the program acts just like other normal outbound connection applications, so if a firewall protects outbound, the user gets asked again.

    Sandboxie rather protects your real system from getting infected and does not restrict what malware does in a sandbox (sure, it can connect to the internet too :p ). Leaktest.exe is, though, also run in Sandboxie when executed, so it can only read your real system, if even that.
     
    Last edited: Nov 22, 2006
  5. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I'm using CyberHawk. Have SSM but wanted to try CyberHawk. It did nothing in the way of warning me, but it's not exactly the same as SSM, which I think I'll return to today.
     
  6. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    Hello Chuck57

    If you want to take full advantage of Sandboxie, here's what you do...

    Let's say you want to do online banking or shopping: first you start off with a clean sandbox. After you're done, do a simple clear sandbox. Now let's say you want to mess around with some porn or check the underworld out: you have a clean sandbox, visit your underworld sites and clear the sandbox when you are done. For best protection you can clear the sandbox between site visits :)

    Clearing the sandbox is fast and simple; things can't leak when they aren't there. :)
     
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,183
    Leaktest.exe is a normal program; it is not malware.
    It should not be detected by Cyberhawk, and SSM also treats it as any other normal program.

    I don't run SSM real time normally. But it is useful when installing new software or trying to "monitor system" behaviour when in a paranoid or suspicious mood.
     
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    LeakTest is meant to test outbound filtering, so you would need a firewall or HIPS with outbound network control (like SSM or AppDefend).
     
  9. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I've got a lot to learn. This is a whole new area of security for me. Time to start reading and playing with software in this area.
     
  10. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,183
    Quite new to me too. ;)
    I don't much care about the diagrams that are currently discussed in some other thread. I take rather a pragmatic viewpoint.

    To me, I am safe from programs infecting/corrupting my system when running them in Sandboxie.
    With SSM I can control what processes/programs I allow to run. It does not protect me from infections in the same way. That is the antivirus's etc. department.
    I can just block realsched.exe from launching realplay.exe, so it does not have to be about malware.
    Cyberhawk smells "bad behaviour" from programs and has some community list knowledge features too.
    Though it often reports my Skype.exe for trojan-like behaviour when starting it too :D

    I see a theoretical possibility of a conflict if running SSM and CH at the same time. Who knows these days what security programs will conflict with each other etc. Sure am glad to be running a very well functioning simple packet filter like Kerio 2.1.5.
    Common sense is more important than diagrams, lol:
    https://www.wilderssecurity.com/showthread.php?t=155098
     
    Last edited: Nov 22, 2006
  11. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Sandboxie prevents the sandboxed programs from changing your "actual system", but not from reading files or making outbound connections.
    For example, you can send the EICAR test file to VirusTotal through a sandboxed browser.
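    The two points made in posts 8 and 11 (Sandboxie isolates writes to the real system; outbound network control is a separate job for a firewall or HIPS) can be illustrated with a per-program outbound rule in Windows Defender Firewall. This is an added example, not something posted in the thread or shipped by Sandboxie, and it assumes a modern Windows with the NetSecurity module (Windows 8 / Server 2012 or later, so not the 2006-era tools the posters used) and an elevated PowerShell session. The program path and rule name are placeholders chosen for the example.

```powershell
# Added example: outbound control for a single program via Windows Defender Firewall.
# Assumes an elevated session on Windows 8 / Server 2012 or later (NetSecurity module).
$program  = 'C:\Tools\leaktest.exe'              # placeholder path, not from the thread
$ruleName = 'Block outbound - leaktest (example)'  # placeholder rule name

# Create the block rule only if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Program $program -Action Block -Profile Any | Out-Null
}

# Verify the rule landed and is enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# Stricter variant (commented out so it is a deliberate choice): make Block the
# default for all outbound traffic on every profile, then allow only the programs
# you need. That is the "ask before it talks" model the thread attributes to SSM/ZA.
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
# New-NetFirewallRule -DisplayName 'Allow browser outbound (example)' -Direction Outbound `
#     -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' -Action Allow

# Show the current default outbound action per profile so the posture is visible.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

    Program-based rules match on the executable's path as Windows sees the running process, so `$program` has to be the path the program is actually launched from; a copy that only exists inside the sandbox folder needs a rule pointing at that copy. The sandbox still does its own job (no changes reach the real file system or registry); the firewall rule is what decides whether the process may reach the network.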
     
  12. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Kind of off topic but regarding sandboxing, what about DefenseWall? I tried it a while back, briefly, and was completely lost. I spent more time trying to figure out the help files than actually using the program. According to the tests in another thread, it might be the best of the bunch - if it can be figured out.
     
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Here's a quote from an old DefenseWall thread:
    basically you just place browsers, email, p2p and other internet-related programs into the untrusted list and you're all set.
     