Sandboxie and Full Virtualisation?

Discussion in 'sandboxing & virtualization' started by Someone, Jul 4, 2008.

Thread Status:
Not open for further replies.
  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    In terms of security, does a full virtualisation program like VMWare provide better security than an application sandbox like Sandboxie?

    Because I just started using Browser Appliance in VMWare and have used Sandboxie for a while.

    Thanks
     
  2. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    In terms of security, it is a definite improvement in terms of security. Light virtualization programs probably won't cover all the bases while full virtualization will (assuming there are no crazy vulnerabilities in the VM software).
     
  3. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Thanks. But how does it provide better security? Won't I achieve the same level if I just do not allow anything onto my real computer?

    Thanks
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    In all honesty, unless you really go looking for bad trouble, Sandboxie can probably provide the protection you need. There are some excellent ideas on configuring it there. There are folks there who have thrown some of the worst stuff they can find at Sandboxie and it holds up.

    True, a VM machine will provide another excellent layer if you are doing high risk stuff. When I play with nasty stuff, I do it on a VM machine. I also place my desktop in shadow mode with ShadowDefender just in case.

    Pete
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    When you are using light virtualization, everything is still executing natively on your computer. Sandboxie just intercepts disk and registry access and saves it as part of the sandbox. However, it is conceivable that there might be something that Sandboxie may allow that it shouldn't have.

    With full virtualization, there is a much more robust containment.

    Agreed. However, were there not a few that did pass through?
     
  6. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    So would I gain any additional security if I browse the web (not looking for malware or anything) if I use VMWare instead of Sandboxie?

    Thanks
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If using a virtual machine it's sorta like using Returnil on the real system which can still be infected requiring a reboot to be rid of any infections.

    Running your browser through Sandboxie contains any and all browsing data to the sandbox and only requires a deletion of the sandbox contents to be rid of anything.

    Some user initiated and obscure methods have bypassed Sandboxie in the past but they are patched asap by Tzuk.

    Sandboxie and Returnil combo is my setup on my XP/Vista installs.

    Sometimes I do browse using a VM but they have Sandboxie and Returnil installed as well.:D
     
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yes you do. Think about 'additional security' as the percentage of malware that would not have been stopped by Sandboxie but would have been stopped by a VM. This is a very small percentage.
     
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I'm not sure how good a comparison a VM and Returnil is.

    Depends on how you set the VM. You can configure it to remove all changes after every reboot or you can save the data even after reboots.

    Also have a look at https://www.wilderssecurity.com/showthread.php?t=212092
    I think that cs.exe would have bypassed RVS2008 when it would not have bypassed a VM.
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Run VMware in a setup with LUA... same with Sandboxie... so even if in the rarest of cases something does jump out of the box, it still has no access to your system.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    To me it's very simple: Sandboxie is security and full virtualisation is recovery and certainly not security. I never confused security with recovery. I combine both. Don't need VM either, I don't test software from an unknown source.
     
    Last edited: Jul 4, 2008
  12. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Why are you always pointing out the differences? To me, security is the all-inclusive practice of preventing mishaps from whatever source, so recovery is also included. They're just words; it's needless to make a distinction.
     
  13. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Look, this is just downright confusing if someone is trying to understand how light and full virtualization are different. OP is obviously in that scenario.

    Full virtualization has many applications and 1 of them is security. If you are trying to compare the level of security between full and light virtualization, look at my previous post.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you don't see it that way, that's OK with me, I'm just telling my opinion. I always separate things from one another, if they are not the same. If you consider it as the same, there is no difference and then you can ignore my opinion.
    Opinions are like butts, everybody has one. :)
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Actually VM machines are indeed full virtualization and not really recovery at all.

    There is, though, one huge difference. Take any of the malware that destroys the MBR/partition table. Sandboxie (and other programs) do indeed protect against the malware. But in the VM machine, I can let the malware do its thing and watch what happens. And if the malware trashes the disk, no big deal. Just revert to the previous snapshot and everything is back. None of the ISR software can match that.
     
  16. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    I've used VMWare Server running XP in Linux so I'm not new to this. My thoughts are if you get infected while running in VMWare the infection is still going to be in your virtualized OS once you boot back into it. Sure, your host operating system is clean but the virtualized one isn't. How do you all deal with that? Sandboxie? An antivirus? You go to all that trouble to install a second OS and you still got to deal with an infection. Just curious...

    Later....

    Yes, you can delete the virtualized OS and problem solved but then you're facing another install. I fail to see the benefit.
     
  17. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    OK, I think I get it. So full virtualisation (VMWare, VirtualBox, etc) has better security than light virtualisation (Sandboxie, Returnil, etc).

    But in most cases if you're not specifically testing malware light virtualisation is adequate.

    Is that right?

    Thanks
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Farmerlee has the approach where he installs the security software inside the VM. If you only use the VM to browse and email, the slowdowns associated with security software are only relevant to the browser and email client and neither of these are intensive applications.

    Alternatively, you can install an operating system like Linux that isn't targeted by malware writers.

    In either case, an infection in a VM is much easier to deal with than one on your actual computer. You can use snapshots to do a restore, you can mount the image to do a flat file scan, etc.

    Sure you can have an opinion but it isn't relevant in this thread. The comparison by the OP is obviously between light and full virtualization as an extra layer of security to isolate attack vectors like the browser and email client. Let us try to focus on this issue rather than boot to restore.

    Yes that is my view. The additional risk minimization from using a VM is quite low. On my computer (low end laptop) the performance trade off is not worth it. If you have a 10k gaming rig, then performance is not an issue and you may well consider using a VM. It depends on your situation.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    When making virtual machine state changes that I want to keep, I avoid doing anything dangerous. Then I shut down the virtual operating system and take a snapshot. During all other times, when I am done with a session, I revert back to the previous snapshot.
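
The snapshot routine described in the post above, sketched as an added example that is not part of the original thread. It drives VMware's `vmrun` command-line tool; the `.vmx` path and the snapshot name are hypothetical placeholders, and `DRY_RUN=1` (the default) only prints the commands.

```shell
#!/bin/sh
# Added example: snapshot discipline for a browsing VM via VMware's vmrun CLI.
VMX="${VMX:-$HOME/vmware/browser/browser.vmx}"  # hypothetical path to the VM
SNAP="${SNAP:-clean-baseline}"                  # hypothetical snapshot name
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, do not run

# Ordered steps per session type.
#   disposable: normal browsing; everything since the baseline is discarded.
#   keep: trusted maintenance only; starts from the baseline, then re-baselines.
session_plan() {
  case "$1" in
    disposable) echo "revert start wait stop-hard revert" ;;
    keep)       echo "revert start wait stop-soft drop-old snapshot" ;;
    *)          return 2 ;;
  esac
}

# Map one step to its vmrun invocation (or to the interactive pause).
run_step() {
  case "$1" in
    revert)    set -- vmrun revertToSnapshot "$VMX" "$SNAP" ;;
    start)     set -- vmrun start "$VMX" ;;
    stop-soft) set -- vmrun stop "$VMX" soft ;;   # clean guest shutdown
    stop-hard) set -- vmrun stop "$VMX" hard ;;   # do not rely on the guest
    drop-old)  set -- vmrun deleteSnapshot "$VMX" "$SNAP" ;;  # keeps name unique
    snapshot)  set -- vmrun snapshot "$VMX" "$SNAP" ;;
    wait)      [ "$DRY_RUN" = 1 ] || { printf 'Press Enter when done: '; read -r reply; }
               return 0 ;;
    *)         return 2 ;;
  esac
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Run a whole session; stop at the first failing step so a failed revert
# never leads to browsing on (or snapshotting) an unknown state.
run_session() {
  plan=$(session_plan "$1") || { echo "usage: $0 disposable|keep" >&2; return 2; }
  for step in $plan; do
    run_step "$step" || return 1
  done
}

if [ $# -gt 0 ]; then run_session "$1"; fi
```

Both session types begin with a revert, so a "keep" session never bakes leftovers from an earlier risky session into the new baseline.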
     
  20. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    OK. Thanks! My laptop is not that good either so I think I'll just stick with Sandboxie.
     
  21. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    With MS Virtual PC I do a base install of XP and Vista then copy and paste the VHDs as needed to their own folders and assign a new VM.

    Saves a reinstall and you can copy and paste forever.

    I even have a VHD/VM that I copied and pasted to a USB stick and it runs fine on any machine that has MS Virtual PC installed.

    These VMs are stored on another partition as I prefer C drive as slim as possible.
     
    Last edited: Jul 4, 2008
  22. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Yes, that's a pretty good combo. Virtualization software is a must these days.
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    This question is specifically constrained to security while browsing the web. In such a scenario, both SBIE and VM can conceivably allow a keylogger to grab and compromise private information.

    To me, a keylogger (with ensuing loss of private information) is a VERY nasty sort of threat.

    I use SBIE configured such that ONLY Firefox can access the internet. Thus, I feel well protected from keyloggers -- unless something manages to hijack Firefox itself.

    If and only if a VM is configured to protect against keyloggers, then I agree with those who have said a VM is (at least theoretically) more secure than SBIE. Otherwise, I do not agree.

    Yet another *super safe* option would be to run something like Deepfreeze or Shadowuser, and (in that mode) use SBIE to surf the web. I am not yet paranoid to the degree needed for me to do that, but it's something for OP to consider -- wot?
     
  24. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Well I don't think it's really necessary for me to use so many programs to only fractionally increase the security when Sandboxie will suffice in most cases.

    Thanks
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Well, the next best thing is going to be OS virtualization. MS has already launched Hyper-V for Win 2008 Server, and they might make it compatible with Vista. In theory this would be a killer tool: imagine having, let's say, 10 virtual instances of the Win OS all running at full speed. If you're not sure about some app or game, or if you fear a drive-by attack, just use one of the virtual OSes.

    But I'm not really sure what's possible with such a virtualized partition. I suppose you can still install your security tools on it and I hope there is no need to boot the virtual OS? That would be a serious drawback of course. The Solaris OS is already offering such features btw:

    http://www.sun.com/software/solaris/virtualization.jsp
     