Sandboxie fan may need alternative solution

I find myself suddenly faced with the possibility that I may not be able to iron out an issue I am having with Sandboxie and Chrome in 64-bit Win7.

Assuming that I opt to keep Chrome (because for one thing, it has its own sandbox), what would be some good, solid alternatives to Sandboxie? They don't necessarily have to be in the same class as far as type of protection. In other words, I am asking for recommendations from members whether the program is a sandbox, policy restriction or whatever.

I know we all have varied opinions on what works, but we all seem to agree that layers are the code of the road. So that's the kind of input I need. Please take a look at what I am running and tell me what you think I could add/subtract to keep me in the same secure league as when I am running Sandboxie.

Right now I have:

NAT Router
Sandboxie
Online Armor Free
VIPRE AV
MBAM Pro
Norton DNS
Chrome
KeePass
and HitmanPro on demand.

What would tighten this up for me, if I could no longer run Sandboxie?

 

No EMET no the list is a biggie for me.

 

You're right.
I had problems with EMET on XP, and I guess I forgot about it when I recently (finally) bought a 7 machine.

 

I had to find an alternative to Sandboxie because it doesn't run well on my system. A major plus point of Sandboxie is that it combines virtualization and policy restriction. In order to achieve a similar level of protection, you could consider combining light virtualization with either an anti-executable or policy restriction program.

A combination of LV and AE/PR would give you a similar level protection to Sandboxie, but on a system-wide basis rather than a per-application basis.

Some options to consider (listed in no particular order): -

LV: Returnil Virtual System, Faronics Deep Freeze, Shadow Defender, Toolwiz Time Freeze.
AE: Returnil Virtual System, Faronics Anti-Executable, NoVirusThanks EXE Radar Pro.
PR: DefenseWall (32-bit), AppGuard (32/64 bit).

Kind regards

 

Hi pegr

That's exactly the kind of reply I was hoping for... plenty of food for thought. Thank you.

But, when it rains it pours. I was right in the middle of addressing this SBIE/Chrome issue when all of a sudden my Outlook email folder won't open and errors have been detected. This is all too much fun.

Edit in: Ha ha! I ran the Outlook Inbox Repair Tool and got that problem squared away! Now back to finding a Sandboxie alternative.

 

I think you could try SysWatch - it has

http://www.safensoft.com/security.phtml?c=698
If no - you can leave sandbox and try RunSafer mode in OA

http://www.emsisoft.com/en/info/oa/KF-RunSafer.shtml
Of course all LV apps mentioned earlier by Pegr...I think AE apps are not needed - OA has fine strong own HIPS.

 

Hi ichito,

I actually forgot about RunSafer! That's amazing, because I have been a proponent of it, yet I got away from it because I've been using Sandboxie's Drop Rights. But you are correct, and I appreciate the input.

 

I agree with ichito, Run Safer is a good alternative and you already have OA installed.

One thing, though. If the problem is a conflict between SBIE and Chrome why not ditch Chrome? No browser is worth Sandboxie.

 

Hi Montmorency
You make a very good point about Sandboxie's worth, and I do not disagree with you.
I am at the moment fortunate enough to have been handed the solution to my SBIE/Chrome problem... Scoobs72 figured it out for me!
Thanks for posting.

 

Considering the issue happens in the Windows 7 x64, why don't you make use of WMIC (Windows Mandatory Integrity Control), a.k.a Integrity Levels?

All you have to do to make Chrome's sandbox even stronger, is to apply a low integrity level to both chrome.exe and the profile folder. This way, Chrome's broker/parent/main process runs with a low integrity level, and the children/spawned/renderer processes run with an untrusted integrity level.

No conflict issues, at all. If you also add EMET into the equation...

-edit-

You could even see if running Chrome (with low integrity level) with RunSafer mode works properly. If it does... why not? Because, disabling your firewall isn't the solution, right?

 

I have disabled OA but am still running Windows firewall... and I may install Privatefirewall later today.

 

Yes, I did think about Windows firewall, but my thought was that if you were using OA (and you've been using for a long time now, since Windows XP), it's because you like what the firewall offers you.

I also know you like what Sandboxie offers you, which is why I suggested you could try a different approach with Google Chrome - WMIC + EMET, and perhaps RunSafer. So, you'd still keep OA. And, you'd use Sandoxie for whatever works as well.

And, hopefully sooner than later the conflict would be worked out.

 

You are correct, I have been a steadfast proponent of OA for a long time.
But I think I have reached the end of the line with that software, m00n.
I have also used Privatefirewall. My only complaint about that was that it didn't run well on my XP box with 1GB RAM. The 4GB RAM XP box handles Privatefirewall successfully, as I anticipate the 8GB Win7 box will too.

Anyway, regarding your ideas and suggestions for a "different approach with Google Chrome - WMIC + EMET, and perhaps RunSafer"... are you saying that applying a low integrity level to both chrome.exe and the profile folder would be a way for me to run Sandboxie/Chrome without the conflict I just bumped into? Because when I get done shuffling the cards, I prefer to see SBIE and Chrome still on top.

 

I use SBIE on w7 ult x64 with chrome and chromium (as well as other browsers). I have seen a few "hiccups" where I had to reboot, but have not done anything but install it and configure my settings. Works very well.

Hopefully it is a clash with the OA. Now you just have to decide what to do.

Maybe you should think about whether you need a firewall since you can use SBIE to also control network connections within the sandbox?

Sul.

 

m00ns suggestion of running Chrome at LowIL isn't a bad idea. It will probably break silverlight (netflix) and Java but otherwise you can save yourself from a potential sandbox exploit that allows control of the broker process.

You'd have to set your downloads folder to low integrity too.

 

First I'd have to elevate my security game to a previously unattained level.
Or to put it another way, there's a big learning curve up ahead for me in what you just said.

See above response to Sul.

 

Sadly, one cannot control certain connections with Sandboxie. I understand it's a no-brainer for you, considering you run as admin. But, those running either as Protected Admin or Standard User, and of course UAC enabled, may not want UAC's binded process consent.exe to connect out whenever they get a prompt for something.

So, if Page42/others are like me , they will want to prevent consent.exe from connecting out. This is just an example, of course.

Sadly, consent.exe isn't something to force to run in a sandbox...

 

I think that Silverlight would break... I did test it in the past. But, I'm not sure if most recent versions of Silverlight would allow it to work just fine.

Regarding Java, user MrBrian tested it in the past, and it worked... exception in one situation. Don't recall which. If someone searches the forum, they'll find the answer, though.

 

Page, if for me, a dummy user, learning how to use SBIE to block programs connecting out was easy, I am sure it will be easier for you. Let me give you an example. Today I installed Libreoffice on my new W7 laptop. After I noticed that its always connecting out, I restricted its sandbox forbidding any program to connect.

I don't know much about firewall but when I see peoples screens of what they block using their firewall, the programs are usually the same programs that I have forbid to connect in the sandbox.

Bo

 

→ Bo knows ←
Thanks for the input, man.
At this time I am grateful that I can run SBIE and Chrome together.
That wasn't the case for me when I began this thread.