Sandboxie fan may need alternative solution

Discussion in 'sandboxing & virtualization' started by Page42, Aug 2, 2012.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I find myself suddenly faced with the possibility that I may not be able to iron out an issue I am having with Sandboxie and Chrome in 64-bit Win7.

    Assuming that I opt to keep Chrome (because for one thing, it has its own sandbox), what would be some good, solid alternatives to Sandboxie? They don't necessarily have to be in the same class as far as type of protection. In other words, I am asking for recommendations from members whether the program is a sandbox, policy restriction or whatever.

    I know we all have varied opinions on what works, but we all seem to agree that layers are the code of the road. So that's the kind of input I need. Please take a look at what I am running and tell me what you think I could add/subtract to keep me in the same secure league as when I am running Sandboxie.

    Right now I have:

    NAT Router
    Sandboxie
    Online Armor Free
    VIPRE AV
    MBAM Pro
    Norton DNS
    Chrome
    KeePass
    and HitmanPro on demand.

    What would tighten this up for me, if I could no longer run Sandboxie?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No EMET on the list is a biggie for me.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    You're right.
    I had problems with EMET on XP, and I guess I forgot about it when I recently (finally) bought a 7 machine.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I had to find an alternative to Sandboxie because it doesn't run well on my system. A major plus point of Sandboxie is that it combines virtualization and policy restriction. In order to achieve a similar level of protection, you could consider combining light virtualization with either an anti-executable or policy restriction program.

    A combination of LV and AE/PR would give you a similar level of protection to Sandboxie, but on a system-wide basis rather than a per-application basis.

    Some options to consider (listed in no particular order): -

    LV: Returnil Virtual System, Faronics Deep Freeze, Shadow Defender, Toolwiz Time Freeze.
    AE: Returnil Virtual System, Faronics Anti-Executable, NoVirusThanks EXE Radar Pro.
    PR: DefenseWall (32-bit), AppGuard (32/64 bit).

    Kind regards
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Hi pegr

    That's exactly the kind of reply I was hoping for... plenty of food for thought. Thank you.

    But, when it rains it pours. I was right in the middle of addressing this SBIE/Chrome issue when all of a sudden my Outlook email folder won't open and errors have been detected. This is all too much fun. :)

    Edit in: Ha ha! I ran the Outlook Inbox Repair Tool and got that problem squared away! Now back to finding a Sandboxie alternative. ;)
     
    Last edited: Aug 2, 2012
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    I think you could try SysWatch - it has
    http://www.safensoft.com/security.phtml?c=698
    If no - you can leave sandbox and try RunSafer mode in OA
    http://www.emsisoft.com/en/info/oa/KF-RunSafer.shtml
    Of course all LV apps mentioned earlier by Pegr...I think AE apps are not needed - OA has fine strong own HIPS.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Hi ichito,

    I actually forgot about RunSafer! That's amazing, because I have been a proponent of it, yet I got away from it because I've been using Sandboxie's Drop Rights. But you are correct, and I appreciate the input. :thumb:
     
  8. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    I agree with ichito, Run Safer is a good alternative and you already have OA installed.

    One thing, though. If the problem is a conflict between SBIE and Chrome why not ditch Chrome? No browser is worth Sandboxie.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Hi Montmorency
    You make a very good point about Sandboxie's worth, and I do not disagree with you.
    I am at the moment fortunate enough to have been handed the solution to my SBIE/Chrome problem... Scoobs72 figured it out for me!
    Thanks for posting. :)
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Considering the issue happens in the Windows 7 x64, why don't you make use of WMIC (Windows Mandatory Integrity Control), a.k.a Integrity Levels?

    All you have to do to make Chrome's sandbox even stronger, is to apply a low integrity level to both chrome.exe and the profile folder. This way, Chrome's broker/parent/main process runs with a low integrity level, and the children/spawned/renderer processes run with an untrusted integrity level.

    No conflict issues, at all. If you also add EMET into the equation... ;)

    -edit-

    You could even see if running Chrome (with low integrity level) with RunSafer mode works properly. If it does... why not? Because, disabling your firewall isn't the solution, right? :D
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I have disabled OA but am still running Windows firewall... and I may install Privatefirewall later today.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I did think about Windows firewall, but my thought was that if you were using OA (and you've been using for a long time now, since Windows XP), it's because you like what the firewall offers you.

    I also know you like what Sandboxie offers you, which is why I suggested you could try a different approach with Google Chrome - WMIC + EMET, and perhaps RunSafer. So, you'd still keep OA. :) And, you'd use Sandboxie for whatever works as well.

    And, hopefully sooner than later the conflict would be worked out. :argh:
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    You are correct, I have been a steadfast proponent of OA for a long time.
    But I think I have reached the end of the line with that software, m00n.
    I have also used Privatefirewall. My only complaint about that was that it didn't run well on my XP box with 1GB RAM. The 4GB RAM XP box handles Privatefirewall successfully, as I anticipate the 8GB Win7 box will too.

    Anyway, regarding your ideas and suggestions for a "different approach with Google Chrome - WMIC + EMET, and perhaps RunSafer"... are you saying that applying a low integrity level to both chrome.exe and the profile folder would be a way for me to run Sandboxie/Chrome without the conflict I just bumped into? Because when I get done shuffling the cards, I prefer to see SBIE and Chrome still on top.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I use SBIE on w7 ult x64 with chrome and chromium (as well as other browsers). I have seen a few "hiccups" where I had to reboot, but have not done anything but install it and configure my settings. Works very well.

    Hopefully it is a clash with the OA. Now you just have to decide what to do.

    Maybe you should think about whether you need a firewall since you can use SBIE to also control network connections within the sandbox?

    Sul.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    m00n's suggestion of running Chrome at LowIL isn't a bad idea. It will probably break Silverlight (Netflix) and Java, but otherwise you can save yourself from a potential sandbox exploit that allows control of the broker process.

    You'd have to set your downloads folder to low integrity too.
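
The low-integrity labelling discussed in posts 10 and 15, as an added example that is not part of the thread: it labels chrome.exe, the profile folder and the downloads folder Low with `icacls /setintegritylevel`, then reads the labels back. The three paths are assumptions (a per-user Chrome install on Windows 7), and the verification string assumes an English-language Windows.

```powershell
# Added example. Paths are assumptions: per-user Chrome install, default Downloads folder.
$chromeExe  = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
$profileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
$downloads  = Join-Path $env:USERPROFILE  'Downloads'

function Set-LowIntegrity {
    param([string]$Path, [switch]$Recurse)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    if ($Recurse) {
        # (OI)(CI): files and subfolders created later inherit the Low label.
        # /T relabels what is already there, /C keeps going past locked files.
        & icacls.exe $Path /setintegritylevel '(OI)(CI)L' /T /C | Out-Null
    } else {
        # Single file: a process started from a Low-labelled image gets a Low token.
        & icacls.exe $Path /setintegritylevel L | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Test-LowIntegrity {
    param([string]$Path)
    # An explicit label shows up as "Mandatory Label\Low Mandatory Level:(...)".
    # Objects without an explicit label (implicit Medium) print no label line.
    $out = & icacls.exe $Path
    [bool]($out -match 'Mandatory Label\\Low Mandatory Level')
}

# The executable, so the broker process starts at Low.
Set-LowIntegrity -Path $chromeExe
# The profile, so a Low broker can still write its own settings and cache.
Set-LowIntegrity -Path $profileDir -Recurse
# The downloads folder, so a Low Chrome can still save files (post 15).
Set-LowIntegrity -Path $downloads -Recurse

foreach ($p in $chromeExe, $profileDir, $downloads) {
    $state = 'NOT labelled Low'
    if (Test-LowIntegrity -Path $p) { $state = 'Low' }
    '{0,-18} {1}' -f $state, $p
}
```

A Chrome update that replaces chrome.exe writes a new file without the label, so the check at the end is worth re-running after updates.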
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    First I'd have to elevate my security game to a previously unattained level.
    Or to put it another way, there's a big learning curve up ahead for me in what you just said.
    See above response to Sul. :doubt:
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sadly, one cannot control certain connections with Sandboxie. I understand it's a no-brainer for you, considering you run as admin. But, those running either as Protected Admin or Standard User, and of course UAC enabled, may not want UAC's binded process consent.exe to connect out whenever they get a prompt for something.

    So, if Page42/others are like me :argh: , they will want to prevent consent.exe from connecting out. This is just an example, of course.

    Sadly, consent.exe isn't something to force to run in a sandbox... :D
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think that Silverlight would break... I did test it in the past. But, I'm not sure if most recent versions of Silverlight would allow it to work just fine.

    Regarding Java, user MrBrian tested it in the past, and it worked... except in one situation. Don't recall which. If someone searches the forum, they'll find the answer, though.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Page, if for me, a dummy user, learning how to use SBIE to block programs connecting out was easy, I am sure it will be easier for you. Let me give you an example. Today I installed LibreOffice on my new W7 laptop. After I noticed that it's always connecting out, I restricted its sandbox, forbidding any program to connect.

    I don't know much about firewalls, but when I see people's screens of what they block using their firewall, the programs are usually the same programs that I have forbidden to connect in the sandbox.

    Bo
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    → Bo knows ←
    Thanks for the input, man.
    At this time I am grateful that I can run SBIE and Chrome together.
    That wasn't the case for me when I began this thread.
    ;)
     