Sandboxie - How safe do you think it is?

Discussion in 'other security issues & news' started by m00nbl00d, Jun 29, 2009.

Thread Status:
Not open for further replies.
  1. Rmus (Exploit Analyst)
    I've decided to evaluate Sandboxie. I'll return in 1-1/2 hours with some questions for the experts, especially about how safe you think it is.

    By the way, in answer to a question earlier about ActiveX keyloggers, I mentioned that the current DirectShow exploit does in fact install a keylogger.

    Is it correct to assume that users of Firefox and Opera are not vulnerable to this exploit?

    ----
    rich
     
  2. Rmus (Exploit Analyst)
    Well, a bit late, but it took me longer than I thought to test.

    My main interest in Sandboxie is how it deals with drive-by downloads. From tests I've asked Peter2150 to run, I was sure that Sandboxie handled this type of exploit well.

    But I wanted to see for myself how it dealt with the current DirectShow exploit which uses an ActiveX CLSID to trigger the download of a keylogger.

    ActiveX implies Internet Explorer, so presumably Firefox and Opera users are immune, correct?

    Not in this case. If you look at the code sample I provided in a previous post, you see that an IExplore.exe process is launched to call out to the server to download the malicious keylogger.

    The question I had was, would launching IExplore.exe (not sandboxed) from within my default browser, Opera (sandboxed), result in IExplore.exe being sandboxed or not?

    [screenshot: control.gif]

    The answer is yes. In running a remote code execution test in Opera, where the code launches IExplore.exe and triggers an IE exploit, you can see below that Opera, my default browser, is sandboxed; the instance of Internet Explorer, and the executable file, astro.exe, which is downloaded/run by remote code execution, are also sandboxed:

    [screenshot: astro-ie.gif]

    So, this seems to be definite proof that Sandboxie does indeed protect against this type of exploit. Very impressive.

    You can also see that a person using Firefox or Opera without a sandbox could be vulnerable to this exploit, since launching IE will trigger the ActiveX part of the exploit.

    However, anyone with a product that has execution prevention would be protected:

    [screenshot: astro-AE.gif]

    Many ways to take care of these types of exploits.

    And kudos to Sandboxie.


    ----
    rich
     
  3. Peter2150 (Global Moderator)
    I don't remember if you can do it with the free version, but it would be interesting to repeat the test in a sandbox where Opera.exe was the only thing allowed to run.

    Pete
     
  4. innerpeace
    I used the free version of Sbie for a long time and yes, you have access to both Start/Run and Internet restrictions. In other words, if you limited Start/Run access to, let's say, IE, Firefox and Opera, then astro.exe would never be able to execute in the sandbox.

    Edit: To access the Start/Run restrictions, click Sandbox > DefaultBox > Sandbox Settings, expand Restrictions, click Start/Run Access, click Add by Name, type opera.exe, then click Apply and OK and close the window. Now opera.exe should be the only program able to run in the sandbox.

    Edit #2: Rich, glad to see you finally gave Sandboxie a chance. Keep up the great work!
     
    Last edited: Jul 10, 2009
  5. wat0114 (Guest)

    Just happened upon this thread a while ago and gave it a read. Interesting stuff here. Also, thanks for the test and results, Rich. BTW, Pete mentioned some time ago in another SB thread (maybe this one too, but I didn't see it) that it is also possible to check a download by running it sandboxed to see how it behaves. So this type of check, along with traditional AV scans, is also a nice way, though maybe not guaranteed, to see if a file is launching in a suspicious fashion without harming the real system. I employ this practice sometimes.
     
  6. wat0114 (Guest)

    Indeed, with a little bit of configuring in key areas, SB is a powerhouse. In fact, I run AV on only one of our 4 home PCs because, taking into consideration my family members' surfing habits, what has happened malware-related over the last six years (absolutely nothing) and the way the machines are set up, the probability of infection is extremely minimal, I can state with confidence.

    Recently, I have embarked upon a sort of “pilot project”, now in full swing, with one very old (PII) machine: a clean install of XP with only SP2 installed (absolutely no MS critical updates released subsequently to it), with custom-configured Sandboxie as the only installed security software, along with SRP (thanks to Wilders member tlu for the info), limited accounts, lots of disabled services (it has 19 running processes, including SB), and Windows Worms Doors Cleaner closing off vulnerable ports, behind a NAT router. I will let it run this way for six months or until it becomes infected, whichever comes first (the latter scenario I believe to be highly unlikely, but if it does get infected I’ll be honest and report it :) ), and report results in a new thread.

    Basically my agenda is to prove it is possible to run an old home PC with no critical patches released post-SP2, and only one security app (Sandboxie in this case), without it incurring malware, while getting the most out of its old and decrepit hardware.

    If this experiment fails, I will try the same with SP3. Anyways, more on this later.
     
  7. Keyboard_Commando
    The only limitation with the free version is the ability to create multiple sandboxes tailored for individual applications. Pretty much advanced user territory anyway, so well worth the small cost of a €22 lifetime license :thumb:

    Rarely do you get the configuration depth of a free application like Sandboxie's. Much credit to Tzuk.
     
  8. arran
    I sometimes wonder why people need Sandboxie when all you really need is a product such as a HIPS to prevent such things from executing and running. And then just delete the exe files and clean them out with CCleaner or whatever from your Internet temp folders; it's really quite simple.
     
    Last edited: Jul 12, 2009
  9. wat0114 (Guest)

    Having been a huge advocate of HIPS software, Sandboxie is just so easy to setup and use, and it's a great solution for those (most everyone) who would have difficulty answering HIPS prompts. With proper configuration of a few key areas such as forced programs, Internet restriction and even start/run access, SB can secure a machine like Fort Knox ;)
     
  10. arran
    An emotional response based on emotions with no technical backing.


    I'm sure this has already been said before,

    but you can't properly test programs unless they are properly installed.
    Secondly, when was the last time anyone downloaded a reputable program from a reputable source and got infected?

    Unless you are always allowing dodgy executables and malware to run for the sake of it, that's all Sandboxie is really good for.
     
  11. arran
    No, I'm not trying to bash it. All I'm saying is that if you only use Sandboxie to surf the dark side of the net, as Rmus has demonstrated, all you need is a product to prevent drive-by downloads from executing. You don't need to have Sandboxie installed for this.
     
  12. wat0114 (Guest)

    True, but then I guess you don't need a HIPS either ;) What it comes down to is there are so many different and unique solutions to secure a PC. Rmus provides excellent solutions that don't require additional software installed, while installed software such as HIPS, Sandboxie, personal firewalls and the traditional antivirus are solutions that, depending on a user's comfort level, are usually the preferred choices. There's always more than one way to skin a cat :)
     
  13. Doodler
    And that above explanation is exactly why I use Sandboxie. I tried HIPS and found it to be one big annoyance. Those more skilled than I may breeze through the HIPS prompts with ease. But I speculate the majority of the population would get very tired having to research those prompts in order to figure out how to respond. And one bad decision could result in a mess.

    I've been using SBIE for one and a half years now and am quite pleased.
     
  14. thathagat (Guest)

    Sandboxie with forced program start, auto-delete on close, drop my rights, and start/run/internet access restrictions set is as safe as any app could ever be... well, in my opinion at least ;)
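    The settings innerpeace walks through in the GUI (post 4) and the ones thathagat lists (post 14) all end up in Sandboxie.ini. The fragment below is an added example written for this page, not a config posted in the thread and not Sandboxie's own sample file. It assumes the browser is opera.exe and uses box names of my choosing; the ClosedIpcPath / ClosedFilePath lines are how I recall the Start/Run Access and Internet Access restriction pages being stored, so set them once through the GUI and compare against your own Sandboxie.ini before relying on them.

```ini
; Added example for this page (not from the thread, not Sandboxie's sample config).
; Assumptions: browser is opera.exe; box names are mine; the ClosedIpcPath and
; ClosedFilePath spellings are my recollection of how the GUI stores the
; Start/Run Access and Internet Access restrictions. Verify against your own
; Sandboxie.ini after setting them once through Sandbox Settings.

; --- Weak: a box with no restrictions. Opera runs sandboxed, but so does
; anything Opera spawns (iexplore.exe in Rmus's test, then astro.exe), and
; every sandboxed program may reach the network.
[DefaultBox]
Enabled=y

; --- Hardened: Opera is forced into the box, is the only program allowed
; to start inside it, and is the only one allowed to use the network.
[OperaBox]
Enabled=y

; Forced program: opera.exe always runs in this box, however it is launched.
ForceProcess=opera.exe

; Start/Run Access: deny every IPC path to all programs except opera.exe.
; The leading "!" means "applies to every program except the one named".
; A process that cannot open any IPC path never gets going, so iexplore.exe
; and astro.exe from Rmus's test would not run inside this box.
ClosedIpcPath=!opera.exe,*

; Internet Access: only opera.exe may open the network devices.
ClosedFilePath=!opera.exe,InternetAccessDevices

; Drop Rights and Delete on close, as thathagat lists them.
DropAdminRights=y
AutoDelete=y
```

    Apply it by reloading the configuration from Sandboxie Control rather than editing a running box, then repeat innerpeace's check: anything other than opera.exe should fail to start in OperaBox. If Opera relies on a helper executable, that helper must be excepted the same way, or it will be blocked too; add it through the GUI's Add by Name so the entry is written in the form Sandboxie expects.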
     
  15. m00nbl00d
    Hello arran,

    I'm not sure whether or not you're familiar with past attacks on Kaspersky's Malaysian affiliate (I believe it was an affiliate) by a hacker, via SQL injection?

    Personally, I never found any information stating whether or not the available trial versions were tampered with. But could we say that the Malaysian affiliate is 100% trustworthy? At least, for the Malaysians.

    So, never say no.

    But, I do agree with you that, to test most applications, they need to be installed without any sandboxing effects. For that, the most appropriate are virtual machines. Not sandboxes. Unless, people want to test non-installable applications. Then, I guess a sandbox would fit the purposes quite well.
     
  16. Acadia
    People, with today's powerful processors and tons of RAM, why not employ both SB and HIPS? I do. All those resources were put there for a reason, I might as well use them otherwise they're just sitting there doing nothing. :cool:

    Acadia
     
  17. Peter2150 (Global Moderator)
    Exactly what I do. But when I test nasty stuff, I always assume I'll answer the HIPS incorrectly, and SBIE is always there to protect.
     