Sandboxie + Shadow Defender = ?

Discussion in 'sandboxing & virtualization' started by n8chavez, Dec 19, 2008.

Thread Status:
Not open for further replies.
  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    I'm thinking of going the way of complete virtualization. I want to use the combination of SBIE and Shadow Defender. Obviously, that is extremely repetitive, but I think that would provide the ultimate "no configuration needed" security. What are your thoughts on the below configuration?

    Sandboxie, WinPatrol Plus, LooknStop, Proxomitron, Shadow Defender
     
  2. illicit

    illicit Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    91
    I use a similar configuration. IMO, the way to go. As soon as my paid subscriptions to OA and NOD are over, I will most likely rely on Defensewall (hopefully then with outbound protection :p ), Sandboxie, and SD.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool:thumb:
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I agree. I use Online Armor and Sandboxie as the primary, with Shadow Defender if I am going dodgy. That's it. But it does help a bit if you know what you are doing. I don't think it's a newbie approach.

    Pete
     
  5. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    I use the great Shadow Defender sometimes and it will be complete when it allows installed software that requires a re-boot. Sandboxie is a fantastic piece of software, I use it for all my browsing and downloads. The best thing about it is that Ronen Tzur (Sandboxie forum name "Tzuk") keeps in touch with Sandboxie users and offers support in the Sandboxie forum.
     
    Last edited: Dec 23, 2008
  6. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    That's it then. I'll be using this setup from now on. Yeah!! Bye-Bye yearly subscriptions fees for dumb-ass inadequate signature based products!

    Virtualization is the key.
     
  7. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    Have you had any problems running Sandboxie, Defensewall, and SD? I'm considering the same setup.
     
  8. illicit

    illicit Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    91
    None. Opening the browser can be a little slow, but there are a couple of tweaks you can use to speed it up (i.e. trusting Firefox in DW, but untrusting the Sandbox folder itself, therefore still untrusting anything that may escape).
     
  9. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Any thoughts on Returnil Free?

    Simple enough for me to understand and very useful if you feel the need to backstop Sandboxie...

    I've just ditched ESS on one of my boxes to test combination below.

    philby
     
  10. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    works fine here :thumb:
     
  11. illicit

    illicit Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    91
    Returnil worked fine for me as well. In the end I went for the paid version of SD for various reasons, but would definitely recommend Returnil.
     
  12. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Thanks for responding.

    I noticed you have fwalls -

    I've taken the leap of abandoning this layer on the premise that, for "normal" internet work, sboxie + prevx edge + wing and a prayer will be enough.

    Just leaves me worrying about keyloggers, though afaik the chances of any logger I have already picked up piggybacking on clean session of forced ffox are negligible (??)

    philby
     
    Last edited: Dec 19, 2008
  13. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    That depends. How tightly configured is sandboxie? It has the ability to prevent any application from running or connecting to the internet except the ones that you list. That way, even if you were to get infected with anything it wouldn't matter because it would never be allowed to connect out. Plus whatever it was would be erased the moment you terminate the box.
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
    I couldn't agree more. This has been my approach for a couple of years using ShadowUser(similar to Shadow Defender) + AntiExecutable on an XP laptop. It was really impenetrable. With Vista I have Shadow Defender (unfortunately ShadowUser hasn't been updated for Vista) and Avira, because of a conflict between the new AntiExecutable and First Defense PC Rescue.

    Even though I'm also in principle against AVs, it is the only way to check something I want to retain from a shadow session. Mind you one could have the AV only on demand, to check if something got through. AntiExecutable is still the best alternative IMO to AVs, but alas it is so tight that sometimes it doesn't let even legit applications run properly no matter how you tweak it.
     
  15. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    You know, this new setup has got me thinking. If all I need to do is restart to get things back to when I know everything is 'clean', do I even need WinPatrol? After all, its purpose is to alert the user to changes that might hint at infection. Do I need it now? I didn't think so, not with a tightly configured Sandboxie and Shadow Defender.

    And it gets lighter still...
     
  16. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    You'll have to answer if you need WinPatrol, IMO. For example, I just started using SandboxIE. I immediately paid up and implemented the forcing of IE into the sandbox on my 8 and 13 years olds' PC - no brainer right? However, I haven't grasped what SandboxIE's limitations are, I have other programs that access the internet, and there are other features of SandboxIE that I haven't begun to get up to speed on yet, so I am by no means ready to shut WinPatrol off on any of our machines.

    WP has become the first place I go to get a glance all across the system at what's running, what's starting up and even to manage startups to run "lean" or "full bloat" with selective disabling and re-enabling of background programs. So, it can serve purposes for me other than the original purpose of alerting me to new startup programs.

    Need it? Well, I don't really "need" a beer when I get home from work on Fridays, but I like to think of it that way.;)

    Yes, it can be lighter still. If you know ShadowboxIE well and how to tighten it sufficiently and have SD (plus some kind of back-up/image, at least of data, I presume) then indeed why run WP unless you use other of its features and like to have them immediately accessible?

    EDIT: ah, yes, I see IFW (excellent for plugging in the WD Passport and imaging my laptops!) in your siggy, so you are imaging I take it.
     
  17. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    This is what I'm dwelling on right now.

    Assume I pick up a keylogger when unsandboxed.

    I then run an internet session with firefox forced in sandboxie and the only allowed startup programme.

    Could the logger still send out anything it's stolen on the back of firefox.exe?

    This is really a critical point.

    Would a fw add any effective extra outbound coverage in this particular case or would it be redundant by this point as firefox.exe would have already been allowed outbound access in the fw configuration?

    I'm from the generation of users that has taken the necessity of s/w firewalls as an unquestionable given, but I'm really interested in knowing whether tight sandboxing means these can be dispensed with.

    If I am allowing only firefox to go outbound via sandboxie, then why do I need to tick a rule in a fw to allow firefox out?

    Again, the only danger I can see is nasties taking firefox.exe for a ride through sandboxie.

    philby
     
  18. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'd argue that in fact you don't need anything else, with a proviso. If you want to update, etc., caution will need to be taken and on-demand scanners would be wise. It can't be overstated just how good the protection offered by SandboxIE is.
    The only possible way to get infected while sandboxed would be to come across malware specifically tailored to exploit a flaw within SBIE; these are few and far between due to the excellent coding and the fact that specialist malware such as this just isn't economically viable and is highly unlikely to be encountered outside of a POC at a black-hat convention.

    Coupled with Shadow Defender and the use of a secure browser, you'd need to be extremely unlucky and spend all your time surfing the dark side of the web to get infected IMO. To be doubly secure you could protect SBIE from malicious tampering by using a HIPS such as D+, but if you really want to keep it light, Opera or Firefox (w/ NoScript) sandboxed is as near to bulletproof as is necessary, at least for websurfing.


    As to your point, "Could the logger still send out anything it's stolen on the back of firefox.exe?": the sandboxed and unsandboxed Firefox are entirely separate, therefore the answer is yes if you're running FF unsandboxed, no otherwise.
     
    Last edited: Dec 20, 2008
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    One question here is how you would pick up the keylogger. I have a sandbox for each browser. My firefox sandbox only allows firefox and my foxit pdf reader to execute and only firefox to access the internet.

    All my email is either in a web browser or Outlook which is also sandboxed and only allows Outlook internet access.

    Finally I use the default sandbox to check out say a jpg I've downloaded. I use the right click function to run it in the default sandbox. This sandbox will allow anything to run, but nothing can access the internet.

    So other than a rogue CD, where would the keylogger come from?

    Yes indeed you can button up your system with sandboxie.

    Pete
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    n8chavez, try a-squared's hijackfree.

    Also has a portable download link which contains only one file.
    http://download3.emsisoft.com/a2HiJackFree.exe

    Can manage your autoruns, view your network connections, kill and delete processes, stop/start services, enable/disable start-up programs and so on. I still like winpatrol but find hijackfree provides more detailed information.

    Just use it on-demand with sandboxie and shadow defender.
     
  21. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    So would adding something like DefenseWall (to Shadow Defender and well configured Sandboxes as you described) take care of this gap? Or would DefenseWall just be redundant? I'm trying to see where the benefit of adding DefenseWall to this strong setup would be beneficial.
     
  22. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    SBIE allows you to specify both programs and folders that can then have restrictions placed on them on running or accessing the internet. If malware on CDs is a concern, simply place your optical drives within the forced folders configuration. There is no need for DefenseWall with a tightly configured SBIE, especially now that it has incorporated Drop My Rights characteristics.
     
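    Several posts above describe the same box layout in words: one box per browser that lets only the browser (and a PDF reader) run and only the browser reach the network, a default box where anything may run but nothing may connect out, optical drives forced into a box, and Drop Rights. The Sandboxie.ini fragment below is an added example of how those settings look in classic Sandboxie.ini syntax; it is not from this thread or from Sandboxie's own documentation. Assumptions: the box names, the D: drive letter, the executable name `Foxit Reader.exe`, the `#` comment lines (strip them if your version rejects them), and the special value `InternetAccessDevices`, which is what the Sandboxie Control "Internet Access" restriction writes in the 3.x builds I know (earlier builds wrote `\Device\Afd*` instead). The `!` prefix inverts a program-specific setting, so `ClosedIpcPath=!<AllowedToRun>,*` blocks every program except the named group from starting.

```ini
# Added example, not from the thread. Box and program names are assumptions.

[Firefox]
Enabled=y
# Every launch of Firefox is redirected into this box.
ForceProcess=firefox.exe
# Process group naming the only programs allowed to run in this box.
ProcessGroup=<AllowedToRun>,firefox.exe,Foxit Reader.exe
# Start/Run restriction: everything outside the group is blocked from starting.
ClosedIpcPath=!<AllowedToRun>,*
# Internet restriction: only Firefox may open network devices.
ClosedFilePath=!firefox.exe,InternetAccessDevices
# Sandboxed programs run without administrator rights.
DropAdminRights=y
# Box contents are discarded when the last sandboxed program exits.
AutoDelete=y

[Outlook]
Enabled=y
ForceProcess=outlook.exe
# Only Outlook may run and only Outlook may reach the network.
ClosedIpcPath=!outlook.exe,*
ClosedFilePath=!outlook.exe,InternetAccessDevices
DropAdminRights=y

[DefaultBox]
Enabled=y
# Anything launched from the optical drive (D: assumed) lands in this box.
ForceFolder=D:\
# Anything may run here, but no program may reach the network.
ClosedFilePath=InternetAccessDevices
DropAdminRights=y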
  23. Frog01

    Frog01 Infrequent Poster

    Joined:
    Dec 20, 2008
    Posts:
    25
    Location:
    Vancouver B.C Canada
    I am going to try Shadow Defender in the future; right now I'm sticking with Sandboxie and Avira.:cautious:
     
  24. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    That makes sense. Thanks
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I didn't go into that, but it's exactly right. Amazing what you can do with this jewel.
     