Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Rasheed, perhaps Avant browser will run if you don't enable Drop Rights. As of now, most people running Chrome can run Chrome sandboxed under SBIE 4.14. And most of the people running Chrome that still have a problem running Chrome sandboxed, are able to run Chrome when they run it in a sandbox that doesn't have Drop Rights enabled. So, give that a try.

    I don't use Chrome but I tested Chrome 37 immediately after it came out and people were complaining about having issues running it sandboxed. I tested it twice in my W7 and once in Xp. In my experience, the browser felt great sandboxed and I did not even have to untick Drop Rights.

    Opera had problems when 25 came out but Sandboxie beta 4.13.7 fixed the problem. I know at least 3 users that got their issues fixed when they installed 4.13.7.

    When you tried Avant, did you try it in XP or W7? Let me know and I'll check it out.

    Bo
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'm not sure why it's incorrect to compare the same scenario using the same version of Sandboxie with the same settings on two different operating systems?
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Something that you have proved with your testing, in my opinion, is that Sandboxie protects us users against keyloggers more in W7 than it does in XP. FWIW, you know but others don't, I have been doing your tests as well and I can confirm that the results that you are posting for W7 and XP are the same that I got. :)

    Bo
     
  4. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Have you compared the built-in security between Windows 7 and Windows XP?
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For keylogging yes - scenarios A.1 and B.1.
     
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Then if all things are equal (security & settings) you should get the same results. As your test results indicate, that's not the case, because Windows XP security & Windows 7 security are not exactly equal. Just like someone can't fairly compare the Windows 7 firewall and the Windows XP firewall in a monitoring test. Windows XP doesn't have some of the capabilities of Windows 7. Many users running XP might install third-party software in the area of keylogger protection and a 2-way firewall for better monitoring/security.
     
    Last edited: Oct 22, 2014
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    When you tested on Windows 7 and on Windows XP, did you use default settings or did you use maximum protection with the tightest configuration, with all internet access restrictions and with all start/run restrictions in the work?
    Because there's a huge difference between the 2. Also, the best part of these keylogger tests is with start/run restrictions: they cannot even start/run, and if they can't start/run, the party is over. Keyloggers in these tests cannot start/run, and everything is protected.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I don't understand, I thought that both Chrome (newest version) and Sandboxie 4 are all about kernel-level sandboxing, and yet they are only user-mode sandboxes/sandboxing.
    So what does this all mean for both Sandboxie 4.14 and Google Chrome (newest version)? How secure are they truly against, let's say, kernel-level malware if they use user-mode sandboxing to protect against malware?
     
  9. 142395

    142395 Guest

    I'm not sure what exactly you mean by saying kernel-level sandboxing, but do you mean a sandbox which uses kernel hooking? Then SBIE 4.x for XP & 3.x for any Windows are that.
    4.x for Vista+ also uses a kernel driver because it has to act as a supervisor to maintain compatibility with many software while keeping security (e.g. a global hook will be converted to an app-specific hook by SBIE).

    But I think SBIE 4.x for Vista+ is basically a user-mode sandbox, as they use integrity level & desktop separation for sandboxing, as tzuk once admitted IIRC.
    I suppose MrBrian's result is due to desktop separation, though I don't know the test's details; maybe I have to read another SBIE thread.
    It is possible that SBIE also uses other restrictions such as a restricted token, but I don't know. Maybe someone knows?

    Chrome is definitely a user-mode sandbox; it uses restricted token, privilege stripping, integrity level, job object, window station isolation, and desktop isolation - so, everything!
    And in recent versions, plugins are also sandboxed by default (you can configure it through setting>content setting>unsandboxed plug-in access), so they removed the --safe-plugins flag, as you may know.
    If kernel-mode malware is already on the system, then nothing is guaranteed.
    Both SBIE's & Chrome's sandboxes are not designed to protect the user from such a threat; they are built to protect the user from the initial intrusion.

    Maybe this is interesting for you, because Bitdefender Safepay also uses desktop separation, and it is built upon Chromium.
    http://forum.bitdefender.com/index.php?showtopic=37584
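    The post above lists the token-level mechanisms behind Chrome's sandbox and asks whether Sandboxie 4.x applies a restricted token as well. Rather than take either on trust, the script below (an added example, not code from this thread, from Chromium or from Sandboxie) reads those attributes straight off the running processes: the integrity level of each token, whether the token is a restricted token, and whether the process sits in a job object. Run it against chrome.exe and against a browser running under Sandboxie and compare the rows. It assumes Windows Vista or later, PowerShell 3 or later (for Get-CimInstance; on a stock Windows 7 swap in Get-WmiObject), and an elevated session so every process can be opened; the P/Invoke declarations, helper names and constants are my own.

```powershell
# Added example: report sandbox-relevant token attributes of every process
# with a given image name. Not part of Chromium or Sandboxie.
Add-Type -Namespace SbxCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessInJob(IntPtr proc, IntPtr job, out bool inJob);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool IsTokenRestricted(IntPtr token);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
'@

function Get-IntegrityLevelName([int]$rid) {
    # The mandatory label RID is the last sub-authority of the S-1-16-x SID.
    switch ($rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { ('0x{0:X}' -f $rid) }
    }
}

function Get-ProcessSandboxInfo {
    param([Parameter(Mandatory)][string]$ImageName)

    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough for token/job queries on Vista+
    $TOKEN_QUERY                       = 0x0008
    $TokenIntegrityLevel               = 25       # TOKEN_INFORMATION_CLASS

    # Win32_Process exposes the command line, which is how Chrome labels its
    # process types (--type=renderer, --type=gpu-process, ...); the broker has none.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name='$ImageName'") {
        $type  = if ($p.CommandLine -match '--type=(\S+)') { $Matches[1] } else { 'broker/main' }
        $hProc = [SbxCheck.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.ProcessId)
        if ($hProc -eq [IntPtr]::Zero) { Write-Warning "PID $($p.ProcessId): OpenProcess failed"; continue }
        try {
            $inJob = $false
            [void][SbxCheck.Native]::IsProcessInJob($hProc, [IntPtr]::Zero, [ref]$inJob)

            $hTok = [IntPtr]::Zero
            if (-not [SbxCheck.Native]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
                Write-Warning "PID $($p.ProcessId): OpenProcessToken failed"; continue
            }
            try {
                # First call sizes the TOKEN_MANDATORY_LABEL buffer, second fills it.
                $needed = 0
                [void][SbxCheck.Native]::GetTokenInformation($hTok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$needed)
                $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
                try {
                    if (-not [SbxCheck.Native]::GetTokenInformation($hTok, $TokenIntegrityLevel, $buf, $needed, [ref]$needed)) {
                        throw "GetTokenInformation failed for PID $($p.ProcessId)"
                    }
                    # TOKEN_MANDATORY_LABEL begins with a PSID (SID_AND_ATTRIBUTES.Sid).
                    $sid   = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
                    $count = [Runtime.InteropServices.Marshal]::ReadByte([SbxCheck.Native]::GetSidSubAuthorityCount($sid))
                    $rid   = [Runtime.InteropServices.Marshal]::ReadInt32([SbxCheck.Native]::GetSidSubAuthority($sid, $count - 1))
                } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }

                [pscustomobject]@{
                    PID        = $p.ProcessId
                    Type       = $type
                    Integrity  = Get-IntegrityLevelName $rid
                    Restricted = [SbxCheck.Native]::IsTokenRestricted($hTok)   # restricting SIDs present?
                    InJob      = $inJob
                }
            } finally { [void][SbxCheck.Native]::CloseHandle($hTok) }
        } finally { [void][SbxCheck.Native]::CloseHandle($hProc) }
    }
}

# Compare the two sandboxes discussed in the thread: Chrome's own, and a
# browser launched under Sandboxie (here firefox.exe).
Get-ProcessSandboxInfo -ImageName 'chrome.exe'  | Format-Table -AutoSize
Get-ProcessSandboxInfo -ImageName 'firefox.exe' | Format-Table -AutoSize
```

    Read the output as a whole table rather than one row: in Chrome the broker keeps a normal Medium-integrity, unrestricted token while the renderers are the rows with a low label, a restricted token and job membership. Whatever the Sandboxie-launched browser shows in the same columns answers the "does SBIE also use a restricted token?" question for your own version and settings, which is more reliable than any forum recollection.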
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If we run the tester in a Start Run restricted sandbox, the tester is not gonna run. That's a given. When Mr Brian posted that in W7, when he ran the tester in a default settings sandbox, in none of the tests did the tester log what he wrote in a text file that is outside the sandbox, that kind of caught my attention. I mean, I thought we had to block access to files in Sandbox settings for that to be the case. So, I decided to do the test myself. And I found what he said to be correct. That is a plus for Sandboxie in W7. :cool:

    But in XP, as I expected, using a default settings sandbox, the tester logged when I wrote something in an unsandboxed text file in all 6 tests. That's what I expected and it's what I found. Then I did another test in XP in which I blocked access to the same text file; in this test, the logger was not able to log what I wrote in the first three tests but succeeded in tests 4 to 6.

    Then later, Mr Brian asked me to do another test that can only be done with the paid version. He asked me to run the tester in one sandbox and a text file in another one and see what happens. And what happens is that the tester was able to log what I wrote. XP or W7, default settings or not. Bottom line with this test, and what I learned out of doing it, is that to do banking or sensitive browsing with Sandboxie, we have to follow Tzuk's recommendation of terminating programs in all sandboxes and only have one open when doing it.

    Bo
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    That's interesting. Multiple sandboxes for one specific browser do not guarantee a total separation? That is what I have suspected too.

    Still there are things like if you use a script blocker in a browser. One sandboxed instance might have allowed many scripts while the other sandbox has browsing done with strict/different settings for say NoScript or Http Switchboard that might justify using multiple sandboxes for the same browser. This is of course not directly directed to this keylogging thing you are playing with. I just hope I don't have any installed on my system.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi Jarmo, I think a Sandboxie user can safely do sensitive browsing if you are not infected by a keylogger, you do it in a fresh browsing session and delete the sandbox immediately after the sensitive activities are over. All this being done in a Start Run and Internet restricted sandbox where only the browser is allowed to run and connect. And if possible, doing it with a no-addons browser, or only perhaps with NoScript and Adblock Plus. I only use three addons in my computers. I think doing sensitive browsing like I described is pretty safe.

    Bo
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yes.

    Even safer, if people wish, is to boot a clean pendrive Linux (I use Puppy Slacko) which is only written to when you need to update the distro. For browsing sessions, the pendrive is removed once the OS has loaded and before browsing, and so only runs in RAM. I go straight to the banking site, do the business and close. The vulnerabilities are much smaller with that than using a general purpose machine which has history - even if this has been protected with Sandboxie and other controls.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    deBoetie, to make things a little closer to what you do, you can use a new Firefox profile that gets deleted immediately after banking is done. For example, create a new sandbox (in this example it is named Sensitive), restrict it so only Firefox runs and connects and set the sandbox to delete on closing, then make a shortcut in Desktop>New>Shortcut, with this target:

    "C:\Program Files\Sandboxie\Start.exe" /box:Sensitive "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -P "NewProfile"

    That's a brand new sandboxed Firefox with no addons at all, no history, nothing old, for critical browsing. The profile is gone after you are done.

    Bo
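    The recipe in the post above (a restricted, delete-on-close sandbox plus a shortcut that launches Firefox in it with a throw-away profile) has two halves: the shortcut, which is easy to get wrong by hand, and the sandbox restrictions, which are easy to forget. The script below is an added example, not code from this thread or from Sandboxie; it writes the shortcut with exactly the target line quoted above and then reads the sandbox's section of Sandboxie.ini to warn when the box is not set to delete itself or carries no restrictions. It assumes Sandboxie 4.x at the default install path, Sandboxie.ini in the Windows directory, that the "Sensitive" box was already created in Sandboxie Control, and PowerShell 3 or later. The ini key names it looks for (AutoDelete, ClosedFilePath, ClosedIpcPath) are the ones I believe the Delete and Restrictions dialogs write; open your own Sandboxie.ini after clicking through those dialogs and adjust the names if your version differs.

```powershell
# Added example, not from the thread or from Sandboxie: build the throw-away
# Firefox shortcut and sanity-check the sandbox's settings. Paths and key
# names below are assumptions; adjust for your install.
$BoxName     = 'Sensitive'
$SbieStart   = 'C:\Program Files\Sandboxie\Start.exe'
$Firefox     = 'C:\Program Files\Mozilla Firefox\firefox.exe'
$ProfileName = 'NewProfile'
$SbieIni     = Join-Path $env:windir 'Sandboxie.ini'

function New-SensitiveBoxShortcut {
    param([string]$Path = (Join-Path ([Environment]::GetFolderPath('Desktop')) "Firefox ($BoxName).lnk"))

    foreach ($exe in $SbieStart, $Firefox) {
        if (-not (Test-Path -LiteralPath $exe)) { throw "Not found: $exe (adjust the path for your install)" }
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)
    $lnk.TargetPath = $SbieStart
    # Same target line as the post: run Firefox inside the box with a fresh profile
    # that lives only in the sandbox and disappears when the box is deleted.
    $lnk.Arguments    = "/box:$BoxName `"$Firefox`" -no-remote -P `"$ProfileName`""
    $lnk.IconLocation = "$Firefox,0"
    $lnk.Save()
    return $Path
}

function Get-SandboxieBoxSettings {
    param([string]$Box = $BoxName, [string]$Ini = $SbieIni)
    # Sandboxie.ini is a plain ini file; each sandbox is a [BoxName] section and a
    # key may repeat (one ClosedFilePath= line per rule), so collect every line.
    $inBox = $false; $settings = @()
    foreach ($line in Get-Content -LiteralPath $Ini) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inBox = ($Matches[1] -eq $Box); continue }
        if ($inBox -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $settings += [pscustomobject]@{ Key = $Matches[1]; Value = $Matches[2] }
        }
    }
    return $settings
}

function Test-SensitiveBoxConfig {
    $s = Get-SandboxieBoxSettings
    if (-not $s) { throw "No [$BoxName] section in $SbieIni - create the sandbox in Sandboxie Control first." }

    # Delete on close: the point of the recipe is that nothing from the session survives.
    if (-not ($s | Where-Object { $_.Key -eq 'AutoDelete' -and $_.Value -eq 'y' })) {
        Write-Warning "$BoxName`: AutoDelete=y is not set; the profile will persist between sessions."
    }
    # Start/Run and Internet restrictions show up as Closed*Path lines that exempt
    # firefox.exe ("!firefox.exe,..."). Print them so you can confirm that only the
    # browser may run and connect. (Key names assumed; check your own ini.)
    $restrictions = $s | Where-Object { $_.Key -in 'ClosedFilePath', 'ClosedIpcPath' }
    if (-not $restrictions) {
        Write-Warning "$BoxName`: no ClosedFilePath/ClosedIpcPath entries; the box is not restricted."
    }
    $restrictions
}

Test-SensitiveBoxConfig | Format-Table -AutoSize
"Shortcut written to: $(New-SensitiveBoxShortcut)"
```

    The check is deliberately read-only: Sandboxie reloads its configuration when the file changes, and editing the ini programmatically risks clobbering settings the control panel also writes, so the script only tells you what is missing and leaves the change to the Sandbox Settings dialog.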
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Depends on the OS used. Different results, as reported already by other Wilders posters.
    On XP, apps used:
    Sandboxie v. 4.14 (default settings changed)
    Notepad
    Zemana Spy Simulation leak test (keylogger test)

    Result: Keystrokes were captured in a sandboxed Notepad.

    If you applied Blocked Access (ClosedFilePath) to the Zemana file then access would be denied
    even if you gave Zemana Start/Run Access in Sandboxie.

    Apparently install location matters: (Windows Temp was used for Zemana)
    If you give Zemana Start/Run Access in Sandboxie then access would be denied.
    Note: ClosedFilePath was not used.
    If you removed the Zemana file from Start/Run Access (All programs can start and run)
    and forced (Forced Programs) it then Sandboxie would also deny access.
    Note: ClosedFilePath was not used.

    Checked these settings by going to the Zemana file > right-clicking > 'Run Sandboxed'.

    Conclusion:
    The only way I know of to stop an installed keylogger tool from capturing keystrokes in XP
    is to install an app that has anti-keylogger capabilities.
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Agree, that's what I'd normally do on a sensitive session. What I'm really guarding against is anything that's arrived or I've installed with administrative permissions outside the sandbox, I'm not perfect. The OS is complex and has history, and it's hard not to add anything dodgy eventually to a complex and rich environment, and Sandboxie can't protect against that.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Oh OK, didn't know that the problems were fixed. I installed Avast with the Chrome engine on Win XP.

    But it was just a "general" idea of mine, because SBIE does not add any security to Chrome, as others have said, so a "virtualization only" option would be cool, I will post this idea in the Sandboxie forum.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    The article gives a general impression about how user-mode sandboxes work. However, SBIE also monitors other stuff, so it has to use a driver (kernel-mode). So it's quite secure, it's not a "simple" sandbox.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Others don't include Tzuk ;). This is what he said about running Chrome under Sandboxie.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=11788

    And Rasheed, what about if you go to your web mail using Chrome and open an infected email attachment like a Word file? Would you have been safer if you had been running Chrome under Sandboxie or not? Or if you use plugins like Silverlight and Java and all of a sudden a webpage starts downloading malware, I know Sandboxie contains that. Can Chrome do so? :)

    Bo
     
  21. 142395

    142395 Guest

    What Tzuk mentioned is about v3.x, and v4.x is another story since, you know, she made a fundamental change in 4.x and it uses the OS's own security rather than kernel hooks.
    So v4.x has much duplication with Chrome's sandbox.

    There's a chance that sandboxing Chrome by SBIE still makes sense though, e.g. if Chrome has a vulnerability in the broker and an attacker can chain a renderer exploit with a broker exploit, or there's a vulnerability which is very specific to Chrome's architecture.

    However, it will be a really rare case, and even if it occurred, probably it is in an APT, and in such a case the attacker will also bypass SBIE.
    I think making office programs forced programs is better, as it allows you to make strict rules for that sandbox compared to using both Chrome and Office in the same sandbox.

    Or what I am actually doing is making the download folder a forced folder, so it not only sandboxes documents or pictures, but also any executable will be sandboxed, thus preventing mistakenly executing them.
    Since Chrome has strong exploit protection, you don't need to care about a drive-by download executing malware in another folder.

    As to plugins, now they are sandboxed by default (my post #84).

    However, by default the user will be asked to allow disabling the sandbox if it is demanded, so novices will disable it without a doubt.
    You can change this behavior through Chrome's settings.
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Obviously equally secure as Chrome sandbox, since in its 4x versions it uses OS's own security mechanisms very similar to Chrome sandbox?
    What about Sandboxie 3x versions which uses kernel hooks-how secure Sandboxie 3x versions are, and what are advantages and disadvantages in both Sandboxie3x versions and in Sandboxie4x versions?

    So which Sandboxie is more secure: Sandboxie3x versions where Sandboxie used kernel hooks or is Sandboxie more secure in its versions 4 where Sandboxie4x versions use OS's own security very similar to Chrome sandbox?
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I agree, Yuki. But most people who are using Sandboxie are using the free version. And with the free version, you can't force Office programs. So, if any of these users open an infected Office attachment while browsing their web mail, they'll get infected if their antivirus doesn't detect the malware. On the other hand, if they are running Chrome under SBIE, the malware gets contained.

    About the plugins. I don't use Chrome so I have never seen the setting that you mentioned in post #84: setting>content setting>unsandboxed plug-in access

    Yuki, like I said, I don't use Chrome so I am not familiar with the browser. But in the setting there is the word "unsandboxed." Unsandboxed means unsandboxed. ;)

    Bo
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Or you can just run the attachment itself sandboxed, but for non-techies sandboxing Chrome (without them noticing) might be best. Unfortunately, they probably will notice and run things they trust unsandboxed anyways.
     
  25. 142395

    142395 Guest

    I'm not sure SBIE's protection (4.x) is similar to Chrome's.
    As I said, I know SBIE uses integrity level and desktop separation, but I don't know the other parts.

    The reason Tzuk introduced OS security is 64-bit compatibility.
    As we know, 64-bit Windows has PatchGuard, which restricts kernel hooks.
    So a user-mode sandbox which uses OS security is more secure in 64-bit, while a hook-based sandbox is heavily limited in 64-bit.
    And as Rasheed said, PatchGuard can be bypassed but its robustness varies (Win8>Win7).

    Sorry, I'm not techy enough to talk about kernel hook problems, but historically they have been bypassed and have even added attack surface.
    It's a kind of 'high risk, high return' approach, as any mistake can cause a serious problem.

    Also there is a vulnerability in 3.x, though it can be easily mitigated, but the more serious problem is those old versions don't fully support ASLR.

    So I believe basically 4.x is more secure.
     