Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. 142395

    142395 Guest

    Thanks for PM, Bo

I originally wrote about how I use SBIE in #121, but removed it simply because it was too long! lol.
Okay, but I'll just give some examples.

Yes, most people sandbox the browser and I'm no exception, though not limited to that.
Though I don't sandbox Chrome, my other main browser, Firefox, is always sandboxed except when updating.
I use a dedicated sandbox named FoxBox, which of course is strictly restricted, but I allowed Office programs and Explorer to launch just for convenience.
This box is set to auto-delete after use, and I set Firefox as the leader program.

I added Firefox's profile directory to the quick recovery list; it helps me decide whether I want to keep changes or ditch them, especially addon configuration, as I use many addons.
Some addons such as NoScript have an option for temporary changes, but I found SBIE with Quick Recovery is easier and it covers all other changes too.
As to bookmarks, I use Sync so there's no need to save these locally.

I said I made a download folder and actually also a Temporary Internet Files forced folder, but explaining this would be quite a long story, as it is related to a somewhat unusual form of use for my computer, so I'll skip this. In short, it's more for my girlfriend, who is much more techy when it comes to programming but strangely enough has no idea about security and even bypasses e.g. a whitelisting program by pushing allow.

I also have a Mediabox, of course for all kinds of media players, though I only use 3 (WMP, VLC, and another minor player), and I set the video folder to forced.

Though I don't have it now, when I had SumatraPDF, I had a SumatraBox.
Maybe I'll install Sumatra again and then I'll make it again.

I tried sandboxing Explorer too, but maybe for a different reason: I wanted to zip/unzip safely. But somehow when I delete files in sandboxed Explorer, it freezes. It occurred in at least the previous version too, though so far I haven't tested in the latest.

Currently I don't force Explorer, but I also use 7-Zip when password protection is needed.
I keep the 7-Zip installer, and when needed I install it in DefaultBox (I only made slight changes to DefaultBox), and then zip with a password.
People might ask why I don't install 7-Zip permanently, but I don't feel any inconvenience from this and it helps save my SSD disk space.
I also sometimes install apps temporarily just like you, but some apps are regular, others are just for testing.
When an app requires driver installation, I use Toolwiz Time Freeze. I think TTF & SBIE complement each other.

Sorry, I could go on but it's already too long, much longer than I initially thought.
Hope it doesn't bother you!
     
  2. 142395

    142395 Guest

Yes, Sandboxie can block, or more exactly contain, exploits well. I also don't doubt SBIE can contain a memory-only exploit in that sandbox so that it can't interact with the rest of the system.
What I said is a situation where attackers have plenty of $ and time to analyze those security programs to bypass them.
In that case I believe finally either of them can be bypassed, but I believe bypassing Chrome will be harder as it is already thoroughly analyzed and, as to the sandbox component, simpler than SBIE.
You might think such a situation is unlikely, but it happens in sophisticated APTs, and Duqu is one such case.
BTW, according to TrendMicro, Chrome is also attacked in targeted attacks, though it doesn't reveal details.

As to 'ask', it's a company notorious for its toolbar and search. I suppose in your case it was installed by one of your programs on disk, but it can't insert itself in a sandboxed browser as it is isolated.
But I recommend you ask this in a more suitable place, maybe the malware problems subforum here or malwaretips.com (if you have an account)?
In APTs, attackers thoroughly look up the victim's system, network, or any other info about them via various ways.
So basically they know what security software the victim uses and make bypasses for it.
But seriously, you can block t2embed.dll because you know it is exploited.
At that time, it was unknown, so why could they block t2embed.dll?
Well, it was not the first time TTF was exploited and blocking a component which was exploited in the past makes sense, but who knows what component the next kernel exploit will use?
In the next exploit, blocking t2embed.dll might not be relevant at all.

I haven't thought about those essential DLLs being infected, but at least they are in the Windows folder so protected by the OS to some extent, and by default SBIE forbids modifying system settings so maybe those system components are also protected, but not sure.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
Yuki, I am not sure how you ran Windows Explorer sandboxed, but try running Windows Explorer in a sandbox where you don't tick Drop Rights. It might keep your sandbox from freezing when you delete it. Also, perhaps, only when you run certain programs does the Windows Explorer sandbox freeze when it gets deleted, and it's not the case when you run most other files or programs. It could be that this freezing occurs when installing 7Zip but not when you run something else. This should be easy for you to test.

By the way, you should not force Windows Explorer. That is not something you want to do. But you can create a new sandbox, name it Windows Explorer and then create a sandboxed shortcut to run Windows Explorer in it. You can leave the shortcut on your desktop or move it to the taskbar. I have mine in the taskbar.

    Even people using the free version can do this but most people don't. And they are missing one of the best tools that Sandboxie has to offer. A gift from Tzuk that is almost totally ignored.

I have 7Z installed in my XP, but in Windows 7 I install it temporarily in a sandbox whenever I need to use it, pretty much like you do. That's what I also do with plugins like Flash in W7. It works great for me using Sandboxie like that.

I used to use TTF; for the last couple of years I've been using Shadow Defender. Both of these programs work great along with Sandboxie. I use this kind of program for trying changes in my system or installing something like MBAM or HMP to run a scan. Sometimes I install software to try, but for me that's rare.

And Yuki, you don't bother me, you are making me smile :). Thank you.

    Bo
     
  4. 142395

    142395 Guest

I tried to delete a file in DefaultBox, and again it froze. :(
As I said, I keep DefaultBox almost default, so Drop My Rights is unchecked (confirmed).
I just opened Explorer sandboxed and immediately tried to delete a file, so it's not due to another sandboxed program.

Maybe my other software conflicts with some SBIE function, or possibly my system config is causing the error?

When Explorer in the sandbox freezes, CPU usage is 0%. It just goes unresponsive, but I can purge DefaultBox without problem.
Ah, sorry, that's a typo, I meant to say 'sandbox' not 'force'.
Pardon me, as I was sleepy at that time.
Actually I made a '[DefaultBox] User' shortcut just next to the user icon on the desktop (my user name is User) with a similar icon image, which launches Explorer sandboxed in the user directory.

Also, I confirmed the issue with Chrome 64-bit is fixed, but I then get an error which says SBIE 2318 Initialization failed for ntmarta.dll, and also SBIE 2335 for process coNatHst.exe.
coNatHst.exe is Norton's component, so it seems there's some conflict with Norton, though I can use Chrome sandboxed without problem.
I've read what you wrote about SBIE with Norton, but it's somewhat concerning, though I confirmed Norton's protection works correctly in the sandboxed environment.
(BTW, though I don't sandbox Chrome usually, I sometimes do, e.g. when I want to test a new addon, or when I care about privacy.)

I understand you; as every program launched from it is always sandboxed, it's a kind of sandboxed program launcher that is very useful for free users who don't have the forced function.

While I have Flash permanently installed (if not, the girlfriend will complain!), I install Free Download Manager Lite and VLC temporarily whenever I want.
I always feel this capability of SBIE is quite useful. :thumb:
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
That's right Yuki. But the sandboxed Explorer is also a great tool for paid version users. I use it every time I download a picture. I don't download many, but if I download one, no matter where from or who I got it from, I run it sandboxed using a sandboxed Explorer. It's done automatically, I don't even have to think about it.

You hit the nail on the head when you said, "as every program launched from it are always sandboxed, it's a kind of sandboxed program launcher." Because that's what the sandboxed Explorer really is. So, I also use one to run files that I am not sure what they are. This doesn't happen often, but the safest way to run an unknown kind of file is to use a sandboxed Explorer. That is because no matter what kind of file it is, it is gonna run sandboxed if you run it using the sandboxed Explorer.

    Bo
     
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
One thing though when installing apps inside Sandboxie. If for example I want to test a browser, I have to allow all programs Internet Access and all programs Start/Run Access in Sandboxie to install and run the browser. With a browser installed on the real system you can restrict just the browser for Internet Access and Start/Run Access.
     
  7. 142395

    142395 Guest

Yes, sandboxed Explorer is also useful for paid users.
Personally though, I prefer using a dedicated sandbox for each program, sometimes at the same time.
As to pictures, the forced download folder and forced picture folder also take care of it in my case.
But I don't force the document folder, as I only open untrusted documents after a thorough scan and they'll be opened in protected mode (I admit protected mode in Office 2010 is much weaker than SBIE though), and the fact is most documents I open/modify are trusted ones (I made that document!).
I also have MBAE so I think it's good enough for most document threats.
If you regularly install a certain app in a sandbox, you can allow that installer and other related components, unless it generates random-named temp files which require internet access and/or start/run.
Or, first allow all, and after installation temporarily shut down that sandbox without deletion, then apply restrictions and restart the app.
It may sound complex, but I recommend using Configure>Edit Configuration and copy/pasting restriction settings.
     
  8. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,335
    Location:
    US
    Shoot, this technical Sandboxie thread has been great. I have used SB for years, my favorite security program bar none, but I have learned so much, keep the good stuff coming!! :-*

    Acadia
     
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
Regarding exploits, I still disagree regarding the exploit protection of SBIE4 and Chrome; I still think it's as good as Chrome despite all the complexity. Besides, Curt did actually say that this summer they tested Sandboxie4 itself and its code with an independent security company, and the short answer was, since they cannot talk about this in detail, that "nothing has been exploited".
I still don't see the benefits of using Chrome alone, especially when I only want chrome.exe to be able to connect to the internet and nothing else.
However, Google Chrome has a dark side: ask.com, read my post on the malware problems forum. I don't think I'll be using Google Chrome again.
Also, can you please check this out; supposedly chrome.exe runs at low, while chrome.exe inside Sandboxie4 runs at untrusted integrity level, so yes, another reason why everyone should use chrome.exe/Chrome under the supervision of Sandboxie, but of course only if this is true at all, which is why I'm asking if this is true.
     
  10. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
You misunderstood Curt. He means that nothing was exploited for Sandboxie (and its processes) itself. That means nothing can break out of Sandboxie (according to settings) and make permanent damage to your system.

But some exploits can even run within the restrictions Sandboxie sets. That means: the system isn't infected, but during the active sandbox session (or semi-permanently if you never reset the sandbox) damage can happen. An exploited browser in a sandbox can f.e. steal passwords from that sandbox session and so on.

That's why the advice: a dedicated banking-only sandbox (where you do nothing else), delete the sandbox automatically, don't visit suspicious sites and sites where you enter personal data at the same time, etc.

If a browser by itself has good exploit protection, it's the best you can have. And in that Chrome browsers are top (followed by IE) and so often more secure against browser exploits than f.e. even a sandboxed Firefox and so on.

Of course, Chrome has some side effects. (But your ask problem has nothing to do with that; there is definitely an issue with another software.)

It's a theoretical discussion. In theory Sandboxie adds nothing fundamental (besides virtualisation) for Chrome. In theory the attack vector can be larger.
But in theory Sandboxie could also jump in if Chrome is bypassed because of a bug. And in practice, there are no known exploits or bugs that affected Sandboxie and Chrome...

You have to look also at the highest integrity level in the process start group. So Sandboxie Control f.e. runs at medium.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
Big thanks for this detailed explanation, this settles everything. I knew that Chrome has top exploit protection, but I didn't know or expect that Internet Explorer (Internet Explorer 10 or 11?) is the second best after Google Chrome when it comes to exploit protection!
And big thanks for the tip and explanation regarding the ask.com thing.

    Regarding Sandboxie Curt says this:
    "SbieCtrl.exe runs at medium integrity.
    SbieSvc.exe runs at system integrity.
    Everything inside the sandbox runs at untrusted integrity (which is lower than "low"),

    "SBIE4 itself runs in System/HIGH. " doesn't make any sense. The service runs as System, but that is not Sbie "itself". What matters are sandboxed apps, and they all run at untrusted integrity under Anonymous Logon with almost zero rights in the host system. That's about as restricted as you can get and still execute.

    So what does this user do to safely run any webmail attachments or other downloaded executables?"

So, according to Curt every application, process, .exe, .dll, etc. that runs inside Sandboxie4 runs at untrusted integrity level under anonymous user login credentials, while unsandboxed Chrome/chrome.exe runs at low level, which is btw higher than untrusted, so what am I missing?
So why do you say that everything that runs inside Sandboxie4 runs at medium integrity level?
     
    Last edited: Oct 31, 2014
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    Hi SLE, Sandboxie control is not a sandboxed process.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19642#p103675

    Bo
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
I agree with SLE, you probably got Ask when you installed something and it has nothing to do with Chrome. I would follow the link for how to get rid of it posted in the other thread by the big guy from HMP :cool:.

    Bo
     
    Last edited: Oct 31, 2014
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Sorry, but there was no ask.com when I uninstalled Google Chrome, no nothing, not even a trace of it.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
CWS, I am no expert on any of this, but I can tell you, you yourself can kill Sandboxie processes that are outside the sandbox and that has no effect whatsoever on anything that's running sandboxed. If you do that, sandboxed processes continue sandboxed. More importantly, I remember Tzuk saying that anything running sandboxed cannot manipulate Sandboxie processes outside the sandbox :)

    Bo
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
I like this quote from the same link, it should clear things up, I think. :cool:

    Bo
     
  18. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
Yes, you can easily see this in Process Explorer and/or Process Hacker for every process.

I don't have Chrome installed, but here also you have to distinguish between the broker and the sandboxed processes. When you look at the rights that correspond to integrity levels you see that the Chrome approach is very secure. Finally you can't say Sandboxie is more secure for browser-based exploits than Chrome.

But I'm also not a person who says: Don't run Chrome sandboxed. If it runs alright, why not?
For myself I'm a Firefox user and here Sandboxie brings exactly that type of protection (integrity levels) that Firefox atm lacks (although Mozilla said a long time ago it will be implemented...)

I know, Bo. But it's in the starting order. Now it would get too theoretical, but in theory via exploit... I'll stop. ;)

Yes, but I know some cases where the settings were set in the registry and when Chrome is installed, then they are used. So first search your registry for ask. A clean Chrome installation won't bring ask stuff. Google has its own search engine ;)
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    @ SLE

    I liked post #135, good explanation. But to be honest, I think this thread spiraled out of control because of the same old questions that have already been answered in some other thread. In a way this was also a bit my fault.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
I tried several ways to install & run a browser inside Sandboxie. It installs fine, but unless I allow (All programs can access the Internet) and (All programs can start and run) in Sandboxie Restrictions settings, the process cancels, resulting in the browser not being able to run. Most likely how Sandboxie is designed to work.

Again, once the browser is installed on the real system (not inside the sandbox) then you can restrict the browser to "ONLY" have Internet Access and Start/Run Access in Sandboxie.

Sandboxie Control > Configure > Edit Configuration: whether you type it in or copy & paste, the browser name does not show up in the Sandboxie Internet Access or Start/Run Access settings. The browser does, however, show up in Select a program name under Programs that were recently started.

Browser file name examples:
seamonkey.exe
iexplore.exe

Some examples you would find in the Sandboxie.ini file using these browsers:

ProcessGroup=<StartRunAccess>, seamonkey.exe
ProcessGroup=<InternetAccess>, seamonkey.exe

ProcessGroup=<StartRunAccess>, iexplore.exe
ProcessGroup=<InternetAccess>, iexplore.exe

NOTE: Sandboxie Forced Programs and Drop Rights were added when the browser was installed in the sandbox. I don't know for sure whether adding ProcessGroup lines in the Sandboxie.ini file manually means the browser is actually the "ONLY" app that has Internet Access and Start/Run Access, since it's not present in these two settings in Sandboxie. (browser program installed in sandbox)
     
    Last edited: Oct 31, 2014
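An added example, not from the thread or from Sandboxie, that parses ProcessGroup lines like the ones quoted in the post above and answers the "is the browser the ONLY app" question: a ProcessGroup line by itself only names a group, so the code also looks for the restriction line that closes the resource to non-members. The sample ini is constructed, and the exact enforcement lines (ClosedFilePath=!<InternetAccess>,\Device\Afd* and ClosedIpcPath=!<StartRunAccess>,*) are an assumption about how Sandboxie writes the Internet Access and Start/Run Access settings.

```python
# Added example (not from the thread or from Sandboxie): parse ProcessGroup
# lines plus the restriction lines that make a group effective, then report
# which programs may use Internet Access / Start/Run Access per sandbox.
# Assumption: the Sandbox Settings UI enforces the groups with
# "ClosedFilePath=!<InternetAccess>,\Device\Afd*" and
# "ClosedIpcPath=!<StartRunAccess>,*"; without such a line the group is inert.
import re
from typing import Dict, List

# Constructed sample Sandboxie.ini, modelled on the lines quoted in the post.
SAMPLE_INI = """
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
ProcessGroup=<StartRunAccess>, seamonkey.exe
ProcessGroup=<InternetAccess>, seamonkey.exe
ClosedFilePath=!<InternetAccess>,\\Device\\Afd*
ClosedIpcPath=!<StartRunAccess>,*

[FoxBox]
Enabled=y
ProcessGroup=<InternetAccess>,firefox.exe,plugin-container.exe
"""

GROUP_RE = re.compile(r"^ProcessGroup=<(\w+)>,(.*)$")
CLOSED_RE = re.compile(r"^Closed(?:File|Ipc)Path=!<(\w+)>,")


def parse_ini(text: str) -> Dict[str, dict]:
    """Map sandbox name -> {"groups": {group: [exe, ...]}, "enforced": {group}}."""
    boxes: Dict[str, dict] = {}
    box = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            box = boxes.setdefault(line[1:-1], {"groups": {}, "enforced": set()})
            continue
        if box is None:
            continue                      # key before any [section]
        m = GROUP_RE.match(line)
        if m:
            members = [p.strip().lower() for p in m.group(2).split(",") if p.strip()]
            box["groups"].setdefault(m.group(1), []).extend(members)
            continue
        m = CLOSED_RE.match(line)
        if m:
            box["enforced"].add(m.group(1))  # "!<Group>": closed to non-members
    return boxes


def who_may(boxes: Dict[str, dict], sandbox: str, group: str) -> List[str]:
    """Programs that may use `group` (InternetAccess / StartRunAccess) in `sandbox`.
    ["*"] means no restriction line is present, so every program may."""
    box = boxes.get(sandbox, {"groups": {}, "enforced": set()})
    if group not in box["enforced"]:
        return ["*"]
    return sorted(set(box["groups"].get(group, [])))


def is_only(boxes: Dict[str, dict], sandbox: str, group: str, exe: str) -> bool:
    """True when `exe` is the sole program with `group` access in `sandbox`."""
    return who_may(boxes, sandbox, group) == [exe.lower()]


if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    for name in cfg:
        for grp in ("InternetAccess", "StartRunAccess"):
            print(f"{name:14s} {grp:15s} {', '.join(who_may(cfg, name, grp))}")
```

In the sample, DefaultBox restricts both resources to seamonkey.exe, while FoxBox lists firefox.exe in a group that nothing enforces, so every program in that box still has Internet access.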
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
That's how it is by design. And it is clearly stated at the bottom of the Start/Run and Internet Access windows in Sandbox Settings. That is like that for safety. That way, for example, if a malicious program that is using the name Firefox gets downloaded in your restricted Firefox sandbox, the malware won't be able to run or connect as if it was the real Firefox (the one you have installed in your system). :cool:

Tzuk is a pretty clever guy, ain't he.

[Attachment: Sin título - copia.jpg (screenshot)]
    Bo
     
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
@bo elam
Your screenshot shows Firefox and other apps having Start/Run Access. In order for the browser to run it would have to be installed OUTSIDE the sandbox. (SeaMonkey only has Start/Run Access set.)
You would get a similar message with (firefox.exe). See screenshot.

The other screenshot shows what I would have to do in order to get the browser to run.
The same thing applies to Internet Access. (browser program installed in sandbox)

[Attachments: test 3.JPG, Test 2.JPG (screenshots)]
     
    Last edited: Oct 31, 2014
  23. 142395

    142395 Guest

CWS, sorry, now I don't have enough time for a detailed answer, and probably I can't reply today (and possibly tomorrow too).
So I'm glad that SLE made a good explanation for you.
BTW, can you post a link to where Curt said an independent security lab didn't find a vulnerability in SBIE?

3 short answers:
-While it's good that one security lab couldn't exploit SBIE, it doesn't prove SBIE never has vulnerabilities. Every piece of software has them.
Chrome also has them, but it is audited not only by experts at Google, but also by many experts (including McAfee, Symantec, and so on...) and even DIY programmers, as Chromium is open source.

-Chrome's renderer process runs at untrusted integrity, not low.

-Ask has nothing to do with Chrome, though some not-polite programs might bundle Ask with Chrome.

@Compu KTed
Ouch! Sorry, I forgot about that; yes, installed programs can't start/run or connect if not all programs are allowed!
Sorry for the completely wrong information!
However, I believe even without those restrictions SBIE is pretty safe.

I think Bo just wanted to show that message and he has Firefox installed outside of the sandbox, i.e. the real system, so no wonder?
     
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
So, like SLE said, Google Chrome is obviously more secure than SBIE 4.14 when it comes to exploits; however, this does not stop me if I want to use both (I mean sandboxed Google Chrome), and regarding ask.com, it is one of Google Chrome's search engines. I checked this out myself, case closed, no malware at all!

But are you 100% sure that Google Chrome's renderer process runs at untrusted integrity level (which is, of course, below low integrity level)?
Also, does chrome.exe run at untrusted integrity level, and is chrome.exe the broker or the renderer process? It could be the case that the broker runs at low integrity level, while Google Chrome's renderer process runs at untrusted integrity level. What are the key differences here?
     
    Last edited: Nov 1, 2014
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
So, does Google Chrome's renderer process and chrome.exe run at untrusted integrity level or low? Yuki confirmed that Google Chrome's renderer process does actually run at untrusted integrity level (which is below low).
So you said: Google Chrome is obviously more secure than SBIE 4.14 when it comes to exploits; however, this does not stop me if I want to use both (I mean sandboxed Google Chrome), and regarding ask.com, it is one of Google Chrome's search engines. I checked this out myself, case closed, no malware at all!

Unless you say that chrome.exe is the broker and runs at low integrity level, while Google Chrome's renderer process runs at untrusted integrity level. What are the key differences here?
     