Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. 142395

    142395 Guest

    Then, just use SBIE with tight settings and before your transaction empty all sandboxes, you're done!
    You should never block all dlls as most of them are there because they're needed.
    If you do that, you'll just break the app. Is your desire to sacrifice everything for security?―probably not.
    Also even if you blocked all dlls, what if the next kernel exploit doesn't involve dlls?
    E.g. how can you block this when SBIE can't block a driver (.sys file)?
    http://nakedsecurity.sophos.com/201...ay-xp-kernel-bug-being-exploited-in-the-wild/

    I'm not sure what you mean by 'via API', but maybe you misunderstand API.
    API―application programming interface is a kind of middleman who makes OS functions available to the programmer. In Windows, there're 2 kinds of APIs, Win32 API and Native API, and the former is in user space while the latter is in kernel space.
    It is possible that a driver targeted by some kernel exploit is needed for a certain API, or the API itself might have a vulnerability, but those won't be what you're meaning by saying that.
    Exactly speaking, SBIE doesn't block any exploit, it just contains them in a restricted environment.
    Honestly, I can't get what you're meaning.
    SBIE will never decrease the attack surface for Chrome, it can only increase it―though it's almost negligible.
    Chrome gives the least attack surface for an attacker, its renderer can't access anything. If you say what if the broker is exploited, then actually the same goes for SBIE.
    SBIE's architecture is somewhat similar to Chrome's one, the SBIE service is like the broker process and the sandboxed browser is like the renderer.
    But in each case, exploiting the broker or the SBIE service is really hard.
    Also potentially SBIE might reduce Chrome's own security because when sandboxed, even the broker process runs in untrusted IL.
    You might think it's a better thing, but it might break some of Chrome's own functions―but even if that is the case, still now SBIE cares about any breach instead of the broker.
     
  2. 142395

    142395 Guest

    No, I just said pretty safe.
    Not the same of course, but SBIE with default settings provides good enough security as long as you keep best practice.
    Make sure your system & software are up-to-date, never be click-happy, keep up with the latest threat info, and empty all sandboxes before you log in to any service.
    I'm sure it gives you more than 99% security even w/out Start/Run & Network restrictions, and anyway 100% is never possible.

    If you still mind, you can combine strict firewall rules and application whitelisting software which is compatible with SBIE.
    You can also combine Toolwiz Timefreeze or Shadow Defender.
    I use SecureAPlus for whitelisting, and it can block unknown programs in the sandbox.
    Also I'm combining Toolwiz, just enter time-freeze mode and install any program, then launch it via SBIE with any restriction you want.
    Those are what I'm doing.
    Keeping programs permanently installed in the sandbox is not good as they're left behind on updates unless you update the sandboxed program, and yes they might have been infected.
    Just install every time you need, and delete them when no more needed.

    If you feel configuring the browser each time is too much trouble, just save their profile right after you build the ideal config and be sure that they're clean.
    Then I think you just have to override the original profile with that inside SBIE via a sandboxed explorer.
    But I haven't tried it.
     
  3. 142395

    142395 Guest

    I wonder why people don't understand Duqu is targeted malware.
    Once the attacker got kernel privilege, he can forcibly uninstall security software. The fact that a certain program could stop Duqu makes no sense when it comes to a targeted attack, that simply means that the target didn't deploy the product.
    If the attacker knows the target uses the program―remember in APT the attacker usually knows what security the target has and much more―they will try to bypass the product.

    But most of us will never come across such an advanced attack anyway.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The irony here is that people who are targeted are usually not very good at protecting themselves.
     
  5. 142395

    142395 Guest

    Hahaha, you really hit the nail on the head!

    Well, there're still some exceptions, of course.
    But I agree, most companies are easily compromised even w/out an advanced attack.
    In those cases just tricking an employee with a common, already patched exploit works well.
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    You mean why would SBIE be stronger than Chrome in the first place if both SBIE4 and Chrome are based on OS security mechanisms/integrity levels?
    First question: Is there any way to be 100% sure to say which one has more benefits, Google Chrome or Sandboxie? More knowledgeable posters here simply say that running Chrome under SBIE4's supervision will actually decrease Chrome's protection against exploits and everything else, so this is my question, what is true and what is a myth, because like you said all the posts made concerning running Chrome under the supervision of SBIE4 are purely theoretical, what are the facts then?

    Second question, I'm saying this if I allow only sandboxed Google Chrome/chrome.exe to start/run and access the internet, and everything else regarding communication is blocked, how come Chrome would not be more secure under SBIE4's supervision, again is there any way to test this and see for sure if Chrome under SBIE4's supervision is less secure against exploits and everything else than unsandboxed Google Chrome?
    What exactly am I missing here?

    So, what's the point and what is the solution with or without Sandboxie, running sandboxed or unsandboxed Chrome?

    How good is unsandboxed Google Chrome against exploits? They answered me that Google Chrome against exploits is truly very, very strong, but is Google Chrome equally strong (how strong, exactly) against buffer overflow exploits? Again I'm not talking about kernel-level exploits and I'm not talking about kernel-level buffer overflows/overflow exploits at all, but all other exploits and all other buffer overflows!

    And what do you mean by "The only thing I can imagine is that the additional SBIE restrictions and side-by-side (hook based) protections make it more complex to exploit a bug in a predictable manner".

    I would like to post this to Curt, I wonder what he would answer?
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Wait, didn't you say that anyone can bypass any security software including Sandboxie, Chrome, MBAE, HmPA, EMET etc., by using API or APT in an earlier post?

    Let me see if I understand this or not:
    Regarding SBIE4 and Chrome, so basically from what I understand from this is the following, some of the functions can be or are broken when you run Chrome sandboxed, which actually decreases Chrome's security and protection, but SBIE4 itself manages to nullify this decrease in Chrome's security and protection (against exploits and everything else) by SBIE4 (which protects those areas on the same level as unsandboxed Chrome protects) where security and protection of sandboxed Chrome is decreased (caused by running Chrome sandboxed).

    The real question is what is harder to exploit, SBIE service/sandboxed browser or unsandboxed Google Chrome?

    Is sandboxed Google Chrome easier to exploit (if SBIE4 simply nullifies that decreased level of sandboxed Chrome's security and protection, then unsandboxed Google Chrome is then equally strong to sandboxed Google Chrome when it comes to protection/security against exploits and everything else) than unsandboxed Google Chrome/chrome.exe etc?

    This means that you're basically trying to say that sandboxed Chrome's protection/security = unsandboxed Chrome's security/protection against all exploits and everything else, based on your statements and the above statements about SBIE4 nullifying the decrease of sandboxed Chrome's security/protection.

    Sorry for my English, it seems to me that I got lost in translation and in explanation, my bad, sorry, I'm not even sure if this is correct what I wrote here about Google Chrome and Sandboxie.
    Sorry for being a very, very stressful person here.
    But when you give me answers I come up with some newer questions, I should really stop doing this.
     
    Last edited: Nov 4, 2014
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Don't stop, please. This is the true way to acquire knowledge and get acquainted with this great program Sandboxie.
    The worst thing that could happen is that no one could answer any of them, for the time being.
     
  9. 142395

    142395 Guest

    Short answer is no, I didn't say that.
    I'll explain the day after tomorrow as I'll have time, but sorry not now.
    Also you don't need to apologize;)
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    From Tzuk, about running Chrome under Sandboxie.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=11788

    Bo
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,448
    Setup consists of:

    All sandboxes used are changed from default settings.
    Programs installed inside sandbox are used for trying out the program and then contents are securely deleted.
    Restricted account in Windows for everyday use and Drop Rights in Sandboxie for admin account.
    Any Internet facing apps are run sandboxed along with any others I choose to run sandboxed.
    Already have Firewall rules and system wide virtualization in place.
    Keylogger protection since Sandboxie cannot notify (already tested) and not designed as an Anti-Keylogger.
    Sandboxed Explorer when needed and all USB flash drives able to run sandboxed as well.

    Think I covered most bases and along with other security software in place am pretty well protected.
     
    Last edited: Nov 4, 2014
  12. 142395

    142395 Guest

    @cws
    just a clue: APT≠API
    Quite a robust setup, isn't it?;)
    So I think you're safe even w/out Start/Run and Network restrictions.
     
  13. Chrome uses three levels of integrity (medium, low, untrusted) so it has reduced side-by-side attacks also (a medium IL process is allowed to change objects of another medium IL process). Sandboxie has a protection (probably also userland hooking) mechanism which prevents side-by-side infection. This makes it more complex for an exploit to operate. This is probably the reason why some exploits are not effective when SBIE is protecting Chrome (at least that is what I read in the post of Curt you quoted here).
     
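The integrity-level claims in the post above (and the Process Explorer observation in the reply that follows) can be checked directly rather than taken on trust. The script below is an added example written for this thread, not code from Sandboxie or Chrome. It reads each process token's mandatory label via `GetTokenInformation(TokenIntegrityLevel)` and prints Chrome's broker and child processes next to the Sandboxie service processes. The process names `SbieSvc`, `SandboxieRpcSs` and `SandboxieDcomLaunch` are assumptions about what a Sandboxie 4 install runs; adjust them to whatever Process Explorer shows on your machine. Processes running as SYSTEM (such as the Sandboxie service) will report `n/a` unless the shell is elevated, because a medium-IL user cannot open their tokens.

```powershell
# Added example (not from the thread): list the integrity level of Chrome and
# Sandboxie processes so the "medium / low / untrusted" claim can be verified.
# Windows only (Windows PowerShell 5.x or PowerShell 7). Process names are assumptions.

if (-not ('TokenIL' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;

public static class TokenIL
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS member

    // Returns the last sub-authority (RID) of the token's mandatory label SID:
    // 0x0000 untrusted, 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system.
    public static int GetIntegrityRid(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero, buffer = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token)) throw new Win32Exception();
            int needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed); // size probe
            buffer = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed))
                throw new Win32Exception();
            // TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES; its first field is the PSID.
            IntPtr sid = Marshal.ReadIntPtr(buffer);
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            if (token  != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
"@
}

function Get-ProcessIntegrityLevel {
    param([string[]]$Name = @('chrome', 'SbieSvc', 'SandboxieRpcSs', 'SandboxieDcomLaunch'))

    # SECURITY_MANDATORY_*_RID values from winnt.h
    $labels = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x2100 = 'MediumPlus'
                 0x3000 = 'High'; 0x4000 = 'System'; 0x5000 = 'ProtectedProcess' }

    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $level = 'n/a (access denied)'   # typical for SYSTEM-owned processes from a non-elevated shell
        try {
            $rid   = [TokenIL]::GetIntegrityRid($_.Id)
            $level = $labels[$rid]
            if (-not $level) { $level = '0x{0:X4}' -f $rid }
        } catch { }

        # Chrome's command line separates the broker (no --type) from renderer/GPU/utility children.
        $cmd  = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
        $role = if ($cmd -match '--type=(\w+)') { $Matches[1] } else { 'browser/broker' }

        [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; Role = $role; IntegrityLevel = $level }
    }
}

Get-ProcessIntegrityLevel | Sort-Object Name, Role | Format-Table -AutoSize
```

Run it once with Chrome started normally and once with Chrome started through Sandboxie, and compare the `IntegrityLevel` column for the `browser/broker` row and the `renderer` rows; that is the same information Process Explorer shows in its Integrity column, but captured in a form you can diff between the two runs.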
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Thanks for confirming what I figured I was seeing in Process Explorer a few days ago :)
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What do you mean by some exploits, do you mean many exploits? So, I presume there are exploits which Chrome protects against better without SBIE4's protection than sandboxed (if you know what I mean)?
    Are there any examples?
    One more question: Also you could read Bo's last post here about what Tzuk wrote about that one exploit that was able to run a webpage outside Chrome's sandbox, and this is why it is recommended to have SBIE4 protect Google Chrome.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Everybody is ignoring this, Bo, I don't ignore it, this is why it is recommended to have SBIE protecting Google Chrome in the first place, sandboxed Google Chrome is undoubtedly more secure, and this is direct evidence, about what Tzuk posted.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    I don't know why you're coming up with that idea. I know most people who use Sandboxie and Chrome sandbox Chrome, all you have to do to know that is go to the Sandboxie forum. I would sandbox Chrome if I was a Chrome user. CWS, haven't you realized yet that most of the people who talk about increasing the attack surface by sandboxing Chrome are not even Sandboxie users. If they were SBIE users, they'll probably sandbox Chrome or drop Chrome and start using Firefox.

    Bo
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    CWS, there is no software that can protect you against everything. Clear your sandbox etc. as recommended before any critical stuff like banking etc., so no keyloggers are after you. And you will be fine. I sandbox Chrome the same as Firefox (and I know some person will always come after reading this, to post the opposite, let him/her and try to ignore it, but I know you can't, with your want of a perfect protection).
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    As I learned on these forums and the Sandboxie forums, low are the odds to catch a very specialized kernel mode exploit in the wild which could bypass Sandboxie. More likely is to catch user mode buffer overflows or exploits (which are the higher percentage) in the wild that are easily contained by Sandboxie. So for me it's better to use Sandboxie even if it increases my attack surface since Sandboxie protects a lot more than otherwise.
    Since there is no perfection in this Universe (and it doesn't exist since it just exists as a mere human abstraction), perfect security will never get accomplished and people (hackers) who make software exploitation a way of living never stop working...
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    And I know that. This is why I use Zemana Anti-Keylogger protection with Sandboxie, just in case and yes my computer is 100% clean.
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I agree with you, here.
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Oh, with Sandboxie 4.14, I always sandbox IE11, I also always sandbox Mozilla Firefox 33.02 and I also always sandbox Google Chrome (newest version). All of my web browsers (all versions of the mentioned web browsers) are always running sandboxed.
     