Sandboxie Technologies (SBIE Open source)

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by bo elam, Apr 22, 2020.

  1. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    3,031
    thanks for the info, @diversenok . :thumb:
     
  2. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Interesting few days in this thread . It all seems storm in a tee cup to me though. Use the version you want.

    There doesn't seem any harm to me in saying you prefer the stability of your current set-up to moving to a different version. I also don't think there is anything wrong with being sceptical about a direction you don't like.

    On the other hand it is perfectly reasonable to point out potential vulnerabilities in older software.

    My own view is schism is inevitable with open source software. The only single source of truth for SBIE was its creator and sole arbiter of what was good and bad for the product for a very long time. If you didn't like his approach you were free not to use his software. He moved that on to others and we'll all have views on the success of that but it was their product to do what they wanted with. Again we could like it or drop it.

    SBIE now though is essentially public property. If you have the skills you can take it in the direction you choose. If, like most of us you don't, you use the version that suits you best.

    In the decision making process you consider many things. Your risk profile for example and whether identified security issues, that every single product has, are a concern to you or are likely real world scenarios. Even the big boys make trisk assessments about which gaps to plug in their multi-million selling products. If the issues are in your view not as important as perceived stability you gain from keeping your current version then why would you move?

    For me David is the only active developer. Operating system and software compatibility issues will grow over time. The version this thread is about therefore has an ever decreasing shelf life. I've therefore moved to David's versions as I think it is inevitable I'll have to at some point not because I worry about others. To be fair that's been a rocky road for me at times but the latest version (bearing in mind its still not reached a whole number in the development cycle) is working fine.

    The amount of info in this and other SBIE threads across the forum give enough for everyone to make an informed choice. The emphasis here is on choice.

    Cheers
     
  3. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,072
    Location:
    Brooklyn, NY
    Yes, OK, I see that POC in post #1024. That's exactly what Sbie was supposed to prevent--at all costs. And they at Sophos left it like that....

    Why should I care about an app that the owners of the code didn't care about? Did Sophos itself disclose at least some of these issues, specifically in v.5.33.6, or did a 3rd party watchdog do it? Pfft, to me it's tainted goods regardless now, esp. since Chromium v. 89 and I would not remain loyal in ANY event. Sophos had the final say over the devs and coders. So this is a waste of time to dissect anything about that.

    My machine, my property, my opinion. But actually, I respect the opinions of all, probably because so many here are way above my pay-grade. :)
     
  4. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    Here as a list of more or less severe vulnerabilities that have been fixed during the past year

    Code:
    ## [0.7.2 / 5.49.0] - 2021-03-04
    - FIXED: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
    
    ## [0.7.0 / 5.47.1] - 2021-02-21
    - FIXED: elevated sandboxed processes could access volumes/disks for reading (thanks hg421)
    
    ## [0.5.4d / 5.46.3] - 2021-01-11
    - FIXED: the registry isolation could be bypassed, present since Windows 10 Creators Update
    
    ## [0.5.4b / 5.46.1] - 2021-01-08
    - FIXED: a Sandboxed process could start sandboxed as system even with DropAdminRights in place   <---- this and ....
    
    ## [0.5.4 / 5.46.0] - 2021-01-06
    - FIXED: Sandboxie now strips particularly problematic privileges from sandboxed system tokens
    -- with those a process could attempt to bypass the sandbox isolation (thanks Diversenok)
    - FIXED: added print spooler filter to prevent printers from being set up outside the sandbox
    - FIXED: processes could spawn processes outside the sandbox (thanks Diversenok) <---- .... that were used in tne published PoC exploit
    - FIXED: bug in the dynamic IPC port handling allowed to bypass IPC isolation
    - FIXED: CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
    -- this allowed some system options to be changed
    
    ## [0.3 / 5.42] - 2020-07-04
    - FIXED: fixed permission issues with sandboxed system processes
    - FIXED: fixed missing SCM access check for sandboxed services (thanks Diversenok)  <---- using this instead of the non DropAdminRights one would also result in a UAC less exploit
    
    ## [0.2 / 5.41.0] - 2020-06-08
    - FIXED: sandboxed processes could obtain a write handle on non sandboxed processes (thanks Diversenok) <---- that could have been used instead of the other processes spawn one
    -- this allowed to inject code in non sandboxed processes
    

    So as you can see there is more then enough material here to craft multiple exploits and most of the issues are really severe:
    • we have 2 out right sandbox escape issues allowing to break out of the box and gain execution as system
    • a non existent registry isolation on windows 10 cu and later, just write something to the real autostart and you are out of the box at the next reboot.
    • 2 in box local privilege escalations one that can't even be mitigated by the DropAdminRights option.
    • we have 2 out of box local privilege escalations that allow non sandboxed user level programs to gain execution as system
    • and last but not least a hand full lesser issues, allowing to change system presets, install printers, read the content of the entire hard disk with upmost disregard to ClosedFilePath, etc....


    Now to reply to this claims after the PoC is public:


    Whomever worked on sbie making it fit for the Win10 Creators Update has broken the enforcement of the registry isolation entirely, by misplacing a return statement by one line.

    Whomever added support for Win10 2004 to one of the last Sophos builds messed up the handling of the new ContinueEx syscall, this is for many use-cases inconsequential, but programs like the line message end up n a dead lock, also the SbieDrv driver can not be unloaded anymore if this syscall was used by a sandboxed application.
    Whomever screwed that up was not familiar with sandboxie's code base enough, as there is a comment at:
    https://github.com/sandboxie/sandbo...d2cf986621b4f27e3ed9d/core/drv/syscall.c#L256
    that explains that syscalls like NtTerminateJobObject, NtTerminateProcess, NtTerminateThread, ZwContinue, ZwCallbackReturn, ZwRaiseException should _NOT_ be hooked and ZwContinueEx does the same as ZwContinue in fact on 2004 ZwContinue is just a wrapper for ZwContinueEx.

    Ok but thats childs play people are people they screw up if they are not carefull or uninformed.

    The next one is a big NO NO the boxed privilege escalation that bypasses DropAdminRights the SbieDll API exports a function that any sandboxed process can use to make the SbieSvc service start a process inside the sandbox as system. This function is present in sandboxie at least since the very first public 4.xx version.
    Whomever add that functionality to this function call may have head any thing in mind but security, sandboxie provides the DropAdminRights for a reason and generally the devs were carefull enough to also check it if a sandboxed program wants to start a service and with DropAdminRights block the operation. When adding said function no one thought of checking DropAdminRights at all!!!

    When implementing new CreateProcessInternalW hook code for the Win10 RS5 whomever did forgot to add the handling for lpProcessAttributes what thoroughly broke the MSI installer and a couple of other things.


    Also a really great thing, the windows driver verifier: https://sandboxie-website-archive.g...com/old-forums/viewtopiccebfcebf.html?t=25636
    Before I started working on the driver you could not even load it without crashing the system when the MS Driver Verifier was armed, now you can start firefox sandboxed and your system will not BSOD.
    I will not guarantee that I havn't missed some bad code in some obscure branch that is almost never taken, so there may be more things to upset the Verifier I just haven't stumbled upon yet but if there are and anyone brings them to my attention I will fix them as well.

    In the end i made the driver not just as far as my tests went pass MS Driver Verifier, but the hole darn WHQL testing, as required for the driver signature.

    Some thing that was calmed "due to the nature of Sandboxie" is not possible, clearly its was just a lack of afford and not an impossibility.

    And I did all that in my spare time!



    Professional windows kernel developers are no magic wizards, they also just cook with water as the saying goes. They are not special people that have only security an the highest coding standards in mind, they are just people working 9 to 5 and then going home.

    Dont get me wrong I have the upmost respect for the past authors of sandboxie, in the end they have created the most secure OS level sandbox for windows there is to date, at least known publicly.


    But I think what I have done in the last year is a testament to my skill set being more than adequate for this project.



    I am not opening any security holes, I would never knowingly weaken the isolation without making is a switchable, off by default option. I mean you can poke holes in your sandbox with wrong configuration as much as you want, so that's fine. What counts are the default presets. I even go as far as to warn users in the plus ui if one of their boxes has a particularly insecure configuration.

    I find it honestly very out of place to weald such baseless accusations eider you reed the code or at least the changelog and point to where something got supposedly weakened or please stop spreading baseless accusations.


    EDIT: One thing I must add, I don't know who add the code to fix compatibility issues with windows 8 and 10 but the code repairing the print spooler on win 8 and adding support for smart cards and proxy auto discovery on windows 10, poked a nice hole into the IPC isolation as boxed processes were allowed to tell the driver what IPC sub paths to open. So the developers were very willing to add a hole for the sake of compatibility, and to add insult to injury the hole was not required a small detour through the SbeiSvc and a check there in were enough to keep compatibility while closing said hole.


    Improving compatibility does not go hand in hand with poking holes, the way sandboxie works is it basically breaks everything and than carefully repairs all it broke by replacing windows API calls with own implementations that are secure, improving compatibility those for the most part can be achieved solely by improving the emulation of said API calls. Sometimes the emulation afford can be to big than a setting must be introduced to allow the user if he so chooses to open a small well defined hole to make a particular use case work. Like the support for screen readers already present in the old sandboxie, if you enable it a good part of the ui isolation gets disabled.



    My plans of making sandboxie not just a security product but a highly compatible software virtualization solution are not contradictory, individual boxes can be configured independently to the level of isolation any particular use case requires.
     
    Last edited: Jun 17, 2021
  5. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    431
    Amazing work, thank you very much, David.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,958
    Location:
    Mexico
    Now anyone can see who has better skills, love and transparency for sbie and users.

    Great post @DavidXanatos
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    3,031
    @DavidXanatos great kudos and respect to you. :thumb:
    i'm sure ronen's proud of your hard work.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,620
    Location:
    U.S.A. (South)
    Whoa. That's on the order of a Sam's Club 4 tier steel storage rack of quite a matter-of-facts.

    Very in-depth and varied. Thanks for sharing.
     
  9. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    65
    Location:
    UK
    +1
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,620
    Location:
    U.S.A. (South)
    I been bellyaching for years that "due to the nature of MICROSOFT", once Windows 10 was first introduced into the mix that it would create immense challenges and additional time of extra work for third party developers AND talented freelancers. In that vain Microsoft is not disappointed in the least.

    Yes Sandboxie was, and isn't immune no more than any other program of it's type to the deficiencies often experienced when having to cope with constantly adjusting code to fit another new arrangement of O/S system changes, which in turn likely frustrated some to the point of either overlooking important potential issues or getting so off track that the workflow/workload just simply overwhelmed them.
     
    Last edited: Jun 17, 2021
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,982
    Location:
    Nicaragua
    All this uyuyuy posts keep reminding me of Bromium, and like Bromium they would come to nothing. :)

    Conditions. To get infected, infections have to go thru steps. Sandoxie has always had holes, if you are a user who hasn't gotten infected since you became a SBIE user, it ll probably take at least a 100 years before you make the mistakes that are needed for the infection to succeed each step.. And that's the truth. Is not that easy to infect or get infected.

    What amazes me is how low this guys are willing to go to push their version of Sandboxie. They are now using punishment (in their view :D) to force and push people into conforming to their views and adopt a buggy version of Sandboxie. This is what David and Driver are saying, "You don't conform, we ll punish you".

    Driver, do it, perhaps you ll find a hater who is willing to waste time playing with the pocs. I doubt you ll find serious malware guys to even take a look at it, but perhaps a hater. Go.

    Bo
     
  12. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    Excuse me but what are you mumbling about? You asked yourself for proof...

    ...and such was provided. Nothing more nothing less.


    The job of sandboxie is to prevent an application that runs within it from altering the outside system, most notably to prevent a boxed process from spawning another one outside the box.

    Lets take a look on two infection scenarios
    case A)
    you download a keygen, or patcher or any other potentially compromised peace of software.
    you probably are going to execute this peace of software otherwise why bothering downloading it.
    bam! the software exploits the known and now very public vulnerabilities and your system is infected.

    case B)
    you visit a malicious website, that is more challenging, they need a browser exploit to first take over your browser,
    how convenient that you are running your chrome without its own sandbox in order to make it work in 5.33.6
    splendid make the job so much easier, the website takes over your browser.
    bam! and it exploits the known and now very public vulnerabilities and your system is infected.

    The entire point of sandboxie is to prevent a malicious peace of code that got its way to be executed from escaping it.


    So dear Bo, what is exactly your security boundary here?
    Use brain.exe to not visit sites that will hijack your chrome in the first place? I'm sorry but you don't need sandboxie to do that.
    Or is it never to run untrusted software? Again than you don't need sandboxie eider.


    Please explain what sort of demonstration would convince you that the version of sandboxie you are using is insecure.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,620
    Location:
    U.S.A. (South)
    I think I see the fervor on this one. (I experienced a sandboxie jump ONCE on old versions from a simple script kiddie file named AcidBlast which piled up launching HTML windows in rapid succession). Terminate Process in Sandboxie took care of that but you had to be quick on the draw let me tell you.

    The first 2 command boxes were indeed still contained in this sample but it's clear the 3rd one was the escapee which means the previous were the spawners. UGH
     
    Last edited: Jun 17, 2021
  14. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    @DavidXanatos - excellent summary of your work to date and evidence of your commitment. As noted users are free to make their own choices. Your recent post gives plenty of information to inform that choice. It won't change everyone's decision and that needs to be respected if not supported by others.

    Sophos clearly didn't want SBIE, they got it with Invicea and likely the aim was to let wither on the vine. As a result the required level of focus was not applied. A commited user base likely saved it The lack of interest is not a comment on the developers but the time Sophos allowed them to spend on it. Its really not a comment on Sophos either. Commercial organisations need to focus on profit making activity. Such a niche product was never going to make them the cash required to 'waste' significant development resource on. You've spent the time and uncovered and fixed issues but it is early days and confidence needs time to grow. There have also been some challenges in the operation of new functions and GUI gliches etc. That puts some off.

    I do wonder though why you waste your valuable time in this thread. Your own version is clearly improving through the cycle, has a number of knowledgeable contributors and is widely discussed in other threads. And you've very eloquently told everyone why you believe 5.33.6 is not the best option on a number of occasions.

    I don't see anyone here saying don't use Plus, just why they use 5.33.6. That might inevitably lead to comparison but I'm sure you're own version stands up well to that.

    In short I can't see why this has become such a heated issue now when clearly at some point this version will lose its relevance. Is it simply you've taken umbridge at the views of one member or do you see the 'it works fine for me' comments as a slight on your efforts or do you see the usage of this version as a threat to the wider project by leaving an (arguably) less secure version in use? Not accusations just interested in why this has gotten everyone so exercised.

    Thanks
     
  15. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    What is the alternative, Bo? Deliberately using insecure versions of security software? Sounds ridiculous, doesn't it?

    Severe vulnerabilities are meant to be disclosed after a certain period after they are fixed. They provide excellent educational material for security professionals, improve transparency and awareness, and remind users to update. It is a widely accepted practice that has nothing to do with punishing users.

    A typical agreement for responsible disclosure gives the vendor 90 days to address the issue, which can be extended on demand. I reported the exploits to Sophos in July of 2019, and nobody ever asked me to give them more time. So, I already waited for seven times more than necessary according to the guidelines. Even if we count from the moment David fixed them, it's between two to four times more than usual.

    Less technical users might not realize the amount and importance of security improvements made within the last year. It's my and David's job to make sure they can make an educated choice based on facts instead of roomers. A heated discussion doesn't make people more rational, but, at least, it draws attention to the topic.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,620
    Location:
    U.S.A. (South)
    Just run my nice notorious AcidBlast on Sandboxie Plus 5.48.5

    Also the PoC- AcidBlast ran scattering windows all over the place but not where I can't easily reach taskbar to TERMINATE from Sandboxie. Still yet this is only a prank type sample and does nothing to the system NOR jumped.

    PoC file was stopped cold first CMD window with error.

    Out of pure dumb curiosity @diversenok & @DavidXanatos have either of you or both tested it with fairly current OR even dated ransomware just to see how well or how much it can be contained?
     
  17. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    406
    Location:
    Austria
    @Elwe Singollo: I see the things a little bit different:

    If there is (especially) one member who all the time continued to praise the virtues of the old (Sophos) version, it was good, necessary and logical that at one moment David asked in this thread the crucial questions:
    And from this moment on started one of the most interesting and fascinating discussions concerning software that I know. It has technical, but also "ideological" and even psychological aspects. ;)

    I think by this discussion we already learned a lot - about both sides. And primarily about the qualities of "Sandboxie New" and David's enormous efforts and accomplishments in this respect (see especially his post #1029).

    You write it by yourself:
    Correct. And this is very useful information for all of us - and of course especially for some users who might still doubt if they should change to one of David's versions or stay with 5.33.6. (That the hardcore users of 5.33.6 will not become convinced is evident. :D)

    And a small clarification:
    This may apply to the Sandboxie Plus version. When chosing David's Sandboxie Classic you can use Sandboxie in the same way as the Sophos version (concerning functionality and GUI).
     
  18. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,072
    Location:
    Brooklyn, NY
    That confirms all I need to know. How infuriating! Now I better understand what others have been angry about all along. Sophos didn't care but would take your money for its vuln-laden security software up until the end when the license server went away. Right before it was dumped. And no word of its status for weeks and weeks, people asking constantly and in the dark.

    So glad I moved on to a viable, well-running and more secure version, developed competently and much more transparently. Someone wants to stay loyal to a software whose greedy and artful owners didn't give a whoop, that's fine but it's a choice I'm glad I'll never have to make again.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,620
    Location:
    U.S.A. (South)
    Couldn't agree more. We all NEED these type constructive arguments (for lack of a better term) or differences in order to nail down and learn in real time what exactly drives the ambitions/motives of both user & developer.

    There are some really good points raised and you can chuck the rest. Personal preferences vs realized potential from a software that is captured an incredibly popular & massive following for some many years.
     
  20. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    406
    Location:
    Austria
    It's not my intention to defend a software company or to ignore their mistakes. But we should also appreciate and be grateful for Sophos' decision to make Sandboxie open source. They had no obligation to do this. Without their decision there would have been no possibility for further development (by David, assisted by diversenok and others) and no possibility (for all of us) to move on to the version we enjoy today. Sandboxie would simply be dead.
     
  21. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,072
    Location:
    Brooklyn, NY
    Maybe a dev or coder at the time indicated to Sophos corporate heads a willingness to pick up Sandboxie after it was discarded. Maybe it was even the dev. named Tom whose intention it seems was to continue the development outside the Sophos/ThomaBravo corporate circle. Who knows? I'm sorry, I'm just not as generous and forgiving. I remember clearly how concerned, even anguished some of the more advanced users were at the radio silence concerning this wonderful software in the hands of Sophos and not a word, not a peep for weeks on end.

    Well, it's moot now anyway and I'm done. This thread does have a good purpose-it allows for some SERIOUS venting! :oops:
     
  22. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    @diversenok I find it interesting you think it's your job. Those who have the knowledge undoubtedly have a responsibility to share it. It's not quite the same as what's happening here though in my view. You've already shared the POCs with the one person currently able to do anything about it and David had resolved the issues. Both David and yourself have subsequently reinforced the fact 5.33.6 does not benefit from those fixes and many other coding changes. The whole argument is backward looking for me. You have a dynamic developing project and I guess I don't see why you need to stop and use energy best used for future development to further 'educate' users of another version. To be honest it feels at bit like 'I'm cleverer than you so you must listen to me' and that rarely gets the result you want.

    @Peter 123 and @EASTER thanks guys I really enjoy reading your posts across the forums. it is all about opinions though. I've personally learned nothing from this not available in other threads or previously discussed in this one, although there is more detail here but really I'm not technically competent enough to get much benefit from it and suspect neither are most involved in the discussion. You therefore either belive David and Diversnok or you don't. I therefore see nothing constrctive but more an attempt to move stragglers onto the DX versions by suggesting releasing the POCs which in itself I find laughable. The tiny subset of users would be never be of interest to the criminal gangs that spread modern malware. Not enough cash in it for the effort.

    It is just a matter of fact that 5.33.6 is in the public domain and people can use it if they want. It's really all I was trying to say. That David and Diversnok have helped make a version that patches issues with that version is clear to anyone interested. 5.33.6 users will accept that or not and factor in things like trust and usability. Nothing here suggests a lightbulb moment is imminent for those content with version they're using.

    I have had commercial dealings with Sophos. I thought SBIE was a gonner when they took over. There's obviously been shortcuts and lack of appropriate resource allocation but they could have killed it long ago. They didn't or we wouldn't be discussing this now. So some credit due I agree. At the end of the day it's history though. The proprietary SBIE is gone and open source is proving its worth. I appreciate trust in Sophos has been raised as a positive of continuing to use 5.33.6 but the point around issues from that time is made in my view. Why continue to 'put the boot in' as we say in my part of the world to Sophos just to prove your view/version/skill level is better. I really don't get it. Better to just move on.

    Anyway I'll take my own advice and look forward. The product being discussed in this thread is on an inevitable path to irrelevance due to lack of development when the rest of software, hardware and development world moves on.

    Those benefiting from the discussion should course continue to do so. I'd look forward to a lot more head butting with little in the way of any ground being given unless parties just agree to differ if I were you. We all have choices though. I've made mine.

    Thanks for taking time to read and respond to previous comments. Best wishes and happy head butting.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,620
    Location:
    U.S.A. (South)
    Pure speculation. It doesn't matter the who, what or why this far down the turnpike. The change is long since been decided and you now have an open source model of one of the most popular programs the internet is ever known reaching as far back as what, Windows 98?

    And the beforehand users as well.


    Respectfully and totally disagree. This thread is proven more useful than ever. For some users who have their systems already safely secured, those particular users who continue to use older versions can benefit either way if not enhance their curiosity as to if their comfortable or not with their own real world results. sandboxie-icon-32.png

    If nothing else it's become quite informative or the developer(s) wouldn't bother giving any attention to it at all to begin with. Rants aside. :)
     
    Last edited: Jun 17, 2021
  24. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    154
    Location:
    New Zealand
    It absolutely is!! For me, you've beyond proved yourself. I'm grateful to you, as well as diversenok & hg421, and really respect the skills you all have respectively in identifying and fixing vulnerabilities and making this security product secure, and therefore fit for purpose. I'm also grateful to Sophos for making the product open source, but it's to their shame that they were alerted to severe security problems back in July 2019 and did absolutely nothing about them. In my line of work as a health professional, if I'd been alerted to a failing in a product or process that I chose to ignore and therefore failed to protect my patients from, I'd be likely be dragged through court and struck off. Even if those failings did not result in harm - the fact they could have would be enough.

    Bo, it's your choice what you use on your PC and why, but don't go accusing David of not being up to the job and saying things which are not true. Saying he is poking holes in the product with no evidence of this (when in fact the opposite is true) is both damaging and extremely rude. There is nothing wrong with anyone alerting readers of this forum to the fact that this old version of Sandboxie has vulnerabilities and letting them know they have a choice of a secure product as an alternative, IF they want to use it. It's about making an informed choice. If I was consulting a SECURITY forum, I'd want to know about this, and be annoyed if that information was withheld from me.
     
    Last edited: Jun 18, 2021
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,982
    Location:
    Nicaragua
    OK, lets take a quick look at those two scenarios. I ll do it with my personal case use of the computer in mind, Sandboxie, and whatever else I use for security. Must do it this way since everyone uses their computer differently.

    Case A. First of all, I don't download keygens, cracks, or any type of illegal software, that right there kills any chances your POC (once is turned into malware) has of infecting me. Not one in a million. On top of that, read this, I bought my W10 in July 2017. In the first few hours I had the computer, I installed the very few programs I use. Since that day till today, I have only changed one program. In other words, I have only ran one executable outside the sandbox in my W10 since July 7th 2017. And that executable was for a very well know program, widely used, program with a good reputation that has been around for many years and the executable was downloaded from the developers website. Sorry David, your POC can't even hit a foul ball against me.

    Case B: Your chances in this scenario are as bad. Look David, When I browse, NoScript blocks and Sandboxie contains. When I am browsing I give most of the credit for keeping me clean to NoScript. I felt this way for years. I wrote what I am going to say now more than a few times before but perhaps you never read it: NoScript turns the sharks of the internet into sardines. Thats how strong I feel about the protection I get from NoScript. NoScript allows me to go to any website and even though it might be infected, I ll come out like nothing.. Perhaps the guys who visited the website before and after I did got infected, but not me, I go to the website, get what I want out of it, and don't even know that the site is compromised.

    For an exploit to run, it has to be allowed to run, usually an script. And I don't. When I navigate the internet, I only allow to run whats necessary to get the content I want. If I go to a website and all I want is read and dont need to allow anything to run, I don't allow nothing. I been using NoScipt for as long as I been using Sandboxie, almost to the day. And I know how to use it as well as I know how to use SBIE. Your chances of getting to me with Case B are also 0.

    Bo
     
    Last edited: Jun 17, 2021
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.