Sandboxie vs. SpyShelter Restriction...

Discussion in 'sandboxing & virtualization' started by sweater, Apr 5, 2014.

  1. sweater

    sweater Registered Member

    Just curious, which of the two is more effective... in protecting the browser?

    The Sandboxie sandbox power or SpyShelter's Restriction mode?

    Coz I was then thinking that maybe I don't need Sandboxie anymore and putting my browser in SS restriction mode is just ok... what do you think?
     
  2. Windows_Security

    Windows_Security Registered Member

    SpyShelter's restricted mode is more like AppGuard's Protected Apps feature.

    It makes sure the "restricted" application will always run in a limited environment.

    SpyShelter can be made into a policy HIPS, for instance by "auto" allowing Microsoft signed binaries. This puts a theoretical hole in the HIPS module of SpyShelter. By running your browser as restricted, this is closed to user land level permissions.

    Comodo has a similar feature, trusting publishers and running specific programs as partially limited. See https://www.wilderssecurity.com/showthread.php?t=339661. With the new behavioral blocker being more advanced, I have no idea how the behavioral blocker is affected by the exclusion of windows/program files (guess you could remove Windows and EMET from excluded directories, but since I have not tested that, please always back up an image before testing stuff).
     
    Last edited: Apr 5, 2014
  3. kjdemuth

    kjdemuth Registered Member

    I don't think that you need SpyShelter actually. Sandboxie can be set up to restrict just about anything on your system. You already have the HIPS in Eset that can be set to also restrict many items. You might want to put it in learning mode and make sure before setting everything to max.
     
  4. ams963

    ams963 Registered Member

    @kjdemuth
    Couldn't agree more.:thumb:
     
  5. bo elam

    bo elam Registered Member

    You are right about one thing: choosing to use one or the other is the right thing to do. Countless times I have seen people trying to use both programs at the same time and the result is always the same, conflict. I recommend Sandboxie over SpyShelter since I know that Sandboxie is one of those rare programs that really protect users and it does what it claims (no maybe:cool: ) but I have never used or tested SpyShelter.

    Bo
     
  6. Rasheed187

    Rasheed187 Registered Member

    I haven't used this feature in SpyShelter, but if configured correctly it's probably quite strong protection.

    But I still think the protection offered by SBIE is slightly better, also because of the virtualization. :thumb:
     
  7. Windows_Security

    Windows_Security Registered Member

    How can you recommend one above the other when you have not used both? I have tested both, they're both good, one is free at 32 bits, the other is free with startup delay, so on 32 bits I would incline to use SpyShelter Free, on 64 bits Sandboxie Free.
     
  8. bo elam

    bo elam Registered Member

    How? Easy answer... because I know Sandboxie is "one of those rare programs that really protect users and it does what it claims (no maybe:cool: )". To be fair to people that read this thread and don't know me, I mentioned that I have never used SpyShelter. You are complaining about nothing.

    I posted earlier because people should use one program or the other since using both at the same time is guaranteed to be problematic. A warning. What's wrong with doing that?
    Well, you use free, I use paid and both of my computers are 32 bits. And on both, I got nothing but Sandboxie. And despite me being light years behind you in computer knowledge, I can't get infected even if I tried to do so. And that, Mr Kees, is due to Sandboxie. That's why I recommend the program as strongly as I do.

    Bo
     
    Last edited: Apr 8, 2014
  9. Rasheed187

    Rasheed187 Registered Member

    Now that I think of it, will SpyShelter's restrict mode automatically block all malicious behavior, or will it still alert you? :)
     
  10. Windows_Security

    Windows_Security Registered Member

    @bo elam
    BO, virtualization/sandboxing is a good thing to do, so I can't disagree with people buying Sandboxie or DefenseWall (on 32 bits), good choice.

    @Rasheed
    The paid gives a warning with option to exclude a directory to Restricted mode protection. The free only tells you access is blocked. So for the free to work with for instance Internet Explorer, you would have a default setup (e.g. not have moved your documents to other partition). In the free version everyone can add USB drives to restricted protection, without problems.

    Regards Kees
     
  11. Rasheed187

    Rasheed187 Registered Member

    @ Windows_Security

    You misunderstood me, what I meant is:

    SS is monitoring about 57 possible malicious behaviors, right? So will SS automatically block a restricted app, from performing those actions?

    See pic. :)
     

    Attached Files:

    • SS.png
  12. ichito

    ichito Registered Member

    @Rasheed
    Below you have a quote from the SS guide (page 22):

    "Restricted Apps tab
    This features allows you to choose some application that you want to run with
    lower privileges. Applications running in restricted mode have limited access to
    system resources such as registry keys, files, webcam, microphone, keylogging,
    hooks installing, usual administrative tasks (such as stopping, registering, running
    services and drivers) and so on.
    Other restrictions for applications running in restricted mode include:
    1) Registry hive HKLM are not writeable (access to other registry keys can be also
    limited).
    2) Restricted file access (as you can see in the appropriate Spyshelter tab).
    3) Restrictions on other system objects (based on system security settings).
    4) All dangerous actions are blocked automatically for applications running in
    restricted mode.
    5) Children of restricted processes are also restricted.
    (...)
    You can also allow the applications in this list to capture images from the webcam
    and to record sound. Usually, these two options are automatically checked when
    you add an application to the list. If this is not what you want, you just need to
    right-click on an item and select Deny webcam capture and/or Deny sound
    record."
     
  13. Rasheed187

    Rasheed187 Registered Member

    @ ichito

    I should have searched for the manual, thanks. :)

    So it looks like the restriction feature is quite powerful, but SS should give you more control over it IMO.
     
  14. ichito

    ichito Registered Member

    Its "restricted apps" feature is similar to Run Safer mode in Online Armor or restricted/limited rights in Privatefirewall that are quite powerful but they have any settings to making by user...so you shouldn't complain :)
     
  15. delerious

    delerious Registered Member

    Correct me if I'm wrong, but even if you have Sandboxie installed, a keylogger could still run in the sandbox and capture your keystrokes. This is where it would be good to also have SpyShelter installed.
     
  16. bo elam

    bo elam Registered Member

    If you are browsing and a key logger is downloaded into the sandbox, it will run if you are not using Start/Run restrictions. But if in the same sandbox, only your browser is allowed internet access, then the key logger won't be able to send information out. Despite using internet access restrictions, if one of your addons is malware, then it will be able to hijack the browser and use it to send information out.

    Restrictions can help somewhat but Sandboxie is not an anti key logger. Sandboxie's best protection against key loggers is deleting the sandbox. And, of course, if your system is infected with a key logger (outside the sandbox) then don't expect nothing from SBIE.
    http://www.sandboxie.com/index.php?DetectingKeyLoggers#defend

    Bo
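
The Start/Run and Internet access restrictions described in the post above are per-sandbox settings, so it is worth checking which sandboxes actually have them. The following is an added example, not code from the thread or from Sandboxie: a Python audit of a Sandboxie.ini that lists, per sandbox, which programs each restriction allows. It assumes the classic key forms `ClosedIpcPath=!<group>,*` (Start/Run) and `ClosedFilePath=!<group>,InternetAccessDevices` (Internet access) with `ProcessGroup` membership lists; the sample file, box names and function names are constructed.

```python
# Constructed sample; read a real Sandboxie.ini with open(path, encoding="utf-16").
SAMPLE_INI = """\
[GlobalSettings]
EditAdminOnly=y
[BrowserBox]
Enabled=y
ProcessGroup=<StartRunAccess>,firefox.exe,plugin-container.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
[DownloadsBox]
Enabled=y
ClosedFilePath=C:\\Users\\*\\Documents\\*
"""

# restriction -> (setting, target that marks it); key forms are an assumption (see lead-in)
RULES = {"start_run": ("ClosedIpcPath", "*"), "internet": ("ClosedFilePath", "InternetAccessDevices")}


def parse_ini(text):
    """Return {section: [(key, value), ...]}; repeated keys are kept, unlike configparser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections


def audit(text):
    """Map each sandbox to the programs each restriction allows (None = restriction not set)."""
    report = {}
    for name, items in parse_ini(text).items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue  # these sections are not sandboxes
        groups = {}
        for key, value in items:
            if key == "ProcessGroup":
                group, *members = value.split(",")
                groups.setdefault(group, []).extend(members)
        report[name] = {}
        for label, (setting, wanted) in RULES.items():
            hits = [v.split(",")[0][1:] for k, v in items
                    if k == setting and v.startswith("!<") and v.split(",", 1)[1:] == [wanted]]
            report[name][label] = groups.get(hits[-1], []) if hits else None
    return report
```

A sandbox that reports `None` for `start_run` will let any downloaded program run inside it, which is the case the post above describes.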
     
  17. Rasheed187

    Rasheed187 Registered Member

    Good point, SBIE won't protect you from malware running in the sandbox, at least not without hardening some settings. :)

    If I'm correct, a tool like SS is indeed able to notify you about suspicious behavior, even when the process is sandboxed by SBIE.
     
  18. Rasheed187

    Rasheed187 Registered Member

    I'm not sure what you mean with: "you shouldn't complain". :)

    Do you perhaps mean that in your opinion developers should decide what's blocked in restricted mode?
    If so, fair point, but if an app is restricted too much, it might not work at all.

    That's why IMO, HIPS should give you full (and easy) control over all apps, I mean something like this:

    http://s14.postimg.org/h866f9jlt/NG_Sonar.png
     
  19. ichito

    ichito Registered Member

    @Rasheed...
    I mean that SS is quite powerful even if its options to manage permissions for certain app are so "poor". SS is focused on anti-keylogging protection and "Restricted Apps" feature has been introduced ca 2 years ago to extend protection area and make SS more suitable for users.
    In apps like OA or PFW in advanced settings you can decide what certain program can do...write, read, access, trying internet connection, launching other process, etc...but its feature "restricted/limited rights" is very easy to switch on - one click and it is. In SS is in other way - no advanced options in HIPS module for each single app but there is more options for restriction.
    I'm not sure if I was enough clear in my words...forgive me please :)
     
  20. Rasheed187

    Rasheed187 Registered Member

    I now get what you're saying. :)

    Like I said before, a bit more control would be nice. I'm very picky so that's why I'm not satisfied with SS at the moment.
     
  21. marzametal

    marzametal Registered Member

    Is there still a clash between SpyShelter and Sandboxie? Not happy that SpyShelter forces me to change to better compatibility... would only be using browser for Sandboxie.
     
  22. Lagavulin16

    Lagavulin16 Registered Member

    @marzametal

    There is absolutely no clash between SpyShelter and Sandboxie. Initially, the HIPS factor with SpyShelter may possibly have an issue with Sandboxie run as an unknown application. This happened with me previous versions ago, which is why I add the caveat "may possibly." It was a simple matter to go into Application Rules and "allow" the Sandboxie executables. Clearly illustrated, easily accomplished. 30 seconds max. Give it a shot. And if you like it, don't leave home without it. :)

    Edit: I really should add that a certain poster here has insisted that the user interface is "unhandy." I've tinkered with a few firewalls and this firewall is as easy as any other to set and forget. Consider the on-line reviews, the frequent updates, and the optional lifetime license. The best point I should make is unhandy shmunhandy.. :argh:
     
    Last edited: Jan 21, 2015
  23. Peter2150

    Peter2150 Global Moderator

    One thing that makes Sandboxie a bit unique is the ability to kill running processes with a right click on the sys tray icon. I stumbled onto one of those nasty websites that doesn't trigger any bad behavior alerts, but locks the browser pretty tight. Not sure if there are any other solutions but I was able to kill it with SBIE.

    Also I want to give Spy Shelter a spin, and that stupid restriction on the trial was a real put off. That alone would be enough for me to not trust it.
     
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Just for the record, Bo, Sandboxie's Internet access restrictions and especially start/run restrictions can protect against almost all forms of keyloggers (I tested this on my own many times), except those inside browser, however, like you said; you simply close your sandboxed web-browser and all of keyloggers that run within web-browser are also 100% deleted.
     
  25. Yuki2718

    Yuki2718 Registered Member

    So is there no conflict btwn SBIE and SS now?
    A reason I haven't even tested SS is this, I heard they conflict in other place and I don't want to give SBIE up for SS.
    If they don't conflict in any means, it's great news for me.
    Do you know any other conflict with other widely used security software?
     