Sandboxie VS VirtualBox...

Discussion in 'sandboxing & virtualization' started by KindaParanoid21, Jun 21, 2014.

Thread Status:
Not open for further replies.
  1. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    46
    Hey again, my question \ issue is quicker this time as opposed to my inaugural issue.

    What is better for testing risky programs? Sandboxie, or a VirtualBox with XP, 7 or 8? SB is less involved obviously and can be used on the fly, where a VB is more involved, but I'm curious as to what y'all think!

    And same question for risky surfing or downloading... IE Porn mode! Better to do it within a VB or with SB?

    Appreciate your help!
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    VirtualBox provides you a complete virtual system and that's what I'm using for testing software. Also, if software needs to install a driver you won't be able to properly install it inside SBIE.
    For risky surfing I also use VirtualBox. After each session I restore a clean snapshot.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    If I really am doing something risky, I use my VM instead of host. It has the same security load as my desktop. Additionally, since AppGuard is part of my security setup, I have all the VMware applications guarded so they are memory protected.

    Pete
     
  4. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    46
    Guys, great information... I was leaning toward a VB but wanted other thoughts on it, as where nothing is foolproof, I wanted to know what gets you as protected as possible.

    hqsec - Would you say a snapshot is easier and/or more secure than simply having a backup copy of a fresh VB?
     
  5. guest

    guest Guest

    When I was still using Sandboxie I did test programs inside its sandbox. I rarely tried programs which require driver installations. And as far as I can tell, it worked pretty well. When there was the need to install programs with driver hooks I just used another computer, physically separated. As for the risky surfing, well, I consider surfing the internet has always been risky, so I stay protected all the time.
     
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    I normally test things in VM with my host drive in shadow mode. Also I have NVT in lockdown mode. Haven't had a break out yet.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    IMO using a snapshot is easier (and quicker) to restore than copying the whole VDI file. In terms of security I don't see much difference. OTOH having a copy of the VDI file on a separate HDD can save your VM in case of disk failure.
     
  8. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    46
    kjdemuth - Shadow mode NVT lock down mode? I don't know what that is but I like it already!

    GrafZeppelin - Google being our "friend" and all, I know there's an article out there that said that if anything porn sites are actually safer or have less malware attached than non-porn related. Not sure if I buy that one though

    hqsec - Good point, but here I am living up to my name! What if you're just beatin the hell out of a VM virus wise, (not intentionally of course!) is the snapshot option still as secure as just erasing the infected VDI file? (And yes, at the very least, a backup will help you in general.)
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    After taking a snapshot VB stores all further changes in a different VDI file. When you restore the snapshot this -second- VDI file is deleted. I don't know any malware that would survive VDI file deletion or that would somehow manage to write to the original VDI file.
     
  10. guest

    guest Guest

    kjdemuth just reminded me of Shadow Defender. Less locked down than VM but some people here have faith in it. I would still recommend to use another PC to test software if it's possible, though.

    It's true. Here's what we need to worry about: a website that offers us to install an additional codec to watch/see the site's contents. But I personally prefer to disable javascript, plugins, iframe, etc most of the time and allow them only when I know what I'm doing. Heck, I never allow javascript even in Wikipedia. I'm more into "block the threats since the first place" type of person.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Typically if something were to be VM aware and break out, it's not going to survive reboot. Even then I have Eset and NVT on lockdown extreme. Not much is going to be able to run. I normally only test malware that isn't VM aware and typically run it through anubis before testing it in VM.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Remember that data exfiltration can't be undone; advantage VirtualBox.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Sandboxie has settings designed for keeping personal and business data safe from being stolen. In Sandbox settings>Resource access>File access, there are settings available that can be used for blocking programs running in a sandbox from having access to your personal and business data, files and folders.

    Read, File access>Blocked access and File access>Read only access.
    http://www.sandboxie.com/index.php?ResourceAccessSettings#file

    And there are settings that allow you to limit the programs that can run and connect to the net in a sandbox. If malicious programs can't run or connect, they can't steal nothing.
    http://www.sandboxie.com/index.php?RestrictionsSettings#internet

    http://www.sandboxie.com/index.php?RestrictionsSettings#startrun

    These settings might not be perfect but they work and very well. I can't see why you said that VirtualBox is better than Sandboxie regarding data theft. Can you do something like the above in VB? Are there any settings in VB that allow you to block programs from having access to your sensitive data (files and folders)?

    Bo
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @bo elam: Good point. Those Sandboxie settings aren't enabled by default though, right?

    VirtualBox doesn't have any such settings, but if your virtual machine has nothing of value to steal, that's an advantage, IMHO.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    That's right, they are not enabled by default. You should keep in mind that the default settings sandbox (a beauty in my opinion) was created with first time users in mind. I think it's well balanced between security and convenience but security gets tighter when restrictions are put in place.

    Bo
     
  16. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Some of Sandboxie default settings (includes create new sandbox)

    Quick Recovery - Pre-determined list of folder locations
    Enable Immediate Recovery (checked)
    Automatically delete contents of sandbox (unchecked)
    Internet Access - All programs can access the Internet
    Start/Run Access - All programs can start and run
    Drop rights from Administrators and Power User groups (unchecked)
    User Accounts list (empty)

    Personally I would not run Sandboxie under these settings. I like to have more control of
    Internet-Start/Run Access. Also a download location of my choosing and no Immediate Recovery.
    User Accounts are specified (empty = sandbox can be used by all user accounts)
    I like to secure auto delete sandbox upon closing browser session unless I have reason to save
    contents.


    VM's such as Virtualbox are good if you want to try for example an AV program or software
    firewall. Sandboxie has limitations on installs (mentioned in posted comments)

    A VM would typically use more memory/resources as you install another OS. Sandboxie less memory and uses your existing Windows OS.


    One could install a Linux OS > install Virtualbox > install a Windows OS and then install/run Sandboxie inside Windows.

    They both have their pluses and minuses.
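
Added example, not part of any post in this thread: a small Python audit that reads Sandboxie.ini text and reports, per sandbox, which of the default settings listed above, and which of the file, Internet and Start/Run restrictions described earlier in the thread, are still permissive. The setting names (`AutoRecover`, `AutoDelete`, `DropAdminRights`, `ClosedFilePath`, `ReadFilePath`, `ClosedIpcPath`, `Enabled`) and the `!<InternetAccess...>` / `!<StartRunAccess...>` group convention are assumed from Sandboxie 4.x-era configuration files, and the sample INI is constructed; check both against your own version.

```python
from collections import defaultdict

# Constructed sample; setting names assumed from Sandboxie 4.x-era Sandboxie.ini.
SAMPLE_INI = r"""
[GlobalSettings]
[DefaultBox]
Enabled=y
AutoRecover=y
[BrowserBox]
Enabled=y,user1
AutoDelete=y
DropAdminRights=y
ClosedFilePath=%Personal%
ReadFilePath=D:\Work
ClosedFilePath=!<InternetAccess_BrowserBox>,\Device\Afd*
ClosedIpcPath=!<StartRunAccess_BrowserBox>,*
"""

def parse_ini(text):
    """Parse Sandboxie.ini text; a key may repeat, so values are lists."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], defaultdict(list))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()].append(value.strip())
    return sections

def audit_box(s):
    """List the permissive defaults from the thread that are still in effect."""
    on = lambda k: any(v.lower().startswith("y") for v in s.get(k, []))
    tagged = lambda k, p: any(v.startswith(p) for v in s.get(k, []))
    file_rules = [v for v in s.get("ClosedFilePath", []) if "<" not in v]
    checks = [
        (on("AutoRecover"), "Immediate Recovery enabled"),
        (not on("AutoDelete"), "sandbox contents not auto-deleted"),
        (not on("DropAdminRights"), "administrator rights not dropped"),
        (not tagged("ClosedFilePath", "!<InternetAccess"), "all programs can access the Internet"),
        (not tagged("ClosedIpcPath", "!<StartRunAccess"), "all programs can start and run"),
        (not any("," in v for v in s.get("Enabled", [])), "usable by all user accounts"),
        (not (file_rules or s.get("ReadFilePath")), "no blocked or read-only file paths"),
    ]
    return [msg for hit, msg in checks if hit]

def audit(text):
    return {name: audit_box(s) for name, s in parse_ini(text).items()
            if name != "GlobalSettings" and not name.startswith("UserSettings_")}

if __name__ == "__main__": print(audit(SAMPLE_INI))
```

On the constructed sample, `DefaultBox` is reported with all seven permissive settings and `BrowserBox` with none.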
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    In my opinion, for testing programs, the virtual machine is the better choice since it can be used for trying all kinds of programs. In my personal case, I use Sandboxie for trying browsers, Firefox addons, to temporarily install Java or Flash in my W7, that kind of thing but to try any other type of program, I use Shadow Defender.

    But for everyday use, for browsing, downloading, running files that I download from the internet, attachments, nothing beats Sandboxie. For example, when I download a file, it is done using a sandboxed browser, the file downloads into my download folder which is forced. And if I move that file out of my Download folder, it is covered by the Forced programs feature. I basically run files sandboxed from the moment they are downloaded to my computer till the day they are deleted. There are exceptions but it's rare.

    I think you ought to use both, SBIE and VB. In my mind, I don't see both programs as being programs that you choose one or the other. I recommend you use Sandboxie for everyday and VirtualBox for trying programs. That's what I would do if I was you.

    Bo
     
  18. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    409
    Location:
    USA--Colorado
    Bo, your knowledge of Sandboxie is mind-boggling at times. I'd like to strongly suggest that you make a series of videos on how to best utilize Sandboxie in everyday use. I suspect that there would be a lot of interest in these types of videos....
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    WOW, thanks Kendall:cool:.

    Bo
     
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    As above, love the ease and configurability of Sandboxie, but would not use it myself for something risky - why provoke something unnecessarily? It takes a bit of time to tweak the Sandboxie profiles (easiest if you have 1 sandbox per app), but this only really makes sense for apps you will mainstream on, and there's potential exposure while you develop the profile (e.g. as mentioned above, data exfiltration).

    For everything else, I'd use a VM (Vmware in my case). Ultimately I trust the guest isolation rather more, and don't see why I should take risks with partial Sandboxie profiles. I see Sandboxie as protecting basically good apps from bad/malicious data.
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Not using Sandboxie for something risky?

    Why not? I sandbox all applications in my computers, that gives me peace. I don't like playing God trying to figure out which file is risky and which one is not. I just run all files and programs sandboxed and it works.

    I can't understand why you say using separate sandboxes is risky when in fact, you get the most out of Sandboxie when your programs are isolated not only from the system but from other programs as well. And to do that, you must use Dedicated sandboxes or as you say "partial Sandboxie profiles".

    Bo
     
  22. KindaParanoid21

    KindaParanoid21 Registered Member

    Joined:
    Jun 21, 2014
    Posts:
    46
    Bo - Tell me, do you use, or could you use SB with uTorrent easily enough?
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    If I could explain about the "risky" word - perhaps that wasn't clear - I mean an application that is liable to have malware built into it. It's no denigration of Sandboxie at all to observe that there are more exploits to be had against even a protected Byzantine operating system than a VM.

    There's a world of difference between protecting apps that are at least trying to be benign but can be exploited via bad data or code, and using it to test malware, and if we're talking about testing risky programs, it's no biggie to spin up a VM to do just that.

    What I was trying to say with "partial" Sandboxie profiles is that the protection derived from them builds up as you tweak the profile to match your application environment and security needs, and while you are doing that, there is a higher level of risk, certainly in respect of data stealing. If you have a "bad" application, by the time you have got the profile as you want it, it's potentially too late. You can't throw away the host as easily as you can revert the VM, and you may already have lost data.

    I love Sandboxie, and would love to run everything in it too, regrettably that doesn't work for all apps in a complex environment, at least without tweaking which takes more time than the app is worth, and it isn't always feasible to run all apps this way. So, for example, let's take (file) Explorer as an instance, that has had vulnerabilities with file viewers, and unless you're willing to turn that functionality off, the sandbox for it will need tweaks from the default profile to allow to get at the file system properly, access the viewers, turn off internet access and so on. So I don't (currently) run Explorer sandboxed, even though perhaps I "should"!
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    deBoetie, I don't test malware but if I did, I would not use Sandboxie for that. Sandboxie was not created for testing malware. I use Sandboxie for everything that I do while using a computer every day. And you can do too, that was the purpose for creating SBIE. You said that you would "love to run everything in it too", well I tell you, I know you can do it. Take a look at the sandboxes that I use in my XP. They cover pretty much every program that I run every day. And all of my programs run very well sandboxed.

    untitled.JPG

    Data theft while Setting up a sandbox. Do you know how long it takes to create a new sandbox and set it up? Me, it takes me about two minutes. And since nothing is gonna be running sandboxed while I setup the new sandbox, nothing is gonna be stolen.:)

    Bo
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Hi Paranoid, I don't use Torrents and never have but I read threads from people that download Torrents with Sandboxie. I suggest you go to the Sandboxie forum and search for the word "Torrents", that should bring some results.

    Bo
     