Sandboxie With SRP & LUA....?

Discussion in 'sandboxing & virtualization' started by AvinashR, Jan 10, 2010.

Thread Status:
Not open for further replies.
  1. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Guys,

    I am using Windows 7 Ultimate with a Limited User Account. I also have NIS 2010 and Sandboxie. Yesterday I implemented SRP in my Windows 7 Ultimate using the instructions from "Here" and found that my Sandboxie 3.42 did not work with it. Is Sandboxie incompatible with SRP? It did not work even with Administrator privileges.

    Is Sandboxie Incompatible with SRP?

    Can anybody help me to maximise Windows 7 Ultimate security with LUA and SRP...

    Please note that I am a bit of a paranoid person and am using SRP for the first time, but I am comfortable with registry modifications. I specially request Tlu, Lucy and bigc73542 to help me with this.
     
  2. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    I am not one of the ones you asked for, but I think I can point you in the right direction. The guys at Sandboxie previously found some incompatibility with Win 7 + SRP + Sandboxie and they have yet to figure it out as far as I know. But as a workaround they have all started using AppLocker. I don't know if they have fixed the actual problem yet or not, but here is a link to their discussion.
    http://sandboxie.com/phpbb/viewtopic.php?t=6401&start=15
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Thanks, brother. I am not asking for their help only, but for everyone's. I only specially requested them to help me as well.
     
  4. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    No problem, glad I could help. There were a couple of people who posted that the newest version had fixed the incompatibility problems. I do not use SRP or Sandboxie anymore.
     
  5. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I have no idea if Sandboxie is compatible with SRP, but I would ask why you even need it with LUA, SRP and Norton Internet Security. With LUA & SRP I only have an on-demand AV to check files I download, and I do a quick scan every two weeks or so.

    To be honest, I would forget about it and save yourself a couple more kernel hooks to collide with the ones from Norton. With LUA & SRP you have made the most sensible first step. With that alone you probably have 99% covered, and you also have NIS.
     
  6. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Brother,

    I do agree with you that with SRP and LUA I am 99% covered, but I don't want to leave any hole or leak which is not covered by SRP and LUA. That's why I want to keep NIS in Real Time Protection mode...
     
  7. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Then I would keep it if I were you! I was wondering why you would even need Sandboxie, not NIS. NIS has all kinds of modules like behavior blockers and the like, so you are more than covered combined with LUA & SRP. If Sandboxie isn't working right, then getting rid of it will save you a few headaches and some system resources.
     
  8. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Sandboxie will help me to use keygens to generate keys, as well as to test unknown software without changing any system settings. I can also protect my browser through Sandboxie.
     
  9. Jav

    Jav Guest

    Quick question:
    Why are you not using AppLocker if you have Windows 7 Ultimate?
     
  10. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Brother,

    I heard about AppLocker, but till date I have not been able to find good details about it. I mean I want to know "How can I configure it?" I found SRP details everywhere and was able to configure it, but in the case of AppLocker I am not able to configure it because of the lack of info on it. If you have good demo details on it, please help me.
     
  11. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
  12. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro,

    Thanks for your help. I also googled about AppLocker and found the above-mentioned websites you listed, except the Wilders Security post. I am trying hard to get into it, but for some reasons I am not able to concentrate on this... Trying very hard to understand the fundamentals of AppLocker :D

    What I found is that SRP is far easier than AppLocker... But due to the Sandboxie incompatibility problem on Windows 7 with SRP, I am trying to implement AppLocker-based policies. Hope I will understand its basics... :)
     
  13. Jav

    Jav Guest

    If you follow the link given by dcrowe0050, you can understand it easily.
    They are explained very well, and AppLocker itself isn't as complicated as it seems at first look.

    And if you follow the link to the thread in the forum https://www.wilderssecurity.com/showthread.php?p=1599794
    you can find a lot of useful information as well. (BTW, the thread was started by me :p )
    And read carefully chronomatic's post in the thread. It is a very easy and well-explained tutorial.
    Also consider wat0114's post about troubleshooting; it explains how to use AppLocker's Audit mode.


    If you have more questions post back.

    ;)
     
    Last edited by a moderator: Jan 13, 2010
  14. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
  15. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro Jav,

    Thank you for your response, bro. But after reading the whole article, what I feel is that AppLocker should be configured after a fresh installation of Windows 7. And we need to configure each and every thing separately, but in the case of SRP we can add as many file extensions as we want. This will not only ease our task but also save our time for configuration.

    Still I am trying to find a well-illustrated article on this topic, as I have already gone through all these websites, even MSDN too.

    Till date I feel SRP is easier to configure than AppLocker. Please tell me your views too...
     
  16. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro,

    Thanks for your valuable help. But still I am not very convinced by AppLocker...
     
  17. Jav

    Jav Guest

    Hi,
    Yes, in a way it's recommended to set up AppLocker after a fresh install, but the same recommendation applies to SRP. (Note: it is recommended, but not a must.)
    About configuring each and every thing: no, you don't need to do it. It has similar configuration to SRP. I know why you got this image, because most of those articles talk about publisher rules (as they're new).
    But AppLocker still has the old traditional path rules as well.
    When you create the default rules, it will allow everybody to execute from Program Files and the Windows folder, and allow Administrators to execute everywhere.
    So it is automatically almost ready.
    You have to configure only those programs which aren't installed in Program Files but in the user folder or somewhere else. (It is the same with SRP.)

    So, in my opinion, from an ease-of-use perspective SRP and AppLocker are the same.

    Tell us how you have configured your SRP now, and we will try to help you convert it into AppLocker. :)
     
  18. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro,

    Thanks for your reply and help. I have a doubt: I guess that the default installation folder for every application is C:\Program Files, so how can I configure it for others? And you said that in a default configuration of AppLocker everyone (every user) is allowed to execute any file in the system. Say, if a novice user executes a Virus.exe from my D: drive, then there is a good chance for Virus.exe to infect my system, whereas if I configure my SRP then it will not execute, as it will get blocked by the policy...

    Waiting for your inputs, bro.

    And also please find the attached SRP policy; please note that right now I am not using it because of the incompatibility problem with Sandboxie 3.42 in Windows 7 Ultimate.
     

  19. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro,

    Today I did some googling on AppLocker and found that AppLocker can only be used to manage four different types of files: executable (.exe), Windows Installer (.msi and .msp), script (.bat, .cmd, .js, .ps1, and .vbs), and DLL (.dll and .ocx). But in an SRP-based policy we can manage other types of files like .pif etc. I have also found that .pif extensions can also be used for malicious activities, and through AppLocker we cannot block it.
    Looking for your response....
     
  20. Jav

    Jav Guest

    Hi,
    Sorry, it was probably my fault.
    Let me rephrase my sentence.
    By default Everyone (every user) is allowed to execute from Program Files and the system folder (I mean the folder named "Windows") and denied from executing from all other locations.
    It means your novice user can't execute virus.exe from the D: drive, as it is denied by policy.
    He can only execute from those 2 folders (Program Files and Windows), in which he has no write access.
    So he is allowed to execute files which are already on your system and allowed by you.
    Hope you understand what I meant this time. ;)

    For programs which are located outside of these two folders, you can create additional rules, as described here: https://www.wilderssecurity.com/showpost.php?p=1598079&postcount=2
    If the program has a digital signature, use Publisher rules.
    Otherwise use Path or Hash rules.

    :\
    I am not sure about this one...
     
  21. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Jav Bro,

    Thanks for your "late" reply :), but I am happy that you did. Now again a question arises. You said that "By default Everyone (every user) is allowed to execute from Program Files and system folder (I mean folder named "Windows") and denied to execute from all other locations. It means your novice user can't execute virus.exe from D: drive as it is denied by policy."

    But I guess this is not possible... I am not sure about this, but what I guess is that I have to configure a rule for my D: and E: drives, so that a novice user (my sisters) is not able to execute and run any malicious executable file...
     
  22. Jav

    Jav Guest

    Sorry for the late response. :p
    We seem to be in different time zones, and I was busy with my studies.

    What do you mean by not possible?
    If you right-click Executable Rules and click Create Default Rules,
    it will create default rules which are based on white-listing. This means nothing except those allowed files can be executed, so it will allow only the Windows and Program Files folders and nothing else (not even CD-ROM or USB).

    But the Administrator will retain his right to execute from anywhere.
    If that wasn't an answer, please clarify your question.
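    The default rules Jav describes in posts #17, #20 and #22, plus the extra Publisher/Hash rule for a program outside Program Files, written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft. It assumes Windows 7 Ultimate or Enterprise (the SKUs that enforce AppLocker), an elevated PowerShell, and that the paths D:\Virus.exe and %USERPROFILE%\Tools\MyTool.exe are hypothetical files used only to exercise the policy.

```powershell
# Added example: AppLocker default rules + one extra rule, tested before enforcing.
# Assumes Win7 Ultimate/Enterprise, elevated PowerShell; D:\Virus.exe and
# %USERPROFILE%\Tools\MyTool.exe are hypothetical paths.

# 1. Rules are only enforced while the Application Identity service runs.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Policy XML equivalent to "Create Default Rules" for the Executable
#    collection: Everyone (S-1-1-0) may run from Program Files and Windows,
#    Administrators (S-1-5-32-544) may run from anywhere. Anything not
#    matched by an Allow rule is denied by default (white-listing).
#    AuditOnly logs what *would* be blocked; change to "Enabled" to enforce.
$rules = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
                  Description="Everyone may run from Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
                  Description="Everyone may run from Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
                  Description="Administrators may run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\applocker-exe.xml"
$rules | Set-Content -Path $policyPath -Encoding UTF8

# 3. Dry run: what would a standard user ("Everyone") be allowed to start?
#    Test-AppLockerPolicy needs real files, so a dummy Virus.exe is created.
$probe = 'D:\Virus.exe'
if (Test-Path 'D:\') {
    if (-not (Test-Path $probe)) { New-Item -ItemType File -Path $probe | Out-Null }
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\notepad.exe" -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    # Virus.exe -> DeniedByDefault (no rule matches); notepad.exe -> Allowed (Windows rule)
}

# 4. A program outside Program Files needs its own rule: Publisher if the
#    file is signed, otherwise Hash (AppLocker computes it from the file).
$app       = "$env:USERPROFILE\Tools\MyTool.exe"
$extraPath = "$env:TEMP\applocker-extra.xml"
if (Test-Path $app) {
    $info = Get-AppLockerFileInformation -Path $app
    $type = if ($info.Publisher) { 'Publisher' } else { 'Hash' }
    New-AppLockerPolicy -FileInformation $info -RuleType $type -User Everyone -Xml |
        Set-Content -Path $extraPath -Encoding UTF8
}

# 5. Apply locally; -Merge adds the extra rule instead of replacing the policy.
Set-AppLockerPolicy -XmlPolicy $policyPath
if (Test-Path $extraPath) { Set-AppLockerPolicy -XmlPolicy $extraPath -Merge }

# 6. Audit-mode review (the troubleshooting step wat0114's post is about):
#    8003 = allowed but would be blocked if enforced, 8004 = blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { 8003, 8004 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

    Run it once in AuditOnly, use a limited account for a few days, and read the 8003 events: every legitimate program that shows up there needs a rule (Publisher or Hash, as in step 4) before the collection is switched to Enabled. The Administrators rule is what lets an admin still run anything, so test with the LUA account, not the admin one.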
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    While I am not up to snuff yet on Win7, I can add to this.

    The rights and permissions that are set when you install Windows are 'predetermined'. As you state, Windir and ProgramFiles get a 'generic read/execute' for every group, but only Admins and System get create/write/modify/delete.

    When a user is created, the user becomes the 'owner' of their profile directories, and it is predetermined what that includes.

    Normally, most everything else for a 'User' is only read/execute. However, there are no restrictions on other drives or custom directories that I have ever seen. That is, D:, E:, F: etc. are not 'known' by the Windows install, and thus not normally restricted. To protect a drive like E:, you would have to set permissions yourself.

    This is why many like to use LUA and SRP, because with SRP you can create a default-deny policy, so that anything NOT in SRP's list is just denied. You then open specific holes to allow for execution, or you just use the default Windir and ProgramFiles.

    I would be curious to know if it is a LUA issue or an SRP issue. Try logging into the admin account and using SBIE. My hunch is that it is the LUA that is affecting SBIE.

    Sul.
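    Sully's two points (drives other than C: get no restrictions from the Windows install, and an SRP default-deny policy is what closes that gap), together with AvinashR's question in post #19 about whether .pif is covered, as a read-only PowerShell check. This is an added example, not code from the thread. It assumes SRP was configured through the Local Security Policy snap-in, so the policy lives under the standard Safer\CodeIdentifiers registry key; the drive letters D: and E: are just the ones named in the thread, and nothing is changed unless the commented icacls line at the end is run by hand.

```powershell
# Added example: report SRP state from the registry and check whether
# standard users can write to (and therefore run from) non-system drives.
# Assumes SRP was set via Local Security Policy (Safer\CodeIdentifiers key).
$drives = 'D:\', 'E:\'      # non-system drives to inspect (from the thread)

# --- SRP state ---------------------------------------------------------
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $safer)) {
    Write-Host 'No SRP policy found (Safer\CodeIdentifiers key is absent).'
} else {
    $ci = Get-ItemProperty -Path $safer
    $levelName = @{ 0 = 'Disallowed (default deny)'; 0x40000 = 'Unrestricted (default allow)' }

    # DefaultLevel: 0 = Disallowed, 0x40000 (262144) = Unrestricted
    $lvl = [int]$ci.DefaultLevel
    $lvlText = if ($levelName.ContainsKey($lvl)) { $levelName[$lvl] } else { 'other' }
    Write-Host ("Default level      : {0} ({1})" -f $lvl, $lvlText)
    # PolicyScope: 0 = applies to everyone incl. admins, 1 = local admins exempt.
    # With 0, "try it as admin" (Sully's test) will not bypass SRP.
    Write-Host ("Admins exempt      : {0}" -f ($ci.PolicyScope -eq 1))
    # TransparentEnabled: 1 = executables only, 2 = executables and DLLs
    Write-Host ("DLLs checked too   : {0}" -f ($ci.TransparentEnabled -eq 2))
    # ExecutableTypes = "designated file types" (no leading dots). This is
    # where PIF, SCR, LNK etc. are added so SRP treats them as code.
    $types = @($ci.ExecutableTypes)
    Write-Host ("PIF treated as code: {0}" -f ($types -contains 'PIF'))

    # Path rules: <level>\Paths\<guid>, ItemData holds the path pattern.
    foreach ($level in 0, 0x40000) {
        $paths = Join-Path $safer ("{0}\Paths" -f $level)
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                $r = Get-ItemProperty $_.PSPath
                Write-Host ("  rule [{0}] {1}" -f $levelName[$level], $r.ItemData)
            }
        }
    }
}

# --- NTFS: can a standard user write AND execute on D:, E:? ------------
# Windows/Program Files give Users read+execute only; other drives usually
# grant Authenticated Users Modify, which is the hole Sully describes.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($d in $drives) {
    if (-not (Test-Path $d)) { continue }
    $acl = Get-Acl -Path $d
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $writeMask)) {
            Write-Host ("{0} {1} can write and execute here ({2})" -f $d, $who, $ace.FileSystemRights)
        }
    }
}

# To close it with permissions alone ("set permissions yourself"), deny
# execute to Users on the drive, inherited by folders and files. A default-
# deny SRP/AppLocker policy is the cleaner fix; run this only if you need it:
# icacls D:\ /deny "BUILTIN\Users:(OI)(CI)(X)"
```

    The "Admins exempt" line is the quick way to interpret Sully's suggestion: if PolicyScope is 0, SRP applies to administrators too, so a program failing for both the LUA account and the admin account is consistent with an SRP rule rather than a LUA permission problem.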
     
  24. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
  25. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Sul,

    It's SRP which is creating the issue with SBIE. In Windows 7, if we apply SRP, neither LUA nor Admin can use SBIE. I guess there is some problem with SBIE; that's why users are also complaining about the SBIE issue in the Sandboxie forum.
     
    Last edited: Jan 13, 2010