Discussion in 'sandboxing & virtualization' started by fsr, Jul 31, 2010.
Or is it redundant? In other words, is the built-in sandbox in Google Chrome good enough?
Sandboxie is quite light-weight. While Chrome by itself has not been hacked as yet to my knowledge, I see no harm in the double protection. Sandboxie also is not a disruptive aspect.
I'm running Chrome portable 5.0.375.125 in Sandboxie 3.46.
While I'm not using any extension other than WOT, I don't understand how or whether extensions are controlled by Chrome's sandbox. Case in point is IETab (Davetotski?).
i've always found it a bit redundant but i actually found a good reason to use it (i havent read it before)
i never understood chromes sandboxie. Dont you need to move files in and out of the sandbox? where is chromes sandbox that i can move files in and out of
i'm no chrome expert but that's what you do, when you acept a download, plugin installation, etc., you actually give a file permission to run outside sandbox
thanks for the input. Its just sandboxie, bufferzone, returnil use their sandbox differently so i thought there actually was a sandbox area you would know about like those products have. So if you get malware through surfing the net its contained into the sandbox and you just have to close and reopen the web browser to remove the malware?
Except for zero-day malwares yes, i think so. Read this:
Hi to all,
I would like to stress that sandboxie does not merely utilize OS security to fully protect a pc, but it goes way above and beyond that to ensure that malware doesn't infect the host. in a way, one can say sandboxie almost 'hacks' the kernel in order to gurantee true isolation and monitoring of sandboxed parent and child processes.
with chrome's sandbox, one priveledge escalation exploit in the OS and you're done - it would do little to protect from zero day. meanwhile sandboxie would ensure that even if there was an ie bufferoverflow or priveldege escalation under a system running LUA, you'd still be covered.
installing the two is by no means an overlap as sandboxie simply operates in another league
sandboxie also has other options that make it watertight when compared with chrome's minimal approach. extra settings include start/run restrictions that block unknown droppers from loading crap unto your system and also a basic robust firewall that prevents unknown software(hence viruses) from calling home.
do yourself a favor and try sandboxie, you will be addicted
Did you actually read anything i have written/quoted? Cheers.
I guess not well enough
does sandboxie slow down your pc?
No,you hardly even notice its there,give it a try!
Yep Chrome sandbox in combo with https://www.wilderssecurity.com/showthread.php?t=278011
See no use in Sandboxie since this works light and tight (in terms of Security)
My setup on play PC https://www.wilderssecurity.com/showpost.php?p=1721407&postcount=9614
On X64 Chrome's Sandbox manages to prevent side by side infections, I really do not know how they do it, since both Tzuk (Sandboxie) has not found a way to realise this. Tabs run in Low rights so they can't affect anything on the host.
Don't mean to argue but is the link with reference to Win 7 alone? What about Win XP3?
And what exactly is the status of extensions? Are they also kept in Chrome's sandbox?
The link is regarding ACL this also works on XP. When you are a happy Sandboxie user on XP, I would stay using SBIE to guard your browser of choice. Due to UAC limitations on objects and processes I would only consider Iron/Chrome plus 'some lazy admin precautions' a substitute for Sandboxie.
When you move something out of a Sandbox you are unprotected. The major streght of SBIE was that it offered a strong safety net behind your browser for what happened in your browser.
I think IE8's protected mode was a good step. Chrome's sandbox was the first real security border. Chrome was not Owned in the pawn2own browser contests for two years in a row. Set up decent policy management behind it (f.i. what is included in your OS) and you are fine.
When you are playing with malware, there is off course no greater fun playing in the sandbox with Sandboxie and Buster-Sandbox-Analyser (add A VM to and your are fine). My guess is that more than half of Wilders folks enjoy throwing stones at their window to see whether it holds.
Hi Kees 1958 (or anybody out there),
Please could you answer this (which I've asked before):
While I'm not using any extension other than WOT, I don't understand how or whether extensions are controlled by Chrome's sandbox. Case in point is IETab.
You can be rude if you wish! But please do answer!
Lack of clarity on this issue is keeping me off extensions in Chrome and there are some that seem really, really nice!
Here you go for explanation on extention security http://www.youtube.com/watch?v=DO-nzPqhdXw
Next you have the problem of installing extentions from a known/trusted source only.
a) Only implement extentions from Google, no other source unless it is from a trusted source
b) Extentions I have tried and were safe at that time: McFee SiteAdvisor for Chrome, Wot, New Tab Behaviour, Adsweep, Simple Print (a print button) and Click & Clean.
c) I start chrome using --safe-plugins switch
d) I disable the third party default plug-in from the options > Privacy content > Plug-ins > Manage plugins seperately
I found something when using the --safe-plugins switch. If Chrome is in Sandboxie when using this switch it prevents the viewing of PDF files within the browser. When you click on the PDF, error messages from both Adobe Reader and SBIE pop-up and Adobe crashes. If you remove the safe-plugins switch, everything works fine. I'm not sure if I should call this a bug or a feature, maybe Adobe Reader is trying to do something the switch is programmed to stop. I haven't tried any other PDF readers yet to see if the issue continues.
Thanks Kees. I did notice that the commentary dealt with privileges and how the developer chooses to use them. There was also a clear warning against malicious extensions. (But no mention that any mischief is restricted to the Chrome Sandbox, which is my original doubt.)
So your point a is very important. I just have WOT currently.
Could you clarify point d? Is this seen in chrome://plug-ins/? If yes, are you referring to
Default Plug-in - Version: 1
Description: Provides functionality for installing third-party plug-ins
Just to confirm, is this, the default plug-in, to be disabled?
Yes, I can not find it any more, but I had read somewhere that thi sone was needed for 3rd party plug-ins to install properly http://www.scriptol.com/chrome/about-plugins.php
I removed it. Now the only one I have enabled is Java JRE which I need for viewing some charts on-line.
but i still dont really get the chrome sandbox. If you get malware through surfing the net does closing the browser remove the malware? how does it remove malware when you get it
Chris, I can't answer your question. I just take satisfaction in the reports that Chrome hasn't been pwned as yet in competition with other browsers that went down in minutes.
Despite that, since Sandboxie runs light, I have no problem in keeping a double safety net, one of Chrome and one of Sandboxie.
Separate names with a comma.