Sandboxing

Discussion in 'sandboxing & virtualization' started by Davidpr, May 25, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What if I combine Sandboxie and DefenseWall, then I have virtualization AND Windows Policies to protect my computer.
    If I add my boot-to-restore, based on the Industrial Snapshot Technology, to both technologies, I have probably the best guarded computer in the world. :rolleyes:
     
  2. wat0114

    wat0114 Guest

    Right. And I would maintain that the worst one of those - by far - is the stealing of data. That is why a termination-resistant firewall with outbound control to restrict everything to selected ports, addresses, direction and protocol is of utmost importance. I can deal far better with malware simply destroying my data than malware stealing my data. As long as data is backed up to external media, and especially if imaging software is used, recovering a blown-away h/drive is a relatively minor inconvenience compared to the theft of private data.
     
  3. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    This is an acknowledged and recognised issue with Sandboxie.
    While browsing in the sandbox, e.g. a keylogger or datastripper can operate as long as there is no kernel driver installed (blocked in Sandboxie), and data 'could' be stripped. Any malware that can, will/may run in the current session.
    Less likely with FF and noscript etc etc...

    Firewall might be ok as long as config is tight to prevent o/going connection, but many trojans can install as 'trusted' outgoing connections.
    Obviously if the mal requires a reboot to operate/install then not an issue when sandbox emptied after session. PrevX has for me been able to operate in the sandbox to catch any suspicious operations it recognises so far.

    Any 'drive-by' type mals that might get past FF or other apps in the sandbox will be stripped out when sandbox emptied.

    Obviously DO NOT use any passwords, banking logins, credit card details etc in same sessions as -heh- random browsing.

    AFAIK DefenseWall can be set up to stop this and provide a so far unbreakable barrier and roll back any changes. I don't have any experience of same; not using DW (not sure why not lol), just from reading here and @Gladiator/DW forum. (maybe waiting for next version of DW ;) )

    I like the "per application" control of Sandboxie and with other tools all good so far. Just knowing potential weaknesses of any app is a boon in itself.

    Regards.
     
  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Based on my reading of all the PowerShadow, DefenseWall, and assorted sandbox and virtualization posts it seems that key loggers are the main concern. While surfing in PS or any other program that protects the system, you could have data stolen. For me I can crank up PS in my FD-ISR snapshot then enable DW protection and my system will be safe. So what is the best program to ensure that nothing can get any data?
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    IMO sandboxes and virtualization, don't recognize evil objects, they only isolate them, just like they isolate good objects.
    How can such software recognize malware, do they have signatures, heuristics, etc.? I don't think so. If they don't recognize them, they can't stop their execution either.

    Once the sandbox is closed, the malware is gone of course, but my frozen snapshot does the same thing. That's called recovery, not security.
    Security is supposed to see the difference between good and bad objects.
     
  6. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Yes I agree completely. But while in the sandbox, data can be stolen unless there is something to catch it.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Exactly. Sandboxes and virtualization are good REMOVAL tools for malware, nothing more than that.
    If a good object remains in your sandbox and you don't save it in time, it will disappear with all the rest.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    But even still, not all security apps can do that 100 percent. So a good AV, and either Sandboxie or Power Shadow, makes the most sense to me. Just started using Power Shadow and really like it.;)
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As a cleaning tool yes, the problem is that Sandboxie, etc. will remove the good objects too, if you don't save them in time.
    A scanner removes only the bad objects, except for false positives of course.
    My frozen snapshot removes also all changes, good and bad, but only in my system partition (Windows + Applications).
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    What I am doing is manually updating everything then kicking in Power Shadow. I also have Sandboxie, why? I may go a few days before rebooting with Power Shadow. At least this way, any crap that may grab hold during a browsing session is gone as soon as I close Sandboxie, instead of it being there for a few days until I reboot. This is working great and about once a week I run Avira and SAS. But there isn't squat to be found.
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Even in the worst scenario, you can visit your bank site without worry, and without reboot. Just clear the sandbox. Nothing malicious came from the sandboxed session, assuming you cleared it. No rootkits, keyloggers, nothing. No reboot.

    FAQ
    Detecting Keyloggers
    Closed File Path
    Closed Key Path
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I can see why some say that AV products may be history before too long. My browsing speed is actually faster.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One thing you can do to help protect yourself with Sandboxie is keep any and all private stuff under My Documents. Then edit the configuration file and add this line.

    ClosedFilePath=%Personal%

    With that, nothing running in the sandbox can access anything in My Documents. I tested it and it works.

    Pete
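
A small checker for the setting Pete describes above, and for the Closed File Path / Closed Key Path entries Pedro linked earlier, as an added example that is not from this thread and not part of Sandboxie itself. It assumes the Sandboxie.ini syntax ClosedFilePath=[program,]path, where a leading program name restricts the entry to that program and a leading "!program" means every program except that one (this is my reading of the Sandboxie documentation, treat it as an assumption). The sample config, the box names Banking and Browsing, and the paths are constructed for the example. The point it makes: a ClosedFilePath that is scoped to one program, or an OpenFilePath under the protected folder, leaves a second sandboxed program (the hypothetical keylogger the thread worries about) a way at the data.

```python
"""Audit a Sandboxie.ini box for exposure of private folders.

Added example, not Sandboxie's own tooling. Assumed syntax:
  ClosedFilePath=[program,]path   block path for all programs, or only
                                  for 'program'; '!program' = all except
  OpenFilePath / ReadFilePath     expose the real path again
Sandboxie.ini repeats the same key inside a section, which Python's
configparser rejects by default, so a tiny parser is written here.
"""
from collections import defaultdict

# Constructed sample: one box done right, one that only looks protected.
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[Banking]
Enabled=y
ClosedFilePath=%Personal%
ClosedKeyPath=HKEY_CURRENT_USER\\Software\\Mozilla
ClosedIpcPath=*

[Browsing]
Enabled=y
ClosedFilePath=firefox.exe,%Personal%
OpenFilePath=%Personal%\\Downloads
"""


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def split_scope(value):
    """'program,path' -> (program, path); a bare path -> (None, path)."""
    if "," in value:
        program, path = value.split(",", 1)
        return program.strip(), path.strip()
    return None, value


def is_under(child, parent):
    """True when 'child' equals 'parent' or lies below it (case-insensitive)."""
    c = child.rstrip("\\").lower()
    p = parent.rstrip("\\").lower()
    return c == p or c.startswith(p + "\\")


def audit_box(ini_text, box, required):
    """Classify each required path for 'box' as 'closed' (blocked for every
    program), 'program-scoped' (blocked only for some programs, so another
    sandboxed program can still read it) or 'missing'.  Also return any
    OpenFilePath/ReadFilePath entries under a required path: whether such an
    entry wins over ClosedFilePath depends on Sandboxie's precedence rules,
    so they are flagged for review rather than judged here."""
    entries = parse_ini(ini_text).get(box, [])
    status = {}
    for wanted in required:
        status[wanted] = "missing"
        for key, value in entries:
            if key.lower() != "closedfilepath":
                continue
            program, path = split_scope(value)
            if not is_under(wanted, path):
                continue
            if program is None:          # applies to every program
                status[wanted] = "closed"
                break
            status[wanted] = "program-scoped"
    reopened = [
        (key, value) for key, value in entries
        if key.lower() in ("openfilepath", "readfilepath")
        and any(is_under(split_scope(value)[1], w) for w in required)
    ]
    return status, reopened


def report(ini_text, box, required=("%Personal%",)):
    """Human-readable summary of audit_box for one box."""
    status, reopened = audit_box(ini_text, box, list(required))
    lines = [f"[{box}]"]
    lines += [f"  {path}: {state}" for path, state in status.items()]
    lines += [f"  REVIEW {k}={v} sits under a protected path" for k, v in reopened]
    return "\n".join(lines)


if __name__ == "__main__":
    for name in ("Banking", "Browsing"):
        print(report(SAMPLE_INI, name))
```

Run it against your own Sandboxie.ini by replacing SAMPLE_INI with the file's contents; a box used for anything but banking should still come out as "closed" for %Personal% if you follow Pete's advice, and a "program-scoped" result means a different program run in the same box is not covered.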
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Pedro,
    First of all, many thanks for the explanation, I'm trying to understand how these software work and I don't have always much time.

    Let me see if I get this right.
    If an application is not sandboxed, it can install a certain rootkit.
    If the same application is sandboxed, it cannot install the same rootkit.
    So all depends on whether an application is sandboxed or not, because in both cases the rootkit IS malware and even the SAME malware.

    This also means that it all depends on the user, if an application is sandboxed or not and hopefully he knows when an application needs to be sandboxed or not.
    Am I right about this ? :)
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    In GeSWall:
    DefenseWall also supports confidential files/folders.
    Combine data encryption with a sandbox, a tight firewall ruleset, browser security (NoScript) and common sense/safe hex and you shouldn't suffer data leaks.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I never get straight answers to my questions. I'm talking about sandboxie alone, not in combination with other softwares. Just sandboxie and put the rest aside. :)
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thanks, but note that i only copied directly from SandboxIE's site, word for word, minus a few things. Highlighting is also my doing.
    Yes. You should note the quote from lucas regarding GeSWall, and his observation regarding DW. The main difference is virtualization in SandboxIE: everything is redirected to the "sandbox" folder (virtualization container), where the file system and registry are mirrored as needed. You then keep what you want, by copying to the real folders.

    GeSWall does not redirect things to the "virtualization container", except for some registry keys if I'm not mistaken. It simply enforces a policy, which is strict. DW same deal. I'm sorry for not expanding this, but I haven't used it for a while.

    Arguably GW and DW are more "housewife" material :D .

    Also note that I don't know how redundant this is when using something like AE. This is an open question in my head.

    I do know that when I install an extension in FF (a possibly working keylogger inside SandboxIE, for illustration purposes), SSM does not intercept it, neither does SandboxIE. But the latter can flush it. Of course, FF does ask for confirmation, on legitimate extensions at least (IE too, probably).
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Also, another possible difference is you can sandbox anything with SandboxIE, and you don't need policies specific for Word, Powerpoint or whatever. It's the same policy for everything inside.
    Again, forgive me for not expanding this. But there has to be someone who can!
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, you can isolate everything in GW. Due to the rigid isolation policy, rules per app (the common ones) are needed if you don't want things breaking:
    GeSWall's Access Control Policy
    Security = layered approach. There's no silver bullet regarding security software.
    A security setup needs to deal with different kinds of threats:
    - Network traffic (firewall)
    - E-mail threats (read mail as text, drop unsolicited mail, etc)
    - Execution control/interception (HIPS/whitelist)
    - Browser security/privacy (NoScript, whitelist cookies, etc)
    - Data leaks (firewall/sandbox/etc)
    - Etc
    When the security setup fails (there's no 100% security, although the margin of failure is very very thin in a well thought-out security strategy) you go to the mitigation plan (imaging, reboot-to-restore, reinstalling, etc)
     
    Last edited: May 28, 2007
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thanks lucas :thumb:
    Now I recall something. The policy for something unknown is strict, but could break it as SandboxIE can. Then it is less strict for known applications, where they designed the policy specifically for it, where certain things don't need to be.

    GeSWall deserves a revisit.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It's very important to know how the app (Sandboxie, GW, firewall, AE, etc) works in order to use it at its best.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes you are. For example. If I download the kis.msi installer and run in normally it installs KIS. If I run it sandboxed, the install fails and when I delete the sandbox, everything goes away.

    So how do I use this not being an expert on malware? Well, a little common sense. If I download something from a location I trust, then I just install it. If it's from a location I know I don't trust, then I better do something to protect myself, i.e. the EA reboot-nuke procedure or something similar.

    The value of sandboxie lies in a couple of things. First of all, all the potential junk from browsing is gone without a reboot. Secondly, if a site downloads hidden junk, even if it runs, it can't harm my system. It even can protect the My Documents folder. Another example, suppose I download a video and I am not sure about it. I can run my media player from my desktop, but run it sandboxed. Then anything that video file might try is also sandboxed.

    Another aspect is you can create several sandboxes and leave something in it for a while, to see if either virus scanners get an updated signature, or you learn something about it. Then you can decide to either move it out of the sandbox or delete it.

    Hopefully this helps,

    Pete
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks. I will think about it. Seems to me more like a little protection here, a little protection there and a little protection over here. :)
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is a very informative discussion. The vendors in question should pay for the detailed descriptions and exposure their products are getting here!

    A friend asked me the other day about Sandbox stuff so I started reading some of the threads and referred them to him, and today suggested that the next step for him is to evaluate one: until then, it's all talk.

    One question came to mind: several have pointed out that a keylogging program or such might be able to send out from within the Sandbox while you are on line transacting business.

    The question: under what circumstances do you imagine that a keylogger could get installed on your system?

    I would imagine one would have a routine such as I use with Deep Freeze:
    • 1) Reboot to known good state

    • 2) Connect to the internet, go directly to online site.

    • 3) Log in - transact business

    • 4) Log off

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  25. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,076
    Location:
    UK
    It's really helpful to have a thread like this going on at the moment. I have just started with sandboxie myself in the last few days and the learning curve is less steep with the helpful advice that I am reading here.

    For instance, I had a hard time grasping the concept of Sandboxie the first time I downloaded and ran a setup in it (artweaver). What I didn't realise at the time was that Online Armor would ask permission to run artweaver and keep a record of it in its program list and history, but it would be nowhere else after deleting the sandbox and contents after deciding I didn't want to keep that software. In my ignorance I assumed NO ONE would see what I was doing but Sandboxie.

    Now I am a bit more aware that sandboxie does one thing, and HIPS and firewalls etc. do another...and that's how it should be I guess.
     