Sandboxie as a firewall, HIPS, anti-exe, virtualizing beside sandboxing

Discussion in 'sandboxing & virtualization' started by hany3, Sep 20, 2008.

Thread Status:
Not open for further replies.
  1. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hi folks,
    although I'm relatively new to Sandboxie,
    after 3 days of playing with the registered version of Sandboxie
    I wanted to share with you what I've learned about some hidden advantages in Sandboxie beside its main job of sandboxing and isolating environments

    but for now I'll only begin with 2 great features in Sandboxie

    1-forced folders feature "only in the registered version"
    2-internet access "in the resource access settings"

    let's begin

    1-anti-executable and HIPS-like features

    by using the forced folder feature you can add any drive or even all your drives so that any program "including malware, viruses, trojans, spyware, ....." if run at any time, will be forced to run inside Sandboxie, even if autorun automatically, so that you will have the advantage of an anti-executable because you will know instantly which is running at the moment even if it's automatically autorun, plus the advantage of a HIPS by limiting the behaviour of such autorun malware by running it in the isolated environment of Sandboxie; also it can terminate any malware process by the feature of lingering programs, in which Sandboxie terminates any executable that continues executing after all other programs have ended

    2-protection against autoruns and viruses of the flash disks and foreign hard disks connected to your PC

    also you can add the flash drive letters and more drive letters to the forced folder section so that any autorun malware "whatever" is forced to run in the isolated environment of Sandboxie causing no harm to your original hard disk


    3-firewall-like features
    depending on the forced folders feature and the internet access feature we can limit the internet access of all the applications on your PC to those applications specified by you
    depending on 2 facts:

    A)all applications on your PC will be forced to run sandboxed
    B)we will limit the internet access of all sandboxed applications to a few applications specified by you

    so that
    the end result is:
    all malware present on your PC including trojans, spyware, viruses, keyloggers ....etc will be prevented from accessing the internet
    and even if they connected to the internet through another allowed application like for example your sandboxed browser, it will have nothing to do, because it is only allowed to run in the isolated environment of Sandboxie


    that was a summary of some extra advantages that can be found in Sandboxie


    to be continued :,,,,

    -----------------------------------------------------------
    continuing the 2nd part of the article

    4-Sandboxie for registry protection
    registry protection is one of the HIPS-specific features
    but using the above mentioned Sandboxie strategy, Sandboxie may offer registry protection near to that offered by other HIPS

    -setting the forced folders settings to cover most of the hard disk
    -setting the registry access for all the sandboxed programs "all the applications on the PC" according to the above condition
    registry access is either
    A) direct access "allowed" registry keys
    B)blocked access "denied" registry keys
    C)read-only access

    5-file and folder protection
    also this feature is a HIPS-specific feature and most of the well known HIPS include such a feature
    under the same strategy, Sandboxie may offer file and folder protection near to that of a HIPS

    -forced folders feature covering most of the PC "all applications on the hard disk"
    -setting the file access for all the sandboxed applications "in other words all the applications on the PC including any present malware as well"
    A)direct access "files accessible to sandboxed programs"
    B)full access "files accessible to sandboxed programs together with installed and downloaded files as well"
    C)blocked access "files not accessible"
    D)read-only access

    also you can set which program is allowed to access certain files
    and which one is completely blocked from reaching certain files

    6-virtualizing feature

    such a feature is specific to the instant recovery software like FD-ISR, Deep Freeze, my favorite Shadow Defender, Returnil, .....and so on
    understanding such a feature is somewhat complicated "to a little extent"

    what is virtualization software protecting Windows from
    for ex.
    1-installed applications
    2-browser temp files
    3-files copied inside the "C" drive by the simple copy and paste
    4-autorun viruses and worms coming from external media, CDs, or flash disks

    let's take them one by one
    1-installed applications
    all the applications are sandboxed; even if you installed one program, the install will run in the sandbox so that no files reach the Windows or the Program Files directory
    but note "sometimes applications when installed sandboxed fail to run because they fail to reach the registry or due to other causes, and allowing registry access may solve most of such installation problems"

    2-browser temp files
    as the browser is sandboxed, I think there's no problem here as this is the main function for which Sandboxie was 1st made

    3-files copied into the system drive
    for me, using a specific application like "Burst Copy" for copy and paste,
    running it sandboxed will cause no problem here

    but if you use the normal copy and paste of Windows
    I think it will also not cause any problem
    because copying, for example, a movie into the system drive will be so easy for a child to remove or move to any other non-system drive

    4-autorun viruses, worms, trojans from external media like CDs and flash disks
    setting the forced folders to cover all the drives that are and that are not yet present on the PC from D:/ to Z:/
    so that any autorun malware on such external media will be automatically sandboxed and isolated completely
    "this will be discussed in detail below"


    ----------------------------------
    big problem and simple solution

    but while configuring the forced folders settings, you will face a big problem which is somewhat related to some defects in the Sandboxie interface

    when you click forced folders ----then add folder---a browse window will appear
    and unfortunately you will find the drives that are already present on your hard disk,
    so how can you add other drives like any flash disk that will be added to your PC in the future
    at 1st I used Daemon Tools and Virtual CloneDrive to make virtual drives, to use their letters in the forced folders settings, then removed them from Daemon Tools
    but after a long search in the Sandboxie forum I found a simple solution for this problem depending on editing the configuration notepad file of Sandboxie "edit configuration"
    so that you can add all the drive letters available from D: to Z:


    --------------------------------------

    what is the overall strategy to use Sandboxie as the only application so that it may replace the HIPS, firewalls, virtualizing software,
    "strategy summary"

    1-Sandboxie settings ----forced folders----- add folders ----add all the drives EXCEPT "C:" system drive

    why o_O

    please try to imagine with me
    if we added the system drive to the forced folders so that any application on the C: drive will be forced to run sandboxed

    so where is the problem o_O
    Ohhh, dear
    Sandboxie itself being installed on the C: drive,
    when it runs it will be sandboxed, hehe I'm not joking
    Sandboxie will run sandboxed
    Sandboxie will run inside itself
    and when it runs to sandbox itself, the latter will also be sandboxed and so on
    a vicious circle will result
    an endless series of Sandboxies

    so that when I tried to add the system drive to the forced folders, my theory succeeded, and the computer froze

    back to the strategy
    remember 1-Sandboxie settings ----forced folders----- add folders ----add all the drives EXCEPT "C:" system drive

    2-by editing configuration
    we can add all the drive letters available to the forced folders from A: to Z:

    3-using the forced programs feature, we can add all the programs installed on the system drive "in the Program Files"
    so we can add all of them one by one "of course except Sandboxie itself"

    so that all the applications on the hard disks are now covered

    a)adding all the drives of the PC except the system drive to the forced folders section
    b)adding all the installed software on the system drive to the forced programs

    and by assuming that your system drive contains no other hidden programs or malware "clean system drive"
    now you are supposed to have all the programs on your PC covered

    -the non-system drives are covered completely "good wares and malware"
    -the system drive, all the installed programs, assuming that it's clean "fresh Windows"


    4-in the internet access settings, you can add the only programs on your PC that are allowed to access the internet
    so that all other applications on your PC "good wares and malware" will be blocked

    5-continue configuring the Sandboxie settings concerning other items:
    -file access
    -registry access
    -IPC access
    -windows access
    -low level access


    after all of that I've mentioned here
    I hope you get some benefit from it
    my friends, all of you are invited to discuss, add or remove whatever you see from all that I mentioned above

    sorry for the long article

    best regards
     
    Last edited: Sep 20, 2008
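The post's strategy summary (force every non-system drive, force every installed program except Sandboxie itself, allow internet access to a short list, then tighten file and registry access) and the "big problem" of forcing the drive Sandboxie lives on can both be captured as a small generator for the `Sandboxie.ini` box section, with a lint pass for the recursion pitfall the post ran into. The following Python is an added example written for this thread; it is not from the original post or from the Sandboxie project. It assumes Windows and Sandboxie are on `C:` in the classic default install folder, that `SbieCtrl.exe`, `SbieSvc.exe` and `Start.exe` are Sandboxie's own executables, that the key names (`ForceFolder`, `ForceProcess`, `ProcessGroup`, `ClosedFilePath` with `\Device\Afd*`, `ReadKeyPath`, `ClosedKeyPath`, `ReadFilePath`, `ClosedIpcPath`) follow the documented Sandboxie Classic `.ini` settings of that era, and the group name `<NetAllowed>` and the sample program list are constructed for the demo. Since the `.ini` syntax has changed between versions, check the emitted keys against the documentation for the version actually installed before pasting them in.

```python
"""Added example (not the thread's or Sandboxie's code): build and lint the
Sandboxie.ini box section for the "force everything except Sandboxie" strategy."""
from __future__ import annotations

import string
from dataclasses import dataclass, field

# Assumptions: Windows and Sandboxie live on C:, in the classic default folder.
SYSTEM_DRIVE = "C:"
SANDBOXIE_DIR = r"C:\Program Files\Sandboxie"
# Assumed names of Sandboxie's own executables; these must never be forced.
SANDBOXIE_EXES = frozenset(("sbiectrl.exe", "sbiesvc.exe", "start.exe"))


@dataclass
class BoxPolicy:
    """One [box] section of Sandboxie.ini, reduced to what the strategy needs."""
    box: str = "DefaultBox"
    forced_folders: list[str] = field(default_factory=list)    # ForceFolder=
    forced_programs: list[str] = field(default_factory=list)   # ForceProcess=
    internet_allowed: list[str] = field(default_factory=list)  # all others get no net
    read_only_keys: list[str] = field(default_factory=list)    # ReadKeyPath=
    closed_keys: list[str] = field(default_factory=list)       # ClosedKeyPath=
    read_only_files: list[str] = field(default_factory=list)   # ReadFilePath=
    closed_files: list[str] = field(default_factory=list)      # ClosedFilePath=
    closed_ipc: list[str] = field(default_factory=list)        # ClosedIpcPath=


def drive_roots_except(system_drive: str = SYSTEM_DRIVE) -> list[str]:
    """Every drive letter A: to Z: as a root folder, skipping the system drive.
    Letters with no disk yet are fine to list: the rule just waits for a flash
    disk or CD to show up under that letter (the 'edit configuration' trick)."""
    skip = system_drive.rstrip("\\").upper()
    return [f"{c}:\\" for c in string.ascii_uppercase if f"{c}:" != skip]


def folder_covers(folder: str, path: str) -> bool:
    """True if `path` is `folder` or lies inside it (case-insensitive, as NTFS is)."""
    base = folder.rstrip("\\").lower() + "\\"
    return path.lower() == base.rstrip("\\") or path.lower().startswith(base)


def build_policy(installed_exes: list[str], internet_allowed: list[str],
                 box: str = "DefaultBox") -> BoxPolicy:
    """Steps 1-4 of the strategy: force every non-system drive, force every
    installed program except Sandboxie's own, and allow the net to a short list."""
    forced = [e for e in installed_exes if e.lower() not in SANDBOXIE_EXES]
    return BoxPolicy(box=box, forced_folders=drive_roots_except(),
                     forced_programs=forced, internet_allowed=list(internet_allowed))


def lint(policy: BoxPolicy) -> list[str]:
    """Flag the recursion pitfall from the post: a ForceFolder that covers the
    Sandboxie install directory, or a ForceProcess naming Sandboxie itself,
    would make Sandboxie start sandboxed inside itself."""
    problems = []
    for f in policy.forced_folders:
        if folder_covers(f, SANDBOXIE_DIR):
            problems.append(f"ForceFolder={f} covers {SANDBOXIE_DIR}: Sandboxie would sandbox itself")
    for p in policy.forced_programs:
        if p.lower() in SANDBOXIE_EXES:
            problems.append(f"ForceProcess={p} is one of Sandboxie's own executables")
    return problems


def render_ini(policy: BoxPolicy) -> str:
    """Emit the [box] section. Key names follow the documented Sandboxie Classic
    settings (assumed); the <NetAllowed> group name is constructed here."""
    lines = [f"[{policy.box}]", "Enabled=y"]
    lines += [f"ForceFolder={f}" for f in policy.forced_folders]
    lines += [f"ForceProcess={p}" for p in policy.forced_programs]
    if policy.internet_allowed:
        # '!' prefix = apply to every program except the named group.
        lines.append("ProcessGroup=<NetAllowed>," + ",".join(policy.internet_allowed))
        lines.append(r"ClosedFilePath=!<NetAllowed>,\Device\Afd*")
    else:
        lines.append(r"ClosedFilePath=\Device\Afd*")   # nothing in the box gets a socket
    lines += [f"ReadKeyPath={k}" for k in policy.read_only_keys]
    lines += [f"ClosedKeyPath={k}" for k in policy.closed_keys]
    lines += [f"ReadFilePath={f}" for f in policy.read_only_files]
    lines += [f"ClosedFilePath={f}" for f in policy.closed_files]
    lines += [f"ClosedIpcPath={i}" for i in policy.closed_ipc]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a few installed programs, only the browser may go online.
    policy = build_policy(["firefox.exe", "winword.exe", "SbieCtrl.exe", "Start.exe"],
                          internet_allowed=["firefox.exe"])
    policy.read_only_keys.append(r"HKEY_LOCAL_MACHINE\Software")   # step 5 sample
    print("lint:", lint(policy) or "ok")
    print(render_ini(policy))
    # The post's mistake, reproduced on purpose so the linter can catch it:
    print("lint:", lint(BoxPolicy(forced_folders=["C:\\"])))
```

The linter is deliberately the interesting part: `drive_roots_except()` already leaves `C:\` out, but anyone hand-editing the file can add it back, and `folder_covers` also catches the subtler form of the same mistake (forcing `C:\Program Files` rather than the whole drive), which the GUI would happily accept.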
  2. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Hany3

    While some might object to your applying of terminology, there is no doubt Sandboxie is a marvelous application. Your analysis was excellent. Keep it coming.

    Pete
     
  4. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hi Pete, you know I'm not an expert so there may be some terminology defects and I'm sorry for that
    that's why I said, HIPS-like features, firewall-like features ..., anti-executable like ....... and so on

    which means that Sandboxie under certain circumstances and with some specific settings may offer some features resembling some of a HIPS or a firewall software
    and all of the above was trying to analyze and explain how and why that is.

    I very much appreciate your opinion especially when it comes from a security expert like you
    thank you, and I will
     
    Last edited: Sep 20, 2008
  5. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    I was using SafeSpace earlier. Just thinking of switching and buying SB.
    Thanks, Hany3 for showing me features/functionality I didn't know SB possessed. Now I am even more inclined.... Ok, I am downloading and installing now !!

    If there are any more such hidden treasures inside SB, do let everyone know.
     
  6. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  8. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Can anyone confirm that SafeSpace is almost dead? I wonder why, because it has good reviews here on Wilders. I tested it once but it was not to my liking so switched over to SBIE.
     
  9. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hi folks
    I completed the article
    have a look
     
  10. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
  11. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hi Pete
    the article is completed with all the related screenshots in the second reply
    sorry for being late
     
  12. minasmwl

    minasmwl Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    14
    hello Doc.
    thank you for your excellent analysis and kind efforts
    long article but full of precious new information
    I tried your strategy, and it works very well
    go on with these new ideas
    cheers
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks hany3 for your generous study and relaying some useful information along to our attention.

    Personally I get skittish, in spite of the fact SandboxIE is a marvelous invention and strong containment program, whenever newer versions, which are inevitable, are released, mainly due to the .ini syntax structures sometimes changing, but I understand the importance of this too.

    Excellent details. Gonna read them over again continuously and make notes until certain nothing has been overlooked on this end.

    GREETINGS

    EASTER
     
  14. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    see here:
    https://www.wilderssecurity.com/showthread.php?t=213792

    @Hany3: thanks again, for adding the second part of the article. :thumb:
     
  15. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    97
    Just tried this after reading some reviews that mentioned SafeSpace. Found that it conflicted with some firewalls, like Comodo's (even with its Defense+ HIPS feature disabled), which severely slowed any app that ran inside of it. Worked okay with just the Windows firewall (in WinXP). Alas, as you suspect, it is definitely a dead product. Read:

    http://forums.artificialdynamics.co.uk/messages.aspx?TopicID=114

    The dev group got disbanded and the code sucked into the parent company (who doesn't have any free versions of their products). Another free sandboxer is lost.

    Alas, Sandboxie degenerates into nagware after the 30-day trial. Being crippled, like not having Forced Programs (that always load a program into a sandbox no matter what parent loaded it as a child process), should've been enough to prod anyone that might consider paying for the product. I won't tolerate nagware ... ever, any more than I tolerate adware.
     
    Last edited: Oct 2, 2008