Security Software and SBIE

Discussion in 'other anti-malware software' started by ams963, Jul 12, 2012.

Thread Status:
Not open for further replies.
  1. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Hi,

    After reading the post by Joe here, I was wondering if it is indeed a good practice to add software, especially AVs, in Software Compatibility in Sandboxie to allow sbie to work better with the software? And do you guys let sbie do its thing alone?

    I may not have clearly expressed my question, but I think you guys get it anyways, right? :D

    Your thoughts, advice and suggestions are really appreciated.

    Best Wishes,
    Iron Man
     
  2. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I think Joe hit it right on. The two technologies (Sandboxie and Identity Shield) are fundamentally incompatible. Trying to get either one to co-exist would considerably compromise your level of protection.

    The best implementation I've found is...

    Use Sandboxie (most of the time) when you want OS protected from browser.

    Use Identity Shield when you want browser protected from OS, like when banking.

    Don't try to make them compatible. It's not worth it...

    ...take it from me because I'm all for layered approaches to the max; but some layers are just not meant to co-exist.
     
  3. tomazyk

    tomazyk Guest

    I usually let SBIE add programs to the software compatibility list automatically. I don't know what the impact on my security would be if I remove EMET from the compatibility list and have browsers under both protections. There might be some conflict or one software couldn't do its operations correctly. I don't think that this makes SBIE's protection much weaker.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I look at it this way..

    SBIE will keep whatever happens to itself, unless I make an exclusion. It can access anything it needs in the OS, which is convenient, but keeps what it does out of the OS. Its primary purpose in life :)

    If I have clean system to start with, and I open all my browsers in SBIE, then I can be pretty certain that whatever I do online (with a browser) will never touch the real system.

    If I have one sandbox for browser A and always delete it after browsing, then I can be pretty certain that sandbox environment is always going to be clean. I can use it for banking or whatever activity I want, and trust it. I might go so far as to log into my bank, do my business, then close the browser so all traces are deleted. Then open the browser up again and go to a stock market site to order stocks or something. The concept is, keep it clean by segregating and deleting.

    If I have a different sandbox for browser B, and this one I do not delete, then wherever I have gone, whatever "bugs" I may have gotten along the way, are there the next time I start browser B. I "might" need a security program to work with this box, because I don't "really" know what is in it - could be a virus, could be a keylogger, could be nothing.

    Now here is my point. While I might need to have some security for that browser B sandbox, I don't "need" to if I don't want to. I can easily delete the box, thereby cleaning everything out. I could also create rules for the sandbox restricting what can run and what can have network access. There are many ways to approach this so that I don't "need" any extra security.

    But, those steps don't address where I go while using browser B. I might want NoScript or WOT or something running on that browser, even while inside the sandbox. I guess it depends on just how I want to protect, what I want to protect from and whether I think I need it. It all depends on how you use your sandboxie.

    If the system is CLEAN when you install SBIE, and you keep the system clean, you only have to worry about each sandbox environment, whether it is clean or not. And as shown above, you have choices on how to keep it clean or not.

    HTH.

    Sul.
     
  5. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    @sully

    Thx again, it was a nice long read.

    can I conclude that
    it depends on how we use the sandbox
    But we have no harm on using security software with sandboxie compatibility mode
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    No harm, might be on a per application basis, I don't know.

    But I would say, if a program is compatible with SBIE, it does indeed depend on how you use your sandbox(es).

    I am just showing how one could use SBIE in ways that could or could not benefit, that's all :)

    I have no vested interest one way or the other I guess.

    Sul.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Compatibility with outside applications from a sandbox by definition means you're allowing some data to leave the sandbox or that the sandbox is affecting the system. In a perfect world, this wouldn't be a problem, but if the outside application has any vulnerability or issue, you just opened yourself up for an infection.

    Frankly, even if there were no vulnerabilities ever anywhere, having any data extrude from a sandboxed process to cause an external application to act upon it violates the concept of a sandbox - the OS and applications should be unaware of anything in the sandbox, otherwise there's always the potential for an exploit.

    There is definitely a tradeoff here between usability and security, but if I were to use a sandbox, I'd want to be confident that nothing could affect the outside system and opening any named pipes/shared memory/mutexes/etc. defeats this model.

    Hope that helps :)
     
    Last edited: Jul 13, 2012
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    This is why I prefer not to open holes/apply software compatibility. In my case the only software that the setting is available for is 7Zip, the setting is not enabled but if I was using something like Avast, I would certainly apply it.

    So, Iron man, for me to apply or not to apply the setting really depends on the software. If I was using WSA/Identity protection and SBIE and wanted to use both software, I would follow the advice PrevxHelp gave you on the other thread.

    Bo
     
  9. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    thx for the answer sul

    I will keep my anti virus on compatibility mode
    since I haven't seen any vulnerabilities yet

    but from now on I'll search more carefully on what I add to compatibility mode
     
  10. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Thanks guys. I now understand what I've to do. Your help is much appreciated.

    Best Wishes,
    Iron Man
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Also, don't forget that it's possible to disable software compatibility in individual sandboxes. For instance, you may want to allow compatibility for 7-zip on its own sandbox, but not in any other sandbox.

    There are also a few global open paths for browsers (maybe other apps, I don't recall), which you may want to disable as well. If you use Google Chrome/IE/Opera, then there's no need to allow access to Firefox's phishing database/whatever it is. Etc.
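
An added example, not part of the thread and not Sandboxie's own code: a small audit that lists, per section of a Sandboxie.ini, the settings that open a path out of the sandbox (software compatibility `Template=` entries and the `Open*` family, including the named pipe and IPC openings discussed above). The sample configuration, sandbox names and template names are constructed placeholders.

```python
import re

# Constructed sample configuration; template names and paths are placeholders.
SAMPLE_INI = r"""[GlobalSettings]
Template=ExampleAntivirus
Template=ExampleArchiver

[DefaultBox]
Enabled=y
OpenIpcPath=*\BaseNamedObjects*\ExampleAvMutex*
OpenPipePath=\Device\NamedPipe\example_av_pipe

[BankingBox]
Enabled=y
ClosedFilePath=C:\Users\*\Documents\*

[ArchiveBox]
Enabled=y
Template=ExampleArchiver
OpenFilePath=C:\Temp\extract\*
"""

# Settings that let sandboxed programs reach resources outside the sandbox.
HOLE_KEYS = {"template", "openfilepath", "openpipepath", "openkeypath",
             "openipcpath", "openwinclass", "openclsid"}

def parse_sections(text):
    """Parse INI text into {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit_holes(text):
    """Return {section: [(key, value), ...]} restricted to sandbox openings."""
    return {name: [(k, v) for k, v in entries if k.lower() in HOLE_KEYS]
            for name, entries in parse_sections(text).items()}

if __name__ == "__main__":
    for box, holes in audit_holes(SAMPLE_INI).items():
        print(f"[{box}] {len(holes)} opening(s)")
        for key, value in holes:
            print(f"    {key}={value}")
```

A sandbox that reports zero openings of its own can still be affected by entries under `[GlobalSettings]`, so review that section first.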
     
  12. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Thx for the trick. :)
     