The ErikAlbert Approach - A test

Discussion in 'FirstDefense-ISR Forum' started by Peter2150, Nov 27, 2007.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    As concerns PC Security, that doesn't really mean much to me when running with SandboxIE. As those results already point out, SandboxIE confines the virus so it can't reach the data partition. No user should ever just depend anyway on a single app as a protect-all, hence the layered approach.

    I would be curious Peter2150 if you could re-run that test again but instead of PC Security use a partition HD Manager to set the data partition flag to "hide" and see if the results are the same again or not. If different and the virus fails to penetrate, then I have an equal concern as Erik about PC Security, and will resort to manually setting the flags. It also looks like if setting the data partition flag to "hide" PASSES then PC Security suffers from a critical limitation I need to take seriously myself.
     
  2. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    @Pete

    What about exploits for SandBoxie. You know my way is better in the end. :)

    Setting the physical flag that the hard drive's been removed is a winner. They can't see what's there to begin with, but they can with any software installed.

    You're relying on Sandboxie protecting the browser port but not any other port that can get you.
     
    Last edited: Nov 29, 2007
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    When you make a deny create rule in GesWall, that means nothing will be created in the target location, so no question of cleaning.

    Otherwise the latest beta has the ability to scan, browse and delete the isolated files, but it's a bit different from SBIE as there is no file virtualization (contrary to SBIE). DW also has a rollback function but I don't have much experience with that. GW's future is questionable at the moment until we see any activity from them.
     
  4. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    I already did in post 69, I think you missed it as we posted at the same time perhaps. Here again.

    revoSleep v0.2.4_BETA http://revosleep.realspooky.de/

     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    You have a trial of something. Although I have to say at first glance that utility markymoo posted is very cool indeed.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I sure did. Also I edited your post with the link, so if any other mods saw it they would know I've tested and confirmed it's okay.

    Pete
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In theory, I agree totally. Going to put that little guy to the test tomorrow. It's late here, and I am getting brain dead.

    I say in theory, as I can almost guess what has been done will pass with flying colors. Also I like the concept, as I like to lock down my host when playing with nasty stuff in the VM machine. The reason for my overall preference toward the Sandboxie approach is it's transparent. Kind of like my beef with Anti Executable. I'd go to download, and then remember oops, have to turn AE off. Then download and remember to turn back on. It would be the same with this little utility. Have to turn it on to surf, and then remember to turn it off. With Sandboxie, I do nothing. When I fire up my browser it's automatically in the sandbox, and anything that comes in from it is constrained and can't reach the other drive. I am giving up a small percentage of safety for convenience.

    However, as I type, ideas of its usefulness keep cropping up.

    Thanks for the heads up.

    Pete

    PS. As an example. For browsing, and all the crap that can come that way, Sandboxie is the way. However if I want to test a potentially dodgy install, I update my FDISR archive on my d: drive, and then with your little jewel make the d: drive gone. Then if it's really bad, restore an image which although old would again see the d: drive, and then use the archive for recovery. Yep, I see this as a keeper.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My appeal with Sandboxie is I can let the browsers do ActiveX, whatever else I want, and the stuff is isolated, and easily deleted.
     
  9. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    ...and a cool find too. I'm sure it'll get better, as it sounds like a keen new project for the author and still in beta. I suggest options for hiding it from the systray and a password and a timer. It's amazing no little application like that hasn't been around till now.

    SandBoxie is superb, I totally agree. I'm using it already lol. An essential.
     
    Last edited: Nov 29, 2007
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for that confirmation. I thought as much but didn't have the time to throw some malware at this, but it makes perfect sense of course, and you hit it right on the nose: a software IS NOT the same as setting the drive flag. So then questions, this little app you shared, does it do the partition flag setting itself? I mean, it might be a software too, but once any partition's flag has been set to "hide"/"inactive" or whatever, the drive is isolated from the system/apps etc. if I get this right.

    Thanks markymoo
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One thing I want to do, and it may take a day or two. I've put Sandboxie thru the wringer as have others. It has held up. But before I'd say to Erik, here use this, I want to put this utility thru the wringer,

    i.e. rebooting with the drive hidden, and various other things of that nature. Want to see if I can break it. Naturally I will do this in the VM machine first. Once it passes the torture test, then it may be perfect for Erik, with or without Sandboxie.

    This certainly has been an interesting adventure.

    Pete
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Many thanks Peter for the detailed instructions. It all worked as you wrote.
    For now, it's my understanding that any sandboxed application has NO ACCESS to my data partition [D:].
    I sandboxed MS Word and I couldn't get to my documents, so that worked also.

    On the other hand any unsandboxed application has access to my data partition.
    I hope I understood this right. :D

    PS: I won't discuss Sandboxie any further in this forum. If I have questions, I will ask them in the appropriate forum. This was only to protect my data partition as quickly as possible.
     
  13. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    Yes it will turn off a partition also. I only just discovered it so I can't vouch for its safety yet. It works by sending the drive to permanent sleep. It looks like some custom code using the power function to force it to permanent sleep and some other things, so who would guess you sent your drive to full sleep? lol so that's a secure aspect right there. I don't see how you can send a partition to sleep without the hard drive so something else too. A drive has only so many power down/up cycles built into it; apparently laptop drives are capable of around 600,000 spin downs/ups compared to 40,000 for a desktop drive - if a disk spins up/down every 10 minutes, it is estimated it will break within one year. As long as you don't turn your drive on and off a lot each day it should last a decent number of years anyway. This is why it's better to leave your pc turned on, as less wear and tear on the hard drives, as discussed recently.

    No, a drive that has the hidden flag set is still there connected to the pc. It can be made unhidden by the same software that hid it or another, and the drive isn't locked like the c drive so it can be unhidden while in Windows. There's 2 ways to hide a drive: either by setting the disk signature in the MBR to hidden, which is what partition software does, or the milder hide it from Explorer by setting it in the registry. Having said all that, setting it to hidden is still a really good secure thing and will be enough in real situations. In my book if a hard drive lasts 2 years that's enough, especially as they are a lot cheaper to buy for a lot of storage now. In 2 years we'll have cheaper solid state drives. :)

    @ErikAlbert
    Glad you found a solution :thumb:
     
    Last edited: Nov 30, 2007
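    The two hiding mechanisms markymoo describes above (the partition-manager "hide" flag that EASTER asks about, and the Explorer-only registry hide), worked through as an added example; this is not code from the thread or from any tool named in it. What partitioning tools flip is the partition type byte of the 16-byte MBR table entry: a Microsoft filesystem type gets bit 0x10 set (0x07 NTFS becomes 0x17, 0x0B FAT32 becomes 0x1B), so Windows no longer mounts it, while the data and the disk signature stay untouched. The Explorer-only method is the NoDrives bitmask under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which only hides the letter in the shell. The sample MBR bytes below are constructed; the LBA values are arbitrary.

```python
import struct

# MBR layout: 446 bytes of boot code, four 16-byte partition entries at
# offset 0x1BE, then the 0x55AA signature at offset 510.
MBR_SIZE = 512
TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
HIDDEN_BIT = 0x10  # partitioning tools set this bit to "hide" a Microsoft partition

# Base (unhidden) type IDs that have a hidden variant with HIDDEN_BIT set.
TYPE_NAMES = {
    0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
}

def parse_partition_table(mbr: bytes) -> list:
    """Return one dict per non-empty MBR partition entry."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        boot, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype == 0x00:  # unused slot
            continue
        base = ptype & ~HIDDEN_BIT
        known = base in TYPE_NAMES
        entries.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "fs": TYPE_NAMES.get(base, "unknown") if known else "unknown",
            "hidden": known and bool(ptype & HIDDEN_BIT),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries

def toggle_hidden(mbr: bytes, index: int, hide: bool) -> bytes:
    """Return a copy of the MBR with entry `index` marked hidden (hide=True) or visible."""
    off = TABLE_OFFSET + index * ENTRY_SIZE + 4  # type byte sits at entry offset 4
    buf = bytearray(mbr)
    ptype = buf[off]
    if (ptype & ~HIDDEN_BIT) not in TYPE_NAMES:
        raise ValueError(f"entry {index}: type 0x{ptype:02X} has no hidden variant")
    buf[off] = (ptype | HIDDEN_BIT) if hide else (ptype & ~HIDDEN_BIT)
    return bytes(buf)

def nodrives_mask(letters: str) -> int:
    """Explorer NoDrives bitmask: bit 0 = A:, bit 1 = B:, ..., bit 25 = Z:."""
    mask = 0
    for ch in letters.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"bad drive letter {ch!r}")
        mask |= 1 << (ord(ch) - ord("A"))
    return mask

def build_sample_mbr() -> bytes:
    """Constructed MBR: bootable NTFS system partition, then an NTFS data partition."""
    def entry(boot, ptype, lba_start, sectors):
        return struct.pack("<B3sB3sII", boot, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, sectors)
    mbr = bytearray(MBR_SIZE)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = entry(0x80, 0x07, 63, 41943040)
    mbr[TABLE_OFFSET + 16:TABLE_OFFSET + 32] = entry(0x00, 0x07, 41943103, 125829120)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

if __name__ == "__main__":
    sample = build_sample_mbr()
    for e in parse_partition_table(toggle_hidden(sample, 1, True)):
        print(e)
    print(f"NoDrives value to hide D: from Explorer: 0x{nodrives_mask('D'):08X}")
```

    Run against a real disk you would read the first 512 bytes of the physical device instead of `build_sample_mbr()`. The two methods differ exactly as the post says: the type-byte flip keeps Windows from mounting the volume at all, so no drive letter exists for a process to open, whereas NoDrives leaves the volume mounted and any program that knows the letter can still read it.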
  14. Ragzarok

    Ragzarok Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    85
    Hello,
    Thanks for the sample Peter.
    Having played with it for an hour, I can report that, at least for this particular virus, the folder protection program I am using called "Folder Security Personal v 1.4" from y0ys.com did its job.
    As with the program "pc security", FSP also allows various types of protection for non-system partitions. And even though I've not tested other programs of this type, this one has been able to prevent access to data by 2 different trojans: Poison Ivy, and Bifrost. As well, to its credit, McAfee VirusScan Enterprise v8.5 also prevented execution of this virus with the on-access scan module.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Absolutely, almost all AVs should detect this. In all honesty I didn't test this program against the virus. I stopped when I was able to format the drive from the command line. PC Security did stop that. When you tested, did you unhide all the system stuff and check to see if the stuff the virus dropped was there?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    Yes you are correct. An unsandboxed application has access to your drive, but anything in the sandbox does not. This is a big plus to me, as I can work on my computer normally, but when online with my browser, anything I specify is protected. On a side note. I don't sandbox my email clients, but if I get an email I am suspicious of, but want to check out, I leave it in my client, and go online to the webmail feature of the ISP, and check out the email that way. By doing this I am protected. This works well for me as I get few emails I need to worry about. Otherwise I'd make the effort to put it in the sandbox.

    Note also there is a terrific amount of info and help in the sandboxie forum.

    Pete
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Finally, to round out this little project, I've contacted Ilya, and he will make another trial available to me to test Defense Wall. That will come later.

    @markymoo. Thanks for the update on the utility that hides the drive. Sounds like it essentially turns off the drive by putting it to sleep. I don't know if that bothers me or not for real hardware. Doesn't matter in the VM machine.
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    What about the warning not to put the drive to sleep "too often"?
    The idea is interesting BUT during the working day I find myself writing a letter to be stored on D: (better have D: turned on). Then on a whim I decide to check on Wilders (better turn D: off). Not sure I'm too keen on the idea of on off on off
    all day long. I can see situations where this would work well but not for me.


    @Peter - do you use Sandboxie with Firefox or just IE?
     
  19. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Peter, et al, so Sandboxie plays nicely with FirstDefense? How about using Sandboxie inside of a Frozen Snapshot, double protection? After a days work turn off Sandboxie which would "dissolve" everything and then the next morning upon reboot, the FirstDefense Freeze would also do its thing. :cool:

    Acadia
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Opera and IE7 as browsers.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    First Defense just treats the sandbox as more stuff on the disk. They work fine together. I do it manually, although you can do it automatically, and just empty the sandbox when I close the browsers.

    The two apps play perfectly together for me. Looking forward to hearing back from Erik.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Followup on this revoSleep. Not sure I really would consider it a solution. I turned it on, hid my second drive, and rebooted. When I got back, my second drive was wide awake and accessible. Combining that with the wear factor on a real drive, I am not sure this little fellow is yet ready for prime time. Worth watching though.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Peter,
    I can't tell much since I have Sandboxie less than one day and I hardly know this software.

    The installation of Sandboxie was normal and I configured it according to Peter's instructions to protect my data partition, which was the most urgent thing to do.

    After that I turned AE back ON to add Sandboxie to the whitelist. AE approved it after a few seconds, the usual time for a new software, nothing special.

    Then I froze the system, which is a copy/update from snapshot to archive (freeze storage.arx).
    No errors, normal speed. I rebooted between my off-line and on-line snapshot and vice versa. This means that the automatic copy/update from archive to snapshot also works. Even my reboot is 12 seconds faster; I also removed 2 programs, PC Security and DefenseWall, and that is probably the reason.

    Until now, there is no indication whatsoever that my system partition isn't working properly. But again, using Sandboxie less than one day doesn't prove anything.

    The GUI of Sandboxie has been improved A LOT and it has now the level of DefenseWall.
    After protecting my data partition "D:\" in a user-friendly way, I checked
    the file "Sandboxie.ini" with notepad and this line was added: ClosedFilePath=D:\
    As far as I remember, I had to type this line manually in the past.

    For those who wonder why I use a frozen snapshot, the reasons are very simple.
    1. I don't trust any of my security applications: Windows Firewall, Anti-Executable and Sandboxie.
    If malware succeeds in bypassing these 3 security softwares, my system partition is INFECTED and then my frozen snapshot will remove it during reboot: no change = no change.
    If I don't believe in this, it means that I don't trust the copy/update + archives and then I don't see any reason to use FDISR anymore.

    2. A frozen snapshot and its clean archive keep my system partition constantly CLEAN and I'm not talking about malware only, I'm talking about superfluous objects installed by softwares, while they are doing their job.
    To keep it short, a clean archive is a supercleaner, that does a much better job than all registry cleaners and other cleaning tools together.
    A clean archive does it safely, more completely, always the same way and without human mistakes.
    I don't run all these cleaning tools anymore, just one daily copy/update from archive to snapshot (off-line snapshot) or a simple reboot (on-line snapshot).
    In other words, I save a lot of time: no scanners and no cleaning tools.

    Regarding malware on my system partition, I also have my theories.
    The biggest source of infections is Firefox. Not my spam-emails = no opening, no reading, immediate removal.
    Whatever happens in Firefox, all bad things are isolated in a sandbox by Sandboxie and my data partition is locked.
    I even isolate malware a second time, because my system partition is empty and contains only Windows + Applications.
    What is a malware going to do in a double isolation?
    Change my system partition? I fix that with a simple reboot in less than 2 minutes.
    Damage my system partition? I fix that with a simple reboot or an image in less than 10 minutes.
    Steal personal data? There is nothing to steal.
    I don't even know if I'm infected or not. The only way I can see this is visual effects.
    Why would I care, a simple reboot and everything is gone and I like it that way.
    A user who runs an on-demand scanner weekly and finds a malware, that is SCARY.

    Trusting PC Security was indeed a big mistake. Thank you. :)

    PS: now I'm going to read and translate Markymoo's numerous posts. ;)
     
    Last edited: Nov 30, 2007
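    A way to repeat the check Erik describes (a sandboxed program cannot reach D:, an unsandboxed one can) without opening Word each time, added here as an example; it is not code from the thread or from Sandboxie. Run the probe once normally and once launched through Sandboxie: with ClosedFilePath=D:\ in Sandboxie.ini the sandboxed run should report the path as blocked, the normal run as reachable. The default target D:\, the probe file name and the `cleanup` switch are this example's own assumptions; the directory used in the test is a constructed temporary one.

```python
import os
import sys
import tempfile

PROBE_NAME = "sandbox_probe.tmp"  # assumed name; change if it collides with something real

def probe_path(path: str, cleanup: bool = True) -> dict:
    """Report what the current process can do with a directory.

    exists   : os.path.isdir succeeds (a Sandboxie ClosedFilePath looks absent or denied)
    listable : os.listdir succeeds
    writable : a small file could be created and read back
    The probe file is removed unless cleanup=False, so that an unsandboxed
    process can later check whether the write really landed on the drive.
    """
    result = {"path": path, "exists": False, "listable": False, "writable": False,
              "probe_file": os.path.join(path, PROBE_NAME), "error": None}
    try:
        result["exists"] = os.path.isdir(path)
        if not result["exists"]:
            return result
        os.listdir(path)
        result["listable"] = True
        with open(result["probe_file"], "w", encoding="ascii") as fh:
            fh.write("probe")
        try:
            with open(result["probe_file"], encoding="ascii") as fh:
                result["writable"] = fh.read() == "probe"
        finally:
            if cleanup:
                os.remove(result["probe_file"])
    except OSError as exc:
        # PermissionError / FileNotFoundError are what a closed path produces
        result["error"] = f"{type(exc).__name__}: {exc.strerror or exc}"
    return result

def probe_left_behind(result: dict) -> bool:
    """True if the probe file from a cleanup=False run is visible to this process."""
    return os.path.exists(result["probe_file"])

def summarize(result: dict) -> str:
    if result["writable"]:
        state = "REACHABLE"
    elif result["listable"]:
        state = "read-only"
    else:
        state = "blocked"
    extra = f" ({result['error']})" if result["error"] else ""
    return f"{result['path']}: {state}{extra}"

def make_sample_dir() -> str:
    """Constructed stand-in for a data partition, for offline use of this example."""
    return tempfile.mkdtemp(prefix="data_partition_")

if __name__ == "__main__":
    targets = sys.argv[1:] or ["D:\\"]
    for target in targets:
        print(summarize(probe_path(target)))
```

    One caveat the probe makes visible: without a ClosedFilePath entry, a sandboxed run will still report REACHABLE, because Sandboxie lets the write succeed into the sandbox copy. Run it with `cleanup=False` inside the sandbox and then check from an unsandboxed process with `probe_left_behind()`; if the file is not there, the write never touched the real drive.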
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    Yeah, gui is a 1000% improvement. If you haven't bought it, just make sure you start your browser sandboxed. You should see the # signs in the browser windows. Once you register it, (you can use it on any and all machines, so snapshots won't be an issue) you can force any browsers you use and they will automatically sandbox.

    Also keep in mind if you download something, and are sure of it, you can recover it from the sandbox(or open it in the sandbox to check it) and then manually copy it to your other drive.

    On the other hand you can surf and then reboot, and it's cleaned by FDISR.

    Feel free to ask if you have any questions.

    Pete
     
  25. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    More interesting stuff, thanks fellows. So getting back to my question, using Sandboxie INSIDE of a frozen Snapshot: Can you guys think of anything that using a setup like this would NOT protect you from, something that could still nail you?

    Thanks,
    Acadia
     