Discussion in 'sandboxing & virtualization' started by Konata Izumi, Oct 19, 2011.
=p No problem. I'll figure that one out myself I suppose haha
Which is the better of the two, Sandboxie or Kaspersky Safe Run for Websites? Pretty new to all this and it's taking some understanding. lol
While both offer application virtualisation (in the Kaspersky Safe Run for Websites case, browser only), they ultimately take different approaches to achieve a similar goal.
Sandboxie is a stand-alone product so needs to offer wider-scope virtualisation protection, while Kaspersky's is offered as part of a suite and makes use of the different routes included in the suite (HIPS/Firewall/AV etc.) to give similar results. Some examples:
Sandboxie offers Start/Run restrictions to prevent unauthorised programmes running in the sandbox. Kaspersky does not, but has HIPS which (if configured properly) can prevent unauthorised application launches.
Similarly, Sandboxie can prevent internet access for programmes running in the sandbox, while Kaspersky has a firewall to restrict internet access.
I just prefer the granularity that Sandboxie brings. For example, I can prevent applications that I have set to allow in my firewall from accessing the internet inside the sandbox. Similarly, I can restrict an application that I'm happy to allow to run at other times from starting inside the sandbox. That can't be achieved in the Kaspersky version.
Practically, that means I can prevent something like my PDF reader (often an exploit target) from starting in my browser sandbox but allow it to run normally (or sandboxed itself in my set-up) when opening PDF documents not started by my browser. Again, with Kaspersky you could use Application Control to prevent the PDF reader from starting, but you would not be able to view PDFs at all. Restriction of applications only when started/called as part of a sandboxed session is a big advantage for me.
Sandboxie's ability to restrict read/write access to files and folder paths is also a big advantage, as is the ability to choose locations you can access directly or download to (you can only save to a single location with Kaspersky).
'Better' is a loaded word though and only really relevant in terms of opinion. In mine, there is no doubt that Sandboxie is a better application virtualisation solution in terms of configurability, flexibility of usage, scope of protection, commitment to development and impact on system performance.
For anyone who just wants something on-demand that will let you surf websites, with the resultant data dropped on completion, while taking advantage of the other product features, Kaspersky's version (or Avast or Comodo etc. for that matter) may be a 'better' all-round solution for you.
Keep in mind that...
The Safe Run mode, the component of Kaspersky Internet Security 2011, doesn’t work with Microsoft Windows XP x64.
The Safe Run mode works with limitations on Microsoft Windows Vista x64 and Microsoft Windows 7 x64.
Some features of some applications do not work.
SandboxIE has a 64-bit version and is fully functional.
Would all that configuration prevent installation of all forms of malware, including keyloggers, rootkits, spyware, backdoors, etc.?
For example, I'm looking for someone to help with how to do a configuration to protect against these keyloggers (since SBIE fails some of the keylogger tests; the main problem is the real keyloggers).
If malware runs inside the sandbox, would it not be able to connect out of the sandbox no matter what the situation is?
SBIE needs more testing like this (especially drive-by downloads).
Yes, the post above covers it pretty well.
If you empty your sandbox it will not have any malware.
Here's what I do...
I use LastPass to store all my passwords in.
LastPass will sign you into any "saved" website without any interaction from you (no keystrokes to monitor).
If I am about to do something sensitive (banking or shopping) I empty my sandbox and then open my browser again...log into LastPass...use it to navigate to my bank...LastPass logs me in automatically.
Meanwhile, I'm in a clean sandbox so I don't have to worry about any keyloggers.
If you have been on the internet for a few hours (sandboxed) and then decide to do some shopping, there is a chance that spyware could be running inside the sandbox...that's why you need to empty it before you do anything like that, just to be certain you're not being spied on.
Now if you have a keylogger on your REAL system, SandboxIE will not help you.
@CoolWebSearch First off, I don't consider Sandboxie an anti-keylogger; it is an application virtualiser. It can, though, be configured to give good protection against all types of malware, including keyloggers. Some things to note:
1) If you have malware, including a keylogger, present in your real system prior to running your sandboxed application, Sandboxie will NOT protect keystrokes from being logged simply because the application you are using is sandboxed.
2) If a sandboxed application (browser/e-mail etc.) downloads and executes malware inside the sandbox, Sandboxie will NOT, by default, prevent it running, including recording keystrokes if that is its goal. It will, however, remove the infection on shutdown if you set it to empty the sandbox on close.
3) If you add internet restrictions so only trusted applications can access the web, Sandboxie may prevent something running inside the sandbox, a keylogger for example, from sending out the stolen data, or other malware from phoning home.
4) If you augment the internet restrictions with (or only use) start/run restrictions, then malware that tries to launch inside the sandbox will be prevented from executing. No execution = no infection.
Sandboxie is very configurable, therefore there are many different set-ups that users consider safe. I, for example, have different boxes for every application I sandbox, and add start/run restrictions, internet restrictions, drop rights, block access to sensitive folders and have no quick recovery locations. I let sandboxed applications have direct access to certain folders for downloads, mail repositories etc., but then sandbox those folders, which have deny SRP policies set, so anything I let out of the sandbox is either prevented from running or run sandboxed. I then use an on-demand scanner or send to VT/Jotti etc. to confirm the file is safe before I move it to a permanent location.
Only you will know if that would suit you, probably not, but if you set up different sandboxes for each different threat-gate (browsers, e-mail, readers etc.), only allow trusted applications to start and access the internet in your boxes, and work out what you will do to ensure what you let out of the sandbox is safe, you will have good protection from the malware you list.
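The browser box described in the post above, written out as an added Sandboxie.ini fragment; this is an illustration, not the poster's own configuration. The box name, browser executable and folder paths are placeholders, and the key spellings (ClosedIpcPath/ClosedFilePath with the `!program` form, DropAdminRights, AutoDelete, OpenFilePath) are assumed from the Sandboxie documentation of that era, so check each against the documentation for your version.

```ini
; Added example of a tightly configured browser box. Not taken from the
; thread; placeholder box name, browser name and paths. Edit Sandboxie.ini
; with Sandboxie Control closed, then reload the configuration.

[BrowserBox]
Enabled=y
ConfigLevel=7

; Start/Run restrictions (point 4): only the browser may start in this box.
; Anything else that tries to launch inside the box is blocked.
ClosedIpcPath=!firefox.exe,*

; Internet restrictions (point 3): only the browser may reach the network,
; so a payload that does get in has no route to phone home.
ClosedFilePath=!firefox.exe,InternetAccessDevices

; Drop rights: everything in the box runs without administrative rights.
DropAdminRights=y

; Block sandboxed access to sensitive folders (placeholder paths).
; %Personal% is Sandboxie's variable for the user's Documents folder.
ClosedFilePath=%Personal%\Banking
ClosedFilePath=%Personal%\Tax

; Empty the box on close (point 2): downloaded or executed malware
; is discarded with the sandbox contents.
AutoDelete=y

; Direct (unvirtualised) access to one download folder for the browser only.
; SRP deny rules on this folder are configured on the real system, outside
; Sandboxie, so files let out here cannot run until they have been checked.
OpenFilePath=firefox.exe,%Personal%\SandboxedDownloads

; No RecoverFolder lines: no quick-recovery locations for this box.
```

The corresponding Sandbox Settings dialog in Sandboxie Control writes the same keys; the file form simply makes it easier to see every restriction on one box at once.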
Right...what chris1341 said.
If, however, you are using the free version (only one sandbox at a time) you should just remember to empty the sandbox before doing anything 'sensitive'.
Good point Prole thanks. I've used the paid version for so long I forget others don't!
Question: then why is Sandboxie excluded from MRG flash tests? All you have to do is configure it at the tightest level (like block access to the Internet for any malware, as well as block start/run for any malware).
And after you configure this, then MRG tests tightly configured Sandboxie with 80 or however many tests; only then can we see how good Sandboxie is in protection against these banker malwares or anything else.
I think that should be the right approach.
This is why I don't know why Tzuk excluded Sandboxie from testing; he could only give MRG tips on how to configure Sandboxie at the highest level, and then MRG tests Sandboxie against all of these kinds of threats, including banker malwares.
At least this is what I would do. I'd test both the default and the highest level of any security program.
That seems to me the proper way of testing.
MRG use default settings. If Tzuk put Sandboxie in, results would therefore be poor. Who wants that?
I'm sure some of the other vendors would want their systems set up for maximum efficacy, but from MRG's perspective they need a clean test bed so users, who let's face it in the vast majority of cases leave the defaults in place, can take a view on products tested with consistent settings.
SBIE is great, it's all I use real-time now, but, while effective as part of a wider set-up on default, it's not a complete solution out of the box.
Well, the expert users of SBIE would probably disagree. Because if you set a tight configuration in SBIE and disable/block any malware from starting/running, how come this is not a complete solution?
Yes, it's a bit complicated to block everything malicious in SBIE, but it can be done. And if SBIE blocks 100% of malware with this configuration, I fail to see how SBIE can't be a complete security solution (but only after configuration).
I hope other SBIE users could make a few words regarding this problem.
I'll leave that to them.
Forgive me if I am mistaken, but when you 'tighten' the configuration, Sandboxie doesn't know the difference between malware and a legit program, it just stops everything from executing. It's like the ultimate 'blacklist'.
That's why the Sandboxie 'motto' is - "Trust no program".
I don't think they would disagree, as my point was about a default config, which no 'expert' I see here uses. Configured properly, yes, SBIE is as good as it gets. My point was MRG test at default. As said, SBIE is all I use real-time, so I know how good it is.
This is very true. There is currently no anti-execute type software tested by MRG, so they may feel 'block everything' is not what they are trying to prove, just whether products that claim to actually manage to block malicious items.
Remember SBIE's only real weakness is you need to let things out occasionally to install on the real system. It does nothing to protect you from social engineering attacks where you are fooled into thinking a file is safe, so let it out or run it un-sandboxed. You should be careful in considering it a 'complete solution' unless you have a strategy for confirming what you let out is good.
Same here. The best proof that SBIE works is.....using the program for a while and not getting infected and when used on its own, the proof is even more solid.
Well, the best protection is that when malware tries to install, but it can't, because it has no place to install (if you remove Quick recovery folders/files). Isn't this the best protection available?
You can set up a sandbox this way; it seems like a good way of restricting the sandbox if you are not going to download anything. Create a sandbox this way and use it when you are not going to do downloads.
Well, I never download anything, I only need to protect from infection from my removable drives (if there is any). This is why SBIE is the best solution in that category.
You can block all programs from accessing the Internet; use the setting on your USB and CD/DVD drive sandboxes.
SandboxIE does nothing to stop a browser hijack stealing your credentials either. What is everyone doing to prevent that in your setups? Just browser add-ons?
Sandboxie has a few weaknesses, but yeah, social engineering is a big one.
Only allow installation of legitimate add-ons. That's all there is to it.
Many things are being done in my setup to prevent browser hijacks.
SBIE restrictions on Internet Access, Start/Run Access and Drop Rights will go a long way to stopping these threats.
One significant plan of action is to simply close the sandboxes that are open.
Microsoft's Safety & Security Center advises that browser hijacking takes control of the browser and "changes how and what it displays when you're surfing the web". MS then lists some signs that a browser hijack has taken place...
1) Home page or other settings change on your computer. Links are added that point to websites that you'd usually avoid.
2) You can't navigate to certain web pages, such as antispyware and other security software sites.
3) A seemingly endless barrage of ads pops up on your screen.
4) New toolbars or Favorites are installed that give you icons and links to web pages that you don't want.
5) Your computer runs sluggishly. Malicious software can slow down your computer.
Point being, there are signs that something is amiss, and a Sandboxie user, at any of these points, can close their sandboxed browser and the threat is gone.
Browser hijacks can be stopped by antivirus and antimalware programs that run alongside Sandboxie.
An AM with real-time IP blockers helps.
Ad blocking software can help.
Reputation filtering too... WOT, TrafficLight, etc.
And a firewall HIPS will be there with warnings if something is asking for access.
Just keeping your computer updated will help.
As will a program like KeyScrambler that encrypts all of the data fields being filled out.
Thanks Page42, I'm going to look into Keyscrambler. And I would agree with most of what you suggested. I use sandboxie, I like it a lot. Not to be too confrontational on my 4th post in this forum, but regarding the bit I quoted above: if you're seeing any of these symptoms, then it's too late! Someone already owns your session cookies, your credentials, etc. Closing the sandboxed browser won't change that.
If you know your system is clean, then limit what runs in the sandbox to only the browser. Limit what has network access to only the browser.
When you close the browser, clear the sandbox.
If you are worried about things like online transactions, then make sure you start with a clean sandbox, and that you only visit the website you need to access. If you can't trust your website to be secure (ie. a bank) then nothing is going to be safe for you IMO.
If you just browse and put in forum passwords, then maybe you don't need to delete the sandbox every time.
Sometimes it isn't how many security tools you use, but what you do that makes the difference.