Discussion in 'other anti-malware software' started by Gobbler, Jun 29, 2012.
The title says it all.
I'll take the honors of being the first to respond again, though I'm well aware that I do NOT have the honors of giving the most accurate answer as is proven by my evolving viewpoint as seen in the "what can bypass anti-EXEs" thread.
That being said, I've always, *always* been a strong advocate for a layered approach. I've also always been a strong advocate of Sandboxie since like early 2010. I considered Software Restriction Policy as the best single layer any intermediate+ user could add since it's built into Windows...again, obviously my viewpoint has evolved.
The key difference is that the concept of sandboxing is fundamentally different - yes, it is another white-list based measure, but unlike anti-execution, it doesn't focus on disallowing anything...rather, it *contains* EVERYTHING. In that regard, it provides 100% protection from malicious content itself, be that exploits, trojans, spyware, whatever.
From the previous thread, I laid this out:
The only somewhat reliable...or viable (I'd go as far as to say only possible) ways to circumvent Sandboxie (bypass, avoid, whatever) at all are:
1. Social engineering: Trick somebody into recovering something to the hard
2. Anticipating weakened protection: Hoping the person you're attacking/exploiting has manually deviated from defaults for the worse and allowed certain behaviors outside sandboxes for convenience. Or, hoping a 64 bit user didn't enable Experimental Protection and having the expertise to make use of these trade-offs for an attack advantage.
3. Finding a bug in Sandboxie that allows for breaking out of containment: Doing so would be a high cost as far as I can tell, take a considerably large amount of time and effort, and it can be patched by the very proactive development of Sandboxie thanks to Mr. Ronen Tzur. In reality you have the same likelihood as finding a bug in a massively popular AV program so go do that where you can get more people exploited for your
I'll add to that list here because I forgot one...
4. Non-computing events that ruin your set-up such as burglary, warfare, and natural disasters that destroy not only your security set-up but your entire computer, home, and possibly you.
There's no such thing as true 100% protection, but Sandboxie and related technologies like VMs come seriously as close as you're gonna get.
I'm sure somebody will respond with a differing opinion that most likely will prove absolutely nothing since there actually being any testable logic, proof-of-concept, and/or malware in-the-wild able to actually verify whatever *they* claim is extremely unlikely. Heck...there's NOTHING to verify what I already claimed (other than tornadoes being scientifically real, and social engineering continually being proven to work,) but I guess we'll see...
...I suppose my views can continue to "evolve" as they did in the previous thread!
*bites nails anxiously awaiting incoming F.U.D.*
Thanks for your views but again, I will not take opinion of a person seriously who thinks that Sandboxie can protect from an XSS attack.
I didn't ask whether Sandboxie can protect against all types of attacks, but what types of attack can bypass it.
All cross-scripting does is exploit code between mal-web pages and browser exploits and they can be prevented with a few measures including even NoScript.
Because the endgoal is not to damage the OS but rather to redirect a user to a malicious page, this attack in my viewpoint falls under social engineering rather than a true bypass/circumvention/[insert favorite term here]. Learn how to identify a fake/mal website or get WOT.
If you're concerned about a legitimate website being compromised, which DOES happen, there's not really much anything can do about that if you get fooled and give your personal info to that site. BUT, of course, if that now mal-site tries to exploit anything on your PC, it will be unsuccessful.
And I must say I don't appreciate your tone...
I apologize if somehow I hurt your sentiments but it is common sense that Sandboxie just cannot stop something like a session cookie from being stolen simply by design, but something like NS can save you if a sensitive (financial/social networking) site has been compromised.
You didn't hurt my sentiments...your tone just frankly ~ Snipped as per TOS ~ because I believe no good can come from that kind of etiquette.
That being said, you are absolutely correct. It's very early, I'm not sleeping well, please forgive me everyone but on my list I forgot:
#5. Any exploit that deals with information stealing such as a keylogger that gets installed inside the sandbox, any attack capable of harvesting information already loaded inside the sandbox.
#6. Any attack not centered on the client but rather the server aka the website being visited.
This is why you clean it out and load a fresh sandbox before putting in browser master passwords (like in FFox) and before doing banking work.
Again, sorry, been a long day/night I wasn't thinking straight. I promise I'm not an idiot.
I sincerely hope you can take my opinions more seriously now.
I didn't say I didn't try to hurt, but your tone too was also not very pleasing in your very first post when you said things like warfare, burglary etc. It also sounded very sarcastic, but coming back to the point:
Again, whatever the reason may be, Sandboxie failed to protect me against an attack, but NS would protect me in such a situation, which, like SB, is locally installed software.
I apologize if that felt negative or sarcastic which was not at all my intent - I was being serious (or at least attempting to). I do consider (and I think others do too) non-software/hardware related damage and this is why some people have an off-site backup location like a safe or bank.
As for issues SBIE can't protect against, has anyone ever tried the following strategy, which is definitely unconventional and inconvenient, but definitely intriguing:
Disclaimer: It really can guarantee nothing since legitimate websites are routinely compromised, but...
1. Always sandbox browsing.
2. Have one non-admin account for personalized browsing when you need to log into something
3. Make another non-admin account with a new, clean browser profile with no logins saved ever for general browsing.
Natural disasters can apply to safes and banks as well lol, but I am glad we made it up between the two of us without stretching it too far.
Imagine this: we open MS Word inside the sandbox, write something and then save the .rtf file somewhere, and then we open explorer.exe (outside Sandboxie) and copy that .rtf file to another place.
What's the result?
STV's already broadly mentioned most avenues. Some things Sandboxie has nothing to do with e.g. what happens within the Sandbox, particularly within the browser itself. Other things depend on the rules of that sandbox, and what access restrictions have been lifted for convenience. The rest is just the theoretical chance of an exploit.
A file infector like Ramnit wouldn't be good if there is write access to the hard drive.
I've wondered if Firefox's bookmarks.html would have been at risk to this, but not looked into it properly.
Without experimental protection it's possible to do by gaining higher rights than sandboxie. With experimental protection you would likely need a bug - there isn't a hole in the idea itself.
Google Chrome sandbox is not 100% safe, they always find ways to circumvent the code, Sandboxie is not very popular, so you don't see many direct attacks against it...
Probably a targeted attack against Sandboxie or a bug found in it. There were such bugs in Sandboxie discovered in the past and they have been fixed by Tzur. Check the Sandboxie forums..
Various UNIX and LINUX dd, cp, chmod, chroot, pkg, installpkg commands + some code can wipe Sandboxie and the drive. But I don't think malicious code writers are that motivated w.r.t. Sandboxie. And I was just inspired to respond by the very title of the topic alone. Being perpetually lazy and more vivified than a hacker or bad coder, even a very old Sandboxie would suffice in protecting even a fairly risky user.
PS: DO REMEMBER THAT UNIX/LINUX OS'S ARE NOT THE ONLY OTHER PLATFORMS THAT CAN GO AFTER M$. LCF, ALGOL or even PROLOG or XLISP are out there invisibly, and can take out ANY M$ OS regardless of the security setup! Your prob of meeting these threats is infinitesimal.
I'm surprised no one has mentioned keyloggers yet, maybe I missed it. But Sandboxie is powerless against advanced keyloggers if I remember correctly.
Edit- I see it has been mentioned above along with MITM attacks.
In my experience, the result is quite satisfactory.
Double-clicking the file in non-sandboxed instance of Windows Explorer results in the tainted file being opened by a sandboxed instance of its associated reader (MSWrite, MSWord, whatever).
The above behavior is true when any file of any type (not just *.rtf) is loaded from a sandboxed path. To subvert this behavior, you could FIRST copy the file to a non-sandboxed path, THEN double-click that copy from a non-sandboxed instance of Windows Explorer. In that case though, protection hasn't "failed" ~~ you've chosen to subvert it.