What would you run with WSA Essentials and Sandboxie?

Discussion in 'other anti-malware software' started by justenough, Apr 8, 2012.

Thread Status:
Not open for further replies.
  1. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    I just bought Webroot SecureAnywhere Essentials to go with Sandboxie on my Windows 7 x64 machine. I haven't changed any of the settings and don't really know yet everything that WSA covers. What do you think would be good to run alongside those two programs?

    Edit: By post #17 below Kees1958 has given detailed instructions on how to set up WSA-E and I'm running WSA-E without Sandboxie.

    Further Edit: By post #22 Sandboxie is back on, used with WSA-E and Firefox. With Chrome it is just WSA-E.

    Last Edit: And by post #28 we have some good news from tzuk about Sandboxie, and coming full circle I am happily running WSA-E with Sandboxie and Chrome.
     
    Last edited: Apr 11, 2012
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Personally, I think you're set. Having Sandboxie as part of your setup greatly simplifies things. You could change Heuristics settings in WSA to have it be more "proactive" when dealing with unknown things running on your system (particularly any baddies that you're not running in SBIE), and maybe change the Firewall settings to "Warn if any new untrusted processes connect to the internet" instead of "...when infected".
    You could add MBAM or HMP as second opinion scanners, but not really needed IMO.
    For browsers- if you're using IE9 turn on UAC to have Protected mode, use Adblock extensions for browsers that you use.
    A DNS service like Norton DNS could also be added as a transparent protection layer.

    Edit: whoops, just saw your sig... seems you already got what I suggested.
     
    Last edited: Apr 8, 2012
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I agree with 3x0gR13N. WSA-E and Sandboxie should be all you need.

    Just make sure the Windows firewall is also turned on and you're good to go.
     
  4. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Thank you for the advice pegr and 3x0gR13N. I moved the Local Advanced Heuristics up a notch to High and changed the firewall setting as suggested. It looks like there's a behavior blocker in WSA-E so I've removed Mamutu.
     
  5. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    You can also take a look at https://www.wilderssecurity.com/showthread.php?t=320757
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have WSA on my wife's laptop, so increased security settings are not allowed to generate pop-ups. Here is how I tightened WSA:

    1) Firewall
    - from main WSA window
    - click PC security button
    - select firewall tab
    - select third option "Warn if any new untrusted process connects to the internet"

    2) Heuristics
    - from main WSA window
    - select "Settings" text on the left bottom corner
    - select Heuristics text in the vertical menu

    a) LOCAL
    Apply advanced heuristics AFTER age/popularity check
    Advanced heuristics MEDIUM- Age heuristics HIGH - Popularity heuristics LOW

    b) USB
    BEFORE
    HIGH - LOW - HIGH

    c) INTERNET
    BEFORE
    HIGH - LOW - HIGH

    d) NETWORK
    AFTER
    MEDIUM - LOW - MEDIUM

    e) CD/DVD
    BEFORE
    MEDIUM - LOW - LOW

    f) OFF LINE
    BEFORE
    HIGH - LOW - DISABLED

    3) Processes protection (policy sandbox)
    In the default setting WSA has some nice containment policies for untrusted processes (like preventing untrusted processes from modifying kernel memory and system processes) and extras for infection removal (like enabling advanced tracking analysis for untrusted processes).

    To make the most of these protection extras I have reset all the internet facing software to untrusted manually.
    - start all your internet facing software (mail, web browser, media player)
    - from main WSA window
    - click System Tools button
    - select System Control tab
    - click the "START" button below the text "Control Active Processes"
    - select the radio button "Monitor" for all internet facing software as shown in the picture below

    Note
    Chrome has a built-in sandbox. With WSA containing it as a second safety net (process containment and stronger internet heuristics), this combo is really strong enough for normal internet usage (at least I think that my wife is using it as an average user :) ). It is advised to use SBIE with weak browsers having no protected mode/low integrity sandbox like Firefox or when you want third party protection for dodgy browsing. To understand why Chrome's sandbox is capable of dead stopping inter process messaging on x64 and SBIE is not (without experimental protection), read this http://www.chromium.org/developers/design-documents/sandbox and this http://www.sandboxie.com/index.php?ExperimentalProtection

    :thumb:
     

    Attached Files:

    Last edited: Apr 9, 2012
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    thanks Kees, greatly appreciated.:thumb:
     
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Good stuff man :thumb: ....I've set all the heuristics to after and medium...
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    A note to SBIE users on Vista/Windows7

    Chrome has a built-in sandbox. With WSA containing it as a second safety net (untrusted process containment and stronger internet heuristics), this combo is really strong enough for normal internet usage (at least I think that my wife is using it as an average user :) ).

    I hope Tzuk changes SBIE to not remove the low rights token. After all he added Drop Rights after a while back in XP days (maybe my rants against running weak threat gate applications with high level/admin rights have contributed to this). Just tell Tzuk some idiot is criticizing his beautiful application because removing the low rights sandbox of IE and Chrome is really making no sense at all.

    "Hey dude I really found this cool application sandbox. It first removes the built-in LOW integrity sandbox of my browser, then drops rights to MEDIUM level again and uses some undocumented APIs to achieve NEARLY the same level of messaging containment of the built-in browser sandbox", logical ain't it?

    To understand why Chrome's sandbox is capable of dead stopping messaging on x64 and SBIE is not (without experimental protection), read this http://www.chromium.org/developers/design-documents/sandbox and this http://www.sandboxie.com/index.php?ExperimentalProtection . SBIE is a great application and adds a lot of protection, so I am not saying it is useless. It is advised to use SBIE with browsers having no protected mode/low integrity sandbox like Firefox or when you want third party protection for dodgy browsing (and know how to configure the paid version of SBIE).

    So maybe SBIE 4.0 has low rights sandbox included (like the free BufferZone V4 PRO is now capable) ;)
     
    Last edited: Apr 9, 2012
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My point is that different threat gates have different risks, so I would use this granularity of WSA to the max. I agree a little with Trjam's criticism that WSA has so many settings that most people use the default, so offer two interface modes, a simple one with some options and an expert mode with all the current options.

    EAM or WSA are the only security applications I considered paying for. I chose WSA over EAM on the laptop because it feels lighter and WSA Essentials has the man-in-the-middle protection feature. I see you run both together, impressive.
     
  11. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I get your point.....yeah WSA offers many settings and extra features so it can be tightened up thus increasing protection without much of a hassle.....
    Since WSA is on your wife's laptop and so increased security settings are not allowed to generate pop-ups, you could also check 'prevent any program from modifying hosts file' in the core system shield......
     
  12. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Thx buddy.....I thought since WSA and EAM are very much compatible with other security software why not use them together......WSA nicely fits in with EAM.....with WSA tightened up, my security is in good hands I guess......
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, already set the hosts file protection through ACE (users not allowed to change), standard hardening procedure :thumb:

    Although they cover the same areas, their HIPS and behaviour protection have different strategies of dealing with attack vectors, so they overlap in a useful way.
     
  14. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    oh! I see...then that's :thumb:........
     
  15. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Sure thing :thumb: .....I think WSA can really be compatible and in some cases complement other security software like AV/IS....and WSA can be run alone with tightened settings.....I prefer the first.....
     
  16. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Very helpful posts Kees1958, thank you. I'm almost done setting things up the way you suggested. Sandboxie has been my favorite security program for a couple of years and Chrome is my favorite browser, so I'm not sure how I will decide on whether to use WSA-E with Sandboxie and Firefox or just Chrome without Sandboxie.
     
  17. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    This is an unexpected outcome of asking the original question. I'm going to try going without Sandboxie, using the WSA settings that Kees1958 posted here, along with Chrome. I've turned on MBAM real-time protection until I feel comfortable with this new setup.
     
  18. NNard

    NNard Registered Member

    Joined:
    Jun 23, 2007
    Posts:
    42
    Location:
    New York
    I run WSA Essentials with MBAM Pro and have no problems whatsoever.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    One month ago a student used a cross-site scripting exploit and "bad history navigation" (whatever that is) to escape Chrome's sandbox. You may recall, this was at Pwn2Own. Another vulnerability was also found by a security firm that bypassed Windows-based safeguards such as DEP and ASLR. They were then "able to exploit a vulnerability found in the default installation of Chrome which also allowed them to escape Chrome's sandbox". Noted here.

    I use Chrome browser, and I'm pleased that they are patching vulnerabilities, but I wouldn't let Sandboxie go.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You could always use SBIE with FF for dark side of the internet and WSA plus Chrome for daily internet use. SBIE is a great application, just poking some criticism to get it better ;)
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    SBIE has also been bypassed in the past. The difference with Tzuk is that he patches a few days later, compared to other big companies (the same eagerness to make his program 100% can be awarded to Ilya with his DefenseWall by the way). As said, just making some noise to stimulate Tzuk to further improve SBIE. It makes no sense to undo the low rights sandbox of IE and Chrome. BufferZone and DefenseWall for comparison do not undo this built-in security.
     
  22. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Yeah you are right, I was already missing it after half a day.
     
  23. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Okay, now running it the way you suggest, WSA, Sandboxie and Firefox for sites I'm unsure about. WSA and Chrome for well-known sites that have been safe in the past.
     
  24. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Good to know NNard, thanks. They are working smoothly together for me too.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    ;) :thumb:
     