What's the point of sandboxes?

Discussion in 'sandboxing & virtualization' started by Someone, May 23, 2009.

  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Apps such as Sandboxie, GesWall and DefenseWall are very popular here. But what's the use of them? Do they really provide any extra level of protection if you use alternate software and keep it updated? Such as Firefox instead of IE and Foxit instead of Adobe.
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Layer, layer, layer.

    I run FF with NoScript. But if visiting a questionable part of the web I will Sandboxie it for the added protection. My normal full-time security apps fall into a backup role instead of the primary.

    SbieSvc.exe only uses 2,132K mem. Peak usage is the same running in the background, not in use. A very small price to pay for the added on-demand security IMO.
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I agree with what ThunderZ said. For me Sandboxie provides that 'warm and fuzzy' feeling when running online apps. I also think all of the sandbox apps give extra protection for those of us that run as admin.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The whole point is creating an area as it were, that is segregated from your real files and OS. The notion of a Sandbox is that you play in it, build castles and moats, then rake it over fresh and flat to start again.

    In relation to a computer, it is an area that you may play in, that is held separate from the real stuff. The castles you build could become infected with spiders (malware, virii, etc) which might then migrate to your bedroom :( . The moats you make (changes in critical files) could threaten the whole yard with soggy flooding and mud. You don't want your Sandbox where you play to threaten your real world, your house or yard. So you place a 10-foot thick cement wall around it and padlock it. Now you can play in your Sandbox, no matter the threat. You can play today building a castle. Go to bed and come back tomorrow and continue. No rain or wind will destroy it because you have walls and roof around it. Nothing can escape it either. When you tire of it, or the spiders scare you too badly, or you are too wet from your moats, you can simply rake it out flat (delete contents of Sandbox). You may start over. You can play and play, without the risks of what you do in there affecting anything you care about.

    It is a great concept. One of the truly innovative ideas in the last number of years. Not just for protecting you from some nefarious website, but also for trying different things out you may not otherwise try on your real system.

    VMware is the ultimate sandbox, because it acts exactly like a real computer and you can do some things in it you cannot in a sandbox, like install an OS or put on heavier applications like firewalls.

    The point is, they give you a method to keep things separated, and that is a very very good point.

    Sul.
     
  5. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Yes, I've used Sandboxie for more than a year and GesWall for several months.
     
  6. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    If one uses Sandboxie only for their web browser and not for trying new programs, wouldn't the only protection Sandboxie offers be against vulnerabilities and drive-by downloads?
     
  7. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    As I see it, sandboxes are a good way of -- how shall I say it -- "deceiving" malware of their true purposes.

    It makes it think that it has damaged the system, when all it did was damage the 'virtual system', to put it loosely.

    Sandboxes, as a branch of system virtualization, are a good layer of protection.
    Some others even believe it to be the BEST form of protection against all online threats.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Leaving aside "trying new programs," comments in this and other threads on sandbox seem to assume that it's inevitable that malware will sneak in, therefore, a sandbox is necessary to contain it.

    To me, admitting that scenario is admitting defeat and giving in to the malware scene. It's more fun to outwit the malware writers and prevent any intrusion of malware whatsoever.

    I've never seen a web-based malware attack (drive-by download) that gets by Opera when properly configured. (From what I've observed in other forums, I suspect this would hold true of other browsers, but I've not tested except with Firefox and the PDF exploits: they fail.)

    Considering the final barrier against malware intrusion, I'm reminded of fcukdat's challenge to provide a link to a web-based malware attack that gets by ProcessGuard.

    Combine PG (or a similar solution) with a properly configured browser, whence the need for a sandbox, except for "that 'warm and fuzzy' feeling?"

    ----
    rich
     
  9. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    I personally don't need any of the sandboxing programs to protect me because I use CIS on Proactive Security. If I were to download something and try to execute, CIS will alert me that the executable could not be recognized and I have a chance to block the executable from running. When CIS is on Proactive Security, it acts as an anti-executable. So, I have no need for Sandboxie, GeSWall, or DefenseWall. If I were rich and interested in payware, I would have bought AntiExecutable from Faronics. While sandboxes and other features of HIPS, e.g., blocking reg changes, file changes, device driver installations, etc., can protect against known attack vectors, an anti-executable can protect against unknown attack vectors because the malware can't even run.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That's a useful feature. I forgot about that - it was discussed in another thread, where I was looking for something to replace Faronics Anti-Executable v.2 which will not run on Vista.

    My requirement for family computers is that there be nothing to configure, as in the case of AE2 which automatically creates its own White List, meaning that no other executable process can run w/o permission in any part of the system - USB for example.

    ----
    rich
     
  11. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    That's exactly my point! From what I can see if you switch to alternate applications and keep them updated what's the point of Sandboxie/GesWall/DefenseWall?
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Someone,

    This is the Achilles heel of your assumption: ". . . and keep them updated". So let's look at the life cycle of a patch release.

    1. Somewhere in time everything is sunny and malware does not know an exploit

    2. Mhh, an exploit is discovered by malware writers

    3. An exploit is actually used by a malware writer

    4. After some time this gets noticed in the wild by the security world

    5. The exploit will get an error severity code and resources will be allocated to create a solution for this vulnerability.

    6. Resources are available and a code change will be written and tested

    7. Next the update will be released

    Yes, the patch works as intended


    So I would agree with your statement when you were running Win3.1, Win95 or any other old operating system with software tested to the ultimate boundaries of their coding, so the chances of finding another exploit and a malware writer considering it beneficial to write an exploit is minimal.

    In all other situations I would say, what about being protected from phase 3 and 7?

    The picture below illustrates the impact of using SBIE/GW/DW/SafeSpace on your risk contingency. Draw your own conclusion.
     

    Attached Files:

    Last edited: May 24, 2009
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Another thing I like about Sandboxie is that whatever exploit code you may stumble upon is in the virtual space and easily deleted when finished surfing. I like to keep my distance from anything bad so that's a plus for me. I don't have to run ccleaner as often as I used to.

    The policy-based sandboxes, or at least DefenseWall, would treat any new downloads as untrusted from what I read. This could limit the damage if you happened to download something bad and execute it.

    P.S. Sandboxie has a lot of little tricks that can be configured which I haven't taken advantage of. You can force a program and/or a folder to run sandboxed so anything you may download to that folder would run sandboxed if you would like to check it out. The limited executables and internet access in the sandbox has been mentioned. It can also block access to specified areas from anything running in the sandbox. In other words, Firefox or whatever doesn't need to be looking in my D: partition or my tax file on C: so I block the files, folders or partitions I want.
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I agree if no malware can get in in the first place then what is there for Sandboxie to contain and isolate??

    Rmus, have you tried Malware Defender's file and folder rules? I have set it up so that my Browser is Blocked from creating new files. All New Files are Blocked from being Created, so as a result all incoming files from the internet are Blocked. I can't see how it's possible for malware to get past this strategy.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In my view, a security setup should protect without the need for a patch.

    Take the PDF exploits as an example. At least two went for several weeks before Adobe released a patch. It got so bad that at least one vendor threw in the towel and gave up:

    F-Secure says stop using Adobe Acrobat Reader
    http://news.cnet.com/8301-1009_3-10224449-83.html

    Yet those who understood that these exploits are triggered by javascript code in the web page knew that configuring scripting per site in the browser nullified the exploit right from the start.

    Also, those with the final barrier I mentioned earlier were also protected from the malware executable running, should the exploit get that far.

    I've not seen any drive-by attacks that require a patch if proper protection against such attacks is in place. This is not to say "don't patch." Rather, that fear and uncertainty need not occur just because a new exploit surfaces in the wild.

    Unfortunately, the mainstream media don't talk about this, where the usual recommendations are to keep patches up to date, and keep AV up to date - the two least reliable solutions against the drive-by download attacks.

    ----
    rich
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't want anything where the average home users have to configure rules.

    As long as WinXP is around, I can keep things simple. When it's no longer viable, I'll probably retire from home-use help, unless something as simple as AE2 comes along.

    ----
    rich
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What's the use then? If we take a look at SB, we see it can be set up nicely. For example, I configure it to work something like this:

    2 boxes:

    1 Browsers -- Rules:
    forced folders -- meaning my list of browsers are always forced into SB
    only allow items on list outbound network access -- browsers are on the list only.
    do not allow virtual writes to virtual registry autostart/autorun locations
    poke hole in SB to have access to special 'my downloads' folder -- don't need to recover as files are written directly.
    * all browsers no longer ask where to save to, they just save to special 'my downloads' folder

    2 Downloads -- Rules:
    forced folders -- only allow and force the special folder 'my downloads'
    no outbound network access to anything
    no virtual registry writes to autorun/autostart

    Method of use:
    special folder 'my downloads' is in SRP rule to start as limited user only (any executable), so anything that might start is first line of defense limited to Basic User

    as now this 'my downloads' executables start as Basic User, also SB forces anything there into a sandbox with no access to the internet. Since SRP rule says executable is Basic User, installing something like Adobe Flash would normally fail, as a Basic User has no rights to modify/create in program files directory. However, since sandbox is virtually in c:\Sandbox\box\.. the limitations to program files do not apply to the thread started by sandboxie. Benefit === IF anything in that 'my downloads' directory started and actually escaped sandboxie to make it to the real file system, it would then be restricted by the Basic User settings of SRP

    any browser or program I use online essentially is forced to start in SB, including media player etc. I open holes for favorites as well in browser sandbox, so I can save files to 'my downloads' folder and create favorites/bookmarks, and both are written directly to the real file system, with no need to recover etc.

    I agree with Rmus very much. But I do like that 'warm fuzzy ' feeling in the way I am implementing it. I think it is more of an extra backup than a front line for anything. Besides I primarily use SB to test new apps and settings in rather than worrying about what the browsing might be doing.

    Sul.
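
Added example, not part of Sully's post and not his actual configuration: the two boxes described above, sketched as a Sandboxie.ini fragment. The box names, the C:\MyDownloads path and the browser list are assumptions; the setting names are Sandboxie's documented ini settings and should be checked against the installed version, and the SRP Basic User rule lives in Windows policy, not in this file.

```ini
# Constructed example: box names, paths and program list are assumptions.

[Browsers]
Enabled=y
# "forced": these programs always start inside this box.
ForceProcess=firefox.exe
ForceProcess=opera.exe
ForceProcess=iexplore.exe
# Only programs in the group below may open the network devices;
# anything else that ends up running in the box gets no outbound access.
ProcessGroup=<InternetAccess_Browsers>,firefox.exe,opera.exe,iexplore.exe
ClosedFilePath=!<InternetAccess_Browsers>,InternetAccessDevices
# Autostart/autorun keys are read-only for sandboxed programs.
ReadKeyPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run*
ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run*
# "Poke a hole": downloads and favorites are written straight to the
# real file system, so nothing has to be recovered from the box.
OpenFilePath=C:\MyDownloads\
OpenFilePath=iexplore.exe,%Favorites%

[Downloads]
Enabled=y
# Anything launched from the download folder is forced into this box.
ForceFolder=C:\MyDownloads
# No program in this box may reach the network.
ClosedFilePath=InternetAccessDevices
# Same autostart protection as the browser box.
ReadKeyPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run*
ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run*
```

The open path in the Browsers box is the one place where sandboxed writes land on the real disk, which is why the Downloads box and the SRP rule both target that same folder.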
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rich,

    See the picture in my post, I do not think we basically disagree, disabling script is a deny, so it stops as early as possible in the flow.

    Only the quote below has a high degree of what we call in Dutch "circle reasoning".

    Those who understood = what % of Internet users is your guess?

    configuring scripting per site = means you have to know per site (I am not clear sighted). I think you intended a default deny and whitelisted allow.

    Regards Kees
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    FF No Script.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Very impressive! Much too complicated for me, however.

    Very logical question. I have no idea as to the answer, but that is irrelevant to the fact that the information is out there for those who wish to understand. For those who do understand and are in a position to inform/help others, well, that means more people who will not become victims in botnets.

    Wilders requires Javascript if you want to use the HTML in posts. So, I enable scripting:

    wilders-sitepref.gif

    This is easy to do for regularly used sites. Is this what you are referring to?

    ----
    rich
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No, I haven't found that necessary. With AE2, the parents control the installation of all programs/software. No executables can download/install without their permission.

    ----
    rich
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rich

    In general I'd agree with you about keeping malware out in the first place. But sometimes that isn't practical. I have two people who work for me, and use my computers, and they are very careful, but we use Outlook for Email and a host of other things it can do.

    Another email client isn't viable at this point, but aside from that when we occasionally have emails from clients with attachments we almost have to open them to see what they are. Also voicemails come as email attachments. So attachments are an issue. This way the folks can open them, see what's going on, and if it's really bad, they just close Outlook and the sandbox is automatically emptied. Then they can restart and delete the offending email. Tested, works, and we don't have to worry.

    Pete
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ad 1

    I had not realised that this is complicated; left most protective and restrictive is a default deny through OS or a ProGram (like Trust-No-Exe or Anti Executable2).

    AE2 is what you are using and applying. Picture illustrates that when you apply a deny, there is little added value using SBIE or DW. When you run as Admin though, moving to the left on the horizontal line (e.g. with DW or SBIE) has clear advantages.


    Ad 2

    Yes a default Deny and whitelist/allow for trusted sites :)
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Pete,

    Yes, you mentioned this in another thread, and I agree that yours is a good solution since you indicated that it is not practical to lock down the system.

    ----
    rich
     
    Last edited: May 24, 2009