What's the use of having security software?

Discussion in 'other anti-malware software' started by IBadget, May 1, 2009.

Thread Status:
Not open for further replies.
  1. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    What's the use of having security software if malware can bypass it, e.g., breaking out of Sandboxie? I had Sandboxie installed for a few days, but uninstalled it after reading about how malware can break out of the sandbox. I mean, there's no sense using Sandboxie if malware is going to break out of it and infect my real system anyway. IMHO having malware that can bypass security software defeats the purpose of having security software in the first place. Security software has no real purpose unless it can guarantee 100% security. I can't help but dream of a sandbox that is impenetrable to even the most advanced malware.
     
  2. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Nothing can guarantee 100% safety on the internet. Why? Because it is all up to the user.

    If you're an extremely risky surfer you will come across those types of malware eventually. And the opposite can be said if you only visit sites you know and trust.

    A Sandbox or a program like DefenseWall HIPS does not guarantee 100% safety either; they are like a safety net. The same can be said for firewalls, antivirus, etc.

    In order to be a risky surfer and maintain a high level of security you need a layered approach, and no one product can do that. But even with a layered approach something may eventually slip through :) And there is a purpose to security software: it protects you 99.99% of the time you are out surfing on trusted, sometimes even malicious sites... Downloading something you shouldn't be or visiting an unsafe website is another story.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Which malware can infect the real system when run sandboxed?
    Start/Run access. ;)
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is not true so much any more. Remember the Miami Dolphins Super Bowl Web site that was hacked? And the many Google Search links that redirected to a server with malware. SQL injections into legitimate sites occur daily.

    You just have to be prepared for anything and take nothing for granted.

    This is not to assume a doomsday approach to using the internet. It does assume that you are prepared in case of a mishap.

    ----
    rich
     
  5. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Yeah, I thought I should edit my post to say that it is not 100% guaranteed to even be safe on trusted sites anymore. But you do have to agree - being on a trusted site is a lot safer than being on a warez site downloading random applications that catch your fancy or visiting a crack site (places I know that my friends get infected) ;)

    Plus I brought up some discussion :shifty:
     
  6. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    Sure I could use Start/Run access to keep possible malware from running. However, I would be unable to run a downloaded game to see if the game is malware-free. Is there any software out there that lets you analyze a file's behavior without messing up your system?
     
  7. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    What's the use of wearing seat belts and crash helmets, when people continue to die in road accidents?

    What's the use of having a police force, since they've never managed to eliminate crime?

    Seriously, is this question even worth asking?
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    A VM and Zsoft Uninstaller and besides you could create another sandbox to install the game and monitor with Zsoft?
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Stop dreaming!
    htaaa.jpg

    htaab.jpg

    htaac.jpg

    stop.jpg

    stop2.jpg
     
  10. progress

    progress Guest

    Nice sentence Eice :D
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    Hi Badget, I know why you posted this. You have been reading the other thread:
    https://www.wilderssecurity.com/showthread.php?t=239942

    Don't let it put you off using Sandboxie. Using Sandboxie is much better than using nothing at all. Even though it is possible for malware to bypass Sandboxie and cause permanent damage, the fact remains that no one knows of any such malware, which indicates that there are very few malware samples out there, if any, atm.

    Franklin, when I post about Sandboxie it's nothing personal, so don't take it as an attack; it's just my opinion.

    This Start/Run access setting in Sandboxie which everyone raves on about is nothing new. Even a very basic HIPS program can achieve this. If you are only using Sandboxie to prevent executables from launching in the first place, then why use Sandboxie? All you really need is a simple anti-executable HIPS program.

    One of the main reasons why you use a sandbox program like Sandboxie is so you can run things in it without the things inside affecting the rest of your system. Which Sandboxie is unable to do, well, not properly anyway...
     
    Last edited: May 1, 2009
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When we bought our last house (11 years ago), I got a free service to check your 'resistance' against burglary. The time it took to break into our house varied from 2 to 6 minutes. Especially the door between the garage and our house was vulnerable (wrong lock plating on a very strong lock made it easy to penetrate). I took countermeasures, so it would last at least 6 minutes at all possible entries, and 8 minutes at one easy-to-access room on the first floor. I also placed auto-switch lights with movement sensors at the most likely places. According to the Dutch police a burglar on average wants to spend no more than 4 - 5 minutes to open an entry. So with the 'hunt' theory in mind (to survive an attack of a lion, you do not have to outrun the lion, only the other people chased by the lion), we have settled for an assuring level of security (in our mind). We live in a reasonably safe area, so the specialist said we did not need 10 minutes of resilience time (my wife first asked him this), because our neighbours probably did not take these additional countermeasures.

    PC security is about the same: determine some baseline protection level to ensure a minimum threshold for intrusions. Depending on your knowledge you choose the security applications suited for that expertise level. Also, the mix of applications to use depends on your behaviour on the digital highway.

    So when you have removed the locks of your house, because nothing is 100% safe, I would say YES (it is useless). In all other circumstances, I would say NO (it is useful). Sandboxie is one of the most efficient ways of reducing the attack surface of your PC; I would re-install it.


    Regards Kees
     
    Last edited: May 1, 2009
  13. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    I think it is almost impossible for malware that infects the system via the browser without user intervention to escape from the sandbox.

    If you're talking about files that you have downloaded from a warez site and you run them sandboxed... then yes... there is a possibility. But if you know that you have downloaded a file from an untrusted site, then I think that you should take all possible measures. Personally when I want to run such a file... I enable shadow mode with Shadow Defender... there are other similar products... and then run the file sandboxed (Sandboxie) (always having the latest image made with Paragon around). You never know, and since nobody can provide 100% security... you can make it 100% damage-free to run the file. As you have noticed I have not used any traditional security software. Those are for everyday use.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047

    You read that malware can break out and infect the real system. Where did you read it? Who was the author and what was the malware?
     
  15. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    What's the use of a lock on your door while burglars can break a window and come in from there? It helps to reduce the chance of breaking in ;)
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    First of all, nothing is 100% secure and no security software can make Windows 100% secure.

    Next point/question:
    Why do people think that this 100% security (or as close as you can get to it) must come from one security app such as SandBoxie? No matter what a vendor might claim, no security app, suite or package does everything.

    Regarding Sandboxie. I'm trialling Sandboxie on one of my systems and am quite impressed with it, but there is no way I would ever expect it to stand alone and totally secure my system. There is no perfect code. Sooner or later, someone will find a way to defeat Sandboxie. The vendor will fix that problem, then we'll do it all over again. Just about every good security app has gone through that process.

    IMO, Sandboxie is at its best when it's used to isolate those apps that are likely to open or make contact with malicious code (the attack surface) from the rest of the operating system. The OS itself should still be protected by the same software the user would have been running if they didn't have SandBoxie. On my system, SSM protects the OS itself while Sandboxie isolates the attack surface. If Sandboxie is somehow bypassed, any malicious code will have to defeat SSM and a default-deny security policy, extremely unlikely to happen.
     
  17. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    o_O?

    you use preventative controls to as best you can vastly reduce the number of malware that can affect your system...

    the use in doing so is that it's a lot cheaper (in time/energy/etc) to prevent the malware affecting your system than it is to correct the problem ('an ounce of prevention is worth a pound of cure')... prevention and correction are your only options so it makes sense to use the option that costs you the least as often as possible...

    since nothing is perfect, you also need detective (to detect when prevention has failed) and corrective controls... you need them because your dream of an impenetrable sandbox will always be just a dream...
     
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    Remember the htaaa, htaab, htaac, stop, stop2 tests from the other thread? When I tested them in Sandboxie I tested them with Drop My Rights and it made no difference.

    In regards to Sandboxie blocking things from accessing the internet, that has also been bypassed with the http://www.firewallleaktester.com/leaktest26.htm test.

    In regards to Sandboxie emptying the sandbox and deleting malware, I agree that it is good at flushing the toilet after each browsing session. However, there are better alternative methods, like preventing such files from being downloaded in the first place.

    When I was using Sandboxie before, I was using Firefox with NoScript and CS Lite blocking all cookies, and I was using Ad Muncher, and I had the offline cache storage set to 0 MB. By doing all of this nothing gets saved to the hard disk, no files, nothing. So as an end result there was never anything there for Sandboxie to delete.

    Another method is by using Malware Defender's file rules, which can prevent your browser from creating files. If new files can't even be downloaded and created in the first place, then one would assume it would be impossible to get infected by malware.
     
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Are you sure about that? Sandboxie's internet access restriction is working as advertised for me...
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Nick s, how are you meant to load web pages if you are blocking Internet Explorer?

    It is quite common for malware to access the internet using your web browser, and what I am saying is that Sandboxie can't prevent this.

    That test is also able to communicate outside of the sandbox and is able to launch your web browser if it is not running.
     
  21. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    OP is right about Sandboxie. It used to work great, but two bad files that PrevX had popped up reporting: there was cloak-malware in that C:\Sandboxie folder. So the way this software is supposed to work is that when you terminate it everything gets destroyed, but not so..

    No matter what you need security software if you're going to use a browser to access the internet. You can block all bad tracker cookies, run virtual OS go remote into the box thus get on the internet.

    Downloading apps with embedded (malware/trojans/bots to take off) and do damage: the coders are getting smarter and software can now crash security tools to stop them from trying to update their database or even run. I've seen it.. None can be 100% but you can come very close to it..

    Maybe we should go back to the days of RAMDISK and store the internet cache on that. When you exit out the cache would clear itself.
     
  22. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Was this before or after you emptied the sandbox?

    Before= not an issue.
    After= more info needed.
     
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    It is possible to be 100%. It's very simple to do. After you have downloaded the app and scanned it with your AV and/or submitted it to VirusTotal.com, install and run the app on another operating system image on another hard disk or partition. If all is normal then you can install it on your main operating system, and if you are still paranoid use DefenseWall and run it as Untrusted.


    I find that with my cache turned off it makes no difference in browsing speed, due to fast internet, Firefox speed tweaks and inbound filtering, i.e. NoScript and Ad Muncher.
     
  24. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    It's not about being paranoid. Unless you are using browser caching or downloading new apps to try, why do new files need to be downloaded by your browser to your PC? What is their purpose?

    From my experience so far all programs running as Untrusted function perfectly normally, and correct me if I am wrong, but I am still yet to read on these forums of an example of software not working properly when it is running as Untrusted.
     
  25. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    I read it from the "Some test" thread in this forum. What caught my attention is the post saying that malware can shut down Sandboxie because Sandboxie can't control the behavior of the malware. stop.exe and stop2.exe are examples of malware that bypasses Sandboxie, as well as the RegTest thing that is able to shut down your computer even when run Sandboxed.
     