DarkSithPro (banned)
Member
join:2005-02-12
Tempe, AZ

Sandbox technology, a foolproof defense?

I see a lot of positive feedback from people using Sandboxie, and other similar programs. Kaspersky is now using this technology in its upcoming Internet Security Suite, and I'm pretty sure a lot of others will follow, if not all. Now this can't be 100%; there have to be some drawbacks, right? Can someone tell me the potential disadvantages of sandboxing our systems?

Logan 5
Premium Member
join:2001-05-25
San Francisco, CA
Re: Sandbox technology, a full proof defense?

Compatibility. It looks like they have a list of programs with 'known issues'...

»www.sandboxie.com/index. ··· onflicts

They claim it's light on resources here:

»www.sandboxie.com/index. ··· irements
quote:
Sandboxie works on Windows 2000, Windows XP, Windows Vista and Windows Server 2003. There is some support for older 64-bit versions of Windows.

Sandboxie does not work on Windows 95, 98 or ME, or on Mac operating systems. There are no plans to support these environments.

There are no particular hardware requirements. Sandboxie needs only a small amount of memory and should have a very small impact on performance.
Not sure if it's compatible with the 64-bit version of Win7, but they say that it ONLY works under Release Candidate build 7100.... (I'd assume that there's an *or higher* somewhere after that, though, because the code base after 7100 hasn't been changed; they've only been adding more app compatibility and native driver support)..

»www.sandboxie.com/index. ··· s#v_3_38

This looks like it's matured quite a bit since I looked at it last (about a year ago now) and it seems like a good program to use in a layered security setup, but I don't know if I'd trust it on its own, or any single application for that matter....

my view (Anon, @Level3.net) to DarkSithPro
My view is that it's just another layer of defense. I doubt it's foolproof; what is?

I use SandboxIE all the time and love that you can just delete everything in the sandbox after a session, and all that junk, and possibly malware too, is just gone for good - pr0n sites included ™
Mele20 to DarkSithPro
Premium Member
join:2001-06-05
Hilo, HI
It would be better and safer, I think, to use virtual machines. There are a number of free ones now including Microsoft's VPC and there is a brand new version of it that I can't try because my CPU doesn't support hardware virtualization so I am stuck with VPC 2007. Most processors these days do support hardware virtualization and creating a separate machine for your risky activities is better than leaving it up to Kaspersky, etc.

tempnexus to DarkSithPro
Premium Member
join:1999-08-11
Boston, MA
Sandboxie, Sandbox never hurt to be part of a layered defense.

If you don't mind the initial agonizing startup wait then everything after that is quite nice.

Also be aware that Sandboxie can royally fck up your Outpost 2009 firewall afw.sys driver, making the network filtering portion useless. It's a stochastic occurrence, so you can't really reproduce it; once it happens it's done, but you can run the system w/o an issue for months and then either upgrade Outpost or Sandboxie and boom.... It happened to me recently with the new Sandboxie upgrade.... Real PITA.

But I think the best defense would be to install DeepFreeze, then Vista 64 with normal rights, then install Nod32, then Java VirtualBox in which you install another Vista 64 with normal rights, in which you install Kaspersky with Sandbox, where you sandbox the Sandboxie program and then run FireFox 3.5 with NoScript within the KAV-sandboxed Sandboxie. Also make sure to empty the sandbox on each program closure, along with reverting the snapshot of the VM with each reboot, on top of never unthawing the Deep Freeze.

At this point if you can still use the system then you are golden. Just make sure to keep all the security description and passwords on either a sticky note at your desk or as part of your profile on myspace.

nwrickert to DarkSithPro
Mod
join:2004-09-04
Geneva, IL
Use of a sandbox is a good protection. But it is not foolproof. There is nothing that is foolproof.

Use of a sandbox still requires knowledge about when it is safe to write back the sandbox to the real system, or to disable the sandbox for an install.

I would guess that for many naive users, sticking to a Limited User account is simpler and probably makes more sense than using a sandbox.
maximusqb to Mele20
Member
join:2005-02-21
said by Mele20:

It would be better and safer, I think, to use virtual machines. There are a number of free ones now including Microsoft's VPC and there is a brand new version of it that I can't try because my CPU doesn't support hardware virtualization so I am stuck with VPC 2007. Most processors these days do support hardware virtualization and creating a separate machine for your risky activities is better than leaving it up to Kaspersky, etc.
I just started using the new MS Virtual PC for windows 7 and it is pretty nice. I like the WinXP mode. I had to enable virtualization in the bios as it came disabled by default.

graysonf to DarkSithPro
MVM
join:1999-07-16
Fort Lauderdale, FL
Full proof or fool proof?

coldmoon to Mele20
Premium Member
join:2002-02-04
Fulton, NY
Hi Mele,
quote:
It would be better and safer, I think, to use virtual machines. There are a number of free ones now including Microsoft's VPC ...
It depends on the experience of the user. In the hands of a researcher, VMs are a good choice but there are still situations where they can fail badly as security solutions. Even experts can get infected using VMs. I was witness to "events" in an Antispyware research lab where the researcher accidentally dropped a test sample on his/her real desktop and mistakenly activated it...

There is also the issue of guest OS licensing. If you are only using free *NIX distros, then the second becomes a moot point, but with Windows you must use a separate licensed copy within each VM.

For the novice or less experienced user, boot-to-restore (System level virtualization) may present a more simple, and thus, effective alternative to full-blown virtual machines. Less to configure (protection on or off) rather than dealing with more advanced hardware settings, configuration/customization of the VM, etc.

JMHO
Mike
Rebirth to DarkSithPro
Member
join:2009-06-18
33333
Sandbox technology from whoever only isolates/allows/disallows certain things, either by default, and/or through interaction/options etc.

Virtualisation technology makes a copy of your system on your hard drive, or in some cases in memory, and then you work from in there. So you can experiment/trash your system knowing all changes will be discarded. On rebooting the saved real copy is reinstated. Some software lets you keep snapshots of modified copies to revert to.

I would say, generally speaking, VT is more robust than SB tech, but of course it depends on which software you choose. SB tech can take a lot more time to configure etc.

Nothing is 100% guaranteed.

I've been using Returnil free VT for some time now with no issues whatsoever, and can highly recommend it.

»www.returnilvirtualsyste ··· personal
Ravenheart to DarkSithPro
Member
join:2006-02-10
Berkeley, CA
Using Sandboxie, problems can happen with program updates, for instance, of Firefox or Thunderbird. I keep automatic updates turned off and do updates manually outside the sandbox.

There are funny kinks, for example, if you try running different instances of Firefox in different sandboxes.

Someone here reported a startup delay, but I haven't seen one.

therube to DarkSithPro
Member
join:2004-11-11
Randallstown, MD

Re: Sandbox technology, a foolproof defense?

I did run into this. I did not try it a second time & so not sure if it was because of something I did or if it was something that got out of the box?
quote:
(I can tell you that running SeaMonkeyUninstall.exe -ms from a sandboxed (Sandboxie) window did close down my current un-sandboxed SeaMonkey session. Interesting. I'll have to try that again .)

»forums.mozillazine.org/v ··· =1244885

maximusqb to DarkSithPro
Member
join:2005-02-21
I like Sandboxie too, but unfortunately it doesn't work on a 64-bit OS. :( I was wondering, after using Windows Virtual PC, how they can let you run a free copy of Windows XP virtually, and found this info in the facts:

Does Windows XP come with Windows Virtual PC?

No. Windows XP Mode, a single virtual copy of Windows XP SP3, is available for download free of charge from »www.microsoft.com/window ··· ult.aspx for PCs running Windows 7 Professional, Windows 7 Ultimate and Windows 7 Enterprise.

You can run Windows XP virtually with Virtual PC and then install Sandboxie in there if you wanted, I guess, for extra protection. You do need Windows 7 and virtualization enabled to use this though.

balloonshark to DarkSithPro
Member
join:2006-08-11
WV
Possible disadvantages... I'm talking about Sandboxie. If you remove anything from the sandbox, you'll need to be sure it's 'safe'. I do this by scanning the file with my AV and 2 on-demand anti-malware scanners, as well as uploading the file to VirusTotal or Jotti (file size permitting). It also doesn't hurt to use a little common sense in what you download and where you get it from. If the program is new to you, then research it first.

Another disadvantage is updating whatever app you're running in the sandbox. Not a big deal for me, as for example I just start an un-sandboxed browser session and update Firefox and/or my add-ons. I also have a custom path I made in Sandboxie to update my AdBlockPlus patterns, which is easy to do.

I think the advantages heavily outweigh the disadvantages. Sandboxie can also easily be configured to only allow certain apps to run and/or have internet access in the sandbox. In other words, only Firefox.exe can run and access the internet and give FoxitReader.exe run access. That means keylogger.exe may get in the sandbox but it can't run or access the internet.

You can also block access to 'sensitive areas' to programs running in the sandbox. I personally block file access to my entire D: partition. So if that keylogger could run and gain internet access in the sandbox, it wouldn't have access to my data partition. Talk about layers.

There are also other types of sandboxes like DefenseWall and GesWall. They are basically policy based sandboxes but DefenseWall prefers to be called a HIPS. They are sorta like an easy to use LUA or SRP.

I've read good things about all 3 of the sandboxes mentioned above. It's definitely worth your while to investigate each.
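The layering balloonshark describes (a run allow-list, a smaller network allow-list, and a closed data partition) can be modelled to see how the three decisions compose. The block below is an added example written for this page; it is a stand-alone Python model, not Sandboxie's own configuration format, and the image paths, addresses and events in it are constructed. It also shows why the path block needs normalisation (case folding, forward slashes, `..` components) before a prefix comparison, or a sandboxed program could reach `D:` through an alternate spelling of the path.

```python
# Added illustration: a deny-by-default model of the layered Sandboxie restrictions
# described in the post above (only firefox.exe and FoxitReader.exe may run, only
# firefox.exe may reach the network, nothing in the box may touch D:). This is a
# stand-alone model written for this page, NOT Sandboxie's own configuration format.
import ntpath
from dataclasses import dataclass


def _image_name(image):
    """Reduce a full path like C:\\Sandbox\\...\\keylogger.exe to 'keylogger.exe'."""
    return ntpath.basename(image).lower()


def _under(path, prefix):
    """True if path lies at or below prefix, after Windows-style normalisation
    (case folding, / -> \\, and collapsing of '..' components)."""
    p = ntpath.normcase(ntpath.normpath(path))
    b = ntpath.normcase(ntpath.normpath(prefix)).rstrip("\\")
    return p == b or p.startswith(b + "\\")


@dataclass(frozen=True)
class SandboxPolicy:
    run_allowed: frozenset   # image names that may start inside the box
    net_allowed: frozenset   # subset of run_allowed that may open connections
    blocked_paths: tuple     # path prefixes no sandboxed program may read or write

    def can_run(self, image):
        return _image_name(image) in self.run_allowed

    def can_use_network(self, image):
        # a program that cannot run cannot connect either
        return self.can_run(image) and _image_name(image) in self.net_allowed

    def can_access(self, image, path):
        if not self.can_run(image):
            return False
        return not any(_under(path, p) for p in self.blocked_paths)


def evaluate(policy, events):
    """events: (image, action, target) triples; returns the same with a decision."""
    decisions = []
    for image, action, target in events:
        if action == "run":
            ok = policy.can_run(image)
        elif action == "connect":
            ok = policy.can_use_network(image)
        elif action == "open":
            ok = policy.can_access(image, target)
        else:
            ok = False                      # unknown action: deny by default
        decisions.append((image, action, target, "allow" if ok else "deny"))
    return decisions


# Policy from the post: run access for two programs, internet for one, D: closed.
POLICY = SandboxPolicy(
    run_allowed=frozenset({"firefox.exe", "foxitreader.exe"}),
    net_allowed=frozenset({"firefox.exe"}),
    blocked_paths=("D:\\",),
)

# Constructed sample events (hypothetical paths and addresses, not real telemetry).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "run", None),
    (r"C:\Sandbox\me\DefaultBox\user\current\Downloads\keylogger.exe", "run", None),
    ("keylogger.exe", "connect", "203.0.113.5:443"),
    ("FoxitReader.exe", "connect", "203.0.113.5:443"),
    ("firefox.exe", "connect", "203.0.113.5:443"),
    ("firefox.exe", "open", r"D:\Docs\taxes.xls"),
    ("FoxitReader.exe", "open", "d:/public/../private/notes.txt"),  # evasion attempt
    ("firefox.exe", "open", r"C:\Users\me\Downloads\manual.pdf"),
]


def demo():
    return evaluate(POLICY, SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, action, target, decision in demo():
        print(f"{decision:5} {action:7} {_image_name(image):16} {target or ''}")
```

The model answers the post's own scenario: keylogger.exe is denied at the run step, so its network and file decisions never matter, and even FoxitReader.exe, which may run, is still turned away from `D:` when it tries `d:/public/../private/notes.txt`. The real product enforces these rules in the kernel; the point of the model is only how the three layers compose and where a naive prefix check would fail.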
Mele20 to Rebirth
Premium Member
join:2001-06-05
Hilo, HI

Re: Sandbox technology, a full proof defense?

I rarely revert to a snapshot in VMWare Workstation. But my Vista virtual machine runs on Microsoft's VPC 2007 and it has no snapshot ability. I have to use Undo Disks instead. That is a hassle because you cannot shut down quickly unless you wish to not save the changes to disk since the last time you shut down the computer. Depending on how long the computer has been running shutting it down, and choosing to save the changes, may mean 10 minutes of waiting for it to finish and shut down so you can reboot your host machine. VMWare snapshots are far superior but Workstation is expensive. People keep telling me free stuff from VMWare has snapshot ability but when I check it there is none. There is a reason why folks are willing to pay for Workstation.

tomazyk
Member
join:2006-12-04
Free Vmware server has ability to take snapshots. But one can only take one snapshot per machine.
Mele20
Premium Member
join:2001-06-05
Hilo, HI
Yes, I figured someone would tell me free VMWare server takes snapshots. I looked into it the first time someone kept insisting that was what I should use. But there is really no comparison between them. I have 34 snapshots for my first VMWare virtual machine that runs XP Pro SP1 and 16 snapshots for the virtual machine running XP Pro SP2.

What server does is of no use to the typical virtual machine user who is using the virtual machine to test software and maybe to go to risky sites. You want to be able to take a snap shot before downloading the software or going to the risky sites. You need multiple snapshot ability.

tempnexus
Premium Member
join:1999-08-11
Boston, MA
Yep, I use Java VirtualBox on my 3rd system (for which I have no VmWare Workstation lic); it allows snapshots and it's free. On the other two I use my VmWare Standalone lic; it's about $50.00 if you get lucky on newegg or buy.com and it's worth the money. Also VmWare allows for USB devices to be used (same as VirtualBox but not VirtualPC 2k7) and it allows for DX9 acceleration.

The multi snapshots are crucial if you want to go malware hunting; it's nice to grab a snapshot prior to execution of a suspicious package. You can also do a multi HD spanning, where you keep one VmWare image of prior infection and then another after infection (HD space is cheap now, so an 8GB Win image is nothing); after that all you have to do is run a diff against the two images and see what changed and where... It's a very simple quick and dirty way to see what got dropped. However, more and more malware is getting VM aware, which is great for the everyday user (malware does not drop a payload in a VM) but sucks if you want to analyze it in a VM.
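The "diff the two images" step tempnexus mentions is, in practice, a manifest comparison: hash every file in the clean image, hash every file in the infected image, and report what was added, deleted or altered. The block below is an added example written for this page, not a VMware or VirtualBox feature and not tempnexus's own tooling. It assumes both images have already been mounted read-only as ordinary directory trees (with whatever image-mounting tool fits the format); the "system" tree and the "infection" it applies are constructed inside a temporary directory so the script runs offline.

```python
# Added illustration of the "diff the before and after images" technique from the post
# above. It assumes both disk images have already been mounted read-only as directory
# trees; it is written for this page and is not a VMware/VirtualBox feature.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative, POSIX-style path) to (sha256, size)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        manifest[path.relative_to(root).as_posix()] = (h.hexdigest(), path.stat().st_size)
    return manifest


def diff_snapshots(before, after):
    """Files dropped, files deleted (self-deleting droppers) and files altered in place."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p][0] != after[p][0]),
    }


def demo():
    """Constructed example: a tiny fake system tree, a fake 'infection', then the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        (sys32 / "drivers" / "etc").mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"clean kernel32 (constructed)")
        hosts = sys32 / "drivers" / "etc" / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        desktop = root / "Users" / "victim" / "Desktop"
        desktop.mkdir(parents=True)
        sample = desktop / "sample.exe"
        sample.write_bytes(b"suspicious package (constructed)")

        before = snapshot(root)            # snapshot taken prior to execution

        # what the hypothetical sample does: drops a driver, redirects an AV
        # update host, and deletes itself from the desktop
        (sys32 / "drivers" / "fakedrv.sys").write_bytes(b"dropped driver (constructed)")
        hosts.write_text("127.0.0.1 localhost\n127.0.0.1 update.av-vendor.test\n")
        sample.unlink()

        after = snapshot(root)             # snapshot after execution
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Hashing rather than comparing timestamps means timestomped files still show up as modified. The limits are the ones the post already concedes: this only sees the filesystem (registry hives need to be parsed separately, and anything that lived only in memory is gone), and a VM-aware sample that declines to run leaves an empty diff.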
Mele20
Premium Member
join:2001-06-05
Hilo, HI
What do you mean VMWare "standalone" license? I never thought to look on Newegg or buy.com.

I didn't know Java VirtualBox has snapshots. I'll have to look at it. Does it do Vista? I couldn't get Vista working on Workstation 5.5. It installed and worked beautifully until I finally shut down that guest computer about a week after I installed Vista. When I went to boot it again, VMWare said it couldn't find the machine which was where it was supposed to be and I could see nothing wrong. VMWare forum had no help for me so I installed VPC 2007 but I'd love to have Vista on Workstation instead.

tempnexus
Premium Member
join:1999-08-11
Boston, MA
VmWare standalone is Workstation.
I call it StandAlone since I am used to working with ESX Server version.

Yes I am running Vista 64-bit in VirtualBox.
Mele20
Premium Member
join:2001-06-05
Hilo, HI
Ahh...I've never used the ESX Server version. Thanks for the information. I'll keep my eye out for a license on newegg or buy.com as it would be well worth $50 to get the current version...plus, 7 should be out this year I would think.

I will definitely check out VirtualBox. I am also curious about Microsoft's latest VPC but I don't have hardware virtualization so I will have to wait until I get a new machine to check it out.
maximusqb
Member
join:2005-02-21
VirtualBox is another great program; I use it too. Mele20, MS's latest Virtual PC is really cool and I like it a lot, especially with the XP mode, which makes it pretty seamless between the host and guest. It is nice with a dual monitor setup where you have one OS on each monitor and go between them and share with ease. I'm impressed so far.
Mele20
Premium Member
join:2001-06-05
Hilo, HI
I can look into and get VirtualBox but Virtual PC latest, I'll have to just drool over what you and others have until I can buy a new machine....maybe end of this year. I want to add another monitor and I think that would be very cool to have one OS on each monitor. It still irritates me that Dell assured me that this CPU had hardware virtualization when it was actually the Pentium IV 671 not 670 that had it.