Is Sandboxie useless on Windows 10?

Discussion in 'sandboxing & virtualization' started by CoolWebSearch, Dec 1, 2016.

  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    On the other hand, you could sandbox Chrome (leave script blocking in place for cleaning the internet), and get rid of all that other stuff you do, and you ll be as secure (IMO, more), and leaner.

    But anyway, choices, choices and choices. We choose what we want, and we have the right to choose to use the programs we want to use without getting our choices called overkill. We shouldn't call other peoples security choices "Overkill", when we ourselves (you), are doing exactly that, Overkill security.. If I was a Chrome user, and trusted it as much as supposedly you do, I wouldn't use all that security you are using. But if thats what you want to use, that doesn't bother me. It shouldn't bother you knowing that there are people here who like sandboxing Chrome and feel better doing so.

    ~ Removed PM Discussion Remarks ~


    Bo
     
  2. guest

    guest Guest

    Indeed with modern browsers using sandboxing of pages, using a sandbox would look overkill, but I use sandboxes now mostly for their side features (in the case of sbie: forced folders).
    However sandbox apps, unlike browser ones, can still isolate downloaded content which is one attack vector.

    Both have their usefulness and can be used together or not based on the user real needs.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    The thing is, when you experienced the security that Sandboxie provides when you sandbox your browser, when you yourself have seen SBIE protect you, you can be told 100 times not to sandbox Chrome and they will keep on doing it. I am not talking about me, I am talking about other users.

    Edit: Forced folders is the weak part of SBIE. :)

    To get the most out of Sandboxie, you should combine using Forced programs, Forced folders and the sandboxed Windows explorer.

    Bo
     
  4. guest

    guest Guest

    I can guess why:
    1- they use sandboxes for the browser in the first place.
    2- they may not be aware of the browser sandboxing effectiveness
    3- they are just paranoid.

    Note that sandboxing the browser still have some benefits, sure less than before, but still.
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    No, if you are browsing, and after disabling your script blocking protection, you get hit by malware, you hear noises and see jumping distractions all over the place related to sex, and you got nervous, and after gaining your composure, you clicked Terminate all programs in Sandboxie, and the malware was now gone. And everything was OK afterward, you can tell this guy 100 times not to sandbox Chrome, but he will. What I just wrote is a true experience of someone, relayed to me last week.

    Bo
     
  6. guest

    guest Guest

    I assume if one use forced folder, one already enabled forced programs.

    About the user you mentioned, i believe it was ads script rather than malware.
    Common malicious script often try to silently download and run stuff on the system.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    Forced folders is a separate setting from Forced programs. Forced ´programs, force a particular exe/program, to run sandboxed every time its executed. It works flawlessly with every program 100% of the time.

    Forced folder, files, programs, exes, are supposed to run sandboxed when they are executed out of a Forced folder. This setting doesn't work 100% as its supposed to be. So, you should be aware of the programs that you have in your system that will not run sandboxed out of a Forced folder. They are not many, but there are a few. Exes, 100% of the time will run sandboxed out of a Forced folder. But, in the past, programs like Window media player, Windows photo viewer and 7Zip had problems with the Forced folder feature. 7Zip works fine now, but if you like to test, set Windows photo viewer as your default pictures viewer, and go to a Forced folder, and click on a picture, and you ll see it running unsandboed. To me, this is no big deal, because I know, and work around it. But is good that you know. Sandboxie is not perfect.
    Likely it was a drive by download.

    Bo
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    I only implied the sandboxing of Chrome which itself already has an excellent sandboxing (of renderers) is overkill. BTW, with the exception of the firewall and a browser extension, my security enhancements are all included in Windows. System impact is negligible while the security returns are enormous.

    As I stated above about using what's already available in the O/S...

    Well, it doesn't actually bother me that some people sandbox Chrome. I just expressed my opinion about it.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    Wat, FWIW, I like you, I always have, but you are constantly telling users, suggesting not to sandbox Chrome. You do it over and over. I wish you read, perhaps you did, the part of my post that was removed. That was the heart of that post. After it was removed, I wanted to delete the post, but couldn't, didn't have the option to do it anymore.

    Best regards

    Bo
     
    Last edited: Feb 20, 2019
  10. guest

    guest Guest

    Yeah I know the difference both forced features, I use the 3 you mentioned. Imo, i would find weird that a paid user would not use at least both forced folders and programs.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    More than likely, most paid SBIE users do, but sounds to me like you don't. All the time, you mention Forced folders for your Downloads folder but nothing else.

    Bo
     
  12. guest

    guest Guest

    because my others folders are locked/denied execution via another app (Appguard Enterprise).
    I use sbie/other sandbox only for internet-facing folders where installers/executables/media files may need to be ran.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,184
    same here, and some more. limited programs in a limited box to preview some.
    forced folders have advantage, i dont need run eg firefox in the box (which ofc is not really necessary to run firefox save)
    i dont use windows explorer but you have some cve to read why it should be used in the box?
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    The purpose of running Wndows explorer sandboxed is not to protect the computer of vulnerabilities in Windows explorer itself. I use the sandboxed explorer for security and testing changes in the computer. Is very useful both ways. I ll give you a few examples of how and why I use it.

    For testing: If I want to make a change in the computer, like for example, the first time I disabled PM in Flash, I tested the change in a sandboxed explorer, after seeing how the changes affected the computer, I did the change outside the sandbox. Another example, if I want to make a change in Folders option or any change in Windows explorer that I am not familiar with, I ll test the change while using a sandboxed explorer to see what happens. If all is well, then I make the change outside the sandbox. Another "test" example, if I get a file that when clicked, I get the dialogue saying that no program is set to open it, and I have to guess what program to use to open it, I test using a sandboxed explorer. There are countless of instances that I have used the sandboxed explorer to experiment changes. The reason of using the sandboxed explorer is so if I mess up, there is no harm done to the computer or program that I was testing.

    For security: Mostly, I use it for navigating to files that I am not 100% sure what they are. I rarely download a file that can be categorized as unknown but it does happen some time. I use the sandboxed WE for this type of files because it is the safest way to open files with SBIE. Anything you navigate to via a sandboxed Windows explorer, will run sandboxed. I also use it to open pictures that someone send me and I saved in the computer. I dont download many pictures but if someone send me some pictures, I ll use the sandboxed explorer. Most programs that open pictures, can be set as Forced program and will run sandboxed out of a Forced folder. I use Windows photo viewer as my default viewer. Windows photo viewer can not be forced and pictures will not run sandboxed out of a Forced folder if WPV is your default viewer, so, for security, I use the sandboxed explorer for pictures.

    I think sandboxing Windows explorer can be even more useful for users of Sandboxies free version as they cant force programs or folders but can use it for navigating to their Download folder, USB drives, CD/DVD drives, and any file in the computer to run it sandboxed.

    Bo
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,184
    i test in real system after an image, but thank you.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,993
    Location:
    The Netherlands
    Yes, it wasn't directed to you personally. Like I said, if you already use other protection, you don't need Sandboxie. But the question in this thread was if Sandboxie is useless, and the answer is: no it's not. It should be able to protect the system in case browsers like Chrome and Firefox get exploited, and malware is able to elevate privileges. And this is because of virtualization. How big is the chance that a browser like Chrome gets exploited? That's another story.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,993
    Location:
    The Netherlands
    You see, this is what I meant. Let's say that zero day ransomware (that doesn't need admin rights) was installed via this exploit. AV and UAC wouldn't have helped. Chrome's sandbox wouldn't have helped, since it was bypassed via some Windows OS exploit. But most likely, Sandboxie would have neutralized this attack since it would simply virtualize the ransomware. Of course, white-listing would have also probably stopped it, unless ransomware was running completely in-memory.

    https://www.zdnet.com/article/google-reveals-chrome-zero-day-under-active-attacks/
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    The details on CVE-2019-5786 haven't been released yet, so it's only speculation for now on what measures, if any, could have mitigated or stopped the exploit. It is combined also with a Windows zero-day exploit. At least Google patched the vulnerability in a timely manner.

    EDIT:

    here's a Google Blog post where they think it may only be exploitable on Windows 7 systems.

    If this is the case, then simply running the latest Windows O/S might prevent the exploit from working.
     
    Last edited: Mar 9, 2019
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    Let me add something, Rasheed. Sandboxie's sandbox is the most important protection that Sandboxie has to protect the computer, but lets not forget, each restriction in Sandboxie is an additional hurdle that the malware has to defeat in order to infect. And is not easy. If we get by malware, all this levels that the malware has to get though to succeed with the infection, makes it more than likely that somewhere along the way it will fail rather than succeed.

    Bo
     
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,184
    sandboxie seems a jack of all trades device for people who dont know much about security and its mechanisms. its useless to tell them about, leave them alone. currently they run into more trouble with this fixed view.
     
  21. guest

    guest Guest

    +1
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    Hi Brummelchen, I kind of agree with what you are saying regarding that the potential of running into compatibility issues is greater when using a restricted sandbox but I don't think that's a good reason for not talking about restricting the sandbox (to make it more secure and difficult to breach).

    It behooves new users to know Sandboxie can be even more secure than how it comes by default. When I first started using SBIE, I didn't change any restriction for the first two or three weeks, I wanted to know how programs behaved in a non restricted sandbox, that helped me realize that every restrictions has an effect in all programs that run in the sandbox, in what they are allowed to do. I soon realized that it was important not to "over restrict" the sandbox, because over restricting can cause issue. Once in a while I see a user who doesn't understand SBIE yet, reads a few posts blaming SBIE, and all of the sudden, he is blaming SBIE for an issue (over restricted sandbox) he himself created. So, I understand what you are saying.

    But Sandboxie is so much stronger when restricted than not, that despite that, people should know about restrictions. Look at Drop rights. Thats a great setting to apply if you run your computer as an Administrator (Like I do). When you apply that setting, programs running in the sandbox are stripped of administrative rights. Programs running in the sandbox are treated as if I was not running as an Administrator when I am. This is a great setting to use when it doesn't cause compatibility issues. Long time ago, I remember a time when every once in a while there was a POC or something, and almost every time, it was found that they would not work against SBIE/they would not escape or breach the sandbox when Drop rights was enabled. That single setting made a huge difference. So, I use it whenever I can.

    I said this many times. Personally, what I do when I create new sandboxes is try to strike a balance between convenience and security. And I always achieve that. Myself, I don't give up convenience and usability for security. So, I restrict as much as possible without losing usability or convenience. Thats one of my goals with SBIE and what I suggest people do. Users who dont over restrict, enjoy Sandboxie more.

    Bo
     
    Last edited: Mar 10, 2019
  23. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,737
    I think it's the opposite. Sandboxie is for people who know what they're doing, understand what it does and know how to configure it.
    An Internet Security suite, that is for people "who don't know much about security and its mechanisms", install and forget.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,099
    Location:
    .
    +1 I agree.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,993
    Location:
    The Netherlands
    To clarify, I know that this exploit probably doesn't work on Win 10, but that's not the point. The point is that this is a perfect example of how Sandboxie can protect against browser exploits. So people who say that it doesn't make any sense to protect Chrome or Firefox with Sandboxie don't really know what they are talking about.

    Of course, without actually testing I can't say for sure if SBIE would have protected against this exploit. But it's likely, because from what I know, SBIE will still virtualize processes, even when they manage to elevate to a higher privilege. So without SBIE the system would be toast, especially in case of a ransomware attack. Of course, AV and AE would have also stopped it, depending on what type of malware was used.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.