
Sandboxie and Windows -- How effective?

Discussion in 'General Security' started by BobPrimak, Apr 23, 2010.

  1. BobPrimak

    BobPrimak Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    13
    I've noticed in this forum area much discussion about how or whether to use Sandboxie and similar products as part of a layered security environment. I have offered to post what I have found on the subject. I hope this posting is not over-long, as many professional analysts have weighed in over the past few years.

    Please note that I am not trashing Sandboxie and similar programs out of hand. They all may play a useful role in a layered approach to computer security. But there are also limitations, so here I go with an annotated and sourced webliography on this important security topic.

    If any of my links has problems, either PM me, or ask an Administrator to do so.

    Zone Alarm Force Field, the browser virtualizing component of ZA Extreme Security -- Roger A. Grimes of Infoworld.com:

    Roger A. Grimes tested Force Field. Read his results here: http://www.infoworld.com/d/security...eld-compromised-in-sixty-seconds-561?page=0,0

    Sandboxie -- just how effective is this program as a security measure? Here's one review of several programs, including Sandboxie. It is not 100 percent favorable, but also not 100 percent unfavorable.

    http://pcworld.about.com/od/securit1/Sandbox-Security-Versus-the-Ev.htm (The original source article is at PC World.com -- http://www.pcworld.com/businesscenter/article/151706/sandbox_security_versus_the_evil_web.html )

    Some interesting points about what Sandboxie does NOT protect:

    "Another important question is, how good is the emulation coverage? Sandbox protection products, by their very nature, don't emulate the entire operating system, as a full virtualization product such as VMware Workstation, Microsoft Virtual PC, or Parallels would. Malware programs are known to infect more than a hundred different Windows attributes, including registry locations, files, folders, startup areas, and more. How many Windows attributes and APIs are covered in the sandbox? The answer is never all. Does the product protect against remote and local buffer overflows, phishing attacks, alternative data stream techniques, file sharing avenues, and so on? Some did, most didn't."

    And later,

    "A fully patched system (OS and applications) where the user cannot install random programs would probably provide as much protection. How well your organization handles those two requirements will determine if sandbox products are worth investigating."

    The problems and limitations of Sandboxie as a security defense are many, as the reviewer clearly states:

    "[O]verall, I was more impressed with Sandboxie than I expected to be -- with three reservations. First, as comprehensive as the coverage appears, Sandboxie cannot virtualize system-level drivers, which can lead to installation and stability problems from both legitimate and malicious programs. Some of the low-level malware programs I tested caused "blue screen" errors and severe booting problems afterward. To be clear, at no time did I see a malware program installed in such a way that Sandboxie allowed it to run seamlessly outside of virtualization; however, Sandboxie allowed more browser and system crashes than most of the competitors."

    "Second, Sandboxie only protects one program or process at a time. When you use Sandboxie, you must choose which programs and processes to protect and when. You can create one or more virtual sandboxes, each with its own settings, but what goes into each sandbox is up to the user. Occasionally, I found myself accidentally running unprotected programs when I wasn't paying attention. Plus, it's just not possible to run every program and process virtualized all the time, for various reasons (consider remotely buffer overflowed system service, anti-virus software, tape backup software, and so on), which means they can be exploited. Other competitors in this review focused on protecting critical system areas against all threats and didn't rely on the user to choose which area to defend."

    "Third, all trust decisions are left up to the end-user. Sandboxie never makes a declaration of safe versus unsafe content. The nontechnical end-user usually doesn't have enough knowledge of malware to make successful trust decisions. For example, Sandboxie doesn't prevent against phishing, so if a user is sent an e-mail claiming to be a security patch from Microsoft, how many end-users would download and install the patch using an unprotected browser session? How many users might be tricked by the XP Antivirus malware program? Too many, I suspect."

    This thread at the Sysinternals Forums offers some technical insight as to just what Sandboxie and other Windows sandboxing schemes cannot protect (as well as what they can protect):

    http://forum.sysinternals.com/topic15072.html

    DSL Reports has this thread (among others) about sandboxing and Virtual Machines. Again, the picture is not all rosy and sunny. http://www.dslreports.com/forum/r22595061-Sandbox-technology-a-foolproof-defense

    And this reference gives a "webliography" of related articles and products: http://www.firewallguide.com/zero-day-protection.htm
    "This page includes articles, reviews and product links for "zero-day protection", "non-signature anti-malware products" and "host [based] intrusion prevention systems" or HIPS for short."

    This is only a brief sampling of where I have found summaries of the information which I can bring to bear on this topic. As the reader can see, I have read and researched extensively what these "sandboxing" programs can and cannot do to protect PC users against Internet threats. But I am not a degreed IT professional, and I am not a computer security expert, so I cannot claim comprehensive or 100 percent reliable knowledge on these matters. Still, I am not your average Home User. I do have some basis for the things I post in online forums. I hope this posting helps to put an end to anyone calling me out as not knowing what I am posting about.

    And again, I am not trying to start any debates -- just some discussion of the facts, as best we can develop them.
     
  2. Stoner

    Stoner Banned

    Joined:
    Oct 26, 2002
    Messages:
    44,931
    Bob, some of your links are getting a little long in the tooth.
    Unfortunately, the malware writers seem to be advancing while the anti-malware writers are following their lead.
    Info from a year or two ago may not be as relevant today, but it does set up the basis of how these apps approach security issues.

    I have seen passing mention of Sandboxie having to update to meet new challenges and I don't doubt there will be more to address.
    One issue of interest I read about in the past few months was the concern of rootkiting the BIOS and other pieces of hardware like the firmware of video cards.
    I've passworded my BIOS, but that doesn't cover other hardware like sound and vid cards.
    So my concerns also include the ability of the current Sandboxie to protect peripherals on the level of being reflashed.

    Any ideas on that issue?
     
  3. Gizzy

    Gizzy

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Alright, where do I start... I guess from the beginning.
    I'll mostly comment about Sandboxie and not the other sandbox programs, since Sandboxie is the one I have the most knowledge of, being a user myself.
    Also, I am reading the reviews but mostly commenting on the quotes you posted, since otherwise this post would be much larger than it already is. If there are any other quotes people would like my comment on, I will. :)

    And note these reviews are a bit old...

    I don't take it as that. :)

    Sandboxes aren't meant to be virtual machines.
    As for what areas are covered, the important ones are usually covered, and if any holes are found over time and through use/testing then they get covered as well.

    This quote looks like it's mainly for businesses/organizations.
    It is a great idea to keep everything patched and updated,
    but the other part about installing random programs is a trade-off of usability/security: sure, it's much more secure to not be able to install programs, but not very convenient.
    Whereas sandboxes allow users to install programs on their computers but only restrict programs they choose.

    That can be said about any type of security program. :D

    Sandboxie doesn't allow drivers inside the sandbox by default; it just blocks the driver and gives the user an alert about it. I can see that causing problems for the program trying to install in the sandbox, but I don't see a problem with that, since Sandboxie wasn't meant to be a virtual machine, so it's not meant for users to install programs inside.
    And if malware with drivers can't install correctly inside the sandbox, where's the problem with that? :D
    I don't want malware to work like it should, unless I wanted to test malware, in which case I'd use a VM or spare computer.

    There is a setting in Sandboxie that allows programs to load drivers, but it's not a recommended setting, as it decreases the security.

    I'm not sure if I'm understanding this quote or not, but if I am then this is just wrong. Sandboxie allows you to run any number of programs inside a sandbox and then protects all programs/processes outside of the sandbox from being modified by the sandboxed programs.
    In the free version you can only run one sandbox at a time, whereas the paid version allows you to have multiple sandboxes running at the same time, but inside one sandbox you can run many programs/processes.

    You don't have to choose what areas of the computer you want to protect from programs inside the sandbox. You can harden areas if you want to, but the default settings are fine.

    For the first part of the quote, this is a problem any security program has: being able to tell malicious from non-malicious. Even antivirus programs, whose main job is that, can't identify all malware and occasionally identify legit programs as malware:
    http://forums.techguy.org/general-security/918351-recent-mcafee-update-causes-xp.html

    And the second part about social engineering: unfortunately you can't protect users from themselves. If they want to do something to their computer, no security program will stop them; they'll just turn off the security if it gets in their way enough.

    That thread actually shows good for Sandboxie. If you read the thread, at first they talk about theoretical ways to bypass Sandboxie, but then later posts show one of them (CrazyFish) actually testing those theories and failing. ;)

    Another user (Buster) does say he found a hole, but it was fixed. He then says he tested about 45,000 malware against Sandboxie and none broke through. If you visit the Sandboxie forum you'll see he actually tests Sandboxie quite a lot.

    I read that thread and I see a lot of users saying they don't think it's 100% and that nothing is.
    I agree with that actually, since IMO there's no such thing as 100% security, so that applies to any type of security program.
    So I'm not sure what you mean by not all rosy and sunny; they say the same about any security.

    But I didn't see any of them mentioning any way to bypass Sandboxie.

    Same here, I've been in enough debates, I stay out of the uncivilized debate section of this forum for a reason. ;)
     
  4. perfume

    perfume Banned

    Joined:
    Sep 12, 2008
    Messages:
    2,011
    Dear BobPrimak,
    Quote: "[O]verall, I was more impressed with Sandboxie than I expected to be -- with three reservations. First, as comprehensive as the coverage appears, Sandboxie cannot virtualize system-level drivers, which can lead to installation and stability problems from both legitimate and malicious programs." Unquote. Sandboxie does not allow programs which try to install drivers, and KIS 2010 comes out "all RED" and a warning is given to "limit" or "Block" the program! Since we are the biggest threat to our PC/LAPS, I respect KIS and block the program! I do not think a program like Sandboxie sits on its thumbs. As Gizzy said, the "bought version" has additional features. :)


     
  5. BobPrimak

    BobPrimak Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    13
    Stoner, nice to hear from you again. I think your concerns about flashing are firmware related, right? Unfortunately, even a Virtual Machine seems not to be a good defense against that possibility, from what little I've come across on the subject in my reading. But I have only read of one proof of concept about this type of infection, and it was pretty specific, affecting the Broadcom Networking cards. The issue was in Broadcom's updating software, not the firmware as such. No defense was offered, except that Broadcom did issue a firmware update shortly thereafter. If you want, I can go back through PCWorld.com and find the article.

    Gizzy, you offer many good insights into the present state of the art with Sandboxie. My refs include older materials, but a few of the concerns may still apply to Sandboxie and similar programs.

    I will wait for others to post their knowledge and opinions before deciding whether to post further on this subject.

    I am learning a lot about Sandboxie, and I hope to learn more.

    One thing about my post -- I did include references aimed more at the notion that a Windows browser can be virtualized, or isolated from the Windows system kernel. Google Chrome was not evaluated in these articles. There are important improvements in Chrome with regard to isolation of browser processes from the Operating System. These advances look promising. But I haven't read anything indicating that Chrome can be completely sandboxed under Windows. Does anyone know of reports or articles which address this issue for Chrome?

    And, Perfume, I am interested in what exactly the KIS Sandbox is supposed to do? I have Comodo Firewall with Defense Plus, and it also has a "Sandbox" feature. Any information or references would be appreciated.
     
  6. aka Brett

    aka Brett Banned

    Joined:
    Nov 25, 2008
    Messages:
    16,918
    The sandbox feature {Safe Run} for Kaspersky is a little sluggish IMO... I had problems with IE right off the bat, taking over a minute to load.
    I am not knocking Kaspersky, but it doesn't like my latest machine for some reason... slow... programs stop responding... This was a fresh install of W7, then fully patched... Installed Kaspersky. It would run OK for a while, then would get sluggish... I could uninstall Kaspersky... reinstall it... A week or 2 later the same thing would occur... Rinse and repeat.
    Perhaps someone else has had better luck with the sandbox in Kaspersky.
     
  7. BobPrimak

    BobPrimak Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    13
    Good info. I'll avoid that program.
     
  8. perfume

    perfume Banned

    Joined:
    Sep 12, 2008
    Messages:
    2,011
    Dear Brett,
    You are being modest! To be frank, the sandbox in KIS2010 is an embarrassment! I am the reference, dear BobPrimak. ;)
     
  9. SIR****TMG

    SIR****TMG

    Joined:
    Aug 12, 2003
    Messages:
    47,118
    I use it all the time
     
  10. BobPrimak

    BobPrimak Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    13
    I'm a little confused here. Perfume, you are the reference regarding what? :confused:
     
  11. antimoth

    antimoth

    Joined:
    Aug 8, 2009
    Messages:
    361
    I've tried out the Kaspersky "sandbox" mode, which they call Safe Run. From my experience, it's not well documented and there are some gotchas.

    For example, when running Firefox in Safe Run mode, I noted that the NoScript add-on that was running in normal mode wasn't active in the sandbox until I re-installed it. However, other add-ons were in place. I believe it had to do with when I first invoked FF in sandbox mode. Perhaps it stored a configuration in the sandbox folder when I had not yet added NoScript, and used that. It just means one should double-check an application.

    I've not seen Firefox crash or slow down in this mode. However, Kaspersky does save data or disk changes from an application in the sandbox folders, and with continued use that's going to be a lot of data accumulated, with no button as far as I can see to delete it.

    Finally, I have not intentionally tested this sandbox mode on anything suspicious. Haven't found any reviews where someone did it either. Don't want to risk my PC. I mean, if you want to walk through the mud because you think you have waterproof boots, you may get in too deep.
     
  12. bp936

    bp936

    Joined:
    Oct 13, 2003
    Messages:
    3,033
    I gave up using Sandiebox with Kaspersky 2010; had trouble and slowdowns with FF.
    Luckily I always have another browser installed (never use IE).
    I now mostly use K-Meleon and love it. Kaspersky seems to like it; very fast and does a lot of things, more than I need. WinPatrol also has nothing against it.
    I wonder why no one mentions it.
    http://kmeleon.sourceforge.net/
    It is the perfect browser for my dial-up and when the other browsers crash.
     
  13. Stoner

    Stoner Banned

    Joined:
    Oct 26, 2002
    Messages:
    44,931
    With browsers, anti malware apps and firewalls expanding their coverage so that there is overlap in functionality, imo...it's a wonder there aren't more conflicts.
     
  14. Stoner

    Stoner Banned

    Joined:
    Oct 26, 2002
    Messages:
    44,931
    What other sandboxes are available?
     
  15. aka Brett

    aka Brett Banned

    Joined:
    Nov 25, 2008
    Messages:
    16,918
Short URL to this thread: https://techguy.org/918802