need advice


need advice

Post by lowlight on 9/3/2011, 08:08

Ok, so I've been neglecting Virus/Spyware/Malware/WhateverWare for literally YEARS because my homegrown method of using VMWare + Linux has been 100% successful for some 10+ years and I am WAY out of sync with what works and what does not work these days. Previously my systems all consisted of Winblowz on the HD (physical HDs) and whenever I browsed the web, downloaded something, used the network, etc., it was always through VMWare. So if any nasties came in via the web, it would get stopped and scratch its head and say wtf is this, and then it would just keel over and die. This method worked for years and years, never failed me once, and I was able to run my Winblowz games rather than have to reboot every time in a dual-boot scenario. About 90% of the time, VMWare is full-screened with Linux as that is my main OS. I use it for mail, web, word/excel docs, file management, videos, pics, whatever, and it works great from within VMWare. The ONLY thing I use Winblows for is to run VMWare and whatever game I am into at the time (atm that is Rift).

Ok, so this ran great. Until I decided to upgrade myself to one of those nice SSD drives (I now have 2 C300 256GB in my laptop, http://media.bestofmicro.com/3/E/258026/original/index-ssd_performance.png for those interested in its benchmark results) that are F'n smokin' fast compared to the crap laptop HDs I've run in the past. The problem I am going to run into now is that SSDs in general are well known for their limited lifetimes when it comes to writes, and with the VMWare sessions, write activity is quite high because it can become "swappy" very easily, especially with sites like myspace/facebook that are heavy on Java/Flash/JS. And since I've disabled swap, if that were to happen now, VMWare would simply crash and that wouldn't be acceptable for me. So I guess the question would be, does it make sense to continue as I have and just use Linux/VMWare as my sandbox, or are there now viable apps that do something similar in theory? And if they work the same in theory, do they ACTUALLY work as a real sandbox and not some sort of gimmick that tries to act like a sandbox? I've read very, very little about "Sandboxie" so it sounds like it might do what I am thinking, but I have no real idea what it is, let alone if it would actually be worth using over VMWare/Linux. But my experience with Winblows has always been that there is NO single cut-fixes-all solution, and in order to get close to that, you have to run 2 or 3 different things and then you're left with a machine that runs about as fast as a turtle in a tar pit. Over the years I've always found that trying to secure Winblowz from all the crap that infests it using apps for this and that and whatever has almost always been outperformed by using VMWare/Linux (at least in my use cases anyway).

So what are the options available these days? Preferably something that's not going to eat my new investments for lunch, they were not cheap lol.

System specs are:
Laptop.
Single dual-core T9300 Intel CPU (2.50GHz or something)
4GB RAM
Nvidia 8800M GTX (works well for the games even compared to desktops)
2 256GB SSD drives
NO physical drives available
NO swap (This is why I'm considering NOT using VMWare. Sadly I might have to give up Linux because of the SSDs and the swap necessity)
NO indexing
NO prefetch
NO Superfetch
NO defrag service
Winblowz 7 Ultimate 32bit (It blows ass, but there is no Linux game worth playing atm and I like ma gamez lol)

For future reference please do not use offensive language in your posts (even abbreviated) ADMIN Thanks


Last edited by patrick on 10/3/2011, 06:23; edited 2 times in total (Reason for editing : Warning about language)

lowlight
Member
Posts : 12
Join date : 2011-03-09

Re: need advice

Post by ssj100 on 9/3/2011, 09:46

Moving to "Security" forum. Cheers.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

ssj100
Administrator
Posts : 1389
Join date : 2010-04-14
http://ssj100.fullsubject.com

Re: need advice

Post by Stephen2 on 9/3/2011, 15:20

Your post is immediately irritating.

Please don't post inflammatory or personal statements ADMIN


Last edited by patrick on 10/3/2011, 06:33; edited 1 time in total (Reason for editing : Warning about inflammatory statements)

Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Re: need advice

Post by lowlight on 9/3/2011, 21:44

Stephen2 wrote:Your post is immediately irritating.

That's probably because you're so illiterate you couldn't even comprehend the subject of the post to begin with. Which of the 2 words in the subject could you not understand? rofl

Please don't post inflammatory or personal statements ADMIN



Last edited by patrick on 10/3/2011, 06:29; edited 2 times in total (Reason for editing : Warning about inflammatory statements)


Re: need advice

Post by ssj100 on 9/3/2011, 23:24

Let's get this thread back on track haha.
lowlight wrote:But my experience with Winblows has always been that there is NO single cut-fixes-all solution, and in order to get close to that, you have to run 2 or 3 different things and then you're left with a machine that runs about as fast as a turtle in a tar pit. Over the years I've always found that trying to secure Winblowz from all the crap that infests it using apps for this and that and whatever has almost always been outperformed by using VMWare/Linux (at least in my use cases anyway).
I only run one real-time security application (Sandboxie) and there is no real slow-down. There's only a few seconds' delay on cold-starting web browsers sandboxed. I'd highly recommend that you take a look at Sandboxie and learn how to use it. It may take you some time to have the confidence of just running it alone though - you will first need to understand what Sandboxie can do, then you will need to know how to harden Sandboxie. Following this, you will need to have a decent approach when managing newly introduced files.

There's a lot of information on this forum about Sandboxie (and other "security-related" methods). My advice is to slowly read through the various threads. Feel free to ask questions here.


Re: need advice

Post by lowlight on 10/3/2011, 03:36

Question on the Sandboxie thing. It shows in a diagram on the Sandboxie website that it physically tries to separate data on the HD. I assume that this is just for illustration purposes and it does not actually try to limit data to certain parts of an HD, correct? Because this obviously wouldn't work with an SSD drive since there is no physical area to restrict lol.


Re: need advice

Post by ssj100 on 10/3/2011, 04:18

Yes, and for the record, I know at least one person who is successfully using Sandboxie on a SSD drive.


Re: need advice

Post by lowlight on 10/3/2011, 04:25

Would it be safe to assume that this is like a 1-way transport? Things can be put in the sandbox, run from the sandbox, but can't exit?

If that's the case, couldn't a virus simply infect the sandbox and still eat up system resources (CPU/RAM)? If that were to happen, how is it cleaned? Would I lose all data in the sandbox since the only sure-fire way to clean it would be to nuke the sandbox? If that's the case, then the next question would be, can I get data out of the sandbox that I know is kosher? It would suck to download something like Rift, a 2GB game file, and lose it because it was locked in the sandbox. I'd much rather download the game, get it out of the sandbox, install it, and then start it in its own little sandbox. That way if I have to delete the sandbox, I don't lose the actual game installation and I would only lose my browser's sandbox, and not the game's sandbox. Or is that even possible? Can you have more than 1 sandbox?


Re: need advice

Post by ssj100 on 10/3/2011, 06:07

lowlight wrote:Would it be safe to assume that this is like a 1-way transport? Things can be put in the sandbox, run from the sandbox, but can't exit?
That's exactly right.
lowlight wrote:If that's the case, couldn't a virus simply infect the sandbox and still eat up system resources (CPU/RAM)?
That could be possible. A virus could certainly end up inside the sandbox. However, before I write anything further, let me clarify a couple of things for you. Sandboxie is an "application virtualiser". This means that it is not a "system virtualiser" or a Virtual Machine. Sandboxie allows virtualisation for individual applications (eg. web browsers), as well as CD/DVD, USB drives.

So to answer the question of what would happen if a virus entered the sandbox (eg. via a sandboxed web browser), it would simply be a matter of deleting the sandbox (as you already worked out) to "clean" it. However, be aware that you can configure the sandbox to only allow certain executables to run. For example, you can configure a Firefox sandbox to only allow "Firefox.exe" to run. This means that if a malicious executable tried to run (eg. "virus.exe"), it would be blocked by Sandboxie's anti-execution mechanism.
lowlight wrote:Would I lose all data in the sandbox since the only sure-fire way to clean it would be to nuke the sandbox? If that's the case, then the next question would be, can I get data out of the sandbox that I know is kosher? It would suck to download something like Rift, a 2GB game file, and lose it because it was locked in the sandbox. I'd much rather download the game, get it out of the sandbox, install it, and then start it in its own little sandbox. That way if I have to delete the sandbox, I don't lose the actual game installation and I would only lose my browser's sandbox, and not the game's sandbox. Or is that even possible?
Yes, it's certainly possible to download files into a sandbox and then "recover" them on to the REAL system. In fact, you can set up Sandboxie to pretty much automatically do this. You can also install the game separately on your REAL system and then run the game sandboxed (I've done this with Starcraft 1 successfully, although I'm unsure how more modern games would fare).
lowlight wrote:Can you have more than 1 sandbox?
Yes, you can have as many sandboxes as you like. I personally use about 10 (if I recall correctly). For example, I run Firefox and IE in separate sandboxes. I also run USB and CD/DVD drives separately etc.

Feel free to ask more questions. Sandboxie actually has a fairly steep learning curve if you want to delve into it deeply. It's probably best to just install it and give it a "test run" - it has a pretty good introduction tutorial too.


Re: need advice

Post by lowlight on 10/3/2011, 07:28

So I've been playing with it and this thing is really sorta cool. I ran it with Rift and the first thing I noticed was that it seems to copy all the files that it reads into the sandbox dir as well as all the files that it writes to. So I can see exactly how the game used the files on the HD. Does it do this EVERY time it's started with an app from outside the sandbox? Or only if the file it's trying to read/write doesn't exist in the sandbox? I poked around to see how I could set up the execution stuff you had mentioned but I didn't see anything obvious. Where is that done?


Re: need advice

Post by ssj100 on 10/3/2011, 09:27

lowlight wrote:I ran it with Rift and the first thing I noticed was that it seems to copy all the files that it reads into the sandbox dir as well as all the files that it writes to. So I can see exactly how the game used the files on the HD. Does it do this EVERY time it's started with an app from outside the sandbox? Or only if the file it's trying to read/write doesn't exist in the sandbox?
As far as I understand it, the files that need to be modified are required to be copied into the sandbox. This is through a process called "File Migration". You can set a limit on the file size:
http://www.sandboxie.com/index.php?FileMigrationSettings
lowlight wrote:I poked around to see how I could set up the execution stuff you had mentioned but I didn't see anything obvious. Where is that done?
Have a read through this carefully:
http://www.sandboxie.com/index.php?RestrictionsSettings

Also, Sandboxie has a very good support forum here:
http://www.sandboxie.com/phpbb/index.php
Feel free to ask questions there too. There are some very helpful and knowledgeable folk there. Not to mention the developer himself (tzuk) provides very good support there.

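
The layout ssj100 describes in his two posts above (one box per threat-gate, forced programs, recovering known-good downloads to the real system, the file-migration size limit) can be written down directly in Sandboxie.ini. The fragment below is an added example, not configuration from this thread or from Sandboxie's own documentation; the box names, the E: drive letter for the USB stick and the use of "#" comment lines are assumptions (drop the comments if your version rejects them). The Start/Run allow-list ("only Firefox.exe may run") lives on the Restrictions page linked above and is not shown here.

```ini
# Added example Sandboxie.ini fragment (assumed "#" comments; remove if unsupported)
# One box per threat-gate: the browser process is forced in, downloads are
# offered for recovery to the real Desktop/Documents, and CopyLimitKb caps
# how large a REAL file may be migrated into the box before Sandboxie asks.

[Firefox]
Enabled=y
ConfigLevel=7
ForceProcess=firefox.exe
AutoRecover=y
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
CopyLimitKb=49152
CopyLimitSilent=n
DropAdminRights=y

[IE]
Enabled=y
ConfigLevel=7
ForceProcess=iexplore.exe
AutoRecover=y
RecoverFolder=%Desktop%
DropAdminRights=y

[Reader]
Enabled=y
ConfigLevel=7
ForceProcess=AcroRd32.exe
ForceProcess=AdobeARM.exe
DropAdminRights=y

[USB]
Enabled=y
ConfigLevel=7
# assumed drive letter of the removable stick; anything started from it lands here
ForceFolder=E:\
AutoRecover=y
RecoverFolder=%Desktop%
DropAdminRights=y

[Unknown]
Enabled=y
ConfigLevel=7
# throw-away box for testing downloads: wiped when the last program exits,
# and the sandboxed program cannot even read the real My Documents
AutoDelete=y
DropAdminRights=y
ClosedFilePath=%Personal%
```

Sandboxie Control writes these keys itself when you use its dialogs, so only edit the file by hand with the GUI closed and reload the configuration afterwards. Note that CopyLimitKb only governs migration of existing real files that a sandboxed program opens for writing; a file created inside the box (a download, a game patch) is not subject to it, so recover the 2GB installer with AutoRecover and run it unsandboxed rather than raising the limit.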

Re: need advice

Post by lowlight on 11/3/2011, 01:39

I've been playing around with "Program Start->Forced Folders" and have found that it seems to be a good plan to set each of my apps up with their own little sandbox and then set the forced folder directory settings to any folder associated with it. Like for Adobe Reader I have c:\adobe\reader and c:\program files\common files\adobe (since it's the only Adobe app I plan on using).

This seems to work well. But my next question is, I am also thinking of setting up an "Unknown" sandbox and setting its "Program Start->Forced Folders" to c:\ Is this even possible? If so, will it break anything? The way I see it, if I am in a serious bind and something somehow creeps out of my other sandboxes, I might be able to catch it using this unknown sandbox and then as a last resort, I could kill that and it "should" act as sort of a "roll back" feature to right when I installed and set up all this Sandboxie stuff. OR is that not what would happen? I'd expect that doing this would sandbox everything including drivers, services, etc. So that if anything ever infects something like my network drivers (I've had to help people fix that kinda thing before, what a nightmare), I can delete the sandbox and start from scratch without having to reinstall Winblowz?


Re: need advice

Post by ssj100 on 11/3/2011, 01:54

lowlight wrote:I've been playing around with "Program Start->Forced Folders" and have found that it seems to be a good plan to set each of my apps up with their own little sandbox and then set the forced folder directory settings to any folder associated with it. Like for Adobe Reader I have c:\adobe\reader and c:\program files\common files\adobe (since it's the only Adobe app I plan on using).
Why don't you just force the Adobe Reader process to open in a sandbox? Much easier than trying to figure out which folders Adobe Reader uses.
lowlight wrote:But my next question is, I am also thinking of setting up an "Unknown" sandbox and setting its "Program Start->Forced Folders" to c:\ Is this even possible?
I don't think it's a good idea to set your system drive (C:\) as a Forced Folder. If I recall correctly, Sandboxie actually gives a warning if you try to do this. I suspect the system will become very unstable if you try this.

If you want to test "unknown" applications, you can just create a separate sandbox for that and configure it as required. So for example, if you download a program and you want to test it with Sandboxie, you can just right click the "unknown" executable and click "Run Sandboxed". However, I would personally recommend testing "unknown" stuff in a full blown Virtual Machine. For unknown programs and malware testing, I run a sandboxed VirtualBox.


Re: need advice

Post by lowlight on 11/3/2011, 02:34

Well, I don't use the force-executable-to-run-sandboxed option because there may be more than 1 exe that Reader uses. For example, it uses AdobeARM.exe which keeps it up to date. Thus, rather than having 6 or 7 .exe settings, I have 1 or 2 folders that contain all the exes within them. That was my thinking on how it worked and it seems to function properly set up like that. The other thinking was for viruses/spyware. If I were to set, for example, just chrome.exe to be forced sandboxed and then somehow rogue.exe is run from within a Chrome dir (the temp dir maybe), it would be possible for it to run unsandboxed if I did not have the folder directive in place. Thus, since I use folders instead of exes, I'm hoping to catch the little critters that are trying to sneak off and hide in a corner.

As for the "unknown" idea, that's for those things that I don't have any clue are being installed/run/used. Obviously if I download something I will sandbox it myself. But for the crap that decides to run on its own without my knowledge (virus, spyware, etc.), I obviously would not have any knowledge of those and can't create sandboxes to test them. So the idea was to create c:\ to catch the bad guys doing things that they should not. In theory, this should never happen since I have all my network/external drive apps sandboxed anyway, but nothing is 100% secure when dealing with Winblows so I figured, might as well try to make a backup plan just in case. But if it would make the system unstable then I will just have to run without it. As an alternative I've looked at all the temporary folders and added them to a Temp sandbox (via forced folder settings) just in case a baddie is released there and tries to run from the police; then hopefully it'll be caught in the Temp sandbox and easily sent to prison for life lol.


Re: need advice

Post by ssj100 on 11/3/2011, 02:59

lowlight wrote:Well, I don't use the force-executable-to-run-sandboxed option because there may be more than 1 exe that Reader uses. For example, it uses AdobeARM.exe which keeps it up to date. Thus, rather than having 6 or 7 .exe settings, I have 1 or 2 folders that contain all the exes within them. That was my thinking on how it worked and it seems to function properly set up like that. The other thinking was for viruses/spyware. If I were to set, for example, just chrome.exe to be forced sandboxed and then somehow rogue.exe is run from within a Chrome dir (the temp dir maybe), it would be possible for it to run unsandboxed if I did not have the folder directive in place. Thus, since I use folders instead of exes, I'm hoping to catch the little critters that are trying to sneak off and hide in a corner.
Forcing the executable to run is actually more secure if you sandbox your threat-gates. Threat-gates are like your web-browser and chat messenger program - basically anything that connects out to "untrusted/unknown" areas of the internet etc.

AdobeARM.exe is not a virus - it's already installed on your system and does what it needs (or what you allow it) to do. So how would it be exploited? Clearly it has to be exploited through a threat-gate - but if you sandbox your threat-gates, you are protected.

Forcing "chrome.exe" to run sandboxed means anything related to "chrome.exe" will also run sandboxed. So if "rogue.exe" got into Chrome's temp directory (via the Chrome web-browser threat-gate), it would not actually be in Chrome's REAL directory - it would be all within the sandbox that "chrome.exe" is running in. In fact, it's not a good idea to (just) rely on the Force Folder setting in this case - what if "rogue.exe" ended up in a folder that wasn't set to force run sandboxed? Again, forcing the executable to run sandboxed is a much more secure method of sandboxing the respective threat-gate.

Also, keep in mind that the Force Folder setting has a weakness:
http://ssj100.fullsubject.com/t290-defensewall-pitfalls#2314

Conceptually, Sandboxie is actually quite complicated. But to make use of its full power, you'll need to understand it well. It's well worth it though, as it's all "set and forget" once you set it up to your liking.


Re: need advice

Post by lowlight on 11/3/2011, 03:15

So even though Chrome's directory is forced to run sandboxed, it's still best to specify its exe? I guess I don't quite understand why that would be the case. Are you referring to a "what if Chrome gets moved out of that directory" type of scenario? Because if that were the case, wouldn't simply renaming chrome.exe do the same thing? I would assume that if it's being moved, it's probably gonna be renamed too.

I guess for me the analogy would be: you're saying that it's safer to use a simple door lock on the door, and I'm saying rather than lock the door, we're gonna just cement the door hole so the door can't even be used with any key no matter what kinda key it is. Whereas with the door lock, you're saying that only xyz key can open the door. But then a thief comes along and picks the lock (renames the file) and gets in anyway. I'm sure the bad guy could rent a bulldozer and knock down the cement (move the file to a dir that's not in the forced directory directives), but it's gonna have to be a big bulldozer :)


Re: need advice

Post by ssj100 on 11/3/2011, 03:26

To help you understand, consider what would happen if a drive-by virus got on to your system via the Chrome web-browser. Let's say it spontaneously downloaded itself and wrote itself into a new folder (that is, it created a new folder). Let's call this new folder "Owned" (and let's say it ends up on the desktop) and let's call the virus "Rogue.exe".

So if you only force sandboxed your Chrome related folders, "Rogue.exe" would be able to run from folder "Owned". This would take place on the REAL system.

If, on the other hand, you sandboxed the process "Chrome.exe", then the folder "Owned" will be created within the sandbox, and "Rogue.exe" will be written inside this (all still within the sandbox). When/if "Rogue.exe" executes, it will also execute within the sandbox.

Even if the virus was called "chrome.exe", it would still be unable to run with appropriate start/run restrictions - you can test it out for yourself.


Last edited by ssj100 on 11/3/2011, 03:30; edited 1 time in total


Re: need advice

Post by lowlight on 11/3/2011, 03:29

Hmmz I see what you mean, but since the Chrome folder is specified as forced, then it also means chrome.exe runs sandboxed, and thus the rogue.exe "should" be saved within the sandbox, right? The idea for me was to make it painless by not having to track how many exes Chrome runs now or in the future. I simply sandbox all its associated folders instead and of course that includes the dir that houses the chrome.exe file itself. So rather than having to know all the EXEs that an app uses, it's very likely easier to know which folders it uses because that list is likely to be smaller than the list of exes that an app uses, and I thought that maybe Adobe Reader would illustrate that fact as there are more EXEs than there are folders.


Last edited by lowlight on 11/3/2011, 03:33; edited 1 time in total


Re: need advice

Post by ssj100 on 11/3/2011, 03:32

Yes, you're right actually. But again, it's not necessary. It's much simpler to just force the Chrome executable to run sandboxed - you don't need to worry about how many exes Chrome runs now or in the future. It's really all "set and forget". Everything related to chrome.exe will automatically run sandboxed too.


Re: need advice

Post by lowlight on 11/3/2011, 03:34

Hmm ok, so it sounds to me like rather than being not secure enough, I am very likely making it overkill, which is exactly what I was aiming for :) Of course that's barring any bugs related to the Forced Folder feature. I'll need to make sure that there aren't any security holes related to doing that first.


Re: need advice

Post by ssj100 on 11/3/2011, 03:36

I wouldn't say it's overkill at all, since it's identical protection under the supervision of Sandboxie's protective mechanisms. It's just much more slick to force the executable only. However, you can try out what you want and see if it suits you. Sandboxie is very configurable.

And yes, I'd highly recommend carefully reading through that link I posted earlier about the Force Folder feature. For ".exe" files, the feature should always work, but the Force Folder feature doesn't guarantee that all file types will open sandboxed.

EDIT: by the way, I've probably caused a little bit of confusion with regards to the Force Folder setting. As you say, since you're forcing the folder that the chrome executable resides in to run sandboxed, whenever you open the Chrome browser, it will be forced run sandboxed. And given this, everything related to the chrome executable will also run sandboxed. Essentially, the way I see it, this is just an "untidy" method of forcing the chrome executable to run sandboxed haha. It's not necessary (in fact, it adds absolutely no benefit) to force any other chrome related folder to run sandboxed. That's why simply forcing the chrome executable itself to run sandboxed is all that's needed. That's how I've always understood it anyway.

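
To make the difference between the two forcing methods concrete, here is an added model, not Sandboxie code and not from anyone in this thread, that only encodes the rules stated in the posts above: a process started by a sandboxed parent inherits its box (so ssj100's "Owned\Rogue.exe" stays inside), a forced program is matched by executable name, a forced folder by the executable's location, and a data file opened from an unsandboxed Explorer is displayed by a handler that is itself unsandboxed unless one of those rules catches it (the Force Folder weakness ssj100 mentions). Every path, box name and file name in it is constructed for the example.

```python
"""
Toy model of Sandboxie's two 'forced' mechanisms as described in the thread.
Added illustration only; it is not Sandboxie's implementation. Rules encoded:
  1. a process started by a sandboxed parent lands in the parent's box;
  2. a forced program is matched by executable file name;
  3. a forced folder is matched by the executable's location;
  4. a data file double-clicked in an unsandboxed Explorer is shown by its
     handler program, which is subject only to rules 2 and 3.
All paths, box names and file names below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import ntpath


@dataclass
class Policy:
    force_process: Dict[str, str] = field(default_factory=dict)  # exe name -> box
    force_folder: Dict[str, str] = field(default_factory=dict)   # folder -> box


@dataclass
class Process:
    image: str              # full path of the executable
    sandbox: Optional[str]  # None means it runs on the real system


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def launch(policy: Policy, image: str, parent: Optional[Process] = None) -> Process:
    """Decide where a newly started executable ends up."""
    if parent is not None and parent.sandbox is not None:
        return Process(image, parent.sandbox)  # rule 1: children cannot escape
    box = policy.force_process.get(ntpath.basename(_norm(image)))  # rule 2
    if box is None:                                                 # rule 3
        for folder, name in policy.force_folder.items():
            if _norm(image).startswith(_norm(folder) + "\\"):
                box = name
                break
    return Process(image, box)


def open_data_file(policy: Policy, path: str, handler: str, opener: Process) -> Process:
    """Rule 4: the opener (e.g. Explorer) starts the handler to show `path`.
    `path` is deliberately not consulted: only where the handler lives matters."""
    return launch(policy, handler, parent=opener)


# Constructed scenario: a real, unsandboxed Explorer and Chrome's install folder.
EXPLORER = Process(r"C:\Windows\explorer.exe", None)
CHROME_DIR = r"C:\Program Files\Google\Chrome\Application"
CHROME = CHROME_DIR + r"\chrome.exe"

BY_PROCESS = Policy(force_process={"chrome.exe": "Chrome"})
BY_FOLDER = Policy(force_folder={CHROME_DIR: "Chrome"})
BOTH = Policy(force_process={"chrome.exe": "Chrome"}, force_folder={CHROME_DIR: "Chrome"})


def drive_by(policy: Policy):
    """ssj100's case: Chrome drops Desktop\\Owned\\Rogue.exe and runs it."""
    chrome = launch(policy, CHROME, parent=EXPLORER)
    rogue = launch(policy, r"C:\Users\lowlight\Desktop\Owned\Rogue.exe", parent=chrome)
    return chrome.sandbox, rogue.sandbox


def renamed_in_place(policy: Policy):
    """chrome.exe renamed but left in its folder (lowlight's lock-picking case)."""
    return launch(policy, CHROME_DIR + r"\browser.exe", parent=EXPLORER).sandbox


def copied_out(policy: Policy):
    """chrome.exe copied to another folder (ssj100's 'folder that wasn't forced')."""
    return launch(policy, r"C:\Temp\chrome.exe", parent=EXPLORER).sandbox


def pdf_in_forced_folder(policy: Policy):
    """A .pdf inside the forced folder opened from the real Explorer: the Force
    Folder weakness, because the handler does not live in the forced folder."""
    reader = open_data_file(policy, CHROME_DIR + r"\notes.pdf",
                            r"C:\Program Files\Adobe\Reader\AcroRd32.exe", EXPLORER)
    return reader.sandbox


if __name__ == "__main__":
    for name, pol in ("by process", BY_PROCESS), ("by folder", BY_FOLDER), ("both", BOTH):
        print(name, drive_by(pol), renamed_in_place(pol), copied_out(pol), pdf_in_forced_folder(pol))
```

Under either policy the drive-by lands in the box, which is the equivalence ssj100 concedes; the gaps are symmetric (a renamed chrome.exe escapes the process rule, a copied-out one escapes the folder rule, and setting both closes both), while the .pdf case is unsandboxed under every policy shown, since no rule names the handler.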

Re: need advice

Post by lowlight on 11/3/2011, 03:52

I read that post and it seems that you are saying that items in a forced sandboxed dir can still be opened unsandboxed provided that the app opening them is unsandboxed (which would be Explorer most likely). So, if I use an unsandboxed Explorer, I shouldn't even be able to see the sandboxed dir in the first place. I would have to navigate to the Sandboxie dir and then find the dir in there. But then at that point, it's no longer c:\something, and instead it would be c:\sandboxie\something and thus the rule to run it sandboxed wouldn't apply? Is this what you are referring to? I'm not sure that would happen because I'd expect that the entire c:\sandboxie dir that houses all the virtual files would inherently be sandboxed anyway. But then, if the dir I am looking for is not in the Sandboxie dir, and it's instead c:\something and accessible to my unsandboxed Explorer, I'd expect that the Sandboxie service would see that I have c:\something marked as sandbox-only and then anything that the unsandboxed Explorer executes in that dir would then run sandboxed. The only thing I can think of that wouldn't run sandboxed would be something that isn't executed to begin with but instead "read", such as an image, an audio file, txt, or a video (excluding wmv since those are considered executable I think), etc. So there are many non-executable files that could conceivably be opened unsandboxed. But anything that is executed I'd expect would be sandboxed because of the forced folder directive.

I think the only sure-fire way around that would be to have a sandboxed Explorer for each sandbox I have defined (something I've already got sitting on my desktop now. I found the create shortcut feature and used that lol).


Re: need advice

Post by lowlight on 11/3/2011, 06:31

So anyway, thanks for being helpful. I now feel confident in running the Winblows OS (without bloatware) for the first time in literally 17 years. I think I have enough control of what's going on to the point where I could get infected with pretty much anything and come out ok in the end without having to reinstall and spend hours fixing it. I'm still going to keep my Linux OS since it's still my OS of choice for development, but I don't have to rely on it anymore for normal everyday things like I had been doing in the past. But I still don't consider Winblows a secure enough OS that I'd recommend it to non-'puter-savvy friends. I still recommend Linux to the people who don't play games ;) Maybe someday I'll be able to switch totally. But for now, I'm content lol.


Re: need advice

Post by ssj100 on 11/3/2011, 08:32

lowlight wrote:I read that post and it seems that you are saying that items in a forced sandboxed dir can still be opened unsandboxed provided that the app opening them is unsandboxed (which would be Explorer most likely). So, if I use an unsandboxed Explorer, I shouldn't even be able to see the sandboxed dir in the first place. I would have to navigate to the Sandboxie dir and then find the dir in there. But then at that point, it's no longer c:\something, and instead it would be c:\sandboxie\something and thus the rule to run it sandboxed wouldn't apply? Is this what you are referring to?
My head hurts haha. Did you read this post?:
http://ssj100.fullsubject.com/t88-newbie-sandbox-setup-help#488
That basically sums up the issue/weakness of the Forced Folder feature. As you now know, the same issue/weakness also applies to other programs like DefenseWall.
lowlight wrote:I think the only sure-fire way around that would be to have a sandboxed Explorer for each sandbox I have defined (something I've already got sitting on my desktop now. I found the create shortcut feature and used that lol).
Yes, running a sandboxed "explorer.exe" is something I do all the time now. Here are a couple of videos I posted a few months ago showing its effect:
http://ssj100.fullsubject.com/t311-sandboxing-explorerexe-with-sandboxie#2499
Note that this can't be done with DefenseWall, GeSWall, or BufferZone.
lowlight wrote:So anyway, thanks for being helpful.
You're welcome!


Re: need advice

Post by Stephen2 on 14/3/2011, 11:54

lowlight wrote:Because this obviously wouldn't work with an SSD drive since there is no physical area to restrict lol.

LOL... you're wrong, mate, har har, there are physical areas on an SSD, duh..

You're great!!

