Sandboxie: Absolute best browser malware/virus protection?


19 replies to this topic

#1 vrfunk

Posted 30 December 2015 - 09:27 PM

Hello folks, when it comes to security I would consider myself a noob so I wanted to start this topic to get everyone's opinion on Sandboxie. As I understand it, and this is where I could be wrong, it is the best malware/spyware/virus protection for browsing.

 

I know there are good anti-virus/malware programs that can help with removing malware/viruses after you're already infected, but as I understand it, what Sandboxie does is it prevents anything and everything inside of the browser from accessing/infecting your computer. The thing that really separates Sandboxie from the latest, greatest anti-malware/virus software is that even those may fail to detect some brand spanking new threat as they need their database to be up to date with that threat, which means there's a short window where many users may get infected even though they have the "best" anti-malware/virus software. Whereas Sandboxie doesn't care about definitions and whatnot, it just doesn't give anything inside the browser access to your computer period. Making you safe, at least while browsing.

 

Is my assessment of Sandboxie vs. anti-malware/virus software correct, or am I overrating Sandboxie?


Edited by vrfunk, 30 December 2015 - 09:30 PM.



#2 Without_A_Monitor

Posted 30 December 2015 - 11:39 PM

Although I do not use Sandboxie, I have read about it from various threads on this forum. With that said, my knowledge is still extremely limited if it can be labeled as "knowledge" at all.

In an attempt to somewhat answer your question, I wouldn't claim that you are overrating Sandboxie; however, you seem to be comparing Sandboxie to any/all AV and AM programs. By doing so, it is lumping together different AV and AM programs that are not exactly the same in every aspect.

For example, there are some AV and AM programs such as Emsisoft Anti-Malware and Hitman Pro that consist of a behavior blocker, which does not require definitions to block malware and even function at all.

While using Sandboxie helps, it also is not foolproof. I won't continue to explain because I am too unoriented to do so; however, I will say that there are some infections that detect if there is a virtual machine or even something like Sandboxie running (I think). If so, some of them are coded to cause further damage, while others will cease to infect.

I would humbly opine that you could use Sandboxie, but do not rely on it too much. Additionally, you should have other security utilities and programs such as browser extensions (e.g. ad blockers, etc.,) anti-exploit programs, and even an AV or AM (or both,) and other programs.

Edited by Without_A_Monitor, 30 December 2015 - 11:42 PM.


#3 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 31 December 2015 - 07:21 AM

Sandboxing is a technique which creates an isolated operating/virtual environment in which applications can be run, tested or installed without permanently modifying the local drive. Sandboxes can be used for security and software development as well as for testing and debugging code.

A sandbox is a secluded environment on a computer, where you can run untested code or malware to study the results without having any ill effects on the rest of your software. A virtual machine is the most commonly used example of a sandbox, since it emulates a complete computer, called a guest operating system, on the main machine (called the host).

Sandbox Sensitivity

Sandboxing can also be used as a form of malware prevention, as described below by Virus Bulletin:

> A sandbox is a small, sealed-off version of an environment offering a minimal set of services, and is used as a test area. Actions carried out within the sandbox are safely contained within the area and cannot leak out to affect more important parts of a system. Sandboxing is used within security software to unpack compressed or encrypted files, or to analyse the behaviour of unknown items. Larger-scale sandboxing tools are available for improving the security of computing environments - for example, browser sandboxes seal web browsers off from the host system, preventing malware from damaging it.

Sandbox(ing)

For more specific information about how sandboxes work, please read A Taste of Computer Security: Sandboxing.

Sandboxie is one example of a sandboxing tool.
Getting Started: How to use Sandboxie <- the tutorial has 6 parts


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
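To make quietman7's description concrete (an environment in which a program runs "without permanently modifying the local drive", and which can simply be thrown away afterwards), here is an added example that is not from this thread and is not Sandboxie's code: a small Python model of the file-system redirection a browser sandbox performs. Every write or delete a "sandboxed" program attempts is diverted into an overlay directory, reads see the overlay first and fall back to the host, and discarding the overlay is the roll-back Jo* mentions later in the thread. The class name `OverlaySandbox`, the `.deleted` tombstone convention and the scenario in `demo()` are all constructed for illustration. Real sandboxes enforce this in the kernel or hypervisor; this user-space model shows the containment logic and has no security boundary of its own, which is exactly why the thread's point about escapes and VM detection still applies to the real thing.

```python
"""Copy-on-write file-system model of a browser sandbox (added example)."""
import shutil
import tempfile
from pathlib import Path


class OverlaySandbox:
    """Redirects writes/deletes for a host tree into an overlay directory.

    reads:   overlay copy if present, else the host original
    writes:  always land in the overlay; the host file is never touched
    deletes: recorded as a tombstone in the overlay (constructed convention)
    """

    TOMBSTONE = ".deleted"

    def __init__(self, host_root: str, overlay_root: str) -> None:
        self.host = Path(host_root)
        self.overlay = Path(overlay_root)
        self.overlay.mkdir(parents=True, exist_ok=True)

    @staticmethod
    def contains(rel: str) -> bool:
        """True if a relative path stays inside the sandboxed tree (no traversal)."""
        p = Path(rel)
        return not p.is_absolute() and ".." not in p.parts and str(p) not in ("", ".")

    def _check(self, rel: str) -> Path:
        if not self.contains(rel):
            raise ValueError(f"refusing path outside sandbox: {rel!r}")
        return Path(rel)

    def _tomb(self, p: Path) -> Path:
        return self.overlay / (p.as_posix() + self.TOMBSTONE)

    def read(self, rel: str) -> bytes:
        p = self._check(rel)
        if self._tomb(p).exists():          # deleted inside the sandbox
            raise FileNotFoundError(rel)
        shadow = self.overlay / p
        return shadow.read_bytes() if shadow.exists() else (self.host / p).read_bytes()

    def write(self, rel: str, data: bytes) -> None:
        p = self._check(rel)
        shadow = self.overlay / p
        shadow.parent.mkdir(parents=True, exist_ok=True)
        shadow.write_bytes(data)            # diverted: host copy stays intact
        if self._tomb(p).exists():
            self._tomb(p).unlink()

    def delete(self, rel: str) -> None:
        p = self._check(rel)
        shadow = self.overlay / p
        if shadow.exists():
            shadow.unlink()
        self._tomb(p).parent.mkdir(parents=True, exist_ok=True)
        self._tomb(p).touch()               # hide the host file from sandbox reads

    def changes(self) -> list:
        """What the sandboxed program did, as the host owner would review it."""
        out = []
        for f in self.overlay.rglob("*"):
            if f.is_file():
                rel = f.relative_to(self.overlay).as_posix()
                if rel.endswith(self.TOMBSTONE):
                    out.append("deleted: " + rel[: -len(self.TOMBSTONE)])
                else:
                    out.append("written: " + rel)
        return sorted(out)

    def discard(self) -> None:
        """Roll back: drop every change made inside the sandbox."""
        shutil.rmtree(self.overlay)
        self.overlay.mkdir()


def demo() -> dict:
    """Constructed scenario: a sandboxed program tampers with two host files
    and drops a third; the host is inspected before and after roll-back."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as overlay:
        (Path(host) / "notes.txt").write_bytes(b"original\n")
        (Path(host) / "config.ini").write_bytes(b"[app]\nsafe=1\n")
        sb = OverlaySandbox(host, overlay)

        sb.write("notes.txt", b"overwritten\n")        # attempted tampering
        sb.write("startup/payload.bin", b"\x4d\x5a")   # dropped file (constructed)
        sb.delete("config.ini")                        # attempted deletion
        try:
            sb.read("config.ini")
            config_gone = False
        except FileNotFoundError:
            config_gone = True

        result = {
            "sandbox_notes": sb.read("notes.txt"),
            "sandbox_config_deleted": config_gone,
            "changes": sb.changes(),
            "host_notes": (Path(host) / "notes.txt").read_bytes(),
            "host_files": sorted(p.name for p in Path(host).iterdir()),
        }
        sb.discard()                                   # roll back
        result["after_discard_notes"] = sb.read("notes.txt")
        result["after_discard_config"] = sb.read("config.ini")
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The `changes()` listing is the part a defender actually gains from a sandbox: a reviewable record of what the contained program tried to do. Note what the model does not give you, and what the rest of the thread is about: if the program finds a way to reach the host other than through the redirected file API (a vulnerability in the sandbox itself, or the shared network), the overlay never sees it.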

#4 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 31 December 2015 - 08:51 AM

> Is my assessment of Sandboxie vs. anti-malware/virus software correct, or am I overrating Sandboxie?


You are overrating it in my opinion, as you are comparing Sandboxie to Antivirus and Antimalware software. The three of them are different. Yes, it can be seen as a good practice to use Sandboxie when you browse the web, but this isn't bulletproof. There are exploits for Sandboxie which allow a process to escape the virtualized environment it created, and therefore access the host. I know someone who found two 0-days in Sandboxie just by messing around with it while being bored (both are patched now since he reported them). So you can be sure that if there are working 0-days for Sandboxie around, they are being used. I don't know if popular Exploit Kits like Angler, Nuclear, Rigs, etc. come with Sandboxie 0-days to escape it if they ever hit a web browser running in its environment, but it's a possibility. Also, a lot of malware have virtualization detection, which means that if they see that they run in a virtualized/isolated environment (such as a Virtual Machine or Sandboxie), they might not launch at all or act like a legitimate process to not raise suspicion. When this happens, you'll see the process as being normal, you might lower your guard and then run it directly on your host system, and then you'll be infected. These are the two major flaws I see with relying on Sandboxie to keep yourself secure.

On the other hand, if you use an Anti-Exploit (like Malwarebytes Anti-Exploit) when you browse the web, you'll stop the exploits before they even reach your system (if you rely on Sandboxie, they'll be dropped on the system and if they have a 0-day to escape its environment, you'll end up infected). An Antivirus (or Antimalware) could also block the page or request to a page where an Exploit Kit is located, or a page known to distribute malicious content. Sandboxie won't do that. In the end, if you really get infected, what will Sandboxie do about it? Nothing. This is when you'll want to have a good Antimalware installed to scan your system with, or it might even detect it in real-time if you have that feature.

I wrapped this up quickly, but to sum it up, yes it's a good idea to sandbox your web browser when you browse the web (some web browsers like Google Chrome have built-in sandboxing features, so it can be redundant), but you cannot rely only on it, nor can you compare this "protection setup" to using an Antivirus, Antimalware, Firewall, etc.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Sintharius (Bleepin' Sniper)

Posted 31 December 2015 - 10:32 AM

> For example, there are some AV and AM programs such as Emsisoft Anti-Malware and Hitman Pro that consist of a behavior blocker, which does not require definitions to block malware and even function at all.

Just to add, HitmanPro is pure scan and clean - it does not actually have real time protection at all.

#6 vrfunk (Topic Starter)

Posted 31 December 2015 - 10:35 AM

Thanks for the responses guys, that helps, because I always thought that sandboxing was "bulletproof".

 

With all of that said, though, out of curiosity and from a hypothetical perspective, let me ask you guys this. Would it be "bulletproof" to run another copy of Windows in VMware and then just browse from there to contain any threats/infections? Or are there 0-days/exploits for that as well? Would any infections spread to the main Windows OS from the virtual machine?



#7 Jo* (Malware Response Team)

Posted 31 December 2015 - 10:51 AM

> Thanks for the responses guys, that helps, because I always thought that sandboxing was "bulletproof".
>
> With all of that said, though, out of curiosity and from a hypothetical perspective, let me ask you guys this. Would it be "bulletproof" to run another copy of Windows in VMware and then just browse from there to contain any threats/infections? Or are there 0-days/exploits for that as well? Would any infections spread to the main Windows OS from the virtual machine?

The VM and the Real PC share the same network and router.
As you can send data from the VM to the Real PC and reverse - malware has the same options.

Edited by Jo*, 31 December 2015 - 10:52 AM.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 31 December 2015 - 11:01 AM

Nothing is bulletproof, however...

Four Easy Steps that will prevent malware infection:
1. Disconnect from all wired and wireless network connections (Ethernet, Bluetooth, Infrared, Router, Wifi, Cable Satellite, Modem)
2. Remove all CD/DVD-ROM/DVD-RAM drives (and floppy disk/zip drive if you still have one).
3. Carefully super glue or epoxy shut ALL other connectors, especially Firewire/USB ports and Ethernet cable port. Advanced users can use high grade solder instead.
4. Hide the computer in a safe place where no other users have access and it will not be prone to any dreaded dust bunny attacks.

Now you can relax, kick back and enjoy a cup of coffee knowing cyber criminals cannot access your computer or personal data. As the Great One would say..."How sweet it is."


Happy New Year.

#9 vrfunk (Topic Starter)

Posted 31 December 2015 - 11:18 AM

> Nothing is bulletproof, however...
>
> Four Easy Steps that will prevent malware infection:
> 1. Disconnect from all wired and wireless network connections (Ethernet, Bluetooth, Infrared, Router, Wifi, Cable Satellite, Modem)
> 2. Remove all CD/DVD-ROM/DVD-RAM drives (and floppy disk/zip drive if you still have one).
> 3. Carefully super glue or epoxy shut ALL other connectors, especially Firewire/USB ports and Ethernet cable port. Advanced users can use high grade solder instead.
> 4. Hide the computer in a safe place where no other users have access and it will not be prone to any dreaded dust bunny attacks.
>
> Now you can relax, kick back and enjoy a cup of coffee knowing cyber criminals cannot access your computer or personal data. As the Great One would say..."How sweet it is."
>
> Happy New Year.

 

Haha!

 

Happy New Year to you too!



#10 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 31 December 2015 - 11:21 AM

> Thanks for the responses guys, that helps, because I always thought that sandboxing was "bulletproof".
>
> With all of that said, though, out of curiosity and from a hypothetical perspective, let me ask you guys this. Would it be "bulletproof" to run another copy of Windows in VMware and then just browse from there to contain any threats/infections? Or are there 0-days/exploits for that as well? Would any infections spread to the main Windows OS from the virtual machine?
>
> The VM and the Real PC share the same network and router.
> As you can send data from the VM to the Real PC and reverse - malware has the same options.


On top of what Jo* already well explained, it's also possible for malware to escape or interact with the host system without using the network (like a vulnerability in the virtualization software). These are rare, but they exist.

Edit: Just came across this on another forum, I thought I would share it since I talked about it in my first post, important part being "it managed out of sandboxie".

Edited by Aura, 31 December 2015 - 11:26 AM.



#11 vrfunk (Topic Starter)

Posted 31 December 2015 - 11:44 AM

> Thanks for the responses guys, that helps, because I always thought that sandboxing was "bulletproof".
>
> With all of that said, though, out of curiosity and from a hypothetical perspective, let me ask you guys this. Would it be "bulletproof" to run another copy of Windows in VMware and then just browse from there to contain any threats/infections? Or are there 0-days/exploits for that as well? Would any infections spread to the main Windows OS from the virtual machine?
>
> The VM and the Real PC share the same network and router.
> As you can send data from the VM to the Real PC and reverse - malware has the same options.

> On top of what Jo* already well explained, it's also possible for malware to escape or interact with the host system without using the network (like a vulnerability in the virtualization software). These are rare, but they exist.
>
> Edit: Just came across this on another forum, I thought I would share it since I talked about it in my first post, important part being "it managed out of sandboxie".

Thanks for sharing.

 

Man, I don't know what to think anymore. I always thought Sandboxie made things safe. I mean, I always knew that if a super expert hacker wanted to target you specifically, he could get through Sandboxie + VM + whatever else no problem. But I didn't think that generic malware that is intended to mass infect can get through a VM + Sandboxie while browsing.

 

I mean, Jo* makes it sound like malware can go through a VM to the real PC like nothing. I wonder how much protection a VM really gives.



#12 Jo* (Malware Response Team)

Posted 31 December 2015 - 12:23 PM

> I mean, Jo* makes it sound like malware can go through a VM to the real PC like nothing. I wonder how much protection a VM really gives.

Not like nothing...
But the "bad" guys are excellent software developers like the "good" guys.

If you use a VM with good settings, it allows you to roll it back to an earlier saved basic version, if something goes wrong.
This is helpful for beta tests of software or something like that.

Edited by Jo*, 31 December 2015 - 12:24 PM.



#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 31 December 2015 - 03:15 PM

> ...But the "bad" guys are excellent software developers like the "good" guys...

How true, plus they are very innovative. There was a time when VMs were reliable for malware testing purposes, but nowadays not all malware will work in that environment, by intention. Malware writers have been able to create malicious files which can detect if they are running in a VM. When detected as such, the malware is able to change its behavior by not running any malicious code which can infect the operating system. This is a deliberate technique to make analysis/detection more difficult for security researchers who use VMs to study infections in order to understand the attack methodology used and develop disinfection solutions. So just because you test a program in a VM and it does not behave maliciously...that does not necessarily mean it is not malicious.

#14 vrfunk (Topic Starter)

Posted 31 December 2015 - 03:31 PM

In that second article that you posted, it says "malware authors what to compromise as many systems as possible". Why don't they just write code that does what Jo* said. Send the malware data from the VM to the real PC?


Edited by vrfunk, 31 December 2015 - 03:32 PM.


#15 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 31 December 2015 - 03:38 PM

There are many different reasons for malware writers to do what they do. They come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Most malware writers and cyber-criminals today treat it as a business venture for financial gain while "script kiddies" typically do it for the thrill and boosting a reputation as being a hacker among their peers. Others create malware for nefarious and destructive purposes. Below are a few articles which attempt to explain who these individuals are and why they do what they do.