Domain: sandboxie.com
Stories and comments across the archive that link to sandboxie.com.
Comments · 79
-
Re:Yes
Have you any thoughts on Sandboxie?
-
Re:It's because 90% of security warnings are rubbi
I use Sandboxie a lot for software evaluation purposes. However, when I right click an executable and want to choose "Run Sandboxed" that entry is right next to the "Run as Administrator" menu item. Late at night it's easy to click the wrong one, with potentially disastrous* consequences! The UAC prompt saved me a couple of times.
Easy solution: Set windows to run everything as administrator. Then the incorrect menu item will not appear.
-
Re:It's because 90% of security warnings are rubbi
I use Sandboxie a lot for software evaluation purposes. However, when I right click an executable and want to choose "Run Sandboxed" that entry is right next to the "Run as Administrator" menu item. Late at night it's easy to click the wrong one, with potentially disastrous* consequences! The UAC prompt saved me a couple of times.
Since then I've found moving to virtual machines with snapshots has been an easier and safer way for testing unknown software.
*Time vs time. Everything is backed up and best practices are always followed. But it's always a question of how much time is available to recover.
-
Re:Incognito mode
Sandbox your browser, use a VPN. I use Sandboxie (free for home use); it wipes any and all traces of browser activity when you close the browser.
-
Interesting, but...
... I'd actually rather see Docker in the user space for Windows. There are zillions of Windows applications that would benefit from Docker-isation - being able to download things off the Internet and more safely run them is something I've wanted for ages.
There are various application sandbox things for Windows (e.g., Sandboxie) but I haven't seen anything open source that is as reliable and commonly used as Docker seems to be.
I think it'd be OK on the server side as well, but I'd love to be able to download nice jailed Docker versions of most Windows apps so I can run them without having to worry too much about what they're doing in my userspace.
-
Re:Windows 7
Let's analyze these "reasons"...
* virtual desktops -- Virtual Desktops are hidden in Win7
... gee, let's copy OSX which has had it for *years*
* a rumored tabs in explorer -- xplorer2 has supported this for years
* kernel level sandboxing that all browsers can use -- Sandboxie does it for ALL applications
* much improved power consumption -- we are talking pennies a month on a desktop .. big whoop
* directx 12 with low cpu overhead -- not a fan of forced obsolescence. Games _still_ support DX9 for crying out loud. We already went through this shit with Vista and DirectX 11.
* USB 3 support -- with what devices??
So basically $100 for features that MS should have done **years** ago that I can get elsewhere. *Yawn*.
-
The largest security difference in newer windows
Is the fact that the users run in limited accounts by default.
If you set up a limited user in XP and use the "runas" context menu, or command line utility to escalate privileges you get the vast majority of the "security" improvement in vista and newer.
That is because now an application not only has to exploit your browser/whatever to gain control of the machine, it has to exploit the kernel to get outside of the limited user sandbox. Further using something like sandboxie further lessens the likelihood of that.
Once you have a few levels of protection like this (javascript blocks, flash blocks, browser sandbox, limited user, etc) then it becomes pretty unlikely that any given piece of malware actually gets through all the layers.
(posted from an XP machine!)
-
Jailed native apps
So, they think that it's a good idea to go back to the days where every application had to be downloaded and given free rein to access every document on your computer?
Of course they don't. That's what Sandboxie, FreeBSD jails, a dedicated user account for each application publisher (Android's approach), and other container technologies are for.
-
Re:Waste of Time
The problem is, a lot (if not most) keygens are wrapped in ways that make it impossible to tell. After all, a wrapped keygen is a trojan, and it's so easy to do tons of things that no anti-malware can detect them all because it's so easy to do. All the trojan has to do is spawn a downloader process, then launch the real keygen, and you're none the wiser.
There's nothing any anti-malware can do about it - there's no way to tell if it's a clean keygen or a wrapped one. Heck, many of them are also packed EXEs just like the keygens themselves.
And yes, trojans are impossible to scan - your malware scanner might detect when the wrapped keygen actually downloads a known piece of malware, but that downloader will quietly run in the background until someone actually analyzes it.
Sandboxie is your friend. :)
-
Re:Best way to force an upgrade
I think what you're looking for is sandboxie.
It's sort of like solaris containers, AIX's WPARS or LXC.
Others listed here: http://en.wikipedia.org/wiki/Operating_system-level_virtualization
The problem with these solutions is that when you want to actually share data (think clipboards, or word documents) you have to poke huge holes in the security model to get them in/out of the container. That is the fundamental issue with windows, either you allow applications the ability to extend the environment (think adding thumbnail viewers for proprietary image formats), share data, or even do some level of application embedding/etc it becomes very difficult to secure that environment from a rogue application.
-
Re:"frozen" configurations
I'll second this. Another similar option is Sandboxie. It sandboxes the browser, preventing any exploits from escaping into the rest of the system. Also, make sure they are using Chrome or Firefox. And finally, ad-blocking software makes a huge difference.
-
Re:Companies think they own my machine
What you're looking for is software virtualization/sandboxing. Install it using one of these, and when you need to use the app turn it "on", then off when done. Prevents cruft and all the other issues you're complaining about. Trust me, same issues here.
I just went looking, and there are several options these days - when Windows 7 came out, I lost the ability to use my favorite (Altiris). Fortunately, it appears to be fixed and working with 7.
http://www.symantec.com/workspace-virtualization (click Trialware then download - the "Symantec Workplace Virtualization" used to be Altiris. Home license is free)
http://www.cameyo.com/ (free)
http://www.sandboxie.com/ (cheap)
-
Re:Companies think they own my machine
Have you tried out Sandboxie? It does pretty much what you're describing.
-
Re:Missing Piece from Test
... I've found regardless of what they have had installed they invariably get infected, may as well go with the AV system that doesn't choke the system to death nor constantly shove itself in your face while you're trying to get work done.
Exactly! This is precisely my thinking. And it's also what I tell my clients. I use MSE on all my (four and counting) systems, and I strip off whatever "choke-ware" my clients are running and install it for them.
Plus, I also strongly recommend Sandboxie, which is free for non-commercial use, and if they agree, I provide a prominent icon which runs the browser inside a sandbox, for those times when curiosity gets the better of them.
My own machines have been kept safe by using this approach more than once from stuff my teenaged kids clicked on, where Sandboxie prevented something bad from actually installing itself (after which I deleted the sandbox contents and it was as if nothing had ever happened). More than worth the annoyance of the occasional 5 second pop up reminder from Sandboxie when it starts, once the initial 30 days has elapsed.
For trusted browsing, I just use the unsandboxed browser.
My own machines have never actually been infected since I started doing this (five or six years now), and only once or twice have I been called out to clean a client's machine set up in this manner. Invariably, the client chose NOT to run the sandboxed browser when they knew they should have.
In any case, it's far easier to recover a system running MSE than one with a "choke-ware" which has detected but is unable to remove some malware.
Also, clients appear to appreciate the complete LACK of scare-ware pop up warnings every year or so, or whenever it's coming up on renewal time.
-
Not entirely TRUE about Windows
"Both operating systems run apps in a sandbox, unlike desktop operating systems like Linux or Windows" - by IamTheRealMike (537420) on Friday June 01, @07:32AM (#40178299)
You have measures of sandboxing you can implement in Windows natively!
1st:
Via taskmgr.exe, right-click & enable UAC Virtualization - this functions by app selected, & isolates registry access to a SINGLE user profile! This isn't what I call "true FULL sandboxing" though... admittedly.
(That way, should the user compromise their machine with a malware? It won't infect/infest OTHER user profiles too)...
OR
2nd: Via 3rd party apps, like SandBoxie -> http://www.sandboxie.com/
(Which does an even bigger/better job, via a custom driver which imo is a FILTERING one & thus, it protects the user via "truer" sandboxing effects, by not only isolating registry writes for the app, but creating a "fake registry" + filesystem layout too (etc./et al)).
* Admittedly here though? I'm no "sandboxing expert", but those are some options you have as a Windows user to achieve sandboxing is all... to one degree or another, natively (UAC Virtualization) OR by using 3rd party tools/freeware like SandBoxie.
APK
P.S.=> Linux most likely has sandboxing tools like SandBoxie, but I'm NOT familiar with them (other than things like chroot jails, which SORT of function that way in effect also, but have been KNOWN to have been "jail-broken" before too)... apk
-
Re:Sign into my what?
If you're unlucky enough to be using MSFT Windows you can use a great little program called Sandboxie.
Run the browser without the sandbox to update, freshen AdBlock filters and set a few NoScript permissions, then back into the sandbox so nothing else is permanent.
Even safe enough to let your SO use after you've cleared the history!
The sandbox doesn't just run your browser, you can run keygens and other potential threats in there safe in the knowledge that 3 clicks will remove any malware that came with it. Great for testing whether an install is full of crapware.
-
Re:Half Way There
If you use Windows give Sandboxie a look over.
When a file is downloaded you can recover to the directory the browser specifies or choose another location. Leaving it inside the sandbox and running it there (keygen, trial install) gives you the opportunity to remove the whole install if it contains malware, foistware or other crap you don't want.
-
Re:OS design fail
Try Sandboxie. I've had good success with running apps and games in a sandbox with it. The only thing it lacks (although it's better security wise) is being able to pipe files between the boxes so you'll have to install programs multiple times if it's needed in more than one box (think PDF reader, zip stuff, etc.).
Thanks for the link. You can probably tell I don't use Windows myself and haven't for some time now (back in the day I used to dual-boot with Win98 until months went by without ever using the Windows system, so I reformatted it ext2 because ext3 didn't exist at the time). So, I'm not terribly informed about specific software available for that platform.
Still, am I the only one who thinks it's terrible, borderline irresponsible that Windows doesn't come with something like this out of the box? Configured to work with major browsers and other widely-used programs? I mean compared to writing the OS, how much more effort would that have taken on the part of Microsoft? In this age of widespread malware? It's a shame that Microsoft Security Essentials doesn't provide something like this that can recognize common programs and correctly sandbox them. At least for software that is also written by Microsoft like Office.
-
Re:OS design fail
Try Sandboxie.
I've had good success with running apps and games in a sandbox with it. The only thing it lacks (although it's better security wise) is being able to pipe files between the boxes so you'll have to install programs multiple times if it's needed in more than one box (think PDF reader, zip stuff, etc.).
-
Re:The haters never get tired.
I WISH I could containerize and sandbox the apps I deployed to my windows users at work.
-
Re:More work for plugin developers
You don't even need an entire virtual machine, just run the browser in a sandbox like Sandboxie. It grabs any file changes and writes them to a locked down folder instead of the system folder or registry the browser thinks it is writing to. The OP stated he was only using Firefox for the Firebug plug-in, and used Opera for general browsing. If you limit use and run in a sandbox environment, you can stick with whatever version you like indefinitely. Happens in the real world time to time, and probably more than you would think. When you buy a several thousand dollar license for software that only runs on a certain platform, you end up having to do things like this occasionally because it is the only affordable solution.
-
Re:TFA?
I use a program called Sandboxie that works quite well in doing sandboxed IPC (along with file and registry operations) in any app, so it's definitely possible with third party apps, but it's nice to see that sandboxing is finally natively built into the browsers themselves.
-
Re:Great Idea: Will it work?
You can just use Sandboxie; it'll do that for pretty much any program you wish.
-
For Windows & *NIX variants? You can...
For Windows, you can use a FREE program called "SandBoxie" (and it's NOT just for webbrowsers, it can sandbox any Ring3/RPL3/UserMode app) http://www.sandboxie.com/index.php?DownloadSandboxie , and on *NIX's you can use chroot (of course) & create a chroot jail.
APK
-
Re:Don't care...
Or you could just...this is a thought, just throwing it out there...use Foxit with SandboxIE and call it a day. Or if you would prefer even more protection run Comodo AV or Internet Security and have EVERYTHING sandboxed. And that is of course if you are running on an older Windows, as Vista and 7 already do file and registry virtualization.
It really isn't hard to isolate programs anymore, or set up a machine so all but the most determined idiots can't hose it. I have my customers as well as my family on a combo of Comodo+Firefox with ABP+Foxit and frankly I can't remember the last time I had to clean a bug from one of those machines. Short of them ignoring the AV and saying "Yes, I'd like a bug, please install it!" they really have nothing to worry about. Just have everything set to autoupdate, along with an easy to setup program like Winutilities Free to automate registry and broken shortcut cleaning and defragging and the machine is as close to an appliance as one can get. It takes me less than a half hour and then I don't have to mess with it ever again.
So banning flash really is a case of chopping off your head to get rid of a headache. The users will scream bloody murder when their Farmville and videos don't work, and frankly it is unnecessary. You can even set up Filehippo update checker so all their third party programs are updated regularly as well. It really ain't hard AC.
-
Use Sandboxie to Virtualize Browser in Windows
I am not much of a Windows user, but for all of my friends, family, and colleagues that do run Windows, I install Sandboxie on their machines. SandBoxie allows their E-mail clients and Web Browsers to run within Virtual Machines that prevent direct disk access:
http://www.sandboxie.com/
In addition, I also recommend installing FireFox with NoScript, AdBlock Plus, and Certificate Patrol addons on all platforms (Windows, MacOSX, Linux, *BSD, etc.) in order to minimize attack and spoofing vectors, which are typically JavaScript & Flash based.
Using SandBoxie, Firefox, and the above mentioned addons seems to be just as good, if not a better solution, than the tool mentioned in the article. And they are all available now for free!
-
Re:how about just flipping the damn default?
Drive by downloads are definitely real. I've had them. The only reason why I didn't get infected was that I was running the browser in sandbox with an antivirus program which blocked it before the file was run. All I had to do was click a link to an infected site.
-
Re:Shenanigans!
I'm trying to establish why this is better than a sandbox. I suppose this is an onion thing and really intended to go side by side with something like Sandboxie
-
Re:Not hard to beat at first glance.
Actually it doesn't perfectly support 64 bit, but it will run and probably do a good enough job. You might also want to try Shadow Defender. It has fully supported 64 bit for a long time. It is paid software, but I think there are some free versions floating around if you have a parrot on your shoulder.
-
Re:IE 9 won't share WSH's JS interpreter
And topping that off I use Sandboxie with Firefox on the Windows machines.
-
Re:You need all of your files on a ramdisk
Try Sandboxie
-
Let's hope..
One can always hope that with half of Windows 7 installations being 64 bit, malicious software readily bypassing the protection will force Microsoft to finally implement a sufficient API for sandboxing.
-
Re:iPhone has local security too
Seriously, this is the next wave of OS protections from malware - where are the people working on this?
Over here - http://www.sandboxie.com/
Don't let the lacking site mislead you, it can sandbox any binary I've tried - not just browsers.
-
Re:Adblockers anyone
One might want to also consider walling the browser with some form of sandbox, such as sandboxie.
-
Re:The real defense line
Until that happens, check out Sandboxie. Sandboxie is a fantastic piece of software that I've been using for years on my browser (and more importantly at home, my wife's and son's). It is largely transparent, and regularly updated. And, it works with any software, not just the browser.
-
This just in
German government warns against use of the internet and software that has bugs.
Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?
-
Re:Why there is no virtual IE6 in sandboxes?
Does it have to be virtual? If you just want to sandbox IE why not just use Sandboxie?
-
Re:IE8 has the flaw but is immune...
The only solution from a security and user standpoint is to sandbox all programs you think need it. I suggest using the Windows program Sandboxie, unless someone can offer a better method that is OSS for the MS Win platform.
-
WRONG again on your part (10 points vs. your 1)
"Firefox doesn't need access to system files, it can be Sandboxed for safety. Your "server" can't." - by icebraining (1313345) on Saturday January 16, @09:19AM (#30790088)
Ever heard of "Sandboxie" -> http://www.sandboxie.com/
?
(It can EFFECTIVELY "sandbox" ANY application in Win32 (as it's more-or-less a CHROOT JAIL for Win32, albeit in GUI form & easy to use, on ANY app))...
Heck, that's a GOOD IDEA actually, & one I could do myself for this app, should I elect to include an updater in it for users, so they could "automagically" update their HOSTS files (since mine is updated, nearly daily, in fact).
I.E.-> I could even IMPLEMENT something like it easily too (thanks for the idea) by using a FILTERING DRIVER to do so (which is pretty much what SANDBOXIE actually does)...
HOWEVER, again - I don't have to build in that feature into my app either.
I can just let folks obtain it on a website (like when GOOGLE DOCS finalizes) easily, or just use the HOSTS files which are reputable & kept up regularly like mvps.org or the ones on WIKIPEDIA I noted (& for upkeep, use sites like Dancho Danchev of ZDNet & other I noted, or just use Spybot S&D to keep your HOSTS "up to date" etc. et al).
Too easy!
----
"Then you don't block the damn banner." - by icebraining (1313345) on Saturday January 16, @09:19AM (#30790088)
No, you don't, for THAT site (question is though, HOW MANY SITES HOST THEIR OWN BANNERS? Not many... most are served up by adbanner hosting servers, period)...
----
"Show me how you can block a banner and still access the rest of the content from the same domain, using the Hosts file." - by icebraining (1313345) on Saturday January 16, @09:19AM (#30790088)
How many sites HOST their own ad banners? NOT MANY (fact is, the majority don't)... & I only showed you a way to TEMPORARILY & EASILY + QUICKLY "deactivate" the HOSTS file so you can see sites of that RARE nature (super rare too, mind you, & certainly NOT the majority).
So, you feel you have "this 1 last leg to stand on" after I knocked ALL of your others down quickly... can you disprove THESE 10 points in favor of HOSTS files vs. ADBLOCK?
Answer = NOT SO FAR YOU HAVEN'T... see my p.s. below again, for your reference, & "good luck" (you'll NEED it)
APK
P.S.=> 10 POINTS IN FAVOR OF HOSTS FILES vs. ADBLOCK:
1.) HOSTS files eat no CPU cycles like browser addons do no less!
2.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://en.wikipedia.org/wiki/Hosts_file [wikipedia.org] ) & edited too.
3.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers.
4.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE
5.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's eve
6.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).
7.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).
8.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR.
9.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to site
-
Re:And the year of..
Chrome uses a sandbox model, and it seems to do OK. Programs running in Sandboxie seem to run pretty quick too. Is it possible not all sandbox apps are created equal?
I'll also note that IE8 has more security than IE7, and yet curiously runs much faster than its predecessor. Seems like security vs speed is a false dichotomy.
-
Ever heard of an app called "SandBoxie"?
Per my subject-line above?
Now, from what I understand as to EXACTLY what it does & how it works? Well, what it does, is use a FILTERING DRIVER to "intercept" interrupts that send calls to the OS & filesystem to do writes to your local Hard Disk Drives, creating a 'virtual HDD' (really a set of folders, wherever YOU choose to place them also, mind you)
For that?? Well - I use a solid-state drive called a GIGABYTE IRAM to do this, less latency this way (because unfortunately, this DOES add somewhat of a speed-hit to things if you use a std. mechanical HDD, even IF it's say, a 10,000rpm 16mb buffered WD Velociraptor)
That's "sandboxing", in a nutshell, WITHOUT the use of a VM...
(Folks MOSTLY tend to use it for internet surfing with a LOT more safety, & today/nowadays what with javascript exploits & such being foisted on us potentially @ least? Makes sense... but, it's NOT just restricted to webbrowsers either, so you all know this "up front", and, it works pretty well!)
APK
P.S.=> I suppose that *NIX folks MIGHT call it analogous to a chroot jail, but... well, there you are: Basically a GUI model of chroot, albeit for Windows rigs! apk
-
Re:Never did understand...
Freedom. In 32-bit versions of Windows, if you want to do something that requires kernel-mode programming, you can write your own drivers. In 64-bit versions, you have to pay Microsoft to get their approval for your driver, or else it will only load if you boot Windows in a test mode where multimedia functionality is crippled.
Fuck that totalitarian bullshit. 32-bit forever.
(And yes, there are legitimate uses for writing drivers even though you're not a hardware maker. Some examples: Process Explorer, Process Monitor, Sandboxie, VDK...)
-
Re:No problem
If you live in a sandbox, you can't bitch about not having functionality.
I've used SandboxIE to surf pr0n virus free for almost two years. I will continue to do so, it's only a matter of time until FF & IE private modes get gamed.
I do run NoScript when not sandboxed.
-
Re:Isolate!
I'm not saying that MS shouldn't have in the first place but sandboxie does exist and does a pretty good job I think.
http://www.sandboxie.com/
(I just use it when I have no choice but to use exploder)
-
Re:better workaround
Is it really that hard to create new x64 versions of programs with such functions?
I'd love to use it, but I can't as I'm running on Vista 64. So I'm stuck to running a whole VM to act as a sandbox.
-
Re:better workaround
Supplemental: http://noscript.net/ and http://www.sandboxie.com/
-
Ever tried "SandBoxie"? It's free, & works...
"I don't care how fast it loads webpages. What I want to see is a browser that isn't riddled with bugs and easy ways for badware to end up infecting my machine. I'll gladly surf on the slowest browser in the world if it really is proven to be the most secure. So what if I save a few seconds surfing web pages. That is nothing compared to the hours spent trying to get rid of a virus/trojan/keylogger/etc." - by cyberjock1980 (1131059) on Wednesday July 01, @03:14PM (#28547409)
A lot of these folks are stating to try running a webbrowser inside of a virtual machine, which does have some merit, especially considering that it tends to "shield" the rest of your system from anything that MIGHT "come thru the browser window" into your system, via say, a malware scripted page or bad adbanner... but, want to know what does pretty much the SAME thing, & without ALL of the overheads of a Virtual Machine environs? Yes, per my subject-line, you might want to look @ SANDBOXIE:
----
SANDBOXIE:
http://www.sandboxie.com/index.php?DownloadSandboxie
----
It's free, & works in the capacity you ask for, on Windows...
The ONLY thing I have noted that is a "downside" of its usage, is that it is slower on std. mechanical HDDs than it is on my SSD here!
(That is the way I "offset its slowness" here @ least, & you might also, albeit in YOUR case, possibly via a software emulation (software ramdisks) if you wish, which would be almost like what I use to increase its speed, via a CENATEK "RocketDrive" TRUE SSD (not based on FLASH ram, which is slower on writes))...
However, since you declared that you didn't care how fast a page loads & what-not, and that you were MORE concerned with security... this fits the bill.
APK
P.S.=> What it does is pretty clever: It literally uses a driver to intercept calls to apps that run under its protection, & creates a "fake/sandboxed" set of subfolders (which you can control the location of, hence, how I get it to operate as if it is on C: drive, albeit here on a SSD, so it is faster) where you tell it to that make the webbrowser (OR, really ANY application, you'll see once you use it) THINK that the area you set it to run SandBoxed apps on IS in fact, your C: drive... &, it works, for exactly what you are looking for, & without all the overheads &/or complications of setting up a TOTAL VM environs too... apk
-
Re:Alternate summary
or in my case, thank you Sandboxie
-
Sandbox it with Sandboxie
This is similar to the linux and virtual machine suggestions from above. Go here to download it. Once downloaded and installed, run their stupid little application in sandboxie and it will no longer be able to scan your machine. You can even specify which files/folders it has access to and if it has internet access, etc. I believe that will solve your problem with minimal hassle.
-
Re:I know you slashdotters hate to hear it