Browser Security / Financial Malware test

Postby Ruhe » Thu Apr 15, 2010 11:26 am

http://malwareresearchgroup.com/?p=1517

This test includes Sandboxie and will start on 15 April.
Ruhe
 
Posts: 803
Joined: Thu Jul 03, 2008 1:56 pm
Location: Germany

Postby H3* » Wed Apr 28, 2010 11:22 am

Those tests with Sandboxie in standard mode (install and forget) will put the red cross on Sandboxie until we are all dead and the earth doesn't exist anymore, so what's the point if that's the way the test is done? :shock: :wink:
H3*
 

Postby H3* » Wed Apr 28, 2010 1:36 pm

A link to the PDF with the results and other info.

http://malwareresearchgroup.com/wp-cont ... oject2.pdf

The Comodo team cheated and have too much upset in their heads, so they won't be included in the game.

from forum:

Question:

You kind of explained why Comodo disappeared from the test but why did they disappear from the poll on the home page? Could you also explain the "technical issue"?

answer:

Well, the technical issue means that the Comodo team was not willing to accept the fact that their product gave no clear warning which would suggest blocking the threat. We didn't want to give them a pass and we decided to exclude them from the test as their behavior was going in the wrong direction.

There is also a Copyright issue involved as Comodo used our tool without permission.

One of the Comodo team representatives made some very hurtful and unprofessional remarks; until we get an official apology, Comodo will be excluded from all tests.

Regards,
Sveta
H3*
 

Postby tzuk » Wed Apr 28, 2010 1:46 pm

I was kindly contacted by the person running this test, who informed me they had found that Sandboxie failed the test.

I explained that the concept of Sandboxie is that it doesn't try to detect threats, but rather it contains the threats in the sandbox, making it possible to get rid of any threats very easily, by simply deleting the sandbox, before one proceeds to do a sensitive activity like logging on to your bank.

I asked them to run a second test for Sandboxie, one where they use "delete sandbox" to show that Sandboxie does pass the test, when it is used properly. Regretfully, the testers did not care to use the "delete sandbox" function when testing Sandboxie.
tzuk
tzuk
Site Admin
 
Posts: 16076
Joined: Tue Jun 22, 2004 5:57 pm

Postby H3* » Wed Apr 28, 2010 2:05 pm

That's good, but if we tweak our settings they won't even be able to test their tools, so the test of Sandboxie seems somewhat unnecessary, unless there was some way they "broke out" of Sandboxie? Anyway, that test seems more like a check of HIPS and firewalls.
H3*
 

Postby ssj100 » Wed Apr 28, 2010 8:37 pm

tzuk wrote: I asked them to run a second test for Sandboxie, one where they use "delete sandbox" to show that Sandboxie does pass the test, when it is used properly. Regretfully, the testers did not care to use the "delete sandbox" function when testing Sandboxie.


I guess that wasn't the point of their test. The key point of their test was to see if Sandboxie (and other programs) can block malicious logging at any instance of a browser session, in default configuration.

Of course, Sandboxie would "fail" this test. It's like trying to test if your Antivirus can block specific incoming port connections (that is, act like a firewall, when it clearly isn't one).

In any case, this test does remind users that Sandboxie does not block/detect logging in default configuration. And in fact, there is no specific anti-logging mechanism in Sandboxie even when configured "tightly". This is nothing new.

Anyway, some further thoughts here:
http://ssj100.fullsubject.com/security- ... 43.htm#183
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
 
Posts: 873
Joined: Thu Apr 23, 2009 6:21 am

Postby Buster » Wed Apr 28, 2010 9:53 pm

I think it would be more like testing an antivirus and checking if, with one-year-old detection databases, it can detect a 0-day malware.
Buster
 
Posts: 2395
Joined: Mon Aug 06, 2007 7:38 pm

Postby H3* » Wed Apr 28, 2010 11:33 pm

I don't really know what to say. As said in the test info, they should run those tests over and over again until the owners of the tested applications fix them in order to get through the test? OK... but this test with Sandboxie is really stupid, and I thought you, ssj100, who use Sandboxie and know how it does the job, could see my point. Hell, test it with an easy setup, e.g. only your browser can run, and it's game over! This isn't a HIPS or behaviour blocker program in those terms, even if you can tweak it very hard. Its purpose is to not let crap go outside its own box/es, and the later coded tweaks to make Sandboxie safer than it was from the beginning really deserve a thumbs up.

BUT this test means that tzuk should rebuild Sandboxie just to fit their test, because they refuse to tweak Sandboxie to get a proper result that really would be over before they even got started? AND you also say "Of course, Sandboxie would "fail" this test", then why do the test? :)

There are people that cheat to get a proper result but fail even after that. Oh man, what a shame.

Please don't answer that the noobs don't know how to tweak it; that tells me you think they are all stupid. I didn't know how to use Sandboxie either when I started to use it, but hey, I read up on it, and as with all applications I test, the first thing I do is look for some options to see what I can poke around with. That includes many of the tested applications.

peace :)
H3*
 

Postby ssj100 » Thu Apr 29, 2010 2:58 am

I found that post fairly difficult to read, but you appear to be addressing me at least twice, so I thought I'd reply haha. In general, I completely agree with you, and I just want to clarify some of my points:

ssj100 wrote: The key point of their test was to see if Sandboxie (and other programs) can block malicious logging at any instance of a browser session, in default configuration.


As you've noted, Sandboxie could be (and should be) configured to have start/run/internet access restrictions in place for every browser that is used (and thus be used out of default configuration). Sandboxie would then "pass" the test, since the testing program wouldn't even be able to be executed. However, many would argue that this isn't really "passing" the test at all - they would instead comment that Sandboxie is "not taking part in the test, as the malware/POC wasn't even executed". However, the main point of using Sandboxie is to prevent changes to your REAL system. So a user who does "dodgy" browsing on the "dark" side of the internet can be reassured that all malicious activity and content is discarded when the sandbox is deleted. You could argue (and have a very strong case) that the testers at MRG did not understand this (initially) when they included Sandboxie in their test.

ssj100 wrote: Of course, Sandboxie would "fail" this test. It's like trying to test if your Antivirus can block specific incoming port connections (that is, act like a firewall, when it clearly isn't one).


Going along the same point, (you can argue that) the testers at MRG did not understand how Sandboxie works by including it in their particular testing methodology. In default configuration and with no implementation of a security approach (e.g. emptying the sandbox before doing any sensitive browsing), they are testing Sandboxie outside its scope of protection. It's like testing whether or not your freezer will boil an egg - it clearly isn't going to do this and would fail miserably if you tried.

ssj100 wrote: In any case, this test does remind users that Sandboxie does not block/detect logging in default configuration. And in fact, there is no specific anti-logging mechanism in Sandboxie even when configured "tightly". This is nothing new.


Indeed, as stated before, configuring Sandboxie to deny initial execution of "everything else" will "pass" the test. However, this isn't because Sandboxie has specifically blocked/intercepted the malicious logger from monitoring your keystrokes etc. and blocked/intercepted it calling out. It's simply because Sandboxie hasn't even allowed the test to run (denied initial execution). And that, my friends, is (arguably) the most powerful method (in combination with containment and a good security approach) to always keep your computer "100%" clean.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
 
Posts: 873
Joined: Thu Apr 23, 2009 6:21 am

Postby H3* » Thu Apr 29, 2010 3:14 am

Thank you for the answer. Yes, my English sucks, but you took your time to read it and it looks like you solved it :D

Same thing about Sandboxie: Sandboxie should have lost that battle forever in that test when they ran it without restrictions.

Old lurker signing out ;)
H3*
 

Postby Lumberjack » Tue Dec 06, 2011 1:10 pm

ssj100 wrote:
tzuk wrote: I asked them to run a second test for Sandboxie, one where they use "delete sandbox" to show that Sandboxie does pass the test, when it is used properly. Regretfully, the testers did not care to use the "delete sandbox" function when testing Sandboxie.


I guess that wasn't the point of their test. The key point of their test was to see if Sandboxie (and other programs) can block malicious logging at any instance of a browser session, in default configuration.

Of course, Sandboxie would "fail" this test. It's like trying to test if your Antivirus can block specific incoming port connections (that is, act like a firewall, when it clearly isn't one).

In any case, this test does remind users that Sandboxie does not block/detect logging in default configuration. And in fact, there is no specific anti-logging mechanism in Sandboxie even when configured "tightly". This is nothing new.

Anyway, some further thoughts here:
http://ssj100.fullsubject.com/security- ... 43.htm#183


Question: Would this tight configuration of Sandboxie be able to block the installation of any malware on my computer?
By tight configuration I mean maximum possible protection, including blocking internet access to any malware, as well as blocking start/run of any malware.
Would malware still install on my computer?
If yes, what additional protection should I have with Sandboxie?

Have you ever tried to put SBIE's maximum protection against installation of malware from the Malware Domain List and all other websites, just to test SBIE 3.62 in VirtualBox and see if it will protect from any kind of malware?
I'm still suspicious whether SBIE can be that safe with its maximum protection. But so far I have never seen anyone confirming that SBIE was penetrated in that way.
A good comparison would also be how good DefenseWall is compared to SBIE when both are configured for maximum protection.
I know I'm boring, but I just need to know if I need to combine SBIE (even though it's in a tight configuration with maximum protection) with something else (an antivirus, for example).
Thank you for your time and patience.
Lumberjack
 
Posts: 83
Joined: Fri Nov 25, 2011 6:37 am

Postby D1G1T@L » Tue Dec 06, 2011 6:30 pm

Lumberjack wrote:
Question: Would this tight configuration of Sandboxie be able to block the installation of any malware on my computer?
By tight configuration I mean maximum possible protection, including blocking internet access to any malware, as well as blocking start/run of any malware.
Would malware still install on my computer?
If yes, what additional protection should I have with Sandboxie?

Have you ever tried to put SBIE's maximum protection against installation of malware from the Malware Domain List and all other websites, just to test SBIE 3.62 in VirtualBox and see if it will protect from any kind of malware?
I'm still suspicious whether SBIE can be that safe with its maximum protection. But so far I have never seen anyone confirming that SBIE was penetrated in that way.
A good comparison would also be how good DefenseWall is compared to SBIE when both are configured for maximum protection.
I know I'm boring, but I just need to know if I need to combine SBIE (even though it's in a tight configuration with maximum protection) with something else (an antivirus, for example).
Thank you for your time and patience.


You don't really need to worry about malware installing inside the sandbox. It's gone with deletion. A super paranoid setup would include a sandbox created with read-only access to C:\ -- this makes sense if you'll only be browsing and not downloading anything. It ensures that nothing can be written to your HDD in the first place, let alone be able to execute.

As for testing Sbie, it's been pitted against a lot of samples over the years. Buster has run tens of thousands of malware samples without a single bypass. Another user, Franklin (God bless his soul), has pitted Sandboxie against GIGABYTES of malware; if you consider that viruses are usually a few kilobytes large, then you can imagine how many samples it takes to amount to gigs. Oh, and there were no bypasses in this case either. So if this isn't enough proof, I don't know what is :shock: :)

Unlike DefenseWall, Sandboxie keeps the virus in one area for easy cleanup - that means no debris left on your system even if the virus is in a deactivated state. Also consider that there were instances in the past when DefenseWall erroneously labelled downloaded files as trusted processes when they should have been untrusted until their permissions were explicitly changed by the user.

I don't run AV in real time: (a) there is no point, as I just scan whatever I'm keeping before recovery; (b) using Sandboxie has freed up resources that are put to better use. It entitles me to use more resources on my PC.

I have never seen/heard of a restricted sandbox failing anyone, so rest assured and enjoy the internet.
One Program to rule them all, One Program to confine them, One Program to wrest them all and in the sandbox bind them.
D1G1T@L
 
Posts: 577
Joined: Mon Apr 18, 2011 12:40 am
Location: DefaultBox

Postby Lumberjack » Wed Dec 07, 2011 8:59 am

D1G1T@L wrote:
Lumberjack wrote:
Question: Would this tight configuration of Sandboxie be able to block the installation of any malware on my computer?
By tight configuration I mean maximum possible protection, including blocking internet access to any malware, as well as blocking start/run of any malware.
Would malware still install on my computer?
If yes, what additional protection should I have with Sandboxie?

Have you ever tried to put SBIE's maximum protection against installation of malware from the Malware Domain List and all other websites, just to test SBIE 3.62 in VirtualBox and see if it will protect from any kind of malware?
I'm still suspicious whether SBIE can be that safe with its maximum protection. But so far I have never seen anyone confirming that SBIE was penetrated in that way.
A good comparison would also be how good DefenseWall is compared to SBIE when both are configured for maximum protection.
I know I'm boring, but I just need to know if I need to combine SBIE (even though it's in a tight configuration with maximum protection) with something else (an antivirus, for example).
Thank you for your time and patience.


You don't really need to worry about malware installing inside the sandbox. It's gone with deletion. A super paranoid setup would include a sandbox created with read-only access to C:\ -- this makes sense if you'll only be browsing and not downloading anything. It ensures that nothing can be written to your HDD in the first place, let alone be able to execute.

As for testing Sbie, it's been pitted against a lot of samples over the years. Buster has run tens of thousands of malware samples without a single bypass. Another user, Franklin (God bless his soul), has pitted Sandboxie against GIGABYTES of malware; if you consider that viruses are usually a few kilobytes large, then you can imagine how many samples it takes to amount to gigs. Oh, and there were no bypasses in this case either. So if this isn't enough proof, I don't know what is :shock: :)

Unlike DefenseWall, Sandboxie keeps the virus in one area for easy cleanup - that means no debris left on your system even if the virus is in a deactivated state. Also consider that there were instances in the past when DefenseWall erroneously labelled downloaded files as trusted processes when they should have been untrusted until their permissions were explicitly changed by the user.

I don't run AV in real time: (a) there is no point, as I just scan whatever I'm keeping before recovery; (b) using Sandboxie has freed up resources that are put to better use. It entitles me to use more resources on my PC.

I have never seen/heard of a restricted sandbox failing anyone, so rest assured and enjoy the internet.



God bless you, Digital. You're right, I'm super-paranoid. But that's because I had some horrible experiences with malware and hackers one year ago. Now I've heard about this SBIE and excellent reviews of it. This is why I needed to check this product. Yes, I found out about Franklin and his testing; it looks like everything is true.
Since I never download anything, I could simply sandbox my entire C: partition with read-only access.
My only fears come from removable drives; this is where I'm quite frequently infected. And I don't know if forcing all my removable drives to run sandboxed is enough. I haven't had malware on my removable drives in the short time I've had SBIE, so I can't really know. How do I stop the start/run of malware on removable drives in the first place?
Do you have some link to help me out?
Big thanks in advance.
Lumberjack
 
Posts: 83
Joined: Fri Nov 25, 2011 6:37 am

Postby ssj100 » Wed Dec 07, 2011 9:10 am

With Windows XP (and I think Vista), I would recommend disabling autorun:
http://ssj100.fullsubject.com/t158-how- ... ows-xp#999

I think Windows 7 has autorun disabled by default for USB drives?

This means no malware will be able to run automatically when you plug in a USB drive. To browse the contents of the drive, make sure you open it sandboxed. By doing this, you probably don't need to force USB drives to run sandboxed.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
 
Posts: 873
Joined: Thu Apr 23, 2009 6:21 am
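The "tight" configuration the thread keeps circling back to (ssj100's start/run and internet-access restrictions, D1G1T@L's read-only C: drive, tzuk's "delete sandbox" step, and Lumberjack's removable drives) can be written down as one Sandboxie.ini box. The block below is an added example, not configuration posted by any participant or shipped by Sandboxie. The box name, the browser (firefox.exe) and the drive letters E: and F: are placeholders; the setting names are the ones Sandboxie Control writes for these options in Sandbox Settings, and the `#` comment lines are assumed to be accepted, so verify both against the documentation of the Sandboxie version you run, or set the options through the GUI and compare the resulting file.

```ini
# Added example: a locked-down Sandboxie box intended for browsing only.
# Box name, browser name and drive letters are placeholders.

[BrowserBox]
Enabled=y

# Start/Run restriction: only firefox.exe may start inside this box.
# A dropped test program or downloader is refused execution outright,
# which is the "pass" ssj100 describes: the sample never runs at all.
ClosedFilePath=!firefox.exe,*

# Internet access restriction: only firefox.exe may reach the network.
# Anything else that somehow did start still could not call out.
ClosedFilePath=!firefox.exe,InternetAccessDevices

# Read-only C: (D1G1T@L's "super paranoid" setup): sandboxed programs
# can read the real drive, but writes are refused instead of being
# redirected into the sandbox, so nothing is stored, even temporarily.
ReadFilePath=C:\

# Discard the box contents when the last program in it closes,
# i.e. tzuk's "delete sandbox" step made automatic.
AutoDelete=y

# Removable drives (Lumberjack's concern): anything launched from E: or
# F: is forced into this box, where the start/run rule above denies it.
ForceFolder=E:\
ForceFolder=F:\

# Do not let the sandboxed browser inherit administrator rights.
DropAdminRights=y
```

Two caveats match what the thread itself says. First, the start/run rule is why this box "passes": the test program is never executed, so nothing in the box detects or intercepts logging, exactly as ssj100 explains. Second, forcing a drive into the box does not replace ssj100's advice to disable Windows autorun; ForceFolder only governs what happens once something on that drive is launched, while autorun decides whether Windows launches it for you.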

