Trust No Program

Make Sandboxie log suspicious behavior

Ideas for enhancements to the software

Make Sandboxie log suspicious behavior

Postby Rasheed187 » Sun Sep 09, 2007 8:59 pm

Hi,

I just wonder if you could add an option to make SBIE show what it has blocked, so let´s say if an app tried to access memory, it would be nice if it could log this. And perhaps it could also precisely show all file system and registry modifications via a nice GUI? :)
Rasheed187
 
Posts: 167
Joined: Sat Jan 14, 2006 5:08 pm

Postby dlguild » Mon Sep 10, 2007 1:11 am

Are you asking for an embellished version of Sandboxie Trace?

http://www.sandboxie.com/index.php?SandboxieTrace

It's pretty easy to set up Sanboxie Trace to see what is blocked. Just change these settings in sandboxie.ini to:

FileTrace=D.
PipeTrace=D.
KeyTrace=D.
IpcTrace=D.
GuiTrace=D.

Then run debugview.exe anytime you want to see what is blocked. I agree the debugview GUI is a bit lacking, but I don't know what additional information could be gleaned programmatically which could be added to a new debug GUI. And the information contained is only as useful as the user's ability to interpret it.
Dan
dlguild
 
Posts: 230
Joined: Sun Apr 22, 2007 1:30 am
Location: Pennsylvania

Postby Rasheed187 » Sun Sep 16, 2007 7:54 pm

OK thanks, never really payed attention to these settings, but would be cooler if SBIE could show all this stuff via a GUI based log, just like most HIPS do nowadays. Same goes for tracking file and registry changes, right now there is no easy way to find out what an app exactly tries to do. I do sometimes get alerts from my HIPS, but I´ve noticed that it can not spot everything, probably because the process is controlled by SBIE. :wink:
Rasheed187
 
Posts: 167
Joined: Sat Jan 14, 2006 5:08 pm

Postby MitchE323 » Sun Sep 16, 2007 10:23 pm

Sandboxie takes what you are doing and isolates it away from your OS. That's it. Sandboxie has proven out to be remarkably flexable and it's beauty is in how users can shape it to their own needs. For every item that you force Sandboxie to do, a decision is taken away from you. I agree that a lot of users would be happy with that. But I would also add that a lot of users would not. I appreciate the fact that I can form/shape the program to my needs. Also the price might go up.
MitchE323
 
Posts: 2268
Joined: Thu Nov 02, 2006 3:32 pm

Postby SnDPhoenix » Sun Sep 16, 2007 10:33 pm

I completely agree. I dont want to see Sandboxie become something it wasn't intended to be in the first place, as mitch said, it is meant to seperate junk from your HD through the use of a Sandbox, thats it, why incorporate this or that to the point where Sandboxie becomes as bloated as Norton software (burn!), adding some tweaks to the program to make the program better and/or easier is one thing, but trying to add other stuff to the program to make Sandboxie become totally different software is another thing. H.I.P.S software usually keeps track of file and/or registry changes because thats there job, just like anti-viruses jobs are to detect stuff, so maybe we should also add detection capabilities to Sandboxie since other software (A/V's) have that capability (sarcasm). See the point, certain software has stuff that it can do that other programs dont/cant do, that doesnt mean you should try to incorporate those capabilities all into one program, cause then the lightest software (Sandboxie) would become the heaviest, most bloated software ever. In other words, leave the program alone.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
SnDPhoenix
 
Posts: 2690
Joined: Tue Dec 26, 2006 11:44 pm
Location: West Florida

Postby Rasheed187 » Fri Sep 21, 2007 8:31 pm

I don´t see how adding a logging system would make SBIE bloated. I´m not talking about some super advanced logging system, but a simple log that will show which suspicious/dangerous behavior SBIE blocked. About file/registry monitoring, I can imagine that this is a bit more difficult to add. :wink:
Rasheed187
 
Posts: 167
Joined: Sat Jan 14, 2006 5:08 pm

Postby SnDPhoenix » Mon Sep 24, 2007 9:36 pm

I didn't mean just your logging system would make Sandboxie bloated, I was merely talking about the future too, i meant that if people keep requesting Sandboxie to do this just like AppX or do that just like AppZ, then yes, it will bloat Sandboxie.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
SnDPhoenix
 
Posts: 2690
Joined: Tue Dec 26, 2006 11:44 pm
Location: West Florida

Postby Rasheed187 » Mon Feb 18, 2008 1:08 pm

Hi,

I still think this could be a nice new feature, I explained why at the Wilders Security Forum:

Btw, there is some discussion going on about malware that is actually able to recognize if it runs in a sandbox or not, this way it can try to act legit or will refuse to run at all. But I can also see advantages, for example, if a tool won´t run sandboxed, this might be an indication that something is wrong.

And what if SBIE could actually monitor the possible dangerous behavior that a process tries to invoke (just like GeSwall)? Of course it would stay quite when "sandbox aware" malware will run, but your HIPS will not stay quite when the malware runs on your real machine! This way you would immediately know that it´s most likely to be malicious.


So what do you all think of it? It would make SBIE a nice malware analyzing tool, if I´m correct. :D
Rasheed187
 
Posts: 167
Joined: Sat Jan 14, 2006 5:08 pm

Postby SnDPhoenix » Mon Feb 18, 2008 1:30 pm

Well, I haven't read all the posts, but isn't this something SSM can do itself? I thought SSM could log everything that a program/file has done on your system? Right?
I haven't opened the app in a long time so I might be wrong?
SnDPhoenix
 
Posts: 2690
Joined: Tue Dec 26, 2006 11:44 pm
Location: West Florida

Postby Rasheed187 » Mon Feb 18, 2008 1:47 pm

No, you´re missing the point. The idea behind this, is to first run a tool inside the sandbox and see what kind of behavior is blocked by SBIE.

But malware who are able to fool SBIE (so SBIE won´t have to block a thing, so you think, OK this tool is safe), will most likely try exploit the system as soon as they are launched on the real machine (so outside the sandbox). Normally speaking your HIPS will alert you about this, and this way you would instantly know that you´re probably dealing with malware. :)
Rasheed187
 
Posts: 167
Joined: Sat Jan 14, 2006 5:08 pm

Postby SnDPhoenix » Mon Feb 18, 2008 1:54 pm

Ok then yeah, I guess it's a good idea, though I could think of other uses for that! :twisted:
SnDPhoenix
 
Posts: 2690
Joined: Tue Dec 26, 2006 11:44 pm
Location: West Florida

Postby Rasheed187 » Wed Feb 20, 2008 1:56 pm

I think this feature would make SBIE a nice tool to analyze malware, you can let code run and see what it tries to do. And SBIE has the advantage that it can virtualize file/registry modifications, so you won´t have to block anything yet, just let the malware do what it wants to. Of course, when it´s trying to invoke dangerous things (like direct memory access, driver loading etc.) it will be immediately blocked. Basically, SBIE already does all of this, but you won´t actually know in detail what a process tries to do. For example, GeSwall (a sandbox who sucks *ss IMO) has got an "attack detection" feature.

SnDPhoenix wrote:Ok then yeah, I guess it's a good idea, though I could think of other uses for that! :twisted:


Can you explain? What other uses? :?
Rasheed187
 
Posts: 167
Joined: Sat Jan 14, 2006 5:08 pm

Postby SnDPhoenix » Wed Feb 20, 2008 3:05 pm

For example, GeSwall (a sandbox who sucks *ss IMO) has got an "attack detection" feature.

If I am not mistaken, didn't GesWall go out of development?

Rashbleed wrote:
Ok then yeah, I guess it's a good idea, though I could think of other uses for that!

Can you explain? What other uses? :?

Well if I told you, I'd have to kill you! :lol:
SnDPhoenix
 
Posts: 2690
Joined: Tue Dec 26, 2006 11:44 pm
Location: West Florida

Postby Rasheed187 » Wed Feb 27, 2008 8:29 pm

If I am not mistaken, didn't GesWall go out of development?


No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.

Well if I told you, I'd have to kill you!


Well, I guess I will have to take the risk, but no seriously, what do you mean? :)
Rasheed187
 
Posts: 167
Joined: Sat Jan 14, 2006 5:08 pm

Postby SnDPhoenix » Sat Mar 01, 2008 3:11 am

Rasheed187 wrote:No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.

Yeah, you're right, I am thinking of Greenborder which is equally as sucky IMO...

Rasheed187 wrote:
Well if I told you, I'd have to kill you!

Well, I guess I will have to take the risk, but no seriously, what do you mean? :)

Ok, I'll give you a hint, it involves coding malware. :wink:
SnDPhoenix
 
Posts: 2690
Joined: Tue Dec 26, 2006 11:44 pm
Location: West Florida

Next

Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 0 guests

cron