Make Sandboxie log suspicious behavior

Ideas for enhancements to the software
MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Sun Mar 09, 2008 12:57 am

@Rasheed187
Let me guess, you have never used all the functions in Sandboxie, or you haven't paid for the registered version, correct? If you know how to use all Sandboxie's functions in conjunction with each other, there is no need for HIPS. :D

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Sun Mar 09, 2008 11:32 am

Rashbleed187
WTF? I thought I was talking to some adults? What is this lame sh*t all about, you're not like 12 years old are you? :)
Well I hadn't known this, but at one point one of those sites had opened IE in the background, in a hidden window... and it turns out that due to the site(s) that had installed all that junk, I had spyware, adware, trojans and even keyloggers, running in the background without me knowing!
This is exactly my point, with process control, this would have probably never even happened in the first place. Of course it's cool that it couldn't do any damage because of SBIE, but I'd rather have no malicious processes running at all.
Why would you want to stop them, or are you not aware that Sandboxie already does sandbox them? Every sandboxed drive-by attack already fails to do any damage, so you’re stating that as a concern indicates that you are not aware of that.
See my answer above.
PS; btw Mr. Elitist HIPS know-it-all guy, what happened? Finish your first semester last month?
I don't see what your point is. That thread was about some guy trying to convince people that they don't know how to use a HIPS. As a matter of fact, you two start to remind me of this guy, he also easily gets all worked up about this kind of stuff. :D
Let me guess, you have never used all the functions in Sandboxie, or you haven't paid for the registered version, correct? If you know how to use all Sandboxie's functions in conjunction with each other, there is no need for HIPS.
Correct, I don't know about all the ins and outs of SBIE, and that's because I don't really use it as a pure HIPS. But you're right, it does give good enough protection, but don't forget, you can also achieve this with regular HIPS like SSM.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Mar 10, 2008 1:30 am

Rasheed187 wrote:WTF? I thought I was talking to some adults? What is this lame sh*t all about, you're not like 12 years old are you? :)
Sorry, I was in a rush when I typed that cause mommy only lets me on from 6 to 9 in the evening...
This is exactly my point, with process control, this would have probably never even happened in the first place. Of course it's cool that it couldn't do any damage because of SBIE, but I'd rather have no malicious processes running at all.
Yeah but what you're asking is for every child process to be denied from executing, however, that would conflict too much in my case. I would rather this was just incorporated as an option you could turn on, not something hardcoded into the program, cause I wouldn't use it...
Correct, I don't know about all the ins and outs of SBIE, and that's because I don't really use it as a pure HIPS. But you're right, it does give good enough protection, but don't forget, you can also achieve this with regular HIPS like SSM.
Wth? Why do you keep saying this? Sandboxie is not a HIPS???!

So SSM, or PS could show me all the files and folders created by a program like Sandboxie can? And then if I decided to remove the program, PS would let me delete the sandbox thus truly removing all traces of the program, just like with Sandboxie?
HAHA!

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Mar 10, 2008 8:55 am

Sorry, I was in a rush when I typed that cause mommy only lets me on from 6 to 9 in the evening...
Now that's funny! :)
I would rather this was just incorporated as an option you could turn on, not something hardcoded into the program, cause I wouldn't use it...
Of course all of this stuff should be optional. And to clarify, I think it would only make sense to block child processes from "forced apps", because they are the ones that are most vulnerable. But I also understand why Tzuk hasn't implemented such a feature yet, because that's not really how most sandboxes work. But as a workaround, people can perhaps add some HIPS with process control. For example, Haute Secure (IE/FF plugin) also tries to stop exploits inside the browser, the problem is that it might conflict with SBIE.
Wth? Why do you keep saying this? Sandboxie is not a HIPS???!
What do you mean? To clarify, to me, HIPS, Sandbox and Firewall are all HIPS, but when I say HIPS I mean behavior blockers like SSM/NG/PS etc.
So SSM, or PS could show me all the files and folders created by a program like Sandboxie can...
No, but what I meant to say was that I currently feel quite safe even without SBIE's virtualization feature. But you would think that when it comes to isolating apps, sandboxes probably do a better job than HIPS, and they do it out of the box too, with that I mean, you don't have to configure them.
Last edited by Rasheed187 on Mon Mar 10, 2008 10:33 am, edited 1 time in total.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Mar 10, 2008 10:04 am

Rasheed187 wrote:Now that's funny! :)
:D
Of course all of this stuff should be optional. And to clarify, I think it would only make sense to block child processes from "forced apps", because they are the ones that are most vulnerable. But I also understand why Tzuk hasn't implemented such a feature yet, because that's not really how most sandboxes work. But as a workaround, people can perhaps add some HIPS with process control. For example, Haute Secure (IE/FF plugin) also tries to stop exploits inside the browser, the problem is that it might conflict with SBIE.
Ok then fine, he could incorporate it as long as it is something easily enabled or disabled.
What do you mean? To clarify, to me, HIPS, Sandbox and Firewall are all HIPS, but when I say HIPS I mean behavior blockers like SSM/NG/PS etc.
Exactly, same here, to me something like SSM is a HIPS, not something like (old) Comodo FW...
No, but what I meant to say was that I currently feel quite safe even without SBIE's virtualization feature. But you would think that when it comes to isolating apps, sandboxes would do a better job than HIPS, and they do it out of the box too.
I'm sorry, but I have never used a single HIPS out there that isolates better than Sandboxie does...
SSM or PS for example only offer control of all processes, file actions, executions, etc. Sandboxie allows it all, true, but it is isolated in a sandbox, something those other HIPS can't do...

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Mar 10, 2008 10:49 am

Ok then fine, he could incorporate it as long as it is something easily enabled or disabled.
Well, I don't see it happening, and I guess it's not a real big problem.
Exactly, same here, to me something like SSM is a HIPS, not something like (old) Comodo FW...
No, what I meant was that in fact, behavior blockers, sandboxes, firewalls and even scanners are all HIPS, after all, they all try to protect the host from intrusion right?
I'm sorry, but I have never used a single HIPS out there that isolates better than Sandboxie does...

It depends on what you prefer, if you think that virtualization is important, you need SBIE or SafeSpace, if not, you can use other tools. You know what the thing is, we need someone who can test sandboxes and HIPS against lots of exploits and then we can say which tool is the best solution. Because right now, my opinion is based on limited exploit/malware testing.

You know what? I will ask Matousek (professional software tester) if he can perhaps also start to test HIPS/sandboxes, right now he's mostly into firewalls (with HIPS capabilities) and he has already found quite a few serious bugs. So at the end of the day, tools will only become stronger and more secure. :D

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Thu Mar 13, 2008 10:22 am

Rasheed187 wrote:No, what I meant was that in fact, behavior blockers, sandboxes, firewalls and even scanners are all HIPS, after all, they all try to protect the host from intrusion right?
Well to an extent I guess, however, for me, a HIPS is something that offers you control over processes, nothing else. Example, SSM and Pro Security...
Something like Sandboxie or SafeSpace is more of an isolation program, or more accurately, a sandboxing application. I mean, after all, you wouldn't consider VMware a HIPS would you? It is more of an isolation program than it is a HIPS right? :P
It depends on what you prefer, if you think that virtualization is important, you need SBIE or SafeSpace, if not, you can use other tools. You know what the thing is, we need someone who can test sandboxes and HIPS against lots of exploits and then we can say which tool is the best solution. Because right now, my opinion is based on limited exploit/malware testing.
Hmm, true, I prefer virtualization, as it allows me to do everything within the OS, but without permanent damage, with hips, even though you still have control over processes, the viruses are still running on your real OS though, you know what I mean? Also, I've done lots of malware testing with Sandboxie and it has never failed me. However, with HIPS, I did do some malware testing with them, and as far as I remember, it seemed to keep the OS safe, though I only tested about 10 different things...
You know what? I will ask Matousek (professional software tester) if he can perhaps also start to test HIPS/sandboxes, right now he's mostly into firewalls (with HIPS capabilities) and he has already found quite a few serious bugs. So at the end of the day, tools will only become stronger and more secure. :D
Cool, has he done any HIPS/Sandbox testing yet? :roll:

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Thu Apr 03, 2008 1:33 pm

Well to an extent I guess, however, for me, a HIPS is something that offers you control over processes, nothing else. Example, SSM and Pro Security...
I agree, but at the end of the day SBIE is also HIPS, but we call it a sandbox because otherwise it becomes confusing.
Hmm, true, I prefer virtualization, as it allows me to do everything within the OS, but without permanent damage, with hips, even though you still have control over processes, the viruses are still running on your real OS though, you know what I mean?
Yes I know what you mean, if some malware is able to install/load, it's still trapped in the sandbox.
Cool, has he done any HIPS/Sandbox testing yet?
No, at the moment he's really into outbound firewall leaktesting and stuff. I also haven't contacted him yet, I was busy with other stuff (and a bit lazy :x) but would be nice if he could test SBIE for bugs. The problem is that he doesn't do it for free.