Make Sandboxie log suspicious behavior

Ideas for enhancements to the software
Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Tue Mar 04, 2008 10:16 pm

Ok, I'll give you a hint, it involves coding malware
Do you really have to be so vague? Why not just tell exactly what you mean? I mean the feature has not even been implemented yet, so for what exactly are you afraid? :roll:

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue Mar 04, 2008 11:45 pm

Rasheed187 wrote: Do you really have to be so vague? Why not just tell exactly what you mean? I mean the feature has not even been implemented yet, so for what exactly are you afraid? :roll:
Well it's not about being afraid, I just have to keep it a secret! :roll:

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Wed Mar 05, 2008 8:42 am

LOL, do you really think that more knowledgeable people can't figure it out themselves, without any clues from you? What are you, some top notch hacker? :?

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Wed Mar 05, 2008 9:23 am

Rasheed187 wrote:LOL, do you really think that more knowledgeable people can't figure it out themselves, without any clues from you?
Then why do you keep asking me Rasheed?

Also I am not saying I have to keep it a secret so people can't figure it out, I have to keep it a secret because if I posted the details, then it would be patched (if this had been incorporated in the first place). :roll:
What are you, some top notch hacker? :?
Oh thank you, I am flattered! :lol:

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Mar 05, 2008 10:37 pm

If you add malware analyzing features to Sandboxie you will get even more attention over Sandboxie, and the more attention from bad guys you get over the tool the more vulnerable it will be.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Mar 06, 2008 7:01 am

Buster I disagree. I welcome attention to Sandboxie from both good and bad guys. The most bad guys should be able to do is design their software to refuse to run if they detect Sandboxie. They shouldn't be able to circumvent the protection; and if they do, I would like to fix it rather than sweep any vulnerabilities under the rug like your approach suggests.

Having said that, the reason I don't add malware analyzing features is that it isn't just a small feature. It's an entire area of computer security research, involving behavior/execution analysis, heuristics, and who knows what else. And in my opinion it is unrelated to Sandboxie. The way to go about it is to run both the specialized malware analysis tool, and the malware itself, within the sandbox.
tzuk

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Fri Mar 07, 2008 9:10 am

Having said that, the reason I don't add malware analyzing features is that it isn't just a small feature.
Yes, but I think you got the wrong idea. Right now, SBIE is already blocking lots of stuff to keep the system safe, right? I'm just asking for a feature that would notify me about the suspicious (malicious) behavior that is blocked or virtualized, that's all. :)

On the other hand, there is also a problem, namely, in order for my plan to work, SBIE must monitor exactly the same, or even more than the HIPS that takes care of actions outside the sandbox. So I think this feature should probably be implemented in the HIPS itself. Btw, EQSecure is already working on a sandbox based on virtualization, but it still needs lots of work, and I don't really like it at the moment.
Last edited by Rasheed187 on Fri Mar 07, 2008 9:52 am, edited 1 time in total.

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Fri Mar 07, 2008 9:16 am

Then why do you keep asking me Rasheed?
Perhaps, because I'm not that knowledgeable? No but seriously, I don't see how this feature could be used by the bad guys, because that's what you're saying, no? :?
then it would be patched (if this had been incorporated in the first place).
So now you want to hack SBIE? :shock:
Oh thank you, I am flattered!
Well, it was just a question, so don't be. :roll:
Last edited by Rasheed187 on Fri Mar 07, 2008 9:18 am, edited 1 time in total.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Fri Mar 07, 2008 9:17 am

Rasheed187 wrote:Btw, EQSecure is already working on a sandbox based on virtualization, but it still needs lots of work, and I don't really like it at the moment.
Really? I thought that EQSecure was like SSM, but with basic sandboxing which is more like GesWall's version of sandboxing than Sandboxie's version of sandboxing?

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Fri Mar 07, 2008 9:25 am

Yes, but I think you got the wrong idea. Right now, SBIE is already blocking lots of stuff to keep the system safe, right? I´m just asking for a feature that would notify me about the suspicious (malicious) behavior that is blocked or virtualized, that´s all.
Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox. That seems better to me, in that then it would be up to you to determine if it was suspicious. Rather than have sandboxie somehow keep up to date on everything that was deemed suspicious. 'Suspicious' is just too vague. IMO.
Last edited by MitchE323 on Fri Mar 07, 2008 9:23 pm, edited 1 time in total.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Fri Mar 07, 2008 9:28 am

MitchE323 wrote: Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox.
Dude, that would have helped me so much the other day! :shock:

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Sat Mar 08, 2008 3:15 pm

Really? I thought that EQSecure was like SSM, but with basic sandboxing which is more like GesWall's version of sandboxing than Sandboxie's version of sandboxing?
Yes it was and is exactly like SSM, but now they have also added a sandbox to it, so perhaps I can ask them to implement my idea, it would make more sense to implement it in a mix between HIPS/Sandbox than into a pure sandbox like SBIE. But like I said before, it's not quite finished yet, and overall I don't really like the app at the moment, but it does have potential.
Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox.
I honestly don't see the point behind this. You mean like in a drive by attack? I think it's a better idea to simply deny apps from starting automatically without user interaction. I think this is an area where sandboxes should become better, it should block child processes automatically. But for now a nice workaround is to make a HIPS (like SSM) take care of this, and this means that almost every "drive by" attack would fail to do any damage, even in the sandbox.
'Suspicious' is just too vague. IMO.
Let me guess, you have never used a HIPS, or you didn't like them, correct? If you know how to use a HIPS, there is nothing vague about it. :)

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Sat Mar 08, 2008 9:48 pm

On the other hand, there is also a problem, namely, in order for my plan to work, SBIE must monitor exactly the same, or even more than the HIPS who takes care of actions outside sandbox.
Hey, You're the one that took it up a level on what a HIPS would cover. It is vague on what it is that Sandboxie would do over and above a HIPS.
I honestly don’t see the point behind this. You mean like in a drive by attack? I think it’s a better idea to simply deny apps from starting automatically without user interaction. I think this is an area where sandboxes should become better, it should block child processes automatically. But for now a nice workaround is to make a HIPS (like SSM) take care of this, and this means that almost every "drive by" attack would fail to do any damage, even in the sandbox.
This is also vague in that are you asking for Sandboxie to actually stop all child processes or to sandbox those child processes? Why would you want to stop them, or are you not aware that Sandboxie already does sandbox them? Every sandboxed drive-by attack already fails to do any damage, so you’re stating that as a concern indicates that you are not aware of that.

You're asking for a notification from Sandboxie on some type of behavior that occurs in the sandbox, yet an alert on all new startups makes "no sense to you"? I understand what you are saying, what I am saying is that Tzuk has already turned that down. That is offered as an alternative for you to consider. I guess you are right, I just do not understand.

PS; btw Mr. Elitist HIPS know-it-all guy, what happened? Finish your first semester last month? http://www.wilderssecurity.com/showthread.php?t=197717

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Sat Mar 08, 2008 11:55 pm

Hmm, all I can say is this, you might not think so Rashbleed187, but the flashing icon idea would have been great the other day, why?
Well summed up shortly, I had been looking around at some "bad sites" which also led to more and more "bad sites" as well..

Well I hadn't known this, but at one point one of those sites had opened IE in the background, in a hidden window, and it was downloading one after another trojan, keylogger, spyware etc..

Now thankfully, I had IE set to be forced so it was all contained inside the sandbox (even though some people don't think so), however, I was experiencing a major slowdown in speed (due to all the downloading), Sandboxie was a little (more?) sluggish, and it turns out that due to the site(s) that had installed all that junk, I had spyware, adware, trojans and even keyloggers running in the background without me knowing! :shock:

Thankfully, I just happened to open Sandboxie Control and noticed the IE and all the malicious processes running, and I also hadn't entered in any confidential information of mine while those programs were running, but the point is, I could have gone to a banking site, or just some forum or my email inbox, and not even know that all that crap was downloading/recording stuff; however, if Sandboxie alerted me on new processes, then I wouldn't have had this problem, as I would've immediately seen that these new processes had started and then I'd just terminate them real quick!

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Sun Mar 09, 2008 12:05 am

Oh forgot to mention, I had IE set as the only process to connect to the net, and I also had IE forced into its own sandbox (something you wouldn't know about), so when it launched in the background, it launched into its own sandbox, away from the sandbox I was doing my browsing in, so it couldn't communicate with my other sandbox.
Furthermore, anything it did capture couldn't have been sent off to anyone, so I guess I was always safe all along, even if I didn't terminate the programs.
Still though, it would have been nice to at least know they were running... :)
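For readers who want to reproduce the setup SnDPhoenix describes (IE forced into its own sandbox, and IE the only program in that sandbox allowed to reach the network), here is an added Sandboxie.ini fragment. It is an editor's example, not a configuration posted in this thread or shipped by Sandboxie; the box name "IEBox" is an assumption, and the ForceProcess / ClosedFilePath lines use the syntax the Sandboxie Control "Forced Programs" and "Internet Access" dialogs write into Sandboxie.ini. Check the settings your own version generates before relying on it.

```ini
; Added example (not from the original thread). Box name "IEBox" is assumed.
[IEBox]
Enabled=y

; Any start of iexplore.exe, including one spawned hidden in the background,
; lands in this box rather than in whatever box the user was browsing from.
ForceProcess=iexplore.exe

; Internet Access restriction: deny the networking devices to every program
; in the box EXCEPT iexplore.exe. A dropped trojan or keylogger that runs in
; IEBox can still capture, but it cannot send anything out.
ClosedFilePath=!iexplore.exe,InternetAccessDevices
```

The second line is what makes the difference in the story above: the downloaders ran, but with no network path out of the box their collected data had nowhere to go. It is still worth pairing this with a check of the box's process list in Sandboxie Control, since the restriction silences the malware rather than telling you it is there.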
