Make Sandboxie log suspicious behavior

> Ok, I'll give you a hint, it involves coding malware

Do you really have to be so vague? Why not just tell exactly what you mean? I mean the feature has not even been implemented yet, so what exactly are you afraid of?
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Rasheed187 wrote:
> LOL, do you really think that more knowledgeable people can't figure it out themselves, without any clues from you?

Then why do you keep asking me Rasheed?
Also I am not saying I have to keep it a secret so people can't figure it out, I have to keep it a secret because if I posted the details, then it would be patched (if this had been incorporated in the first place).

> What are you, some top notch hacker?

Oh thank you, I am flattered!
Buster I disagree. I welcome attention to Sandboxie from both good and bad guys. The most bad guys should be able to do is design their software to refuse to run if they detect Sandboxie. They shouldn't be able to circumvent the protection; and if they do, I would like to fix it rather than sweep any vulnerabilities under the rug like your approach suggests.
Having said that, the reason I don't add malware analyzing features is that it isn't just a small feature. It's an entire area of computer security research, involving behavior/execution analysis, heuristics, and who knows what else. And in my opinion it is unrelated to Sandboxie. The way to go about it is to run both the specialized malware analysis tool, and the malware itself, within the sandbox.
tzuk
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
> Having said that, the reason I don't add malware analyzing features is that it isn't just a small feature.

Yes, but I think you got the wrong idea. Right now, SBIE is already blocking lots of stuff to keep the system safe, right? I'm just asking for a feature that would notify me about the suspicious (malicious) behavior that is blocked or virtualized, that's all.
On the other hand, there is also a problem, namely, in order for my plan to work, SBIE must monitor exactly the same, or even more than the HIPS that takes care of actions outside the sandbox. So I think this feature should probably be implemented in the HIPS itself. Btw, EQSecure is already working on a sandbox based on virtualization, but it still needs lots of work, and I don't really like it at the moment.
Last edited by Rasheed187 on Fri Mar 07, 2008 9:52 am, edited 1 time in total.
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
> Then why do you keep asking me Rasheed?

Perhaps, because I'm not that knowledgeable? No but seriously, I don't see how this feature could be used by the bad guys, because that's what you're saying, no?

> then it would be patched (if this had been incorporated in the first place).

So now you want to hack SBIE?

> Oh thank you, I am flattered!

Well, it was just a question, so don't be.
Last edited by Rasheed187 on Fri Mar 07, 2008 9:18 am, edited 1 time in total.
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Rasheed187 wrote:
> Btw, EQSecure is already working on a sandbox based on virtualization, but it still needs lots of work, and I don't really like it at the moment.

Really? I thought that EQSecure was like SSM, but with basic sandboxing which is more like GeSWall's version of sandboxing than Sandboxie's version of sandboxing?

> Yes, but I think you got the wrong idea. Right now, SBIE is already blocking lots of stuff to keep the system safe, right? I'm just asking for a feature that would notify me about the suspicious (malicious) behavior that is blocked or virtualized, that's all.

Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox. That seems better to me, in that then it would be up to you to determine if it was suspicious. Rather than have Sandboxie somehow keep up to date on everything that was deemed suspicious. 'Suspicious' is just too vague. IMO.
Last edited by MitchE323 on Fri Mar 07, 2008 9:23 pm, edited 1 time in total.
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
> Really? I thought that EQSecure was like SSM, but with basic sandboxing which is more like GeSWall's version of sandboxing than Sandboxie's version of sandboxing?

Yes it was and is exactly like SSM, but now they have also added a sandbox to it, so perhaps I can ask them to implement my idea; it would make more sense to implement it in a mix between HIPS/Sandbox than into a pure sandbox like SBIE. But like I said before, it's not quite finished yet, and overall I don't really like the app at the moment, but it does have potential.

> Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox.

I honestly don't see the point behind this. You mean like in a drive-by attack? I think it's a better idea to simply deny apps from starting automatically without user interaction. I think this is an area where sandboxes should become better; it should block child processes automatically. But for now a nice workaround is to make a HIPS (like SSM) take care of this, and this means that almost every "drive-by" attack would fail to do any damage, even in the sandbox.

> 'Suspicious' is just too vague. IMO.

Let me guess, you have never used a HIPS, or you didn't like them, correct? If you know how to use a HIPS, there is nothing vague about it.
> On the other hand, there is also a problem, namely, in order for my plan to work, SBIE must monitor exactly the same, or even more than the HIPS that takes care of actions outside the sandbox.

Hey, you're the one that took it up a level on what a HIPS would cover. It is vague on what it is that Sandboxie would do over and above a HIPS.

> I honestly don't see the point behind this. You mean like in a drive-by attack? I think it's a better idea to simply deny apps from starting automatically without user interaction. I think this is an area where sandboxes should become better; it should block child processes automatically. But for now a nice workaround is to make a HIPS (like SSM) take care of this, and this means that almost every "drive-by" attack would fail to do any damage, even in the sandbox.

This is also vague in that are you asking for Sandboxie to actually stop all child processes or to sandbox those child processes? Why would you want to stop them, or are you not aware that Sandboxie already does sandbox them? Every sandboxed drive-by attack already fails to do any damage, so your stating that as a concern indicates that you are not aware of that.
You're asking for a notification from Sandboxie on some type of behavior that occurs in the sandbox, yet an alert on all new startups makes "no sense to you"? I understand what you are saying, what I am saying is that Tzuk has already turned that down. That is offered as an alternative for you to consider. I guess you are right, I just do not understand.
PS; btw Mr. Elitist HIPS know-it-all guy, what happened? Finish your first semester last month? http://www.wilderssecurity.com/showthread.php?t=197717
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Hmm, all I can say is this, you might not think so Rashbleed187, but the flashing icon idea would have been great the other day, why?
Well summed up shortly, I had been looking around at some "bad sites" which also led to more and more "bad sites" as well..
Well I hadn't known this, but at one point one of those sites had opened IE in the background, in a hidden window, and it was downloading one after another trojan, keylogger, spyware etc..
Now thankfully, I had IE set to be forced so it was all contained inside the sandbox (even though some people don't think so), however though, I was experiencing a major slowdown in speed (due to all the downloading) Sandboxie was a little (more?) sluggish, and it turns out that due to the site(s) that had installed all that junk, I had spyware, adware, trojans and even keyloggers, running in the background without me knowing!
Thankfully, I just happened to open Sandboxie Control and noticed the IE and all the malicious processes running, and I also hadn't entered in any confidential information of mine while those programs were running, but the point is, I could have gone to a banking site, or just some forum or my email inbox, and not even know that all that crap was downloading/recording stuff; however, if Sandboxie alerted me on new processes, then I wouldn't have had this problem, as I would've immediately seen that these new processes had started and then I'd just terminate them real quick!
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Oh, forgot to mention, I had IE set as the only process to connect to the net, and I also had IE forced into its own sandbox (something you wouldn't know about), so when it launched in the background, it launched into its own sandbox, away from the sandbox I was doing my browsing in, so it couldn't communicate with my other sandbox.
Furthermore, anything it did capture couldn't have been sent off to anyone, so I guess I was always safe all along, even if I didn't terminate the programs.
Still though, it would have been nice to at least know they were running...