Make Sandboxie log suspicious behavior
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
Hi,
I just wonder if you could add an option to make SBIE show what it has blocked, so let's say if an app tried to access memory, it would be nice if it could log this. And perhaps it could also precisely show all file system and registry modifications via a nice GUI?
Are you asking for an embellished version of Sandboxie Trace?
http://www.sandboxie.com/index.php?SandboxieTrace
It's pretty easy to set up Sandboxie Trace to see what is blocked. Just change these settings in sandboxie.ini to:
FileTrace=D
PipeTrace=D
KeyTrace=D
IpcTrace=D
GuiTrace=D
Then run debugview.exe anytime you want to see what is blocked. I agree the debugview GUI is a bit lacking, but I don't know what additional information could be gleaned programmatically which could be added to a new debug GUI. And the information contained is only as useful as the user's ability to interpret it.
Dan
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
OK thanks, never really paid attention to these settings, but it would be cooler if SBIE could show all this stuff via a GUI based log, just like most HIPS do nowadays. Same goes for tracking file and registry changes, right now there is no easy way to find out what an app exactly tries to do. I do sometimes get alerts from my HIPS, but I've noticed that it cannot spot everything, probably because the process is controlled by SBIE.
Sandboxie takes what you are doing and isolates it away from your OS. That's it. Sandboxie has proven out to be remarkably flexible and its beauty is in how users can shape it to their own needs. For every item that you force Sandboxie to do, a decision is taken away from you. I agree that a lot of users would be happy with that. But I would also add that a lot of users would not. I appreciate the fact that I can form/shape the program to my needs. Also the price might go up.
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
I completely agree. I don't want to see Sandboxie become something it wasn't intended to be in the first place, as mitch said, it is meant to separate junk from your HD through the use of a Sandbox, that's it, why incorporate this or that to the point where Sandboxie becomes as bloated as Norton software (burn!), adding some tweaks to the program to make the program better and/or easier is one thing, but trying to add other stuff to the program to make Sandboxie become totally different software is another thing. H.I.P.S software usually keeps track of file and/or registry changes because that's their job, just like anti-viruses' jobs are to detect stuff, so maybe we should also add detection capabilities to Sandboxie since other software (A/V's) have that capability (sarcasm). See the point, certain software has stuff that it can do that other programs don't/can't do, that doesn't mean you should try to incorporate those capabilities all into one program, 'cause then the lightest software (Sandboxie) would become the heaviest, most bloated software ever. In other words, leave the program alone.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
I didn't mean just your logging system would make Sandboxie bloated, I was merely talking about the future too, I meant that if people keep requesting Sandboxie to do this just like AppX or do that just like AppZ, then yes, it will bloat Sandboxie.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
Hi,
I still think this could be a nice new feature, I explained why at the Wilders Security Forum:
So what do you all think of it? It would make SBIE a nice malware analyzing tool, if I'm correct. Btw, there is some discussion going on about malware that is actually able to recognize if it runs in a sandbox or not, this way it can try to act legit or will refuse to run at all. But I can also see advantages, for example, if a tool won't run sandboxed, this might be an indication that something is wrong.
And what if SBIE could actually monitor the possible dangerous behavior that a process tries to invoke (just like GeSwall)? Of course it would stay quiet when "sandbox aware" malware will run, but your HIPS will not stay quiet when the malware runs on your real machine! This way you would immediately know that it's most likely to be malicious.
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
No, you're missing the point. The idea behind this is to first run a tool inside the sandbox and see what kind of behavior is blocked by SBIE.
But malware that is able to fool SBIE (so SBIE won't have to block a thing, so you think, OK this tool is safe) will most likely try to exploit the system as soon as it is launched on the real machine (so outside the sandbox). Normally speaking your HIPS will alert you about this, and this way you would instantly know that you're probably dealing with malware.
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
I think this feature would make SBIE a nice tool to analyze malware, you can let code run and see what it tries to do. And SBIE has the advantage that it can virtualize file/registry modifications, so you won't have to block anything yet, just let the malware do what it wants to. Of course, when it's trying to invoke dangerous things (like direct memory access, driver loading etc.) it will be immediately blocked. Basically, SBIE already does all of this, but you won't actually know in detail what a process tries to do. For example, GeSwall (a sandbox that sucks *ss IMO) has got an "attack detection" feature.
SnDPhoenix wrote: Ok then yeah, I guess it's a good idea, though I could think of other uses for that!
Can you explain? What other uses?
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Rasheed187 wrote: For example, GeSwall (a sandbox who sucks *ss IMO) has got an "attack detection" feature.
If I am not mistaken, didn't GesWall go out of development?
Rashbleed wrote: Can you explain? What other uses?
Well if I told you, I'd have to kill you!
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
SnDPhoenix wrote: If I am not mistaken, didn't GesWall go out of development?
No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.
SnDPhoenix wrote: Well if I told you, I'd have to kill you!
Well, I guess I will have to take the risk, but no seriously, what do you mean?
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Rasheed187 wrote: No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.
Yeah, you're right, I am thinking of Greenborder which is equally as sucky IMO...
Rasheed187 wrote: Well, I guess I will have to take the risk, but no seriously, what do you mean?
Ok, I'll give you a hint, it involves coding malware.