Make Sandboxie log suspicious behavior

Ideas for enhancements to the software
Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Sun Sep 09, 2007 3:59 pm

Hi,

I just wonder if you could add an option to make SBIE show what it has blocked, so let's say if an app tried to access memory, it would be nice if it could log this. And perhaps it could also precisely show all file system and registry modifications via a nice GUI? :)

dlguild
Posts: 230
Joined: Sat Apr 21, 2007 8:30 pm
Location: Pennsylvania

Post by dlguild » Sun Sep 09, 2007 8:11 pm

Are you asking for an embellished version of Sandboxie Trace?

http://www.sandboxie.com/index.php?SandboxieTrace

It's pretty easy to set up Sandboxie Trace to see what is blocked. Just change these settings in sandboxie.ini to:

FileTrace=D.
PipeTrace=D.
KeyTrace=D.
IpcTrace=D.
GuiTrace=D.

Then run debugview.exe anytime you want to see what is blocked. I agree the debugview GUI is a bit lacking, but I don't know what additional information could be gleaned programmatically which could be added to a new debug GUI. And the information contained is only as useful as the user's ability to interpret it.
Dan

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Sun Sep 16, 2007 2:54 pm

OK thanks, never really paid attention to these settings, but it would be cooler if SBIE could show all this stuff via a GUI-based log, just like most HIPS do nowadays. Same goes for tracking file and registry changes; right now there is no easy way to find out what an app exactly tries to do. I do sometimes get alerts from my HIPS, but I've noticed that it cannot spot everything, probably because the process is controlled by SBIE. :wink:

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Sun Sep 16, 2007 5:23 pm

Sandboxie takes what you are doing and isolates it away from your OS. That's it. Sandboxie has proven to be remarkably flexible and its beauty is in how users can shape it to their own needs. For every item that you force Sandboxie to do, a decision is taken away from you. I agree that a lot of users would be happy with that. But I would also add that a lot of users would not. I appreciate the fact that I can form/shape the program to my needs. Also, the price might go up.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Sun Sep 16, 2007 5:33 pm

I completely agree. I don't want to see Sandboxie become something it wasn't intended to be in the first place. As Mitch said, it is meant to separate junk from your HD through the use of a sandbox, that's it. Why incorporate this or that to the point where Sandboxie becomes as bloated as Norton software (burn!)? Adding some tweaks to the program to make it better and/or easier is one thing, but trying to add other stuff to make Sandboxie become totally different software is another thing. HIPS software usually keeps track of file and/or registry changes because that's their job, just like anti-viruses' job is to detect stuff, so maybe we should also add detection capabilities to Sandboxie since other software (A/Vs) have that capability (sarcasm). See the point? Certain software has stuff that it can do that other programs don't/can't do; that doesn't mean you should try to incorporate all those capabilities into one program, 'cause then the lightest software (Sandboxie) would become the heaviest, most bloated software ever. In other words, leave the program alone.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Fri Sep 21, 2007 3:31 pm

I don't see how adding a logging system would make SBIE bloated. I'm not talking about some super advanced logging system, but a simple log that will show which suspicious/dangerous behavior SBIE blocked. About file/registry monitoring, I can imagine that this is a bit more difficult to add. :wink:

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Sep 24, 2007 4:36 pm

I didn't mean just your logging system would make Sandboxie bloated; I was merely talking about the future too. I meant that if people keep requesting Sandboxie to do this just like AppX or do that just like AppZ, then yes, it will bloat Sandboxie.

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Feb 18, 2008 7:08 am

Hi,

I still think this could be a nice new feature, I explained why at the Wilders Security Forum:
Btw, there is some discussion going on about malware that is actually able to recognize whether it runs in a sandbox or not; this way it can try to act legit or will refuse to run at all. But I can also see advantages: for example, if a tool won't run sandboxed, this might be an indication that something is wrong.

And what if SBIE could actually monitor the possibly dangerous behavior that a process tries to invoke (just like GeSwall)? Of course it would stay quiet when "sandbox aware" malware runs, but your HIPS will not stay quiet when the malware runs on your real machine! This way you would immediately know that it's most likely malicious.
So what do you all think of it? It would make SBIE a nice malware analyzing tool, if I'm correct. :D

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Feb 18, 2008 7:30 am

Well, I haven't read all the posts, but isn't this something SSM can do itself? I thought SSM could log everything that a program/file has done on your system? Right?
I haven't opened the app in a long time so I might be wrong?

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Feb 18, 2008 7:47 am

No, you're missing the point. The idea behind this is to first run a tool inside the sandbox and see what kind of behavior is blocked by SBIE.

But malware that is able to fool SBIE (so SBIE won't have to block a thing, so you think, OK, this tool is safe) will most likely try to exploit the system as soon as it is launched on the real machine (so outside the sandbox). Normally speaking your HIPS will alert you about this, and this way you would instantly know that you're probably dealing with malware. :)

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Feb 18, 2008 7:54 am

Ok then yeah, I guess it's a good idea, though I could think of other uses for that! :twisted:

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Wed Feb 20, 2008 7:56 am

I think this feature would make SBIE a nice tool to analyze malware: you can let code run and see what it tries to do. And SBIE has the advantage that it can virtualize file/registry modifications, so you won't have to block anything yet, just let the malware do what it wants to. Of course, when it's trying to invoke dangerous things (like direct memory access, driver loading, etc.) it will be immediately blocked. Basically, SBIE already does all of this, but you won't actually know in detail what a process tries to do. For example, GeSwall (a sandbox that sucks *ss IMO) has got an "attack detection" feature.
SnDPhoenix wrote: Ok then yeah, I guess it's a good idea, though I could think of other uses for that! :twisted:
Can you explain? What other uses? :?

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Wed Feb 20, 2008 9:05 am

For example, GeSwall (a sandbox that sucks *ss IMO) has got an "attack detection" feature.
If I am not mistaken, didn't GesWall go out of development?
Rashbleed wrote:
Ok then yeah, I guess it's a good idea, though I could think of other uses for that!
Can you explain? What other uses? :?
Well if I told you, I'd have to kill you! :lol:

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Wed Feb 27, 2008 2:29 pm

If I am not mistaken, didn't GesWall go out of development?
No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.
Well if I told you, I'd have to kill you!
Well, I guess I will have to take the risk, but no seriously, what do you mean? :)

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Fri Feb 29, 2008 9:11 pm

Rasheed187 wrote: No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.
Yeah, you're right, I am thinking of Greenborder which is equally as sucky IMO...
Rasheed187 wrote:
Well if I told you, I'd have to kill you!
Well, I guess I will have to take the risk, but no seriously, what do you mean? :)
Ok, I'll give you a hint, it involves coding malware. :wink:
