Sandboxie vs Invincea Endpoint

[Rasheed187]

Hi,

I just wondered what Invincea developers and SBIE users think about integrating a behavior blocker into SBIE? I don't really need it, because you can combine SBIE with HIPS and anti-exploit, but it's still interesting that Invincea Endpoint is designed not only to contain, but also to block and kill malware running inside the sandbox.

https://www.invincea.com/use-cases/atta ... s-attacks/
https://www.invincea.com/use-cases/atta ... downloads/

[Syrinx]

Interesting thought but I'd have to say not only is it unlikely but also I'm not very fond of the idea of adding it to Sandboxie directly. Sandboxie can already be fairly complex for the average user, adding something like that would only make it that much more difficult to troubleshoot programs running inside.

On the other side, they already have the code written for their endpoint solution so I almost wondered if it would be possible to wrap it into a dll or something and offer it as a consumer edition upgrade/purchase for those SBIE users who are interested but then I realized that some (if not most) of the protections are likely handled by a driver so once again it doesn't seem likely.

I sure would like to take it for a test drive but alas I'm not in a position to purchase volume licenses.

[Craig@Invincea]

Endpoint is highly customized. Uses custom resources.

And it is configured based on the client. While it does use "containers" (sandoxing) it only applies those containers to certain required file formats/programs that the client would want to protect.

Unlike SBIE, where it's everything in a SB (and can run any browser for the most part) and highly customizable from within in the template, the Invincea product is the total opposite. It also has "detection" built in and you are locked down..... And it has other abilities baked into it or in the pipeline.

Stuff obviously I can't get into...nor do I fully grasp it. LOL

There is a lot LOT more coming with the Endpoint product. Exciting things that won't require a container per se.

Can that be combined into SBIE. Um....No. I don't think that would ever happen.

The Invincea product is ever evolving with new technology that cannot be applied into SBIE. Very CUTTING edge stuff. I've seen a demo, and I was blown away. Our Labs' Engineers have been working OT with our Engineers at Corporate.

Plus, there just isn't demand for that...at least for the "home/small biz" market. For the resources it would take, the $ isn't there. Obviously, we have to pay Curt once in a while.

Now, Do some of the things that are reported here apply to the Invincea product..sure. As they share a general "sb container."

The Invincea product went from a VM type protection solution, to a container sandbox...and now...we move ahead. With a sb container? Unknown. Most likely combining the best of containment/SB with the future technology that is being proven every day in the Labs. Again, it also depends on the needs of the client. The Market. Everything.

But again, Invincea product is moving far and fast ahead. Will a container be a part of that? Maybe. The "container" may be more of a additional "layer" highly customized for specific threats.

[Syrinx]

@Craig I think your response only heightened my desire to at least test the endpoint product. I can understand that the customer support costs could be an issue and a valid reason not to have a home version but is there anything else that stops you guys from making it available to the general public? I'm no IT guy but I'm not exactly the average user either. I'd love to be able to take it out for a run.

[Rasheed187]

Interesting thought but I'd have to say not only is it unlikely but also I'm not very fond of the idea of adding it to Sandboxie directly. Sandboxie can already be fairly complex for the average user, adding something like that would only make it that much more difficult to troubleshoot programs running inside.

Yes correct, but I was thinking about a dumb downed version, without requiring any user configuration.

The Invincea product is ever evolving with new technology that cannot be applied into SBIE. Very CUTTING edge stuff. I've seen a demo, and I was blown away. Our Labs' Engineers have been working OT with our Engineers at Corporate.

Plus, there just isn't demand for that...at least for the "home/small biz" market. For the resources it would take, the $ isn't there. Obviously, we have to pay Curt once in a while.

OK I see, so it wouldn't be simple to port a "dumb downed" version to SBIE. And thanks for the info about Invincea. But the reason I asked is because SBIE only contains, so in theory certain malware would still be able to do damage inside the sandbox. And that's why Invincea decided they needed to add a behavior blocker/HIPS to Invincea Endpoint, because you need a way to mitigate malware running inside the container. But like I said, it's not a big deal because you can simply combine SBIE with other security tools like HIPS, that is what's so cool about SBIE.

[Craig@Invincea]

@Craig I think your response only heightened my desire to at least test the endpoint product. I can understand that the customer support costs could be an issue and a valid reason not to have a home version but is there anything else that stops you guys from making it available to the general public? I'm no IT guy but I'm not exactly the average user either. I'd love to be able to take it out for a run.

Hi Rasheed.
I don't know are the actual particulars about getting a demo type of look at it. However, I'm under the impression it's much more of an "experience" type of thing. And there is a lot of behind the scenes stuff that happens.

However, I can def ask around (Curt probably would know as well as he's part of that Much bigger team)

Here is some info on its detection (this is being vastly improved too) And this is all public from various Social resources

https://www.invincea.com/products/cynom ... ign=buffer

Threat detection trial
https://www.invincea.com/invincea-advan ... ATDP_12_15

[Rasheed187]

Hi Rasheed

I don't know are the actual particulars about getting a demo type of look at it. However, I'm under the impression it's much more of an "experience" type of thing. And there is a lot of behind the scenes stuff that happens.

Actually, it was another member (Syrinx) that wanted to test Invincea Endpoint (IE), I was simply wondering about if the behavior blocker/HIPS could be ported to SBIE, that's all. It's probably best not to do so, because it's quite complex, at least that is my impression. But is it true that IE uses a hypervisor for container isolation?

[Craig@Invincea]

But is it true that IE uses a hypervisor for container isolation

I've heard different things; but I don't directly work with that product or teams. So, I can't give you a YES or a NO answer.

[Rasheed187]

But is it true that IE uses a hypervisor for container isolation

I've heard different things; but I don't directly work with that product or teams. So, I can't give you a YES or a NO answer.

OK I see. I read about it in an article from 2010, but perhaps things have been changed. BTW, I also found a positive review for IE from 2015, see link.

But back to the topic, the reason why I asked is because I was wondering if banking trojans can still do any damage inside the sandbox. Have you guys ever tested that? And if ransomware is running sandboxed, it will still be able to encrypt files in the sandbox. So sometimes, containing is not good enough. That's why I always advise people to combine SBIE with other tools, like HIPS and anti-exe for example.

http://www.scmagazine.com/invincea-adva ... view/4423/

[Craig@Invincea]

SBIE is only designed to isolate/contain. Nothing has been found to break out of the sandbox (knock on wood) at this time, when known, not matter how impossible that may be or exist, we address that. Is anything 100% safe when online. Of course not. Nothing is. SBIE mitigate that risk? Absolutely.

Like I mentioned, we had a bounty with people who do and attempt to do just that..and they could not. ((knock on wood)) And we have 100s of thousands of SBIE users, and you guys in the forum who I know...Especially when a new Beta is announced, Bo is usually the one to mention it in Wilders. We know you guys test and look over each and every bit. We want that.

And every day, we do look out for clues or exploits that are in the wild.

Now, banking..err storing things in your SB. Certainly anything is possible. But by default, nothing should get to your host. If you're invoking templates, printing..etc. that "allow" things to get out, sure..you run that risk. You run that risk anytime you're willingly storing know bad actors.

Sure, ransomware can grab and encrypt your data in your sb. That's known. Again, SBIE wasn't designed to detect that. It's Isolation. I would proffer this is where user and usage consideration would come into play. Don't keep sensitive things in your SB that could be hijacked and don't allow the outside access to your sensitive locations and data on your host. Delete that SB routinely.

And in speaking with the the IE Guys, detection won't be added to SBIE. The $, need, resources are not there. And that's not what SBIE was ever designed to do. If that is wanted/needed, the IE product would be the progression. But that's aimed at Enterprise, and not a home type of user.

[Rasheed187]

SBIE is only designed to isolate/contain. Nothing has been found to break out of the sandbox (knock on wood) at this time, when known, not matter how impossible that may be or exist, we address that. Is anything 100% safe when online. Of course not. Nothing is. SBIE mitigate that risk? Absolutely.

Like I mentioned, we had a bounty with people who do and attempt to do just that..and they could not. ((knock on wood)) And we have 100s of thousands of SBIE users, and you guys in the forum who I know...Especially when a new Beta is announced, Bo is usually the one to mention it in Wilders. We know you guys test and look over each and every bit. We want that.

And in speaking with the the IE Guys, detection won't be added to SBIE. The $, need, resources are not there. And that's not what SBIE was ever designed to do. If that is wanted/needed, the IE product would be the progression. But that's aimed at Enterprise, and not a home type of user.

Cool to know that bounty/bug hunters are testing SBIE. And yes, I understand it would cost time and money to add such a feature. Like I said, it's best to combine SBIE with other tools, SBIE is doing the isolation, others are doing (most of) the blocking, so that malicious code can't run. About Wilders Security, we had this huge discussion about if it makes sense to protect Chrome with SBIE, end conclusion: yes it makes sense.