An unjust criticism of Sandboxie

[yabbadoo]

As a 10 year veteran and super devotee of Sandboxie, I was shocked to read a post written by a 10,000 poster who has adopted the mantle of Super Security Genius Extraordinaire on a Forum I am a member of.

It wrecks everything which I believe and the fundamental principles that Sandboxie stands for. Would some of our geeks please answer the points made so as to compose a logical and informative thread. I will then give this bumhead of an ignoramus the link and he can read your comments himself. His post is as follows :-

===START
Sandboxie provides absolutely no security against most of the issues Windows Update fixes and I find it both ironic and hypocritical that their slogan is "Trust no program" yet they're expecting you to trust it.

And not only is it useless with anything other than web browsing in a glorified incognito mode, the claim of confining threats to the sandbox environment and restricting everything to a virtual environment is a load of rubbish. In a few minutes mucking around with it I've managed to create persistent drive mappings outside the sandbox from inside the 'protected' browser, share the PC's entire hard drive to the world, as well as access any and all personal data of the user running it. And I'm not even a hacker.

Any web browser's built-in sandboxing architecture is far better than this already. Snake oil IMO.
===FINISH

[bo.elam]

Hi yabbadoo. Trust no program. To me, those words are in essence what Sandboxie is about. When we run programs sandboxed, programs run untrusted. So, the message that I get out of those words is that we, Sandboxie users, ought to run all kind of programs and applications sandboxed. By doing so, we ll keep our systems, programs, files and registry intact. To me, its really a simple but powerful message. Those words can mean different things to different people but it didn't take me long after I started using SBIE, to apply the message that I get out of the slogan in how I use Sandboxie.

So, I sandbox just about any program and file that runs in my computer. I pretty much have a rule. If a file its going to run in my computers, its going to run sandboxed until the day it gets deleted. The only question really is in which sandbox its going to run. Usually, that depends what kind of file it is or where the file its located in the computer. I am flexible so sometimes I break my rule but its rare.

That guy with the 10000 posts sounds like a Chrome fanboy who thinks of SBIE as a browser in a sandbox. He knows little about Sandboxie. Is obvious that he doesn't know that sandboxing the browser is for most SBIE users, the starting point when we first start using Sandboxie. But then, we move from that point. Sandboxing the browser is our first taste of what we can do with Sandboxie but then many of us, eventually, move on to also sandbox Office programs, PDF, video players, etc, and not only that, also sandbox, our CD and DVD dives as well as USB drives. Sandboxie is a package.

I used Sandboxie now for 6 years, to this day, I never had anything escape the sandbox. That to me is proof that this little program called Sandboxie is the real thing. It really works. If he searches for real world sandbox escapes, he wont find any. Thats huge.

Bo

[Curt@invincea]

This guy's statement is full of distortions:

"Sandboxie provides absolutely no security against most of the issues Windows Update fixes " No sandbox (including Chrome's) provides protection against kernel exploits. Are these "most of the issues Windows Update fixes"? Not even close. They are a tiny fraction.

As for the rest of his statement, the default installation of Sandboxie does not hide anything on the user's system. However, this can easily be achieved by closing off whatever you desire. If he has some way to "create persistent drive mappings", he can tell us how to do it.

As for browser sandboxes being better, what happens when you download malware in your webmail, and run it? Does the browser protect you here?

[Mr.X]

For me that "guy" statements are either of an ignorant person or a professional troll to discredit Sandboxie's superiority.
Any case, like in any other scientific endeavor, he must give proof, a solid evidence of what he's talking about, otherwise is pure anecdotal, biased and obscure group of claims which can vanish into thin air, easily.

[Curt@invincea]

There are a bunch of Sandboxie videos on youtube. Here's the one on Cryptolocker. https://www.youtube.com/watch?v=aMtyGNviiRY

Does this look like "the claim of confining threats to the sandbox environment and restricting everything to a virtual environment is a load of rubbish."?

[yabbadoo]

There are a bunch of Sandboxie videos on youtube. Here's the one on Cryptolocker. https://www.youtube.com/watch?v=aMtyGNviiRY

Does this look like "the claim of confining threats to the sandbox environment and restricting everything to a virtual environment is a load of rubbish."?

Curt, your every word is always a treasure to read. The guy is a conceited self opinionated arsehole.

I have given this thread link to the cretin so he can read all your comments for his further education.

[Curt@invincea]

I found the original post. It looks like some Scottish guy that just wants to pick a fight. My heritage is Scottish, so I know how it is. But my ancestors had to leave over 200 years ago because the food over there is just terrible.

[yabbadoo]

I found the original post. It looks like some Scottish guy that just wants to pick a fight. My heritage is Scottish, so I know how it is. But my ancestors had to leave over 200 years ago because the food over there is just terrible.

Curt,

I am amazed how you traced the original post.

Anyway, I hit him right up the kilt by posting the Sandboxie link to this thread for all to see and asked him to tackle you direct and Make your day. The fight has gone out of him like a burst balloon. Not heard a word from him since. I think he is sulking that somebody has actually challenged his balmy waffle and dented his bronze star award and 10,000 posts for being a self appointed Guru on PC security.

[Mr.X]

@qasdfdsaq
If you are seeing this thread, I have something for you. Direct from the horse's mouth, the one who writes and maintain Sandboxie's source code:

Actually, I was not making an analogy. I was trying to point out that we are arguing over semantics. "rely" according to dictionary.com means "to depend on". That definition is highly subjective. All I am saying is that Sandboxie has many safeguards that have nothing to do with built-in Windows security. That's why you can run apps as admin, yet it still can't delete files outside the sandbox. If we "relied" on Windows security, then an admin can do anything he wants.

I quoted Curt's statement if you have some doubts/wrong assumptions about Sbie efficacy due the Windows Kernel bug thing you've already pinpointed quite a lot.

[yabbadoo]

@ Curt and all readers

In 10 years of Sandboxie, I have never seen a bad word aimed at the program. Nothing but compliments.

My own case is also that I have never had a serious infection over that period. Any slight infections that have occurred are almost certain to have been the result of occasions when I simply have to go on the web unsandboxed for specific reasons. Never to surf, just visit trusted sites. I do an AV manual sweep twice each week and never pick much up, just rare insignificant "infections". My present condition is clean and has been for a very long time, thanks to Sandboxie.

But the thread I give below appears to have attracted a glut of anti-Sandboxie idiots. My opinion is that these unintelligent arseholes have paid for some constantly outdated AV and don``t like the thought of having wasted their money.

If you want to ruin that beer you are drinking, have a look at this :-
http://www.cableforum.co.uk/board/38/33 ... ction.html

Honestly, I never imagined that so many dumb-clucks existed.

[bo.elam]

yabbadoo, I think the thing with some of the people in that thread is that they just don't know Sandboxie. Its hard to believe that anyone with thousands of post in internet forums dont know a thing about SBIE but it can happen. You might want to post the links below over there and ask them to listen to Episode 172 of Security now, Leo and Tzuk start talking about Sandboxie at about minute thirty something. And also ask them to watch this video at YouTube. The guy that made the video was unfamiliar with Sandboxie when he made it and looks clumsy but I think, what he says about Sandboxie, is right on the money.
https://www.grc.com/sn/past/2008.htm

https://www.youtube.com/watch?v=GueXMq-Vyi8

When I first discovered Sandboxie and was looking for information about the program, I discovered those links and they kind of got me enthus about Sandboxie. Six years later, I can say that all I heard in the podcast and the video is true.

In case any of your friends at the English forum is reading this thread, I ll tell you, the perfect way, the recommended way of using Sandboxie is to use it along an antivirus. But I can tell you, you can use SBIE on its own if you want to. I have done so for more than four years. For my personal case use, thats the best way of using SBIE. But that doesn't mean that you either use Sandboxie or an antivirus. It doesnt have to be that way. And that is and should be the message that you get when you read the FAQ.

Bo

[Curt@invincea]

They seem to have gotten off the "Sandboxie is rubbish" claim and are now focusing on your 1 sentence about not using Windows update. Of course we recommend people use Windows update. But there is still a lot of incorrect information and wrong assumptions being written in that thread. Of course, I am biased. But facts are facts. Our Freespace product is geared toward enterprise and it is built on top of Sandboxie. Right from the invincea.com homepage: "Trusted by more than 11,000 organizations to combat advanced malware..." Freespace is also branded as Dell Protected Workspace and comes pre-installed on Dell enterprise systems.

Sandboxie has always been geared more toward the home, power-user. However, Sandboxie itself (raw, not Freespace) is also used in many enterprise settings. To say Sandboxie is not used by corporations and does not come pre-installed with any systems is just not correct. And the incorrect assumption that Sandboxie will not block/hide anything on the user's system from the sandbox is being repeated in that thread. You can block drives, folders, files, registry keys, IPC, etc.

As a side note, the TrueType Font vulnerability that is linked in that thread links to MS Security Bulletin https://technet.microsoft.com/library/security/MS15-010. That page and some other MS pages make it sound like MS will not be fixing this in an XP patch. I thought they were still going to be releasing critical fixes for a while. But, if MS is not going to fix this, you can use Sandboxie to completely block T2EMBED.DLL. That is the DLL that leads to the kernel exploit.

[bo.elam]

But there is still a lot of incorrect information and wrong assumptions being written in that thread.

Like that below, written by qasdfdsaq.
http://www.cableforum.co.uk/board/35764985-post43.html

Wrong. Advanced antivirus programs sandbox Windows itself.

Thats a terrible statement. And it shows that guy there don't know a thing about sandboxing and how Sandboxie or antimalware programs that have a sandboxing feature, like Avast, Comodo, do their work. Sandboxing programs don't sandbox Windows, they sandbox programs, files.

Bo

[Curt@invincea]

It is not even possible for a sandbox to sandbox Windows itself. That requires a Virtual Machine. That is the reason sandboxes are vulnerable to kernel exploits -- They can't sandbox Windows.

[Nix]

its another one of those threads!

For someone with years of experience using sandboxie Wittman doesn't know SBIE limitation well enough, making claims of SBIE being impregnable, suggesting not updating MS, nor having an AV(which even Tzuk advice one should have), etc... if not for such claim that conversation wouldn't have dragged on. As for the other guy he did made some point, as do others occasionally pointing out flaws and some of which even POC of a bypass in SBIE which Invincea handled well in fixing.