Advice Request AppGuard + ERP + Sandboxie = A Strong Combo?

[Wraith]

As the title suggests will these three make a strong combo? People here at MT recommends this setup and calls it bullet-proof. Recently Sandboxie seems to be having issues with Chrome and Windows 10.

 

[JM Safe]

A strong combo for sure. If Sandboxie gives you problems just download the Beta version.

 

[Deleted Member 3a5v73x]

AppGuard with hardened policy without ERP. Sandboxie doesn't hurt, just keep an eye for the latest updates.

Research about LOLBins and make most out of the AppGuard.

 

[Duotone]

It's still a solid combo only problem is with updates on chrome, windows, etc... SBIE will surely have some issue, but there is always the beta.

With regards to Appguard like @davisd says you can either go hardened policy, and/or use ERP if you want to add vulnerable processes, but I prefer AG+OSArmor for ease of use.

NOTE:

hjlbx
While you can add those processes to User Space in AppGuard, that means they will always be blocked - with no way for the user to Allow - unless you go to User Space tab and select No.

From a practical standpoint, it is better to add them - if you wish - to NVT ERP's vulnerable process list and run in Alert Mode. This way, if one of the processes is executed, NVT ERP will generate an alert from within you can select Allow or Block.

P.S: hardened policy @ locked down blocks a lot of stuff.

 

[Andy Ful]

It is that kind of security like wearing three kinds of bulletproof vests. Some parts of your body will be very, very safe, but some will not be covered at all.

Pros.

1. Good for learning different kinds of security (SRP, Anti-Exe, Sandboxing).
2. Can be tweaked to be very, very strong against drive-by attacks.
3. Flexible, highly configurable.
4. Can stop most malware samples in the home environment.

Cons.

1. Low ratio of security advantages to compatibility/stability issues (especially on Windows 10).
2. Pretty much redundant.
3. Much effort has to be put in finding the reasonable settings.
4. Not usable for most people.

The setup does not cover in-memory fileless attacks from the network, or many similar attacks when the payload is run via Windows Registry, .NET DLLs or reflective DLL injections, etc., but they are not important in the home environment.

 

[Deleted member 178]

My "bulletproof" combo is Appguard + OSA or ERP + HMPA + REHIPS or sandboxie.
All vectors are covered.

If you don't have HMPA, learn to tweak Windows Exploit Guard.

 

[shmu26]

ReHIPS is like ERP + Sandboxie, and it has less compatibility issues -- Windows updates and browser updates do not affect ReHIPS, in my experience.
If you have AppGuard + ReHIPS, and you know how to configure and use them, you have a very strong setup.
It is true that ERP has stronger anti-exe than ReHIPS does (ReHIPS is first and foremost for sandboxing), but AppGuard has you covered there, as long as you configure it properly.
In truth, each one of these apps is a bulletproof vest, when configured and used properly, as @Andy Ful said. I would be interested to hear what Andy suggests for covering the other parts of the body...

 

[Deleted member 178]

@shmu26 yes it is why i love Rehips way more than Sandboxie.

 

[Wraith]

Yes you are all right about configuring these apps. AppGuard once configured properly, beats out ERP and Sandbox. Many people at MT seem to Recommend the combo that I mentioned in this thread. But IMO I think that Appguard is sufficient alone if set up properly. I personally use AppGuard with SpyShelter Premium and ESET Internet Security. It has been running smoothly and consumes less resources too, although I have a strong feeling that with AppGuard even SpyShelter Premium is not needed.

 

[Andy Ful]

Yes you are all right about configuring these apps. AppGuard once configured properly, beats out ERP and Sandbox. Many people at MT seem to Recommend the combo that I mentioned in this thread. But IMO I think that Appguard is sufficient alone if set up properly. I personally use AppGuard with SpyShelter Premium and ESET Internet Security. It has been running smoothly and consumes less resources too, although I have a strong feeling that with AppGuard even SpyShelter Premium is not needed.

Either Eset + ApGuard or Eset + SpyShelter would be enough. More important is a proper configuration (attack surface reduction) than adding another security applications.

The cautious users are pretty much safe if they can:

• open the unsafe files (from the Internet or removable sources) in the properly restricted environment or blocks them (if not needed, like scripts);
• disable SMB protocols, and remote services;

It is not especially important if SRP or Anti-Exe, or Sandboxing, is used for that. That is usually, also a strong anti-exploit prevention, because the exploit is unarmed in the restricted environment or cannot be executed, or if executed, then cannot run/download something else.
Things are more complicated with the kernel exploits, but fortunately, Windows Updates can provide the sufficient protection, so far.

In-memory attacks (from the network) are dangerous for organizations and for the people, who use the public networks. In the second case the strong firewall should be sufficient.
In the case of organizations, the ATP features will be required, which are
based on: Memory Isolation + Memory & Network Monitoring + Machine Learning & Artificial Intelligence + Credential Protection + Data Encryption, etc.

 

[Andy Ful]

I would be interested to hear what Andy suggests for covering the other parts of the body...

Probably nothing in the home environment.

 

[shmu26]

In-memory attacks (from the network) are dangerous for organizations and for the people, who use the public networks. In the second case the strong firewall should be sufficient.

Thanks, Andy. What in your opinion constitutes a strong firewall? Is Comodo such a firewall?

 

[Andy Ful]

Thanks, Andy. What in your opinion constitutes a strong firewall? Is Comodo such a firewall?

Yes, also Windows 10 Firewall Control (Sphinx Software).

 

[Deleted member 178]

Thanks, Andy. What in your opinion constitutes a strong firewall? Is Comodo such a firewall?

Comodo FW has nothing special, SEP one however is in another league.

 

[JM Safe]

@shmu26 yes it is why i love Rehips way more than Sandboxie.

Umbra come on, enter in the Sandboxie club! (but I must admit I also like tweaking so...)

 

[Deleted member 178]

Umbra come on, enter in the Sandboxie club! (but I must admit I also like tweaking so...)

Using it on my leisure system, because I don't want waste my lifetime license. Lol

 

[JM Safe]

Using it on my leisure system, because I don't want waste my lifetime license. Lol

Then that's right bro

 

[shmu26]

SBIE has certain advantages over ReHIPS. The configuration is more flexible in some ways. But I have found that an app is more likely to work in ReHIPS isolation than in SBIE sandbox.

 

[JM Safe]

SBIE has certain advantages over ReHIPS. The configuration is more flexible in some ways. But I have found that an app is more likely to work in ReHIPS isolation than in SBIE sandbox.

Hey shmu, I think ReHIPS permits some more tweaks than SBIE. SBIE can be tweaked also but less.

 

[Wraith]

You guys are flso full of praise for ReHips that I actually downloaded the software and gave it a try. The demo version has a limit of 10 processes that I can see. So it's not gonna help Chrome. But aside from that it can isolate IE and Office easily in my PC. Also it's relatively easy to configure so far. I just put in on learning mode, launched the apps that I use, then set to Expert mode with lockdown and bingo it's working like a champ.