Advice Request AppGuard + ERP + Sandboxie = A Strong Combo?


Wraith
As the title suggests, will these three make a strong combo? People here at MT recommend this setup and call it bullet-proof. Recently Sandboxie seems to be having issues with Chrome and Windows 10.
 

Duotone
It's still a solid combo; the only problem is with updates on Chrome, Windows, etc. SBIE will surely have some issues, but there is always the beta.

With regards to AppGuard, like @davisd says, you can either go hardened policy and/or use ERP if you want to add vulnerable processes, but I prefer AG+OSArmor for ease of use.

NOTE (quoting hjlbx):
While you can add those processes to User Space in AppGuard, that means they will always be blocked, with no way for the user to Allow, unless you go to the User Space tab and select No.

From a practical standpoint, it is better to add them, if you wish, to NVT ERP's vulnerable process list and run in Alert Mode. This way, if one of the processes is executed, NVT ERP will generate an alert from which you can select Allow or Block.

P.S.: hardened policy at Locked Down blocks a lot of stuff.
 

Andy Ful
It is that kind of security like wearing three kinds of bulletproof vests. Some parts of your body will be very, very safe, but some will not be covered at all.

Pros:
  1. Good for learning different kinds of security (SRP, Anti-Exe, Sandboxing).
  2. Can be tweaked to be very, very strong against drive-by attacks.
  3. Flexible, highly configurable.
  4. Can stop most malware samples in the home environment.

Cons:
  1. Low ratio of security advantages to compatibility/stability issues (especially on Windows 10).
  2. Pretty much redundant.
  3. Much effort has to be put into finding reasonable settings.
  4. Not usable for most people.

The setup does not cover in-memory fileless attacks from the network, or many similar attacks when the payload is run via Windows Registry, .NET DLLs or reflective DLL injections, etc., but they are not important in the home environment.
 

shmu26
ReHIPS is like ERP + Sandboxie, and it has fewer compatibility issues: Windows updates and browser updates do not affect ReHIPS, in my experience.
If you have AppGuard + ReHIPS, and you know how to configure and use them, you have a very strong setup.
It is true that ERP has stronger anti-exe than ReHIPS does (ReHIPS is first and foremost for sandboxing), but AppGuard has you covered there, as long as you configure it properly.
In truth, each one of these apps is a bulletproof vest, when configured and used properly, as @Andy Ful said. I would be interested to hear what Andy suggests for covering the other parts of the body...
 

Wraith
Yes, you are all right about configuring these apps. AppGuard, once configured properly, beats out ERP and Sandboxie. Many people at MT seem to recommend the combo that I mentioned in this thread, but IMO AppGuard is sufficient alone if set up properly. I personally use AppGuard with SpyShelter Premium and ESET Internet Security. It has been running smoothly and consumes fewer resources too, although I have a strong feeling that with AppGuard even SpyShelter Premium is not needed.
 

Andy Ful
Wraith said:
Yes, you are all right about configuring these apps. AppGuard, once configured properly, beats out ERP and Sandboxie. Many people at MT seem to recommend the combo that I mentioned in this thread, but IMO AppGuard is sufficient alone if set up properly. I personally use AppGuard with SpyShelter Premium and ESET Internet Security. It has been running smoothly and consumes fewer resources too, although I have a strong feeling that with AppGuard even SpyShelter Premium is not needed.

Either ESET + AppGuard or ESET + SpyShelter would be enough. A proper configuration (attack surface reduction) is more important than adding other security applications.

Cautious users are pretty much safe if they can:
  • open unsafe files (from the Internet or removable sources) in a properly restricted environment, or block them (if not needed, like scripts);
  • disable SMB protocols and remote services.
It is not especially important whether SRP, Anti-Exe, or Sandboxing is used for that. That is usually also strong anti-exploit prevention, because the exploit is unarmed in the restricted environment or cannot be executed, or, if executed, cannot run/download something else.
Things are more complicated with kernel exploits, but fortunately Windows Updates can provide sufficient protection, so far.

In-memory attacks (from the network) are dangerous for organizations and for people who use public networks. In the second case a strong firewall should be sufficient.
In the case of organizations, ATP features will be required, which are based on: Memory Isolation + Memory & Network Monitoring + Machine Learning & Artificial Intelligence + Credential Protection + Data Encryption, etc.
 
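One way to check the second item on that list (SMB protocols and remote services) on a home PC, as an added PowerShell example that is not part of the thread. It assumes an elevated PowerShell session on Windows 10; the -Remediate switch and the choice of services to audit (Remote Registry, WinRM, Remote Desktop) are the example's own assumptions.

```powershell
# Added example (not from the thread): audit the SMB and remote-service settings
# discussed above and optionally fix them. Assumes Windows 10, elevated PowerShell.
param([switch]$Remediate)

$findings = @()

# SMB1 is the legacy dialect worth removing; SMB2/3 stays for normal file sharing.
$smb     = Get-SmbServerConfiguration
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb.EnableSMB1Protocol -or $feature.State -eq 'Enabled') {
    $findings += 'SMB1 protocol is enabled'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}
if (-not $smb.RequireSecuritySignature) {
    $findings += 'SMB signing is not required'
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

# Remote services a single home PC rarely needs (assumed list; TermService = Remote Desktop).
$remoteServices = 'RemoteRegistry', 'WinRM', 'TermService'
foreach ($name in $remoteServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        $findings += "$name service is $($svc.Status) (start type $($svc.StartType))"
        if ($Remediate) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

# Remote Desktop is also gated by a registry value: 1 means incoming RDP connections are denied.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp   = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -ne 1) {
    $findings += 'Remote Desktop connections are allowed'
    if ($Remediate) { Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 }
}

# Report: one line per finding, or a clean bill of health.
if ($findings.Count -eq 0) { 'No findings: SMB1 off, signing required, remote services disabled.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without the switch first to see what it would change; disabling SMB1 via the optional feature takes effect after a reboot.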

shmu26
Andy Ful said:
In-memory attacks (from the network) are dangerous for organizations and for people who use public networks. In the second case a strong firewall should be sufficient.

Thanks, Andy. What in your opinion constitutes a strong firewall? Is Comodo such a firewall?
 

JM Safe
shmu26 said:
SBIE has certain advantages over ReHIPS. The configuration is more flexible in some ways. But I have found that an app is more likely to work in ReHIPS isolation than in the SBIE sandbox.

Hey shmu, I think ReHIPS permits some more tweaks than SBIE. SBIE can be tweaked also, but less.
 

Wraith
You guys are so full of praise for ReHIPS that I actually downloaded the software and gave it a try. The demo version has a limit of 10 processes that I can see, so it's not gonna help Chrome. But aside from that it can isolate IE and Office easily on my PC. Also it's relatively easy to configure so far. I just put it in learning mode, launched the apps that I use, then set it to Expert mode with lockdown, and bingo, it's working like a champ.
 