Need your input for NEW zero config application sandbox

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
To all

In December I have a meeting with Florian, the owner/developer of Excubits, to discuss some ideas for zero config sandboxes. The disadvantage of zero config sandboxes is that you cannot make granular rules. When the rules are tight and narrow you run into exceptions and have to create specific rules to allow these exceptions.

Still, for the average user the attack surface can be restricted significantly without reducing the functionality. To tackle this two-sided sword I would like to have your input and thoughts. When your ideas or suggestions are used you will be rewarded with a lifetime license.

General hardening rules
  1. Restrict ACL access holes in Windows folder
    No execution access to the user-writeable subfolders (holes in the ACL, the Windows Access Control List mechanism) in the Windows directory. This is a tweak which has been on the internet for ages, so it should not give any conflicts.

  2. Restrict access to risky Windows commands
    No execution access to risky commands like 16-bit DOS, cmd.exe, cscript, wscript and powershell from protected programs. These risky commands are also not allowed to be started from user folders.

  3. Limit execution to 'safe' folders for protected programs.
    When you open an attachment in a mail program like Thunderbird, the file extension triggers an installed program to start. To prevent drive-bys, double extensions or other malicious code execution, the 'protected' program is only allowed to execute programs from UAC protected folders (Windows, Program Files and Program Files (x86)).

  4. Limit write access to UAC protected folders (Windows, Program Files) to update service only
    It makes no sense for daily use of application programs (like Thunderbird) to write to 'safe' UAC protected folders. Only the update services of the protected programs would be allowed to write to their default installation folders. Together with rule 3 this effectively puts protected programs in a Limited User sandbox (LUA-box).

  5. Limit write access of internet facing software to Download folder and Desktop
    By simply restricting write access to the download folder and specific AppData files/folders for internet facing software (subset of protected programs), the operating room for malware (e.g. ransomware) is restricted.

  6. Limit execute access of Download folder (and Desktop) to 'safe' parents
    To limit drive-by infection risk only 'safe' parents like Windows Explorer are allowed to execute from Download folder (most programs update using temp folders, so this should not interfere with other updates).

  7. Block executables (MZ-header) located in user folders
    Block executables dropped in all public folders and specific user folders like Documents, Music, Videos and Pictures from running. AppData is not included, for compatibility. This still leaves an AppData 'hole' in the deny execute, but in combination with safe execution of protected programs (rule 3) and write protection of internet facing programs (rule 5) the attack surface is reduced substantially.

  8. Generic priority whitelist for windows update and restore
    For zero config and intended user base, it is better to be safe than sorry, so always allow some critical Windows functions.

Usage drawbacks

  1. Software should be installed in default directories
    Average users normally just click to install. Since this zero config sandbox is targeted at average users, this limitation should be low in practice. Remember that this new sandbox combines the goodies of Bouncer, MemProtect, Pumpernickel, MZ Write Scanner and Command Line Scanner, which are all ini-file managed programs (directed at power users).

  2. User must be made aware that internet facing software can only save files in downloads
    The Excubits products have a tray warning; maybe this could be used specifically for rule 6 to warn and guide the user to save something in the download folder. With this addition this limitation hopefully does not limit the usefulness of this Excubits program.

  3. Exception feature is always needed to deal with unexpected conflicts
    Some sort of exception should be available for problem solving and user assistance in case of conflicts. So this zero config sandbox should still have a mechanism to overrule the default rule set to deal with unexpected conflicts/incompatibilities. A simple screen showing ON-OFF switches per protected program allows the user to turn off protection in case of conflicts for specific 'protected' programs.

What programs to protect?

I was thinking of Office, Internet Explorer and Windows Media Player to target organisations on Windows 7 and Office 2007 not seeing the necessity or having the budget to upgrade to Windows 10/Office 365. For average home users I was thinking of Firefox (has a lot of users), Thunderbird (still a popular email client on desktops), VLC media player (as alternative to WMP) and Libre Office (as alternative to Microsoft Office). Chrome can't be omitted, so will be included also (as Adobe PDF reader thx to @Umbra ).

What pricing and license fee structure is competitive?

This zero config sandbox blend of Excubits programs can best be compared with AppGuard. It also enforces a LUA-sandbox for protected programs (like AppGuard). With MemProtect it probably has stronger exploit protection than AppGuard (probably even stronger than MBAE and HMPA). The user folder protection is simpler (AppGuard's privacy has more configuration options) but in the default setting it is probably stronger (only allowing write access to the Download folder by internet facing software). The deny execute in user folders is more specific (for protected programs and shared folders only) and less restrictive (for user documents/music/photo/video folders) than the generic deny execute of unsigned binaries in AppGuard's default setting.

Excubits' current pricing model is 12 euro for a lifetime license. Other Excubits programs are all controlled by user defined ini-config files. A zero config program needs central updating of the configuration files. Compared to AppGuard a lifetime license fee of 10 euros is a bargain, with mandatory first year support of 2 euros. This would total first year's license costs to 'only' 12 euro (10+2). To receive configuration file updates an annual fee of 2 euros is asked. Would that sound reasonable?


PLEASE FEEL FREE TO POST SUGGESTIONS AND IDEAS
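To make the interplay of the eight rules concrete, here is an added Python model of the rule set, constructed for this thread and not code from Excubits or the thread author. Every folder path, program name and the updater.exe process are assumptions, and the evaluation order (rule 8 first, then rules 1, 2, 6, 7, 3 for execution and 4, 5 for writes) is an editorial choice; the model treats every execution target as an MZ executable.

```python
import ntpath

# Constructed model of the eight rules; every path and program name below is an
# illustrative assumption, not a real Excubits or AppGuard configuration.
USER_DIR = r"c:\users\alice"
UAC_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
ACL_HOLES = (r"c:\windows\temp", r"c:\windows\tasks")        # rule 1: user-writeable holes
USER_ROOTS = (USER_DIR, r"c:\users\public")
USER_NOEXEC = tuple(ntpath.join(USER_DIR, d) for d in        # rule 7 folders
                    ("documents", "music", "videos", "pictures")) + (r"c:\users\public",)
DOWNLOAD_DIRS = (ntpath.join(USER_DIR, "downloads"), ntpath.join(USER_DIR, "desktop"))
APPDATA = ntpath.join(USER_DIR, "appdata")
PROTECTED = {"thunderbird.exe", "firefox.exe", "chrome.exe", "winword.exe", "vlc.exe"}
INTERNET_FACING = {"thunderbird.exe", "firefox.exe", "chrome.exe"}  # subset of PROTECTED
SAFE_PARENTS = {"explorer.exe"}                                     # rule 6
UPDATERS = {"updater.exe"}                                          # rule 4 (hypothetical)
RISKY = {"command.com", "cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
WIN_UPDATE = {"wuauclt.exe", "trustedinstaller.exe"}                # rule 8 priority whitelist


def _under(path, roots):
    """True if path lies inside one of the (lower-case, backslash) root folders."""
    p = ntpath.normcase(path)
    return any(p == r or p.startswith(r + "\\") for r in roots)


def decide(parent, action, target):
    """Evaluate one event: parent = full path of the acting process, action =
    'execute' or 'write', target = file acted upon. Returns (verdict, rule)."""
    pname = ntpath.basename(parent).lower()
    tname = ntpath.basename(target).lower()
    if pname in WIN_UPDATE:                                   # rule 8 always wins
        return ("allow", 8)
    if action == "execute":
        if _under(target, ACL_HOLES):                         # rule 1
            return ("deny", 1)
        if tname in RISKY and (pname in PROTECTED or _under(parent, USER_ROOTS)):
            return ("deny", 2)                                # rule 2
        if _under(target, DOWNLOAD_DIRS):                     # rule 6: safe parents only
            return ("allow", 6) if pname in SAFE_PARENTS else ("deny", 6)
        if _under(target, USER_NOEXEC):                       # rule 7: MZ in user folders
            return ("deny", 7)
        if pname in PROTECTED and not _under(target, UAC_DIRS):
            return ("deny", 3)                                # rule 3: the LUA-box
        return ("allow", None)                                # e.g. the AppData 'hole'
    if action == "write":
        if _under(target, UAC_DIRS):                          # rule 4: updaters only
            return ("allow", 4) if pname in UPDATERS else ("deny", 4)
        if pname in INTERNET_FACING and not _under(target, DOWNLOAD_DIRS + (APPDATA,)):
            return ("deny", 5)                                # rule 5
        return ("allow", None)
    raise ValueError("unknown action: " + action)


if __name__ == "__main__":
    chrome = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
    print(decide(chrome, "execute", USER_DIR + r"\Downloads\setup.exe"))  # ('deny', 6)
    print(decide(r"C:\Windows\explorer.exe", "execute", USER_DIR + r"\Downloads\setup.exe"))
```

Running it over a few events shows why the thread's YourMovie.avi.exe case is caught twice (rule 6 in Downloads, rule 7 in Documents) while an executable dropped in AppData is only stopped when a protected program tries to run it.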
 

Deleted member 178

And is there an option to facilitate portable apps deployments?

I mostly use portable apps and it saved me from a lot of issues.
 

Windows_Security

And is there an option to facilitate portable apps deployments?

I mostly use portable apps and it saved me from a lot of issues.

Portable programs are usually installed by 'educated' PC users, so they would be outside the targeted user group. So my first reaction would be no; on the other side, portable programs should be easy to sandbox, so which portable do you have in mind?
 

Deleted member 178

Not saying I never save to the default locations (simply said, I don't put any of my files on C).
So if the developer allows some "advanced user" mode, it will be more than welcome.
 

Windows_Security

Torrent clients, Notepad++ for the average user? Most browsers handle PDFs, so why need a PDF reader? Adobe is installed on many corporate PCs and is probably the most common PDF reader, so Adobe and Foxit would be candidates.
 

Deleted member 178

My question was more like:
1- Can I simply set and protect any kind of portable app with this software? (i.e. navigate to the executable location and add it to the list of protected apps)
2- If not, will there be an "advanced mode" to do it?

About the price it is more than correct.

A zero config program needs updating of the configuration files centrally
I guess online updates?

I think comparing it with Appguard as Home user solution is irrelevant now, since Appguard officially moved away from home user market and its price is way above yours, which is good for you :p
 

Windows_Security

Umbra,

Florian did not want to build a complex user interface for this 'experiment' he is considering. Adding a program using file/folder select is not the problem. Testing and adding exception rules for that 'added' program is the problem. When a program has an option, some people are going to use it. When they run into problems they 'cost' manpower for support and possibly generate bad reviews when they lack the knowledge to configure it. Therefore an advanced mode for the 'stable' production version is not an option.

For development we need to find some enthusiasts with sufficient knowledge (like WildByDesign and you, for example) who have sufficient knowledge to define rules and sufficient backup knowledge and tools to recover from disasters. The 'power user/debugging' version would have an ini file configuration similar to existing Excubits products. This configurable version would not have a user interface either. Managing ini-files requires knowledge close to writing scripts and simple programming logic. This knowledge hurdle should prevent this power user development version from being used by people without sufficient knowledge.

So you would qualify for a version with advanced mode capabilities, but average end user would not be able to get or download one (power user by invitation only).

Well, Office 2007 end of life and BlueRidge stopping with the home user market are opportunities :) AppGuard developed into a tool with too many user options. Because it is a great product, their user base acted as referrers to other users. This attracted users for which AppGuard was too complex, which generated too much cost for user support (at least that is my guess). When a competitor leaves the playing field and a new player wants to enter it, there has to be something the new player does differently: the zero config with no advanced mode is what Excubits would do differently.

What do you think about the license structure: lifetime license for 10 with annual config support (and config updates) for 2 euros?
 

Deleted member 178

Umbra,

Florian did not want to build a complex user interface for this 'experiment' he is considering. Adding a program using file/folder select is not the problem. Testing and adding exception rules for that 'added' program is the problem. When a program has an option, some people are going to use it. When they run into problems they 'cost' manpower for support and possibly generate bad reviews when they lack the knowledge to configure it. Therefore an advanced mode for the 'stable' version is not an option.
Noted, I just asked about portable apps because some average users I know use them.

For development we need to find some enthusiasts with sufficient knowledge (like WildByDesign and you, for example) who have sufficient knowledge to define rules and sufficient backup knowledge and tools to recover from disasters. The 'power user/debugging' version would have an ini file configuration similar to existing Excubits products. This configurable version would not have a user interface either. Managing ini-files requires knowledge close to writing scripts and simple programming logic. This knowledge hurdle should prevent this power user development version from being used by people without sufficient knowledge.
So you would qualify for a version with advanced mode capabilities, but average end user would not be able to get or download one (power user by invitation only).
Indeed, more adapted for us :)

Well, Office 2007 end of life and BlueRidge stopping with the home user market are opportunities :) AppGuard developed into a tool with too many user options. Because it is a great product, their user base acted as referrers to other users. This attracted users for which AppGuard was too complex, which generated too much cost for user support (at least that is my guess).

Correct guess ;)
I won't say AG was too complex, but some users took it as an anti-exe and tried to nullify its alerts by creating rules which reduce security. Alerts which are normally expected and welcomed.

When a competitor leaves the playing field and a new player wants to enter it, there has to be something the new player does differently: the zero config with no advanced mode is what Excubits would do differently.
I think it is a huge opportunity for Excubits; there are almost no contenders in this area, most are anti-exe which are less restrictive than this project (a nice and easy to remember name would be welcome :p )

What do you think about the license structure: lifetime license for 10 with annual config support (and config updates) for 2 euros?
10+2 is a good pricing plan, very cheap and affordable to me. I guess those annual config updates are for adding/updating the list of software?
If that pricing plan can cover the development/marketing/support, it is perfect.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
For me it would be nice when it could also sandbox programs on other drives. Since my SSD is my system disk and some other programs are on an HDD, I would like to protect them also. Programs I would like protected are Winamp, VLC, SABnzbd, Vivaldi, Opera. In short: more browsers please, and more media players and other office products (like LibreOffice, Ashampoo Office and so on). Maybe take a look at the VoodooShield protected list.
For me 2 euro after the initial buy sounds fair.
 

Windows_Security

The idea is to get some power users involved who could become product advisers, so they get some return out of their time and involvement. Thorough testing of config files is crucial to minimize support cost. Having many power users would also make it possible to increase the number of protected programs. @Umbra the 2 euro is indeed for the updated config list. Existing users would benefit when more programs are covered. So getting power users involved would be a critical success factor to scale up the number of programs protected, like @Freki123 suggests.

Another idea to reduce marketing costs would be rewarding user-referred sales. I have not figured that out yet (legal and tax consequences). But an option could be that when someone buys a license and uses the customer ID number of an existing customer as referral, the existing customer would be granted a year of support worth 2 euro. Besides referral, a demo version would be available. The demo would not block anything, but log when the sandbox would have blocked something. This would make the demo version a nice intrusion detection addition for many users (which should generate traffic).
 

Freki123

@Windows_Security Never forget even novice users use torrents, and they are the ones that often get the problems with viruses. Yourmovie.avi.exe seems legit, it has "avi" in it ;) Download file, click next next next and you just installed whatever. Also please remember novice users often have family members that help them with their PC stuff, and they could try to avoid Adobe PDF as a reader or editor and install other PDF readers/editors to minimize vulnerability.
 

Windows_Security

@Freki123 when YourMovie.avi.exe is downloaded to the Downloads folder or My Movies, the execution would still be blocked by rules 6 and 7. But I get your point. For a 'Go 2 Market' it is important to start with a basic set. With more power users, more config files can be tested. So that is really determining the pace/tempo of programs covered.

EDIT: qBitTorrent would be the best candidate considering it is open source and contains no ads
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
For home users on Windows 8+, I would not block execution of EXE and MSI files (the other MZ files should be blocked) related to points 3, 6, 7, but would make use of an obligatory SmartScreen Application Reputation check. If so, then the restrictions for EXE and MSI files related to point 5 may be narrowed to UAC protected folders.
This will make the Sandbox more usable, without losing much security.
Edit.
Malware can download files, which normally are not recognized by SmartScreen Application Reputation as coming from the Internet. That is why the SmartScreen Application Reputation has to be directed by the Sandbox to consider those files.
 

Andy Ful

@Andy Ful Thanks, I have to look into your trick to force the application reputation check
It is very simple. The Sandbox can monitor the dropped files (like MZWriteScanner), and before execution it should add the simple NTFS alternate stream to them, similarly to what web browsers usually do. Some problems have to be overcome, because the parent process (malware) can try to block access to the dropped file.
Edit
The execution may then be blocked by the Sandbox if the EXE or MSI file triggers a SmartScreen alert.
 

overdivine

Level 2
Verified
Aug 21, 2013
90
Rules
1, 2, 3, 8: OK
4: I want program settings that I change to be remembered when I start the program again
5, 6: should add the Desktop folder; a lot of people save files on the desktop, mostly docs and exes
7: except Desktop

Drawbacks
1: OK
2: if adding the Desktop folder is out of the question, I guess it's OK the way it is

Programs to protect
Top browsers, Windows Media Player, top PDF readers, uTorrent, Office

If I have 5 PCs at home, do I pay 5x12+5x2 (for each year)? Or 5x12+2 (for each year), because the config is the same?

Maybe add an option to pay, let's say, 40 (10+2)+(2x20years)-discount, so you never have to worry about renewing.
 

Andy Ful

Many things that this Sandbox (with obligatory SmartScreen) can offer are implemented in Hard_Configurator, except the very good idea of protected programs and extended write access restrictions. Furthermore, the Sandbox will use a kernel minifilter, which is much stronger than the Windows built-in SRP at the post-exploitation stage. So I think that such a Sandbox will be more comprehensive than the free Hard_Configurator.
The price is very attractive. Thanks for sharing this idea with MalwareTips members. :)
 

Windows_Security

@overdivine

I initially discussed micro licenses per device (say 1.95 euro), but that is not possible now (because there is no large user base yet) when looking at the cost and manpower to combine the existing drivers and software into one application. The number of devices is a good question. I have listed your question and will discuss this with Florian.

Thanks for bringing this up (and also for the desktop suggestion).
 
