Need your input for NEW zero config application sandbox

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
My thoughts,

Rule 1: what happens if a program needs to write to the temp folder?

A new rule could be defined: only allow signed software to run. This would cut down on the amount of malware that could be run (not all malware needs admin access, and how many of them would be signed?). This would be a simple on/off switch. This is different to what was said above though.
 
Reactions: Handsome Recluse

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
From the anti-malware point of view, the 'blocking of the unsigned' rule is very good. A similar, less restrictive setting is incorporated in UAC (blocking elevation when unsigned). But the average users do not like the anti-malware point of view, and strongly prefer usability over security, so they do not use such settings. Microsoft saw this and discovered SmartScreen Application Reputation. :)
But even in the case of SmartScreen, its potential was reduced to checking only files downloaded through the web browser, OneDrive, and the Windows Store. Why? For usability, of course. So any malware downloader can bypass this (for example a PowerShell script). :(
The well-balanced solution between security and usability is adopting obligatory SmartScreen Application Reputation to check any EXE, MSI, SCR, COM, CPL, JSE, VBE, BAT, CMD, DLL, OCX files on the run, in the user area.
 
Reactions: Handsome Recluse

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
If I could make the Sandbox with obligatory SmartScreen, I would incorporate a local hash base for executables in the user area that were accepted by SmartScreen. So the user could use the programs while avoiding unnecessary checking (Microsoft servers will be happy), and also when the computer is not connected to the Internet.

Edit.
Anyway, the 'blocking unsigned' switch could be useful when the computer is not connected to the Internet, for securing against new files (from pendrive, USB disk, memory card, ...).
 
Reactions: Handsome Recluse
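As an added illustration of the two ideas above (a signed-only check over the extension list from the earlier post, plus a local hash base so files already accepted are not re-checked, even offline), here is a PowerShell inventory script. It is example code written for this thread, not code from Excubits, Hard_Configurator or the proposed JAIL program. It assumes the user area is `%USERPROFILE%`, keeps the allowlist at a hypothetical `%LOCALAPPDATA%\jail-allowlist.txt`, and uses a valid Authenticode signature as a stand-in for a SmartScreen verdict, because SmartScreen's reputation result is not available to a local script.

```powershell
# Added example (not from the thread, Excubits or Hard_Configurator): inventory
# executables and scripts in the user area, check their Authenticode signature,
# and keep a local SHA256 allowlist so accepted files are skipped on later runs.
# The user area, allowlist path and file list are assumptions for illustration.

$UserArea   = $env:USERPROFILE
$Allowlist  = Join-Path $env:LOCALAPPDATA 'jail-allowlist.txt'   # hypothetical location
# Extension list taken from the SmartScreen proposal earlier in the thread.
$Extensions = '*.exe','*.msi','*.scr','*.com','*.cpl','*.jse','*.vbe','*.bat','*.cmd','*.dll','*.ocx'

# Load previously accepted SHA256 hashes (one per line) into a set for fast lookup.
$Accepted = New-Object 'System.Collections.Generic.HashSet[string]'
if (Test-Path $Allowlist) {
    Get-Content $Allowlist | ForEach-Object { [void]$Accepted.Add($_.Trim()) }
}

function Test-UserAreaFile {
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # Hash base hit: accepted on an earlier run, no signature check needed (works offline).
    if ($Accepted.Contains($hash)) {
        return [pscustomobject]@{ Path = $Path; Hash = $hash; Status = 'cached'; Signer = $null }
    }
    # Authenticode check: only a chain that validates counts as 'signed'.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $status = if ($sig.Status -eq 'Valid') { 'signed' } else { 'unsigned' }
    return [pscustomobject]@{ Path = $Path; Hash = $hash; Status = $status; Signer = $sig.SignerCertificate.Subject }
}

$results = Get-ChildItem -Path $UserArea -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    ForEach-Object { Test-UserAreaFile -Path $_.FullName }

# Record newly accepted (validly signed) files so the next run skips them.
$results | Where-Object Status -eq 'signed' | ForEach-Object { $_.Hash } | Add-Content -Path $Allowlist

# Summary, then the files a 'block unsigned' switch would stop.
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object Status -eq 'unsigned' | Select-Object Path, Hash
```

Two caveats for anyone adapting this: a valid signature only proves the publisher's chain verifies, not that the publisher is trustworthy, so it is a weaker bar than a reputation service; and a hash base keyed on SHA256 is only as good as the write protection on the allowlist file, which a standard-user process can edit unless the file sits outside the user area.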

Cch123

Level 7
Verified
May 6, 2014
335
Is using hardware virtualization (VT-x, AMD-V) part of the considerations of the feature set? It is far more secure than using kernel drivers to enforce separation of processes. Since the program is for average users, it is unlikely that they'll be using another program which uses these registers at the same time to cause conflicts. Most modern workstations have them available too.
If this is implemented it'll be unique for a product geared towards the home user.
 

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Is using hardware virtualization (VT-x, AMD-V) part of the considerations of the feature set? It is far more secure than using kernel drivers to enforce separation of processes. Since the program is for average users, it is unlikely that they'll be using another program which uses these registers at the same time to cause conflicts. Most modern workstations have them available too.
If this is implemented it'll be unique for a product geared towards the home user.
A better idea maybe is to have both options so that power users who use VMware player etc can still use this product as well.
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
464
For browsers will this include an option to automatically delete its content upon closing the program for privacy, without interfering with extension/bookmarks/browser being updated?!

Also, is it possible for browsers to have only specific folders they can access, or if a file is to be sent, an option in the context menu to allow temporary access permission to that file?
 
Reactions: frogboy

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
@Overdine Maybe this UAC setting request could be implemented faster by asking this GitHub project: GitHub - securitywithoutborders/hardentools: Hardentools is an utility that disables a number of risky Windows features.
There may be a problem with it. Hardentools makes registry tweaks (for usability) only in HKU or HKCU registry keys, so they are active only for the concrete account. This is useful but not especially strong hardening, because those registry keys can be modified by malware running as a standard user. The 'Block unsigned elevation' UAC setting is under an HKLM registry key, and can be modified / bypassed only with administrative rights.
 
Reactions: Handsome Recluse
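The HKLM-versus-HKCU point above can be checked directly. The PowerShell audit below is an added example for this thread, not code from Hardentools or Hard_Configurator. It reads the UAC policy value `ValidateAdminCodeSignatures` (the 'Only elevate executables that are signed and validated' setting, stored under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`) and then asks the registry for write access to that HKLM key and to an HKCU key, which shows why a per-user tweak can be undone by a standard-user process while the HKLM policy cannot; the `HKCU\Software` path used for the comparison is just a convenient per-user key, and nothing is modified.

```powershell
# Added example (not from the thread, Hardentools or Hard_Configurator): audit the
# UAC 'only elevate signed and validated executables' policy and compare write
# access to its HKLM key with write access to a per-user HKCU key. Read-only.

$PolicySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyKey    = "HKLM:\$PolicySubKey"
$ValueName    = 'ValidateAdminCodeSignatures'   # DWORD 1 = block elevation of unsigned executables

function Get-UnsignedElevationPolicy {
    # Reading HKLM works for any user; only writing needs an administrative token.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)          { return 'not configured (default: unsigned elevation allowed)' }
    if ($item.$ValueName -eq 1)   { return 'enabled (unsigned elevation blocked)' }
    return 'disabled (unsigned elevation allowed)'
}

function Test-CanWriteKey {
    # Ask for the key with write access; the registry ACL decides, no data is changed.
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)   # $true requests write access
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        return $false                              # SecurityException: no write access
    }
}

$hklmWritable = Test-CanWriteKey -Hive ([Microsoft.Win32.Registry]::LocalMachine) -SubKey $PolicySubKey
$hkcuWritable = Test-CanWriteKey -Hive ([Microsoft.Win32.Registry]::CurrentUser)  -SubKey 'Software'

"UAC $ValueName : $(Get-UnsignedElevationPolicy)"
"Write access to HKLM policy key (needs admin): $hklmWritable"
"Write access to HKCU\Software (any user):      $hkcuWritable"
```

Run as a standard user the last two lines come out as `False` / `True`, which is exactly the difference between a per-user tweak that malware in the same account can revert and a machine-wide policy that it cannot touch without elevation.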

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
For browsers will this include an option to automatically delete its content upon closing the program for privacy, without interfering with extension/bookmarks/browser being updated?!

'Sandbox' is an ambiguous and clouded term. AppContainer integrity level is for instance called a (policy) sandbox, but a virtualisation program like Sandboxie is also called an (application) sandbox. This new sandbox is more a policy sandbox; to prevent confusion let's call this new policy hardening sandbox not a sandbox but a JAIL.

Also, is it possible for browsers to have only specific folders they can access, or if a file is to be sent, an option in the context menu to allow temporary access permission to that file?

Browsers have only read access to all data, except for a few specific folders, like your download folder and desktop and some of their own AppData folders (where they store extensions and bookmarks)
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
464
Thanks for the clarification...

Browsers have only read access to all data, except for a few specific folders, like your download folder and desktop and some of their own AppData folders (where they store extensions and bookmarks)

So something like limiting read access to desktop, and other drives is not possible?!
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
464
Could AutoCAD and WinRAR also be included in the list of programs? So this sandbox would be like a policy sandbox/anti-exploit thing?!

To receive configuration file updates an annual fee of 2 euros is asked. Would that sound reasonable?

Sounds reasonable... my only problem would be the conversion factor.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Umbra mentioned it earlier, this new program needs a catchy, easy to understand name. So bear with me:

This new application prevents 100% of the vulnerabilities of the programs it protects (blocking all exploits); additionally it makes life hard for script based attacks and drive-by infections and helps to prevent shoot-in-the-foot errors (unintended program start) by users, effectively closing the operating room for ransomware. Except for the exploit jail, most of the hardening rules are not a 100% protection (because it needs to be easy to use), but the compilation of the different rules makes it very unlikely for any kind of malware to intrude or damage the system.

Because Florian mentions MemProtect as an exploit cage, a Linux policy sandbox is named FireJail and a script sandbox on Windows is called MalwareJail, I would opt to use JAIL also. So please members, be creative and suggest names containing JAIL in them, like ExcubitsJAILbox, BadBitsJAIL, anything as long as it contains JAIL.
 
Reactions: Handsome Recluse

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Thanks for the clarification...



So something like limiting read access to desktop, and other drives is not possible?!

Pumpernickel (one of the Excubits drivers this program is based on) has the option to block read access. Read access requires tweaking so this would not be suitable (I think) for zero config JAILbox.
 
Reactions: Handsome Recluse

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Is using hardware virtualization (VT-x, AMD-V) part of the considerations of the feature set? It is far more secure than using kernel drivers to enforce separation of processes. Since the program is for average users, it is unlikely that they'll be using another program which uses these registers at the same time to cause conflicts. Most modern workstations have them available too.
If this is implemented it'll be unique for a product geared towards the home user.

The program is based on existing Excubits software, see: Excubits - IT Security Solutions for Windows, so no hardware virtualization yet. I know from Avast that they moved away from using hardware virtualization because it gave too many problems. So HW virtualisation would not be my choice for a zero config program.
 
Reactions: Handsome Recluse

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
464
Actually I've been interested in Excubits software but I'm not good at managing .ini files... I always consider myself an average user, though I've been using AG for quite some time.
 
Reactions: XhenEd

Deleted member 178

Because Florian mentions MemProtect as an exploit cage, a Linux policy sandbox is named FireJail and a script sandbox on Windows is called MalwareJail, I would opt to use JAIL also. So please members, be creative and suggest names containing JAIL in them, like ExcubitsJAILbox, BadBitsJAIL, anything as long as it contains JAIL.

- ExeJail :)

simple, easy to remember , sum it all ;)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Maybe it would be possible to adopt an online base of preconfigured settings for protected programs. That base could be updated by the community. The SandBox would monitor protected programs according to this base.

Edit.
Members of this community could use the Excubits demo programs (Bouncer, MemProtect, Pumpernickel) to create / test the appropriate settings.
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
With the demise of personal AppGuard, this sounds like a very exciting idea for a user with some standard applications.

But as @Umbra has also mentioned, I run a host of portable apps from (in my case) e.g. C:\My Portable Applications and C:\PortableApps.com etc. so 'ExeJail' may unfortunately be a non-starter for me? :unsure:. Unless these can somehow be defined as 'system space'.

I love the idea though, combining the power of Excubits apps - with zero config.
 
Reactions: Deleted member 178
