Need your input for NEW zero config application sandbox

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
My thoughts,

Rule 1: what happens if a program needs to write to the temp folder?

A new rule could be defined: Only allow signed software to run. This would cut down on the amount of malware that could be run (not all malware needs admin access and how many of them would be signed?) This would be a simple on/off switch. This is different to what was said above though.
 
  • Like
Reactions: Handsome Recluse

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
From the anti-malware point of view, the 'blocking of the unsigned' rule is very good. The similar, less restrictive setting is incorporated in UAC (blocking elevation when unsigned). But, the average users do not like the anti-malware point of view, and strongly prefer usability over security, so do not use such settings. Microsoft saw this and discovered SmartScreen Application Reputation.:)
But even in the case of SmartScreen, its potential was reduced only to checking files downloaded through web-browser, One Drive, and Windows Store. Why? For usability of course. So, any malware downloader can bypass this (for example PowerShell script). :(
The well-balanced solution between security and usability is adopting obligatory SmartScreen Application Reputation to check any EXE, MSI, SCR, COM, CPL, JSE, VBE, BAT, CMD, DLL, OCX files on the run, in the user area.
 
  • Like
Reactions: Handsome Recluse

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
If I could make the Sandbox with obligatory SmartScreen, I would incorporate a local hash base for executables in the user area, that were accepted by SmartScreen. So, the user could use the programs avoiding unnecessary checking (Microsoft servers will be happy), and also when the computer is not connected to the Internet.
.
Edit.
Anyway, the 'blocking unsigned' switch could be useful when the computer is not connected to the Internet for securing against the new files (from pendrive, USB disk, memory card,...).
 
Last edited:
  • Like
Reactions: Handsome Recluse

Cch123

Level 7
Verified
May 6, 2014
335
Is using hardware virtualization (VT-x, AMD-V) part of the considerations of the feature set? It is far more secure than using kernel drivers to enforce separation of processes. Since the program is for average users, it is unlikely that they'll be using another program which uses these registers at the same time to cause conflicts. Most modern workstations have them available too.
If this is implemented it'll be unique for a product geared towards the home user.
 

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Is using hardware virtualization (VT-x, AMD-V) part of the considerations of the feature set? It is far more secure than using kernel drivers to enforce separation of processes. Since the program is for average users, it is unlikely that they'll be using another program which uses these registers at the same time to cause conflicts. Most modern workstations have them available too.
If this is implemented it'll be unique for a product geared towards the home user.
A better idea maybe is to have both options so that power users who use VMware player etc can still use this product as well.
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
474
For browsers will this include an option to automatically delete its content upon closing the program for privacy, without interfering with extension/bookmarks/browser being updated?!

Also is it possible for browser to have only specific folders they can access, or if a file is to be sent an option in context menu is to be added to allow temporary access permission to that file .
 
Last edited:
  • Like
Reactions: frogboy

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
@Overdine Maybe this UAC setting request is faster implemented when asking this github project: GitHub - securitywithoutborders/hardentools: Hardentools is an utility that disables a number of risky Windows features.
It may be a problem with it. Hardentools makes reg tweaks (for usability) only in HKU or HKCU registry keys, so they are active only for the concrete account. This is useful but not especially strong hardening, because those registry keys can be modified by the malware running as standard user. The 'Block unsigned elevation' UAC setting is related to HKLM registry key, and can be modified / bypassed only with administrative rights.
 
Last edited:
  • Like
Reactions: Handsome Recluse

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
For browsers will this include an option to automatically delete its content upon closing the program for privacy, without interfering with extension/bookmarks/browser being updated?!.

A sandbox is ambiquous and clouded definitions. AppContainer integrity level is for instance called a (policy) sandbox, but a virtualisation program like Sandboxie is also called a (application) sandbox. This new sandbox is more a policy sandbox, to prevent confusion lets call this new policy hardening sandbox, not a sandbox but a JAIL.

Also is it possible for browser to have only specific folders they can access, or if a file is to be sent an option in context menu is to be added to allow temporary access permission to that file .

Browsers have only read access to all data, except for a few specific folders, like your download folder and desktop and some of their own AppData folders (where they store extensions and bookmarks)
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
474
Thanks for the clarification...

Browsers have only read access to all data, except for a few specific folders, like your download folder and desktop and some of their own AppData folders (where they store extensions and bookmarks)

So something like limiting read access to desktop, and other drives is not possible?!
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
474
Could AutoCAD, winrar be also included the list of program? So this sandbox would be like policy sandbox/anti-exploit thing?!

To receive configuration file updates an annual fee of 2 euro's is asked. Would that sound reasonable?

Sounds reasonable... my only problem would be the conversion factor.
 
Last edited:

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Umbra mentioned it earlier, this new program needs a catchy easy to understand name. So bare with me:

This new application prevents 100% of the vulnabllities of the programs it protects (blocking all exploits), additionally it makes life hard for script based atttacks, drive-by infections and helps to prevent shoot in the foot errors (unintended program start) by users effectively closing the operating room for ransomware. Except for the exploit jail, most of the hardening rules are not a 100% protection (because it needs to be easy to use), but the compliation of the different rules makes it very unlikely for any kind of malware to intrude or damage the system.

Because Florian mentiones MemProtect an exploit cage and a iinux policy sandbox is named FireJail and a scripts sandbox on Windows is called MalwareJail, I would opt to use JAIL also. So please members, be creative suggest names containing JAIL in it, like ExcubitsJAILbox, BadBitsJAIL, anything as long as it contains JAIL.
 
Last edited:
  • Like
Reactions: Handsome Recluse

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Thanks for the clarification...



So something like limiting read access to desktop, and other drives is not possible?!

Pumpernickel (one of the Excubits drivers this program is based on) has the option to block read access. Read access requires tweaking so this would not be suitable (I think) for zero config JAILbox.
 
  • Like
Reactions: Handsome Recluse

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Is using hardware virtualization (VT-x, AMD-V) part of the considerations of the feature set? It is far more secure than using kernel drivers to enforce separation of processes. Since the program is for average users, it is unlikely that they'll be using another program which uses these registers at the same time to cause conflicts. Most modern workstations have them available too.
If this is implemented it'll be unique for a product geared towards the home user.

The program is based on existing Excubits software see: Excubits - IT Security Solutions for Windows so no hardware virtualization yet, I know from Avast that they returned from using hardware virtualization because it gave to many problems. So HW virtualisation would not be my choice for a zero config program.
 
  • Like
Reactions: Handsome Recluse

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
474
Actually been interested in Excubits softwares but I'm not good at .ini-manage files... always consider my self as average user, though I've been using AG for quite some time.
 
  • Like
Reactions: XhenEd
D

Deleted member 178

Because Florian mentiones MemProtect an exploit cage and a iinux policy sandbox is named FireJail and a scripts sandbox on Windows is called MalwareJail, I would opt to use JAIL also. So please members, be creative suggest names containing JAIL in it, like ExcubitsJAILbox, BadBitsJAIL, anything as long as it contains JAIL.

- ExeJail :)

simple, easy to remember , sum it all ;)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Maybe it would be possible to adopt online base of preconfigured settings for protected programs. That base could be actualized by the community. The SandBox will monitor protected programs according to this base.
.
Edit.
Members of this community could use Excubits demo programs (Bouncer, MemProtect, Pumpernikel) to create / test the appropriate settings.
 
Last edited:

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
With the demise of personal AppGuard, this sounds like a very exciting idea for a user with some standard applications.

But as @Umbra has also mentioned, I run a host of portable apps from (in my case) e.g. C:\My Portable Applications and C:\PortableApps.com etc. so 'ExeJail' may unfortunately be a non-starter for me? :unsure:. Unless these can somehow be defined as 'system space'.

I love the idea though, combining the power of Excubits apps - with zero config.
 
Last edited:
  • Like
Reactions: Deleted member 178

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top