Need your input for NEW zero config application sandbox

[Andy Ful]

I agree with @Peter2150 according to companies market.
There will be a strong competitor = AppGuard. Additionally, the companies have administrators who will like a flexible and configurable version with GUI, no 0-config variant.
Home users could like a usable 0-config version, but in my opinion, that will be possible on Windows 8+, when using obligatory SmartScreen.

 

[Andy Ful]

Maybe, for Windows 7 users, it is better to prepare less restrictive Sandbox = only preconfigured protected programs + folder protection + blocking scripts (PowerShell via System.Management.Automation.dll). Adding folders and excluding protected programs could be managed from the system tray.

 

[paulderdash]

2. Also I see comments Appguard is dead for personal. It's not really.

I suppose you mean if one is prepared to pay for the Business version?

 

[Windows_Security]

Come on guys, back to reality. Without a GUI, there won't be any income. How many users here and at Wilders use Excubits drivers. And that in itself is the problem. They are drivers, there is no software. I've learned to use them, but I'd never but them on any friends machines. Let me say it again. No GUI, no income.

The zero config should generate the extra income, because it circumvents the need for GUI.

Possible development calendar of ZERO CONFIG could be (when license earnings of ZERO CONFIG, NOT THE DRIVER-ONLY PROGRAMS IT IS BASED ON, would justify this):

• zero config with default folders
• zero config with folders scan (for more flexibility) and GUI supported exception rules
• use experience of GUI exception rules to launch a PRO version with
  • GUI (point is that you have to keep it simple) and
  • central library where rulesets can be downloaded per program.
• Add a corporate market admin tool for PRO version where exceptions and ruleset application can be centrally managed and deployed

 

[Windows_Security]

For new devs focusing on home users, i believe MT is better than Wilders, you will have more feedbacks and less "technical" critics about this or that not doing like software X or Y.

And if you officially represent Excubits, it is your job to make it visible ; i will tell you, if your product is worthy, you won't have much difficulties to make it visible .

I agree about the MT advantage (posted that myself, so should be strange when I would disagree on that), repeat the question: compare number of devs choosen for Wilders or MT is say last 5 years. That illustrates my point on visibility of thread. But I will stop complaining about it.

 

[Freki123]

I would also prefer an Gui. Everytime i look at the Exubits stuff and see no GUI i think i will wait till he does some It's 2017 i expect things to click not type or make extra typos and fxx all up. When you wanna go against appguard i guess their Homeland Security Award is what you need to beat for the US market to get companys.

 

[Freki123]

Guy let's not start drama here im out of popcorn*duck*
@danb The users that accept deny by default are the ones that read security news i would think. The other users would be annoyed if keygen.exe doesn't work for their new videogame. And they would expect to have there programs running whatever they have installed. So you have to protect lots of different offices or emailreader and so on. Just my guess which could be totaly wrong.

 

[Freki123]

Depends if i like him/her or not and if im willing to spend some time with his pc. Avast hardened and VS (since it doesn't scan large files afaik). Or maybe just use linux *duck*

 

[overdivine]

default deny would work great in enterprise environment where pc user must have access to a determined number of software.
for average user it will be hard. hell they remove antiviruses for patch/keygen to work

 

[klaken]

A GUI that if for the moment only a modifiable file (like block of note(note pad++)) for the creation of list of folders in white list and protected outside the pre-established rules ..

It would be easy to export.
This ensures that users with knowledge can modify it ..
In addition home users would not use a denial program by default or without GUI

What if a file can only modify elements of its same location (eg folder) .. so they could be updated among others.

 

[Andy Ful]

Hehehe, wrong (once again). The issue is that most users are not willing to accept deny-by-default.

I have been saying this for years, but very few people get it... either way the computer should be locked when it is at risk.

I agree. So, maybe we define what is the risky situation. I think that it is there, when the user runs any protected program (web-browser, office, media player, pdf reader). But, if those programs are restricted/sandboxed, then the user is protected.
Adding the point 7 (Block executables (MZ-header) located in user folders) has more cons than pros in daily work. Malware usually drops payloads into locations other than Download or Desktop folders, and thankfully those two folders are most popular when running/installing programs chosen by the user.
Anyway, some people would like adding the point 7 to the setup, so it could be available as a switch ON/OFF option.

 

[Peter2150]

Depends if i like him/her or not and if im willing to spend some time with his pc. Avast hardened and VS (since it doesn't scan large files afaik). Or maybe just use linux *duck*

I think that is what this thread is about, not Avast, or VS, but a way to use Excubits to accomplish securing a computer without much user interaction.

 

[Windows_Security]

I agree with @Peter2150 according to companies market.
There will be a strong competitor = AppGuard. Additionally, the companies have administrators who will like a flexible and configurable version with GUI, no 0-config variant.
Home users could like a usable 0-config version, but in my opinion, that will be possible on Windows 8+, when using obligatory SmartScreen.

I disagree. System administrators don't want end users messing with security. So a zero config foro a single focus appplicaton (extend life for Office 2007) is a no-brainer. The only real threshold would be when protection expands from Office 2007 to other programs, that would require central management (with a GUI).

But you are making a point here. I will discuss this on the 11th. Two downlads, one zero config only focusing on Office 2007 with a volume pricing schedule and the home user version we are discussing here with lifetime license version with possible attractive options to allow a multi, (say 3) device install. This would effectively make the zero config JAIL cheaper than a big mac per device. But Florian is the one who decides on this, so don;t pin me down on this blog post (as a MT forum member I am also representing your interests )

 

[Andy Ful]

I disagree. System administrators don't want end users messing with security. So a zero config foro a single focus appplicaton (extend life for Office 2007) is a no-brainer. The only real threshold would be when protection expands from Office 2007 to other programs, that would require central management (with a GUI).

System administrators will configure the Sandbox from the location not accessible to the end users. That is the standard practice in Enterprises. Most end users will never see this program.

 

[Windows_Security]

System administrators will configure the Sandbox from the location not accessible to the end users. That is the standard practice in Enterprises. Most end users will never see this program.

See we agree

 

[Andy Ful]

I am confused a little about the way that an average home user will install the new programs. That will be not possible from the Download folder. So, will it be possible from the Desktop?

 

[Windows_Security]

Some clarification on how these rules work together:

Limit write access of internet facing software to Download folder and Desktop
Should prevent malware dropping binaries or changing user data (except own AppData and Download and Desktop folder)

Limit execute access of Download folder (and Desktop) to 'safe' parents
Close down holes where malware is allowed to drop executables

Block executables (MZ-header) located in user folders (documents, photo's, video, music)
Should prevent script based malware (e.g. hidden in office documents and media files) to execute binaries in user folders, allow Downlod

As said no rule in protects 100% protection (except exploits),, but the combination makes them effective while remaining easy to use.

 

[Windows_Security]

I am confused a little about the way that an average home user will install the new programs. That will be not possible from the Download folder. So, will it be possible from the Desktop?

No Download and Desktop will be allowed when triggered by safe parents.

 

[overdivine]

to be honest i think support for office 2007 (it's been 10 years) or software past its lifecycle it's counterproductive.
there are already a lot of free alternatives, even online ones.
you should develop for the future or the present not for the past

 

[Andy Ful]

to be honest i think support for office 2007 (it's been 10 years) or software past its lifecycle it's counterproductive.
there are already a lot of free alternatives, even online ones.
you should develop for the future or the present not for the past

That is not so simple in companies. They have to use one program office in all sub-companies, and they do not change the software because of backward compatibility. When you install the free office suite, the documents loose the formatting and usually, the document conversion sucks. So, it will be important to companies keeping Office 2007 and secure it with additional software.