Need your input for NEW zero config application sandbox

Andy Ful

As said, rules are not 100% (except exploit prevention), but it is the combination: how is the loader.exe started in this scenario, and how does it circumvent the dangerous commands restrictions?
Generally, it is an interesting project. :)
If I understood properly, it works as follows (0-config version):
  1. Sort of strong anti-exploit for some popular predefined applications (Word 2007, Adobe Acrobat, etc.).
  2. Can mitigate many other software exploits (but not as strong as point 1 <--- parent check bypass, no risky commands blocking).
  3. Can protect against double-extension malware (like *.pdf.exe, etc.).
  4. Can mitigate many 0-day malware loaders, run accidentally by the user, when they drop payloads in the user's folders (except the AppData 'hole').
Usefulness
  1. Users can install most software from Desktop and Download folders.
  2. Users can run portable applications from the predefined folder (and subfolders).
  3. 0-config.
  4. No user dependent alerts.
  5. Very good additional protection against malware in the wild, as a combo with AV.
  6. Well balanced between usability and security.
Warning
I suspect some potential compatibility issues with AV suites (HIPS, Sandbox, Anti-exploit modules).
 

Duotone

Pretty much a strong Anti-exploit/App-sandbox...

Warning
I suspect some potential compatibility issues with AV suites (HIPS, Sandbox, Anti-exploit modules).

Although it's still at the planning stage, how can one find out if it's causing an issue, being 0-config? Correct me if I'm wrong: no GUI equals no pop-up?!
 

Andy Ful

Mostly due to MemProtect driver.
 

Duotone

I see. Let's say the JAIL is already out on the market and an app/soft (JAILED) causes some compatibility issue with a particular AV suite, etc. As an average user, how can one determine what's the cause, being 0-config?!

Ex: like AG, a blinking icon notifies me of a block or a certain issue.
 

Andy Ful

That is a problem for all security combos. So, people discovered support forums to share the issues with other people and developers. The rest depends on how all this works in practice. For example, the Comodo support forum has a not especially good opinion.
.
Edit1.
This Sandbox should work well with free AVs, which usually do not have advanced modules (HIPS, Anti-Exploit, Sandbox).
.
Edit2.
Bearing in mind the good reputation of the developer, he can manage to deal with this problem.
 

Andy Ful

@Andy Ful

I am just curious. Which one of the Excubits drivers do you use?
None at the moment. Yesterday I installed Bouncer and modified the ini file to check if the Run("explorer.exe malware.exe") command can bypass the parent check (it could). Some time ago I tested MZWriteScanner, Pumpernickel, and MemProtect. Bouncer had problems with Zemana Antilogger DLL paths, but worked after manual ini corrections.
 

Peter2150

Okay, I was curious.

Just a couple of major thoughts on this.

1. It might be natural to think in terms of Windows 10 features, but we should be thinking the opposite. The market for this product will be Win 7 users who for whatever reason don't want to upgrade to 10. That would include me. I have tested a significant number of malware samples to test my security. And they all are on Win 7, so I know I am relatively safe. This is the market for this product.

2. All of the ideas being shared including the rules in the original post are centered on protecting the system. If you all knew his drivers you'd know Florian already is an expert in doing this.

3. But here is the problem. I use Pumpernickel and MZwritescanner. I'd love to use both Bouncer and Memprotect, but they cause BSODs on my system, so I'd have to remove the offending software and totally switch to those programs. And that's the rub. To set up Memprotect and Bouncer would have a huge learning curve and would take a huge time investment to get it up and running. Simply not worth it.

So the challenge for Florian is to find a way to make all this user friendly.

So let me lay out my thought about a plan for Florian

A) Working GUIs for the current drivers. Without them, I think it's a no-go.

B) The challenge. Read the log files after install, and from the log files generate rules. This absolutely requires the system be clean.

C) Once B) is done, then start combining into one program.

This is going to be a tough achievement.
 

Andy Ful

I agree with your thoughts. For now, the Sandbox should be naturally directed to Windows 7 users, because Windows 10 is much stronger against all kinds of exploits and is still not popular. Yet, in the next two years, Windows 10 will probably be a much more attractive market, so developers should be open to the new possibilities.
As I can see on Malware Hub, free AV protection is quite efficient, so I do not think that the most popular home security model (only antivirus) will change soon.
 

Andy Ful

Okay, I was curious.
...
I'd love to use both Bouncer and Memprotect, but the cause BSOD's on my system so I'd have to remove the offending software...
To set up Memprotect and Bouncer would have a huge learning curve and would take a huge time investment to get it up and running. Simply not worth it.
...
I think that the actual default settings for Bouncer (with parent check whitelisting) are pretty safe and should not cause BSODs. Also, MemProtect with the 'default allow' setting is OK when applying @Windows_Security's simple strategy.
The problem is rather the user's natural tendency to maximize the protection, and this usually ends in software/system instability (I know it well from my own experience). :)
.
Edit
Personally, I do not need any GUI for those drivers. But, it probably follows from my experience with DOS many years ago.
 

Windows_Security

Thread author
@Andy Ful

Thanks for answering; I am really busy this week. I thank you for the answers while understanding the idea behind it and guessing possible implementations (because we are still talking about plans here, your guess is as good as mine).


@Peter2150
Florian is thinking of combining drivers, which might be a solution to your BSOD with drivers. I also have some gut feeling that Windows 7 should be a first focus.

@Others, thanks for all the input.
Florian has confirmed the appointment, so your input might lead to a new program.
 

Peter2150

.
Edit
Personally, I do not need any GUI for those drivers. But, it probably follows from my experience with DOS many years ago.

Okay, take both Wilders and MT and how many users could even get the drivers installed. I also have no issue with no GUI, but how many of us are left. For Florian's current goals it's fine, but with what WS has described as what he wants to do that's a different horse.

Pete
 

Peter2150


Well whatever he is up to, I for one want to play.
 

Andy Ful

Okay, I was curious.
...
1. It might be natural to think in terms of Windows 10 features, but we should be thinking the opposite. The market for this product will be Win 7 users who for whatever reason don't want to upgrade to 10. That would include me. I have tested a significant number of malware sample to test my security. And they all are on Win 7, so I know I am relatively safe. This is the market for this product.
...
I looked at some statistics about Windows 7 and Windows 8+ (Desktop Operating System Market Share - January, 2015 to September, 2017). It seems that the ratio is about 2:1 to the advantage of Windows 7. But for Steam gamers, the ratio is about 1:1.
I am not a casual gamer, but the security scenario Sandbox + 'AV turned off when gaming' can also be interesting for the gamers. But the Sandbox should be very light then. It is probable that built-in Windows security (SRP, blocked scripts, disabled dangerous or unused services, etc.) can be much lighter for gaming than realtime Excubits drivers.
.
Edit.
The gamers would be happy to have the very light Sandbox for 'gaming + browsing + watching media'. And gamers will likely spend some money for it. :)
 

Peter2150


Well, I play the train simulator in Steam. I don't try it Sandboxed (SBIE), but Appguard is on, as are Pumpernickel and MZwritescanner. I also have EAM onboard and it doesn't interfere with anything.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Well I play the train simulator in steam. I don't try it Sandboxed(SBIE), but Appguard is on, as are Pumpernickel and MZwritescanner. I also have EAM onboard and it doesn't interfere with anything.
Casual gamers are looking for every free resource, because some games are very demanding. It is good to see that the Pumpernickel and MZwritescanner drivers do not slow down your computer. I am curious what the impact of all four drivers will be when playing a resource-demanding game.
 

Peter2150


I can't say for sure, but I suspect there won't be any.
 

Andy Ful

Usually, Pumpernickel + MZwritescanner, and even MemProtect (default allow), do not have much to do. But Bouncer (default deny) checks many DLLs, and as we know from NVT SOB and SRP with DLL checking, this can slow down the system.
.
Edit.
Yet, Bouncer should be faster because it is a kernel driver.
 

Mr.X

If the developer allows some "advanced user" mode, it will be more than welcome.
+1

I too, as a portable apps user, would like to see that advanced user mode. My apps are sitting on a drive other than the system drive as well.
 

WildByDesign

Generally, Florian takes quite a bit of pride and pays more attention (more than I would expect) with regard to performance and efficiency, and also takes into consideration the cleanliness and organizational structure of his kernel-level coding within the drivers' code base. He seems to always be finding ways to refine those details and obsesses over a tidy code base and proper coding structure.

That being said, the one and only aspect which would have somewhat of a performance hit is when (if) any of the drivers are utilizing SHA256 hashing. For example, if you manually disable SHA256 on Bouncer (and I believe MZWriteScanner as well) there are quite literally zero performance penalties.

However, depending on what @Windows_Security and Florian are planning here, SHA256 may have some importance for certain aspects of protection.

Lately I have been using just MemProtect on its own, utilizing its recently built-in DLL module filtering as a significant layer of protection with regard to specific application whitelisting bypasses, as well as things such as LSASS.exe protection and much more. That MemProtect driver alone is powerful beyond words.

Last night I took the time to read through every single post here throughout these 6 pages in this thread. I am absolutely thrilled and excited to see these ideas come to fruition. Florian is a hard-core, low-level kernel programmer. He's obviously not proficient with regard to GUI development. However, I have always dreamed and imagined what could be possible with combining all of Excubits' drivers into one security program. That would be nearly unstoppable. Think of it as multi-layered, Matrix-like (Matrix-Jail-like) protection in which attackers would get caught at any of the stages of the protection mechanisms. Possibly it could be called something such as Kernel-Matrix, Matrix-JAIL, Kernel-JAIL, SpiderWeb-JAIL, etc. I am not very good with names.

Kernel-Matrix Security - a highly efficient, sophisticated, low-level, multi-layered JAIL architecture for the Windows kernel...

Anyway, I am more than happy to donate my time to creating and testing some pretty intricate rule sets. It's been something like 6 months to a year since I last logged in here at MalwareTips, so it will take me some time to get caught up. My biggest struggle here at MalwareTips has been getting familiar with all of the many categories and sub-threads and so on. But I will put some effort into familiarizing myself here more at MT and possibly less so at Wilders.
 
