Sandboxie should be avoided in 2019 and above


Deleted Member 308817310

Level 2
Thread author
Jun 26, 2019
75
There is nothing wrong with Excubits's MemProtect but be aware it can be bypassed if the person doing the code injection spawns the process they want to inject into.
Actually, there is one issue with it.

The Excubit's MemProtect driver is parsing the configuration file in kernel-mode when it should be doing this in user-mode for safety reasons. Too many people have been hit with exploits by doing things like this, albeit normally with parsing PE files. Still, it's unsafe to do that. It's fine because the product isn't a target - it's unknown outside the forums and even a minimum use it that are on the forums.

You should be keeping everything that doesn't require execution of privileged instructions / kernel APIs outside of the kernel.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
It does it excessively. Sandboxie chose to use a bad design. Third-party AVs use the same techniques all the time but usually it's only for a few APIs and they are improving for compatibility with modern exploit techniques, so things will get better.
...

It's not a rootkit method. It's an officially supported and documented mechanism which Microsoft introduced to reduce the need of hooking kernel APIs for process/thread handle creation or duplication.
...
If I have understood you correctly, the bad opinion of Sandboxie follows from:
  1. Bad design
  2. Excessiveness of user-mode hooking, which is related to point 1. The bad design causes Sandboxie to use aggressive user-mode hooking to be an effective sandbox.
  3. This can cause incompatibility issues with other security software (Google Sandbox, Antiviruses, Windows built-in security, etc.).
But, what are the rootkit methods which are used by Sandboxie and are not used by AVs, MemProtect, and popular security software?
 

Deleted Member 308817310

Level 2
Thread author
Jun 26, 2019
75
But, what are the rootkit methods which are used by Sandboxie and are not used by AVs, MemProtect, and popular security software?
MemProtect isn't doing anything rootkit-like.

Third-party AVs occasionally use rootkit-like techniques in 2019 but not to the excess that Sandboxie does. There are times when there's no viable alternative to API hooking and the pros outweigh the cons... but Sandboxie is excused because there are better designs it could be following. Third-party AVs have been taking a hit from companies like Microsoft, Firefox and Google anyway - needless to say, the rootkit-like techniques in third-party AVs are beginning to decrease as they are put under the microscope. Sandboxie could be hooking a guest environment but instead they are hooking the host environment, even when you're running hardware capable of handling all of the virtualization overhead without breaking a sweat.

For the record, many third-party AVs do a lot of stupid things. It's why I don't use any third-party AVs. Google and Firefox have a pattern of disliking third-party AVs due to the stupid things they often do.

It's over-kill to use a design like a hypervisor when you only need to monitor a few APIs, but when you need to literally isolate a program to prevent it from damaging the host, that'd be ideal for a hypervisor.

Sandboxie could use the VirtualBox engine as Avast does, and there's even the ability to reverse-engineer and leverage Hyper-V APIs (it's legal for interoperability purposes in the UK and U.S.), but they aren't even trying any of this. They do not even need to do all of the work themselves to change the design to make it up to scratch with modern sandbox systems. Sandboxie is living a life of 2010 in 2019 and SOPHOS aren't going to do a thing about it, because Sandboxie is too dead for SOPHOS to care less.

It's clear that SOPHOS does not really care about Sandboxie either. Sandboxie does not have a lot of attention from them, it's left ditched on the side roads... and even the spokesman on the forum called Barbara doesn't know about many important things, like a proper channel for reporting critical vulnerabilities. That in itself is a big problem.

I do not know why SOPHOS bought Sandboxie in the first place.
 

Deleted Member 308817310

Level 2
Thread author
Jun 26, 2019
75
Sandboxie can do whatever they want to do. I cannot tell Sandboxie what to do. SOPHOS are in charge of it and it's their decision as to whether they will update Sandboxie's model or not. However, due to the reputation Sandboxie has, it'd be ineffective for SOPHOS to bother from a business perspective. The name of the product alone keeps people away because it doesn't sound enterprise-grade and there's a lot of obsolete and redundant information on how it works which are no longer true today - as we saw from the Sandboxie technical write-up Andy shared earlier on.

Things became harder for Sandboxie when Microsoft put an end to inline hooking on win32k.sys starting with Windows 8 or Windows 8.1. It doesn't help when Sandboxie's main user base evolves on MT and Wilders Security in 2019. There will be users outside the forum, but I predict it would be less than 500, which isn't much at all compared to how many customers SOPHOS will have across their normal home and business consumer goods.

It would be in SOPHOS's best interest to make a new project which is aimed at enterprise and uses a modern sandbox system design, vetted by professionals who have worked in the industry with companies like Microsoft, Google and VMware. SOPHOS can afford it. If it is successful and after a lot of penetration testing, slowly implement a mini version into the SOPHOS home consumer AV services and leverage the technology to tackle new malicious software.

In other words, a new sandbox system which isn't aimed for computer geeks on the forums. The issue with computer geeks is they constantly change their minds on what they want - the forums are even worse where people drop something from one bad test. Due to this, projects are dropping like flies because the market changes and people lose interest.

Literally everything is a factor when it comes to making a product successful or failing. Everything from the name and logo of the product to the website, marketing, user interface and requirements for using the software. The software isn't friendly for non-technical people because of the issues that can be caused with it - novices cannot understand why issues occur and how to solve them. And... it isn't friendly for enterprise consumers either. Due to this, SOPHOS was left with a dead and failing business. In other words, SOPHOS wasted whatever money they spent on it.

SOPHOS's best bet is trying to sell the project off to anyone daring enough to actually buy it and give it a shot, and then start a fresh sandbox system project to integrate into their home and consumer existing services. However, due to how Sandboxie works and how the market has adapted over the years, I doubt they'd be able to find someone willing to pay that much for it.

That is what I would do if I was SOPHOS but it's up to them. I'm not SOPHOS. Only SOPHOS can decide what SOPHOS do.

Of course, this post is based on speculation regarding how Sandboxie's business is doing. There are no statistic references. It's opinionated.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
If I understand it correctly, Sophos has already 100% dumped/sold Sandboxie. Done over a year ago. Their last bread crumbs of support are ending this December.
 

Kubla

Level 8
Verified
Jan 22, 2017
355
What I love about Sandboxie is:
  • I can try new software (legitimate software by the way) without making changes to the system folder/app folder/registry.
  • I can do so without firing a full-blown VM.
  • Since it's not a full-blown VM, it means all my PC resources are available to the programs.
  • I can get rid of any programs completely by removing the sandbox.
  • In a way, the above points mean that you can make a lot of programs behave like portable programs, and you can even detect ill-behaving portable programs that like to save settings in the Users folder.
  • I can have different sandboxes.
  • This means I can keep sandboxes for software I use infrequently.
  • I keep my PC without unwanted services installed on it.
  • I keep my PC without unwanted "upgrades/downgrades". For example, I have all of the Visual C++ Redistributables installed and up to date and I don't need/want games installing their version.
  • If it can't be installed and running smoothly in Sandboxie it usually means the program likes to really hook into the system and then I have to think twice about installing that said software. And yes, I know Sandboxie hooks nastily into the system, but I rather have just one software doing it than many.
Sadly there is no replacement for all this in another neatly-packed piece of software. It's also sad that performance has been getting worse: a couple of years ago I could run Adobe programs inside Sandboxie without much performance penalty; now the same versions don't work as smoothly, so I have to deal with Adobe's nasty services running amok.

I use it on Windows 10 Pro. What I like about it, and use it almost exclusively for, is my web browsers. I have it set up to auto-start with the browsers and delete the sandbox on exit of the browsers. It keeps them clean: no straggling cookies, no history, no nothing, and all without lifting a finger.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Yes. ReHIPS is the go-to program for reliable isolation of vulnerable apps.
The advantage of ReHIPS, Sandboxie, and similar application sandboxing solutions, is that one can use several sandboxes simultaneously, without using many resources. But, all these sandboxes use the same OS kernel so they are easier to bypass by exploiting the kernel.
The solutions based on hypervisors (like Windows Sandbox) contain the guest operating system for each virtual machine. The Windows Sandbox is a special solution, because the guest OS is not big (about 100 MB) and is linked to the original Windows OS installed on the computer.
Here is a nice article about Windows Container:
and about Windows Sandbox:
 

Deleted Member 308817310

Level 2
Thread author
Jun 26, 2019
75
If I understand it correctly, Sophos has already 100% dumped/sold Sandboxie. Done over a year ago. Their last bread crumbs of support are ending this December.
Thanks for letting me know. I didn't know about that. It's definitely interesting to say the least.

Deleted Member 308817310

Level 2
Thread author
Jun 26, 2019
75
But, all these sandboxes use the same OS kernel so they are easier to bypass by exploiting the kernel.
There are often critical vulnerabilities to be exploited in the user-mode injected code as well. The best target would be a communication channel. Sandboxie has to communicate back to the Windows Service/kernel-mode software to indicate when certain things are happening. This can be abused as an entry point to communicate with them yourself.

It might have changed since, but in the document you linked to the other day, Sandboxie was exploited because they had an insecure IOCTL implementation - anyone could make IOCTL requests to their device as a standard user. Funnily enough, SOPHOS were hit with two exploits targeting IOCTLs in HitmanPro.Alert by Cisco Talos a few months ago.

It seems that Windows Sandbox uses the same physical memory as the host system. This will be probably a target for future exploits.
It's only for the system binaries (e.g. Windows modules like ntdll.dll, kernelbase.dll, kernel32.dll, ...) and as far as I know, the guest environment isn't allowed to write to the pages in physical memory for it. No secrets are being shared with the guest either.

It means you do not need to have two copies of a Windows module in physical memory which keeps memory usage lower. Since the guest is using the same OS that is on the host environment, it means system binaries already loaded in physical memory are eligible for use in the VM as well.

because the guest OS is not big (about 100 MB) and is linked to the original Windows OS installed on the computer.
Another potential attack vector if Microsoft aren't verifying code integrity before taking the media, even if it'd require the host to already be compromised.
 

Deleted Member 308817310

Level 2
Thread author
Jun 26, 2019
75
As always, adding more usability to something makes it more vulnerable.:(
When there's a demand for something, corporations easily give in and meet that demand so they can satisfy existing customers and gain business from new ones. Even when adding a feature will cause more havoc in the end regarding security.

Simple truth is that most corporations do not even take security seriously when designing and developing a product. Only the big corporations take security into consideration to a reasonable degree, and even then they make numerous mistakes. All those "secure guidelines" go flying out the windows among most corporations and aren't cared about or are easily neglected.

Corporations will hire someone to do a job and not hire someone else who has more demanding requirements for a salary to do a better job by taking practices seriously. Corporations have to be willing to spend money.

The other issue is that sometimes no one knows how to make a design which is more secure than the previous and feasible to actually be developed and implemented into a commercial product. It's not just about whether something works as well, but performance too - I've seen many designs for things which were great except for the performance cost and it resulted in them being avoided over the less-secure designs for obvious reasons.

Last but not least, you have the backwards compatibility problems... because many corporations do not like to keep their systems updated to keep compatibility with other things. This forces the hand of corporations to do things which might be less secure than alternative options because the alternatives aren't compatible with the target market's systems.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Demanding usability, even at the cost of some security is generally true both for Enterprises and home users. That is how people change the world. :unsure:
The next step will be IoT devices (already started).
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
If I understand it correctly, Sophos has already 100% dumped/sold Sandboxie. Done over a year ago. Their last bread crumbs of support are ending this December.

The response to that was "The previous end of sale notification you are referencing only applied to Invincea, not Sandboxie."
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The design of Sandboxie can cause compatibility issues with some security features of other applications. In many cases, Sandboxie tries to deactivate these features in the sandbox, so for example, some AVs cannot operate properly in the sandbox to check files on execution. There should not be problems when checking files on access.
I am curious which AVs can work flawlessly in the Sandboxie Sandbox?
 

jetman

Level 10
Verified
Well-known
Jun 6, 2017
470
If I open Firefox using Kaspersky Safe Money, am I browsing inside a sandbox? Is this a better sandbox than Sandboxie for this purpose?
 

Freki123

Level 15
Verified
Top Poster
Aug 10, 2013
737
Before using the windows sandbox they first have to get it stable :D
Look at the known issues, for example:
"Microsoft verschlimmbessert neue Windows Sandbox mit jedem Update" (Microsoft makes the new Windows Sandbox worse with every update). Just look at the number of error codes: 0x80072746, 0xc0370106, 0x8007001515, 0x803b002a and 0x80070002.
 

Deleted Member 308817310

Level 2
Thread author
Jun 26, 2019
75
If I open Firefox using Kaspersky Safe Money, am I browsing inside a sandbox? Is this a better sandbox than Sandboxie for this purpose?
If you have Kaspersky then you don't need Sandboxie. Use Safe Money.

"Microsoft verschlimmbessert neue Windows Sandbox mit jedem Update" (Microsoft makes the new Windows Sandbox worse with every update). Just look at the number of error codes: 0x80072746, 0xc0370106, 0x8007001515, 0x803b002a and 0x80070002.
Microsoft have a very large user base, and thus it would be unrealistic to expect nobody to have issues with it.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I don't recommend Windows Sandbox or Windows Defender Application Guard for Edge, as neither are practical enough for Pro SKU users.

Windows Sandbox
  • broken*
  • may not start
  • may experience no internet access
  • not straight forward to configure

WDAG for Edge
  • relies on using MS Edge (non-Chromium build)
  • may experience no internet access

With a slight learning curve, Microsoft Hyper-V is better than the above. Otherwise check out VirtualBox with Linux (of choice) and run Firefox in seamless mode.

** Make sure your hardware meets the system requirements for running a VM (Virtual Machine), has plenty of system storage and RAM (Memory) **
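Windows Sandbox is driven by a .wsb configuration file, which is the part Ink calls "not straight forward to configure". The following is an added example, not something posted in this thread or shipped by Microsoft: a locked-down .wsb for opening an untrusted download offline, so the guest has no network, no clipboard or device sharing, and only a read-only view of one host folder. The host folder path is a constructed placeholder; the elements beyond Networking, VGpu, MappedFolders and LogonCommand require Windows 10 version 2004 or later.

```xml
<!-- untrusted-file.wsb: constructed example. Double-click it to launch Windows Sandbox with these settings. -->
<Configuration>
  <!-- No network adapter in the guest: nothing opened inside can reach the LAN or the internet. -->
  <Networking>Disable</Networking>

  <!-- No virtual GPU: the guest gets software rendering instead of a shared GPU device. -->
  <VGpu>Disable</VGpu>

  <!-- Run the sandbox's own runtime processes with reduced privilege (AppContainer isolation). -->
  <ProtectedClient>Enable</ProtectedClient>

  <!-- Cut the host/guest data paths a throwaway session does not need. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>

  <!-- Cap guest memory so a runaway process cannot starve the host. -->
  <MemoryInMB>4096</MemoryInMB>

  <MappedFolders>
    <MappedFolder>
      <!-- Placeholder host path: put the file to inspect here before launching. -->
      <HostFolder>C:\Users\Public\SandboxDrop</HostFolder>
      <!-- Where the guest sees it; WDAGUtilityAccount is the built-in sandbox user. -->
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Drop</SandboxFolder>
      <!-- Read-only: the guest cannot write back into the host folder. -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>

  <!-- Open the mapped folder on logon so the session starts where the file is. -->
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Drop</Command>
  </LogonCommand>
</Configuration>
```

Everything written inside the guest is discarded when the sandbox window is closed, so the read-only mapping plus the disabled network is what limits the blast radius of whatever the file turns out to be.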
 