Solved

Web Threat Shield not working with Sandboxie


Userlevel 2
I just did a test today with both malwaretips.com and malware domain lists. When I use Chrome with Sandboxie, the Web Threat Shield does not block infected URLs. But when I use only Chrome, it does block them (very well I might add). I tested this on two different PCs with WSA. Anyhow, possible bug or is this normal that Sandboxie is not allowing Chrome to access WSA Shields?

Best answer by Rakanisheu Retired 21 March 2013, 13:19


12 replies

Userlevel 7
Are you testing malware using Sandboxie? If so I would be very careful as I have had infections leak out of a Sandboxie environment. If you're going to test malware I would at the very least be running the malware in a virtualised environment.
 
I have tested the website shield in Sandboxie and I can confirm your findings. However I don't think this is a failing on WSA's part as Sandboxie is doing what it's supposed to (i.e. blocking any external program from modifying/communicating with a sandboxed program). The process below is a rough explanation of what I mean. With Chrome/FF/IE running in a sandboxed environment WSA can't protect it as it's being blocked from interacting with the browser.
 
Normal environment
 
Chrome -> Website -> Website checked by WSA filtering -> bad site  -> blocked with alert
                                                      -> good site -> proceed
 
Sandboxed Chrome
 
Chrome -> Website -> bad site  -> proceed
                  -> good site -> proceed
 
I hope the above makes sense, if not reply and I can give more info.
Userlevel 7
Hello Roy!
 
Thanks for your explanation, which I was waiting for because I was also pondering installing Sandbox but to be honest I wasn't a hundred percent decided. I heard good things about Sandbox but also bad things. As per your chart (BTW I love charts because they're self-explanatory), I understand that if a browser is sandboxed, WSA is put aside and cannot protect the browser. That's definitely not what I am interested in, so I will rather have WSA fully up and running with all the shields in power than a sandboxed browser. OK, I won't install Sandbox, at least not now.
 
Have a great day!
Userlevel 7
Sandboxie is a decent program that I use the odd time myself but I would run it in a VM and not have it on your primary system as I have seen some more intelligent infections breach the sandbox. I use Firefox myself with a number of plugins and WSA and I haven't had any issues.
Userlevel 2
Thanks for the info!
Userlevel 7
Great explanation, thank you! I have not used Sandbox as I do not know as much about it. Very glad to have more information regarding it.
 
Thanks!
I asked Webroot about this issue with Sandboxie and they replied: "WSA will block malware coming from a browser protected by Sandboxie (if something slips through) and it will protect the browser from identity stealing malware, but Sandboxie blocks too much of the communication for the Web Threat Shield to function fully." And about compatibility with Sandboxie: "When Sandboxie 4.0 gets closer to a final release, I'll have our internal QA team take a look to see what changes might be necessary on our side."
 
The information you are getting from Rakanisheu the 'Threat Researcher' about Sandboxie is not reliable. It is absurd to say that Sandboxie should only be run in a VM and not on your primary system. Anything that WSA doesn't catch is still contained within Sandboxie, unable to infect the computer, and is flushed easily. As for 'intelligent infections breaching the sandbox', it just doesn't happen. I started a thread at Sandboxie about his comments, and they suggest that Rakanisheu post there about which malware he saw get out of the sandbox, but they don't think he'll have anything. But if he did, the way things work there is the developer Tzuk would be on it immediately and the problem would be fixed.
 
A thread was started at Wilders Security (a site for security professionals and hobbyists) a few months ago asking what is the one security program you can't do without: http://www.wilderssecurity.com/showthread.php?t=325585
Take a look at how many times Sandboxie is chosen. It was named the most often for good reason. Once you learn how to use Sandboxie, nothing gets by it and it can even be enough security on its own.
 
I've used Sandboxie for 3 years, most of that time without a real-time antivirus, and I've had no malware issues at all. That is the experience of people who know how to use it. I now have purchased 2 years of WSA because I like Webroot's approach to security (especially adding Prevx) and because of how light it is on my system. Sandboxie and WSA are a great combination for me, about as close to ideal as it gets.
Userlevel 7
My reply was based on my years of Malware Removal/Testing and I stand by my statement that a person unfamiliar with malware should not be testing it on a primary PC. As for my Sandboxie issue, it was over a year ago that I had an experience of a malware breach in Sandboxie (I wouldn't know what infection it was as it was that long ago). I quite like the program and use it the odd time when testing malware. My original statement about the issue reported was in fact correct.
 
I am well aware of Wilders (I am a lurker on that forum) and I don't know what you mean by 'Threat Researcher' in your post. In any case the original question has been answered. If you have a question please feel free to drop me a PM.
You give an interesting reply Rakanisheu, let me see if I can do it justice.
 
You say you don't know what I mean in referring to you as a Threat Researcher. Two things: the title I see under your name on the left, I'm assuming given to you by the forum and not by yourself. But also it refers (maybe with a little bit of sarcasm) to the stance of authority you take in your posts, including in this last one: "My reply was based on my years of Malware Removal/Testing and I stand by my statement that a person unfamiliar with malware should not be testing it on a primary PC."
 
The interesting part comes after you give your credentials there. Of course most people should not test malware on their primary PC. That is smoke hiding what was clearly being objected to, which was you saying "Sandboxie is a decent program that I use the odd time myself but I would run it in a VM and not have it on your primary system as I have seen some more intelligent infections breach the sandbox." So as an expert you are warning people off using one of the most powerful security tools available. And that it's powerful is not just my opinion, that's the experience of many people at Wilders, as can be seen in that poll that I linked to. I suggest that you de-lurk at Wilders and claim to be an expert while saying that Sandboxie should only be run on a Virtual Machine and see what response you get.

 
When warning people off Sandboxie, you said you've had "infections leak out of a Sandboxie environment" and "have seen some more intelligent infections breach the sandbox." "Infections", plural. Now it's "I had an experience of a malware breach in Sandboxie" and "I wouldn't know what infection it was as it was that long ago." "A malware" and "infection", singular. But even if it was plural, I don't doubt you that it happened. From what I've read it happens very rarely. You could have had a real breach, but more likely there was a software conflict, or you didn't have Sandboxie configured correctly for what you were doing. That is why they would have liked the details at Sandboxie, so that if it was a real problem it could be fixed. Again I believe you when you say that you can't tell them because it happened so long ago.
 
Anyway, if anyone cares at this point, my own experience is that Sandboxie fits well with Webroot SecureAnywhere, it's super-light for such powerful security.
 
edit: In case someone happens to read this and wants to try Sandboxie, I should say that whatever happens in a program that is sandboxed can be lost when closing the program. It is important to learn how to configure Sandboxie so that it saves what you want and flushes everything else.
Userlevel 7
Interesting read. I have very little to add to your argument because I have never used Sandboxie, even though I am very interested in the sandbox concept. Still, just a few comments ...

I have to agree that most users use Sandboxie on their primary PCs. This is a known fact observed across the internet. I too don't see a reason to run it only in a VM. However I think that the majority of problems stem from a wrong setup of Sandboxie, which often ends up in conflict with other solutions. You will surely agree that Sandboxie isn't an application ranked among those "install & forget". You have to tweak it to work properly, efficiently and nicely along with other security solutions and applications. Therefore I think that the question is not the environment in which Sandboxie runs (a VM or live OS) but how capable (technically skilled) a user is to set it up.

At the same time I am taken aback by the sarcasm towards Roy. He just shared his experience with Sandboxie, so there is no reason to diminish the weight of his words.
Funny you should say that pegas, while you were posting that I was just editing my last post to put in a word of warning about Sandboxie. You are right it's not install and forget. I am not a security tech by any means, and it took me a bit of study, watching tutorials, and asking questions on Wilders before I learned what it could do. But after getting it configured correctly, it really doesn't require much attention, mainly just clicking on a box to confirm that I want to download into a sandboxed folder. As I learned I gradually dropped other security programs until I wasn't even running real-time anti-malware for months at a stretch. I haven't had a security problem in the 3 years I've been running Sandboxie, and I'm on the internet half the day at all kinds of sites and do a ton of downloading. Webroot SecureAnywhere is the first AV I've run in a long time, but it is so light and covers so much area that I can't justify not running it. And I always had a soft spot for Prevx.
 
Sorry for any sarcasm in my post, it was meant lightly, but it's true that sarcasm can undermine the value of the argument being made. A weak moment on my part. On the other hand, he wasn't just giving his experience and asking for others' opinions. He presented himself as a security expert while warning people away from one of the most respected programs among actual security pros. I had to say something.
 
Yet again I think of the classic xkcd cartoon 'Duty Calls': http://xkcd.com/386/
Userlevel 7
I only replied based on my opinion and past experience, which I thought was the idea of the community forum. We all have opinions about how each person should run their PC; again, I gave my view. If you don't believe me about what happened to me then that's your call; I have nothing to gain by making it up. I still however stand by my original response, and I also think this thread has run its course.
I believe you were honest about what happened, I just think you came to the wrong conclusions about what it meant and what to do about it, and were wrong about the advice you were giving to people based on those conclusions. Yes, it's the idea of a community forum to give your opinion and experience; I hope you think I have the same right even though it's at odds with yours. That's how these things work, isn't it? Give and take, and people decide for themselves.
