ssj100 Security Forums

Mis-understandings about Sandboxie


Post by ssj100 25/4/2010, 02:02

The following is a post as part of a discussion on Wilders (be careful what you read on Wilders - there is a lot of mis-information there...but I guess most forums suffer from this issue) about running both Sandboxie and Shadow Defender:

http://www.wilderssecurity.com/showpost.php?p=1665752&postcount=7862

I don't think there is a case of one being better than the other. Personally I don't like "sandbox" type programs like Sandboxie, but that is just a matter of preference.

My point was that if you are in Shadow Mode with SD, then Sandboxie seems redundant to me. Any changes done to the system won't be kept anyway, so you don't really need Sandboxie in that case. I think running both is not needed and a waste.

Firstly, you can indeed make a case that Sandboxie is redundant if you are always in Shadow Mode with respect to the virtualisation mode of protection (although this can be easily argued against by stating that Shadow Defender got bypassed a couple of times in the past where Sandboxie held strong).

Secondly, there appears to be a failure of TheIgster to understand Sandboxie's full protection scope. Not only does Sandboxie individually virtualise your chosen application(s), but it also acts as an "anti-executable" (with start/run restrictions) and a "firewall" (with internet access restrictions). Furthermore, Sandboxie protects areas of your computer from being "spied" upon by your malware threat-gates (with Resource Access restrictions). Need I go on?

I'll mention one more aspect of Sandboxie that is not a feature of Shadow Defender - the ability to discard changes without restarting the computer.

As you can see, Sandboxie is not redundant at all, even when used with Shadow Defender, and is in fact a very unique application!
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com
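
As an added illustration (not part of the original posts, and not Sandboxie's own code), this Python script audits a Sandboxie.ini for the three restriction layers named in the post above: start/run, internet access and resource access. The box names, programs and paths in the sample are constructed, and the matching assumes the ProcessGroup / ClosedIpcPath / ClosedFilePath form these restrictions take in a classic Sandboxie.ini.

```python
from collections import defaultdict

# Constructed sample Sandboxie.ini; box names, programs and paths are made up.
SAMPLE_INI = r"""
[GlobalSettings]

[Browser]
Enabled=y
ProcessGroup=<StartRunAccess>,firefox.exe,plugin-container.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedFilePath=C:\Users\Example\Documents\Finance

[Scratch]
Enabled=y
"""

def parse_ini(text):
    """Sandboxie.ini repeats keys, so keep every value per key per section."""
    boxes, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            boxes[current]  # register the section even if it has no keys
        elif current and "=" in line:
            key, value = line.split("=", 1)
            boxes[current][key.strip()].append(value.strip())
    return boxes

def audit(text):
    """Return {box: {layer: bool}} for the three restriction layers."""
    report = {}
    for name, keys in parse_ini(text).items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue  # not sandboxes
        ipc = keys.get("ClosedIpcPath", [])
        # The path is the part after the optional "program," prefix.
        paths = [v.rsplit(",", 1)[-1] for v in keys.get("ClosedFilePath", [])]
        report[name] = {
            # "!<group>,*" closes everything to programs outside the group.
            "start_run": any(v.startswith("!") and v.endswith(",*") for v in ipc),
            "internet": "InternetAccessDevices" in paths,
            "resource": any(p != "InternetAccessDevices" for p in paths),
        }
    return report

if __name__ == "__main__":
    for box, layers in audit(SAMPLE_INI).items():
        missing = [k for k, ok in layers.items() if not ok]
        print(box, "missing:", ", ".join(missing) or "none")
```

A box that reports all three layers as missing, like the constructed Scratch box, is relying on virtualisation alone.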

Re: Mis-understandings about Sandboxie

Post by Singlemature 25/4/2010, 12:24

Partially agreed with both points; if you don't require a high level of security, just virtualisation mode of protection is enough and easy to use.
But these programs like SD were bypassed several times in the past, like ssj100 mentioned, because once drivers were loaded, there are unlimited possibilities to do anything, including breaching virtualisation programs for sure.

Singlemature
Valued Member

Posts : 31
Join date : 2010-04-22

Re: Mis-understandings about Sandboxie

Post by ssj100 25/4/2010, 12:54

Indeed. I also believe that once anything is able to be executed (if initial execution is allowed), then the possibilities are there to breach even classical HIPS and software like DefenseWall. That's why my main security arsenal is a combination of anti-execution (SRP) and containment (Sandboxie).

If anything is able to bypass (a tightly configured) SRP (never been a reported case of real-world malware that can do this), then it would still need to bypass Sandboxie's start/run restrictions and containment mechanisms.
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Re: Mis-understandings about Sandboxie

Post by Guest 26/4/2010, 10:41

There is an old Irish Proverb that says:
"Faith and reason are like the two shoes on your feet, you can go further with both, than with one."

I see neither ShadowDefender nor Sandboxie as being in any sense redundant.
There are things I cannot do on a granular level with ShadowDefender that
I can with Sandboxie, yet I feel the need for ShadowDefender for MY setup.

Regarding Iggster, the bottom line is (his own words):
1: "Personally I don't like "sandbox" type programs like Sandboxie, but that is just a matter of preference."
2: A look at the tests he has conducted (since shut down by Wilders) proves he is a faithful blacklister/signature detection man.

Nothing wrong with that, but hardly objective about system or application virtualization.
Nice enough guy though. (I like the Terry O'Quinn avatar!!)


noor

Guest

