Sandboxie Forum - Make Sandboxie log suspicious behavior (2048)
http://www.sandboxie.com/phpbb/viewtopic.php?t=2048

----
Rasheed187 | Thu Apr 03, 2008 5:33 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=20092#20092

> Well to an extent I guess, however, for me, a HIPS is something that offers you control over processes, nothing else. Example, SSM and Pro Security...

I agree, but at the end of the day SBIE is also HIPS, but we call it a sandbox because otherwise it becomes confusing.

> Hmm, true, I prefer virtualization, as it allows me to do everything within the OS, but without permanent damage, with HIPS, even though you still have control over processes, the viruses are still running on your real OS though, you know what I mean?

Yes I know what you mean, if some malware is able to install/load, it's still trapped in the sandbox.

> Cool, has he done any HIPS/Sandbox testing yet?

No, at the moment he's really into outbound firewall leaktesting and stuff. I also haven't contacted him yet, I was busy with other stuff (and a bit lazy :x) but it would be nice if he could test SBIE for bugs. The problem is that he doesn't do it for free.

----
SnDPhoenix | Thu Mar 13, 2008 2:22 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19577#19577

> Quoting Rasheed187: No, what I meant was that in fact, behavior blockers, sandboxes, firewalls and even scanners are all HIPS, after all, they all try to protect the host from intrusion right?

Well to an extent I guess, however, for me, a HIPS is something that offers you control over processes, nothing else. Example, SSM and Pro Security... Something like Sandboxie or SafeSpace is more of an isolation program, or more accurately, a sandboxing application. I mean, after all, you wouldn't consider VMware a HIPS would you? It is more of an isolation program than it is a HIPS right? :P

> It depends on what you prefer, if you think that virtualization is important, you need SBIE or SafeSpace, if not, you can use other tools. You know what the thing is, we need someone who can test sandboxes and HIPS against lots of exploits and then we can say which tool is the best solution. Because right now, my opinion is based on limited exploit/malware testing.

Hmm, true, I prefer virtualization, as it allows me to do everything within the OS, but without permanent damage, with HIPS, even though you still have control over processes, the viruses are still running on your real OS though, you know what I mean? Also, I've done lots of malware testing with Sandboxie and it has never failed me. However, with HIPS, I did do some malware testing with them, and as far as I remember, it seemed to keep the OS safe, though I only tested about 10 different things...

> You know what? I will ask Matousek (professional software tester) if he can perhaps also start to test HIPS/sandboxes, right now he's mostly into firewalls (with HIPS capabilities) and he has already found quite a few serious bugs. So at the end of the day, tools will only become stronger and more secure. :D

Cool, has he done any HIPS/Sandbox testing yet? :roll:

----
Rasheed187 | Mon Mar 10, 2008 2:49 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19439#19439

> Ok then fine, he could incorporate it as long as it is something easily enabled or disabled.

Well, I don't see it happening, and I guess it's not a real big problem.

> Exactly, same here, to me something like SSM is a HIPS, not something like (old) Comodo FW...

No, what I meant was that in fact, behavior blockers, sandboxes, firewalls and even scanners are all HIPS, after all, they all try to protect the host from intrusion right?

> I'm sorry, but I have never used a single HIPS out there that isolates better than Sandboxie does...

It depends on what you prefer, if you think that virtualization is important, you need SBIE or SafeSpace, if not, you can use other tools. You know what the thing is, we need someone who can test sandboxes and HIPS against lots of exploits and then we can say which tool is the best solution. Because right now, my opinion is based on limited exploit/malware testing. You know what? I will ask Matousek (professional software tester) if he can perhaps also start to test HIPS/sandboxes, right now he's mostly into firewalls (with HIPS capabilities) and he has already found quite a few serious bugs. So at the end of the day, tools will only become stronger and more secure. :D

----
SnDPhoenix | Mon Mar 10, 2008 2:04 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19437#19437

> Quoting Rasheed187: Now that's funny! :)

:D

> Of course all of this stuff should be optional. And to clarify, I think it would only make sense to block child processes from "forced apps", because they are the ones that are most vulnerable. But I also understand why Tzuk hasn't implemented such a feature yet, because that's not really how most sandboxes work. But as a workaround, people can perhaps add some HIPS with process control. For example, Haute Secure (IE/FF plugin) also tries to stop exploits inside the browser, the problem is that it might conflict with SBIE.

Ok then fine, he could incorporate it as long as it is something easily enabled or disabled.

> What do you mean?
> To clarify, to me, HIPS, Sandbox and Firewall are all HIPS, but when I say HIPS I mean behavior blockers like SSM/NG/PS etc.

Exactly, same here, to me something like SSM is a HIPS, not something like (old) Comodo FW...

> No, but what I meant to say was that I currently feel quite safe even without SBIE's virtualization feature. But you would think that when it comes to isolating apps, sandboxes would do a better job than HIPS, and they do it out of the box too.

I'm sorry, but I have never used a single HIPS out there that isolates better than Sandboxie does... SSM or PS for example only offer control of all processes, file actions, executions, etc.. Sandboxie allows it all, true, but it is isolated in a sandbox, something those other HIPS can't do...

----
Rasheed187 | Mon Mar 10, 2008 12:55 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19432#19432

> Sorry, I was in a rush when I typed that cause mommy only lets me on from 6 to 9 in the evening...

Now that's funny! :)

> I would rather this was just incorporated as an option you could turn on, not something hardcoded into the program, cause I wouldn't use it...

Of course all of this stuff should be optional. And to clarify, I think it would only make sense to block child processes from "forced apps", because they are the ones that are most vulnerable. But I also understand why Tzuk hasn't implemented such a feature yet, because that's not really how most sandboxes work. But as a workaround, people can perhaps add some HIPS with process control. For example, Haute Secure (IE/FF plugin) also tries to stop exploits inside the browser, the problem is that it might conflict with SBIE.

> Wth? Why do you keep saying this? Sandboxie is not a HIPS???!

What do you mean? To clarify, to me, HIPS, Sandbox and Firewall are all HIPS, but when I say HIPS I mean behavior blockers like SSM/NG/PS etc.

> So SSM, or PS could show me all the files and folders created by a program like Sandboxie can...

No, but what I meant to say was that I currently feel quite safe even without SBIE's virtualization feature. But you would think that when it comes to isolating apps, sandboxes probably do a better job than HIPS, and they do it out of the box too, with that I mean, you don't have to configure them.

----
SnDPhoenix | Mon Mar 10, 2008 5:30 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19429#19429

> Quoting Rasheed187: WTF? I thought I was talking to some adults? What is this lame sh*t all about, you're not like 12 years old are you? :)

Sorry, I was in a rush when I typed that cause mommy only lets me on from 6 to 9 in the evening...

> This is exactly my point, with process control, this would have probably never even happened in the first place. Of course it's cool that it couldn't do any damage because of SBIE, but I rather have no malicious processes running at all.

Yeah but what you're asking is for every child process to be denied from executing, however, that would conflict too much in my case, I would rather this was just incorporated as an option you could turn on, not something hardcoded into the program, cause I wouldn't use it...

> Correct, I don't know about all the ins and outs of SBIE, and that's because I don't really use it as a pure HIPS. But you're right, it does give good enough protection, but don't forget, you can also achieve this with regular HIPS like SSM.

Wth? Why do you keep saying this? Sandboxie is not a HIPS???! So SSM, or PS could show me all the files and folders created by a program like Sandboxie can? And then if I decided to remove the program, PS would let me delete the sandbox thus truly removing all traces of the program, just like with Sandboxie? HAHA!

----
Rasheed187 | Sun Mar 09, 2008 3:32 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19391#19391

> Rashbleed187

WTF? I thought I was talking to some adults? What is this lame sh*t all about, you're not like 12 years old are you? :)

> Well I hadn't known this, but at one point one of those sites had opened IE in the background, in a hidden window.... and it turns out that due to the site(s) that had installed all that junk, I had spyware, adware, trojans and even keyloggers, running in the background without me knowing!

This is exactly my point, with process control, this would have probably never even happened in the first place. Of course it's cool that it couldn't do any damage because of SBIE, but I rather have no malicious processes running at all.

> Why would you want to stop them, or are you not aware that Sandboxie already does sandbox them? Every sandboxed drive-by attack already fails to do any damage, so your stating that as a concern indicates that you are not aware of that.

See my answer above.

> PS; btw Mr. Elitist HIPS know-it-all guy, what happened? Finish your first semester last month?

I don't see what your point is. That thread was about some guy trying to convince people that they don't know how to use a HIPS. As a matter of fact, you two start to remind me of this guy, he also easily gets all worked up about this kind of stuff. :D

> Let me guess, you have never used all the functions in Sandboxie, or you haven't paid for the registered version, correct?
> If you know how to use all Sandboxie's functions in conjunction with each other, there is no need for HIPS.

Correct, I don't know about all the ins and outs of SBIE, and that's because I don't really use it as a pure HIPS. But you're right, it does give good enough protection, but don't forget, you can also achieve this with regular HIPS like SSM.

----
MitchE323 | Sun Mar 09, 2008 5:57 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19382#19382

@Rasheed187 Let me guess, you have never used all the functions in Sandboxie, or you haven't paid for the registered version, correct? If you know how to use all Sandboxie's functions in conjunction with each other, there is no need for HIPS. :D

----
SnDPhoenix | Sun Mar 09, 2008 5:05 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19381#19381

Oh forgot to mention, I had IE set as the only process to connect to the net, and I also had IE forced into its own sandbox (something you wouldn't know about), so when it launched in the background, it launched into its own sandbox though, away from the sandbox I was doing my browsing in, so it couldn't communicate with my other sandbox. Furthermore, anything it did capture couldn't have been sent off to anyone, so I guess I was always safe all along, even if I didn't terminate the programs. Still though, it would have been nice to at least know they were running though... :)

----
SnDPhoenix | Sun Mar 09, 2008 4:55 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19380#19380

Hmm, all I can say is this, you might not think so Rashbleed187, but the flashing icon idea would have been great the other day, why? Well summed up shortly, I had been looking around at some "bad sites" which also led to more and more "bad sites" as well.. Well I hadn't known this, but at one point one of those sites had opened IE in the background, in a hidden window, and it was downloading one after another trojan, keylogger, spyware etc.. Now thankfully, I had IE set to be forced so it was all contained inside the sandbox (even though some people don't think so), however though, I was experiencing a major slowdown in speed (due to all the downloading), Sandboxie was a little (more?) sluggish, and it turns out that due to the site(s) that had installed all that junk, I had spyware, adware, trojans and even keyloggers, running in the background without me knowing! :shock: Thankfully, I just happened to open Sandboxie Control and noticed the IE and all the malicious processes running, and I also hadn't entered in any confidential information of mine while those programs were running, but point is, I could have gone to a banking site, or just some forum or my email inbox, and not even know that all that crap was downloading/recording stuff, however, if Sandboxie alerted me on new processes, then I wouldn't have had this problem, as I would've immediately seen that these new processes had started and then I'd just terminate them real quick!

----
MitchE323 | Sun Mar 09, 2008 2:48 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19378#19378

> On the other hand, there is also a problem, namely, in order for my plan to work, SBIE must monitor exactly the same, or even more than the HIPS who takes care of actions outside sandbox.

Hey, you're the one that took it up a level on what a HIPS would cover. It is vague on what it is that Sandboxie would do over and above a HIPS.

> I honestly don't see the point behind this. You mean like in a drive by attack? I think it's a better idea to simply deny apps from starting automatically without user interaction. I think this is an area where sandboxes should become better, it should block child processes automatically. But for now a nice workaround is to make a HIPS (like SSM) take care of this, and this means that almost every "drive by" attack would fail to do any damage, even in the sandbox.

This is also vague in that are you asking for Sandboxie to actually stop all child processes or to sandbox those child processes? Why would you want to stop them, or are you not aware that Sandboxie already does sandbox them? Every sandboxed drive-by attack already fails to do any damage, so your stating that as a concern indicates that you are not aware of that. You're asking for a notification from Sandboxie on some type of behavior that occurs in the sandbox, yet an alert on all new startups makes "no sense to you"? I understand what you are saying, what I am saying is that Tzuk has already turned that down. That is offered as an alternative for you to consider. I guess you are right, I just do not understand.

PS; btw Mr. Elitist HIPS know-it-all guy, what happened? Finish your first semester last month? http://www.wilderssecurity.com/showthread.php?t=197717

----
Rasheed187 | Sat Mar 08, 2008 8:15 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19370#19370

> Really? I thought that EQSecure was like SSM, but with basic sandboxing which is more like GesWall's version of sandboxing, than Sandboxie's version of sandboxing?

Yes it was and is exactly like SSM, but now they have also added a sandbox to it, so perhaps I can ask them to implement my idea, it would make more sense to implement it in a mix between HIPS/Sandbox, than into a pure sandbox like SBIE. But like I said before, it's not quite finished yet, and overall I don't really like the app at the moment, but it does have potential.
> Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox.

I honestly don't see the point behind this. You mean like in a drive by attack? I think it's a better idea to simply deny apps from starting automatically without user interaction. I think this is an area where sandboxes should become better, it should block child processes automatically. But for now a nice workaround is to make a HIPS (like SSM) take care of this, and this means that almost every "drive by" attack would fail to do any damage, even in the sandbox.

> 'Suspicious' is just too vague. IMO.

Let me guess, you have never used a HIPS, or you didn't like them, correct? If you know how to use a HIPS, there is nothing vague about it. :)

----
SnDPhoenix | Fri Mar 07, 2008 2:28 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19340#19340

> Quoting MitchE323: Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox.

Dude, that would have helped me so much the other day! :shock:

----
MitchE323 | Fri Mar 07, 2008 2:25 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19339#19339

> Yes, but I think you got the wrong idea. Right now, SBIE is already blocking lots of stuff to keep the system safe, right? I'm just asking for a feature that would notify me about the suspicious (malicious) behavior that is blocked or virtualized, that's all.

Well, right now Tzuk is considering the flashing icon request that flashes the tray icon when any new program starts in a sandbox. That seems better to me, in that then it would be up to you to determine if it was suspicious. Rather than have Sandboxie somehow keep up to date on everything that was deemed suspicious. 'Suspicious' is just too vague. IMO.

----
SnDPhoenix | Fri Mar 07, 2008 2:17 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19338#19338

> Quoting Rasheed187: Btw, EQSecure is already working on a sandbox based on virtualization, but it still needs lots of work, and I don't really like it at the moment.

Really? I thought that EQSecure was like SSM, but with basic sandboxing which is more like GesWall's version of sandboxing, than Sandboxie's version of sandboxing?

----
Rasheed187 | Fri Mar 07, 2008 2:16 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19337#19337

> Then why do you keep asking me Rasheed?

Perhaps, because I'm not that knowledgeable? No but seriously, I don't see how this feature could be used by the bad guys, because that's what you're saying, no? :?

> then it would be patched (if this had been incorporated in the first place).

So now you want to hack SBIE? :shock:

> Oh thank you, I am flattered!

Well, it was just a question, so don't be. :roll:

----
Rasheed187 | Fri Mar 07, 2008 2:10 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19334#19334

> Having said that, the reason I don't add malware analyzing features is that it isn't just a small feature.

Yes, but I think you got the wrong idea. Right now, SBIE is already blocking lots of stuff to keep the system safe, right? I'm just asking for a feature that would notify me about the suspicious (malicious) behavior that is blocked or virtualized, that's all. :) On the other hand, there is also a problem, namely, in order for my plan to work, SBIE must monitor exactly the same, or even more than the HIPS who takes care of actions outside sandbox. So I think this feature should probably be implemented in the HIPS itself. Btw, EQSecure is already working on a sandbox based on virtualization, but it still needs lots of work, and I don't really like it at the moment.

----
tzuk | Thu Mar 06, 2008 12:01 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19305#19305

Buster I disagree. I welcome attention to Sandboxie from both good and bad guys. The most bad guys should be able to do is design their software to refuse to run if they detect Sandboxie. They shouldn't be able to circumvent the protection; and if they do, I would like to fix it rather than sweep any vulnerabilities under the rug like your approach suggests. Having said that, the reason I don't add malware analyzing features is that it isn't just a small feature. It's an entire area of computer security research, involving behavior/execution analysis, heuristics, and who knows what else. And in my opinion it is unrelated to Sandboxie. The way to go about it is to run both the specialized malware analysis tool, and the malware itself, within the sandbox.

----
Buster | Thu Mar 06, 2008 3:37 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19292#19292

If you add malware analyzing features to Sandboxie you will get even more attention over Sandboxie, and the more attention from bad guys you get over the tool the more vulnerable it will be.

----
SnDPhoenix | Wed Mar 05, 2008 2:23 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19265#19265

> Quoting Rasheed187: LOL, do you really think that more knowledgeable people can't figure it out themselves, without any clues from you?

Then why do you keep asking me Rasheed?
Also I am not saying I have to keep it a secret so people can't figure it out, I have to keep it a secret because if I posted the details, then it would be patched (if this had been incorporated in the first place). :roll:

> What are you, some top notch hacker? :?

Oh thank you, I am flattered! :lol:

----
Rasheed187 | Wed Mar 05, 2008 1:42 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=19262#19262

LOL, do you really think that more knowledgeable people can't figure it out themselves, without any clues from you? What are you, some top notch hacker? :?

----
SnDPhoenix | Wed Mar 05, 2008 4:45 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19244#19244

> Quoting Rasheed187: Do you really have to be so vague? Why not just tell exactly what you mean? I mean the feature has not even been implemented yet, so what exactly are you afraid of? :roll:

Well it's not about being afraid, I just have to keep it a secret! :roll:

----
Rasheed187 | Wed Mar 05, 2008 3:16 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19241#19241

> Ok, I'll give you a hint, it involves coding malware

Do you really have to be so vague? Why not just tell exactly what you mean? I mean the feature has not even been implemented yet, so what exactly are you afraid of? :roll:

----
SnDPhoenix | Sat Mar 01, 2008 2:11 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=19092#19092

> Quoting Rasheed187: No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.

Yeah, you're right, I am thinking of GreenBorder which is equally as sucky IMO...

> Quoting Rasheed187:
> > Well if I told you, I'd have to kill you!
> Well, I guess I will have to take the risk, but no seriously, what do you mean? :)

Ok, I'll give you a hint, it involves coding malware. :wink:

----
Rasheed187 | Wed Feb 27, 2008 7:29 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=18984#18984

> If I am not mistaken, didn't GesWall go out of development?

No, they just recently (a month ago or so) launched a new version, but this app has never worked for me, and IMO the concept sucks.

> Well if I told you, I'd have to kill you!

Well, I guess I will have to take the risk, but no seriously, what do you mean? :)

----
SnDPhoenix | Wed Feb 20, 2008 2:05 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=18654#18654

> For example, GeSwall (a sandbox that sucks *ss IMO) has got an "attack detection" feature.

If I am not mistaken, didn't GesWall go out of development?

> Rashbleed wrote:
> > Ok then yeah, I guess it's a good idea, though I could think of other uses for that!
> Can you explain? What other uses? :?

Well if I told you, I'd have to kill you! :lol:

----
Rasheed187 | Wed Feb 20, 2008 12:56 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=18651#18651

I think this feature would make SBIE a nice tool to analyze malware, you can let code run and see what it tries to do. And SBIE has the advantage that it can virtualize file/registry modifications, so you won't have to block anything yet, just let the malware do what it wants to. Of course, when it's trying to invoke dangerous things (like direct memory access, driver loading etc.) it will be immediately blocked. Basically, SBIE already does all of this, but you won't actually know in detail what a process tries to do. For example, GeSwall (a sandbox that sucks *ss IMO) has got an "attack detection" feature.

> Quoting SnDPhoenix: Ok then yeah, I guess it's a good idea, though I could think of other uses for that! :twisted:

Can you explain? What other uses? :?

----
SnDPhoenix | Mon Feb 18, 2008 12:54 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=18575#18575

Ok then yeah, I guess it's a good idea, though I could think of other uses for that! :twisted:

----
Rasheed187 | Mon Feb 18, 2008 12:47 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=18574#18574

No, you're missing the point. The idea behind this is to first run a tool inside the sandbox and see what kind of behavior is blocked by SBIE. But malware that is able to fool SBIE (so SBIE won't have to block a thing, so you think, OK this tool is safe) will most likely try to exploit the system as soon as it is launched on the real machine (so outside the sandbox). Normally speaking your HIPS will alert you about this, and this way you would instantly know that you're probably dealing with malware. :)

----
SnDPhoenix | Mon Feb 18, 2008 12:30 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=18571#18571

Well, I haven't read all the posts, but isn't this something SSM can do itself? I thought SSM could log everything that a program/file has done on your system? Right? I haven't opened the app in a long time so I might be wrong?
----
Rasheed187 | Mon Feb 18, 2008 12:08 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=18566#18566

Hi, I still think this could be a nice new feature, I explained why at the Wilders Security Forum:

> Btw, there is some discussion going on about malware that is actually able to recognize if it runs in a sandbox or not, this way it can try to act legit or will refuse to run at all. But I can also see advantages, for example, if a tool won't run sandboxed, this might be an indication that something is wrong. And what if SBIE could actually monitor the possible dangerous behavior that a process tries to invoke (just like GeSwall)? Of course it would stay quiet when "sandbox aware" malware will run, but your HIPS will not stay quiet when the malware runs on your real machine! This way you would immediately know that it's most likely to be malicious.

So what do you all think of it? It would make SBIE a nice malware analyzing tool, if I'm correct. :D

----
SnDPhoenix | Mon Sep 24, 2007 8:36 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=13218#13218

I didn't mean just your logging system would make Sandboxie bloated, I was merely talking about the future too, I meant that if people keep requesting Sandboxie to do this just like AppX or do that just like AppZ, then yes, it will bloat Sandboxie.

----
Rasheed187 | Fri Sep 21, 2007 7:31 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=12827#12827

I don't see how adding a logging system would make SBIE bloated. I'm not talking about some super advanced logging system, but a simple log that will show which suspicious/dangerous behavior SBIE blocked. About file/registry monitoring, I can imagine that this is a bit more difficult to add. :wink:

----
SnDPhoenix | Sun Sep 16, 2007 9:33 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=12355#12355

I completely agree. I don't want to see Sandboxie become something it wasn't intended to be in the first place, as Mitch said, it is meant to separate junk from your HD through the use of a sandbox, that's it, why incorporate this or that to the point where Sandboxie becomes as bloated as Norton software (burn!), adding some tweaks to the program to make the program better and/or easier is one thing, but trying to add other stuff to the program to make Sandboxie become totally different software is another thing. H.I.P.S software usually keeps track of file and/or registry changes because that's their job, just like anti-viruses' job is to detect stuff, so maybe we should also add detection capabilities to Sandboxie since other software (A/V's) have that capability (sarcasm). See the point, certain software has stuff that it can do that other programs don't/can't do, that doesn't mean you should try to incorporate those capabilities all into one program, cause then the lightest software (Sandboxie) would become the heaviest, most bloated software ever. In other words, leave the program alone.

----
MitchE323 | Sun Sep 16, 2007 9:23 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=12351#12351

Sandboxie takes what you are doing and isolates it away from your OS. That's it. Sandboxie has proven out to be remarkably flexible and its beauty is in how users can shape it to their own needs. For every item that you force Sandboxie to do, a decision is taken away from you. I agree that a lot of users would be happy with that. But I would also add that a lot of users would not. I appreciate the fact that I can form/shape the program to my needs. Also the price might go up.

----
Rasheed187 | Sun Sep 16, 2007 6:54 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=12341#12341

OK thanks, never really paid attention to these settings, but it would be cooler if SBIE could show all this stuff via a GUI based log, just like most HIPS do nowadays. Same goes for tracking file and registry changes, right now there is no easy way to find out what an app exactly tries to do. I do sometimes get alerts from my HIPS, but I've noticed that it can not spot everything, probably because the process is controlled by SBIE. :wink:

----
dlguild | Mon Sep 10, 2007 12:11 am | http://www.sandboxie.com/phpbb/viewtopic.php?p=11662#11662

Are you asking for an embellished version of Sandboxie Trace? http://www.sandboxie.com/index.php?SandboxieTrace

It's pretty easy to set up Sandboxie Trace to see what is blocked. Just change these settings in sandboxie.ini to:

    FileTrace=D
    PipeTrace=D
    KeyTrace=D
    IpcTrace=D
    GuiTrace=D

Then run debugview.exe anytime you want to see what is blocked. I agree the DebugView GUI is a bit lacking, but I don't know what additional information could be gleaned programmatically which could be added to a new debug GUI. And the information contained is only as useful as the user's ability to interpret it.

----
Rasheed187 | Sun Sep 09, 2007 7:59 pm | http://www.sandboxie.com/phpbb/viewtopic.php?p=11658#11658
Subject: Make Sandboxie log suspicious behavior

Hi, I just wonder if you could add an option to make SBIE show what it has blocked, so let's say if an app tried to access memory, it would be nice if it could log this. And perhaps it could also precisely show all file system and registry modifications via a nice GUI? :)
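The trace setup dlguild describes (the five `...Trace=D` keys in sandboxie.ini, which make Sandboxie write its denied accesses to the debug output that DebugView shows) is the part of this thread a defender can actually act on. The helper below is an added example, not code from the thread, from Sandboxie or from any poster: it applies those settings to one sandbox section of a Sandboxie.ini text idempotently, so re-running it never duplicates keys and an existing `FileTrace=*` is replaced rather than left alongside the new value. It assumes the section layout `[GlobalSettings]` plus one section per box (`[DefaultBox]` being the default box), treats the trace letter `D` as the thread uses it (log denied accesses), and the sample ini content is constructed here for the demonstration. It works line by line because Sandboxie.ini legitimately repeats keys such as `OpenFilePath=`, which Python's `configparser` rejects.

```python
"""Enable Sandboxie Trace (denied accesses) for one sandbox in Sandboxie.ini.

Added example, not Sandboxie's own code. Assumes the usual layout:
[GlobalSettings] plus one [BoxName] section per sandbox ([DefaultBox] is
the default box). Trace keys take a single letter; this thread uses D to
log denied (blocked) accesses. Sandboxie.ini may repeat a key many times
(e.g. several OpenFilePath= lines), so configparser is a poor fit and the
file is edited line by line instead.
"""
from __future__ import annotations

import re

TRACE_KEYS = ("FileTrace", "PipeTrace", "KeyTrace", "IpcTrace", "GuiTrace")
_TRACE_KEYS_LOWER = {k.lower() for k in TRACE_KEYS}
_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Constructed sample Sandboxie.ini (not a real user's file): DefaultBox
# already carries two conflicting FileTrace lines that must be collapsed.
SAMPLE_INI = """[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
FileTrace=*
OpenFilePath=C:\\Downloads\\
FileTrace=A

[Work]
Enabled=y
"""


def _split_sections(text: str) -> list[tuple[str | None, list[str]]]:
    """Split INI text into (section_name, lines) blocks, preserving order.
    Lines before the first [header] get the section name None."""
    blocks: list[tuple[str | None, list[str]]] = [(None, [])]
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            blocks.append((m.group(1), []))
        else:
            blocks[-1][1].append(line)
    return blocks


def _is_trace_line(line: str) -> bool:
    """True if the line sets one of the *Trace keys (case-insensitive)."""
    return line.split("=", 1)[0].strip().lower() in _TRACE_KEYS_LOWER


def enable_trace(ini_text: str, box: str = "DefaultBox", mode: str = "D") -> str:
    """Return ini_text with every TRACE_KEY set to `mode` inside [box].

    Existing trace lines in that section are removed first (so duplicates
    collapse to one value), all other lines and sections are kept verbatim,
    and the section is appended if it does not exist yet. Section and key
    names are compared case-insensitively, as Sandboxie does.
    """
    out: list[str] = []
    found = False
    for name, lines in _split_sections(ini_text):
        if name is not None:
            out.append(f"[{name}]")
        if name is not None and name.lower() == box.lower():
            found = True
            kept = [ln for ln in lines if not _is_trace_line(ln)]
            while kept and kept[-1].strip() == "":   # re-add one blank below
                kept.pop()
            out.extend(kept)
            out.extend(f"{k}={mode}" for k in TRACE_KEYS)
            out.append("")
        else:
            out.extend(lines)
    if not found:
        if out and out[-1].strip() != "":
            out.append("")
        out.append(f"[{box}]")
        out.extend(f"{k}={mode}" for k in TRACE_KEYS)
    return "\n".join(out) + "\n"


def trace_settings(ini_text: str, box: str = "DefaultBox") -> dict[str, str]:
    """Read back the *Trace settings of [box]; later duplicates win."""
    result: dict[str, str] = {}
    for name, lines in _split_sections(ini_text):
        if name is not None and name.lower() == box.lower():
            for ln in lines:
                if "=" in ln and _is_trace_line(ln):
                    k, v = ln.split("=", 1)
                    result[k.strip()] = v.strip()
    return result


if __name__ == "__main__":
    print(enable_trace(SAMPLE_INI))
```

To apply it to a real installation, read Sandboxie.ini, pass the text through `enable_trace`, and write it back with the same encoding (Sandboxie stores the file as UTF-16, so `open(path, encoding="utf-16")` rather than the default); then start DebugView as dlguild describes. Setting the keys in `[GlobalSettings]` instead of a box section would turn tracing on for every sandbox, which is noisier than you want while looking at one suspect program.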