Re: Resuming support for 64-bit Sandboxie
RSecure
Guest
I'm sorry if my above post sounded negative.
So tzuk, can you please discuss the viability of my suggestions?
RSecure
Guest
I read somewhere that invoking the debugger on x64 disables PatchGuard: www.codeproject.com/KB/vista-security/bypassing-patchguard.aspx
- a related article on the matter which you have probably read before. MS view on the matter: http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx and contact address for interfaces you need them to support: KPPinput@Microsoft.com
ssj100
Yes, but wouldn't running as a Limited User in Windows itself be equivalent to having Drop Rights enabled? In fact, running as a Limited User provides system-wide protection - something Sandboxie doesn't really provide (and never will). Also, what do you mean exactly when you say "unless you trust the stuff..."? For example, I trust my Firefox browser, but it's still potentially a malware "threat-gate". I always install Firefox outside of the sandbox (that is, on the REAL system), but I always force open "firefox.exe" sandboxed with start/run/internet restrictions configured as appropriate. Also keep in mind that all this is running in a LUA with SRP enabled system-wide. How does keeping the Drop Rights option enabled benefit at all in this scenario?

Or are you saying that malware programs (and other untrusted programs) should only be installed/run with Drop Rights enabled in the relevant sandbox on 64-bit? This makes sense, as if I wanted to test a program in Sandboxie in my LUA, I would need to use SuRun to give the program administrator rights. And giving the program administrator rights would mean that it would be able to target freely (write to) anything in Windows, including C:\Program Files, C:\Windows, the Master Boot Record etc. If I'm understanding you correctly, I would be able to do this with confidence (that any malicious activity would be blocked) on a 32-bit machine, but no longer on 64-bit machines (unless Drop Rights is enabled)?

If that is so, then pleasingly, I suspect I will still be very comfortable with using Sandboxie on a 64-bit machine. The reason is that I never test malware or programs from untrusted sources (or in fact, even trusted sources) on my REAL system - I always use (a sandboxed) VirtualBox for that, and I'm always working in a LUA with SRP enabled. In other words, I suspect Sandboxie 64-bit will still be able to provide the equivalent protection for me as with 32-bit.

Your thoughts and opinions (and anyone else who knows what the heck I'm talking about haha) are always appreciated.

EDIT: by the way, I hope someone will appreciate how powerful using Sandboxie in a LUA is. Furthermore, using SRP simply doubles the protection of Sandboxie's anti-executable function within the sandbox, and also provides a powerful system-wide anti-executable function (which Sandboxie lacks). Simply amazing, considering LUA + SRP will cause no conflicts, doesn't cause any slow-down, and is completely free (comes built into Windows). Sorry, just couldn't help with the LUA + SRP spew haha. However, if I'm understanding the 64-bit issues correctly, it is going to be even more important to use Sandboxie in a LUA for "100%" set-and-forget security.
Last edited by ssj100 on Tue Jan 05, 2010 4:18 am; edited 2 times in total
_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
RSecure
Guest
Well, let me just squeeze in one important question... does Sandboxie x64 protect ring 0? (the kernel, MBR etc.)
tester
Guest
Hey ssj100, when you talk about LUA and SRP, is SRP enabled by default? Or does it need to be configured to a certain setting?
arran
+1 and +1. Agreed, yes, Tzuk should team up with Ilya (DefenseWall) and also xiaolin (Malware Defender) to try and get MS to help here. Is it possible to disable PatchGuard? If so, I agree Tzuk can make a 64-bit Sandboxie version with PatchGuard disabled and give instructions as to how to disable it.
ssj100
I am using Windows XP. On Windows XP, SRP needs to be "activated" - very easily done, and I think it's very similar in Vista and 7: http://www.mechbgon.com/srp/
Mike
To refresh our memory: http://www.sandboxie.com/phpbb/viewtopic.php?t=6606
Apparently not so easy: http://www.wilderssecurity.com/showthread.php?t=250126 - see post #80 (pg. 4), and #236, 237, 244 (pg. 10)
http://www.sandboxie.com/phpbb/viewtopic.php?t=6234
http://www.sandboxie.com/phpbb/viewtopic.php?t=4633
You're quite the evangelist.
ssj100
From my understanding, I don't think Tzuk is really settling for less:
As bolded above, Sandboxie 64-bit cannot guarantee that software in the sandbox does not connect to a service outside the sandbox. But wouldn't using programs in a LUA guarantee that software does not connect to a service anyway? Or even if it did connect to a service, it couldn't do anything, right? The reason why I am fairly sure about this is that I can't even disable, enable or modify my Windows services while I am in my LUA (it requires administrator rights). Also, isn't a LUA limited at kernel level, thus providing this "kernel mode guarantee" of protection? And isn't this the reason why Tzuk has enabled "Drop Rights" by default for 64-bit versions?
tester
Guest
So is SRP enabled by default in Windows 7?
xp?
roni
Guest
Any support for XP Pro SP2 64-bit??
Kees1958
1. I think it is a wise decision; you have built so much reputation (ergo value) into the Sandboxie brand that it would be a shame to lose the existing customer base.

2. Tzuk, does this mean that on application level a side-by-side intrusion of lowest rights is prevented, but on services level a low (or lowest?) rights side-by-side intrusion is possible? Is it lowest rights which you invoke? If not, could this be an option? Reason for asking is: I am running Iron through psexec with lowest rights on a 'browsing' user with ACL rules enforcing a stronger-than-LUA environment on a Vista x64 box and can say the side-by-side intrusions on lowest level are no worry to me.

3. I have found some post on the internet where a programmer claimed he could invoke the regular Vista virtualisation option of registry and files. I tried the sample code but could not get it working in LUA (only as pseudo-admin; now regretting I have removed these links from my favourites). Would it be an idea to run Sandboxie with admin rights requiring Vista/Windows virtualisation, and have a Buster Sandbox Analyser type of "On-SBIE-exit" process started to check any leftovers of possible lowest-rights process-level side-by-side intrusions (analysing pre and post situation of v.i. virtualised registry entries of Vista/Win7)?

Thanks, Kees

EDIT: Tried to run the x64 version on Vista x64; even when starting as admin the service would not start, probably due to restrictions enforced through the OS, so will leave it because it is not my play PC, but my son's gaming PC.
tzuk
With respect, I have no interest in discussing any of these things again. You might want to re-read the 64-bit forum (hurry up, before I get rid of it).
I might not have specifically disabled support for versions of Windows before Vista SP1. So try it. But whether it works or not, XP 64 is not a platform that I intend to support.
I'm not saying you shouldn't run as a Limited User. But Sandboxie might run some services inside the sandbox, and these services don't run as a limited user. The drop rights option tells Sandboxie not to run services in the sandbox. There is however a downside in that the drop rights option might prevent actually installing stuff into the sandbox. For one thing, UAC elevation will not be possible.
I mean if you want to install some legitimate software into a sandbox, for whatever reason. You know the software isn't going to try to take over your machine, but you still want to keep it isolated. I think there are a lot of people who use this aspect of Sandboxie.
_________________
tzuk
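The thread keeps coming back to three settings: whether SRP is actually activated (ssj100's mechbgon link), whether the session is a limited user, and whether a sandbox has Drop Rights set, which tzuk explains decides whether Sandboxie starts services inside the box. The PowerShell audit below is an added example, not code from this thread or from Sandboxie itself. It reads the standard SRP policy key, checks the current token, and parses Sandboxie.ini for DropAdminRights; the ini path (C:\Windows\Sandboxie.ini) and the box name (DefaultBox) are assumptions you can override with the parameters.

```powershell
# Added audit script, not from this thread or from Sandboxie itself.
# Reports: (1) SRP default level, (2) whether this session is a limited user,
# (3) whether DropAdminRights is set for a sandbox in Sandboxie.ini.
# Assumptions: Sandboxie.ini lives at C:\Windows\Sandboxie.ini and the box is
# called DefaultBox; override both with the parameters.
param(
    [string]$SandboxieIni = 'C:\Windows\Sandboxie.ini',  # assumed path
    [string]$BoxName      = 'DefaultBox'                  # assumed box name
)

# 1. SRP: the policy lives under this key. DefaultLevel 0 = Disallowed
#    (default-deny, the mechbgon setup), 0x20000 = Basic User,
#    0x40000 = Unrestricted. No value at all means SRP was never activated.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$level = (Get-ItemProperty -Path $saferKey -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
if ($null -eq $level) {
    Write-Output 'SRP: not activated (no DefaultLevel under Safer\CodeIdentifiers)'
} else {
    $name = switch ($level) {
        0       { 'Disallowed (default-deny)' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted (activated, but blocks nothing by default)' }
        default { ('unknown 0x{0:X}' -f $level) }
    }
    Write-Output "SRP: DefaultLevel = $name"
}

# 2. LUA check: is the token we run under in the Administrators role?
#    Under UAC a non-elevated admin also reports $false here, which is the
#    point: only an elevated token can write to Program Files, Windows, etc.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) { Write-Output "Session: $($identity.Name) is an elevated administrator" }
else          { Write-Output "Session: $($identity.Name) is a limited user (LUA)" }

# 3. Drop Rights: Sandboxie.ini is INI-style, one [BoxName] section per box.
#    DropAdminRights=y is the ini form of the "Drop Rights" checkbox; with it
#    off, services Sandboxie starts inside the box do not run as a limited user.
if (-not (Test-Path $SandboxieIni)) {
    Write-Output "Sandboxie: $SandboxieIni not found (not installed, or ini elsewhere)"
} else {
    $inBox = $false
    $dropRights = $null
    foreach ($line in Get-Content $SandboxieIni) {
        # Section header switches which box we are looking at
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inBox = ($Matches[1] -eq $BoxName); continue }
        # Only keys inside the requested box count
        if ($inBox -and $line -match '^\s*DropAdminRights\s*=\s*(\S+)') { $dropRights = $Matches[1] }
    }
    if ($dropRights -eq 'y') {
        Write-Output "Sandboxie [$BoxName]: Drop Rights ON (no services started inside the box)"
    } else {
        Write-Output "Sandboxie [$BoxName]: Drop Rights OFF (services may run inside the box; UAC elevation possible)"
    }
}
```

Run it once from the limited account and once from an elevated prompt: the SRP and Drop Rights lines should not change, while the session line flips, which is exactly the split tzuk describes between what the user token restricts and what the sandbox's own services are allowed to do.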
Buster
tzuk: IMHO I consider you were not clear or specific enough about what you expected from users, or at least users didn't get your message because you didn't actively repeat it enough.
Maybe you are still in time to change things for the 64-bit platform if you get enough pressure on Microsoft, but to get that pressure you would have to be more active in your demands. I was thinking of something like writing a manifest and asking people to mail Microsoft saying they agree with the manifest. I consider it unrealistic to expect to get enough pressure on Microsoft and reach a point where things will change just by writing a comment in the 64-bit FAQ page. A mass must be guided in a direction by someone. Without someone guiding it, the mass will not go anywhere. At the same time I feel like you don't want to be that person and you prefer someone else takes the torch. If it didn't happen, I doubt it will. So remember... no pain, no gain.