RSecure
Guest
1. OK, message received. Please bear with me and understand that I want only the best for you and SBIE.
2. The paper tiger analogy was aimed at describing the less secure 64-bit SB; I in no way meant the 32-bit. Bottom line is: I know what I'm talking about.
3. Emailing them and waiting for a response (this should probably have been done by you, the developer, as you know what technical limitations you'd like them to address more than anyone else does). I'm all for filing an online petition also. Rather than just accepting the situation as it is, I'm trying to do something. I think that talking Ilya and Steve Gibson into helping out would be a good move.

Concerning PatchGuard: so you're basically saying that the end user is forbidden to customize or tweak his machine or else MS sues them. For users, disabling this should be no different than choosing to disable Windows Firewall or not using IE. Similarly, Microsoft seems to think that they are "great" security features that should not be replaced by third-party s/w, but the reality is that most experienced and competent PC users choose to disable or disuse them and replace them with superior apps. As long as your new design of x64 doesn't automatically disable or tamper with PatchGuard, I don't see how MS can possibly lay a finger on you; delegate this problem to the end user, who can freely disable PatchGuard himself. Make it so that, if SBIE detects PatchGuard, it refuses to install rather than modding anything that would cause BSODs.

ssj100
Boy, you're being terribly persistent here, haha! Some things that may be worth thinking about:
1. As nick_s has already stated/implied, what is stopping Microsoft from simply releasing a patch to re-enable PatchGuard, or to make your life difficult (e.g. loss of function) by not having PatchGuard enabled?
2. I get the feeling that Microsoft are not going to budge on their 64-bit standpoint, and that perhaps Tzuk has already "been there, done that".
3. Why are people choosing to use 64-bit? Are you all planning to run virtual machines with Linux Ubuntu, Mint, openSUSE, Windows 2000, XP, Vista and 7 open all at once, and allocate 2Gb of memory to each of them? Because I just can't see any reason why 99% of users would ever need more than 4Gb of RAM (within the next decade).
4. How many people who use 64-bit instead of 32-bit Windows actually genuinely benefit significantly? For me personally, I barely use more than 500Mb of RAM (I have 2Gb total) on average, unless I open up a virtual machine. Do I run chess engines (e.g. Rybka 64-bit) as a profession, and require maximum output? If I did, I would also be using something like a 16-core processor to maximise the chess engine's calculating power... right? How many of us require that?
5. Gaming. How many people who use Sandboxie are actually keeping up with, or are planning to play, the latest and greatest computer games (which would benefit from 64-bit architecture)? Good luck running these latest and greatest games sandboxed (with Sandboxie) when you play online. And you'd want to run these games sandboxed because they are potential malware "threat-gates", and are connecting directly to the outside cyber world. Those of us who are paranoid enough and want "100%" protection (and who are perhaps asking Tzuk to find a way to get Sandboxie 64-bit to provide the equivalent protection as 32-bit) would certainly want to run it sandboxed with start/run/internet access and "ClosedFilePath" restrictions. Will that be possible?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

|
tzuk
Julian, I checked and it is as I remembered. The kill5 overwrites the user-mode hook on the EndTask API, replacing it with the original code, and then invokes that API to close the main window of the application to kill. With 32-bit Sandboxie it doesn't matter, because there is additional kernel-mode supervision on communicating the actual request to the csrss.exe process. But on 64-bit... that's not possible. Well, I'm going to leave it like this for now.

RSecure, this is getting tedious, so I will try to be brief:
1. Have you actually done any reading on PatchGuard? I think something like 90% of the articles about it are positive, because everyone is buying the anti-rootkit party line. So... good luck with your petition.
2. There is no option to freely disable PatchGuard. The debugger thing is a bad idea and nobody is going to do it. Like I asked arran: have you actually tried that at any point, or are you just assuming it's a perfect solution?

_________________
tzuk

|
arran
That would be irrelevant. What's to stop us from turning off automatic updates, or only selecting a few individual updates to install?

|
arran
OK, I take your word for it that the debugger may affect system performance; I'll probably test soon when I get 64-bit. Also, tzuk, is it possible to install a 32-bit version of Sandboxie on a 64-bit computer, with it running in 32-bit mode with PatchGuard disabled? Would it produce the same level of security?

|
ssj100
You mean what is to stop us from turning off Windows updates altogether? Well, what if an update was released to fix a bug/incompatibility or to improve performance etc., and in order to apply it, you need to have PatchGuard enabled normally? That would be a big downfall for sure, right?

|
arran
Do critical updates in Windows 7's early days; then, when it is running stable, turn off auto updates altogether and then disable PatchGuard. For XP I haven't done any updates since SP2 and it runs fine. How come you don't post on Wilders any more, SSJ?

|
RSecure
Guest
ssj, I'm not saying that I personally prefer or need 64-bit. I hate it very much in fact, and see it as a marketing ploy for the vast unknowledgeable users, who don't understand that it's useless for the apps that they use. Only a handful of graphic designers and architects could really tap the power of 64-bit, due to them using AutoCAD or Photoshop. What really bugs me is how much of a roadblock KPG is for development of security products... in the sense that it makes it tougher for you to install real and effective protection on your system, yet it itself could be easily circumvented by determined malware writers. The problem, however, is those greedy OEMs: every time I go to my local Best Buy store, or the Walmart and Sam's Club section, 32-bit systems are nowhere in sight, so my next option was to keep looking for a Win7 version with XP Mode (Pro and Ultimate), which were not readily available till I did some customizing with dell.com online. I'm worried: what if my current hardware fails?? I'll be doomed to using a handicapped 64-bit OS that I can never fully secure.

Again, your statement simply misses the point, as there is a documented and legit way, that Microsoft approves of, to disable PatchGuard. Your statement implies that I asked Tzuk to design SBIE to circumvent KPG while it's running -- I did not. Debugging will disable it according to the Microsoft homepage. For those of you that are following the topic and are willing to help this experiment, follow these instructions on debugging Windows Vista: http://www.microsoft.com/whdc/driver/tips/Debug_Vista.mspx Again, you can of course disable PatchGuard in a DOCUMENTED, STABLE and EASY manner, by running the following commands in a root-shell and restarting the PC afterwards:

I'll be testing out with debug mode and will report my findings. If anyone else is interested, please feel free to help out.

|
arran
RSecure, I look forward to hearing from you as to how well your OS will perform with debugging. If this works, this will really be our only option to give Sandboxie kernel access. We will all have to move to 64-bit eventually.

|
ssj100
I understand where you're coming from, but I still think that it's clearly a disadvantage regardless. Who knows when exactly Windows 7 will be "running stable" for everyone? How long did it take for Microsoft to release SP2 for Windows XP? I think it took about 3 years. Also, I think the best and most fundamental way to protect against direct Windows exploits is by patching. No third-party security software provides theoretically "100%" protection, particularly because it depends on what the user does. For example, probably the most frightening Windows exploits I've seen are those .wmf exploits, and ultimately what was the best defense against them? Installing the patch via Windows Update! Those exploits are now completely dead because of a simple patch released by Microsoft. The way I see it, a fully patched system with programs updated to their latest versions is always going to be safer (and thus get closer to that "100%" protection) than a system that isn't, regardless of what third-party solution you're using. Oh, and haven't you heard? I got permanently IP/country banned from Wilders for no reason and with no warning. I know many people from my work and throughout the country that can't register and post on Wilders now. Apologies to them haha, but I'm still not sure what I did wrong.

Thanks for the clarification!

|
arran
I disagree that patching provides better security than 3rd-party software. Let's take your browser for example: Firefox and other browsers are always releasing updates with patches to patch security holes, but a browser inside Sandboxie covers all zero-day attacks. Just like your OS with an anti-executable, and your OS with Deep Freeze, protects against zero-day attacks. This is why I don't bother with the latest updates; there is just no need to. Sorry to hear about being banned from Wilders; even with my ranting and attacks I still considered you a valued member and enjoyed reading your views and opinions. Banned with no warning, that seems wrong to me. How many other people know about this? Hmm, I wonder why Wilders is giving themselves a bad reputation with this? It kinda makes me wonder why our friend Easter does not come on Wilders either; I so miss Easter.

|
ssj100
No, I didn't say that patching provides better security than 3rd-party software. What I meant was that, all things being equal, having everything up to date with the latest patches is the best way to go, in order to get as close to "100%" protection as possible. As we know, Sandboxie is pretty much "100%", but it has been "bypassed" before. And thanks for your support. Yes, many people have also offered me a lot of support (mostly via PM). I also "enjoyed" our rants against each other!

|
arran
The 1 out of 100 or so samples that bypassed Sandboxie only bypassed Sandboxie because it was allowed to execute and run. PS: I sent you a PM. Anyway, we need to get back on topic, sorry Tzuk. Sandboxie 64-bit discussion continued.

|
lylejk
Sounds good. Still pretty happy running SBIE in VirtualBox XP, but might try it in Win7 mode in a few days. Still, I see way too many PCs come in at the shop (I fix PCs for a living, if you call it that), and when tzuk says he still has a few reservations concerning 64-bit Sandboxie due to PatchGuard issues, that still gives me pause.

Well, I did try it after all and promptly uninstalled it, since I get an MSIServe error and something to do with reduced rights (sorry; forgot the exact error, but now I will wait till a more official release comes by). Again, VirtualBox XP is fine with me. I already have set shares between my VM and my host, so I pass files as needed anyway. My only issue is the long delay for SBIESrv to load at initial boot (not that long; around 40 or so seconds), but I don't have to boot my VM that often (will now, since I'm about to reboot the host since the uninstall is requiring it and I chose to delay that until I typed here; lol). Still, it is cool that you decided to support 64-bit OS, even if it isn't the full support that you would like (maybe the folk over at Microsoft might listen to you and give you what you need to make it better).

Resuming support for 64-bit Sandboxie