Hello. In the old, very first version of the program, there was such a function as a “sandbox”. Later, this name was changed to “restriction of rights”. I can’t judge how effective this function was in SpyShelter, but as a user who has been using the program of the same name (Sandboxie) for a long time (before its developer changed), I can say that this function is very useful.
This feature is best known from the Comodo Internet Security antivirus, where it seems to be called a “container” or something like that. I did not use this antivirus, but I watched a lot of tests of this product, and in many ways it was only thanks to the sandbox (container) that Comodo protected the system.
The question is: will such a function be returned to SpyShelter again (perhaps in some kind of redesigned, modified form) or will there no longer be such a function at all? It would be nice if SpyShelter offered to run all unknown/little-known programs, as well as programs without a digital signature or with a digital signature of an unknown/little-known publisher in a limited environment - in a sandbox, or with strict rights restrictions.
In this case, malware that has a digital signature (except for those that were signed with a hacked digital signature of a well-known trusted publisher) will have less chance (or no chance at all) to harm the system, steal information, etc.
Thanks for your feedback, and thanks for bringing up this idea. Now Microsoft has a free built-in “Windows Sandbox” that’s good, plus there are other free open source sandbox tools. Also, I’ve noticed these things use major resources, so we don’t plan to try to compete with them.
However, the idea of limiting what apps can do is an important part of SpyShelter. One item we’re working on is preventing processes from launching other processes. We plan to add more and more controls on applications over time, so if you could call this a “sandbox” then yes, we’re working on many more app controls for the Rules tab.
Such a small program as OSArmor has progressed very well in this direction. It contains many different rules that can be disabled and enabled (3 modes of operation), and there is a mode for creating your own additional rules (exceptions) in addition to those that the program offers. Look, maybe something (some individual rules) from the set of rules laid down in this program can be adopted in SpyShelter. It is always useful to get acquainted with the experience of others.
We will take a look, thanks for your feedback.
FYI: Windows Sandbox is resident in Pro and Enterprise only. There are ways to install it on Home systems if one trusts the online instructions.
I’ve been using the Protected Files feature in the File Integrity Control Protection. A sandbox of sorts.
I stash my KeePassXC kdbx files in there, the app has no trouble opening them.
Good catch. I thought it was built in to all Windows versions.
I believe that OSArmor isn’t really a sandbox, it’s a HIPS focused on process execution blocking.
I would also like to see this feature in SS 15, so instead of blocking ALL new processes, it should only be focused on system processes that are often abused by malware. Same goes for the anti-exploit feature, SS 15 should be able to block often attacked apps like the browser or PDF reader from loading unknown child processes.
Examples of true sandboxes are Sandboxie and Shade. Certain AVs like Comodo also offer this feature. It basically virtualizes the system, so all writes to the file system, registry and interprocess communications are redirected, which means that malware cannot modify the real system. But I believe this is out of SpyShelter’s scope.
https://www.softpedia.com/get/Tweak/Browser-Tweak/Sandboxie.shtml
https://www.softpedia.com/get/Security/Security-Related/Shade-Cybergenic.shtml
Yup. I think that’s too much of a unique feature for us to add. I know Sandboxie is popular and works well.
Yes, the old Restricted Apps feature in SS Classic wasn’t as advanced as Sandboxie and was also quite unhandy to use.
But what do you think about my other comment? I would rather see that SS 15 is focused on blocking suspicious process execution (of so-called LOLBins) instead of acting like a system-wide whitelisting tool, where it will block all unknown tools. I mean my AV (Windows Defender) already decides what is malware or not, so I don’t need SS for this, know what I mean?
We decided to add some basic threat protection for our free users that checks executables for threats, but I do understand your point and we aren’t trying to be an antivirus. SpyShelter focuses on visualizing what’s going on with your PC, then letting you make system wide rules on what can run.
If I am not understanding 100% I apologize.
I appreciate your feedback though and will share with our team. Thanks!
Basically, a lot of malware will use system processes to do any damage; this is what we call LOLBins. So if SS could alert about this stuff it would be nice.
On the other hand, it might be a bit complex to develop this stuff and it might also result in false positives. So perhaps on second thought, it’s probably best not to implement this.
I will ask our team to read your comments on LOLBins and see if there is something we can do.
Yes, so basically it should alert about untrusted processes that are trying to launch the so-called LOLBins, which are system processes that are being abused.
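The two rules proposed in this thread (alert when an untrusted process launches a LOLBin, and when a browser or PDF reader starts an unknown child), sketched as an added example that is not part of any post and is not SpyShelter or OSArmor code. The watch lists, publisher names and events are assumptions constructed for illustration; the last event shows the false-positive case raised above.

```python
import ntpath

# Assumed watch lists (not from the thread): well-known Windows LOLBins and
# commonly targeted applications. Publisher names are constructed samples.
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe"}
EXPOSED_APPS = {"chrome.exe", "firefox.exe", "msedge.exe", "acrord32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED = {"Microsoft Windows", "Adobe Inc."}

def is_lolbin(path):
    """A watched file name counts only when it sits in a system directory."""
    p = path.lower()
    return ntpath.basename(p) in LOLBINS and p.startswith(SYSTEM_DIRS)

def evaluate(event, trusted=TRUSTED):
    """Return the alerts raised by one process-creation event."""
    alerts = []
    parent = ntpath.basename(event["parent"]).lower()
    child = ntpath.basename(event["child"]).lower()
    # Rule 1: an untrusted (unsigned or unknown-publisher) parent starts a LOLBin.
    if event["parent_signer"] not in trusted and is_lolbin(event["child"]):
        alerts.append(f"untrusted {parent} -> LOLBin {child}")
    # Rule 2: a browser or PDF reader starts a child from an unknown publisher.
    if parent in EXPOSED_APPS and event["child_signer"] not in trusted:
        alerts.append(f"exposed app {parent} -> unknown child {child}")
    return alerts

# Constructed sample events: (parent path, parent signer, child path, child signer).
SAMPLE = [
    ("C:\\Users\\a\\Downloads\\invoice.exe", None,
     "C:\\Windows\\System32\\mshta.exe", "Microsoft Windows"),
    ("C:\\Windows\\explorer.exe", "Microsoft Windows",
     "C:\\Windows\\System32\\cmd.exe", "Microsoft Windows"),
    ("C:\\Program Files\\Reader\\AcroRd32.exe", "Adobe Inc.",
     "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe", None),
    # An unsigned build tool calling cmd.exe: the false-positive case.
    ("C:\\Tools\\make.exe", None,
     "C:\\Windows\\System32\\cmd.exe", "Microsoft Windows"),
]
KEYS = ("parent", "parent_signer", "child", "child_signer")

def scan(rows=SAMPLE):
    """Evaluate every row and return one alert list per event."""
    return [evaluate(dict(zip(KEYS, row))) for row in rows]

if __name__ == "__main__":
    for row, alerts in zip(SAMPLE, scan()):
        print(row[0], "=>", alerts or "allowed")
```

A trusted parent such as explorer.exe starting cmd.exe passes silently, while the unsigned build tool does not, which is why a rule like this needs per-application exceptions.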