Integrity Levels Vs. Sandboxie

sandboxie security windows malware

#1 exus69

exus69

    Private

  • Members
  • 3 posts

Posted 10 June 2013 - 03:49 AM

Hello,

I just read about Windows IL and the following is what I have understood about it. Please correct me if I am wrong.

The Windows IL mechanism helps to protect processes and files/folders from malware by restricting access (read, write or execute): the vulnerable process (e.g. a browser) runs with Low IL so that it cannot access (read, write or execute) those processes or files/folders running with Medium IL or higher.

If my above understanding is correct then let's take a real-world scenario of IL and try to fit the role of Sandboxie into it.

Assuming that I am running Firefox (5 tabs open) with Low IL and a malware hits it.

- The malware can access data on other tabs.

- The malware cannot access Office applications, Adobe Reader, Chrome, files/folders on my D: since they all have Medium IL


According to the above scenario, if I visit a genuine site for work which is clean and I need to read a PDF/Word/Excel file, then how can I read it? Is downloading it and then opening it separately the only option? Or let's suppose I open gmail.com using Firefox (Low IL) and I need to attach some PDF/Word/Excel files (Medium IL). How can I do it? In the latter scenario, one thing I can do is give those PDF/Word/Excel files Low IL as well, but then it will defeat the very purpose of Integrity Levels.

After reading about ILs I was wondering if Sandboxie was doing anything different? You can give the same kind of restrictions that ILs give in SB. In fact, SB does it all in a virtual environment, unlike ILs. Additionally, ILs are an inbuilt Windows feature, so I guess the bad guys would be more interested in bypassing them than SB. Agreed, more security software increases the attack surface, but SB has been pretty solid over the years with its developer quickly closing any holes.

So is it necessary to configure ILs if you have a well-configured SB?
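As an added illustration (not part of the original post), the built-in `whoami` and `icacls` tools show how integrity labels are read and assigned on a Windows host; the file and folder paths below are placeholders. One point worth seeing for yourself: the default mandatory policy is No-Write-Up (NW) only, so a Low IL process is blocked from modifying Medium IL files but can still read them unless a No-Read-Up label is explicitly set.

```powershell
# Added example, not from the original post. Placeholder paths; run in an
# elevated PowerShell if the target is outside your own profile.
$target = 'C:\Users\Public\Downloads\untrusted.pdf'   # placeholder file
$folder = 'C:\Users\Public\Downloads\LowIL'           # placeholder folder

# Integrity level of the current process (token): look for the
# "Mandatory Label\Medium Mandatory Level" (or High/Low) group line.
whoami /groups | Select-String 'Mandatory Label'

# Show the file's ACL. A file with no "Mandatory Label" line carries no
# explicit label and is treated as Medium.
icacls $target

# Label the file Low. Only the default policy NW (No-Write-Up) is applied,
# so Medium and higher processes can still read and write it, while a
# Low IL process gains write access to this file only.
icacls $target /setintegritylevel L

# Expected output line: "Mandatory Label\Low Mandatory Level:(NW)"
icacls $target

# Label a drop folder Low so files created in it inherit the label
# (OI = object inherit, CI = container inherit). This is the usual way
# to let a Low IL browser save downloads without lowering other data.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
icacls $folder /setintegritylevel '(OI)(CI)L'
icacls $folder

# Revert the single file to the default Medium label.
icacls $target /setintegritylevel M
```

Attaching a Medium IL file from a Low IL browser works because the read is permitted; only the write-back is refused, which is why Low IL download folders are the typical compromise rather than relabelling working documents.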