Coexistence among Security Apps within 'Limited User' Accounts

[Concerned User]

Quote:

Originally Posted by jclarkw

Yes, I've seen SuRun mentioned elsewhere on your site, and it sounds great. I read through the on-ReadMe file last night, however, and noticed a statement that gave me pause:

"SuRun... appends "Start as Administrator..." ...to the system menu of **every application that does not run as administrator** [emphasis mine]."

Does this imply, as it appears, that some software can be initially installed to run as administrator, independently of the privileges of the users that is logged on? If so, then (going back to my original issue with ZoneAlarm Extreme Security) why didn't ZoneAlarm just set up its software to always run as administrator, even when a Limited User is logged on?

Well, in Windows XP, you would have to log off your standard account and log in to your admin account to do admin tasks (install/uninstall programs, etc.). This is a bit of a pain.

With surun, that will be cut down a bit, for example, you try to install a program and it gives a popup saying "you require admin privileges to install this program", you can simply right click on it and choose "run as administrator" with surun. Yes, even if you're a standard user, surun can make you admin temporarily.

Not just that, it has a whole lot of other useful options. You can right click on the desktop and open the control panel as admin. You can also configure which user actually has access to surun . It gives you a "UAC" like functionality in XP.

I prepared a tutorial for surun some time back (it's a bit long!).

You could read through the entire tutorial and if interested, you could install the program.

Here:

http://www.techsupportalert.com/cont...ty-your-pc.htm


Regarding EMET, since you're on XP, it can only offer you DEP protection. However, you can give it a try since it enables DEP for programs which you select.

This is a very non-intrusive program from Microsoft. Does not interfere or bloat your system. Trying it right now in Windows 7 and it's okay.

However, as has already been mentioned, you should check whether your hardware supports DEP.

[Terarus]

Quote:

Originally Posted by jclarkw

Thanks, Terarus. If the two approaches are effectively equivalent, it appears from the Sandboxie on-line "Getting Strated" guide that SRP may be considerably less bother than Sandboxie (which I haven't bought yet -- so far only downloaded the free version). Do you agree?

There is some tweaking required for sandboxie if you want to achieve a higher level of protection but it isnt particularly troublesome nor time consuming; especially if you ask around in this forum. SPR can be annoying when you want to install or update something without having to change users everytime (though that is probably the "recommended" way) And since sandboxie has the ability to run things in a LUA environment, you can essentially just stick with an admin account and be able to update and install things faster while using sandboxie to open your browser, pdfs, documents, media etc etc etc.

SPR is free and convenient to setup - but must be implemented with LUA
Sandboxie costs a little, though you can put it on any no. of pcs u already own and can protect versions of windows that doesnt support spr (home premium) - something that you can take into account when you get new laptops/pcs in the future. And since its a lifetime licence, its a gd deal.

If so, can you guide me to a more complete descripton of setting up the recommended SRP. As mentioned to Concerned User, I cannot immediately see how to set up both sides of the recommended policy.

The instructions at mechbgon is what i'll recommend. The only thing that I needed to add when i used their method was the addition of certain programs that weren't located in Program Files and had to be manually excluded.

[jclarkw]

Quote:

Originally Posted by Concerned User

...Windows XP SP3...
I've used both MSE and Sandboxie in a LUA (XP) with great success...
I also used a program called "surun" which was like a mini UAC for Windows XP. Works great and does not bloat your system. You might want to try that...

Dear Concerned User -- I just tried adding SuRun to the above configuration as you suggested. Then Sandboxie won't run right -- complains about not being able to start its service (or perhaps it's Sandboxie that's actually causing problems for SuRun). I looked on the SuRun forums and found that Kay had proposed a solution, with the VERY disquieting additional comment, "What I don't know is if the elevated program can then break out of the sandbox." (See his reply dated 2010-03-28 in topic, "How to use Sandboxie with Surun? I have yet to search the Sandboxie forum for SuRun issues...)

I wonder if you or others on this forum have had problems of this sort and found viable solutions. -- jclarkw

[Odinbc]

One other tool to consider is, PC Tools ThreatFire. Runs in the background, low on resources, very compatible with other security solutions.

[bo.elam]

Quote:

Originally Posted by jclarkw

I just tried adding SuRun to the above configuration as you suggested. Then Sandboxie won't run right -- complains about not being able to start its service

I think post#20 has the information for what you need to do to make SBIE and Surun work well in your computer.
http://www.wilderssecurity.com/showthread.php?t=307848

I have never tried out Surun but it seems to me that doing as suggested will make SBIE and Surun compatible. Only a few programs are known to conflict with SBIE. This is a list of some of them.
http://www.sandboxie.com/index.php?KnownConflicts

Bo

[jclarkw]

Quote:

Originally Posted by bo.elam

I think post#20 has the information for what you need to do to make SBIE and Surun work well in your computer.
http://www.wilderssecurity.com/showthread.php?t=307848...

Dear bo.elam -- From that referenced post: "I have stumbled upon what appears to be a solution to that problem: in the SuRun settings, go to the "Execution Hooks" tab and click the "Blacklist" button, then add the path to "Sandboxie\Start.exe" to the blacklist. "

That sounds like the perfect solution -- much simpler than the one suggested on the SuRun forum. Thanks! I will try it and report back (eventually). -- jclarkw

[jclarkw]

P.S. to Previous Message: For what it's worth, further research on the SuRun forum has turned up a totally different solution to what appears to be the same problem here (http://forum.kay-bruns.de/thread/317). On the other hand, bo.elam's suggestion has also been advocated here (http://www.sandboxie.com/phpbb/viewtopic.…?t=9198&hi…).

Briefly, these two solutions can be summarized as follows:

1) From Kays's post:
"Sandboxie blocks the communication between SuRun and the SuRun service.
So you cannot run programs with elevated rights.
You need to set "full access" to the named pipe of SuRuns service (\Device\NamedPipe\SuperUserRun).
This ca be done in Sandboxie.ini:
OpenPipePath=\Device\NamedPipe\SuperUserRun"

2) From peterk62's post:

"...because SuRun would try to run inside the sandbox.
I have stumbled upon what appears to be a solution to that problem: in the SuRun settings, go to the "Execution Hooks" tab and click the "Blacklist" button, then add the path to "Sandboxie\Start.exe" to the blacklist."

I confess that I don't really understand the implications of either "solution." Can anyone shed any light on which would be more appropriate in what situations?

[jclarkw]

More information from Kay Bruns in response to questions of mne (see http://forum.kay-bruns.de/post/3731;nocount):

"Both options do the same for YOU, they make SuRun work with SandboxIE.
My suggestion would enable SuRun's hooks inside SandboxIE while peterk62 would prevent them to work (and to eventually be risky).
I'd suggest you use peterk62's solution...
"peterk62's suggestion is not risky, mine is, potentially, because in my suggestion SuRun gets into the game, in peterk62's SuRun is out and thus less risky."

I THINK this means that, as long as you don't want to elevate a program's privileges INSIDE SandboxIE (e.g. to install and test new software), you're better off with the simple blacklist solution.

In any case, this solution seems to work for me. Again, comments are invited. -- jclarkw

[bo.elam]

Quote:

Originally Posted by jclarkw

I confess that I don't really understand the implications of either "solution." Can anyone shed any light on which would be more appropriate in what situations?

Hi jclarkw, as I understand it, if you use Kays solution, you ll have to allow full access to the Surun service. Allowing full access to anything is kind of dangerous because you ll be allowing programs that are downloaded or installed in the sandbox to have access to files located OUTSIDE the sandbox. Thats exactly what I don't want and the main reason why I use Sandboxie. Personally, I would not allow "full access" to any file in order to get a program to work with SBIE but thats me.

If you use the blacklist solution, SBIE will do the work on its own with no interference from Surun since it wont come into play.

If it was me, I would use the blacklist solution as I am totally confident that SBIE is more than capable to handle the systems security on its own. I am running nothing but SBIE for security so my confidence on Sandboxie comes from my personal experience using the program. You should be OK by using the blacklist solution.

Bo

[Concerned User]

@ jclarkw: Like bo.elam said, the blacklist solution should work fine (it worked for me when I used surun with Windows XP). If you do face any further problems, please post back to this thread.