Malware broke through Sandboxie

Discussion in 'sandboxing & virtualization' started by RCGuy, Jul 31, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Yes, too bad. And too bad it would not work properly for some of us. I really wanted to see how it would proceed after allowing the re-direct to TCP port 8080 :(
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The second link worked for me. But, I couldn't go any further than letting AVG LinkScanner block it, though.

    I'm using a secondary laptop, because the HDD of the main one broke a few weeks ago. The secondary laptop is weak, and no chance to run VMs. :(

    I'd be interested to know what exactly would happen as well.
     
  3. x942

    x942 Guest

    I have a sample of the malware still. Attempting to run it on a clean x64 install with nothing configured or installed results in nothing. No error. Nothing. Process starts and exits immediately. Avast! only detects it as a PUP, so maybe it's a new variation or something. Either way it doesn't appear to work on x64 machines.

    RCGuy can you run an F-Secure Live CD on your machine and post what it comes out with?
     
  4. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    I have tried those links; the first does nothing. The second appears non-malicious. I think you should not make statements like "Malware broke through Sandboxie" without proof. You obviously have no concept about the program, you do not even know how to access its settings.
    You mentioned infected emails, were you running your email program sandboxed ?
    I seriously doubt your claims.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    I thought the exact same thing... that this thread title is now "out there" to be crawled by every search engine and read (often without further investigation) by people looking for info on Sandboxie.
    A more responsible thread title would have read as a question...
    Did malware break through Sandboxie?
    Maybe the OP can edit the title in the spirit of fairness.
     
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree with mick, and not knowing some Sandboxie settings by the OP makes me think email was read outside the box, just saying.
     
  7. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Can malware break through if SB is/was badly configured?
     
  8. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I think it's more likely that malware can get out at defaults, rather than a tightly restricted Sandboxie. Small holding cell vs maximum lockdown.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Badly handled, perhaps.
    If I recall correctly.... if immediate recovery is invoked (of downloaded process) and the Sandboxie user then allows the action in the subsequent popup dialog, that could be a problem.
    I am unsure if immediate or quick recovery are default settings.
    I believe immediate is not default and quick is.
    Hope I've got that right.
     
  10. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    There was also the question of whether all programs should be allowed to run in the sandbox or just certain ones. Wouldn't the safest be the default of allow all to run inside? Then if something becomes infected and an app is called to run (like Windows Media Player for eg.), it won't be outside the sandbox??
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    By default the sandbox keeps what happens within it segregated from the real OS. If a malware ran, which could be allowed, it would still remain within the sandbox without user intervention.

    User intervention would come in the form of opting to "recover" things placed at either MyDocs or Desktop, the default locations. This would not be a likely cause for infection of the real system.

    User intervention would also come in the form of special settings, such as allowing direct access. Most of the pre-existing settings SBIE includes deal with profiles for applications, like keeping bookmarks. I don't recall seeing one to choose that allows anything insecure.

    User intervention would also come in the form of the user manually choosing to "recover", but not by the default recovery assistant pop-up.

    Running the email app outside of the sandbox sounds like the most logical conclusion, but depending what version is being used, it might be the account creation bug that is a known exploit but that is also supposed to be fixed.

    It could also be, theoretically, that the malware actually exists within the sandbox and because there are no restrictions, it is free to operate almost as normal.

    But one thing is for sure, my time with SBIE has shown me that at straight up defaults, nothing should get into the real OS without the user intervening somehow.

    Sul.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    All internet-facing programs (browser, email, pdf reader, media player) should be sandboxed. Then, restrictions can/should be set inside each box that allow only certain programs to run. If no restrictions are set in the browser sandbox, for example, then everything that comes into your machine via the browser is allowed to run (in the sandbox). If, on the other hand, just chrome.exe or iexplore.exe (or whatever browser you use) is permitted in the sandbox, then a keylogger or other piece of malware cannot start (in the sandbox). Point being, until a user enters some program's name into the restrictions list, all programs are allowed to run (in the sandbox). I don't want keyloggers to run, so I only give internet and start/run access to the programs I want to run in that particular sandbox.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    The safest is to allow only the necessary apps to run. If WMP is not allowed to run and is called upon, then WMP won't do anything, as it will not start or run in or out of the sandbox. If using default settings, WMP would run inside the sandbox if called upon by malware.

    Bo
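    To make the start/run and internet restrictions from the last two posts concrete, here is an added Sandboxie.ini illustration (not from this thread, and not Sandboxie's own documentation): a box at defaults beside a box restricted to one browser. The key names and the <StartRunAccess>/<InternetAccess>/InternetAccessDevices tokens are what the 2011-era Sandboxie Control wrote as I recall them and should be treated as assumptions; chrome.exe is just the example browser.

```ini
; Added example, not from the original thread. Box names and the
; choice of chrome.exe are assumptions; key syntax assumed from
; what Sandboxie Control writes into Sandboxie.ini.

[DefaultBox]
Enabled=y
; No ProcessGroup / ClosedFilePath lines: anything launched inside
; this box (WMP, a downloaded keylogger) is allowed to start and to
; reach the network. It stays inside the box, but it runs.

[BrowserBox]
Enabled=y
; Start/Run restriction: only chrome.exe may start inside this box.
; A dropped executable or a WMP launch attempted by malware will not
; start at all, which is the behaviour Bo describes above.
ProcessGroup=<StartRunAccess>,chrome.exe
ClosedFilePath=!<StartRunAccess>,*
; Internet access restriction: only chrome.exe may open the network
; devices, so nothing else in the box can phone home.
ProcessGroup=<InternetAccess>,chrome.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
; Drop administrative rights inside the box (the "DropRights"
; setting discussed later in the thread). Installers need this
; off, which is why an install-in-sandbox box cannot be hardened
; the same way.
DropAdminRights=y
```

    The restriction list is a whitelist: until a program name appears in it, every program is allowed to run in that box, exactly as Page42 describes.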
     
  14. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,350
    99.99% chance of error in using the program.

    If the guy cannot even access the settings of the program, it may be that he ran the malware out of the box via "Fast Recovery" (I do not remember the name right) and it infected his system.

    Topic useless.
     
  15. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Not entirely useless. It's a reminder that you need to learn how to use SBIE properly, and not assume it's an 'install it and forget it' application like an anti-virus.
     
  16. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,350
    But to set it there are trillions of other threads about it.

    And, once properly configured, this is an application "install and forget".
     
  17. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    Totally disagree! For me it's a flag for users to take care that they know SBIE's settings, capabilities, and limitations. Regardless of OP's expertise, or lack thereof, with SBIE, it raises the question of whether SBIE is the silver bullet out-of-the-box that some seem to think it is or whether there is a minimum knowledge level required to get the protection you think you're getting.

    ETA: Yeah, scoobs beat me to it. Among the trillions of threads, this one stands out to me as a sanity check, at least while it's near the top of the thread list.
     
  18. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Very well said. You wouldn't give SBIE to your granny/children/[insert average computer user] and expect them to never get infected.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Why would you expect granny to trust SBIE if she did not understand what to do? It is good enough for granny, but only if she has a certain level of comprehension about SBIE.

    It is no silver-bullet unless you desire it to be, but that is true of any software. I can make it bullet-proof if I choose to. But then, I have a certain intention about what I want it to do.

    If you leave it at defaults, and understand what it will or will not do, then it is bullet-proof for its intended purpose.

    But this is all not important really, as it goes without saying that you should understand it to use it properly. More importantly, is it STILL a silver-bullet? Or, is this exploit factual, and thus threatens the users who actually know how to use SBIE?

    Sul.
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    You're definitely right that it is not a silver bullet out-of-the-box, but I question who is saying that it is?
    When I first purchased SBIE, I was overwhelmed by what I perceived to be a very steep learning curve, and I asked the developer for my money back. He refunded it, but then I relaxed a bit and decided maybe I had overreacted. ;) I took a calmer, more studied approach to it and soon determined that I could make sense of it all. Point being, there certainly was no out-of-the-box magic happening for me! :)
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    And once you took the time to learn about the software you wanted to use, and then went further and configured it for what you desired it to do -- is it now bullet-proof? Does it become something you trust so much you would like it if granny used it?

    I think SBIE is pretty easy to use, but many don't. I have set it up on many machines, and people just don't know what it will do, which seems to make them not interested in learning. Pity really, but that is the way it is. I know one guy who calls me up about once every 2-3 months with a new problem, and SBIE has been on his machine since he got it. He could have saved himself problems if he had just started the browser sandboxed, even at default settings. But, he gives it no thought, so I take his money when he offers and buy some beer.

    Maybe I am crazy to even suggest people use it, since it is hot and beer is good ;)

    Sul.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think anyone can say "I believe that malware broke out of Sandboxie" or "malware didn't break out of Sandboxie".

    As I previously told user wat0114, whatever happened is now with the gods, as there's no way of reproducing this situation.

    All I can do is give the benefit of the doubt. And I give the benefit of the doubt, having under consideration a recent past with Sandboxie. It's something I already mentioned.

    Some time ago a user mentioned at the Sandboxie forum that an application he/she installed inside Sandboxie was able to break out of Sandboxie and create a user account in the real system. I have my doubts the application's developer(s) did it purposefully.

    That report went unnoticed for a long time.

    Quite some time after, some other user came with a PoC that would purposefully exploit a bug in Sandboxie, and create a user account in the real system.

    So, sometimes, even if something wasn't developed to intentionally bypass something, it may unintentionally do it.

    And, some folks are talking about hardening Sandboxie. Yes, that's true, the sandboxes should be hardened.

    BUT, don't forget one thing... And, that thing is that one of Sandboxie's features, as stated at the official website, is:

    Source: http://www.sandboxie.com/

    Unless the application is going to be installed to user space, the user will have to install it, by giving Administrative privileges to the installer.

    As it happened before, it may happen again that due to a bug in Sandboxie, this installer will be able to break out of Sandboxie.

    It happened already folks, so let's not say that it can't. And, when it comes to installing apps in Sandboxie, there's no hardening the sandbox. DropRights doesn't come into play, as we need it disabled, and so we need to have other access available for the application to install properly inside a sandbox.

    So, a hardened sandbox doesn't really come into play, if something will break out of Sandboxie, intentionally or unintentionally. I say this, again, because it's a feature in Sandboxie.

    And, I'm not writing what I'm writing to bash Sandboxie. I'm a proud paid user. ;)

    A user related something about malware. It could have been about an application that was installed in a sandbox, but managed to break out and modify the real system, and for some reason corrupt the system, due to the application installer being buggy or even conflicting with some other application.
     
  23. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    From this thread, post #6:

    https://www.wilderssecurity.com/showthread.php?p=1842262#post1842262

    RCGuy, I don't think you should necessarily be blaming SBIE for these troubles if you are using it like this. The computer may have been loaded with malware even before this "incident" happened. Formatting was a good idea but if nothing changes in methodology the same thing could very well "happen" again.

    Trust completely no web site, including this one.

    Also I know you've heard this before, but a good imaging program would help you with these issues and save you the hassle of formatting when things go wrong.
     
    Last edited: Aug 1, 2011
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Hi Sul
    I don't think it is bullet-proof, but I feel it is stronger protection than anything else I have ever had on my machine, with the possible exception of DefenseWall... which I may go back to for a 2nd look. :)

    As for Granny, I think she would have a tough time with Sandboxie.
    I think she would not understand the pop-ups.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I know a Granny who does just fine with Sandboxie.
     