Sandbox Question?

Discussion in 'sandboxing & virtualization' started by chinook9, Jan 29, 2008.

Thread Status:
Not open for further replies.
  1. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    I am fairly sure that you do not want to continue down that road and so I will stop it here. Suffice it to say, that was a very early version of the product. I am willing to concede that there may be some unknown vulnerability that arises in SandboxIE at some time in the future. But I will not concede that vulnerabilities from the past, that have been solved, still somehow exist. The program was hardened more towards one direction - out. This vulnerability arose from within. The program no longer allows that type of exploit. In other words I guess that logic can be correct, SandboxIE was ineffective the day before it was invented. I think in terms of today and what is present bad, and what is present good, period.
     
  2. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    No one argues with this MitchE323,

    My point is well exposed in my previous posts... I am not "Downplaying" Sandboxie but I am advancing the concept that selective virtual application type systems have holes in them that will allow infections to occur given the right combination of events or circumstances... I am a perfect example of this.

    I have seen this as being true of every single technology I have ever examined, or worked with, and that is why I strongly advise having a backup scanner that can "Catch" things when the user is off guard for some reason. Unfortunately for me in the present case, even those precautions have failed (It has repeatedly worked perfectly in the past however).

    That is why I strongly stand behind having a few layers: i.e. the HIPS and other fail safes, just in case, as these have proven themselves to me much too often... Unfortunately this time it has failed... Only proving there is a need for even more "relevant" protection in combination with such technologies as sandboxes.
     
    Last edited: Feb 7, 2008
  3. Judge Dee

    Judge Dee Guest

    Bear with me please if this question has been answered in one of the many sandbox threads, but I'm a little slow.
    I download massive amounts of freeware and articles permanently onto my hard drive. It would be awful to have each one scanned online.
    Am I correct in assuming that a sandbox alone may be more for those who do most of their computing online?

    Thanks
     
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Actually yes and no...

    Sandboxes are great either way. The only problem is if you download an executable for any reason (Legit ones like a new Antivirus trial for example) it is only protected while kept within the sandbox, so as soon as you release it to the primary system it could infect your system if it happened to be malware in disguise. Or if you failed to use the sandbox under certain circumstances and activated an executable you would be unprotected.

    The sandbox does not scan it for viruses or spyware or to see if a rootkit is present... However it will contain it within the sandbox in the event you activate the executable. The problem is every user will have the need to "move" executables they downloaded from the sandbox to the primary system. There lies the issue...

    As for those who do all their transactions exclusively online... Well it would prove the ideal scenario albeit unlikely...
     
  5. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Just a correction, Mitch, the trojan was called the "Prueba" virus, and it was not breaking out of the sandbox. The way it worked was that something outside of the sandbox (SSM in this case) was pulling the virus out of the sandbox, and then SSM was executing the virus, and SSM also couldn't defend the OS from the virus either once it was executed, as Prueba seemed to bypass SSM's protections. Tzuk didn't have to fix anything though, it was SSM that had to offer an update to their product so that it wouldn't go rooting around inside another product's sandbox! Oh, and that only happened to about 3 reported people, all using SSM...

    Well, that's all fine and dandy. I don't care if you recommend using "layers", nor do I mind if you use them yourself, it is your PC and you can do whatever you want with it to keep it safe. The problem though, is that you bash other members who you feel aren't running adequate protection cause it's not set up to your liking. Then you even continue on calling these people idiots, stupid, ignorant, and that they must have this mindset as if they are invincible, all because you don't approve of their security setup?
    I'll respect your setup, but I sure as hell know you won't respect anyone else's...
     
  6. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    A lot of that depends on what these files are and what you are looking to accomplish. All of the standard methods of handling your situation are well known such as scanning and A/V protection and such. All I can add to what is already here is a couple of hopefully helpful reminders and if they fit in your scheme, then great. One thing I would mention is a setting within SandboxIE for 'ForceFolder' - you can use a sandbox like that and any exe files that you download are saved in that folder. If they start up either by you or the bad guys - they will be sandboxed. The other item I would alert you to concerns your 'articles'. I imagine they are primarily .doc and .pdf. They can open with a few things but as an example I will use Word and Foxit Reader. If you have the Word and Foxit Reader programs installed as normal but forced to run sandboxed - then all of your doc and pdf files system wide will open sandboxed. The third item I would include is that you can right-click any file and choose to 'Run Sandboxed'. It's a few options that you will need to figure out like I said - what you want to do and how you want to do it.
     
  7. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Actually I think you are speaking of yourself here, not me, my friend! :)
    Perhaps you felt challenged by some of my views, to which you then made some rather direct challenges, to which I responded. So be it!
    You attacked me, my writing and my web site without even reading it... Read back and you will see. :rolleyes: That shows ignorance.

    However I still made my point politely... I still do. You did manage to piss me off, but somehow I realized it and cooled my verbiage. I hope we can agree to disagree in a civil and respectful manner... :)
     
    Last edited: Feb 7, 2008
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    To answer your question: you won't know, that is why you need your AV to hopefully tell you. Then if you need another layer for recovery, Returnil or Shadow Defender would work. Rule of thumb, if you are not sure it is safe, it more than likely isn't.
     
  10. Judge Dee

    Judge Dee Guest

    Many thanks, MitchE323.
    Very clear answer.
     
  11. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    No, that's not it at all. You had been misinforming people about Sandboxie and how it can/does work. Then you started to get smart-alecky; after that, I then posted my first response to you, which had been a post pointing out 3 things you can do with Sandboxie to keep safe from Sandboxie, that's all, no attacks or anything. I then kept my mouth shut.
    Yet you came back, still kept misinforming people about Sandboxie, started calling other members names, getting an attitude, being impolite, fighting with that Mitch guy, dissing people's setups, etc.
    So then after 3 pages, I responded again, and it wasn't directed towards you, it was clearing up all the confusion between different members on that thread. Then you came and bashed some of the stuff I said, I then bashed what you said, and then it proceeded to where we are at today!

    I'm willing to just shut up, cause I don't really care, but you keep adding more fuel to the fire!
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The personal attacks WILL stop immediately. Period!!

    Pete
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Members, respect Peter2150's request please.

    I'll now turn this thread in a totally 360 direction to squash such useless squabble.

    I have a HD I picked up today and I challenge any file/app or anything else anyone feels can circumvent or otherwise compromise SandboxIE, if they exist, so feel free to PM me with anything you're confident in that can bypass SB.

    I have no concern if the test file ruins anything on this HD, and indeed welcome any that someone feels would expect SandboxIE to fail.

    I intend to take SandboxIE's protection to the very limits of its ability, ALONE!
    No other security apps to shore it up with. This is bare metal testing so bring anything on.

    Any takers?

    EASTER
     
  14. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    I don't really think you can come up with anything that gets out of the sandbox by itself. You'll need something outside the sandbox moving or copying it from the sandbox.
     
  15. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    It's my opinion that everything can be destroyed, even SB, but that's not the problem, it's in how far and how fast the developer can fix it. It will always be kind of a rat race to stay on top of each other.
     
  16. wat0114

    wat0114 Guest

    I'm trying a similar approach, using SSM HIPS, Sandboxie and a firewall. Last night I deliberately surfed a dangerous site with IE7 sandboxed. It was as if Sandboxie was mocking the site :D Nice little app.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Not true AFAIK, it was a conflict between SBIE and SSM, and tzuk needed to fix it. This was a good example of why running multiple real time security tools is not always a smart thing to do. Also, I'm not sure about the latest SBIE version, but v 3.00.15 can't protect against SSDT Unhookers (wiping out SBIE's hooks), seems like tzuk missed this.
     
  18. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Tell him !
     
  19. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    SandboxIE isn't designed to watch what's going on outside its sandboxes. As long as the "unhookers" aren't doing it from inside the sandbox, it's none of SandboxIE's business.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I first need to test the latest SBIE version on a "clean" VM, because currently it freezes when I run the malware, so I'm not sure if it passes or not. But the failure of the old version was proof that even SBIE is not bulletproof and could be bypassed, so basically developers need to stay on point. People need to realize that virtualization alone is not enough, at the end of the day it comes down to the behavior/attack vectors that are being monitored, as seen in this topic:

    https://www.wilderssecurity.com/showthread.php?t=197356

    Yes I know, but as soon as I select "run sandboxed", it is SBIE's business, and it should try to stop the malware from making any modifications to the real system. From what I've seen on my VM, it couldn't stop it from wiping out the hooks. A whole lot of other HIPS also failed against this technique.
     
  21. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I don't know anything about how this could happen, but maybe it has something to do with how you configure Sandboxie; maybe you give the SB app low-level access or have too many openfilepath entries on it. I guess SB will withstand anything if all paths are closed [closedpath] and thus protecting its own hooks; after all SBIE.exe and the config are outside the sandbox.
     
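    MitchE323's advice above (a 'ForceFolder' box for downloads, plus forcing Word and Foxit Reader to run sandboxed) and Huupi's point about open versus closed paths both come down to entries in Sandboxie.ini. The following box definition is an added example, not a configuration posted in this thread or shipped by the Sandboxie project; the folder paths, the box name and the Foxit executable name are assumptions, and you should substitute your own.

```ini
# Added example box for Sandboxie.ini (not from the thread or the project).
# Paths and the Foxit executable name below are assumptions.

[DownloadsBox]
Enabled=y

# ForceFolder: any program started from this folder runs sandboxed
# automatically, whether the user or a dropper launches it.
ForceFolder=C:\Downloads

# ForceProcess: normally installed programs that are always forced into
# the box, so every .doc or .pdf opened with them is sandboxed regardless
# of where the file lives on the disk.
ForceProcess=WINWORD.EXE
ForceProcess=Foxit Reader.exe

# Weak setting (shown disabled): OpenFilePath gives sandboxed programs
# direct write access to a real-system location, so a sandboxed
# download could modify the host there. Avoid this for untrusted boxes.
# OpenFilePath=C:\Documents and Settings\*\My Documents

# Tighter setting: ClosedFilePath denies sandboxed programs even read
# access to the location, so sandboxed code cannot read or copy it.
ClosedFilePath=C:\Documents and Settings\*\My Documents\Private
```

    The design point is the asymmetry the thread keeps circling: the box only contains what is started inside it, so ForceFolder and ForceProcess widen the set of things that are started inside it, while ClosedFilePath limits what a contained program can reach. An OpenFilePath entry does the opposite and should be justified case by case; once a file is copied out of the box and run on the real system, none of these entries apply to it.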
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I did a test on a drive today with SandboxIE with stealthMBR, virii.exe and a whole host of malware. Didn't matter if the drive got compromised or not because this was a purely test drive, and SandboxIE shut them all down PERIOD.

    This was without HIPS too or any other security app except firewall; it's made a firm believer of me, I'll tell you. Some of the crap I run sandboxed would have crippled and/or BSOD'd, but nothing of the sort happened, so like I said, I'm sold. Tzuk has done remarkable work on this program IMO.

    I challenge any malware or leads to them to continue to test its ability.
     
  23. wat0114

    wat0114 Guest

    Yeah, after having a third look at sandboxing (second with Sandboxie) I'm pretty much sold on it. This does not mean I will eliminate my firewall, HIPS and antivirus, but I will keep the av running as on-demand only until I see something that convinces me to do otherwise.

    Sandboxie seems especially beneficial for kids'/teens' computers where careless, care-free surfing is most likely to occur :) That said, I can see its value for other purposes such as testing software.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, this has got nothing to do with it, it looks like SBIE simply didn't protect against this technique. And I must say that it's kind of disappointing that it stayed like this for months without it being fixed, surely developers must be able to do better.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Although I enjoyed positive results trapping malware in SandboxIE and emerging unscathed, I highly subscribe to and fully support Hermescomputers' suspicions that a sandbox alone should not be counted on alone. For that matter, although Faronics' DEEP FREEZE is also most formidable itself, the fact remains we are depending on SOFTWARE, coded linking of a collection of files where, with some, if even one is adversely affected it could set off a chain of events possibly rendering our protection void.

    This is reason enough I believe to keep supporting apps grouped along with a Sandbox/Virtual program just for such a possibility. We all know too well things can happen negatively at a moment that we least expect, and even if we're equipped with a backup image to resort to, time & effort is required to rebuild or return the system back to normal operating order again.

    I could gloat over the fact I've not yet experienced a single failure with the likes of old Power Shadow 2.6, an app that's rarely made mention of anymore for a variety of reasons, but it still works as claimed for me, but then I would never consider depending on it alone; the same applies to Returnil, SandboxIE and the like in spite of their special abilities to snapshot the system and return it again back to square one on a simple reboot.

    Although I don't consider a sandbox in the same light, you make a good case in point. Once the executable is released to the system disk then it is free to interact. The only thing that concerns me is that there are coders sharp enough to fashion apps that could possibly keep themselves recognizable as safe knowing they are in the confines of a sandbox, only to carry out something malicious once they have been released from it and can write to disk.

    I know some of this seems to border on just drawing for straws, but I feel it's still worth noting nonetheless, and simply because even though the odds have grown stronger in favor of user security courtesy of these security vendors' efforts, it doesn't hurt to look over every conceivable possibility the opposite makers might attempt in an effort to regain some lost ground. And malware makers/distributors have lost considerable ground IMO over the past 2 years.
     