Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
Mr Brian, you can create and use more than one sandbox in the free version, you just can't use more than one at the same time. When you are using the free version, this allows you to create a new sandbox for sensitive browsing and restrict it more than when you are only using one and where all programs are allowed to run, connect, etc.

    But anyway, the recommended way to do sensitive browsing using Sandboxie is not to have programs running in more than one sandbox when you are doing it.

    Sandboxie control>Sandbox>Create new sandbox

    Bo
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Right. I need to use two sandboxes with programs running at the same time in order to test cross-sandbox keylogging. If someone tests this, also please list the operating system used.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
That's a no no with Sandboxie. Tzuk specifically advises not to do that. Almost at the end of this link, he said:

    "Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection."
    http://www.sandboxie.com/index.php?DetectingKeyLoggers#defend

    Bo
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Right, but I hypothesize that with Sandboxie v4.x with all default settings on Vista+ (but not XP), with Anti-Keylogger Tester 3.0 in one sandbox, and typing in Notepad in another sandbox, Anti-Keylogger Tester will be unable to keylog Notepad with any of its methods. Maybe someone can test this?
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I did some testing on my Win XP SP2 machine, and it's now 100% certain that SBIE does indeed NOT block code injection from one sandboxed process to another. It DOES block code injection to processes running outside the sandbox.

    I'm not sure if there is real risk involved with it, from what I've read, almost all banking trojans need to inject code into "Windows System" processes, besides the browser. So if you run some banking trojan inside the sandbox, it probably can not hijack the browser.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You are correct Rasheed. Sandboxie is not an antivirus, not an anti malware, not an anti anything. It is basically an isolation program. Years ago I tested against a real live and real nasty piece of malware. When run outside of Sandboxie what you saw was an immediate take over of the computer, dazzling display on the screen, no systray etc. Only recourse was to do a power reset. On reboot it became clear, that the bad guys owned your machine. Real nasty. Running inside Sandboxie, you saw exactly the same screen display, exact same loss of control, no systray to give you a chance to kill the sandbox. Again the only recourse was a power reset.... BUT on reboot the machine was completely untouched, no evidence of any malware. Delete the sandbox and that was that. THAT is the essence of Sandboxie.

    The restrictions are frosting on the cakes.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
That's exactly how I see them.....the cake being the sandbox. I said earlier in this thread :):
    Bo
     
  9. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    That's exactly how it is designed and how it was explained by Tzuk in the past many times.
    - Sandboxie protects everything outside the current sandbox from its contents, but everything inside the SAME sandbox can access each other.
    - That's why the recommendation is to use separate sandboxes and/or to empty the sandbox before critical activities and so on.

    Beside that ReadFilePath=C:\Windows\ is quite a useful setting ;)
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Can somebody please test the following in a real (i.e. non-virtual) machine on Vista or later with a sandbox having all default values:

    Notepad - not sandboxed
    Anti-Keylogger Tester - sandboxed

    My results: keys were logged on 0 of 6 keylogging tests.

    A person has privately reported to me different results than what I got.
     
    Last edited: Oct 21, 2014
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The same individual has privately reported to me that a retest in fact did get the same results as I got.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    MrBrian, let me try saying this very plainly, SO WHAT. Sbie is not an anti keylogger so testing to prove that is not just plain foolish. You are testing to prove it doesn't do something it isn't supposed to do. It's like trying to beat a dead horse to make it get up. Not happening. Give it up.
     
  13. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    He proves that it works how it should work. I find it quite nice to show how effective Sandboxie is.
    Most keyloggers which run sandboxed can't read keystrokes from the system. That is how it should work. Nice test.
    What doesn't work: some keyloggers can read keystrokes from within the same sandbox. By design.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I'm very happy MrBrian and others are testing what SBIE does as opposed to what people decide it is or should be.

    For example, people DO use Sandboxie for banking, and you'd have thought people would want to know the actual behaviour of keyloggers in those circumstances, whether inside or outside the box.

    I am also concerned about risks of user-mode malware running in the sandbox (not even needing escalation, and possibly memory only and stealth) and exfiltrating data from sensitive parts of my disk - that's exactly why I block paths to some areas and/or restrict internet access.
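Pulling SLE's ReadFilePath setting and deBoetie's path blocking and internet restriction into one dedicated box, as an added Sandboxie.ini example (constructed here, not posted by either of them and not Sandboxie's shipped defaults; the box name, the Alice/Finance paths and firefox.exe are assumptions):

```ini
; Constructed Sandboxie.ini fragment (added example, not from the thread).
; Assumes a box named "Banking" created via Sandbox > Create New Sandbox, and the
; hypothetical paths below. Run only the browser in this box: processes inside the
; SAME sandbox can still see each other, so a sandboxed keylogger here could read it.
[Banking]
Enabled=y

; Windows is visible but read-only inside the box: sandboxed code can load system
; DLLs, while any attempted write lands in the sandbox copy, not the real file.
ReadFilePath=C:\Windows\

; Sensitive data is not reachable at all from inside the box (no read, no write),
; so user-mode malware that lands in this sandbox cannot exfiltrate it.
ClosedFilePath=C:\Users\Alice\Documents\
ClosedFilePath=D:\Finance\

; Only the browser may reach the network; every other sandboxed program is cut off.
; InternetAccessDevices is the keyword the Restrictions > Internet Access dialog writes.
ClosedFilePath=!firefox.exe,InternetAccessDevices
```

In the free version only one sandbox runs at a time, which lines up with Tzuk's advice quoted above to stop all other sandboxed activity before the trusted session.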
     
  15. 142395

    142395 Guest

    I second (third?).
    Definitely "How it works" is different from "How it should work".
    Obviously what MrBrian wants to know is the former, so there's no point to accuse him IMO.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Fair enough, but a question. Do you use it without testing for yourself?
     
  17. 142395

    142395 Guest

    I tested, but it's just from my point of view and limited by my skill/knowledge.
    Others have other view, interest and background.
    Even if I never use a product in such a way, knowledge of how each product works sometimes helps me to solve unexpected issues.
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Personally I trust no application - including Sandboxie! Or people who test it. On the other hand, I use the balance of probabilities, and what seems plausible given my current knowledge. I don't see what else is possible given our time constraints.

    And I'm actually more satisfied with these sorts of reports than I am about the situation with something like Heartbleed where "we" were lulled by the "many eyes" hypothesis.

    Plus, all I'm trying to do is stack reasonably effective controls (as far as I can ascertain) to get multi-layer combining of probabilities, and avoid being low-hanging fruit.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi deBoetie

    I don't rely on tests like these, I do them myself to see if the software does what it is supposed to. SBIE wasn't hard to test, nor was Appguard. Yes it does take time, but for me it's a necessity.

    Pete
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes correct, but to clarify, I was just trying to figure out if it can be a risk in theory, pure from a technical point of view. Code injection is one of the most dangerous techniques that's used by malware. Of course you can mitigate the risk by using separate sandboxes, or by using HIPS.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Sandboxie with default settings does the following with respect to keyloggers:
    1. Blocks 100% of driver-based keyloggers in a sandbox, because Sandboxie doesn't allow installation of drivers in a sandbox. Source: http://www.sandboxie.com/index.php?DetectingKeyLoggers.
    2. In one of the scenarios (A.3) that I tested, no keylogging was allowed by any of the tested methods on one tested operating system (Win 7 x64), but these results did not hold for the other tested operating system (Win XP x86).
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I was testing Avant Browser (with Chrome engine), but it would not run sandboxed. I've also read that Google Chrome and other browsers like Opera 25 often give problems inside the sandbox.

    So I was thinking, if these problems are perhaps caused by the design of the Chrome sandbox, perhaps it's an idea to add a feature to SBIE, which will make it virtualize only the file-system and registry (perhaps also IPC). So it will leave the "usermode sandboxing" part to Chrome itself. Does this make any sense? :)

    http://www.malwaretech.com/2014/10/usermode-sandboxing.html
     
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    Are we comparing "apples to apples"? Windows 7 may have different results than Windows XP.
    Sandboxie default settings may have different results than non-default (changed) settings.

    A fair test would encompass the same settings on the same OS would it not?
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I did use the same Sandboxie settings (all defaults) on both operating systems that I tested.
     
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    You can't compare results between Windows 7 and XP because they are 2 different OSs. You can compare results individually (Windows 7 & Sandboxie) (Windows XP & Sandboxie).
     