Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Couple of thoughts here. First I am amazed at all the people that jumped on Windows 10 without giving it a chance to mature a bit. Frankly I've been playing with it for a while, and it's still a beta in my mind. A lot of people who wouldn't touch beta software jumped on. Not the smartest move in my book.

    Secondly, remember when Tzuk started SBIE, there was only 32-bit XP. Now they have to support XP through Win 10, both 32- and 64-bit. That was beyond Tzuk's ability to do. Invincea was smart: rather than try to match it, they realized it would actually be cheaper to buy Tzuk out, and SBIE is the core of their enterprise products. That alone answers the question as to why there is no good competition. Too difficult and expensive. I for one am grateful Invincea is maintaining SBIE for us little guys and working hard to make it work.

    Pete
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi Rasheed. This is why Sandboxie should not be used for testing software to figure out if the software is clean or not. Sandboxie doesn't hide itself and malware can easily tell when it's running sandboxed.

    In the past, I asked myself: why doesn't malicious software run and try to infect users when it detects that it's running sandboxed? The answer I came up with is that malware writers know that the chances of malware breaking Sandboxie's sandbox are about 0; that's why most of the time, malware in the sandbox doesn't even try to run or break the sandbox and instead becomes dormant. :D

    In all the years I've used Sandboxie, I've never seen anything that acts like malware... running. Probably, NoScript has a lot to do with that, but I am sure I must have had something malicious downloaded automatically into the sandbox at least a few times. But it never ran.

    Bo
     
    Last edited: Aug 27, 2015
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    lol in other words they got FEAR...
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This principle of not running in the sandbox is the idea of HMPA's vaccination. It makes malware think it's Sandboxed.
     
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Yep, same with many trojans!

    Which reminds me, I always intended to see if anyone had adopted this into a passive defence - choosing to simulate static features of VM/sandbox environments in order to fool malware into not running.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Correct, but a lot of malware will not check if they run sandboxed. That's why the SBIE + HIPS combo is such a great one. I always run apps first in the virtual container to see if the HIPS gives any warnings about suspicious behavior. If not, I run them on my real machine. And let's say that malware tried to fool me; then the HIPS will still alert me about dangerous behavior, and you already know for sure that you're dealing with malware.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Correct, a lot of malware will either not run correctly or not at all. Not only because they are sandbox aware, but simply because of the isolation and restrictions. Back in the day I often tested malware inside the sandbox.

    It's more because they want to make the life of malware analyzers harder. And they know the malware won't work anyway.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Can someone perhaps check if it's possible to inject code (DLL injection) from outside the sandbox, into a sandboxed browser?

    You can do it with this tool: securityxploded.com/remotedll.php

    EDIT: I currently don't use a VM, so that's why I can't do the test myself.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I might have time to try it tonight. I have to leave in a moment, but will be back later tonight.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried 3 different methods of injection, and they were all successful. I injected into Firefox.exe, which was sandboxed by Sandboxie. I verified that the DLLs were actually injected using Process Explorer. I could have tried other methods of injection, but I did not see any sense in it after the first 3 were successful. It seems Sandboxie does not prevent process injection outside the sandbox if my testing methods were correct. I don't use Sandboxie, so if I injected into the wrong process or something, then let me know.

    Edited 9/2 @4:55 pm (changed failed to successful)
     
    Last edited: Sep 2, 2015
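The verification step described in the post above (checking with Process Explorer which DLLs actually ended up inside the sandboxed firefox.exe) can be scripted so the same check is repeatable. The PowerShell below is an added example for this thread; it is not code from Sandboxie, Invincea or the tool mentioned earlier. It assumes the target process name (`firefox`, as in the test above), that the PowerShell host has the same bitness as the target (64-bit PowerShell for a 64-bit Firefox, otherwise module enumeration fails), and that "trusted" means the Windows and Program Files directories. It lists every loaded module and flags those that live outside those directories or lack a valid Authenticode signature.

```powershell
# Added example (not from the thread): list the DLLs loaded into a running process and
# flag any that sit outside the usual trusted directories or carry no valid signature.
# Assumption: the PowerShell host matches the target's bitness; otherwise .Modules throws.
param(
    [string]$ProcessName = 'firefox'   # assumption: the process used in the thread's test
)

# Directories where legitimately loaded modules normally live (adjust for your image).
$trustedRoots = @(
    "$env:SystemRoot\",
    "${env:ProgramFiles}\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -and $_ -ne '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$procs = Get-Process -Name $ProcessName -ErrorAction Stop
foreach ($p in $procs) {
    try {
        $modules = $p.Modules
    } catch {
        # Typical causes: 32-bit host inspecting a 64-bit process, or insufficient rights.
        Write-Warning "PID $($p.Id): cannot enumerate modules ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $modules) {
        $path  = $m.FileName
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $flags = @()
        if (-not (Test-TrustedPath $path)) { $flags += 'outside-trusted-dir' }
        if ($sig.Status -ne 'Valid')        { $flags += "sig:$($sig.Status)" }
        if ($flags.Count -gt 0) {
            # Emit one record per suspicious module so the output can be piped or exported.
            [pscustomobject]@{
                PID    = $p.Id
                Module = $m.ModuleName
                Path   = $path
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Flags  = ($flags -join ',')
            }
        }
    }
}
```

Two things to keep in mind when reading the output. Sandboxie's own SbieDll.dll is loaded into every sandboxed process by design, so it will appear in the module list from the Sandboxie install directory and is expected; a module loaded from a user-writable location such as a temp or download folder is the kind of entry this check is meant to surface. On older Windows releases many OS files are catalog-signed and `Get-AuthenticodeSignature` reports them as `NotSigned`, so treat the signature flag as corroboration and the path flag as the primary signal. As the thread points out, this only detects injection after the fact; it does nothing to prevent a process already running outside the sandbox from injecting.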
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Relating to injecting DLLs and other manipulation of protected applications, there is some info on their FAQ site:
    from http://www.sandboxie.com/index.php?DetectingKeyLoggers.

    from http://www.sandboxie.com/index.php?FrequentlyAskedQuestions#KeyLoggers

    Both are describing key-loggers, but the same can be said for other malware also. SBIE is not designed to protect sandboxed applications in an already compromised system.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Thanks for your testing efforts. At least now, we can put this one to bed.
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, Sandboxie does actually fully protect against all forms of keyloggers, but only when you use and tightly configure both internet access restrictions and start/run restrictions!
     
    Last edited: Sep 3, 2015
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried Sandboxie default settings when I conducted my injection test. I will see if there is anything in the settings that might prevent the process injection. I have rarely used Sandboxie so I don't remember the options available in the settings.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    From keyloggers running outside of the sandbox? So the keylogger is running outside SBIE, monitoring everything you type in an application that is run under SBIE protection, let's say Firefox. It records all keystrokes and sends them to some server. How do you think SBIE will protect against this if it doesn't have the keylogger under its supervision?
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't know of any Sandbox that will protect against any threat outside the Sandbox. If it does then it's a hybrid of other mitigation methods, and not just a sandbox. If you want to Sandbox the entire user-space then you would have to use something like AppGuard which is also an Antiexecutable.

    Edited 9/3 @1:21 pm
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Sandboxie protects the system from programs that run in the sandbox. If a computer is infected, the malware runs outside the sandbox and SBIE won't do anything about it. The key to successfully using SBIE is to install it on a computer that is clean to begin with. If you do that and run most of your programs in the sandbox all the time, SBIE will keep the computer clean; otherwise, the infection that's already in the system might even help other malware break out of the sandbox.

    Bo
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Keyloggers running outside of the sandbox. I thought the whole time that in this test the keyloggers were running inside the sandbox, my bad!
    Forget about protection then: this is a total defeat and the winners are the keyloggers.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    LOL sometimes I read so fast (and bad) I can easily get confused too.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, that is the same point I was making. I think some users expect protection outside the scope of a Sandbox.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    Uff! This is a very bad misconception from some users then. Hope users can read these previous posts of you guys.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The other huge misconception is people expect malware running in a sandbox will be prevented from running. It may not be prevented from running, but it sure will be prevented from infecting the system.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I was backing up what you were saying. And making sure new SBIE users who come to this thread understand that programs that run outside of the sandbox do not run under the supervision of Sandboxie. The results of your test were to be expected; that didn't put anything to bed (as someone else said). :)

    Bo
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Yes, sometimes I see non-Sandboxie users bashing Sandboxie because the program doesn't do what it's not supposed to do. I personally don't want Sandboxie to do more than what it does now. But that's me. :) Sometimes I feel that Tzuk tailored SBIE specially for me; I don't want more. Sandboxie works perfectly as it is now for my personal use case.

    Bo
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    You know Pete, when I first installed Sandboxie, I said I'd give it 6 months and see the results. Six months went by and nothing got infected, and then a year and two went puff, and now, almost 7 years after discovering SBIE, zero infections despite doing basically the same things and visiting the same sites as when I used to get infected.

    Bo
     