Wilders Security Forums
#1  January 29th, 2008, 09:11 PM
chinook9 (Frequent Poster; Join Date: Jan 2008; Posts: 423)
Sandbox Question?

My computers are well secured with antivirus, firewall and assorted other protections, but I am considering trying Sandboxie. One thing I'd like to understand.

If I download a file into the Sandbox (e.g. .jpeg, .mpeg, .avi, .exe), except for scanning with antivirus and antispyware, how do I confirm there is no malware in the file so I can move it out of the Sandbox and use it?

Is it feasible to just leave it in the Sandbox?

Any clarification or recommendations would be appreciated.
#2  January 29th, 2008, 09:36 PM
Peter2150 (Global Moderator; Join Date: Sep 2003; Posts: 11,805)
Re: Sandbox Question?

Quote:
Originally Posted by chinook9
One thing I'd like to understand.

If I download a file into the Sandbox (e.g. .jpeg, .mpeg, .avi, .exe), except for scanning with antivirus and antispyware, how do I confirm there is no malware in the file so I can move it out of the Sandbox and use it?

Is it feasible to just leave it in the Sandbox?

Any clarification or recommendations would be appreciated.

What you can do is invoke the file in the sandbox and observe what it does. Even if you recover the file from the sandbox, you can right-click on it and run it sandboxed.

I don't even bother with an AV/AS anymore. I do run two HIPS programs, Online Armor and System Safety Monitor. So say I download a jpg file. I'll run it sandboxed, and shouldn't expect anything from either HIPS program. Should they alert to something, I'd be very suspicious and would delete the file and empty the sandbox.

Pete
#3  January 29th, 2008, 10:11 PM
innerpeace (Very Frequent Poster; Join Date: Jan 2007; Location: Mountaineer Country; Posts: 1,940)
Re: Sandbox Question?

Hi, you could also upload the file to be scanned by online scanners. VirusTotal and Jotti are two that you could use if the file is under 10MB.

This link has more scanners listed that vary from full scans to single file scans. http://wiki.castlecops.com/Online_antivirus_scans

Edit: Please keep in mind that you may receive false positives with any scanner. Then it's a judgment call with what knowledge you have or you can submit the file for expert analysis.
__________________
XP Home SP3, Nat router, Firefox3.5, Online Armor Premium 4.5, AntiVir 9 free, Sandboxie, and Returnil RVS
Are you running vulnerable programs? Check online now with the Secunia Online Software Inspector.
#4  January 30th, 2008, 07:47 AM
demoneye (Very Frequent Poster; Join Date: Dec 2007; Location: ISRHell; Posts: 1,211)
Re: Sandbox Question?

Quote:
Originally Posted by Peter2150
What you can do is invoke the file in the sandbox and observe what it does. Even if you recover the file from the sandbox you can right click on it and run it sandboxed.

I don't even bother with an AV/AS anymore. I do run two HIPS programs, Online Armor and System Safety Monitor. So say I download a jpg file. I'll run it sandboxed, and shouldn't expect anything from either HIPS program. Should they alert to something, I'd be very suspicious and would delete the file and empty the sandbox.

Pete

I am with you on that 100%.... I haven't used an AV for ages.... not needed... I use DeepFreeze + Sandboxie (which ownz).

cheers
#5  February 6th, 2008, 12:47 AM
chinook9 (Frequent Poster; Join Date: Jan 2008; Posts: 423)
Re: Sandbox Question?

Thank you. I have Sandboxie installed and running fine.
#6  February 7th, 2008, 10:35 AM
Hermescomputers (Frequent Poster; Join Date: Jan 2006; Location: Toronto, Ontario, Canada, eh?; Posts: 939)
Re: Sandbox Question?

Quote:
Originally Posted by chinook9
My computers are well secured with antivirus, firewall and assorted other protections, but I am considering trying Sandboxie. One thing I'd like to understand.

If I download a file into the Sandbox (e.g. .jpeg, .mpeg, .avi, .exe), except for scanning with antivirus and antispyware, how do I confirm there is no malware in the file so I can move it out of the Sandbox and use it?

Is it feasible to just leave it in the Sandbox?

Any clarification or recommendations would be appreciated.

I would not just run Sandboxie by itself... Too risky.

Read this post: http://www.wilderssecurity.com/showp...2&postcount=81
__________________
--
Live Technical Support Help Desk
We Provide Online Computer Help. Our Technical Support Staff Can Fix Computer Problems, Clean Viruses, Speed Up Your Computer, Remove Spyware, and Eliminate Computer Crashes.
www.hermes-computers.ca

#7  February 7th, 2008, 01:35 PM
Terror_Eyez (Infrequent Poster; Join Date: Nov 2007; Location: Your mom's bed...; Posts: 23)
Re: Sandbox Question?

Quote:
Originally Posted by Hermescomputers
I would not just run Sandboxie by itself... Too risky.

Read this post: http://www.wilderssecurity.com/showp...2&postcount=81
So you quoted yourself? Saying that you worked on 2 systems that got infected, both of which were running multiple programs (labelled as "layering"), and the systems still got infected..
Then you said here in this quote:
http://www.wilderssecurity.com/showp...1&postcount=87
That the layering in fact didn't work, and that you are disappointed in the layering and the tools installed...
Yet you turn around and recommend layering after it was proven to fail?
Then you say that running Sandboxie alone is too risky, even though people in this thread as well as people over at Sandboxie.com run only Sandboxie, and they never get infected..?

I'll agree with Peter that Sandboxie (or any tool) in a moron's hands isn't going to do crap for you, but someone who knows what they are doing can run just one security program (like Sandboxie) and be just fine.
Hell, I've been known to run an OS without any protection, and still not get infected with anything...
You just have to know what you are doing..
#8  February 7th, 2008, 02:01 PM
Chuck57 (Very Frequent Poster; Join Date: Sep 2002; Location: New Mexico, USA; Posts: 1,358)
Re: Sandbox Question?

Quote:
Originally Posted by Terror_Eyez
So you quoted yourself? Saying that you worked on 2 systems that got infected, both of which were running multiple programs (labelled as "layering"), and the systems still got infected..
Then you said here in this quote:
http://www.wilderssecurity.com/showp...1&postcount=87
That the layering in fact didn't work, and that you are disappointed in the layering and the tools installed...
Yet you turn around and recommend layering after it was proven to fail?
Then you say that running Sandboxie alone is too risky, even though people in this thread as well as people over at Sandboxie.com run only Sandboxie, and they never get infected..?

I'll agree with Peter that Sandboxie (or any tool) in a moron's hands isn't going to do crap for you, but someone who knows what they are doing can run just one security program (like Sandboxie) and be just fine.
Hell, I've been known to run an OS without any protection, and still not get infected with anything...
You just have to know what you are doing..

I think you're right on, Terror_Eyez. I've used Sandboxie for a while now along with Returnil. I've tried other similar programs but always come back to Sandboxie and Returnil as being the best combination. Neither has ever failed me. And, DeepFreeze is always there if they do.
__________________
"If guns are outlawed, only the government will have guns. Only the police, the secret police and the military.... Only the government - and the outlaws. I intend to be among the outlaws." - Edward Abbey
#9  February 7th, 2008, 02:28 PM
Hermescomputers (Frequent Poster; Join Date: Jan 2006; Location: Toronto, Ontario, Canada, eh?; Posts: 939)
Re: Sandbox Question?

Quote:
Originally Posted by Chuck57
I think you're right on, Terror_Eyez. I've used Sandboxie for a while now along with Returnil. I've tried other similar programs but always come back to Sandboxie and Returnil as being the best combination. Neither has ever failed me. And, DeepFreeze is always there if they do.

Are both you and Terror_Eyez... missing the inconvenient truth about both Sandboxie and Returnil being on a system where we discovered an inconvenient ROOTKIT?

Hahaha...

#10  February 7th, 2008, 02:46 PM
Drew99GT (Frequent Poster; Join Date: Jun 2006; Location: Colorado Springs; Posts: 270)
Re: Sandbox Question?

Did you miss the inconvenient truth that perhaps both weren't enabled? By the looks of it, from your website and the posts you make, you deal with customers who don't know jack about computer security.
#11  February 7th, 2008, 02:55 PM
WSFuser (Incredibly Massive Poster; Join Date: Oct 2004; Location: California, USA; Posts: 10,323)
Re: Sandbox Question?

Did you see the post where EraserHW said it's probably a false positive?
#12  February 7th, 2008, 02:55 PM
Peter2150 (Global Moderator; Join Date: Sep 2003; Posts: 11,805)
Re: Sandbox Question?

Quote:
Originally Posted by Hermescomputers
Are both you and Terror_Eyez... missing the inconvenient truth about both Sandboxie and Returnil being on a system where we discovered an inconvenient ROOTKIT?

Hahaha...

Yeah, but were they being used? Returnil will protect from lots, but it has to be on. Same with Sandboxie. If you didn't set up forced programs, you could open your browsers without them being sandboxed. That's why I was curious how the machines were infected.

I've tested sandboxie against some live nasties and it contained them all.
#13  February 7th, 2008, 03:00 PM
Chuck57 (Very Frequent Poster; Join Date: Sep 2002; Location: New Mexico, USA; Posts: 1,358)
Re: Sandbox Question?

If a rootkit manages to sneak through both Sandboxie and Returnil, I'm sure on reboot DeepFreeze will take care of it when I shut down for the night.

Good point, Drew99GT. Our neighbor is a fine example. She recently purchased a Dell computer that came with Norton. It wasn't installed but the trial was available. She thought because the Norton icon was on the desktop that she was protected.
#14  February 7th, 2008, 04:04 PM
muf (Frequent Poster; Join Date: Dec 2003; Location: Manchester, England; Posts: 918)
Re: Sandbox Question?

I'm not a PC security expert, but I'm fairly clued up about things so that I can keep my PC clean. I have Sandboxie set up to alert whenever Firefox or IE are launched unsandboxed. I have to confess that a few times in the last couple of weeks I've clicked the icon on my desktop for IE and got the message that IE was launched outside the sandbox. It's easily done, and I suspect this is what your rootkitted user did. Sandboxie isn't going to stop jack if you run your browser unsandboxed.

muf
__________________
There is always a way past!
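Peter2150 (#12) and muf (#14) describe the same failure mode: the browser starts outside the sandbox because nothing forces it in, and Sandboxie then protects nothing. The fragment below is an added Sandboxie.ini example, not something posted in this thread: the box name DefaultBox and the browser executable names are assumptions, as is the parser accepting comment lines beginning with `#` (remove them if it does not).

```ini
# Added example, not from the thread. AlertProcess reproduces muf's setup:
# Sandboxie warns when one of these executables starts outside any sandbox,
# but it does not stop the unsandboxed launch. Executable names assumed.
[GlobalSettings]
AlertProcess=iexplore.exe
AlertProcess=firefox.exe

# ForceProcess is the "forced programs" setting Peter2150 refers to: every new
# instance of these executables is started inside this box automatically, so a
# desktop shortcut can no longer launch the browser unsandboxed by mistake.
# Box name assumed; use the name of the box you actually browse in.
[DefaultBox]
Enabled=y
ForceProcess=iexplore.exe
ForceProcess=firefox.exe
```

With ForceProcess in place the AlertProcess lines are redundant for those two executables; keeping the alert alone (as muf did) only tells you after the unsandboxed launch has already happened.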
#15  February 7th, 2008, 04:19 PM
LUSHER (Frequent Poster; Join Date: Feb 2007; Posts: 440)
Re: Sandbox Question?

Hmm interesting
#16  February 7th, 2008, 04:33 PM
Hermescomputers (Frequent Poster; Join Date: Jan 2006; Location: Toronto, Ontario, Canada, eh?; Posts: 939)
Re: Sandbox Question?

Quote:
Originally Posted by Peter2150
Yeah, but were they being used? Returnil will protect from lots, but it has to be on. Same with Sandboxie. If you didn't set up forced programs, you could open your browsers without them being sandboxed. That's why I was curious how the machines were infected.

I've tested sandboxie against some live nasties and it contained them all.

Actually they are both used, but obviously not all the time... Besides, many users will download something in the sandbox and scan the executable with an AV before allowing it to install in the primary system... If the AV fails, you have the stated result.

I have read somewhere that some Trojans did manage to escape Sandboxie in the past... Just not sure what it was that did... someone might want to comment on this one...

#17  February 7th, 2008, 04:35 PM
Peter2150 (Global Moderator; Join Date: Sep 2003; Posts: 11,805)
Re: Sandbox Question?

Quote:
Originally Posted by Hermescomputers

I have read somewhere that some Trojans did manage to escape Sandboxie in the past... Just not sure what it was that did... someone might want to comment on this one...

That might have been the case with a much older version, but I don't believe so recently.
#18  February 7th, 2008, 04:38 PM
Pedro (Massive Poster; Join Date: Nov 2006; Posts: 3,492)
Re: Sandbox Question?

You have to tell us what they said.
Was it SBIE free? Then what muf said is the probable answer.
If it was paid, it either was badly configured (1), the user intentionally recovered the files from the sandbox (2), or they simply feel SBIE is a hassle to use, and don't (3).

SBIE being broken is the last scenario imo.
#19  February 7th, 2008, 05:14 PM
Terror_Eyez (Infrequent Poster; Join Date: Nov 2007; Location: Your mom's bed...; Posts: 23)
Re: Sandbox Question?

Quote:
Are both you and Terror_Eyez... missing the inconvenient truth about both Sandboxie and Returnil being on a system where we discovered an inconvenient ROOTKIT?

Hahaha...
Are you missing the inconvenient truth that perhaps the people you deal with are morons <removed personal comment>, and either do not use the tool(s) they have installed, or don't have them set up correctly?
Maybe the rootkit is already there due to the fact that your articles inspired them to surf without protection, because they were falsely led to believe that their PC being set up to your standards would keep them safe?

Hahaha...

Other than that, everything else has already been said by everyone else.

Quote:
Actually they are both used, but obviously not all the time... Besides, many users will download something in the sandbox and scan the executable with an AV before allowing it to install in the primary system... If the AV fails, you have the stated result.
So now you are admitting they most likely didn't use the tool(s) all the time, and that's why they got infected!
Hahaha...

Quote:
I have read somewhere that some Trojans did manage to escape Sandboxie in the past... Just not sure what it was that did... someone might want to comment on this one...
Wrong, you're thinking of something else.
Go check Sandboxie.com, there have been no trojans breaking out of Sandboxie's protection, or is Wilders the only site you know about?

Last edited by Peter2150 : February 7th, 2008 at 05:22 PM. Reason: Removed personal swipe
#20  February 7th, 2008, 05:24 PM
Peter2150 (Global Moderator; Join Date: Sep 2003; Posts: 11,805)
Re: Sandbox Question?

Please refrain from personal comments about posters, and just discuss the subject.

Pete
#21  February 7th, 2008, 05:32 PM
Pedro (Massive Poster; Join Date: Nov 2006; Posts: 3,492)
Re: Sandbox Question?

Quote:
Originally Posted by Terror_Eyez
Wrong, you're thinking of something else.
Go check Sandboxie.com, there have been no trojans breaking out of Sandboxie's protection, or is Wilders the only site you know about?
I think there was 1 that could (with earlier version), it was discussed here somewhere. Perhaps someone can confirm.
But the problem here is how comfortable is SandboxIE for the "average" person. Education still is the no.1 tool.
#22  February 7th, 2008, 06:12 PM
MitchE323 (Regular Poster; Join Date: Nov 2007; Posts: 156)
Re: Sandbox Question?

Yes, there was one a while back. I do not like being less than complete, and I have searched within the Sandboxie forum for the thread, but I cannot find it. Sandboxie had isolated a file (something like pueblo.exe or pweblo.exe - I do not recall). But there was another security product involved with that. That 'security product' was able to yank the bad file out of the sandbox, and then the malware was able to thwart that program's quarantine. A lot of time was spent trying to figure out how that bad file was able to escape before it was realized that the weakness was actually involved with the security product and not with the bad file itself. And when that was finally discovered, the next morning's upgrade was issued and Tzuk had it fixed. I apologize for not being able to be more exact in that, but the forum is right there for anyone that wants to dig deeper.
#23  February 7th, 2008, 06:30 PM
Hermescomputers (Frequent Poster; Join Date: Jan 2006; Location: Toronto, Ontario, Canada, eh?; Posts: 939)
Re: Sandbox Question?

Aaaah.... Finally some truth... Thanks!

Now here is the kicker... you guys are saying only "relatively slow" users with the IQ of a flea on crack might have got that rootkit? Right?

Not so! One of those systems was mine, and I have an awful lot of experience with those products as I use them regularly; as a side note, I have over 15 years' experience as a technical janitor, and I must confess this one had me dumbfounded... Besides, I'm as paranoid as it gets as far as security on my system...

But please, assuming that only inexperienced idiots could get infected is obviously wrong... and oh... by the way, I make most of my income by cleaning rootkits and Trojans from infected systems where their security effectively failed... As this rather unpleasant event shows, "we" the tech types are not immune no matter how much protection or how skilled we think we are; given the right circumstances and a single moment of distraction, we can get hit just like everyone else...

I stand by my recommendations as I do not have the pretension to know anything for sure, other than eventually even the best equipped ones will still get hit.

Something to ponder!


Last edited by Hermescomputers : February 7th, 2008 at 06:50 PM.
#24  February 7th, 2008, 06:32 PM
Pedro (Massive Poster; Join Date: Nov 2006; Posts: 3,492)
Re: Sandbox Question?

Prueba? I think there was one with that name.

EDIT: http://www.wilderssecurity.com/showt...ght=prueba.exe
#25  February 7th, 2008, 06:54 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,408)
Re: Sandbox Question?

Quote:
Originally Posted by Chuck57
I think you're right on, Terror_Eyez. I've used Sandboxie for a while now along with Returnil. I've tried other similar programs but always come back to Sandboxie and Returnil as being the best combination. Neither has ever failed me. And, DeepFreeze is always there if they do.
Hmmm.... DeepFreeze and Returnil together. Not needed IMO. Either one should be sufficient.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
 

Copyright ©2002 - 2013, Wilders Security Forums