Interesting HIPS test - Delete Volume

Discussion in 'other anti-malware software' started by aigle, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi Terry, I did make an attempt or two at starting DropMyRights first, but I couldn't figure out how to do it or Sandboxie just won't run that way. I'm also not an expert at this.

    1. This is my normal way of starting a sandboxed browser and the test file. Sandboxie Control runs with admin rights while everything else limited user. With the test file, the volumes were deleted.

    "C:\Program Files\Sandboxie\Start.exe" /box:DefaultBox "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\Firefox.exe"

    2. I tried this and volumes were deleted: (substitute the test file location for firefox)

    "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Sandboxie\Start.exe" /box:DefaultBox "C:\Program Files\Mozilla Firefox\Firefox.exe"

    3. and this which didn't help: (again, substitute the test file for firefox)

    "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Sandboxie\Start.exe" "/box:DefaultBox" "C:\Program Files\Mozilla Firefox\Firefox.exe"

    4. What did work and prevented the deletion of the volumes was just starting the test file with DropMyRights.
    "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\Firefox.exe"
     
  2. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Innerpeace

My DropMyRights folder is different to yours, as below:

    TARGET

    C:\DMR\DropMyRights.exe "C:\Program Files\Mozilla Firefox\firefox.exe" /Prefetch:1

    START IN

    C:\DMR

In addition, mine looks to be set up differently to yours even if you ignore the DMR folder location. Do you think it's worth a try this way?

PS: you need Sandboxie set up so that Firefox launches automatically when you click on the Firefox icon. This way DMR launches first.

    Terry
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Online Armor passed the test - sweet!
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Nope, Windows limited account passed the trick, since all OA's Run Safer does is to invoke reduced rights for that file. OA's HIPS did nothing to stop this test, and I doubt they can either.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
@ Nebulus, I meant the technique used by this POC, not the POC itself, which seems to be annoying but harmless. But I'm not sure why I got to see an alert about svchost.exe trying to modify stuff. BTW, on my real machine, when I run it with DMR, it crashes and isn't able to unmount the drives.
     
  6. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi Terry,

    I'm not sure that the location of DropMyRights.exe really matters. Yours is in C: while mine is in program files. I'm also not sure about what the /Prefetch:1 does. I could try a little more experimenting.

I just thought of something. Sandboxie has a service that can start with Windows or manually when you first start a sandboxed program. This could be why Sandboxie won't start as a LU. Somebody would have to provide more info as I'm not that familiar with LUAs and services.
     
  7. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

Interesting. Just wondering, have you tried this Death virus with SafeSpace? Does SafeSpace block it?

Because this is two now that I know of that Sandboxie fails with: Delete Volume and Death.exe.
     
  8. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
Just a fast question: is this key HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\* the only one that has to be added to Comodo's FW v3 protected registry, or are there a number of keys?
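Since the test's visible effect is a change to HKLM\SYSTEM\MountedDevices (the key named in the post above), a defender can snapshot that key before a test and diff it afterwards to see exactly which drive-letter or volume entries were removed or altered. This is an added PowerShell example, not code from the thread or from any product discussed in it; the function names and the sample snapshot values are constructed for illustration.

```powershell
# Snapshot HKLM\SYSTEM\MountedDevices (REG_BINARY values keyed by
# \DosDevices\X: and \??\Volume{GUID} names) as a name -> hex-string table.
function Get-MountedDevicesSnapshot {
    $key = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
    $snap = @{}
    foreach ($name in $key.GetValueNames()) {
        $bytes = [byte[]]$key.GetValue($name)
        $snap[$name] = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    return $snap
}

# Compare two snapshots; returns removed, added and changed value names so a
# "Delete Volume" style test (or real malware) that strips mount points shows up.
function Compare-MountedDevicesSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $result = [ordered]@{ Removed = @(); Added = @(); Changed = @() }
    foreach ($name in $Before.Keys) {
        if (-not $After.ContainsKey($name)) { $result.Removed += $name }
        elseif ($After[$name] -ne $Before[$name]) { $result.Changed += $name }
    }
    foreach ($name in $After.Keys) {
        if (-not $Before.ContainsKey($name)) { $result.Added += $name }
    }
    return $result
}

# Constructed sample (hypothetical values, not read from a real machine):
# after the test the E: drive-letter entry is gone and one volume GUID entry
# has been overwritten.
$before = @{
    '\DosDevices\C:'                                   = 'dc02000000001000'
    '\DosDevices\E:'                                   = 'dc02000000002000'
    '\??\Volume{11111111-2222-3333-4444-555555555555}' = 'dc02000000002000'
}
$after = @{
    '\DosDevices\C:'                                   = 'dc02000000001000'
    '\??\Volume{11111111-2222-3333-4444-555555555555}' = '0000000000000000'
}
$diff = Compare-MountedDevicesSnapshot -Before $before -After $after
$diff.Removed | ForEach-Object { "REMOVED: $_" }
$diff.Changed | ForEach-Object { "CHANGED: $_" }

# Live use (run elevated, once before and once after a HIPS test):
#   $b = Get-MountedDevicesSnapshot; <run the test>; $a = Get-MountedDevicesSnapshot
#   Compare-MountedDevicesSnapshot -Before $b -After $a
```

Exporting the key with `reg export HKLM\SYSTEM\MountedDevices backup.reg` before the test gives a file you can re-import if the entries are really gone afterwards.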
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
I can't test SafeSpace because I don't have that one. I am however looking more deeply into what I thought was an outdated virus, whether or not it is indeed a file infector, because a curious thought just cropped up for me over my test with it. Suppose a virus dropper had a way to infect only CHKDSK so that whenever the system runs it (like in my case, CHKDSK always wants to run when a new USB removable pen drive or a slave drive is hooked up), then CHKDSK would proceed to corrupt the entire file system.

Scary thought, but it seems now that's exactly what I experienced, because I recall walking away from the PC on a reboot after I added a slave drive and when I got back CHKDSK was in full swing. Even though I aborted it, afterwards that storage slave drive was a completely scrambled mess. o_O
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I don't see chkdsk running each time on a new USB pen drive. If it's happening on your system then something might be wrong with your system.

Also it was your mistake to abort chkdsk. Why should one do this?

BTW, can you PM me the virus you said was able to break through SBIE? To be honest, I don't believe so.
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
Regardless, I still have all the faith in Sandboxie.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
I made a record of this corruption only a few days ago. Mind you, this happened to the slave drive, which is non-bootable and whose only purpose is for storage and moving apps in and out of it.

This is the result of what I found shortly after running the virus sample and also after a reboot whereby CHKDSK was run automatically. Anyone ever experience this before? Needless to say, for safety I deleted and then wiped that volume with DoD overwrites times 3 with verification.

    This caught me completely by surprise. Executables were renamed and affected too, not just folders.
     

    Attached Files:

    • 22.jpg
  13. Tidyup

    Tidyup Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    101
    Easter can you PM me with a link to the Death.exe malware, and I'll test SafeSpace against it?

    Thanks.

    Kris.
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The author of Sandboxie has released a beta that should cover this exploit.
    Quote tzuk:
    SB forum link to exe
     
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
I realise you made this post a couple of weeks ago but I've just seen this thread.

Because EQSecure didn't have that reg key set by default, EQSecure in reality failed this test, because had this test been a real virus then it would have stuffed up your PC.

The idea of these tests should be to see if your current security setup passes the test in the first place without making modifications afterwards to make it pass, because we don't have that luxury of being able to make modifications when it comes to real malware.
     
    Last edited: Mar 30, 2008
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Yeah, I know.

It's always like the dog chasing after a new cat in the hood. Until one shows up they just go about their normal routine not knowing a thing.

I think for a fully free coverage classical HIPS that EQS is pretty strong ONLY as long as all bases/areas are covered, but like any other software security program there remain gaps yet undiscovered. That's just a fact of reality every program user had better expect, and is a chief reason to keep handy backup images in case of disaster or other corruption.

Personally I use FD-ISR snapshots, so even if something did evade capture to plow right through all front-line defenses and into FD-ISR itself, like I've already tested on myself before with a mean gene file infector, it was no time at all to return again back to zero with a clean system state and everything 100% intact.

    It's the classic Layered Approach that prevents against total destruction.
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
Did you or anyone else end up testing Death inside SafeSpace?
     
  18. Tidyup

    Tidyup Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    101
I've not been able to get hold of it.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I tried death.exe against GesWall and CFP, nothing unusual. It could not escape anywhere. I am sure it can't escape SafeSpace.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    aigle,
    What does death.exe do? Is it a file infector?
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
I just tried SafeSpace for the first time and it's not as good as I thought. Browsing has become much slower, Firefox 3 is hopelessly slow (they are not compatible), the KeyScrambler plugin no longer works, and Ad Muncher doesn't work inside SafeSpace, so I've gone straight back to Sandboxie.

It's a pity Easter found that Sandboxie doesn't stop Death.
Can anyone else confirm that Sandboxie doesn't stop Death?

Also, Easter, have you tried Death inside the new EQSecure sandbox program?
Because I would hate to think that Death bypasses Sandboxie and EQSecure.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm afraid it bypasses software completely.
    Unless it runs on health care computers..
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Tidyup

Please check your PM.

    EASTER
     
  24. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
Please PM it to me as well, I have another hard disk for testing.
     