Interesting HIPS test- Delete Volume

Discussion in 'other anti-malware software' started by aigle, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for the samples Easter.

    Robodog wouldn't or couldn't run Sandboxed.

    Death.exe did start sandboxed, which seemed to be contained. I terminated it after about 10 meg of data was created.

    Also ran everything else in the samples with all of them either not being able to run sandboxed or contained.

    Deleted the sandbox and everything seemed fine. Sandboxie Beta ver 3.25.02.
    Attachment: Death-exe.jpg
     
  2. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Thanks Franklin :thumb:
    Also updated to the latest, waiting for the next weakness. No problem with tzuk at your fingertips.
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Thanks easter for the download link.

    Tried it on my other old hard disk. The ones Sandboxie was unable to block, EQSecure blocked them all. Also, Antivir nails them with that enabled. I guess this is why we have multiple security layers, so if Sandboxie fails then either your HIPS or AV blocks them.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I ran DeleteVolume too, but I unfroze my system partition first to have a normal computer.

    Test-1
    1. During unzipping Online Armor Free Firewall gave me a warning with the choice "Allow" or "Block".
    2. So I clicked on "Block" and that was the end of Test-1. Nothing happened.

    Test-2 : Online Armor Free Firewall = disabled.
    1. During unzipping Anti-Executable gave me a warning without a choice, which means "Block".
    2. That was the end of Test-2. Nothing happened.

    Test-3 : Online Armor Free Firewall = disabled and Anti-Executable = disabled
    1. During unzipping there was no warning anymore, so I clicked on DeleteVolume.exe.
    2. After that all volumes disappeared (A, D and F), except C.
    3. After reboot, the same situation. Time for a valium pill and Plan B.

    Plan B : Volumes A, D and F are still gone, except C.
    1. I opened FDISR and clicked on "Freeze Previous", which refreezes my system partition in a previous state and rebooted.
    2. All volumes are back to normal. So Plan C and Plan D weren't necessary.
    End of Tests (EOT)

    In this case plan B (= boot-to-restore) fixed the situation, which surprised me.
    KillDisk cannot be fixed with plan B and requires Plan C+ (Plan C is not enough) or Plan D+.
    I don't have KillDisk to test it myself. The same for Robodog.

    I can imagine that many average users would keep on staring at their screen for a long time, when all volumes are gone, except C. No diskette drive, no CD drive and in my case no second HDD anymore, which is a real panic situation.
     
    Last edited: Apr 1, 2008
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I would have kept Online Armor and Anti-Executable going and clicked allow to unzip, and then clicked on DeleteVolume.exe to see if Online Armor or Anti-Executable would have given you another popup warning when DeleteVolume.exe was being executed.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    There is no DeleteVolume.exe (only .zip) when OA or AE is active. The .zip file is not unzipped, so no deletevolume.exe either; only the unzip folder was created, but it was empty.
    AE never allows an unzipped, unauthorized executable (good or bad) to run, at least not on HIGH security.
     
    Last edited: Apr 1, 2008
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    arran, I found that Sandboxie blocked them all from accessing the real system, and for those that did run sandboxed it was a simple matter of terminating all processes then deleting the contents.

    Which ones did you find that bypassed SB?
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think there was none like that.
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    When I tested Death inside Sandboxie, EQSecure kept on prompting me to block most of them; I can't remember which ones. But if EQSecure had to come into action, wouldn't this mean that Sandboxie wasn't doing its job?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No, you are interpreting it wrong.

    EQS will prompt even on many actions that are contained inside SBIE.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Don't remember exactly now, not a file infector though. It creates executables in the Windows system32 folder which in turn execute to carry out other malicious actions etc.
     
    Last edited: Apr 1, 2008
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So it's a dropper.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,601
    Location:
    The Netherlands
    Hi EASTER,

    Sorry for the late reply, but I have checked it out, and I also didn't see the behavior that you described. death.exe didn't manage to escape the sandbox, and I didn't even see it modifying files, so I'm not sure if this is in fact a file infector.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    BTW, I just remember that I did get an alert that it was modifying an exe on my non-OS partition, but the exe was not in fact modified, as I checked later, so I am not sure whether it's a file infector or not.

    Easter! What were your findings about this?
     
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Well, my EQS prompts said that it was trying to modify files which are located outside of Sandboxie.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, but the file will not in fact be modified, due to SBIE.
     
    Last edited: Apr 4, 2008
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I've since updated SandboxIE with tzuk's latest release and not experienced any similar problems, BUT, I can attest to the fact from real experience that when I ran Death (Run Sandboxed) and then also clicked Supervise.exe I was totally unaware anything had penetrated my non-O/S partition. At the time it looked as if everything was under control, but on later review I noticed some .exe's on that partition that were obviously corrupted, since their icons took on a faded look. I further found that when I clicked those "infected" exe's to further examine any malicious behavior, it was like they also were launching Supervise or at least calling on it.

    For me that's pretty certain a file infector is in play here.

    I'll look into this further, because there's more to it than meets the eye or what shows up at Jotti or VirusTotal, I suspect.
    I would also suggest some solid proof of this from anyone who might know better how to investigate these types of malicious code infestations.
     
    Last edited: Apr 4, 2008
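The "is it a file infector or not" question that the last several posts circle around can be settled with a before/after integrity check rather than by looking at faded icons. The script below is an added example, not code from the thread or from any of the products mentioned: it hashes every executable under a test partition before running a sample, hashes again afterwards, and reports what was modified, dropped or deleted. The directory layout and file contents in `demo()` are constructed; point `snapshot()` at the real non-OS partition instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a file infector typically targets; extend as needed.
EXEC_EXTS = (".exe", ".dll", ".scr", ".sys")

def sha256_of(path: Path) -> str:
    """Stream the file so large executables don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative path -> (size, sha256) for every executable below root."""
    return {
        p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXEC_EXTS
    }

def compare(before: dict, after: dict) -> dict:
    """Classify each path: modified (same path, different size/hash), added, removed."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }

def demo() -> dict:
    """Constructed scenario (a temp dir, not a real partition): two clean executables,
    then one gets code appended the way a file infector would, and one file is dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        for name in ("clean.exe", "victim.exe"):
            (root / "tools" / name).write_bytes(b"MZ" + b"\x00" * 64)
        before = snapshot(root)            # baseline, taken before running the sample
        with (root / "tools" / "victim.exe").open("ab") as f:
            f.write(b"\xcc" * 16)          # simulated appended infector code
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x90" * 8)  # simulated dropper output
        after = snapshot(root)             # taken after the sample ran
        return compare(before, after)

if __name__ == "__main__":
    print(demo())
```

Take the baseline from a known-clean state (for instance right after an FD-ISR restore) and the second snapshot after the sample has run; a sandboxed run that Sandboxie actually contained will show an empty "modified" list even if the HIPS prompted about writes outside the sandbox.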
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    A more or less destructive virus, which is indeed a file infector but one that I have witnessed NOD32 clean with a high percentage of success, is the Parite virus. But as with any destructive virus, should anyone decide to research it, then first prepare an alternate HD to conduct your tests, not a production environment, because of their unpredictability. There are several samples available at the offensivecomputing database, but I think if any or all of our security programs can effectively neutralize such an infector minus any AV at all, that might better show the differences between the POWER of HIPS compared to other security apps.
     