Is there malware that can beat sandbox programs?

I have played with sandboxie in the early days. Like GeSWall, DefenseWall those occasional bypasses, never forced me to restore an image. There are bypasses where you can touch thing swhich should not be possible and there are bypasses where you own the system. I can't recall any of the latter (with DW or SBIE).

Regards Kees

 

I have been trying to be infected going to malwaredomainlist and loading many of the latest malware there. Everytime I shut down sandboxie, everything that as been loading has been deleted.

I like sandboxie and I will keep it. The one ting that I am not sure about is if I should stick with MSSE or move to a security suite with a firewall. I am using my computer on different networks(wireless) and I am thinking maybe I should have a firewall. But this is probably something to discuss on another thread!

Cheers guys!

 

How about you post any findings like these on the Sandboxie site forum where you will not be banned but appreciated for alerting helping Tzuk find any holes in his program. Otherwise dont post baseless acqusations without your specific type of proof. The case could be that you forgot to run your browser sandboxied etc.

Sure Sandboxie has been bypassed before, but that was due to it letting a type of sandboxed program requests slide (ones concerning shared service memory if I recall) Also you keep talking about how an annoying joke program "supposedly bypassed" SBIE, well it doesn't modify files or the registry outside. It also doesn't inject code. Anyways, this annoyance has been mitigated in the current Beta release of Sandboxie. Bear in mind guys that this all one developer's work and this is a beast of a program that provide VM grade security, - if not even more

 

Subgud this is by far a great technique you are using to test Sandboxie's capabilities against malware in general and specifically drive bys. But I gotta ask, do you have start/run restriction enforced or not? If your mission is to test this software then try having your browsing session done in a defaultbox which should still block anything. If you ever find a breach be sure to let us know at http://sandboxie.com/phpbb/

 

i never said anything about a joke program
if it happens again i'll put it in sandboxie forum
browser was sandboxed as it is now
you want proof a link would be against the tos
call it a baseless accusation if you want but it ain't
it is what happened to me
like it or lump it
i still use sandboxie + returnil2008

 

Yea I meant the former, where you restrict the sandbox to only running your browser for example.

 

Imho, the question should never be if it can be bypassed, but how likely is it to be. The answer to question number one is, yes, it can. Everything can be bypassed. Just because there is no Proof of Concept, doesn't mean it can't. However, that leads us to question two, being how likely is it to be bypassed. That answer is, very unlikely.

Malware can't just "show up" and own your system, there have to be open windows for malware to climb through, be that un-patched browser holes/improper settings, downloading files and running them without scanning them with a good security program first, in which case you deserve to be infected, and lack of any security on the system.

If you close all the windows, you're 99% safe, never 100%. The reason for that is simple, the fight between the good guys and bad guys is never-ending. Sometimes the bad guys get the upper hand, it's called life and as long as imperfect humans create anything, there will always be that slight risk. Secure your system as best you can, and go sleep peacefully.

 

Hi!

When I tested it, I used internet explorer 8 in a default sandbox and with default settings. I have not tweaked sandboxie in any way. And that is what is so nice about it. Using it straight out of the box and it is really good. The only thing I have done with sandboxie is that I force IE8 and Chrome to run in the default sandbox.

I must say that I am not a tester in any way. My data skills are far from that point. I tested this for my own knowledge and understanding.

 

in that way u achieve less protection (maybe 85%), u must tweak SB (which is easy when u learn how) in order to make it 99.999999%

 

I dont know how to tweak sandboxie. I only know how to use it with default settings. Is there a easy way to tweak it?

 

It's easy enough to tweak Sandboxie.Just open up the SBIE control panel,click on the 'sandbox' tab,highlight the sandbox you wish to modify and click 'Sandbox Settings'

You'll then see the screen pictured where you can adjust numerous settings.

 

I have been making some adjustments to the settings. Not much though. Forcing all browser to run sandboxed, deleting the content of the sandbox when shutdown.

I dont see anything else I should "tweak". But I dont know more than that.

 

Take a look here ; a number of optimising threads listed

 

Do you mean you only have sandboxie and MSE, no av firewall etc?

 

In regard to sandboxie, when I come across an MPG file I want to download, sandboxie doesn't give me an option to save it in the sandbox. It only opens a window where I have to select C:/users/mozart/downloads

So how do I tell sandboxie to save files inside itself?

 

I'm not sure I follow exactly what you mean because any file that you download from a sandboxed browser will be automatically sandboxed itself unless you choose to recover it to one of the designated locations.

 

Ok let me give an example.. When browsing through IE sandboxie, and I visit a website which has an MPG file. I need to right click on that file and choose "Save as". So I then need to scroll to the C:/Sandboxie/ folder and save it, right?

Isn't there a way to tell Sandboxie to automatically save everything into the Sandbox?

 

If you want to know how Sandboxie works there is a
lot of information on the Sandboxie site.

I get the feeling that you are thinking it works differently than it does.

Go through the Help file slowly

Main page
http://www.sandboxie.com/

Forum
http://www.sandboxie.com/phpbb/

Help
http://www.sandboxie.com/index.php?HelpTopics

 

The point is that anything you download using a sandboxed browser will be automatically saved within that sandbox unless recovered to an area designated in the settings or by manually recovering it.All disk writes will be redirected to the sandbox.

 

Hi Mozart. If you are in a sandboxed session, then everything you do while in that session, including copying a jpg image or downloading a file, is automatically sandboxed (unless you have changed that sandbox's default setting to permit direct or full access to part of your real system). When you click "Save as" (while sandboxed) and then select the location to save the file, it is being saved to a virtual version of that location. You don't have to scroll to the C:/Sandboxie folder to save the file in a sandbox.

Example:

The below picture is on How To Geek's web site. If I am browsing that web site while sandboxed and want to save that picture, I will right click it and select Save Picture As.



As a practice, I save all such downloads to my desktop, so that's what I select next, as shown here.


But bear in mind, since I'm sandboxed, the picture is being saved to a virtual version of desktop...not my real one.

Immediately after clicking Save, Sandboxie will issue a pop-up asking if I want to recover the file (picture) to my real desktop. I can choose to do so, or I can choose not to, depending on whether I believe the file to be safe. If in doubt, I usually decline the recover option and then upload the file from the sandbox to VirusTotal to be scanned. Then I can more confidently recover the file my real desktop after the scan if it all checks out clean.

 

That's very true but in my experience many of these reported breaches are not quite as they seem when scrutinized.They're often the result of an artificial set of circumstances that wouldn't be replicated in the real world.

That's not to say that these products are 100% safe,they're not of course.After all they're just code and code can contain flaws.The writers think they have every eventuality covered but that's only until some enterprising individual discovers a new method of infection,not previously thought of.

In practical terms these products do offer close to complete protection simply because there isn't a huge market for such groundbreaking malware.The bad guys go for the highest profits and the easiest targets as illustrated by the huge rogue explosion where no great innovations are required,just a suficient number of people willing to install them by their own volition.

 

Great post Doodler, now I understand. Thanks.

BTW, does anyone know if I decide to save a MPG file to my REAL desktop, can an infection from the sandboxie "jump out" of the sandbox into my real desktop? Or it just saves the MPG and MPG files cannot contain any virus or malware can it? I then play the MPG files with VLC, can it release an infection if the MPG file is infected?

 

Yep, that makes sense, thanks Peter.

 

FYI, the DW bypass that you are referring to that was reported on 1-15-10 at Kafan has been fixed by Ilya several hours ago.

It has been my personal experience that security applications such as HIPS, behavioral anti-malware, sandboxes and virtual programs receive the bulk of scrutiny by way of penetration testing for good or bad intentions. Not surprisingly, the more public or private testers and/or regular users that a particular security application has naturally results in the quicker uncovering of vulnerabilities. In the end, the most important thing is that the developer addresses these issues in a timely manner. To that end, Ilya of DW and Tzuk of Sbie can be commended for their efforts.


Peace & Gratitude,

CogitoErgoSum