MBR rootkit under a sandbox + Returnil

Discussion in 'Returnil releases' started by lolpop, Jul 22, 2010.

Thread Status:
Not open for further replies.
  1. lolpop

    lolpop Registered Member

    Joined:
    Jul 15, 2010
    Posts:
    9
    I wonder if an MBR rootkit is executed in a sandbox program like Sandboxie,
    will it bypass Returnil or not?

    I don't have any sample of MBR rootkits so I can't try it out by myself.
     
    lolpop, Jul 22, 2010
    #1
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    RVS/RSS all include MBR protection that is activated automatically when you turn on the virtualization.

    Mike
     
    Coldmoon, Jul 23, 2010
    #2
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It won't even escape Sandboxie let alone bypass RVS ;)
     
    andyman35, Jul 23, 2010
    #3
  4. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    These screenies show RSS 2011 detecting Eicar and Trojan Simulator still in Sandboxie's sandbox:
     

    Attached Files:

    Dark Star 72, Jul 23, 2010
    #4
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Empty your sandbox then, Returnil has a built-in antivirus.

    Edit:
    Actually one of them points to a .part temporary file used by most browsers. It's not executable unless you change the file extension.
     
    J_L, Jul 23, 2010
    #5
  6. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    You mean one of those .ex files? :p
     
    cheater87, Jul 26, 2010
    #6
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...