MD's File and Folder rules an alternative to sandboxie?

Discussion in 'other anti-malware software' started by arran, May 21, 2009.

Thread Status:
Not open for further replies.
  1. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    It is the same for all types of security softwares.

    No, you are supposed to allow the execution alert. If the HIPS throws up consequent alerts, it means that the test was passed, if not, then it failed.
     
  2. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Read up the "Some Tests" thread. Sandboxie fails all the POCs listed in that thread.
     
  3. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    As ssj100 said, Sandboxie won't help you if a safe application is hijacked by malware. Whereas a HIPS would detect such alterations by doing file signature checks.
     
    Last edited: May 27, 2009
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I participated in that thread. Sandboxie's virtualization was not compromised. What was written to disk? What change persisted in the OS after a system reboot?
     
  5. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    The tests weren't written to write something to the disk, nor were they written to make permanent changes to the OS. They were written to freeze the explorer, lock the mouse etc. and that is what they managed to do.
     
  6. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    All that is unrelated to the fact that Sandboxie is bypassed.

    The only question that needs to be answered is whether the malware needs to communicate with the real system to do what it does.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    And when did they manage to do that?

    When they were allowed to execute when using a HIPS, or when using a default-settings sandbox?
    https://www.wilderssecurity.com/showpost.php?p=1458628&postcount=11
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    My deny SRP also protects me from it: Not true, it just prevents me from coming into that situation. DefenseWall 2.55 protects against it out of the box, no hassle. That is clear, starting to discuss settings and the actual harm done, that is fuzzy.
     
  9. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I did not get your question. Are you saying that Sandboxie was able to block the execution and hence it passed?

    OK, so you are saying you run a test by not allowing it to run?

    About the HIPS applications which were tested against the same files, yes, they failed too. But all those applications were patched by their respective developers, so they don't fail anymore.
     
  10. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I agree there. Nothing gets you closer to 100% security than an anti-executable type app. I always felt that anything more than an AE + firewall = for "just in case" scenarios.
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Sandboxie didn't need patching, with the POCs being blocked with available settings that have been there for a long time.
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Answered by PM.

    What specifically is utter nonsense?

    I didn't say that, where did I say that? Given MD's wide range of areas it covers I can't see why it wouldn't be able to control their behavior. PM me your droppers as well.

    Hmm, I don't have enough time atm to quote all the other posts, so I will keep it brief.

    metalforlife is 100 percent CORRECT when he says "The tests weren't written to write something to the disk, nor were they written to make permanent changes to the OS. They were written to freeze the explorer, lock the mouse etc. and that is what they managed to do."

    Fact remains that programs running in Sandboxie can communicate outside of the sandbox and shut down your PC. PERIOD

    Think about it logically: all malware needs to do is communicate outside of the sandbox, give instructions to another program like a browser, and tell it to connect to a remote server to download more malware, which will be downloaded OUTSIDE of the sandbox.

    There are some people here finding it hard to accept this reality.

    This is the reason why I use Defense Wall instead.

    If only I had a sample of that virus I got a few years ago which caused my PC to keep on shutting down every time I booted up, going round and round endlessly in circles.

    ssj100, I notice that you have been contradicting yourself by saying

    "I like to test and play around with a lot of stuff inside sandboxie" and at the same time you are saying that you shouldn't let anything unknown run in Sandboxie.

    EDIT

    Also, like I said before, according to MD's logs FF is able to create files outside of the sandbox when running in the sandbox. And with the registry test that we talked about in the "Some Tests" thread there were 1 or 2 persons claiming on the Sandboxie forums that the registry test was able to modify registry keys outside of the sandbox, so using MD and some registry tools I am going to investigate this.
     
    Last edited: May 27, 2009
  13. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    @ arran wrote

    "Fact remains that programs running in sandboxie can communicate outside of the sand box and shut down your pc. PERIOD

    Think about it logically all malware needs to do is communicate outside of the sandbox give instructions to another program like a browser and tell it to connect to a remote server to download more Malware which will be downloaded OUTSIDE of the sandbox."


    yoo yoo :mad: u aren't on "listen mode" man, u just need to configure your SB correctly, like allow only FF to run + allow only FF to axx net!
    so how can u get any server hijack installed man o_O
    how can it communicate with net if FF is the ONLY one ALLOWED TO AXX NET o_O

    better drop all this lamest and read in SB forum how to deal with SB before spreading stupid things like u do for some time on SB :mad:
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    no u don't understand. I was only using the browser as an example, it could be ANY program outside of the sandbox.

    For example.

    You configure Sandboxie so that FF is forced to run inside the sandbox and that only FF can axx the net. Right, so that's all good, this is what most people would do.

    BUT what if the malware gives instructions to another program that has not been configured to forcibly run in Sandboxie??
     
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    So going by this it would be fair to say that it is not safe to run anything unknown inside Sandboxie, that it is better to stop it from getting in and running in the first place.
     
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    1 - I PM'd you quite a few samples to test, now can you give me just that one virus from years ago that bypassed Sandboxie and infected the real system. If not then it stays as utter nonsense.

    2 - No I won't PM the droppers but I will PM you an exe that drops heaps and see how you go harvesting them all, and no cheating in using Sandboxie..

    3 - Think about it logically o_O Anything communicated from within the sandbox, and if a download or a call for your browser to start, stays in the sandbox.
    Sheeeessshhhh, like pulling teeth!!!
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Again, it is not safe to TEST RUN anything inside Sandboxie, so yes you are right,
    best not to let anything unknown run at all in the sandbox.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ya fell off a certain make of bicycle because you had no idea how to ride it, now you're telling everyone not to ride that kind of bike, mainly due to your own ineptitude.
     
  19. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I confess to never having tried MD so I'm not really in a position to form an opinion on the usability of your ruleset, my comment on it being overly restrictive was in the terms of an average user. For the technically minded it may well not have a negative impact on functionality. I myself have partly gone down your route by configuring permissions in Defence+ and Mamutu, but it was quite time consuming (good job I have no social life lol).
     
  20. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    what "other program" ??

    what u configure under SB will run under it, what will happen if a malware tries to format your pc? or whatever he does... what has that to do with SB?? use anti virus for total system protection! SB is for what u set, not a general pc anti malware protection ....
    most malware comes from the net, i hope u agree on that, so if u set SB restricted (and smart) like i explained shortly above, the malware will never come out from SB "fault", only from your own fault, what we call human mistake

    cheers
     
  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    There seems to be some confusion as to how SBIE actually works. If we assume that it's been correctly configured, for example only Firefox to run, if FF is somehow hijacked and is able to communicate outside of the sandbox by utilising a method not covered by SBIE, the newly compromised Firefox is still only able to operate within the rules of the original Firefox that have been pre-configured (file access, read/write permissions etc). Even though the sandboxed infected FF has partially bypassed SBIE it is still running from a virtualised state, it can't make FF non-sandboxed. At the very worst the malware could perform a few limited functions but still be unable to cause real damage to the system.
     
    Last edited: May 27, 2009
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Until you provide specifics the answer is no.

    Note that Sandboxie is not intended to intervene with malware unless it tries to install a service or driver. So you may see some of the behavior of the malware. But it didn't leak, in that if you reboot, the behavior is gone, and if you empty the sandbox everything about the malware is gone.
     
  23. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Yes I was just trying to point out that a correctly configured sandboxed browser operates in a similar way to a LUA/SRP ;)
     
  24. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I have already said I don't have a sample, it was back in the days when I was a newbie. I fail to see why you wouldn't believe me? True, I do not have evidence, but at the same time you don't have any evidence to say otherwise either.

    I have already responded to this in a previous post.

    Not really, it was a reply to one of ssj100's posts.

    It could be ANY program outside of the sandbox. Malware does not limit itself to just using a browser to do its dirty work. There are many Windows system services that make outgoing connections by default, and you can't make system services run in the sandbox, can you.

    Yes, I agree most malware comes from the net. The point that I was trying to make is that, due to the fact that malware can communicate with programs outside of the sandbox, it is not safe to let malware execute and run in the sandbox.

    I can't see how Prevx would run properly without its drivers installed?

    Malware does not limit itself to just infecting the FF browser or using the FF browser to do its dirty work. It could be any program outside of the sandbox.
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    OK back on topic.

    I have been PM'd some links so I will soon be going through them with my MD file rules within a few days, and I will post screenshots. So hopefully the thread won't get locked before then.
     