Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The bolding is mine, as I don't quite agree completely with that statement. Appguard should protect against malware running in memory as it would prevent the malware from writing to another process.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I think you are misunderstanding. I'm talking about so-called "Fileless Infections" that operate in memory (see link); anti-exe and sandboxing won't stop this type of malware from running, because they cannot stop memory corruption.

    https://blog.malwarebytes.org/exploits-2/2014/09/fileless-infections-from-exploit-kit-an-overview/
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A Google search for "Angler-EK-malware-payload" will lead one to a malware analysis site that has analyzed around 30 instances of Angler Exploit Kit. I didn't give a link because the malware analysis site also offers password-protected malware samples for download.
     
    Last edited: Oct 15, 2014
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In addition, there's disk-based DLL injection, which some anti-exes may not stop.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This is getting silly. Sandboxie would stop that.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I'm a bit confused, is that different than the one served by Angler?

    Yes but we are talking about stopping it from running at all. Of course sandboxes and HIPS will indeed make it difficult for this type of malware to do its job.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The first paper in post #881 covers both on-disk and in-memory DLL injection methods. The second paper in post #881 covers a sneakier in-memory method than the first paper.

     
    Last edited: Oct 15, 2014
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Follow-up: the instance of Angler analyzed here can use either the sneakier in-memory technique, or it can use a DLL on-disk method.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Yes, it does, Pete. The setting to get it done is available. According to Tzuk:
    http://forums.sandboxie.com/phpBB3/viewtopic.php?t=9794

    Bo
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Mr Brian, that frankly is most unimpressive. Using default settings is in no way representative of what Sandboxie is capable of.
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    But it is representative of the vast majority of users on computers. I don't get this continuous back and forth about SBIE, there's really nothing more to add.
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Everyone can learn if they want to. In the beginning of using SBIE, I actually knew nothing about it, absolutely nothing, zero, nada, nothing, and yet I learned because I wanted to learn, and I consider myself an average Joe. They could easily visit the Sandboxie forums with questions, if they really wanted to. I'm also the type of guy who likes set-and-forget solutions, and very simple ones.
    But if you want to use something, learn something more about it. Sure, people will say they don't have the time and patience to go through all of this; big deal, neither do I. Actually, most of the time I don't even use my home computers, because everything I surf is from the job itself. Only on weekends, and very rarely during the week, do I open my home computers.
    I'm just too lazy to go through the hell of the entire process, and there are far more important things in life than mere computer security.
    If people want to be secure they simply have to give some time and spend it to get more security, if that's their concern. Nothing is free, and nothing comes easy, especially not security.
    Actually, for many years I have been without any kind of protection except a router and the Windows XP firewall, not even USB protection. I just didn't care; easily a set-and-forget person.
    Yes, there were times I was actually infected to a point where nothing could help, and then I reinstalled the whole system from scratch (many times), but then I started to think: is it worth all that, or should I simply buy and learn more about how to protect myself?
    This is when I heard about SBIE, and I decided to use it.
    If you really want to use something, you should always visit their forums and learn.
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I think I understand now, but it's not the job of anti-exe to stop code injection; their job is to stop the payload from running at all. Because if malware can't run, it also cannot inject the .dll file from disk.

    Now I'm confused again, isn't SBIE supposed to block code-injection, even if both apps are running inside the sandbox?
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Exactly, on the default level SBIE4 is pretty hollow, but once you harden it and use all of the restrictions and blocked accesses to everything, SBIE4 shows its real power and effectiveness.
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Default level, huge difference.
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  21. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Totally agree J_L. Also thanks Bo for the update. :thumb:
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    What J_L said.
    Thanks for keeping us up to date, Bo. 4.14 now running on one 7x64 computer, and soon to install on a 2nd when some system maintenance completes on there.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Being an antivirus, it is probably still being detected because of a leftover. You should run the Avira registry cleaner. After getting rid of the leftovers and rebooting, Sandboxie should show you the option to delete the obsolete setting.

    Bo
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Page, Wolfrun, I also agree with J_L about what this thread IS about. ;)

    Bo
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    4.14 now running on both 7x64 machines. Easy upgrade as always. Nothing else to report.
    I am really enthused to see Invincea maintaining SBIE this way.
    I honestly did not believe they would do it.
     