Sandboxie Has A Security Hole??

Has any one esle tried regtest and advanced process termination inside sandboxie??
http://www.ghostsecurity.com/registrytest/
http://tds.diamondcs.com.au/advancedseries/apt.php

well they can both successfully shut down your pc and terminate other programs running outside of sandboxie.

I allways thought that anything running inside sandboxie can't communicate with anything outside of sandboxie, Obviously that is not the case.

Some people here will argue that you can use the setting
"Start Run Access" so nothing else can run except the programs you allow.

But what if you run mp3 video files or jpg picture files inside sandboxie with a
malicious code attached. many mp3 and jpf files come with malicious code attached to them. So because you have to give permission to allow run access for your jpg and mp3 files the malicious code executes and does the same thing that regtest and advanced process termination can do.

 

That is quite a concern. However, allowing sandbox to run only certain applications will certainly help here. Audio and video files with malicious payload shouldn't be a concern, unless you download from shoddy websites and/or P2P.

 

In fact, .jpg and .mp3 doesn't have malicious things inside by default. The only thing may be there are internal structure manipulations that cause buffer overflow errors within certain software.

But there are .wma and .wmv files that contains an internal link to the "codec" need to play those files. Windows Media Player, by default, will download and run it. Ans- yes, that files may be malicious this case if this "codec" is, in fact, malicious software.

 

Well I gave I run it sandboxed with Drop my rights and it was also untrusted by defensewall also prevx edge trial pick up on it and when I deleted contents from the box it was gone even from Defensewalls untrusted list.It looke like DW and Prevx would have handle it just Fine.I have to try it just Sandboxie and shut down other apps.Here is prevx had to say and would have stopped with paid version.I trusted it still got nothing to happen I assume from being untrusted from DW.

 

Being discussed in the sandboxie forums since last month (year?):
http://sandboxie.com/phpbb/viewtopic.php?t=4665

 

So far I'm not seeing anything that's making me shiver in my boots. It'll get fixed if it's deemed that big of an issue, and so far it really isn't. I think this is yet another case where someone found some test somewhere that claimed to do this and that, and decided to test it out on their favorite "indestructible" app. And, when it didn't get a 100% "no chance in hell is this going to happen" pass they were looking for, suddenly there's panic and the app goes from "Try to stop me now!"-good to "This app is useless".

Please note Arran that I am NOT attacking you for posting this, all I am saying is that this kind of situation is starting to become an all too common occurrance.

 

I agree, and I think it is good that the OP posts what he has, Sandboxie along with Returnil are my favorite security software, so I have nothing against Sandboxie, quite the contrary, but when running software such as this, which is exceptionally good at protecting your computer, it's nice to be reminded that common sense still has a place in your security approach, no matter how good a security app is, sooner or later it will be defeated by something, even if only for a short time until patched.

 

Hi dw426. I know that there is allready a thread on the sandboxie forums, I have allready read it. The reason why I posted it here is because here there is a whole bunch of guys allways testing security Products. And I just wanted
to see a wider range of opinions.

I still think sandboxie is a great product and there is no way I am going to stop using it.

I just want to find out if malicious codes attached to files you run in sandboxie can achieve the same thing as regtest and advanced process termination? But no major problem, Sandboxie is allways getting better, it wasn't long ago we got an update with a rule Restrictions "Start Run access" which was excelent.
Perhaps later on there will be another new rule added in Restrictions called
something like "Running apps cannot communicate or do code injection to apps running outside of the sandbox" ??

 

Hi Ilya,

I was not aware that Windows Media Player could download/install something without a prompt.

Can you provide the titles of those files, and the web sites where they were encountered? If the sites are still active, then just something that gives an idea as to what types of sites they are.

thanks,

----
rich

 

There may well be a way to prevent WMP from downloading without a prompt, but I have frequently seen, when starting a media file that is connecting to the web to retrieve a codec to play the particular file if it does not already have that codec

 

Don't ask me for the details, but my Windows Media Player (latest version, version 11?) does not download/install anything without a prompt.

I think it has something to do with configuring the WMP (lots of things can be customized, it's easy to get lost in that menu) and maybe improving all your IE 7 security settings to above average. I have increased the security settings of 'trusted zones' to the settings for the internet.

Maybe outbound firewall control is also an issue ?

Btw, I do NOT use Sandboxie.

 

I found this in the "Known Conflicts" section of Sandboxie's website:

"With Sandboxie 3.28 and later, updates to Rising Anti-Virus may partially disable the protection of Sandboxie."

Does anyone know what Rising Anti-Virus disables in Sandboxie's protection and how it is able to do so? I didn't find any further information on it at the Sandboxie site.

 

I believe you disable automatic downloading by un-checking the "download usage rights" box in the Options menu.

 

Isn't a codec an executable file? In that case, it can't download without permission, if you have good security.

----
rich

 

It must be the following setting. I use the german version of Windows Media Player 11, but I think with the pictures you can easily find the setting in the english version too.*

*) Edit:
I found it in the meantime in English too:
Tools ---> Options ---> Player ---> there you have to uncheck the box "Download codecs automatically"

 

Thanks, Peter, I find that Option in my WMPlayer also.

Does anyone have a link to a file -- preferably a small file -- that requires a codec so I can watch it download?

thanks,

rich

 

There is a malware ITW that modifies .mp3 into .wma, but I don't remember its name. I just know it's possible and no more. Sorry.

 

Few days ago i found this malware (EXP/ASF.GetCodec.Gen) on my pendrive's friend.
Saved as mp3, more details from VirusTotal: ~Link removed per Policy.~
Info about this malware: http://www.avira.com/en/threats/section/fulldetails/id_vir/4350/exp_asf.getcodec.gen.html

 

http://www.kaspersky.com/news?id=207575664

 

Another "hole" for sandboxie would be if I set to view compressed files as folders in windows, set a specific folder as forced folder and place a zip file there. Doubleclicking on the zip file spawns an unsandboxed window of the zip file's contents and you can run the contents without Sandboxie's supervision.

Minor annoyance for me and easily resolved by using an archive program to handle zip files instead of windows zip support

 

If that were the case, then I wouldn't call that a "minor" annoyance. After all, the archive is outside of Sandboxie's control.

I'd have to try this when I get home; I'd have to experience it myself before I fully believe it.

 

Please be so kind and tell us your findings... ATM I have very little time to play with my computer...

 

I've got a quick question for you. When you said compressed files, did you mean NTFS compressed or an archive (ZIP, RAR, etc)?

 

I meant ZIP file and was pertaining to windows' built in zip utility.
For XP:
1. Start > Run > regsvr32 %windir%\system32\zipfldr.dll

2. Set a specific folder as Forced Folder in Sandboxie config.

3. Zip a file (test.txt for instance), and place the ensuing zip file in the forced folder.

4. Double click on the zip file. Double click on test.txt.

Works only if there is no archive program such as 7zip or Izarc set to handle .zip files (edit:or if the archiver is not the default handler for *.zip)

 

After performing the steps bman412 outlined, I can confirm bman412's findings. Other items that I copied into the forced folder ran inside Sandboxie (i.e. text document, executables, etc); the zip file wasn't sandboxed (using Vista's ZIP utility).

Thanks for the heads up, bman412.