Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    No problem everyone. Yesterday our good friend Peter called me (we talk often) and walked me through the process ... perfect. Thanks to all and Peter. It is now such a secure feeling to be able to scan downloads while STILL INSIDE THE SANDBOX before finally allowing them onto my real system. This Sandboxie is even better than I thought, and that statement comes after already having used it for many years.

    Acadia
     
  2. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Guys, downloading and executing a file by hand is as much a drive-by download as shooting yourself in your own car is a drive-by shooting.
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    From what I could see and detect, it wasn't the Google Chrome sandbox itself that was bypassed back then; it was one of its weak points, Flash Player or one of the plugins.
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    When the browser runs under Sandboxie, anything and everything that runs from the browser runs sandboxed. That includes Java, plugins, extensions, PDF reader, etc. CWS, that's what running sandboxed under a sandbox program is all about. :)

    Bo
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I think SBIE is designed to be easy to use with almost no knowledge at all, but at the same time, you never stop learning about it. I am constantly learning something new about it. For me, that makes the program exciting. :)

    Bo
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Chrome has its own Flash Player plugin which runs in the same restricted context as the renderer.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I agree, Fleischmann, but some drive-by downloads happen without one's knowledge. And some happen by knowingly clicking here or there in order to watch a video or do something: use Java, install an add-on, ActiveX, etc. That's where SBIE comes into play. If the browser is sandboxed, the infection is gone when the sandbox is deleted.

    Bo
     
    Last edited: Dec 16, 2014
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I know, but it depends on the user; some may want to download and install apps. And it can also be easy to lose track of files that are saved, so it's probably best to give direct/full access to certain folders. These kinds of things I need to consider.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In this case, a friend called me. Of course I couldn't do it with everyone, but many people aren't interested in securing their computers. When someone is, I don't mind helping. In this case we also installed EIS on the machine, so that helps a lot.

    Pete
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    For friends. If you are gonna give Direct access to folders, to make it easy for them to keep track of downloaded files, I think it's best to give access to only one folder. For safety, you don't want to give Full access to any folder. For what you want to do, it's not needed anyway.

    Bo
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    In a few words, tell me the purpose for using this program and I'll try it later. :)

    Bo
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ bo elam

    It will automatically resize file dialog boxes and auto-sort columns. Plus it will give quick access to certain folders and give you a "stay on top" button.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I'll check it out later. Have you tried running the program sandboxed?

    But I tell you, if you have the program installed in your system, probably all you have to do is run it sandboxed and then run, in the same sandbox, the program or programs that you use it with.

    Bo
     
  15. 142395

    142395 Guest

    That's unlikely; a real exploit against Chrome has so far not been reported. :)
    How could you know that? Honestly I doubt you or your friend can spot a Flash exploit; I think he was just tricked by some kind of social engineering, as Simplicity suggested in the file-less malware thread.

    A drive-by download is invisible unless he deployed a HIPS with proper settings (but then, he wouldn't be infected). And when the infection was found, it's too late for you or your friend to determine if it was by a Flash exploit, unless you or he has good forensics knowledge.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, that was in 2012, so I presume it was Flash Player or it had to do with plugins (since Chrome, those were the vulnerable parts). Yes, I did forget about social engineering; that seems far more likely. No, he did not have a HIPS back then; now he does have a HIPS, just in case.
    However, there was no user interaction. If he clicked something wrong, it did not ask him something like "do you want to save or run this file". No, that was never the case; he was saying this to me like 100 times, even though I thought for a very long time that he was not aware of what he was doing. However, just by clicking something you shouldn't, you can infect your computer with malware without user interaction. Now I know that; back then I did not know that.
    However, since then, when he started using Sandboxie, there were no such cases anymore: no infections, no matter what he clicks.
    Infections/malware obviously installed themselves without asking him anything; that's the point.
     
    Last edited: Dec 17, 2014
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, your friends are the lucky ones. It's not just about not clicking something; it's also about how lucky you are about not clicking something that you shouldn't click. No matter how experienced you are, you still make mistakes, and you can and will eventually get infected by clicking something you shouldn't click or doing something else that you shouldn't do.
    It also heavily depends on what websites you visit (whether these websites are dangerous, containing all forms of malicious activities, drive-by downloads, malware, etc.) and how often you visit these websites.

    The same goes for your friends who did not get infected: it depends on what they surf and what they click, and how much they trust the websites they visit as well. If there is not much clicking, or actually no clicking at all, then they are not in danger.

    I somehow don't believe your friends would be able to prevent Cryptolocker from installing, since there would be no user interaction (like "do you want to save, run or cancel this file's installation").
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Drive by malware doesn't have to exploit Chrome to infect Chrome users, Yuki. All it has to do is find the hole in a plugin (like Java or Adobe reader) and the user gets infected.

    Let me ask you: if one of our friends visits an infected webpage, and our friend is using a one-year-old version of Java and launches an infected applet, and his AV doesn't say anything, is Chrome going to do something about it, or is his system going to get infected?

    On the other hand, same user, same situation, only difference being that he is running the browser under Sandboxie and deletes the sandbox at the end. After deleting the sandbox, is his system clean or not?:)

    Bo
     
  19. 142395

    142395 Guest

    Unless you keep a clear memory from that time, even in the details, that memory hasn't changed, and you and your friend correctly understood things, there are still many possibilities, impossible to hunt down, even considering Chrome didn't have a plug-in sandbox by default 2 years ago.
    Just as an example, he might just click and view a "document" or an "image" which is actually an executable. Such malware, after execution, can delete itself after lateral movement and instead put a genuine document or image in its place to hide its existence. It's just an example; I don't want to list all possible scenarios, which are nearly infinite.

    I don't agree, except for the "anyone can make mistakes" part.
    As long as bo or his friend correctly uses SBIE, what websites they visit or what links they click don't matter; user interaction doesn't matter either.
    Surely there can be quite minor threats such as the FBI Tor exploit or a kernel exploit, but how likely are we to come across them? I know most people don't even come across a common exploit in a year.
    The only practically possible infection scenario is that they mistakenly recover malware from the sandbox and execute it in the real environment.
    Or, if one gets infected in the sandbox and still continues banking or shopping without clearing the sandbox, his credentials are in danger.
    Both of these are things an SBIE user always has to keep in mind.
     
  20. 142395

    142395 Guest

    In old Chrome, he will get infected. In a recent version, he will receive a prompt that the plugin wants to access your (out-of-sandbox) PC. I still think many people will just disable the Chrome sandbox and get infected.
    You know the answer.:D
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Luck has nothing to do with keeping your computers clean.

    CWS, for me, it's not only using Sandboxie that keeps me clean. I think learning to use NoScript is huge, as well as getting rid of all plugins that I don't use on a regular basis. Like in my W7. In W7, I hardly ever require a plugin, so I don't keep any plugins installed in that computer. If I require one, like Flash, I install it temporarily in a sandbox and after using it, I delete the sandbox.

    In XP, the only plugin that I have installed is Flash for Firefox. For IE, I don't install any at all in either computer. I think doing this sort of thing helps. Java: I got rid of Java long before it became the in thing to do. When I started learning security, I felt it was the right thing to do and I did it.

    And software in general. I do as I do with the plugins. If I don't use it on a regular basis, I uninstall it. And I don't put it back or look for something else. I don't install anything just because it sounds like nice software. I mean, I could be a 100%-of-the-time SBIE user and still get infected if I installed the wrong program out of the sandbox. But I don't do that. I know what to install and what not to.

    Something that I don't do is trust any site. I treat all sites the same way. To me, there are no dangerous or safe sites; I see all sites the same way. I took the Sandboxie "Trust no program" thing a little further and applied it to browsing, and it has worked for me.

    Bo
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    You know that's what happens with most of "our" friends. But if the click happy friend has come to realize that browsing with SBIE works, he is always going to browse sandboxed. And only get infected when he installs the wrong program out of the sandbox.

    Bo
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I don't think so. Let's see: 2 weeks ago I was infected with 2 Trojans. You see, I have the on-demand scanners HitmanPro and MBAM Free just in case, and that day I was surfing the web with Mozilla Firefox (with Adblock Plus and NoScript) without Sandboxie. Now, let me say this: I did not click anything, I did not download anything, I even had MBAE Premium, and yet I still got infected. I know this for sure because after every net surfing session I always check with MBAM and HitmanPro whether I was infected, and no, it wasn't some false positive. Now, how exactly could I get infected? The only websites I visit are YouTube, science and technology, comics websites and of course Wilders Security Forums.

    This is what I'm talking about: none of your friends can be sure whether they are infected or not, unless they run a scan with MBAM, HitmanPro or any other anti-malware/antivirus/anti-spyware/anti-adware, etc. I'd rather leave Sandboxie to protect everything, plus the on-demand scanners MBAM and HitmanPro, which detected nothing as soon as I installed Sandboxie back again.
     
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, are Google Chrome's plugins sandboxed or not in the end? And how can you still get infected, if Flash Player and plugins are under Google Chrome's sandbox protection/supervision?

    And these many examples you mentioned here are the main reasons why it's a security and protection advantage to have Sandboxie on top of Google Chrome.

    My friend was not that naive; he did have a lot of net-surfing experience at that time and also had equally a lot of computer experience, so he did know what to click and what not to click. He has never downloaded anything, so the SBIE thing and downloads are not worth mentioning here.
     
    Last edited: Dec 17, 2014
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I actually thought that Google Chrome, by now, has both Flash Player and plugins under its sandbox protection, but it looks like I'm wrong after all.
     
    Last edited: Dec 17, 2014