Sandboxie technical tests and other technical topics discussion thread

It seems to me that is no use to explain you that theories mean nothing without evidences-that is my crucial point here, if it was in your case we would still live in Dark Ages and believe everything what others tell us without any form of any concrete evidence.
I will stop now, this not a time or a place for such a debate, besides, we are going in circles.

 

Hi Yuki, here is what you want. From Sully. Look for the registry keys around the middle of post#2.
https://www.wilderssecurity.com/threads/sandboxie-templates_local-great.253382/#post-1556098

Bo

 

There are some locations within the Windows folder that accounts with non-admin privileges can write to unsandboxed, so doing this might cause some programs to fail.

 

Currently can't find particular problem, but maybe.
However, I guess that's bad manner and not many program do this, tho I may be wrong.

 

Wow, I didn't know there's already such extensive setting post!
Thanks for the link!
Is Sully still active in this forum? I haven't seen him at least after I entered Wilders. Can I see such info in somewhere?

[EDIT] looks like they are for XP. Some thing are same or can easily be translated to Vista, 7 or 8, but others not. It seems MS changed many of those things. I'll look into those things on my Win7x64.

 

I think some of the settings in that thread are perfect for the extra paranoid, like you, Yuki.

I can tell you, in my XP, I use the ones for the registry and the ones below. Never an issue or a message from Sandboxie. But never tried any of them in W7.

ReadFilePath=C:\AUTOEXEC.BAT
ReadFilePath=C:\boot.ini
ReadFilePath=C:\Config.sys
ReadFilePath=C:\IO.sys
ReadFilePath=C:\MSDOS.sys
ReadFilePath=C:\ntldr
ReadFilePath=C:\NTDETECT.COM

Yuki, I discovered Sandboxie on my own, not in a forum or anyone telling me about it. I found Wilders while I was searching for information about Sandboxie. And when I first landed here, there was Sully talking about Sandboxie. He went away some time ago and I surely miss his posts. If he is still reading Wilders, he probably loves reading your posts like most of us do.

Bo

 

Thanks, as to difference with new Windows I added in previous post.
That's too bad, surely we could learn much from him if he was still here. But thanks for kind words!

 

Hi Mr Brian, I have never used the Read only setting for Windows. But I know there are many SBIE users who do use that setting. I think its probable that using the setting would work in almost all sandboxes. Read only files can still be used by sandboxed programs. The only difference is that Read only files can not be modified within the sandbox.

Edit: I just tested with a program that's easy for me to test, Flash. I don't have Flash installed in my W7. So, when I tried to install Flash in a sandbox with Windows set as Read only, the installation fails.

And if I install Flash in the sandbox and after installing Flash, I set Windows as Read only, Flash does not show up in the Firefox plugins window. So, with Windows as Read only, things work as if Flash was not installed.

Bo

 

My feeling is that any application program that wants to write to the Windows directory can go ... away!

 

Except for Sandboxie I guess you missed to say! LOL

 

Huge exception.

Bo

 

At least all programms that install drivers must do so. Of course, they mostly can't be installed in Sandboxie.

 

And I do my best to keep them to a minimum, particularly given the scandals around the subversion of code certificate signing.

 

For those making folders "Program Files", "Windows" etc. read-only in a sandbox: another thing that should be tested is if doing so interferes with UAC Virtualization.

 

Can anyone please confirm or beat this argument from malwaretips.com written by Littlebits:
"As I have said before software level of security can be bypassed much easier than OS level security. That's why UAC is much better than HIPS, behavior blocking and sandboxing, etc. Just make sure you have UAC enable at defaults and utilize its protection, avoid downloading suspicious files and visiting unknown sites. Pay attention to Windows digital file warnings when running files and you should be safe.

There is not a single type of security protection that can't get bypassed.
However software level is the most easier for malware to bypass, next OS level then last BIOS level which is most secure.

There has been malware known to bypass all levels, but not as common and widespread.

Sandboxie has been bypassed before in the past but I believe the issue was fixed by the developer. Sandboxie is the best in its category but all software have vulnerabilities and malware writers look for them and eventually will find them and exploit them. Even though UAC and Windows OS has had vulnerabilities as well, it is much more difficult for malware writers to find a way to exploit them. Even system BIOS has vulnerabilities but it is so hard for malware writers to find a way to get exploit them which makes them extremely rare. They are usually used as attacks on large businesses.

Malware that is most common for home users doesn't even use vulnerabilities just simple fake alert sites that trick users into manually running infected files."

First question: is this all true or false (which parts are true and which parts are false)?
And second question: this is they bypass Littlebits is talking about: you have to be logged in to see this thread:
http://forums.sandboxie.com/phpBB3/viewtopic.php?t=9812&sid=6c7a98e7a8a4e768f990a8d817732cf7

However. what I have noticed that all Sandboxie bypasses and pocs were because DropMyRights feature was not enabled/checked, so what would protect more UAC (maximum settings) or DropMyRights feature of Sandboxie, it seems to me that you get the same results and equal protection level?
Also, UAC is some sort of virtualization, so it could cause conflicts with Sandboxie and its enabled DropMyRights feature if you use both UAC on maximum level and Sandboxie with enabled DropMyRights feature, right?

 

Yeah, I mean enough is enough. But apparently they seem to think differently.

This is nonsense, it's just silly to compare UAC to HIPS and sandboxing. UAC can't give the same level of security.

 

Can't confirm but I would agree completely. At least I would say they are more common, if not easier to bypass than the O/S is. Malware attacks are more likely to use code that exploits some kind of vulnerability on existing software running on the O/S. One need look no further than Java and Flash exploits for some evidence.

 

I can't either, but one thing I might highlight is that Windows releases every Patch Tuesday several updates regarding OS security vulnerabilities and for me this means Windows is as vulnerable as any other software, maybe more.

 

What about the following Littlebits claims:
"My understanding is that one of the main much quoted benefits of Sandboxie , is that by sandboxing the browser, drive by download attacks due to browser vulnerabilities, can be prevented.
I quote findings from joint research by three eminent universities in Usa ,France & Austria:
"Drive-by downloads work by exploiting vulnerabilities in web browsers, plugins or other components that work within browsers,Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vul-nerabilities in web browsers and browser plug-ins to execute shellcode, and inconsequence, gain control of a victim’s computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, send-ing spam emails, or participating in distributed denial of service attacks."

I presume this part is true.

What about this part:
"Drive by downloads no longer exist if you are using an updated browser and plugins. Internet Explorer, Firefox and Google Chrome already blocks drive by downloads by default, the user has to click to download files and execute them. I haven't seen a drive by download since about 2007 because browsers now have better security to block them. Even if one happen to get by it will still be blocked by UAC, the user would have to approve it in order for it to be successful infecting your system.

All downloads require user actions to manually download and execute unless you are using out-dated browsers, Java plugin, Adobe Flash, Shockwave or PDF plugins.

Keep your browsers and plugins updated and disable Java and you will probably never see any drivebye downloads. If you happen to encounter one that slips by keep UAC on default settings and make sure to check the file before approving it. If the file is not digitally signed by a trusted publisher then it could be malicious, UAC will let you know if the file is digitally signed."

True or false?

Also, Littlebits wrote:
"I never sandbox my browsers or web applications, it is not necessary if you always download files from safe sources and never execute files without checking them first. If you use Internet Explorer never select "Run" on a download always select "Save" because you can check it before running it. That is the most common way users get infected.

All known malware that infects users today requires the user to manually download and manually execute the malicious file. I think only paranoid users actually sandbox their browsers and web applications or users that just don't know how to safely download files.

If you download a file that appears to be suspicious then you can add VirusTotal right click menu "send to VirusTotal" then right click and select "Run Sandboxed" on the suspicious executable file and it will run in Sandboxie.

If you are an advanced user you can see what the suspicious executable file does by opening the Default Box by selecting "Explore Contents". Windows Explorer will open sandboxed and you can view files that the suspicious executable created safely.

I never use the Recover Files on Sandboxie, if the executable is verified to be safe then I will just run it out of the sandbox on my system if it is something that I want to run or install.

The only benefit of using the Recover Files is if parts of the executable file has mix content of both safe and malicious files created. This however is very rare, either the executable file is malicious or it is safe most of the time. Some installers have forced adware because this can benefit advanced users that want to install a software without any adware included, but this is also rare, most installers now days has opt-out opinions if you pay attention the adware can be bypassed easily."

What do you all think?

 

OK, I understand now, Peter.

 

I need info about something regarding Sandboxie:
My configuration is:
ClosedFilePath=C:\WINDOWS\system32\t2embed.dll
ClosedFilePath=C:\WINDOWS\system\
ClosedFilePath=C:\WINDOWS\system32\kernel32.dll
ClosedFilePath=C:\WINDOWS\system32\win32k.sys
ClosedFilePath=C:\WINDOWS\system32\drivers\

Which of drivers, processes, dlls and etc. are unblockable, as far as I know, kernel32.dll and win32k.sys are unblockable, right what other drivers, processes, dlls and etc are unblockable by Sandboxie?
If they are unblockable can they be configured so they are write-protected/read-only so even file-less memory exploits and file-less malwares in general cannot write to Windows drivers, processes, dlls and etc.?
So, if nothing can write to them (only read), than you are 100% protected: right or wrong?

 

ClosedFilePath settings have no effect.
You cannnot block a driver with ClosedFilePath in Sandboxie.

ClosedFilePath=C:\WINDOWS\system32\drivers\
ClosedFilePath=C:\WINDOWS\system32\win32k.sys

 

Read my entire post above, please, again, you did no respond what I asked; is it possible for those drivers, processes, dlls, sys and etc. to be write-protected/read-only so malware, exploits and etc. cannot write anything the way it wants to that driver, process, dll, sys and etc.?