Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My question here is why bother. I've never done anything like that and no malware I've tried has gotten past.
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'm simply curious, because as far as I know, if any form of malware, exploit or anything else is forbidden to write/set read-only (this is not the same as blocking), then it cannot do any form of damage at all (not even the slightest).
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    AppGuard perhaps?
     
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, I also meant AppGuard as well, but the fact is Sandboxie can be configured to make those drivers, processes, DLLs, .sys, .bat files etc. read-only, since they cannot be blocked / access to these drivers, processes, DLLs, .sys, .bat files etc. cannot be blocked in the same way.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    How can it be configured? I'm a bit lost.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Remember what curiosity did to the cat. Messing with all this, all you're going to do is mess up your setup. Relax and let Sandboxie do its job. It does great on default and even better with a few start/run restrictions.
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Oh, trust me, I have my own configuration and I'm sticking with it; some of that configuration I have stolen from Bo and that's about it.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I presume you mean on Sandboxie, because this is what I meant.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Those are protected directories, so unless malware elevates, it can't write to those locations anyways. That's why one of the most basic and prudent steps to computer security is to run as a Standard user. Of course with newer Windows you can run with UAC enabled (preferably at maximum) and that will restrict your administrative account with Standard rights.

    You will so often see in Microsoft Security Bulletins:

     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    Yes you presume right.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'm curious if malware can write to these locations when Sandboxie is on default level. I have DropMyRights enabled, I guess this covers those locations?
    But I was talking about read-only thing, specifically.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Go to Resource Access > File Access > Read-Only, and also Resource Access > Registry Access > Read-Only (check out Bo's link to Sully's Sandboxie configuration thread on the previous page).
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I don't see how it could unless it's elevated, although someone with more knowledge about Sandboxie might know. Attached is a list of Windows directories that are not protected. Typically if I run an anti-executable or HIPS, they are the ones that are monitored. Hopefully I didn't miss any.
     

  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    Thank you.
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    Microsoft IIRC had a fix for the t2embed.dll vulnerability, and Sandboxie blocking that dll would have prevented access AFAIK.

    ClosedFilePath=C:\WINDOWS\system32\t2embed.dll

    Sandboxie blocking an exploit from affecting the user's system is contained within the sandbox. Not saying it stops malware from running inside the sandbox, but it is contained, and once the sandbox is deleted you're good to go.

    As mentioned, it's a good idea to run as a Standard/limited user and apply restrictions to the sandbox for better protection.

    Test Sandboxie with Read-Only Access to a Windows file and see what happens.

    My question is - why are you blocking win32k.sys and the drivers folder in Sandboxie?
     
    Last edited: Feb 7, 2015
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    On default, the whole system is Read only to sandboxed programs. Sandboxed programs cannot write to unsandboxed files unless you allow it, with default settings or not. The Read only setting in Sandbox settings has to do with what sandboxed programs are allowed to do within the sandbox with files that are outside the sandbox. Unsandboxed files and folders that you set as Read only can be accessed/used by sandboxed programs, but they cannot be modified within the sandbox.

    I personally have never set Windows or anything within Windows as Read only. It has never even crossed my mind to do it. Just the other day, when I tested Flash in a sandbox with Windows set as Read only, I couldn't use Flash. In my opinion, setting Windows or anything within Windows as Read only is not convenient and is unnecessary.

    The files and registry keys that Sully set up as Read only are OK and make sense. Those are files and keys that sandboxed programs have no reason to change at all. That's why you can use those settings and your sandboxed programs still work great.

    Bo
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    Thanks Bo.
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    If you tried installing Flash inside the sandbox then yes, you would get an install error if you set C:\WINDOWS to Read-Only Access in Sandboxie.

    If you installed Flash inside the sandbox minus the C:\WINDOWS Read-Only Access setting, then it will install correctly and you're able to play YouTube videos.

    If you installed Flash outside the sandbox (on the real system) and set C:\WINDOWS to Read-Only Access, you can still play YouTube videos. Plugin-container.exe, if not disabled, would need Start/Run Access in Sandboxie as well.

    I do use Read-Only Access settings in Sandboxie. I don't want certain files and/or folders being modified.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    That is what I was testing. Same result.
    That is how I handle Flash in W7. I hardly ever need Flash in W7, so I don't keep the program installed in the system. On this computer, I temporarily install Flash in a sandbox when it's required for something and delete the sandbox after using it.

    Bo
     
    Last edited: Feb 7, 2015
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What I was trying is to make these locations read-only so that even sandboxed (inside/under Sandboxie) malware cannot write anything.
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Locations like win32k.sys and kernel32.dll need to be protected from modification - maybe you can't block access to them, but you can block exploits and file-less exploits/malware from writing to and modifying them with the Read-only option inside Sandboxie - that was my point. The read-only option is the perfect protection from writing to/modifying win32k.sys, kernel32.dll and all other locations on Windows from in-memory file-less exploits and their payloads, file-less malware, drive-by downloads, user intervention and etc., and that includes unblockable locations like win32k.sys and kernel32.dll; maybe you can't block access to them, but you sure can prevent their modification using the read-only option - that was my point here. I'll wait for others to confirm these claims or to disprove these claims!?
    Anyone?

    Again, I'm asking you what would happen if I disable writing to / which means enable read-only on win32k.sys and kernel32.dll?
    So you see, this is not about blocking access to those locations right now, it's about read-only without the ability to write anything to win32k.sys and kernel32.dll and all other locations?
    Read-only is not the same as ClosedFilePath - completely/entirely different things.

    Just for the record, what would happen if I block win32k.sys and kernel32.dll (ClosedFilePath, not Read-only) and all other similar unblockable locations? To be honest, I'm too scared to do it; would my computer freeze, so I would need an entire re-installation from scratch?
     
    Last edited: Feb 8, 2015
  22. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I would say and repeat what Pete already told you, CWS. Relax, you have Sandboxie and AppGuard as your protection.

    Myself, I don't much bother with trying to tweak SBIE too much. It is probable you can make your computer totally unresponsive etc. if you try. But most times it will come only if you try to go too far with forced programs and try to make them run only sandboxed.

    The next step of course is for you to go try some HIPS program, to be in "total control", and then you are not running your computer to enjoy but instead running your security apps trying to make your PC work ;)
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    @Jarmo P You are right on the money

    @cws I hope you have a good imaging program you tested recovery on. You seem bound and determined to break your system
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    @ CoolWebSearch
    I was having second thoughts, and are you kidding us? With all due respect, a person with your knowledge level is supposed to know about imaging/backing up the system partition precisely to recover from disasters of any nature.
    Of course you can test those templates in SBIE and screw your system up, but there's no need to re-install from scratch as long as you have a system image.
     
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    I'm only going by what you had posted (#998). You have win32k.sys and the drivers folder listed as blocked (ClosedFilePath), not Read-Only (ReadFilePath), unless you changed the settings. As stated before, ClosedFilePath would have no effect. You can't block a driver with that setting in Sandboxie, and yes, I'm aware of the difference between the two settings. Also remember the blocked access setting takes precedence over other file access settings you may use.

    It also may depend on what programs you have running in the sandbox and the OS you're using. What works for me might not necessarily work for you, although there will be common ground. Some app for example might not work for a user when the "Drop Rights" setting is enabled in Sandboxie where it may work for me.
    If I set win32k.sys and kernel32.dll to Read-Only Access nothing happens (sandboxed browser). Usually a Sandboxie message pops up when something is configured wrong or doesn't work, but I can't say that will happen all the time.

    If you're uncertain about particular Sandboxie settings then you could post at the Sandboxie forum to the devs.

    NOTE: When I do testing, installing or change settings in Sandboxie it's done on a virtualized system as a precautionary measure. Especially if any HIPS program is involved. Freezes/lockups can and have happened because of a changed setting(s) or compatibility issue. I would be very careful about changing certain Sandboxie settings without some type of backup in place.
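    As an added illustration (not code from any poster, and not Sandboxie's own logic), a small Python model of the precedence described in the post above: a path matched by both a ClosedFilePath and a ReadFilePath rule resolves to blocked, a path matched only by ReadFilePath is read-only, and an unlisted path keeps the default behaviour Bo described, readable with writes redirected into the sandbox. The Sandboxie.ini fragment is constructed for the example and the parser is deliberately simplified (one section, no program-scoped rules).

```python
import fnmatch

# Constructed Sandboxie.ini fragment (not from any poster) built from the keys named in the thread.
# ReadFilePath: readable from the sandbox, not modifiable. ClosedFilePath: not accessible at all.
# Unlisted paths get the default: reads pass through, writes land in the sandbox copy.
SAMPLE_INI = r"""
[DefaultBox]
ClosedFilePath=C:\WINDOWS\system32\t2embed.dll
ReadFilePath=C:\WINDOWS\system32\win32k.sys
ReadFilePath=C:\WINDOWS\system32\kernel32.dll
ReadFilePath=C:\WINDOWS\system32\drivers\*
ClosedFilePath=C:\WINDOWS\system32\drivers\*
"""

# Lower rank wins: blocked access takes precedence over read-only, as the thread states.
RANK = {"ClosedFilePath": 0, "ReadFilePath": 1}
LABEL = {"ClosedFilePath": "blocked", "ReadFilePath": "read-only", None: "default"}


def parse_rules(ini_text, box="DefaultBox"):
    """Return (setting, pattern) pairs for one sandbox section; simplified ini parsing."""
    rules, current = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == box and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in RANK:
                rules.append((key, value))
    return rules


def effective_access(rules, path):
    """Strictest matching access class for `path` (case-insensitive, '*' wildcard)."""
    best = None
    for key, pattern in rules:
        if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
            if best is None or RANK[key] < RANK[best]:
                best = key
    return LABEL[best]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_INI)
    for p in (r"C:\WINDOWS\system32\win32k.sys", r"C:\WINDOWS\system32\drivers\afd.sys",
              r"C:\WINDOWS\system32\user32.dll"):
        print(p, "->", effective_access(rules, p))
```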
     