Sandboxie test with eicar file

This is just an experiment to discuss the testing of detection using Sandboxie to narrow down what is and what isn't happening so that I and maybe others can understand. This is with the eicar test file, but could be relevant to other files as discussed recently in relation to Spyblaster/Spyware Cease.

I'm using Sandboxie 3.38. I created a sandbox called Software and downloaded the eicar test file then put it into that sandbox.

If I right-click the Software folder, eicar is detected as one would expect. If I go into the folder and scan the eicar file itself, it's not detected, but extra items are created in that sandbox when the scan takes place.

These are a Reghive and corresponding log and a user folder containing a csidb.csi file a few folders in. Even with those files/folders created, the eicar test file is not detected with Prevx. On reflection, this also occurred on my previous scans with Spyware Cease, but didn't notice them as much because of so many other extra files.

I'm just wondering if Prevx should be detecting further into the sandbox folder than it is. If this is not how it works, then the answer is to scan the sandbox folder anyway as we know it does detect that way assuming the cache is clear.

 

I suspect that not scanning the sandbox is a non-issue (being that Sandboxie does the job of protecting it anyway), but the creation of csidb.csi is an issue - could you see if Prevx itself is being sandboxed? csidb.csi is the scan database which is required to be in C:\ProgramData\PrevxCSI\ (or C:\Documents and Settings\All Users\Application Data\PrevxCSI).

Also, it would be worth checking if these drivers/services are loaded:

pxsec
pxscan
CSIScanner

 

I re-created the above scenario with a Test sandbox just to be doubly sure, and added the eicar.com file in there. When I right-click scan on that file within the sandbox, the other files are added as per the screenshot:



None of the other files you mention are in there. Prevx does not alert.

However, if I right-click the Test folder, I get a detection as evidenced here:

 

Could you run in a command prompt:

sc query pxsec

then

sc query pxscan

and then

sc query csiscanner

and let me know what it says? They should all say "RUNNING".

 

They're all running. That's what the status says anyway:

 

Same for me here with one difference:

If i try to right click scan the eicar Testfile in the sandbox windows asks me if i want to execute the file?!
If i click on "execute" nothing happens. The file is not executed but not detected anyway.

If i try to execute the Testfile in the sandbox by double clicking it windows asks me if i want to execute the file. If i click "execute" PrevX detects and blocks it.

The files RegHive.log and some other RegHive{123456-CLSID}.TM.blf are created.

 

I get that anyway, in or out of the sandbox; I think a .com file is considered to be an executable so if the publisher is unknown, you should get that warning asking if you want to run it.

I hadn't tried that as was concerned with scanning the file without executing it; I do agree though that Prevx alerts when double-clicking the file, and Windows throws up a 'cannot access device/path/file' message, certainly on XP anyway.

 

PrevxHelp, the Prevx blog entry A puzzle called SafeSys seems to suggest that sandbox approaches to security have limitations and flaws. Can you elaborate?

Do these same considerations apply to virtual machines (e.g., VMware Workstation)?

Thank you.

 

I suggest you go back and read it again, it does not refer to or mention anything to do with Sandboxie's. It is referring to virtualization/rollback apps such as Returnil, Shadow Defender, Deep freeze etc.

If you read this:

https://www.wilderssecurity.com/showthread.php?t=247937&highlight=safesys

you will see that Sandboxie, DefenseWall and GeSWall, anti-executables etc were all able to contain this.

PS: Not wishing to seem rude but if you wish to start one of your endless dialogues with Prevx Help please start a new thread and don't hi-jack this one.
Thank you.

 

I notice when I click a Sandbox and explore contents, I am unable to use Prevx to scan any folders, a no restriction rule sandbox (access to internet for all/start run for all). No Prevx scanning instance appear and close in taskmanager.

I added some extra rights to the box to see if any helped.

Added Prevx.exe to: • Direct access file path • Full access file path, but still no go.

If I open the eicar dos test inside the same no restriction sandbox Prevx doesn't alert me, OA is alerting the execution.

Do you reckon it's worth seeing if Tzuk could fix it? It would seem to be more of a Sandboxie restriction.

 

Dark Star 72, thank you for the clarification. (My bad.)

 

I suspect there are a few issues here - OA alerting on the execution will most likely prevent Prevx from scanning the file, but based on everyone else's comments, I'm going to sit down with Sandboxie and our QA dept. today to see what's going on.

I'll report back as soon as I get something definitive - thanks for all of the input!

 

before sitting down make sure you prepare a strong colombian coffee

 

So after drinking the Colombian coffee, what was the prognosis?

 

We still have yet to investigate it - we will get to it ASAP, however