sandboxie v4 out Jan 10, 2013

Would Sandboxie contain the Sinowal worm within the sandbox? There's a discussion in the inofficial Shadow Defender thread where SD does not protect the user against the worm through virtualization. Would this be the case with Sandboxie as well?

 

Excellent Question?

+1

Best regards,

 

Sandboxie has protected from this malware in the past. I've seen several tests confirm it and my own experience is either Sinowal fails in the sandbox because I strip admin rights or with admin it just fails in the sandbox or simply doesn't start (perhaps because it is sandbox aware?)

However this thing constantly morphs and changes so I don't know what the most recent variances do. I do know though that start/run restrictions should prevent it running inthe first place but if you let it out, well.......

SBIE is more than virtualisation it is also restriction. I've yet to see or hear if an in the wild non-POC bypass.

Cheers

 

Yes, but what if I started it within a sandbox without Drop My Rights activated? Would it espace the sandbox just as it escaped the protection of SD? As you said, I'm also yet to see or hear if a wild variant bypasses Sandboxie. That's partially why I'm asking.

 

I've installed the lastest beta version (I skipped the first two), and all is going well.

I checked Process Explorer and Sandboxie now makes process under its supervision to run with an Untrusted/AppContainer integrity level (Windows 7).

That's cool. I really like what he's achieving! It actually made want to sandbox apps that I don't usually sandbox.

So, even though Sandboxie breaks Internet Explorer Protected Mode, it actually makes both the broker process and renderer processes run as Untrusted/AppContainer (AppContainer appears after applying an AppLocker hotfix).

I really like version 4!!!

 

At this time no one really knows if the 'Backdoor Sinowal' trojan can be contained in the sandbox. Whatever you hear now is just speculation (until valid tests are conducted).

TS

 

Thank you, your answer is much appreciated.

I and I think the rest of the Wilders would like to know ASAP if Sandboxie is vulnerable. So far no malware ever has escaped Sandboxie when used correctly as far as I know. It'd be extremely interesting to know if this piece of malware evades Sandboxie as well... at the same time, I understand why no one would want to test on their own machines. I would if I only had a sample of the new variants. But as it is now, all the malware I'm getting (thousands a day) are mostly unclassified.

 

In a restricted sandbox, I have never seen anything that is not allowed to run, actually run even when Drop rights is disabled.

Bo

 

Exactly. But these new variants of Sinowal might pass Sandboxie. No one knows at the moment. I and certainly many others here at Wilders surely want to know.

 

What makes you feel Sinowal is any more of a threat to break out of the sandbox than other trojans? It seems to be a typical dropper that puts files in selected directories, some of them userspace, some of them protected. As long as they're sandboxed, why would they break out?

BTW, running Sandboxie b4.01.03 in XP Pro. Very nice so far

 

Perhaps for the same reason it is able to break-out of SD's virtualized environment (Shadow Mode)?

Cruise

 

By the way, I asked TestZabezpieczeń as well as someone else, to test SBIE against this malware. He said, he ll check it out soon. I guess, you ll have your wish.

Look in the comments

-http://www.youtube.com/watch?v=N-Cku8V4TiQ-

Hi Cruise, there is no reason to believe that SBIE would not do as it has in the past when it gets tested. Take a look at this test, also done by TestZabezpieczeń in May of last year.

-http://www.youtube.com/watch?v=U0bTvPLkIBw-

Bo

 

Well that's just it, I'm having a hard time finding anything conclusive in the SD thread with mixed test results in a VM with different combinations of host/guest O/S', with VM's not being the best test environment, and very fast playing, hard-to-follow youtube videos. Being pressed for time when I looked, maybe I missed a definitive result?

 

Bo, I didn't intend to imply that SBIE would not contain Sinowal/TDL4, I just meant that we shouldn't assume anything until it is tested under the same conditions as the aforementioned tests (I don't see either Sinowal or TDL4 in the test you referenced above).

Cruise

 

If I understand you correctly, the SD Malware Test in question displays a very conclusive finding (readable in English) to the effect that SD v1.2.0.370 is unable to contain the Backdoor Sinowal trojan (the infection persisted after the system was restarted)!!! Furthermore, I didn't see anything to make me believe that this test was conducted in a VM.

Cruise

 

Then could you kindly explain what VMWare was used for in the video? Testing using host/guest combos is mentioned several times as well in the SD thread, which is why I brought it up in the first place.

 

Cruise, I know you didn't imply that SBIE would fail against Sinowal/TDL4. I believe SBIE would handle this malware just like it does any other file that's in the sandbox, I got no reason to believe differently.

Bo

 

Surely that is what most of us think as well. But the news of the trojan bypassing SDs' defense, albeit SDs' development was on a halt for two years, is disturbing.

It's only natural to think that if it bypasses one similar security application, it could bypass another (in this case Sandboxie). As someone already mentioned, Sandboxie is also about restrictions while in a virtualized environment, so it's potentially stronger than SD.

Be that as it may, I'd like to see some tests done!

 

Maybe about to see one now. Wouldn't be like Buster to start this thread if he wasn't pretty sure.
http://www.sandboxie.com/phpbb/viewtopic.php?t=14972

 

Oh my, a couple of weeks ago I was shocked to learn of a rootkit that can bypass Shadow Defender! ...and now Sandboxie?

Wendi

 

Anyone running v4.01.03 with IE9 (W7)? I'm finding that IE will stop responding quite often (when running under SBIE v4.01.03).

Cruise

 

Updated to beta v4.01.04

http://www.sandboxie.com/phpbb/viewtopic.php?t=14453

 

Thanks

Forced Folder issue resolved for me but new one related to Excel 2010 on Win 8 x64.

 

Great news. My issue in XP related to forced programs, according to Tzuk, its also fixed in version .04. Tonight, when I am in my XP, I ll try .04.

By the way, other than the forced programs issue that I have in XP when Drop Rights is enabled, I also have a problem launching Excel and Word sandboxed. I have a couple of ideas to try tonight, if they work for me, I ll let you know what they are for you to try.

Bo

 

Great to see you using the sandbox again.

Sandboxie missed you.

Bo