Sandboxing

I sort of understand the theory behind sandboxing and it appears to be a very useful tool. I have looked at Sanboxie and GESWall (not sure that this is a sandbox?) Could anyone explain to me the benefits and differences between the two products please.

Best wishes.

 

Davidpr,

Sandbox technology basically redirects file, registry calls and/or memory access to a safe location on disk or memory. Typically they utilize kernel mode API hooks to redirect IO to a safe location.

Sandbox technology and VM technology both have one significant flaw. Malicious code can detect their presence and behave until they are no longer running in or near them.

A very simple example to check for Sandboxie:

A malicious program can detect Sandboxie by using "OpenService" and then "QueryServiceStatusEx" for the service name of "SbieDrv" which is the driver name for SandBoxie. If the service is running then the malicious program does nothing bad and you assume the program is safe until you run it on another PC. There are a number of better ways of doing the same task but I hope this makes sense.

I will look as GESWall tonight and discover how they compare and get back to you with my findings.

~interact

 

Thank you for this. So if a nasty does nothing bad once you close the sandbox then the malware gets wiped fromthe PC?

 

Yes.

 

Davidpr - Any malicious activity would be contained in the sandbox so when it's closed down any changes the malware did would not be stored directly on your live O/S. The problem occurs when the malware detects the sandbox, behaves itself and you then assume it's safe to use on your "live" environment.

~interact

 

My understanding is that a sandbox isolates the malware.
1. So the installation of the malware is not a problem anymore, because it will be removed by the sandbox.
2. The EXECUTION of the malware might be a problem.
2a. If its evil job only affects your harddisk, than it won't hurt anything.
2b. If its evil job is to steal your data and it is able to do this even when isolated, than you have a problem.

DefenseWall treats your browser as an untrusted application and its my understanding that your browser and all applications opened via your brower (like Adobe Reader) will be very limited in their execution or no execution at all.

If I'm wrong correct me. I'm also trying to understand how these softwares work in practice.

 

I guess there are many ways to deal with this problem. I believe I know how you deal with it Eric . I don't have the ability at this moment to create any image except to my 1 and only hard drive. My burner just won't burn for me either. I think I can get within 99% of not letting data get stolen though.

1. Start a clean browser/sandbox session. You may have to empty the sandbox manually. That is the way I have Sandboxie set at the moment. In other words don't visit questionable sites then decide you need to do your online banking.

2. Make sure your computer is clean to begin with. There are many methods to achieve this, or get close.

3. Run real-time security applications while running sandboxed/virtualized. This is good advice period unless of course you collect malware. Sandboxie is good for collecting malware as you and pluck files from the sandbox as needed.

I am very new to Sandboxie and I already feel exposed when not using it. The same feeling that I had when running my browser as a limited user with dropmyrights. Now I'm using both and feel 99% confident as to my safety. The other 1% or less, lets just say ignorance is bliss.

The only downsides I see to Sandboxie is it using 4 processes not including Firefox. I'm not hurting for Ram so the trade off is the warm and fuzzy feeling of safety. I guess that there is also the possibility for something bad to "leak" out of the sandbox into your system. Again, what are the chances of that happening? Sandboxie is just another layer of security for me.

 

In fact, the main idea of any sandbox HIPS is isolation of the threat-gate applications and malware came thought it from the sensitive areas of your system. This could be based on policy restrictions or virtualization. SBIE is mostly rely on virtualization, DefenseWall - on policies, GeSWall- somewhere in the middle.

 

Yes, but which one stops the execution of malware. I know Anti-Executable does, but still not sure about DefenseWall, Sandboxie and GesWall.

 

I don't see how this is a flaw at all. The sandbox has succeeded in preventing any malicious payload from delivering in this case, and achieved its purpose perfectly.

 

That's interesting, I was not aware of this, good to know.

 

The flaw would be that people may use the sandbox to test unknown programs, by running windows installer inside the box and installing the program to see if it is malicious, say for example some novelty game that has a downloader tucked away in it to download lots of nasties to your machine, if it detects the sandboxie as interact says, then it simply does what it looks like it should do, behaves as a game. You then satisfied that nothing bad happened install it on your real machine, and now detecting it is free of the sandbox the downloader springs into action.

 

What? How so? Are you saying, even if the disk is totally zeroed, since you have archives/snapshots/images stored someplace other the the hard drive that got toasted, you are go to go?

Mike

 

While it's an interesting conjecture, the SbieDrv service is active whether or not a program is running inside the sandbox; and querying the service status doesn't sound like a very smart way for a program to detect if it's running inside or outside the sandbox.

Does interact have any other ideas how a program may verify whether it's running in a virtualized or live environment?

 

No, that's not what I mean.
My assumption is that when a malware executes itself in a sandbox and this malware only changes something on my harddisk, those changes will be removed, when the sandbox is closed. Otherwise I don't see the purpose of a sandbox.
If the sandbox doesn't do that for some reason, my boot-to-restore will clean it up.

I'm not worried about changes on my harddisk, I'm worried about the execution of a malware, which is the worst part of malware. A malware on your harddisk without execution is harmless.

I only need security softwares that stop the execution of any infection between two reboots, after reboot everything is gone, because I replace my system partition with a clean one.

 

I am sure mine and your boot-to-restore will clean normal files/folders.

I am worried about changes on my harddisk... I mean the secret hidden data changes. I am sure mine and your boot-to-restore will not remove those... only zeroing a disk will.

Mike

 

Erik,

I was wondering if you'd explain your definition of execution to me, because on reflection it doesn't seem to be the same concept for you as it is for me. It seems somewhat strange for me to be obsessed over whether a malware executes or not, yet be so flippant about what payloads it delivers.

 

If an infection destroys your harddisk, that's called execution.
If an infection steals your data, that's called execution.
If an infection hijacks your browser, that's called execution.
If an infection disables your AntiVirus, that's called execution.
An infection that is waiting for a trigger to execute itself, is not called execution, until it's triggered.
I guess you know now what I consider as execution.

Installation and execution are two different things.
When a malware installs itself doesn't necessarily mean it has done its evil job. Some malware executes themselves immediately after the installation, but not all of them.

 

solcroft - I have posted a URL in another thread in regards detecting execution in Virtual Machines.

Detecting the driver for Sandboxie is quick and easy I agree In the real world users don't run applications within a sandbox 24/7 they use them to check if a program is OK.

The definition in Wikipedia is this : In computer security, a sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third-parties, suppliers and untrusted users.

My technique is simply exploiting their defined use so when a company uses a Sandbox to test programs before rolling them out onto a corporate network. My malware behaves while being tested in the Sandbox then causes havoc when executed on users PCs. It might be a crude method but in the above example it would have been effective.

A more complex method is to Detect the API hooks (I have posted this URL to a presentation in regards removing kernel mode API hooks in another thread) but here it is again:

http://www.packetstormsecurity.org/hitb04/hitb04-chew-keong-tan.pdf

~interact

 

interact,

I'm already familiar with those PDFs, thank you very much anyway.

It'd be a stretch to imagine that companies would use SandboxIE, of all things, to test for malicious software though. SandboxIE is a poor testing ground to watch for malware activity, simply because so many API calls within the sandbox are restricted or blocked altogether. It was designed to contain malware, not provide them with an (entirely) unrestricted space to carry out their activities. If a file appears safe in SandboxIE, only someone who doesn't know how the sandbox works would declare it clean, much less roll it out across a "corporate network".

 

I don't think many users are interested in these secret hidden data on their harddisk. Your thread :
https://www.wilderssecurity.com/showthread.php?t=175658
didn't get much attention.

 

solcroft,

I think the problem is that users can be convinced that VM and Sandbox technology are 100% safe. I hope our feedback has given some balanced feedback into this thread.

~interact

 

Interact, yes very interesting. Sandboxing seems to be a very useful additional layer of protection when using the internet. I am still not sure of the differences between Sandboxie and GESWall so I will try both.

 

As far as I understood Sandboxie isolates all good and bad objects of a sandboxed application, but doesn't see the difference between good and bad objects and the user has to decide which objects he wants to keep. If the user isn't knowledgeable enough he might keep the bad objects also.
If that is true then Sandboxie isn't a security software, but a recovery software.
The same counts for PowerShadow.

 

The question that stands out most in my mind to what Ilya pointed out in differences of techniques, is which is most vulnerable. Windows Policies are a good method, CoreForce used them in it's AIO program, but if the legit workers can manipulate policies for good, the bad ones can also force onto those same policies and make trouble, right? Again, how vulnerable is using Windows Policies compared to using Virtualizations like Sandboxie etc.

It's already a given that any program but moreover yet, windows core systems structure, are subject to some weakness. But is it to a greater degree than a virtualization/sandbox scenario?

Great Discussion Guys, i'm still learning too. LoL