SBIE against ransomware

Discussion in 'sandboxing & virtualization' started by stvs, Jan 26, 2016.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You are right. If the ransomware is run in the sandbox you are safe. If you leave files in the sandbox folder and the ransomware runs outside SBIE, bye bye files, assuming that is all the protection you have.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, that's not correct. If ransomware runs outside the sandbox, all files are at risk. If ransomware runs inside, only files inside the specific sandbox plus the files that are directly accessible by SBIE are at risk.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    And who would give data files access in a sandbox? If they would, it's a matter of time anyway.
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    What about such a scenario...
    - you run a sandboxed app like an internet browser, picture browser or PDF reader and you want to operate on data kept on cloud disks...
    - there is some ransomware in the sandbox, so the data on the remote disks is also visible to it...
    - as we know, every reachable disk can be encrypted, no matter if it is local or online...
    - so... could we have an infection inside the cloud disk or not?
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think you guys are missing how Sandboxie works. Say a ransomware program operates in my sandbox and it can reach my data. The program encrypts it, BUT, with Sandboxie it writes out the encrypted files within the sandbox, not in the original program, hence your data is protected. Delete the sandbox contents and the encrypted files go bye bye.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I am not familiar with how cloud disks work, but Sandboxie gives you the settings to set up the sandbox in so many ways that you should be able to find the perfect setting for your use case. Look under "Resource access>File access>Direct access" in Sandbox settings.
    http://www.sandboxie.com/index.php?ResourceAccessSettings#file

    For example, if cloud disks are accessed via the browser and things work like with regular folders on the PC, then you could do something like in the picture below. In this example, I am making Firefox the only sandboxed program that has access (can read and write) to the folder BoDownloads.

    Bo

     
  7. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Hi Ichito, I'm not really familiar with the term cloud disc, but if it means online storage that dynamically updates as you change your locally held data, then most have a local client that monitors file changes (real time or on demand) and uploads new versions, rather than the browser initiating that. They also hold multiple iterations of files, so they might offer some ransomware protection by letting you revert to an older version of the damaged file.

    As far as SBIE is concerned, the client normally initiates the online storage update modules, and it will look to the real file location, not the sandboxed version. So an encrypter running inside the sandbox, encrypting what amounts to copies of the real files, wouldn't cause any issues, as the cloud storage client would ignore the changes since they aren't taking place in the location it monitors, no?

    At any rate, as bo says, SBIE has a myriad of settings to help prevent anything running in the sandbox from seeing folders you specify. So if your cloud disc client is actually triggered by the browser, and therefore runs sandboxed, it wouldn't be able to see the changes, let alone upload them.

    My comments about direct access still stand. I understand what peter2150 says when he questions who would allow that access but nevertheless SBIE allows it so worth mentioning.

    Regards
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    For protecting your cloud disks from being tampered when you login, SBIE can restrict which processes are allowed Internet access or even allowed to run!

    Sandbox > DefaultBox > Sandbox Settings > Restrictions

    But if your browser process is somehow hijacked... Then you'll probably need extra software unless SBIE supports hash whitelists.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm sorry but it seems like you're the one who is misunderstanding. Like I said, SBIE will only virtualize (and thus protect) files outside the sandbox. But files inside the sandbox (downloaded via the browser for example) are all at risk once ransomware is launched inside the sandbox.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So what? The files on your system aren't at risk. Even if it has the name on your system, the file on your system isn't encrypted. A downloaded file can always be downloaded.

    Bottom line running in the sandbox protects files on your system.

    Rather than a lot of talk, try testing it. I have, and you are safe.
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @Rasheed187 : That's why I specifically stated restrictions as a possible solution.

    @Peter2150 : Not if you're dealing with files stored on a different server (i.e. cloud).
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just tested. If I open Explorer I can see files on my other computer (server). However, if I open Explorer from my Sandboxes, and open Explorer sandboxed, then I can't see the files on the other computer (server). So ransomware running in the sandbox can't touch them.

    Admittedly it isn't a default setting, but I tested using my normal settings.
     
  15. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,391
    Peter, what setting did you use to come to that outcome? If I run explorer sandboxed, I can still access my network drives and open relevant files. They are sandboxed though.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If you like to block all sandboxed programs from having access to a drive, add the drive in Sandbox settings>Resource access>File access>Blocked access.

    If you would like to block all sandboxed programs but explorer.exe from having access to a drive: Sandbox settings>Resource access>File access>Blocked access, click Add program, add explorer.exe, click !, click Add, add the drive.

    Bo
     
  17. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,391
    Thanks Bo :thumb:
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What do you mean with so what? You seem to be completely missing the point. I often download files inside the sandbox, and I don't always immediately move them to the real system. And SBIE also has direct access to certain folders for convenience. So all of those files are at risk as soon as ransomware runs, this is something that users need to be aware of. Seriously, I don't know what's hard to understand about that.

    Or simply use some form of HIPS like anti-exploit, anti-executable or anti-ransomware.
     
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Thanks all... it was a very enlightening discussion for me :) I don't use Sandboxie, so my question might be considered too obvious, but in common discussions about anti-ransom protection I wanted to have a bit more knowledge and understanding of uncommon methods/ideas.
    :thumb:
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couple of questions. How are the files accessed, and are they accessed from within Sandboxie?
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It's hard to understand because it doesn't make sense.

    1. It doesn't matter where the files are if you run ransomware unsandboxed. They will be attacked.

    2. Even if the files are in a sandboxie folder, if the ransomware is run sandboxed they WILL be protected.

    The highlighting above is mine. True, SBIE has access to certain folders, BUT if the ransomware is run sandboxed those files are SAFE. If it is not, the argument is like saying I got infected even though my AV was turned off.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Rasheed, whenever you allow access to a file or folder, you can be specific about the program that is allowed the access. When you do that, only this program and programs that are installed outside the sandbox have the access. This is the way it works by default via Sandbox settings, when you allow something like bookmarks or the Firefox phishing database update to get out of the sandbox. And you can set it up that way when, on your own, you allow access to a folder like your downloads folder or whatever.

    Bo
     
    Last edited: Feb 1, 2016
  23. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I know most will know this, but I think I might have caused some confusion when I mentioned the risks from Direct Access. There are some if configured badly, but never fear, the talented Mr Tzur never allowed holes to be poked in his software without giving you options to mitigate any associated risks. You could use start/run to ensure only the apps you want can run, etc., but you can also use the file restrictions to help.

    If you take Direct Access as an example. Say I was trying to give my browser, Cyberfox, access to my Desktop (not saying it is a good idea just an example). I could just add to the sandbox:

    OpenFilePath=%Desktop%\

    That would allow all apps in the sandbox to write directly to the desktop so to tighten that I could write:

    OpenFilePath=cyberfox.exe,%Desktop%\

    That would mean only a program already installed on my system called cyberfox.exe can directly access my Desktop from that sandbox. I could tighten that further by adding:

    ClosedFilePath=!cyberfox.exe,%Desktop%\

    That would stop anything running in the sandbox other than Cyberfox even seeing the Desktop let alone writing to it.

    In relation to this thread the first setting is vulnerable to Ransomware, the others allow you the advantages of Direct Access without the Ransomware risks.

    Remember the closed file path can be replaced with read file path if you want apps to see a folder but not write to it (even the sandboxed version), and it works with multiple folders, Process Groups, in conjunction with start/run or other restrictions.

    Tzuk is a genius and has created the most configurable program I've ever used. Invincea are improving its compatibility all the time. That means you can have convenience and security. What else could you want?

    You can do this all through the GUI of course but I'm old school I'm afraid :D

    Cheers
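    Putting the Sandboxie.ini forms from this post and the Restrictions idea from J_L's earlier post side by side, as an added example that is not from the thread or from Sandboxie's own documentation: the constructed fragment below shows the wide-open Direct Access rule the post calls vulnerable (commented out) next to the program-restricted and read-only rules. The program name cyberfox.exe and %Desktop% are the post's own examples; D:\CloudSync and Z:\ are constructed placeholder paths.

```ini
# Constructed Sandboxie.ini fragment (added example, not from the thread).
# Each sandbox is a [Section]; a key may repeat and the entries form a list.
[DefaultBox]
Enabled=y

# WEAK: every sandboxed program, ransomware included, writes straight to the
# real Desktop. This is the "first setting" the post calls vulnerable.
# OpenFilePath=%Desktop%\

# Direct access limited to one program: only cyberfox.exe (plus programs
# running outside the sandbox) reaches the real Desktop; anything else in
# the sandbox gets a virtualized copy, which is discarded with the sandbox.
OpenFilePath=cyberfox.exe,%Desktop%\

# The "!" negation: every sandboxed program EXCEPT cyberfox.exe is denied
# the Desktop entirely, so it cannot even enumerate the files there.
ClosedFilePath=!cyberfox.exe,%Desktop%\

# Read-only variant: sandboxed programs may read the sync folder, but write
# attempts fail outright instead of being redirected into the sandbox.
# D:\CloudSync is a constructed placeholder.
ReadFilePath=D:\CloudSync\

# Hide a mapped network share from everything in the sandbox (the ini form
# of bo elam's "Blocked access" GUI setting). Z:\ is a constructed placeholder.
ClosedFilePath=Z:\

# Restrictions > Internet Access is stored as a ClosedFilePath on the special
# InternetAccessDevices entry: only cyberfox.exe may use the network, so a
# payload that slipped into the sandbox cannot reach a web-based cloud disk.
ClosedFilePath=!cyberfox.exe,InternetAccessDevices
```

Sandboxie evaluates these per sandbox, so a second section (for example a download-only box) can keep the stricter rules while DefaultBox keeps the convenience settings.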
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK thanks, will check it out.

    About 1, that's a no brainer. About 2, I believe you're incorrect about that. Ransomware will be able to encrypt these files, and they will be lost if you haven't made a back up. Can anyone confirm?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed

    I tested it before I posted. Put a txt file in your c:\Sandbox folder. Then open Explorer sandboxed. Edit the text file. Check it in the sandboxed folder, then check it in unsandboxed Explorer. Finally exit and delete the sandbox.
     