SBIE against ransomware

Discussion in 'sandboxing & virtualization' started by stvs, Jan 26, 2016.

  1. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    I asked this question at the Sandboxie forum.

    Re: MBARW(compatibility)
by w0lfrun » Mon Feb 01, 2016 7:23 pm

@Curt and Craig. Do we actually need an "anti-ransomware" program to be running within Sandboxie to be protected from ransomware? Will Sandboxie on its own be enough for protection against ransomware? And if so, what settings are best recommended in Sandboxie to prevent such? There is much discussion over at Wilders about this and I think we best hear from the tech experts themselves here to put this discussion to rest.

The answer was given here: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=22423&start=15

    Pretty much the same as what Peter is stating.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    They can be accessed multiple ways, whether it's integrated with Windows explorer, FTP, or even a website. Malware can infect it all, as long as they have your password or simply access to the cloud folder.

    Unless you set the proper restrictions or access rights, SBIE wouldn't make much of a difference unless they're the type to shut down when virtualized to escape detection.
     
    Last edited: Feb 2, 2016
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
But again, if the ransomware is running in Sandboxie, it may be able to access your data, but the encrypted files will remain in the sandbox. This is the key thing.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Have you forgotten the main point, which is online server or cloud? I don't see how it can be any less clear.

    You get infected within the sandbox. They steal your password or access your Dropbox folder. Then they infect your online files.

    Without restrictions or access blocking, those files are in danger. Simple as that.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
You guys should put up a video demonstrating your point... and your SBIE settings for that matter, of course.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't get it, what is supposed to happen? I did do another much simpler test, I deleted and renamed files inside the c:\Sandbox via the browser. As expected, the files were modified. Then I did the same with files outside c:\Sandbox. And as expected, the real files were not modified, they were only modified in the specific sandbox. So I hope it's now clear that ransomware will be able to touch files inside c:\Sandbox, and they will be lost.

    What about child processes of the browser? Will they also be denied access to the desktop?
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
Yes, you'll get an "access denied to the Desktop" type of message. Look at the picture.

Sin título.jpg

Bottom line about that, Rasheed. Over time, you should not keep sensitive files inside the sandbox. Doing that is a bad idea. Not only might you lose them, but they can be accessed by anything running in the sandbox. If you download something that's important, save it, and forget about it.

    I don't use direct access to any download folder and usually I delete all my sandboxes when I finish using them. It is rare for me to keep contents in a sandbox over night. I avoid doing that. I usually download files and then in the next few minutes or maybe an hour, before deleting the sandbox, I manually recover whatever I am going to recover.

    Bo
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Okay, I've had enough of this stuff. With an ounce of common sense Sandboxie will protect me from ransomware. Yes, I am sure you can find some scenario where it might not. So be it.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
OK cool, because normally ransomware will run as a child process of the browser, after it has been exploited.

Yes, but that's what I'm trying to explain to Peter2150, he seems to think that files inside the sandbox are safe from modification, while they are not. Once a week I do move all files to the real system. But it's highly unlikely that malware will be able to run inside the sandbox because of my combo of SBIE + anti-exploit. I also don't run any untrusted apps manually inside my dedicated browser sandbox.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It's a quite common scenario, I'm sure that a lot of people download files into the sandbox (via the browser) without instantly moving them to the real system. So that's why people need to be aware of this.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well if they do this they are being foolish. SBIE is there to protect the system, so nothing should be left in the sandbox after the browsing session. It's kind of like locking your house when you leave.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
I agree, Pete. Sandboxie gives us the settings to make the sandbox as tight or loose as we want it. It's up to us what we do with them. To me personally, whatever happens inside the sandbox doesn't mean anything. My only concern is with files that I recover, especially the ones that I am going to run unsandboxed (if any, 'cause this is very rare for me).

    Bo
     
  13. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
I use a RAM disk for my SBIE container, so Direct Access is good for me, but I cut down the potential for escapes by using start/run restrictions and limiting the direct access to either a single app or a process group of trusted apps (using OpenFilePath=trustedapp, type settings) and cutting off access to others through the ClosedFilePath=!trustedapp, type settings.

Any folders I allow direct access to are forced to run sandboxed. The settings for those are very tight: limited start/run, no internet access, no access to the data partition, no quick or instant recovery, etc. That way you can get a look at them before they go onto the real system, comfortable that they are completely contained in the meantime.

This thread has been more interesting than I thought it would be, but it only proves to me how flexible SBIE is, with multiple ways to cut off ransomware before it does damage. Default settings are fine for the bog-standard "drop a file in AppData or wherever and execute" approach some ransomware uses, but you can still use additional settings to cover any variances you need for your own personal convenience or requirements, or to cover off more sophisticated attack approaches.

    Win/win really.

    Cheers.
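As an added illustration of the pattern described in the post above (this is not Elwe Singollo's own configuration, nor an official Sandboxie example), here is how a loose "direct access" sandbox and a tightened one could look side by side in Sandboxie.ini. The OpenFilePath and ClosedFilePath forms, and the "!" prefix meaning "all programs except", come from the post; the ProcessGroup, ForceFolder, AutoDelete and InternetAccessDevices keys, the sandbox and group names, the program name and every path are assumptions made for the example and should be checked against the Sandboxie documentation for the version in use.

```ini
; Added example, not from the thread. Sandbox names, the <Trusted> group,
; firefox.exe and all paths are made-up placeholders.

[DefaultBox]
; Weak form: every program in the box can write straight to the real
; Downloads folder, so ransomware running here could encrypt its contents.
OpenFilePath=C:\Users\Example\Downloads

[Restricted]
; Name the trusted programs once and refer to them as <Trusted> below.
ProcessGroup=<Trusted>,firefox.exe
; Direct access to Downloads only for the trusted group ...
OpenFilePath=<Trusted>,C:\Users\Example\Downloads
; ... and explicitly closed for everything else in the box
; ("!" = all programs except the named one or group).
ClosedFilePath=!<Trusted>,C:\Users\Example\Downloads
; Anything launched from the directly-accessible folder is forced to run
; sandboxed, so a downloaded file never starts on the real system by accident.
ForceFolder=C:\Users\Example\Downloads
; Keep sandboxed programs away from the data partition and the network.
ClosedFilePath=D:\
ClosedFilePath=InternetAccessDevices
; Empty the sandbox when the last program in it closes.
AutoDelete=y
```

The point of the pair is the direction of the default: in the first box the folder is open to everything, so the sandbox adds nothing for that folder; in the second the folder is closed by default and opened only to a named group, which is what limits the damage a sandboxed ransomware process can do to real files.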
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
In my personal opinion, ransomware has no chance on my computers. It's not even fair to the ransomware. If I go to a site and the site downloads that kind of malware, it won't run, I won't even know that I had a close encounter. If I recover an attachment infected with ransomware, it would work the same. If the attachment is an Office file, the file is gonna run in a sandbox where only Office exes are allowed to run. Like you, Elwe, they'll run in a sandbox with no internet access in which sandboxed programs don't have access to personal files and folders. With other programs like video players or PDF readers, I do the same, I use a dedicated sandbox and tailor it according to the program or the purpose for creating the sandbox.

    Bo
     
    Last edited: Feb 2, 2016
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Totally with you guys. But to go back to JL and Rasheed's points. And this is just me expressing my approach. Most of the local people that I know who use Sandboxie use it because I recommend it to them. I also help them set it up and show them how to use it. I teach them how Sandboxie empties the sandbox on exit and how to know where to put their files. Then it's up to them. They can choose to do what they want, but if they get into trouble the problem is theirs. I just can't waste my time speculating on how doing this or that might be a risk. I just know and teach folks what to do to make it work.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
About friends and family who are using Sandboxie. None, and I mean none, of my friends are using a restricted sandbox. All of them use a default settings sandbox in which the only changes I made for them are the ones related to saving files out of the sandbox, saving bookmarks and setting the sandbox to delete on closing automatically. All are using MSE or Windows Defender and none get infected anymore. Note: I believe none of them know that there is a section in the GUI that is called Sandbox Settings :D. ....that's the power of the default settings sandbox.

    The default settings sandbox is a beauty, sometimes misunderstood and seen as being weak by some here, like our good friend J L, but the reality is that it is well balanced (security and convenience) and was created by Tzuk with first time users in mind.

    Bo
     
  17. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
I have a setup pretty much the same as Bo. I don't use direct access at all. My download folder is a forced folder and I use quick recovery to it. I will try to run the download while in the forced folder with Sandboxie Explorer and scan with MBAM and Hitman Pro. If clean, it will go on to the real system. I also use quick recovery for ublock.sqlite to the extension-data folder and not direct access. If no changes, just delete the sandbox. If an update, quick recover then click move and replace. Anyway, after 5 years of using Sandboxie and no problems, that's good enough for me. Ransomware be damned.
     
    Last edited: Feb 2, 2016
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't actually find it weak, just imperfect and not the holy grail as some would describe it. Anything can be hardened IMO.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's nonsense, there is nothing wrong with storing files inside the sandbox, as long as you're confident that malware won't be able to run in the virtual container. That's why I always advise to combine SBIE with some form of HIPS.

    And besides, it's not about you or me, it's about answering the question. So yes, SBIE does protect against ransomware, but keep in mind that files inside the sandbox and folders with direct/full access are still at risk. So either harden SBIE settings, or combine it with HIPS.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The whole problem with your argument is what I outlined above. Leave the files in the sandbox and if you are wrong, so sad. Move them out and they are safe period.

I'll say it again and I think Bo agrees with me. DON'T LEAVE FILES in THE SANDBOX. You can choose to disagree and do so, but if you lose something.....
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Well, I can't argue with that, of course it's smart to move files to the real system, but I'm just saying that if people choose not to do so, it's not automatically foolish. Because as long as you know what you're doing there is hardly any risk. But that isn't even what this misunderstanding was about.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I agree about sensitive files. We shouldn't leave them inside a sandbox and then use the sandbox for regular browsing. When we do sensitive browsing or download something personal/business that's important, we should do it in a fresh browsing session, and delete the sandbox when we finish, before going back to regular browsing.

    Bo
     
  23. @bo_elam @Rasheed187

    I thought you once posted that you had different sandboxes for everything and kept a sandbox for your mail in which you kept your mail.

So the idea of Rasheed is not as awkward as you (Peter and Bo) suggest (keeping mails for ever in a separate sandbox).

To be honest, at the time of DefenseWall and GeSWall I always kept my mail as untrusted, so I never changed them from untrusted to trusted.

    Regards Kees
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I also use separate sandboxes for the different things I might sandbox, but I still don't see any need to keep things in the sandbox. I feel safer with the concept that when I exit the program, everything in the sandbox starts fresh.
     
  25. @Peter2150

On second thought, GeSWall and DefenseWall are policy-based sandboxes. With policy sandboxes this may be different because they are seamlessly integrated in the real system. You use AppGuard as a policy sandbox (running vulnerable/threat-gate programs in a LUA box with a default deny execute in user space), backed up with an anti-executable, so with two layers behind Sandboxie there is little need for keeping anything in SBIE's sandbox.
     