Some test ;)

Discussion in 'other anti-malware software' started by MagisDing, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Well, it also bypassed Sandboxie, because from other comments in this thread Sandboxie wasn't able to control its behavior.

    Has anyone tried EQS?

    Is there any product that can control its behavior without patches?
     
  2. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Another one who would like a PM for the download link for this test.
    MTIA
     
  3. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    aigle, I tried this test against OA beta 11.

    This executable is whitelisted by OASIS: http://www.tallemu.com/oasis2/file_hash/F7C1165CF580DC47D7D449C10879D5B1 so I deactivated the OA whitelist and the OASIS real-time check.

    First test: OA silently blocked the child process (notepad) launch.

    The next three tests were failed by OA.

    Will check this with Tall Emu staff (I had logged PCSecurityTest.exe activity with Procmon).

    Regards,

    MaB
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks MaB69. Please keep us updated.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Which test do you want?

    The links are there already.
     
  6. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi again,

    Something really strange: I tried this test sandboxed in Sandboxie 3.36.01, but this time OA intercepted much more behaviour. This sandbox is set to defaults.

    Test 1:

    Program Guard,25/04/2009 15:07:01,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\psapi.dll(4)
    Program Guard,25/04/2009 15:07:48,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\appHelp.dll(4)
    Program Guard,25/04/2009 15:07:51,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\CLBCATQ.DLL(4)
    Program Guard,25/04/2009 15:07:53,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\COMRes.dll(4)
    Program Guard,25/04/2009 15:07:54,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\iertutil.dll(4)
    Program Guard,25/04/2009 15:07:55,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\urlmon.dll(4)
    Program Guard,25/04/2009 15:07:56,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\wtsapi32.dll(4)
    Program Guard,25/04/2009 15:07:57,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\WINSTA.dll(4)
    Program Guard,25/04/2009 15:07:57,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\SETUPAPI.dll(4)
    Program Guard,25/04/2009 15:07:58,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to start C:\WINDOWS\system32\notepad.exe

    Test 2:

    Still no notification.

    Test 3:

    Program Guard,25/04/2009 15:09:40,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\WINTRUST.dll(4)
    Program Guard,25/04/2009 15:09:41,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\CRYPT32.dll(4)
    Program Guard,25/04/2009 15:09:42,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\MSASN1.dll(4)
    Program Guard,25/04/2009 15:09:43,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\IMAGEHLP.dll(4)
    Program Guard,25/04/2009 15:09:44,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\MSACM32.dll(4)
    Program Guard,25/04/2009 15:09:44,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\midimap.dll(4)
    Program Guard,25/04/2009 15:09:45,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\mcicda.dll(4)

    Test 4:

    No notification

    Regards,

    MaB
     
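As an added example (not code from the post, from Online Armor or from Tall Emu), here is a small Python parser for Program Guard log lines of the shape quoted above. It summarizes what the HIPS saw in a run, separates child-process launches from the run of "write memory in \KnownDlls\..." entries, and diffs two runs of the same test, which is the inconsistency between the unsandboxed and sandboxed results that the thread is circling around. The four sandboxed lines are copied from Test 1 above; the single "unsandboxed" line is constructed to stand in for the silently blocked notepad launch reported in post 3, and its "Blocked" verdict word, timestamp and PID are assumptions. Treating the "\KnownDlls\" write-memory entries as module-loading noise rather than cross-process writes is also an assumption made for the example.

```python
"""Parse Online Armor "Program Guard" log lines and compare two test runs."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Shape seen in the post:
#   component,dd/mm/yyyy hh:mm:ss,verdict,<proc>(<pid>) wants to <action> <target>[(<owner pid>)]
LOG_RE = re.compile(
    r"^(?P<component>[^,]+),"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}),"
    r"(?P<verdict>Allowed|Blocked),"
    r"(?P<proc>.+?)\((?P<pid>\d+)\) wants to "
    r"(?P<action>write memory in|start) "
    r"(?P<target>.+?)(?:\((?P<target_pid>\d+)\))?$"
)

# Four lines copied from the Sandboxie run (Test 1) in the post above.
SANDBOXED_TEST1 = r"""
Program Guard,25/04/2009 15:07:01,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\psapi.dll(4)
Program Guard,25/04/2009 15:07:48,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\appHelp.dll(4)
Program Guard,25/04/2009 15:07:56,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to write memory in \KnownDlls\wtsapi32.dll(4)
Program Guard,25/04/2009 15:07:58,Allowed,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(1236) wants to start C:\WINDOWS\system32\notepad.exe
"""

# Constructed line, not from the post: stands in for the unsandboxed run in which OA
# "silently blocked" the notepad launch. Verdict word, timestamp and PID are assumptions.
UNSANDBOXED_TEST1 = r"""
Program Guard,25/04/2009 14:50:12,Blocked,C:\Program Files\AxBx\PC Security Test 2007\PCSecurityTest.exe(980) wants to start C:\WINDOWS\system32\notepad.exe
"""


@dataclass(frozen=True)
class Event:
    ts: str
    verdict: str
    proc: str
    pid: int
    action: str
    target: str
    target_pid: Optional[int]


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one log line, or None if the line is not in the Program Guard shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=m["ts"], verdict=m["verdict"], proc=m["proc"], pid=int(m["pid"]),
        action=m["action"], target=m["target"],
        target_pid=int(m["target_pid"]) if m["target_pid"] else None,
    )


def parse_log(text: str) -> list[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def is_known_dll_map(e: Event) -> bool:
    # Assumption: "write memory in \KnownDlls\<x>.dll" is OA reporting the section map of a
    # known DLL during normal module loading, not a write into another process.
    return e.action == "write memory in" and e.target.lower().startswith("\\knowndlls\\")


def interesting(events: list[Event]) -> list[Event]:
    """Child-process launches and any memory write that is not a KnownDlls mapping."""
    return [e for e in events if not is_known_dll_map(e)]


def summarize(events: list[Event]) -> dict[str, int]:
    """Counts keyed like 'dll_map_allowed', 'start_blocked', 'write_allowed'."""
    counts: Counter[str] = Counter()
    for e in events:
        kind = "dll_map" if is_known_dll_map(e) else e.action.split()[0]
        counts[f"{kind}_{e.verdict.lower()}"] += 1
    return dict(counts)


def diff_runs(a: list[Event], b: list[Event]) -> set[tuple[str, str]]:
    """(action, target) pairs present in both runs whose verdict differs."""
    va = {(e.action, e.target): e.verdict for e in a}
    vb = {(e.action, e.target): e.verdict for e in b}
    return {k for k in va.keys() & vb.keys() if va[k] != vb[k]}


if __name__ == "__main__":
    runs = {"unsandboxed": parse_log(UNSANDBOXED_TEST1), "sandboxed": parse_log(SANDBOXED_TEST1)}
    for name, events in runs.items():
        print(name, summarize(events))
        for e in interesting(events):
            print(f"  {e.verdict}: {e.action} {e.target}")
    print("verdict differs for:", diff_runs(runs["unsandboxed"], runs["sandboxed"]))
```

Run as-is it prints the per-run counts, lists the notepad launch as the only non-noise event, and reports that the verdict for that launch differs between the two runs. To use it on a real export, paste the full log text into `parse_log` instead of the embedded samples; lines from other OA components that do not match the Program Guard shape are skipped rather than raising.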
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think the problem is that OA had the potential to catch it, but in different cases the outcome was different, so the results were not consistent. The patch's goal was to make the outcome consistent. This is just what I think about it, trying to bring all the facts we have together :)
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Things can change when you launch something inside SBIE.
     
  9. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    The sandbox preventing monitoring would be more logical, but I'm surely wrong.

    Good night all

    Regards,

    MaB
     
  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Even though this malware test was unable to make any permanent changes, i.e. change/modify/add files etc., I still think it is important for Sandboxie to be able to control its behavior and prevent it from communicating outside of the sandbox. The reason being that not only is it an annoyance, but what if the malware terminated and shut down all your security apps, including Sandboxie, which is very possible seeing how Sandboxie can't control its behavior and prevent it from communicating outside of the sandbox? Then, after all your security apps have been shut down, the malware would actually be able to start writing and creating new files on the hard disk and even download more malware.
     
  11. TheEndX

    TheEndX Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    7
    arran, I believe your definition of failing to control behavior is a little different than what is actually occurring with Sandboxie. Executables htaaa.exe, htaab.exe, htaac.exe (sandboxed) are all unable to end the process of any program outside of the sandbox including explorer.exe. However, Sandboxie's failure to control some behavior was shown in htaac.exe's ability to "disable" the taskbar while running despite being sandboxed. Note that while the taskbar has disappeared, explorer.exe is still running.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Not to forget that common sense does 80% of the job if you have it, but... this is something you cannot buy :)
     
  13. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    That is some stretch. Based on this obscure test, now a program running within the sandbox can terminate Sandboxie itself? Use Run/Access, which is provided right within the program, before saying that the program cannot stop it.
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Even though this test here cannot terminate or shut down Sandboxie, it is not a big stretch for other malware to do it. It is very possible. Here is the evidence.

    Have you guys here tried the Reg Test?

    Get it from here and have a go:
    http://www.ghostsecurity.com/registrytest/
    and you will see that if you run it inside Sandboxie your PC gets shut down.

    Even though malware can terminate other apps from inside Sandboxie, it doesn't even need to do all of that to infect your system; all it needs to do is disable your firewall and make an outgoing connection to download and install other malware.
     
  15. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    You are acting as if Explorer.exe is the same as Firewall.exe or AnythingElse.exe... Just because some program puts out a logoff or shutdown command, it doesn't mean it can terminate other running processes. And you are also assuming just the basic default settings in Sandboxie. That is like saying... "Hmmm, I got wet in the shower this morning, so I should carry an umbrella today" - even though it is a perfectly sunny day.
     
  16. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Can some one please pm me this test?
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    If you care to read the thread, the links are there.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't know about that... I can think of 3 at the moment that would easily block this from a web site.

    I put htaab.exe on my web site and used an old IE drive-by exploit to trigger the download. It doesn't even get onto the computer, much less execute:

    [attachment: sometest-htaaa.gif]

    [attachment: sometest-cache.gif]

    These things are no threats unless the user stupidly installs something that is not from a reliable source. Then, all bets are off.

    ----
    rich
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That's for sure! Lots of business these days...

    I'm going write a post about that soon... but another thread so as not to get off topic here.

    ----
    rich
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    After finally getting hold of this test, thanks to a nice person who PMed me,

    I have tested:

    Comodo
    Sandboxie
    Process Guard
    EQS
    Defense Wall
    Malware Defender.

    Overall, Defense Wall performed the best at controlling the behavior of these
    executables. It only failed with Stop2, but so did all the others; no product I tested can control Stop2. To be honest, I am impressed with Defense Wall's performance here.


    Comodo would have to be the worst performer: when I clicked the stop tests,
    everything froze instantly before Comodo even had a chance to throw up a pop-up asking permission for stop to be executed or not in the first place. Comodo is just too slow at intercepting, so Comodo is history as far as I'm concerned.

    Sandboxie failed all; everything bypassed Sandboxie.

    Process Guard and EQS failed the Stop2 and htaac tests and maybe one or two others; I can't remember which.

    Malware Defender only failed on the htaac and stop2 tests. However, with htaac, even though explorer.exe gets terminated, it fails to terminate Malware Defender, and Malware Defender is still running. With the Malware Defender screen still open you can terminate htaac and restart explorer.exe without having to restart your PC.

    Malware Defender does have good self-defense; in terms of performance I rate it as 2nd best after Defense Wall.
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    The reason why I class Comodo as the worst performer is because not only can it not control the behavior of the executables, but also MOSTLY BECAUSE

    Comodo fails to intercept stop.exe and stop2.exe from executing and running in the first place, before things lock up.

    Edit.

    What should happen when you click on stop.exe and stop2.exe is that Comodo should throw up a pop-up asking whether to let stop run or not, but instead that doesn't happen.
     
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes, I am saying Comodo isn't doing its job properly, because all HIPS at least should be able to prevent things from executing and running in the first place, whereas in this case Comodo is just too slow at intercepting and preventing stop.exe from running when you click on it.

    Regarding Sandboxie: because this test is mainly about controlling the behavior of the executables, I ran them all with default Sandboxie settings.

    If I ran them with hardened settings, with Start/Run options etc., then they probably wouldn't have been able to execute; I didn't test this. But correct me if I am wrong: if they can still run with hardened Start/Run options, then Sandboxie would be an even worse performer.
     
  23. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    So if a program pops up a warning and asks you if so-and-so can run, allowing you to choose "no", then that is a pass, correct? But if Sandboxie provides a Run/Access whitelist setting that you can preconfigure... and you choose not to preconfigure it... it is a fail? None of these executed at all in my sandbox. And tomorrow, when 4 new malwares hit the scene and all of these products scramble to produce fixes, and you scramble in your testing, my sandbox will stop those as well.
     
  24. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes, that is correct, and most HIPS do this. With regards to Comodo not showing a pop-up, I found that out by accident; I was expecting Comodo to show a pop-up when I clicked on the Stop tests, but it never happened. I was actually a bit surprised by Comodo not showing any.


    Sandboxie passes the test by being able to prevent them from being executed if Start/Run access is preconfigured. However, the test in this thread
    is about controlling their behavior once executed.

    No, I won't be scrambling in my testing, because I also have measures in place to prevent unknown things from executing in the first place.

    While I agree that it is good to prevent things from executing and running in the first place, I also believe that it is better to have a second security layer in place, which is being able to control the behavior of running executables.
     
  25. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Does anyone harden a default Windows install?

    It would be extremely easy for the author of Sandboxie to release a default Sandboxie preconfigured so that only IE, Opera and FF can run/connect out, but can you imagine the complaints along the lines of "I can't get this or that app to run sandboxed"?
    http://www.sandboxie.com/index.php?RestrictionsSettings
     