What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Overkill

    Overkill Registered Member

    Okay that's right, thanks man
     
  2. Minimalist

    Minimalist Registered Member

    You're welcome.
     
  3. chris1341

    chris1341 Guest

    Forgive me if I've picked this up wrongly but how would this work against cryptolocker in a Shadow Mode scenario? Excluding a folder means its fair game and the whole Forced Folder thing just wouldn't work I don't think.

    In my view Crypto is likely to be delivered by an exploit leading to a drive by attack or social engineering.

    If we take the drive by scenario (assuming the browser is NOT sandboxed) the malware is launched outside of the forced folder so will encrypt its contents with no difficulty. If the browser IS sandboxed (and you haven't given direct access to the forced folder) you don't need the forced folder as the malware is contained anyway.

    In the social engineering scenario, even if you install in Shadow Mode, again, the malware is not launched from the forced folder so will not be sandboxed and will happily encrypt the contents of your forced folder that you've excluded from SD protection.

    Forced Folder only sandboxes anything launched from it. You can encrypt with legitimate software without any effects of sandboxing because nothing is launched from the folder. The encryptor is not opening the file so sandboxing is not invoked. Same goes for crypto style malware. Remember as well that some things, like image files, are never sandboxed regardless of the forced programme/folder status because of the integral link with the OS.

    If you're talking about downloading the malware executable into the work folder then I guess I'm not sure why you'd ever do that cause you won't be able to launch it. If you don't intend to launch it then, again, you don't need the forced folder.

    I think for crypto stuff the answer is stop it executing (AppGuard) or contain it (Sandboxie) and most of all have a good back-up strategy!

    Cheers
     
  4. Minimalist

    Minimalist Registered Member

    Chris, I was thinking the same thing and your explanation is excellent. :thumb:
    Forced folders option is usable only if you want to test run some files from pre-defined directory and don't want to right click on files and use run sandboxed option. It will save you two clicks for each execution.
     
  5. guest

    guest Guest

    Should I have to mention the user, Jmonge in our case, is not a total noob, so he has some common sense. OK, that is the scenario I had in mind following Jmonge's context:

    He is browsing in shadow mode, downloads a crypto wrapped into a safe exe and puts it in his excluded working folder (located on the D drive), believing it is a safe file he wants to keep.

    He reboots, so exiting shadow mode; all his shadowed session is reset except the said file. Now he is in normal mode and decides to run the exe. Since the folder is forced, the crypto is isolated.

    Please don't reply to a post without knowing the full context.

    Thanks

    Edit: in this scenario the folder is just forced, no special restrictions or other advanced tweaks, unlike what most of us do.
     
    Last edited by a moderator: May 22, 2014
  6. jmonge

    jmonge Registered Member

    when it comes to sandboxie I am a NOOBie :)
     
  7. guest

    guest Guest

    Posted too fast, now it is done ^^

    Not to mention he surely runs some AVs and didn't turn off UAC.
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    XP Home SP3

    *** Trick Sebijk (TH) ***
    https://www.wilderssecurity.com/thre...of-doom-struck-yet.362718/page-3#post-2373801

    Windows Firewall
    DropMyRights
    Yandex DNS
    System Recovery Off
    24 Services Modified (Black Viper)
    EMET 4.1 Update 1
    SBIE
    MBAE

    No Silverlight installed
    Only NET 4 installed
    No JAVA Installed

    FIREFOX (ABP,Ghostery,WOT,Noscript,HTTPS EveryWhere,Toggle Referer)

    Comodo Dragon Portable (HTTP Switchboard)

    On Demand

    Hitman Pro
    HiJackthis portable
     
  9. guest

    guest Guest

    with Sbie we all start as noobs and finish as Bo Elam ;)
     
  10. Minimalist

    Minimalist Registered Member

    In your scenario wouldn't it be easier to right-click and run sandboxed if the user is not sure if the file is legit? And if the file is truly legit the user would have to move it somewhere else to run/install it. Otherwise it would automatically be installed in the sandbox. Just my thoughts...
     
  11. chris1341

    chris1341 Guest

    If you can point me to a post linked to that conversation that gives that context I'll happily retract.

    At any rate this is a public forum not a chat room for those in the know. Visitors and other less savvy members than you and jmonge see posts. If I see something I think gives the wrong impression I'm entitled to point that out within the rules of the forum.

    I'll take the views of the mods on that, thanks.

    Cheers
     
  12. kjdemuth

    kjdemuth Registered Member

    This is why I have a separate sandboxed folder and restrictions on the sandboxed browsers. If something were to get downloaded it goes into a separate folder that is forced. All downloads go into that folder. Likewise if I'm using a web browser I have very limited items that are allowed to run per restrictions for internet access and running.
     
  13. jmonge

    jmonge Registered Member

    very true my friend :)
     
  14. bo elam

    bo elam Registered Member

    Maybe not easier but it is safer (if you don't feel pretty certain that a file is legit) to right click the file and choose to run it sandboxed. To make it easier, if I download a file that I don't feel certain about what it is, I run Windows explorer sandboxed, navigate to the file and no matter what kind of file it is or what it looks like it is (but is not), when I click on the file, it will run sandboxed.

    I do that exactly for the reasons Chris points out here:
    Hqsec, Forced folders work great when used in conjunction with Forced programs. You can use Forced folders to sandbox USB drives, CD and DVD drives as well as your Downloads folder. But it is good to know, like Chris pointed out, that some programs like WMP and Windows Photo viewer do not work well out of a forced folder.

    To take care of this issue, you can right click on the picture or the video and choose to run it sandboxed or even better, use a sandboxed Windows explorer to navigate to the file. You can also resolve this situation by switching the default movie (WMP) player to something else. For pictures you can do that as well. Personally, I switched my default movie player to something else instead of WMP and for pictures, I use a sandboxed Windows explorer. Never, when I download a picture, does it run out of the sandbox, and I always use the sandboxed explorer to view pictures.

    @guest, a lot of what I know about Sandboxie, I learned from reading what Chris has to say about SBIE. In my opinion, you should not brush off anything that he has to say about Sandboxie.

    Bo
     
    Last edited: May 22, 2014
  15. Behold Eck

    Behold Eck Registered Member

    Lighten up J_L or you'll give yourself a hernia.

    There's plenty of threads out there regarding Sandboxie configurations but I was only jesting about renaming this one.... the very thought.

    Anyway it was in your own great "best free security list" that I first chanced upon the "yellow border" and many other top sufficient alternatives.

    So thank you J_L.
     
  16. Minimalist

    Minimalist Registered Member

    @bo elam thanks for the additional explanation. I usually use SBIE for executable files only and don't open data files in SBIE. Running Explorer sandboxed and navigating to the downloaded file does make sense when opening those files. But in that case I wouldn't have to set forced folders, right? I just have to make sure I open it from sandboxed Explorer.
     
  17. Behold Eck

    Behold Eck Registered Member

    If so, then everything you open in a Sandboxed explorer should be sandboxed..... shouldn't it?
     
  18. kjdemuth

    kjdemuth Registered Member

    Should be yes.
     
  19. bo elam

    bo elam Registered Member

    Hqsec, to run a sandboxed Windows explorer, you don't need to Force anything, it can also be used by people using the free version. You can run one from the Sandboxie folder in the Start menu or by hovering the browser over the sandbox name when you right click the Sandboxie icon (taskbar).

    Or to make it easier, you can create a sandboxed Windows explorer shortcut and place it on your desktop or taskbar. Using the sandboxed shortcut is better because by doing so you can choose a separate sandbox for explorer to run in. If you use the shortcut out of the SBIE folder or use the option to run one from the SBIE icon, the sandboxed explorer runs in your DefaultBox. The sandboxed shortcut isolates Windows explorer better, sandboxing to the max.:cool:

    Bo
     
  20. Minimalist

    Minimalist Registered Member

    Yes, that's the way I did it :) Sent Sandboxie's "Run explorer sandboxed" shortcut to desktop, changed icon and pinned it to start menu.
     
  21. Behold Eck

    Behold Eck Registered Member

    Cheers Kjdemuth, just needed that clarified.

    Just after placing the icon on the desktop as Bo/Hqsec said/did.:)
     
    Last edited: May 22, 2014
  22. bo elam

    bo elam Registered Member

    No, that shortcut opens up Windows explorer in the DefaultBox.

    To create a sandboxed Windows explorer and have it run in a dedicated sandbox, you first need to create a new sandbox (you can name it WExplorer): SBIE control>Sandbox>Create new sandbox.

    Then go to SBIE control>Configure>Windows Shell Integration, click Add shortcut icons, choose the new sandbox that you have created, click OK, and look for Windows Explorer in one of the menus. After you click on it, you'll see a sandboxed Windows explorer shortcut on your Desktop. That shortcut will open up Explorer in the new sandbox. You can leave the shortcut on the Desktop or move it to the taskbar. Then you can restrict that sandbox (programs that run, no internet access, etc).

    Bo
     
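    A Sandboxie.ini fragment, added here as an illustration (it is not from any post in this thread and not Sandboxie's own documentation), that puts Chris's point and Bo's two-sandbox setup side by side: ForceFolder only catches programs started from the folder, while a dedicated sandbox for Windows Explorer makes everything opened through that Explorer inherit the box. The box name WExplorer, the paths D:\Work and firefox.exe, and the shortcut target are assumed example values.

```ini
[GlobalSettings]
# Box names, folders and program names below are constructed examples.

[DefaultBox]
Enabled=y
ConfigLevel=7
AutoRecover=y
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00ffff,ttl
# ForceFolder: only a program *started from* this folder runs sandboxed.
# An executable started from anywhere else still sees D:\Work as plain
# Windows files, so a forced folder by itself does not protect its contents.
ForceFolder=D:\Work
# ForceProcess: the browser always starts sandboxed; that, not the forced
# folder, is what contains a drive-by download.
ForceProcess=firefox.exe

[WExplorer]
# Dedicated box for a sandboxed Windows Explorer (the shortcut approach).
# Example shortcut target (Start.exe is Sandboxie's launcher):
#   "C:\Program Files\Sandboxie\Start.exe" /box:WExplorer explorer.exe
Enabled=y
ConfigLevel=7
BorderColor=#ffaa00,ttl
# Files opened through this Explorer are handed to their viewer inside
# the box, including images and videos that a forced folder alone would
# pass to the unsandboxed default viewer.
# Deny network access to every program in this box:
ClosedFilePath=InternetAccessDevices
```

    Running Explorer in its own box rather than in DefaultBox is what lets these restrictions apply to file viewing without also limiting whatever else DefaultBox is used for.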
  23. bo elam

    bo elam Registered Member

    Hi Behold Eck:cool:, read my previous post.

    Bo
     
  24. Behold Eck

    Behold Eck Registered Member

    Ok Bo I`m on it now.:ninja:
     
  25. Minimalist

    Minimalist Registered Member

    Yes, but if I configured DefaultBox with all restrictions and settings, can I use it to run Explorer in it, or will there be any problems using DefaultBox?
     