Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    So why do you think I asked you if you wanted to test it... the OS was unusable, so to me it seemed like a bypass; fortunately Chris was willing to test instead of accusing me of so-called inexperience (btw I have used it for quite a while now, and it is not because I don't spray advice and tips that I don't know it).

    You just had to say "ok, let me see", but it seems that was not your intention at all. Weird behavior for someone promoting a product...

    Thanks for taking the time to read.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Exactly, the freezing of the OS seemed to you like a bypass because:
    ....and now you know.

    Bo
     
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    guest:

    Some of us have no such thing as a wish to test our system with something like that. I did reinstall my computer a few months ago to factory settings. Still, I think it was not enough. Not having some darn Windows 7 outside my laptop computer, nor some CD to make my system virgin. I know some of you have all the pirated stuff. I don't.

    Bo is someone who gives instructions and helps people use SBIE. I do or have done that too, like in my post above regarding how I updated my Sandboxie install with AppGuard.

    What you asked him to do, to test some malware, is so out of the ordinary!
    I know a good share of people here on Wilders are also into hacking etc. ****. I am not.
     
  4. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    4.10 final installed and working flawlessly with no stress or problems. :thumb: (Used to have stress years ago, but have long since divorced it. Problem solved. :D)
     
  5. chris1341

    chris1341 Guest

    Nice. I know they respect your opinion as much as most here do so looking forward to seeing it soon.

    Thanks
     
  6. guest

    guest Guest

    @Jarmo P: I have known Bo for quite a long time now; we were co-members on another forum. That is why I asked him such a request, which seems unusual to you, and why we answered each other quite directly. And sometimes Bo is quite "rude" to me :D

    Anyway, my suspicions were cleared up by Chris; that is all I wanted. Time to move on.
     
  7. guest

    guest Guest

    I redid the test in a VM, and I observed that you can click on the numbers above the blank field of the blue window (in fact it is where you put the password to unlock your system).

    It was not a freeze but the result of the ransomware.

    http://i.imgur.com/gojehqB.jpg

    But you said in your test that after a hard reboot all went fine, so in a way it is contained, but the OS was locked... that is weird, because the OS shouldn't be locked in the first place.

    Unless I missed something.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi guest

    Not necessarily. Several years ago I played with a nasty virus. When run, it would take over the machine, and you couldn't do anything but a power reset. Run outside of Sandboxie, it owned the machine. If you ran it in SBIE you saw the same thing, and again the machine was essentially locked up. The only difference is that once you did the power reset, the machine was clean.

    So I would say SBIE is doing its job.
     
  9. guest

    guest Guest

    Yes, that is the most important point indeed; I don't deny this. But I am curious, so I wondered how ;)

    Maybe the devs should do something about it for the default settings; of course, if we use resource access restrictions, the malware does nothing.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    guest, nothing needs to be done to the default settings. You played your malware game using a default-settings sandbox and the malware didn't do anything. The lockup doesn't mean anything if, after you reboot or restart the PC and delete the sandbox, your system is clean. And that's what you experienced. Why would Invincea change something that works as it's supposed to?

    In all the years that I have used Sandboxie, I never had malware lock up my system, but I have had programs like Flash lock up the sandbox. That doesn't mean that there is something wrong with Sandboxie. Antiviruses lock up the sandbox all the time. When that happens, to delete the sandbox, you reboot the PC and that takes care of the problem. If little programs like Flash can lock your sandbox, mean bad programs that are malicious can do that and more. But don't lose sight of what's really important. Keeping your system, files, registry and programs as if nothing happened is what's important, and that's what SBIE does.

    By the way guest, to restrict the programs that run in the sandbox, you use Start/Run restrictions, not Resource access restrictions as you wrote in your post. You can use Resource access restrictions to allow or deny programs that run in the sandbox access to files and folders on your computer, but those restrictions don't block programs from running.

    Bo
     
    Last edited: May 24, 2014
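    The distinction Bo draws between Start/Run restrictions and Resource Access restrictions is easier to see in the Sandboxie.ini form of the two settings. The fragment below is an added example, not code from this thread or from Sandboxie's own documentation; the box name "MalwareTest", the program names and the paths are assumptions, and the key names are the ones I recall backing the Sandbox Settings > Restrictions and > Resource Access dialogs, so check the Sandboxie.ini help for your version before relying on them.

```ini
; Added example, not from the thread. Box name, program names and paths are
; assumed; the keys are the Sandboxie.ini settings behind the GUI dialogs.
[MalwareTest]
Enabled=y
AutoDelete=y
DropAdminRights=y

; --- Start/Run restriction (Sandbox Settings > Restrictions > Start/Run Access)
; The leading "!" negates the program list: every program EXCEPT firefox.exe is
; denied all IPC, so an unlisted executable dropped into the box never starts.
; A malware sample run in this box would not execute at all, which is why it
; tells you nothing about what the sample would have done.
ClosedIpcPath=!firefox.exe,*

; --- Resource Access restrictions (Sandbox Settings > Resource Access)
; These only govern what an already-running sandboxed program may touch outside
; the sandbox; they do not stop any program from starting.
; Read-only: the program can read, but writes are refused rather than being
; redirected into the sandbox folder.
ReadFilePath=C:\Users\alice\Documents
; Blocked: the program cannot see or open these at all.
ClosedFilePath=C:\Users\alice\Private
ClosedKeyPath=HKEY_CURRENT_USER\Software\MyBankClient
```

    With the Start/Run line in place the sample from this thread would be refused before it could reach explorer.exe; with only the Resource Access lines it runs, and the screen lock seen here still happens inside the box, but nothing it writes survives an empty of the sandbox. If a box does lock the desktop, Sandboxie's own Start.exe can be driven from a command prompt or a pre-made shortcut: Start.exe /box:MalwareTest /terminate_all kills every process in the box, and Start.exe /box:MalwareTest /delete_sandbox empties it, which is the same recovery as the hard shutdown described later in the thread but without losing the unsandboxed work.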
  11. guest

    guest Guest

    If you tell me that SBIE behaved normally in this test, so be it. I personally prefer that my system stays untouched and fully functional without the need to reboot; it is just my opinion anyway :)

    For the rest I agree with you.

    I used Resource access restrictions set to put the C drive in read-only mode, because I want the malware to run and see its behavior and implications. By doing as you said, of course it couldn't even run (I do Run restrictions with a sandbox dedicated to locking some download folders).
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Several years ago I was surfing porn sites with NoScript in allow-all mode. Dangerous, yes, but I trusted Sandboxie, which also came to the rescue. My mood was not to think of controlling NS, as you might guess, lol. Suddenly my screen turned blue and white and there was a message from the Finnish "Police". I think there was a bank account number or something for how to pay the fee to unlock my PC.

    Anyway, the computer was not operable. I don't remember if I could shut down or needed a power-button shutdown. After restart, all was fine. Needed of course to delete the sandbox contents.
     
  13. guest

    guest Guest

    I totally understand you :D
     
  14. chris1341

    chris1341 Guest

    Hi guest,

    I don't think the OS is locked, but the malware has taken control of explorer.exe, blocking user functions outwith the active malware window. It's not quite the same thing, as the OS functions normally; the user just can't access its functions from the desktop. Kind of half-baked ransomware, as nothing is encrypted and it's quite simple to fix.

    Run it again with a classic HIPS and you'll see the chain. I haven't done it with this variant but have with this malware strain. It went: launch, get control of explorer, and that's all it needed. Again, using a classic HIPS you'll know a lot of processes need to get access to explorer, so users might be tempted to agree. 2 yes clicks and you're screwed.

    With SBIE it's an easy fix, as the process controlling explorer is inside the sandbox and as a result has not gained persistence, since any changes to the OS have been redirected to the sandbox.

    Terminating processes in the sandbox removes the lock. Emptying the sandbox effectively clears the infection. I agree that should be easier than a hard shutdown, but it does work. Other programs in the sandbox will need to get to explorer for normal activity, so I'm not sure it could be prevented, but the keyboard shortcut Bo mentions will help.

    Cheers
     
  15. guest

    guest Guest

    I tried many "classic" ways of trying to terminate the process or reboot:

    - opened Task Manager; it did open but then got frozen, as expected
    - ran Process Hacker before the infection; PH kept running and showing process activity during it, but I couldn't use it
    - did Alt-F4; nothing
    - did Ctrl+Alt+Del; got the Win8 menu, the various functions are shown, but if selected, nothing launched.

    Only a hard shutdown solved the issue. As you said, it is more an explorer hack than real ransomware. The keyboard shortcut will indeed solve this kind of issue.

    Note: I don't like hard shutdowns :D
     
  16. chris1341

    chris1341 Guest

    I could terminate it by signing out after CTRL-ALT-DEL also.
    Definitely only for emergencies :thumb:
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Nobody does, guest, but next time you cry wolf by saying that Sandboxie has been bypassed, 1) make sure you can prove it and 2) get your facts straight. First you said that you used Sandboxie with default settings during your test, and now (post #586) you are saying that you used Resource access restrictions. Bottom line: Sandboxie worked as it's supposed to.

    Bo
     
  18. guest

    guest Guest

    Did you read "redid" the test? In my country we used to say "learn to read" before blaming people without reason, as in your first reply to me...

    And you also have a short memory, because I asked you to test the file (I wanted to be sure I hadn't missed something), but you went fanboy, denying an observation instead of helping to find out whether it was accurate or not.

    If you still have some grudges against MT members, you should really move on...

    And please avoid engaging with me anymore, since you seem to be lurking for any mistakes I may make instead of writing constructive posts.

    Back to the topic: indeed SBIE acts as it should, but the explorer lock should not happen. What if I had important work open and then the scenario happened? Hard shutdown, then jump for joy because my system was protected, but lose hours of work? No thanks. It was not a bypass, ok, you made a point, but it was a flaw.
     
    Last edited by a moderator: May 24, 2014
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't know the details of this attack, but I have to agree with this: SBIE should never give malware (or any other app) the ability to "lock" the system.

    On Win 8 I had an issue with StrokesPlus; it took control of my mouse. I could still navigate with the cursor, but my mouse wasn't responding to any input (left or right click); I had to reboot my system. If it was run outside the sandbox there was no issue; however, it was under control of SBIE.

    Perhaps y'all can test it? :)

    http://www.strokesplus.com/
     
  20. guest

    guest Guest

    Just ransomware that locks explorer even when "contained" in SBIE with default settings.
    For StrokesPlus I will test.

    Btw, thanks for giving a little bit of credit to my opinion. ;)
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If you were doing something sandboxed, you can save your work even if malware comes into play; you just have to know how to do it. Learn Sandboxie.
    http://www.sandboxie.com/index.php?GettingStarted

    Bo
     
  22. guest

    guest Guest

    How can I save my work if explorer is locked... looks like you read none of my posts.

    Another post insinuating I don't know how to use it... :facepalm:

    This is my last reply to you. Trolling is not my specialty.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    It is easy, just learn how to do it. And I am sorry, but I won't tell you how. Learning how to get everything out of SBIE takes time. You can use SBIE from day one, as it comes when you first install it, but to get everything that you can get out of SBIE, you have to spend some time learning the program. Do it.

    Bo
     
  24. controler

    controler Guest

    Bo, so this program is not for common household users right out of the box for max protection?
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi Controler, I wouldn't say that. I think Sandboxie's default settings were designed by Tzuk to make it easier for a first-time user to use the program from day one. Sandboxie can be used by anyone as it comes out of the box. But to get every drop of juice out of Sandboxie, it takes a little bit of time. The program can be learned as time passes by.

    My mom is 77 years old now; she lives in the US, and when she comes to visit me, she uses SBIE and she has no idea whatsoever what SBIE is. SBIE can be used by anyone.

    I remember the first time that I had a sandbox lock up on me. I didn't know much about Sandboxie; I kind of freaked out and thought it was malware, but then I learned that that sort of thing happens sometimes. And I also learned what needs to be done to delete the sandbox after it happens. Now I know what to do so my sandbox doesn't lock up at all. In the last two and a half, maybe three years it has only happened once. That's on my XP; on my two W7s, it has never happened. :)

    Bo
     