Is this how my security software should work?

Discussion in 'other anti-malware software' started by ratchet, Jun 4, 2014.

Thread Status:
Not open for further replies.
  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Recently my wife was viewing a page of hair styles and she was requesting my input. Up came the US Dept. of Justice virus. It did seem that for 10 to 30 seconds the PC was locked, but then Norton A-V alerted that it had blocked it and all was fine.
    A few questions: Should Norton have worked first (prior to Malwarebytes Pro)? Would Malwarebytes have stopped it too? To play safe, I restored an image. That would have worked too if I had booted from a CD or flash drive, correct? Thank you!
    I forgot to mention I was sandboxed with Sandboxie also. That would have been enough too, correct?
    Never even having had a virus attempt before is the reason for all these stupid questions!
     
    Last edited: Jun 4, 2014
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sandboxie wouldn't have stopped it from running necessarily, but your system would have been safe. Empty sandbox and virus gone.

    Pete
     
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I'm curious, what url did that virus come from?
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Did you or your wife execute it? We're missing some essential details here.
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Norton did an excellent job. It didn't detect it at first but probably detected it with in-house heuristics and nullified the threat. Probably generic protection in place against these FBI-hijacks.

    As Pete said, if the browser was sandboxed you would've been fine as it would never have reached your system files. If it was launched outside sandbox then we can all agree Norton did a job well done! Not sure if MBAM would've helped you. It depends on if it had definitions for it already.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Ratchet, like Pete said, delete the sandbox and the virus is gone. What you'll see when hit by malware like the one you described depends on the Start/Run settings that you are using. On a default settings sandbox (I believe that's what you were using at the time), the virus runs and installs in the sandbox and it's gone when you delete the sandbox. On the other hand, if you had been using a Start/Run restricted sandbox where only Firefox, Flash and your PDF reader can run, the malware would have just sat in the sandbox and done nothing. You would not even have known that there was a danger, unless Norton had still detected it.

    Bo
     
  7. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    First, thank you for all of the replies! I'm sorry, but I have no clue where we were. Relative to Sandboxie, it was the default setup, although I pretty much leave Cyberfox and Firefox profiles not sandboxed.
     
  8. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    If your browser wasn't sandboxed you were not protected by Sandboxie during that attack, if I understand you well. If you leave the browser out of the sandbox you could as well uninstall Sandboxie: It protects the computer from threats inside the sandbox, not the other way around.

    Anyway, I think you did the right thing restoring the system from a backup. Even if Norton seems to have performed brilliantly, there is nothing better than restoring from a clean image.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Actually, I've yet to see any real-world scenarios that require putting the (up-to-date) browser inside the sandbox rather than just the downloads. That is unless someone answers my question with a negative.
     
  10. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Will that protect from a drive-by download too? I really don't know, I hadn't thought of that.

    When I read that post I assumed that the browser wasn't sandboxed at all, but maybe the OP puts into the sandbox the downloads, as you say.
     
  11. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    From my understanding his browser was sandboxed but had direct access to its profile folder. This is how I would run Firefox myself by the way because the system is still protected.
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I certainly would not do that. The main thing with Sandboxie is at least to try not to get browser profiles corrupted.
     
  13. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I thought the main thing was to keep the system from getting corrupted, which will not happen just because of direct access to the profile folder. I simply wanted to point this out because there seemed to be some confusion whether the browser was sandboxed at all or not.
     
  14. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    You are correct! I like the convenience of keeping the browser tweaked.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Drive-by downloads occur easily with javascript, just don't execute them without virtualization. It's drive-by installs you have to worry about, and I've yet to see those work on modern browsers unless you're being actively targeted.

    Looks like his is after all, but with profile unsandboxed. I remember doing that with Firefox back then, it was just so much more convenient for a heavy tweaker like me. As for the security of that, well I think it's a point of diminishing returns.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    Off your problem - drop Cyberfox - it's always outdated. The latest update from v28 to 29.0.1 had a delay of 5 weeks, and Firefox 28 has 14 important issues: http://www.mozilla.org/security/known-vulnerabilities/firefox.html
    (same for Waterfox and others)

    I am sure this was a drive-by - triggered with JavaScript and passed to Java, or a prepared PDF file. Flash at least is the most secure plugin of all three. The main problem behind it - if it was a drive-by - is found in the hacked website or bad 3rd-party advertisement. No Java and no PDF in the browser and all is nearly fine. At least there is no need for a 64-bit Firefox.

    MBAM won't have stopped it; its web capabilities are too poor.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    The main infection was obviously stopped. Nevertheless I suggest a more secure browser like Firefox or Chrome with an adware and script filter. Since /me have been using such filters (different ones through the years) I never had any issue with my security.
     