Sandboxie Acquired by Invincea

To me, it is clear that it does. If I was using an Standard user account, I would use the setting whenever possible since using the setting would stop any installer (could be malware) that gets downloaded into the sandbox if it attempts to Start and run. Using the setting is probably more important if we are using a non restricted sandbox than if the sandbox is restricted (as only a few programs are allowed to run in the one that's restricted).

Bo

 

Same here, Pete. I gave it a hell of a ride last night in my XP. All flying colors. And I am now in my W7. Same results.

Bo

 

An explanation of Drop Rights in 2012 (no doubt accurate) from a Wilders member:

https://www.wilderssecurity.com/threads/sandboxie-drop-rights-setting.331391/#post-2109216

This augments Bo's explanation (also accurate )

 

I remember Tzuk saying something like, Drop rights was not "ground breaking". That was in a thread from I think 2010 and about Drop rights. The setting had been implemented a short while earlier. If someone likes to find that thread, it should be easy to find or I can find it. It is a very long thread.

One thing that I can add about Drop rights is that just about all if not all POCs or weakness found in Sandboxie that I remember reading about, fail when Drop rights is in place. That's pretty solid. I mean, if the setting is ticked, POCs don't work and vulnerabilities can not be taken advantage (to escape the sandbox).

Bo

 

Earlier today in a different thread, I surmised hackers don't seem to challenge Sandboxie in contests probably because they know it will be a waste of time and effort for them, resulting in no prize money for their efforts. That said, I'm really hoping, for interest sake, the top hackers who attend PWN2Own and such will attempt escaping through a tightly configured Sandboxied browser just to see what kind of progress, if any, they would make. I suppose it would at the very least require a kernel exploit to be successful.

 

Bo - I have to thank you for your endless patient and detailed advice on SBIE. I am sure everyone else on this thread feels the same.
I think you should host a SBIE Masterclass at some resort in Nicaragua.

 

Helping with Sandboxie is my way of giving something back. This program turned my computer and internet experience into something truly enjoyable. No worries of any kind. It wasn't like that before. I owe that feeling to Sandboxie.

Bo

 

Paul, I read your post in the Firefox addons thread about Hello showing as false in about:support but you are not sure why. I think your Firefox profile is either corrupted or you changed a preference in about:config that did it.

Like I said there, you can create a new profile and do it under Sandboxie. After Firefox runs, check Hello and then close the browser and delete the sandbox. Creating, using and testing new profiles under SBIE can be done quickly.

Right click your Desktop and do the steps to create a shortcut with the path below:

"C:\Program Files\Sandboxie\Start.exe" /box:All "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -P "NewProfile"

If you create the shortcut as I wrote it, Firefox will run with the new profile in a sandbox named All. You can create a new sandbox and name it All, and that's where Firefox will run. Or you can change the name to another one or DefaultBox. But make sure in Sandbox settings all programs are allowed to run and have access to the internet.

Bo

 

FWIW ~ little test > Paranoid Fish report w Sandboxie.
http://betanews.com/2016/03/23/malware-detect-sandbox/

Spoiler: Paranoid Fish report w Sandboxie

with Sandboxie and Active vaccination disabled

* Pafish (Paranoid fish) *

Some anti(debugger/VM/sandbox) tricks
used by malware for the general public.
[-] Debuggers detection
[*] Using IsDebuggerPresent() ... OK

[-] CPU information based detections
[*] Checking the difference between CPU timestamp counters (rdtsc) ... OK
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM ex
it ... OK
[*] Checking hypervisor bit in cpuid feature bits ... OK
[*] Checking cpuid hypervisor vendor for known VM vendors ... OK

[-] Generic sandbox detection
[*] Using mouse activity ... OK
[*] Checking username ... OK
[*] Checking file path ... OK
[*] Checking common sample names in drives root ... OK
[*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
[*] Checking if Sleep() is patched using GetTickCount() ... OK
[*] Checking if NumberOfProcessors is < 2 via raw access ... OK
[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[*] Checking if pysical memory is < 1Gb ... OK
[*] Checking operating system uptime using GetTickCount() ... OK
[*] Checking if operating system IsNativeVhdBoot() ... OK

[-] Hooks detection
[*] Checking function ShellExecuteExW method 1 ... traced!
[*] Checking function CreateProcessA method 1 ... OK

[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... traced!

[-] Wine detection
[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[*] Reg key (HKCU\SOFTWARE\Wine) ... OK

[-] VirtualBox detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... traced!
[*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
[*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
[*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[*] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
[*] Additional system files ... OK
[*] Looking for a MAC address starting with 08:00:27 ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VBoxTray windows ... OK
[*] Looking for VBox network share ... OK
[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK

[-] VMware detection
[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... traced!
[*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:5
0:56 ... OK
[*] Looking for network adapter name ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VMware serial number ... OK

[-] Qemu detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK

[-] Bochs detection
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK

[-] Cuckoo detection
[*] Looking in the TLS for the hooks information structure ... OK

YMMV

 

Excellent post, bjm. I hope people who use Sandboxie for testing "suspicious" files, read the article and stop doing it. Using Sandboxie for testing unknown or suspicious files to see their behavior is totally wrong.

Bo

 

Sandboxie working well here as always. Matter of fact, I can't remember anytime in the past, that Sandboxie has not worked well.

 

Does anyone know what needs to be allowed for Amazon videos to work while firefox is sandboxed? I just tried it unsandboxed and it works fine. The player uses silverlight and I'm sure there is some sort of DRM in the mix. I'm not getting a pop-up saying anything was not permitted to run and I do have run and internet restrictions in the sandbox.

 

Innerpeace try viewing the video in a non Start Run restricted sandbox. If that dont work, if you have Drop rights enabled, untick it.

I am not familiar with Amazon videos. Seems like a paid site, maybe? Get me a link that I can check and I ll try the site. I found previews, can you watch the trailers in the sandbox?

www.amazon.com/gp/product/B005DNPFMC/ref=pd_cbs__4/190-7712269-7396913

Are you using W7, what?

Bo

 

Movies run in the default (no run/internet restrictions) sandbox. I have amazon prime to watch the prime movies (included with prime) but I think you can watch the free ad supported movies if you log into your amazon account (if you have one). I'm using windows 8.1.

Edit: Internet access restrictions.
firefox
dllhost
plugin-container

Start/run restrictions.
firefox
dllhost
plugin-container
plugin-hang-ui
agcp
foxitreader.

 

The, thats what it is. You have to use a non Start Run restricted sandbox to view videos at Amazon videos. Some sites work that way in some systems. I found that to be the case in one site in XP. While in W7, at the same site, I can restrict the sandbox and the videos play. For the future. If videos don't play at a particular site, play with Sandbox settings. Same with DR.


Bo

 

Reply to the Edit. I dont see Silverlight being allowed to run and connect. So, that could be the reason Silverlight doesn't run in the restricted sandbox you are using. You need to allow the exe or exes that the program uses when you are using a restricted sandbox (I dont have Siverlight installed so I cant tell you what they are).

And the reason you are not getting messages from Sandboxie about Silverlight attempting to run could be that you have disabled the option to be notified. Look in Sandbox settings>Restrictions>Start/Run access, look at the bottom left of the windows. Either that, or you Hidden the message.

Bo

 

Hi bo. Thanks for your replies. A search shows AGCP.exe is silverlight. Maybe I need to allow it internet access. When I try running a video with IE in default box I get a pop-up error about mfpmp.exe which seems to be some sort of drm.

Your preview worked fine in IE default box but a movie gives the above error. The movie works find outside the sandbox in IE just like firefox.

Messages are allowed but I may have hidden one by accident. I looked around and clicked on "Forget hidden messages" so hopefully that restores anything I may have screwed up.

I'll play around with agcp.exe and mfpmp.exe in the restrictions and see what I can come up with.

Edit: Ok, I added both programs in both restrictions and it works .

 

Great.

About "Forget hidden messages". I think you did good clicking it. That unhides all messages you have hidden. Thats all it does, you can do no harm to hide or unhide messages

Bo

 

New beta 5.11.2 is out. Looks for Chrome in W10 only. I dont use W10 or Chrome but even so, I like testing and installing all Sandboxie betas for two reasons. One, it helps the development of Sandboxie, and Two, if changes to the code breaks SBIE working smoothly in my computers, I want to know as soon as possible, so I can report it soon afterward, this makes it easy to detect the change causing my issue. Rarely happens but it has happened.

http://forums.sandboxie.com/phpBB3/viewtopic.php?f=57&t=22660#p119291

Bo

 

Beta 5.11.3 is out.

http://forums.sandboxie.com/phpBB3/viewtopic.php?f=57&t=22660#p119291

Hey Rasheed. Look at Change 2. Looks to me like this restriction fixes what you found and reported in the post below, and later, I reproduced and made Curt aware of it.
https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-86#post-2541548

Bo

 

Interesting, I wonder why they all of a sudden decided to block this.

 

appreciated that change. nevertheless i dont like lasso to create another power config because mine is perfect. but... lasso is preventing my monitor going to sleep while some programs are running and i have no clue why. this sucks - deleted!

 

At the time, this is what Curt told me about it.

https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-88#post-2542417

They probably thought about it and decided to block it. I think this is a good change.

Bo

 

Yes, that's why I reported it, apps shouldn't be able to change things on the real system, so why not block it.

 

This morning, suddenly I started receiving a pop-up window with the following Sandboxie's message:


I've upgraded Sandboxie to 5.11-3 but the problem persists.