VoodooShield/Cyberlock

Kind of confused about the statement:
" Why would I want to....for the same reason I want it to even the process isn't sandboxed."

 

Got it, Thanks.

 

There were safe and unsafe files added to the training data sets... around 33% unsafe and 66% safe. The original training data sets had a lot more unsafe than safe, so this will balance it out a little better (hopefully).

 

What happens when you uncheck the Automatically Allow by Parent Process feature in VS? Does SB and VS behave exactly how you would like?

What happens when you uncheck the Automatically Allow by Parent Process feature (or similar feature) for the other AE's?

 

Great to know, thank you! About half of the ML/Ai engines detected the file as Unsafe... I suspect the ones that detected it as safe whitelisted it.

BTW, I think I have their phone number somewhere in case you need to call them to restore the file from quarantine .

 

Here is SB and VS Free (default settings). From what I remember, I think Vlad made an exception for SB, so the sandboxed files were blocked (at the request of wilders users... my opinion was overruled ). We can look back through this thread to confirm this.

Anyway, does everything look right here?

https://voodooshield.com/artwork/Sandboxie.mp4

Also, please keep in mind that the whole point of VS is to safely allow as many safe items as possible, and to reduce the dangerous affirmative user prompts as much as possible. Thank you!

 

http://www.novirusthanks.org/help-files/exe-radar-pro/#sbie-erp

 

@bjm_... I am not sure what your point is (please let me know). VS uses completely different drivers, so I am not even sure this would apply to us anyway.

If I thought there were a lot of SB + VS combo users, then we would create an option in VS... but there simply are not enough users to add another option.

 

I thought you asked about other AE's?

 

Ohhh, I see, that is why I am confused. Thank you for the info!

 

I have a portal that I can sign into and waive the file. Thanks for offering.

 

Hehehe, I am extremely confused at this point. In the video that I posted above (and below), VS is blocking a Sandboxie sandboxed processes at 0:50 and 0:59 (the file that I downloaded from majorgeeks.com)... and this is with VS Free / all default settings.

https://voodooshield.com/artwork/Sandboxie.mp4

1. Checkout the Cuckoo analysis of Leaktest and click on the "Behavioral Analysis" tab and you will clearly see the who's who of malicious actions.

http://voodooshield.ddns.net:8080/analysis/6336/#

ML/Ai is infinitely more adept at detecting malicious features of a file compared to almost all humans, including most seasoned professional malware analyst. ML/Ai examines roughly 300 features of the file, and can detect / spot malicious features that no human would ever be able to detect / spot. The average user does not even know how to check the digital signature, and a malware analysis would have to manually inspect the 300 or so features of the file with specialized PE tools... and even then the human mind cannot comprehend the inner relationships between the features, not to mention that over half of the features are not available in any of the PE tools. The absolute vast majority of users do not know how to inspect a file for maliciousness, and even the top malware analysts make mistakes... a lot more mistakes that a ML/Ai model ever would. The Cuckoo analysis of Leaktest confirms this. And this is why a file should never be blindly blocked without providing the user file insight.

2. I agree, SBIE is very secure so I completely understand why you feel strongly about SBIE. This is exactly why I feel strongly about VS... we have quite a few users now, and they do not become infected either.

Thank you!

 

I am finding the Sandboxie/VS discussion somewhat convoluted so apologies if I am stating the “bl**ding” obvious.
VS works with Sandboxie if “Automatically allow by parent process…” is disabled. Otherwise it doesn't.

Totally agree.

 

In this discussion, I am hearing two eminently reliable people who are giving two very different reports. Just try it on your system, and see what works. It's a super easy test. Just download any installer file in SBIE, run it, and see if VS reacts or not.

 

That is why I made the video... I do not know how to use SBIE properly, so I wanted to confirm that I was testing properly. From what I remember, I think Vlad made it so VS would block SBIE processes either way... whether the Parent Process setting was checked or not. I can look in VS's code to confirm this, but until I can understand what is not being blocked, it will not do any good to do so.

 

Okay, we might be getting somewhere now. In the video I posted, it showed that executables that originate from a web app, that are sandboxed by Sandboxie, are blocked by VS... even though they are sandboxed by Sandboxie, right?

What you are talking about is when the user right clicks on a file, and wants to execute that file sandboxed with Sandboxie, correct?

If these two statements are true, then we are on the same page, and I have a response. Thank you!

 

Hi Peter2150.

The old grey matter isn't what it used to be so sorry if I am being obtuse.

Say I download something like Freemake Video Convertor via a sandboxed web browser, Freemake is contained within that that sandbox and is harmless until such time as I decide to recover it or otherwise from the sandbox. Obviously VS doesn't need to react at this stage as there is no execution.

Then let's say I decide to recover/release this programme from Sandboxie. It is now situated, for example, on the desktop.

In respect of Sandboxie and VS I have three options:

(1) run the programme and VS will check the programme automatically in either Autopilot, Smart Or Always On mode
(2) right click on the programme and do a VS scan
(3) right click on the programme and run it sandboxed

In the latter scenario VS will activate in Sandboxie if “Automatically allow by parent process…” is disabled. Otherwise it doesn't and the programme will run sandboxed without any intervention from VS.

Well that’s my experience anyway on my Windows7 64bit machine.

 

VS goes into action when a file is run. It doesn't prevent something from being downloaded.