Bad news for testers, but good news for SBIE users. 35-40% of malware stops just by detecting a sandbox app.
But malware may wait until the user lets it escape, because the keygen shows no threats when isolated, so the average user thinks it was safe...
Yes, but if it doesn't perform anything visible, the user might think it doesn't work and wouldn't run it unsandboxed at all.
My thoughts as well. I think probably a lot more than 40% of malware detects it's been run sandboxed. Bo
Using Sandboxie for telling if a program is clean or not is wrong. Sandboxie should not be used that way. No ifs. Bo
Bad news? I think testers of all kinds (malware testers, pentesters, betatesters) should work on real machines dedicated to that.
I agree, but sometimes it's more convenient to just run it inside a sandbox or virtual machine. Some malware also uses other indicators to detect a non-standard environment and could detect a real machine dedicated to testing as well (lack of personal files, installed tools that the researcher uses...).
Back on topic, which is the Shade sandbox. Not bad. It's not quite as polished as SBIE, but it protected the system against all the malware I threw at it. A couple of shortcomings. The biggest was that it wouldn't take script files. That's huge. It also had no easy process kill.
You're right, but unfortunately many do... Exactly. Yes, when I tested it, it was decent. I think it is more a "sandbox for beginners", made to be used "out-of-the-box", and it does its job quite well.
The percentage of environment-aware malware is a great deal less than 40%! Also, the primary techniques used are not product specific at all, so the probability of malware not running in Shade will be as high as malware not running in SBIE, but would instead depend on the "fingerprints" that VirtualBox or VMware leaves. And as to testers not running things in a VM: the virtual environment awareness of malware doesn't make the malware itself something brand new. The payload will be the same as malware without this function, so it is just a matter of finding and running the same stuff without VM awareness, and that is up to the experience of the tester. Finally, recent malware seems to be using a lag time feature: it may not activate for a few minutes or a few hours, whether it is in a VM or not. So does that mean that running it in an actual production system is also invalid because it does not infect immediately?
Well, I had a reason to be enthused, so I installed it on my host machine this morning, made the appropriate exclusions for other software, and had a whirl. Never got Opera to do anything but basically freeze the machine. Guess I'll wait until the next release. When I tested in the VM I had all other software disabled.
Found Shade very disappointing. Compared with Sandboxie, browsers took a fair while to load. Also, on shutting down Opera it consistently failed to unload its process, so that it was not possible to clear the sandbox. I had to use the task manager to shut down Opera, then clear the sandbox. Two out of three browsers found problems running in Shade. Also, lots of notices appeared in the system tray with long gibberish file names asking one to click on the notice to transfer the files from the virtual folder to the real folder! And this is for beginners?? Terry
I didn't receive any code from Shade via email and it's been a few days, but it did seem to work with Firefox. It didn't work with Tor - I got an error message instead, something to do with the torrc file. Should I still try to contact Shade and source the password or code or whatever they call it? Does Shade remember saved bookmarks in Firefox? What happens when I want to download an mp3 under Firefox in Shade? Is there a recovery like in SBIE?
Has anyone figured how to print from Firefox in Cybergenic Shade? I can get Print Preview, but I can't get anything to print to a printer or to pdf. Is there a solution?
I right-clicked on the Firefox icon and tried "Open in default sandbox" and "Put into Shade". Nothing happened. Any clues? I received the license key.
The user downloads an application and executes it in the sandbox. No sign of malicious activity can be seen (because the malicious activity is delayed), and the user thinks it is safe. Because it "seems to be safe", the user executes it outside of the sandbox, and after some time the malicious activity is performed.