Internet Acess Control in Sandboxes and malware

Sandboxes are popular among Wilders members who use them exclusively as a security measure or in different combinations with other antimalware software.

An important aspect of these Sanbozes is that: None of them limits the intenet access of sandboxed applications by default. Obvious reason is that the Sandboxes are used to protect internet facing applications and addition of Internet Access Control might add complexity for a norma sandbox user.

However in my opinion Internet Access Control is very important in a sandbox and the complexity of this feature can be over come by adding a default DENY rule for all applicatiosn while specifying exemptions for common applications like Browsers, Mail Clients and Messengers etc.

I did a very small experiment with twoi internet worms:

1- NetSky worm
2- Warezo worm

Both of these are mass mailing worms with their own SMTP engines. I used then in GesWall and SafeSpace with default rules. Both were able to execute within the sandbox and they were able to send malicious mails while running in the Sandbox. A reboot of PC/ Termination of all sandboxed applications/ Cleaning of Sandbox contents would have stopped this behaviour but at least the two worms were able to send malicious mail during the session until I killed them or rebooted my PC.

Here are some screenshots to explain, first for Netsky worm.

 

Here are same screenshots for Warezo worm.

 

Now I made a Rule in GW to DENY internet access for any application running in GW, while allowing internet access for my browsers etc
See my post here for deatlis.

https://www.wilderssecurity.com/showpost.php?p=1279672&postcount=42

Down are the screenshots shwoing that Network Access is denied for both worms. No e-mails sent by both worms obviously. GW logs are attached as well.

 

With SafeSpace, also both worms were able to run and send e-mails.

Unfortunately there seems no way to add custom rules in SafeSpace to deny such malicious actions( atleast I am not aware of it).

 

This is just one example, I think in the same way, a malware can leak personla data from a sandbox if Internet Access Control is absent in a Sandbox.

 

Very interesting this Aigle. If I'm not mistaken SandboxIE also offers the possibility to limit the number of programs/executables that can run in a sandbox.

I believe you can configure it so that only your browser is allowed Internet Access (IE/Firefox) etc. and no other applications/executables.

 

Yes I think SBIE has two options.

1- Deny internet access for all sandboxed applications except those spoecified
2- Deny execution of all programs in one sandbox exccet those specified.

Double protection IMO.

 

Here's a kraken botnet test I did with Sandboxie set where only allowed apps can run and connect out.

First try to unrar the malware stopped cold.

Unrarred the malware to desktop then tried to run it Sandboxed and it was stopped cold.

 

Can u test about Intenet Access also? I mean just allow to execute but deny to access intenet.

 

Setup another sandbox with no restrictions.

On first install of Kraken there was some inet activity and it's process was running in the sandbox.Terminated all processess and deleted the contents which Sandboxie seemed to have no problems doing.

On the second install of Kraken I set the sandbox that only FF could use inet resources with Kraken seeming to install then couldn't instigate any inet activity and went dormant.

 

Thanks Franklin.

 

Real danger is some hijack the browser,luckely we have '' restricted '' Wraitdu rules with SBIE,so nothing can escape.

 

Hi Huupi, can you post or PM me those rules?

 

As I know with GW or DW, browser can,t be hijacked by an untruted/ isolated malware, even on default configuration.

 

Hi aigle.
Thanks for another interesting test.
With Sandboxie, with certain rules, you get a "default deny" internet conncetion, and just the apps that you configured to do so can reach out.

And Ilya has said that in a future version, DW will have outbound control for untrusted apps.

 

As allways DW has a built-in and simpler solution for this problem.

DefenseWall has resource protection, meaning it puts a policy wall between untrusted application (so by default it is okay). You can even strengthen your defense further by adding you WAB (wndows address book) and email directory as additional protected resources to your email application.

Another advantage of DW is that you do not have to enter rules with dificult questions/syntax, just standard Windows communication dialog are used to add these additional resources (via the click and browse metaphore).

Regards Kees

 

Repeat this test with your e-mail application also sandboxed

 

Kees why don't you run the test with both your e-mail app and Kraken as trusted.

 

So what is the conclusion? Aorry as I did not understand what you want to say. Will it stop the mails by these worms or not, using default configuration.

 

sorry to bump this thread but I have just paid for the registered version.

I have found the Deny internet access for all sandboxed applications except those specified settings.


But I can't find Deny execution of all programs in one sandbox exccet those specified. setting where is it

 

Hi All

I was very interested in the commentary in the preceding posts.

What I would like to know is this:

1) If you have Sandboxie set up to allow only Firefox to run in it using Process groups <restricted> etc

2) Then you add DownloadStatusBar to Firefox as an addon.

In 2) above there is an option to activate your antivirus on download of any program/file. The problem is if Avast is used, ashquick.exe needs an exception to the process group to allow it to run.

Like so:
ProcessGroup=restricted1>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,ashQuick.exe

Question

In allowing this exception ashquick.exe to run un the sandbox, on the one hand it gives a benefit (of scanning a file) but on the other is there any disadvantage in that Firefox is not now the only exe that can run. Could ashquick.exe be used for malicious purposes?

Thanks

Terry

 

Franklin,

That is the point: can SBIE isolate sandboxed processes from each other. When your mail application is outsied the sandbox and the malware is in, it is easy. It is more difficult when both are in the sandbox.

So seriously I ask, would you please test again?

 

As from version 2.45 it will, because Resource Protection draws a policy restriction wall between untrusted processes. Resource Protection has teh same options as GeSWall console, except for the device option. DW does not have the outbound protection option of GeSWall, but leaktest will fail (like with GeSWall). For Power users DW can be tweaked to the same extend as GW, only Ilya is implementing most of the tweaks suggested by Power Users, SO BELIEVE IT OR NOT, DEFENSE WALL IS THE ONLY SECURITY APPLICATION RUNNING WITH DEFAULT SETTINGS

NB. I am on the GeSwall image to refresh my rusty knowledge of GeSWall. I hope the GW guys will survive, because GW and DW pick up good ideas of each other

Regards Kees