Is this a Sandboxie error / bug?

Not sure really, but if I understand the way Sandboxie works, the following scenario shouldn't have taken place.

1. Start your browser via a sandbox which has auto recovery disabled. Set the only recovery directory to your desktop. Start your browser inside that sandbox.

2. Download any file from the internet, doesn't matter which. Save it to your desktop, but do not recover the file.

3. Go to VirusTotal.com (would probably work for other websites as well, but I haven't tested) and click "Choose File" to browse for a file from your drive to scan. Navigate to your desktop.

I can both view and upload the sandbox-downloaded file for scanning via VirusTotal.

Any idea why?

EDIT: using Sandboxie 3.68

 

It's normal. The file is still located in the sandbox- that's where the sandboxed browser reads it from. Nothing to do with recovery.

 

Ahh, got it, thanks.

 

First off I've assumed the file has not actually been recovered.

Somethings to consider. When you download to your desktop in a sanboxed browser but don't recover SBIE will create a copy of the desktop folder inside the sandbox with the downloaded file in it. If you then visit VirusTotal with the browser still sandboxed the navigation will take you to the file stored in the sandbox. The download still exists its just in the sandbox not the real system.

Remember sandboxie redirects activity spawned from a sandboxed app to the sandbox container but the apps themselves still think the sandboxed environment is the real system.

Try downloading the file. Close the browser. Empty the sandbox and then go to VirusTotal and see if its still there.

Cheers

Edit: I see you already got a reply. Sorry for the duplication!

 

Yeah I was aware of that but it somehow eluded me that when browsing for a file through a sandboxed browser, the desktop file contents will be those of the sandbox. thanks for the further explanation.

 

because you are running VIrustotal from the sandbox it's normal

 

At the risk of sounding ignorant I will press the subject a little further.

We've established that when browsing to, say, VirustTotal.com, with a sandboxed browser, and then attempting to select a file from from the desktop or wherever, what I will see are the files contained within the virtualized, sandboxie version of the desktop (meaning any files that have not been recovered will be seen there).

However, after I have recovered the file to the real desktop, and then navigate to Virustotal from within the sandboxed browser and attempt to find the file on my desktop, I can actually find it - even though it is no longer inside the sandbox.

Does this mean that when browsing for a file from within a sandboxed browser, that I will see both the contents of the sandbox, as well as those outside the sandbox, simultaneously? Or am I missing something?