New Leaktest / Security Tool Released - System Shutdown Simulator

Discussion in 'other anti-malware software' started by dmenace, Nov 20, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Has anyone tested Sandboxie?
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Running sandboxed within Vista.

    Eicar and Autostart creation both state "successful - fail" and are contained to the sandbox.

    Shutdown test is unsuccessful with sandboxie showing the below top message.

    The ping test seems unsuccessful in Sandboxie/Vista but seems to get through with Sandboxie/XP when SB is configured to stop outbounds.
    SB Message.JPG
    Error message when attempting the ping test SB/Vista.
    ping.JPG
Quoting a fellow poster, Mitch, over at SB's forum on the ping test in XP:
I'm just not quite sure on this test though - I pinged myself, I pinged no address and I pinged xxx.xx.xx.xx and each time it said I failed. Hmmm....
     
    Last edited: Nov 21, 2007
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
@Denis: Well-designed exploit/leak test (& for adding another attack vector for the script-kiddies... :D)


Anti-Executable (2.20.0255): Passed (So it won't work as a runtime executable.)

    Eicar-test:
    Online Armor (2.1.0.31): Passed (Showing an Allow/Block prompt when trying both write and execute.)
    Avast (4.7.1074): Failed
    AVG AS (7.5.1.43): Failed

    Autostart-test:
    Online Armor (2.1.0.31): Passed
    DefenceWall (2.09): Passed
ThreatFire (3.0.8): Failed
WinPatrol (12.2.2007): Failed (Intercepted the autostart change after reboot, but then it would be too late.)
Limited User Account: Failed (Its purpose isn't to prevent programs from running/autostarting; its purpose is to prevent malware from doing too much harm without an extra privilege elevation. But if you don't want the user-specific autorun entry, you can disable it either directly in the registry editor or by group policy.)

    Leak-test:
Didn't run this test since I don't use an outbound filter.

    /C.
     
    Last edited: Nov 23, 2007
  4. Stephen2_Aus

    Stephen2_Aus Registered Member

    Joined:
    Feb 17, 2007
    Posts:
    37
    A beautiful piece of work by the designer...

Using Windows XP SP2, here are my findings:

    1) Eicar creation: Kaspersky Anti Virus 7 - Failed to detect

    2) Autorun key creation: EITHER ProSecurity 1.4PB2 blocked it, OR Limited User Account blocked it. I'm inclined to think Limited User Account because ProSecurity failed test 3

    3) Ping-test:
    Outpost 4 (Latest build): failed (hmm, 30 mins later and not at my computer, I'm thinking maybe I've globally allowed pings out with Outpost). ProSecurity 1.4PB2 failed.

    Damn, how demoralizing....:ninja:
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
So why and/or where is it pinging if you leave the address field blank? o_O
     
  6. Stephen2_Aus

    Stephen2_Aus Registered Member

    Joined:
    Feb 17, 2007
    Posts:
    37
    Sorry Franklin, you lost me?

    I left the ping field with the default IP SSS.exe uses... It said it got a response no problem.

    What I meant above was that I think I have allowed any program to ping anywhere in my firewall setup, so I don't think I really tested Outpost 4 properly.

    Still, maybe I did and it doesn't block all network activity during shutdown.
     
  7. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
Sorry Franklin, that's a bug that I'll fix in Version 1.21. Because this is a one-man operation, I haven't had the time to do extensive testing. :(

Thanks Stephen, it's good to know that it's useful... :)

To clarify on the shutdown question earlier, you should shut down your computer manually from the Start menu. The shutdown button has been left there for convenience, but like I said, your HIPS would probably detect that...

    Thanks gkweb for all your time and help :thumb: :thumb: :thumb: :thumb: :thumb:
     
  8. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Franklin, sorry for the confusion. :ouch:

    By default SSS is configured to ping www.yahoo.com

If you ping yourself (127.0.0.1), it will probably succeed (i.e. it will say the firewall fails). This is OK, and not a fault of the firewall, as loopback connections are not accessible to outsiders and thus usually allowed by firewalls (correct me if I'm wrong).

If you ping another IP address, like the default one, and it fails, then you have a problem.

    I haven't tested this in Vista so it'll be hard to replicate that error message. If the firewall test component doesn't work in Sandboxie, I'll try to contact Tzuk. Otherwise I'll have to rewrite SSS to not use pings and instead send a TCP packet. o_O

    Does anyone know eqsecure's email?
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for the reply dmenace.:)
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    support[at]eqsecure.com
but I never got a reply from them. Solcroft can help you to convey your message to them.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
Seems somehow you misunderstood it. There is no shutdown test. While testing any sandbox, you must use the normal shutdown button instead of shutting down via the leaktest. The system will be shut down partially; then try step 3, which is the actual leak test, and see the results.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yep, the test did prevent Vista from shutting down!

    The app has to be left running in order for this to happen with Sandboxie showing there is an active process still running if hidden.
     
    Last edited: Nov 21, 2007
  14. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
A suggestion for the next version: replace the ping test with TCP. For example, download some harmless text file or upload some text written by the user.
Currently the leaktest is not only testing whether the firewall is working or not, but also the ability of the firewall to block outbound pings with the current rules. Many firewalls (e.g. Kerio 2.15) don't allow application rules for ICMP, only global rules.
     
  15. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
The creator of this should explain things a lot more clearly before people start calling this such a great test, instead of just throwing a post about it on other forums... only causing confusion, and not just for me, obviously.
     
  16. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
It seems pretty straightforward. I've made a few pics to confirm I'm running it correctly and to help anyone who may be confused.

    First step: Open SSS and click on "Intercept System shutdown call".
    Step 1.jpg

    Second Step: Shutdown/Restart PC through Start menu (avoiding any interception of the Shutdown command by a HIPS program)
    Step 2.jpg
    Step 2a.jpg
    Step 2b.jpg

After this is done the GUIs of your programs will shut down, and systray icons will disappear.
    Step 2c.jpg

    Whether their services are running, and they will be effective remains to be seen.
    Will continue.
     
  17. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    Step three: Run the tests (Eicar, Auto Start Registry Key, Outbound Connection) and check results
    Step 3a.jpg
    Step 3b.jpg
    Step 3c.jpg

    Pass or fail, you can now clean up the Eicar and registry entries (if the Reg test ended in a fail) and close SSS
    2007-11-21_165515.jpg
    Step 4a.jpg

    Then just restart your PC.

    So, is that it? Hope this can help.
     
    Last edited: Nov 21, 2007
  18. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @boonie: Which security programs did you test?

    Edit: Sorry, missed the programs in your sig.

    /C.
     
  19. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    NOD32 and Online Armor (Paid)
    Should be noted that I have Allow Echo Request in OA's firewall unchecked (default is allow).
     
  20. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
OK. I had done it correctly for the apps I had on at the time... I think. Avira antivirus passed without any other protection. While I had Comodo 3 on, I'm pretty sure it passed the firewall part even with a global rule, as long as you don't give all permissions to this app. Blows by Windows Firewall (XP) only to be stopped by the el cheapo router. This ICMP going out from the router is totally unnecessary to be enabled, right? Haven't looked at other apps yet.
     
    Last edited: Nov 22, 2007
  21. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    My apologies to Eh_Greg and anyone else who is confused.

    Big thanks to Boonie for their excellent explanation. It is a completely correct understanding. The actual test is at step 3 where you can see if you pass/fail.

    I've released 1.0.21 to fix a possible bug with the ping results.
     
  22. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    Good to see those passed. The confusion wasn't really how to run the test on this end. Was just the apps I was looking at during testing, and some Sandboxie confusion it seemed. SSS seemed to hang a couple times and took about a minute to clear the systray.

    Greg
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
Quoting Tzuk, the author of Sandboxie:
     
  24. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
Hello everyone, thought I would register and say Happy Thanksgiving to everybody, since Franklin mentioned a thread over at SandboxIE that coincides with this thread. Very interesting program indeed dmenace, keep up the good work. Anyone that hasn't visited SandboxIE as yet is of course very welcome; it's a pretty fun setup over there. (I'm not connected in any way, just a frequent poster.) I'll lurk around a little bit here and see what I can learn. I am of the 'less is more' philosophy when it comes to computer security, but there is merit in many different approaches. Anyway, hope everyone stays happy and safe this holiday. C ya.
    mitche323
     
  25. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    You are welcome :) Thanks to you for your great tool ;)

    Regards,
    gkweb.
     