A virus passes Sandboxie

Discussion in 'sandboxing & virtualization' started by a256886572008, Oct 24, 2009.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    There are two anti-malware programs on my computer.

    COMODO Firewall 3.12.111745.560

    Sandboxie 3.40

    XP SP3, NTFS

    1. I execute a virus sandboxed.

    2. COMODO displays an alert: "virus access the memory of explorer.exe"

    3. I click allow.

    4. The virus passes Sandboxie, because it creates a file
    "C:\WINDOWS:svchost.com"
    out of the sandbox.

    --------------
    Then I uninstall COMODO Firewall.

    The virus cannot pass Sandboxie.
     
    Last edited: Oct 25, 2009
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    did you delete the sandbox?
     
  3. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Keep Sandboxie.

    Cheers
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I mean if he deletes the sandbox the virus will be gone :)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,055
    Check the sandboxie forum. I believe there was an issue between Comodo stuff and Sandboxie.

    I agree that I'd keep Sandboxie myself.
     
  6. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Be sure to read the entire thread: http://www.sandboxie.com/phpbb/viewtopic.php?t=5253&highlight=comodo
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    There was a similar issue when testing some of Matousec's POCs sandboxed with Malware Defender present. The POCs would bypass Sandboxie when Malware Defender was installed. Uninstalling Malware Defender was the only workaround at the time. Tzuk fixed the issue with 3.40. I would post your findings at the Sandboxie forum along with a link to your sample.
     
  8. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    What if you have only some programs be the only programs allowed to run in Sandboxie? I'm sure that will stop this problem.
     
  9. reinwald

    reinwald Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    54
    Location:
    Philippines
    That's why Sandboxie is the best :D
     
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Heh take that malware. :p
     
  11. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Isn't this the same guy who is always posting links directly to viruses, trying to get members of this forum infected? Check his post history, I'm pretty sure it's the same guy. That being said, who really cares if he got a virus on his PC? I for one could care less :cautious:
     
  12. reinwald

    reinwald Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    54
    Location:
    Philippines
    Well, looking again at his username... looks kind of fishy already!
     
  13. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Which one is your file system?

    NTFS FAT32
     
  14. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    That's it!! Dump a full clip of hollow points on the messenger!!

    No, seriously, I have never understood why people post these "I have found a giant hole in, or this malware owns, Sandboxie, Returnil, DefenceWall, etc!!"
    threads here, before they raise the issue at the website forum of the application concerned.
    If the issue is real, it is from there that it will be solved.
     
  15. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Last edited: Oct 25, 2009
  16. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
  17. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    When you click "allow", you are letting Comodo take control of that file and remove it from Sandboxie's protection. Comodo is doing what you wouldn't normally allow - it is taking an infected file out of the secure sandbox and moving it to your real hard drive. Sandboxie does not prevent a user from moving files out of the sandbox. This process is called "recovery" and is normally used when a downloaded file has been deemed safe to move on to the real hard drive.

    Rule #1 for Sandboxie. We don't ourselves move programs out of the sandbox and execute them unless we are reasonably certain that they are safe.
    Rule #2 for Sandboxie. We don't allow programs on our computer to move programs out of the sandbox and/or execute them unless we are reasonably certain they are safe.
     
    Last edited: Oct 25, 2009
  18. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Clicking allow should not mean that the end user is letting any program dictate actions to SB.
    That just does not make sense.

    "Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. "

    I don't understand why people are saying it's user error when SB has allowed another program, in this case Comodo, to recover a file.
    Also, telling people to modify programs to stop this action would leave the novice or average user, those not involved in this forum, in the position of not being protected properly.

    I use SB paid and enjoy the protection it affords. But the posts here and at the SB forum which was linked to in this thread do make me feel vulnerable.
    Nothing should be able to get to my drive when I'm running SB.
    However, I also know that Tzuk is fantastic about addressing problems.
    Hugger
     
  19. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Doesn't make sense to you, perhaps..

    Sandboxie only controls the sandbox and what is initiated from within. It doesn't make the user smart, nor does it prevent the user from doing things to harm their own computer. If you take something out of the sandbox or allow other programs to take something out of the sandbox, all bets are off. These actions referred to in this thread are not occurring remotely, by outside users or those interested in doing you harm. The actions of Comodo in this instance are essentially user-initiated or user-condoned actions - imo not much different than allowing a batch file to copy files out of your sandbox...

    If you allowed a batch file to copy files out of the sandbox, I would say you were foolish to do so.. I wouldn't blame it on Sandboxie... And if you allow Comodo to do the same thing, I say the same thing.... It's your fault.
     
  20. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Cadillakin,
    I understand what you are saying.
    But 'or allow other programs to take something out of the sandbox' is where I have a problem.
    When I read the SB web site and then read your statement I think that they are conflicting statements.
    Sandboxie has its control over what goes to the hard drive.
    Shouldn't that be the only way for SB to be manipulated?
    Thanks.
    Hugger
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Doesn't make sense to me either. Clicking 'allow' on Comodo is surely allowing the action that would otherwise have occurred without Comodo installed. I don't see any "actions of Comodo". Clicking allow means "don't take any action" for Comodo. The virus was initiated from within the sandbox after all.

    EDIT: or are you saying that by clicking "allow" then Comodo proactively performs the action that would otherwise have been allowed? i.e. it didn't just suspend the action.
     
    Last edited: Oct 25, 2009
  22. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Tried it out and Avast alerted me to a virus and had me disconnect.
     
  23. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Your understanding is definitely wrong. Comodo is neither taking any control nor is it moving the file anywhere. Allow only means that it's allowing the said application to access explorer.exe in memory. That's all.
     
  25. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I can confirm what you see. If I execute XueTr before I run vvv.exe sandboxed (on a clean XP SP3), LADS and GMER will detect new alternate data streams. The real registry is written to as well...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5C866437-FC0B-FAE8-6D9C-920BD098F52B}]
    "StubPath"="C:\\WINDOWS:svchosv.com"
     
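The registry entry nick s quotes is an Active Setup component whose StubPath points at an alternate data stream attached to the WINDOWS directory, the same kind of path as the OP's C:\WINDOWS:svchost.com. Active Setup runs each component's StubPath once per user at logon, so the stream both hides the payload from an ordinary directory listing and gives it persistence. A defender can check for this without LADS or GMER by exporting the key and flagging any StubPath image with a second colon. The script below is an added example for this thread, not code from Sandboxie, Comodo or any poster; it parses a constructed .reg export (only the GUID and stream name from nick s's post are real, the other GUIDs and paths are placeholders) so it runs anywhere, and the `reg export` command and the UTF-16 encoding of real exports are assumptions about reg.exe that you should verify on your own system.

```python
r"""Flag Active Setup entries whose StubPath launches from an NTFS alternate data stream.

Added example for this thread, not code from Sandboxie, Comodo or any poster.
It works on a .reg export instead of the live registry, so it runs anywhere.
On a real machine, export the key first (assumed reg.exe usage), for instance:
    reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" active_setup.reg
and read that file with open(path, encoding="utf-16") since reg.exe writes UTF-16LE with a BOM.
"""
import re
from typing import Dict, List

ACTIVE_SETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Constructed sample export.  The middle entry mirrors the one quoted in the thread
# (C:\WINDOWS:svchosv.com is a stream attached to the WINDOWS directory, not a file
# inside it); the other two GUIDs and paths are placeholders for benign entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="\"C:\\WINDOWS\\system32\\example1.exe\" -BaseSettings"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5C866437-FC0B-FAE8-6D9C-920BD098F52B}]
"StubPath"="C:\\WINDOWS:svchosv.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Program Files\\Example\\setup.exe\" /quiet"
"""

# "Name"="value" lines; both sides may contain the .reg escapes \\ and \"
REG_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg_string(value: str) -> str:
    # Undo .reg string escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} for the REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = REG_VALUE_LINE.match(line)
        if match and current is not None:
            name, value = (unescape_reg_string(g) for g in match.groups())
            keys[current][name] = value
    return keys


def extract_image_path(command: str) -> str:
    """First token of a StubPath command line: the quoted path if present, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def is_alternate_data_stream(path: str) -> bool:
    r"""A drive-letter path with a second colon names an NTFS stream, e.g. C:\WINDOWS:svchosv.com."""
    match = re.match(r"^[A-Za-z]:(.*)$", path)
    remainder = match.group(1) if match else path
    return ":" in remainder


def find_suspicious_stubpaths(text: str) -> List[dict]:
    """Report Active Setup components whose StubPath executable lives in an alternate data stream."""
    findings: List[dict] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(ACTIVE_SETUP_KEY.lower()):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        image = extract_image_path(stub)
        if is_alternate_data_stream(image):
            findings.append({
                "component": key.rsplit("\\", 1)[-1],
                "stubpath": stub,
                "image": image,
                "reason": "StubPath executable is an NTFS alternate data stream",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_stubpaths(SAMPLE_REG_EXPORT):
        print(f"{finding['component']}: {finding['image']} ({finding['reason']})")
```

Run against the sample it reports only the thread's component; on a real export it is a quick triage step before pulling a GMER or LADS listing, and a hit should be treated as a persistence mechanism to remove together with the stream it names.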