Antivirus software is 'increasingly useless' and ...........

Discussion in 'backup, imaging & disk mgmt' started by bgoodman4, Jul 8, 2016.

  1. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    With fileless malware, while I've never tested with Sandboxie, I suppose you could add a few more precautions to the mix by looking at the methods through which they work.
    Taking Poweliks, Gootkit, and Angler EK as examples, they utilise things like rundll, powershell, and the registry to run scripts:
    http://blog.trendmicro.com/trendlab...e/poweliks-malware-hides-in-windows-registry/
    http://blog.trendmicro.com/trendlab...eliks-levels-up-with-new-autostart-mechanism/
    https://www.symantec.com/security_response/writeup.jsp?docid=2010-051118-0604-99&tabid=2
    https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/

    Blocking rundll outright might not be usable, and looking at the Sandboxie documentation you can't block write access to the virtual registry within a sandbox. You could, however, blacklist things like powershell.exe, wscript.exe, etc. and get a warning that way. Also you'd easily see excessive rundll processes running.

    Also there's the fact that many of these malware use sandbox/virtualisation detection in order to make it harder for security researchers, so if they detected Sandboxie then many of these probably wouldn't run anyway.
     
    Last edited: Jul 14, 2016
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Yes, you can block a sandboxed program from writing to registry keys within the sandbox by using either of these two Sandbox settings (ReadKeyPath or ClosedKeyPath).
    http://www.sandboxie.com/index.php?ClosedKeyPath
    http://www.sandboxie.com/index.php?ReadKeyPath

    Better to use ReadKeyPath, better usability. Regarding allowing rundll to run: I don't, and it doesn't cause me any usability issue for not doing so. When I see the message (something rare for me, I only see it in IE when doing specific things, and I don't use IE) about rundll attempting to run, I close it and continue doing what I am doing.

    So, I don't allow rundll, but in my opinion, if someone experiences browser freezing when rundll attempts to run (this can happen on some computers), then rundll should be allowed in Sandbox settings. There is nothing dangerous about doing that. If we allow rundll.exe to run, the only rundll.exe that's allowed to run is the one that's installed on our computer. If malware using the name rundll.exe gets downloaded in the sandbox and attempts to run, it won't be allowed. I think that works very nicely. :)

    Bo
     
  3. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Thanks for the clarification. I had misread this line:
    "Note: this setting does not apply to sandboxed items. It only blocks access to items outside the sandbox, that have not yet been copied into (or created) in the sandbox."

    I've just installed Sandboxie and tried to merge a .reg in a blocked registry location. Unfortunately it doesn't seem to give a warning that a registry write attempt was blocked, so looks like we can't use the registry blocking feature as a detection method.

    It's still useful to block access to Autorun locations anyway, especially the Windows Thumbnail Cache trick in HKEY_CURRENT_USER\Software\Classes\CLSID which would mean something like Poweliks would activate any time you saw icons in explorer.

    The main danger of dllhost or rundll32 is more about them being used to host a malware DLL or to run malicious JavaScript, such as seen with fileless malware like Poweliks.

    The problem with blocking these in Sandboxie: when using the Save As dialogue to download a file in the browser, dllhost will run due to hosting the Windows Thumbnail Cache (thumbnails.dll). This will mean getting the SBIE1308 warning repeatedly. It's possible to suppress all such warnings, but then you won't have the "early warning" if an exploit was ever successful. Alternatively you can allow dllhost in Sandboxie, but this means that there is a potential security hole.

    In reality a browser with a low surface area for attack will make it unlikely to ever be vulnerable to an exploit kit.
     
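    As a defender's check on the per-user CLSID location mentioned above, here is an added PowerShell audit. It is my own example, not code from this thread, from Sandboxie or from the linked vendor write-ups. It walks HKCU\Software\Classes\CLSID, reads each class's InprocServer32/LocalServer32 server path, and flags entries that shadow a machine-wide (HKLM) registration, point at a script host or launcher, or live outside the Windows and Program Files directories. The function name and the flag patterns are my assumptions, not a vendor or Microsoft list.

```powershell
# Added example for this thread (not code from the posts, Sandboxie or the
# linked write-ups): list every COM class registered in the per-user hive and
# flag entries worth a second look. The patterns below are my own heuristics.

function Get-UserClsidServers {
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    $windowsDir  = [Environment]::GetFolderPath('Windows')      # usually C:\Windows
    $trustedDirs = @($windowsDir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                   Where-Object { $_ }
    # Script hosts and launchers that have no business being a COM server path.
    $hostPattern = 'rundll32|powershell|wscript|cscript|mshta|cmd\.exe|javascript:|vbscript:'

    if (-not (Test-Path -LiteralPath $userRoot)) { return }

    foreach ($clsidKey in Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverName in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path -Path $clsidKey.PSPath -ChildPath $serverName
            if (-not (Test-Path -LiteralPath $serverKey)) { continue }

            # The unnamed (default) value holds the DLL path or command line.
            $server = [string](Get-Item -LiteralPath $serverKey).GetValue('')
            if ([string]::IsNullOrWhiteSpace($server)) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($server).Trim('"')

            $findings = @()
            # A per-user entry for a CLSID that also exists under HKLM overrides the
            # machine-wide server for this user only: classic COM-hijack persistence.
            if (Test-Path -LiteralPath (Join-Path -Path $machineRoot -ChildPath $clsid)) {
                $findings += 'shadows an HKLM registration'
            }
            if ($expanded -match $hostPattern) {
                $findings += 'script host or launcher in server path'
            }
            if ($expanded -notmatch '\.(dll|exe|ocx)\b') {
                $findings += 'server is not a .dll/.exe/.ocx path'
            }
            $inTrustedDir = $false
            foreach ($dir in $trustedDirs) {
                if ($expanded -like "$dir\*") { $inTrustedDir = $true }
            }
            if (-not $inTrustedDir) { $findings += 'outside Windows/Program Files' }

            [pscustomobject]@{
                Clsid    = $clsid
                Kind     = $serverName
                Server   = $server
                Findings = ($findings -join '; ')
            }
        }
    }
}

# Show only flagged rows; an empty Findings column means nothing stood out.
Get-UserClsidServers | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

    Two caveats when running it: HKCU is the current user's hive only, so repeat the check per profile (or via HKEY_USERS) on a shared machine, and 32-bit COM registrations on 64-bit Windows sit under the Wow6432Node subkey, which this walk does not visit. A hit is a lead, not a verdict: some legitimate software does register per-user classes, so compare the server binary against what the vendor ships before acting.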
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Yes, you don't get Sandboxie messages about blocked registry keys. The only kind of messages you'll get regarding blocked keys is a Windows error message that might get triggered when a program running in the sandbox can't work well if it requires access to a key you are blocking. If that happens, change the setting to ReadKeyPath. It's very likely the sandboxed program will work well afterward and without error.

    About allowing dllhost: I allow it to run in W7. In the past I also had the message hidden, or where I just close the message and continue using File Explorer. I feel confident dealing with rundll and dllhost whichever way.

    Bo
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I wouldn't say they are useless, but the question is how effective they truly are. But I would still advise standard users (90% of the world) to use one. More experienced users can do without them. I would also use one if they weren't so bloated and privacy invading. Here is another article:

    http://www.cbc.ca/news/technology/antivirus-software-1.3668746
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Windows and browsers are progressively becoming more secure out of the box. Hence, the reason why AVs are becoming less relevant.
     
  7. guest

    guest Guest

    I agree, take Edge for example; now you have no reason not to use it as your main browser (except some personal taste about the design or customization); it has extensions and runs in AppContainer (only Chrome-based browsers can do it).
     
  8. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Agree completely.
    Also, I see that with AU, Edge 14 sandboxes Flash in a separate AppContainer process.
     