GMER and Sandboxie

Discussion in 'other anti-malware software' started by overworkedmonkey, Oct 9, 2011.

Thread Status:
Not open for further replies.
  1. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    I ran GMER today and it returned a list of files in path %systemdrive%\sandboxie\windows\*.* that GMER detected as possible malware and rootkit. Is there a list of files or services that Sandboxie hooks into that may cause GMER to detect it as malware or rootkit activity?
     
  2. tomazyk

    tomazyk Guest

    I tried to scan and it didn't find anything in the sandbox (even when I had programs open under Sandboxie supervision). Try to terminate all programs in the sandbox and delete the content and see if that will change things.
     
  3. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    Thanks Tomazyk. I don't have the PC in front of me but have included the results below. I'll give your suggestion a go but would be keen to know why GMER detected it as possible malware or a rootkit.

    Library C:\Sandbox\*****\DefaultBox\drive\C\Windows\system32\SSPICLI.DLL (*** hidden *** ) @ C:\Program Files\Sandboxie\SandboxieRpcSs.exe [580] 0x754D0000
    Library C:\Sandbox\*****\DefaultBox\drive\C\Windows\system32\SspiCli.dll (*** hidden *** ) @ C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [1184] 0x754D0000
    Library C:\Sandbox\*****\DefaultBox\drive\C\Windows\system32\USERENV.dll (*** hidden *** ) @ C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [1184] 0x74C50000
    Library C:\Sandbox\*****\DefaultBox\drive\C\Windows\system32\profapi.dll (*** hidden *** ) @ C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [1184] 0x75590000
    Library C:\Sandbox\*****\DefaultBox\drive\C\Windows\system32\WINSPOOL.DRV (*** hidden *** ) @ C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [1184] 0x6FFD0000
    Library C:\Sandbox\*****\DefaultBox\drive\C\Windows\system32\MPR.dll (*** hidden *** ) @ C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [1184] 0x70080000
     
  4. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Well, any news?
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    If those files are hooked by Sandboxie RPCSS and DCOM it may be normal.
     
  6. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    Sorry, no, as I haven't been able to get in front of my PC due to work commitments. I'll definitely give it a go today. I also ran a scan using Malwarebytes and SuperAntiSpyware, which yielded no results.
     
  7. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    Is there a list of files that Sandboxie hooks into?
     
  8. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    I ran GMER without any application being sandboxed and it was absolutely fine. However, what does this mean? Why does it return the message when I have an application sandboxed?
     
  9. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Did you notify the Sandboxie Forum?
     
  10. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    Yes I have. Seems odd that GMER would consider Sandboxie as malware or a rootkit.
     
  11. tomazyk

    tomazyk Guest

    Which applications were running under Sandboxie at the time of detection? Which version of GMER and Sandboxie did you use? Which OS?
     
  12. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    I was running Firefox. The scan was completed using the latest version of GMER. Again, sorry, I am not in front of my PC, but I believe it was 3.4.8. The OS is Windows 7.
     
  13. tomazyk

    tomazyk Guest

    I've tested it again and got similar results.

    I've got two kinds of detected anomalies:

    .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] ntdll.dll!RtlAdjustPrivilege 7781BC3A 5 Bytes JMP 00402010 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe (Sandboxie COM Services (DCOM)/SANDBOXIE L.T.D)
    .text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] ntdll.dll!NtAdjustPrivilegesToken 77855268 5 Bytes JMP 7D24F7B7 C:\Program Files\Sandboxie\SbieDll.dll (Sandboxie User Mode DLL/SANDBOXIE L.T.D)

    and

    IAT C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] @ C:\Windows\system32\advapi32.dll [KERNEL32.dll!GetProcAddress] [758EFFF6] C:\Windows\system32\AppHelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] @ C:\Windows\system32\user32.dll [KERNEL32.dll!GetProcAddress] [758EFFF6] C:\Windows\system32\AppHelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758EFFF6] C:\Windows\system32\AppHelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758EFFF6] C:\Windows\system32\AppHelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] @ C:\Windows\system32\rpcss.dll [KERNEL32.dll!GetProcAddress] [758EFFF6] C:\Windows\system32\AppHelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    I guess that SBIE hooks into some system resources so it can do its work. I would not be concerned about it.

    I doubt that there is a list of objects SBIE hooks into. It probably all depends on what applications are running under SBIE control and what resources those applications require to run in the virtual environment.

    I tested it with FF 7.0.1 under SBIE 3.58, GMER 1.0.15.15641, Windows 7 SP1.
     
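A small triage parser for GMER hook lines of the two kinds quoted in the post above, added here as an example (it is not GMER's or Sandboxie's code). It tags each .text and IAT hook as expected when the module the hook jumps into carries a known vendor string and lives in that vendor's directory, and leaves everything else for review. The sample log is constructed from the quoted lines plus one made-up explorer.exe hook, and the vendor-to-directory table is an assumption for this machine.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the GMER lines quoted in this thread, plus one
# made-up hook (explorer.exe -> C:\Users\Public\upd.dll) that carries no version info.
SAMPLE_LOG = r"""
.text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] ntdll.dll!RtlAdjustPrivilege 7781BC3A 5 Bytes JMP 00402010 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe (Sandboxie COM Services (DCOM)/SANDBOXIE L.T.D)
.text C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] ntdll.dll!NtAdjustPrivilegesToken 77855268 5 Bytes JMP 7D24F7B7 C:\Program Files\Sandboxie\SbieDll.dll (Sandboxie User Mode DLL/SANDBOXIE L.T.D)
IAT C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe[2432] @ C:\Windows\system32\advapi32.dll [KERNEL32.dll!GetProcAddress] [758EFFF6] C:\Windows\system32\AppHelp.dll (Application Compatibility Client Library/Microsoft Corporation)
.text C:\Windows\explorer.exe[1000] ntdll.dll!NtQueryDirectoryFile 77855ABC 5 Bytes JMP 00A1B2C3 C:\Users\Public\upd.dll
"""

# Inline hook: ".text <proc>[pid] <dll!func> <addr> <n> Bytes JMP <target> <module> (<product>/<vendor>)"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+"
    r"[0-9A-F]+\s+(?P<module>.+?\.(?:dll|exe))(?:\s+\((?P<desc>.*)\))?\s*$", re.I)
# IAT hook: "IAT <proc>[pid] @ <importing dll> [<dll!func>] [<target>] <module> (<product>/<vendor>)"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+.+?\s+\[(?P<func>[^\]]+)\]\s+\[[0-9A-F]+\]\s+"
    r"(?P<module>.+?\.(?:dll|exe))(?:\s+\((?P<desc>.*)\))?\s*$", re.I)

# Assumed table: vendors whose hooking is expected on this machine, and the directory
# their hook module must live in. GMER prints the file's version-info strings, not a
# signature check, so this is triage input, not verification of the file itself.
KNOWN_HOOKING = {
    "SANDBOXIE L.T.D": "c:\\program files\\sandboxie\\",
    "Microsoft Corporation": "c:\\windows\\system32\\",
}

# kind: "inline" or "IAT"; module: file the hook jumps into; expected: vendor known and module in its dir
Hook = namedtuple("Hook", "kind process pid function module vendor expected")

def parse_gmer_line(line):
    """Parse one GMER .text or IAT line into a Hook; return None for anything else."""
    for kind, rx in (("inline", INLINE_RE), ("IAT", IAT_RE)):
        m = rx.match(line)
        if not m:
            continue
        desc = m.group("desc")
        vendor = desc.rsplit("/", 1)[-1].strip() if desc else None
        prefix = KNOWN_HOOKING.get(vendor, "")
        expected = bool(prefix) and m.group("module").lower().startswith(prefix)
        return Hook(kind, m.group("proc"), int(m.group("pid")), m.group("func"),
                    m.group("module"), vendor, expected)
    return None

def triage(log):
    """Parse every hook line in a GMER log; returns (expected, needs_review) lists."""
    hooks = [h for h in (parse_gmer_line(l.strip()) for l in log.splitlines()) if h]
    return [h for h in hooks if h.expected], [h for h in hooks if not h.expected]
```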
  14. overworkedmonkey

    overworkedmonkey Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    55
    Interesting. So does this mean it is a false positive?
     
  15. tomazyk

    tomazyk Guest

    You can say it is a "false positive", but I wouldn't call it that.

    A lot of legit programs (especially security software) use hooking for security purposes. Let's say Malware Defender uses SSDT hooks to control a lot of system functions. That way it can intercept all calls to those functions from programs and also from malware. On a 32-bit system this is an advantage software can use against badware. So you don't have to worry about those detections; just ignore them.
     