Icesword cuts through Sandboxie like butter

Discussion in 'other anti-malware software' started by TNT, Nov 3, 2005.

Thread Status:
Not open for further replies.
  1. oldBear

    oldBear Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    37
    Which "this" are you referring to?

    cheers
     
  2. khazars

    khazars Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    124
    Location:
    Glasgow, Scotland
    icesword!
     
  3. oldBear

    oldBear Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    37
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Just in case somebody is reading this without reading the rest of the thread, I'll repeat what I said here in a later message and in the other: unlike what the subject says, IceSword is actually NOT able to break out of Sandboxie in normal conditions. I mistakenly thought I had found a Sandboxie security flaw at first, but this was not the case: Sandboxie DOES block IceSword from running at kernel level, unless IceSword has been executed outside the sandbox beforehand.

    If IceSword is executed outside the sandbox, it loads its kernel driver, which is not "unloaded" when the IceSword program is shut down; only for this reason is Sandboxie unable to stop it later on. If you start IceSword only in the sandbox, it won't run, because Sandboxie will block it from loading its driver. So this is not a flaw in Sandboxie. :)
     
  5. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hm :doubt: , I recognize I didn't test it at the time this thread was active, as I didn't want to be polemical, but now that you've raised it again...

    I've tried the same procedure as yours, loading IceSword outside BufferZone, using it and closing it;
    then I sent IceSword into BZ, and I must say my result is still different from yours: though the driver was previously loaded, IceSword is unable to gain access to it, and I get the "Initialization Failed[3]" error message. IceSword is running in Task Manager, but the GUI doesn't load, and you can't kill its process (which is using 80-90% CPU :ouch: in such circumstances). So yes, it's loaded somehow in BZ, but in a way you couldn't use it: it seems BZ's driver protection is complete: it can't stop it either, but it can prevent its access outside of BZ.

    Cheers,
    nicM
     
  6. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Should apps like Ice Sword unload all drivers or is it proper that they don't?
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, I don't think it really matters whether a malware reaches out of a sandbox or not, if it was already allowed to work at kernel level outside of the sandbox before: it sure would have been able to do any damage it wanted anyway, and the defense mechanisms could not be trusted anymore (they could have been modified by the malware itself). The flaw in my analysis of the scenario in the first message is simply that I had not considered that IceSword could have left the kernel modified even when the executable was shut down (which in fact it did: its driver was still loaded).

    The purpose of the sandbox is to test the file and contain the possible malware, stopping it from modifying the operating system or files outside the sandbox. If the malware had the 'upper hand' already (working as part of the kernel), and it 'knew' about the sandbox, the sandbox mechanism might be toast already.

    I don't consider that Sandboxie scenario a flaw at all: the purpose of Sandboxie is to contain anything executed in the sandbox, not outside of it.
     
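    The point TNT makes in posts 4 and 7 (a kernel driver loaded outside the sandbox stays resident after the program that loaded it exits) is easy to verify on your own machine. The script below is an added example, not code from the thread or from Sandboxie, BufferZone or IceSword: it snapshots the registered kernel drivers via the Win32_SystemDriver CIM class before and after you run a tool, and reports any driver that is new or newly started and still "Running" once the tool has been closed. It assumes an elevated PowerShell prompt on Windows; the tool path in the comment is a placeholder.

```powershell
# Added example (not from the thread): snapshot the loaded kernel drivers
# before and after running a tool, to see whether its driver remains resident
# once the program has exited. Run from an elevated PowerShell prompt.

function Get-DriverSnapshot {
    # Win32_SystemDriver lists kernel-mode drivers registered as services;
    # State "Running" means the driver is currently loaded in the kernel.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Select-Object Name, State, StartMode, PathName
}

function Compare-DriverSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    $beforeByName = @{}
    foreach ($d in $Before) { $beforeByName[$d.Name] = $d }

    foreach ($d in $After) {
        if ($d.State -ne 'Running') { continue }
        $old = $beforeByName[$d.Name]
        if ($null -eq $old) {
            # The driver was not registered before the tool ran and is loaded
            # now: the tool installed and started it, and it outlived the process.
            [pscustomobject]@{ Name = $d.Name; Change = 'new, still running'; Path = $d.PathName }
        } elseif ($old.State -ne 'Running') {
            # Registered earlier but only started by the tool, and not stopped on exit.
            [pscustomobject]@{ Name = $d.Name; Change = 'started, still running'; Path = $d.PathName }
        }
    }
}

# --- usage ---
$before = Get-DriverSnapshot
# Run the tool under test here, use it, and close it normally before taking
# the second snapshot. Placeholder path, replace with the real one:
# Start-Process -FilePath 'C:\path\to\tool.exe' -Wait
Read-Host 'Run and close the tool, then press Enter'
$after = Get-DriverSnapshot

$resident = Compare-DriverSnapshot -Before $before -After $after
if ($resident) {
    "Kernel drivers still resident after the tool exited:"
    $resident | Format-Table -AutoSize
} else {
    "No new or newly started drivers remain loaded."
}
```

    One caveat: Win32_SystemDriver only shows drivers registered through the service database, so a driver loaded by some other route will not appear in the diff; `sc.exe query type= driver` has the same limitation. That is exactly the blind spot tools like IceSword exist to cover, which is why, as post 7 says, a system where unknown code already ran at kernel level cannot be trusted to report on itself.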
  8. Ranger Bob

    Ranger Bob Registered Member

    Joined:
    Nov 9, 2002
    Posts:
    53
    Location:
    Florida
  9. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Yes, I concur :) , it's just a difference of behaviour in communication between the sandboxed zone and the normal one: in any case NOT the way the sandbox protection is meant to be used, for both Sandboxie and BufferZone.

    Cheers,
    nicM
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands