Is there malware that can beat sandbox programs?

Discussion in 'sandboxing & virtualization' started by Subgud, Dec 12, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have played with Sandboxie in the early days. Like GeSWall and DefenseWall, those occasional bypasses never forced me to restore an image. There are bypasses where you can touch things which should not be possible, and there are bypasses where you own the system. I can't recall any of the latter (with DW or SBIE).

    Regards Kees
     
  2. Subgud

    Subgud Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    151
    Location:
    Norway
    I have been trying to be infected by going to malwaredomainlist and loading many of the latest malware there. Every time I shut down Sandboxie, everything that has been loaded has been deleted.

    I like Sandboxie and I will keep it. The one thing that I am not sure about is if I should stick with MSSE or move to a security suite with a firewall. I am using my computer on different networks (wireless) and I am thinking maybe I should have a firewall. But this is probably something to discuss on another thread!

    Cheers guys!
     
  3. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241

    How about you post any findings like these on the Sandboxie site forum, where you will not be banned but appreciated for alerting and helping Tzuk find any holes in his program. ;) Otherwise don't post baseless accusations without your specific type of proof. The case could be that you forgot to run your browser sandboxed, etc.

    Sure, Sandboxie has been bypassed before, but that was due to it letting a type of sandboxed program request slide (ones concerning shared service memory, if I recall). Also, you keep talking about how an annoying joke program "supposedly bypassed" SBIE; well, it doesn't modify files or the registry outside. It also doesn't inject code. Anyway, this annoyance has been mitigated in the current beta release of Sandboxie. Bear in mind, guys, that this is all one developer's work, and this is a beast of a program that provides VM-grade security, if not even more.
     
  4. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Subgud, this is by far a great technique you are using to test Sandboxie's capabilities against malware in general and specifically drive-bys. But I gotta ask, do you have the start/run restriction enforced or not? If your mission is to test this software, then try having your browsing session done in a DefaultBox, which should still block anything. If you ever find a breach, be sure to let us know at http://sandboxie.com/phpbb/
     
  5. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    I never said anything about a joke program.
    If it happens again I'll put it in the Sandboxie forum.
    The browser was sandboxed, as it is now.
    You want proof? A link would be against the TOS.
    Call it a baseless accusation if you want, but it ain't.
    It is what happened to me.
    Like it or lump it.
    I still use Sandboxie + Returnil 2008 :rolleyes:
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Yeah, I meant the former, where you restrict the sandbox to only running your browser, for example.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Imho, the question should never be if it can be bypassed, but how likely it is to be. The answer to question number one is yes, it can. Everything can be bypassed. Just because there is no proof of concept doesn't mean it can't be. However, that leads us to question two, being how likely it is to be bypassed. That answer is: very unlikely.

    Malware can't just "show up" and own your system; there have to be open windows for malware to climb through, be that unpatched browser holes/improper settings, downloading files and running them without scanning them with a good security program first (in which case you deserve to be infected), or a lack of any security on the system.

    If you close all the windows, you're 99% safe, never 100%. The reason for that is simple: the fight between the good guys and bad guys is never-ending. Sometimes the bad guys get the upper hand; it's called life, and as long as imperfect humans create anything, there will always be that slight risk. Secure your system as best you can, and go sleep peacefully.
     
  8. Subgud

    Subgud Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    151
    Location:
    Norway
    Hi!

    When I tested it, I used Internet Explorer 8 in a default sandbox with default settings. I have not tweaked Sandboxie in any way. And that is what is so nice about it: using it straight out of the box, it is really good. The only thing I have done with Sandboxie is force IE8 and Chrome to run in the default sandbox.

    I must say that I am not a tester in any way. My computer skills are far from that point. I tested this for my own knowledge and understanding.
     
  9. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    In that way you achieve less protection (maybe 85%); you must tweak SB (which is easy when you learn how) in order to make it 99.999999% :)
     
  10. Subgud

    Subgud Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    151
    Location:
    Norway
    I don't know how to tweak Sandboxie. I only know how to use it with default settings. Is there an easy way to tweak it?
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It's easy enough to tweak Sandboxie. Just open up the SBIE control panel, click on the 'Sandbox' tab, highlight the sandbox you wish to modify and click 'Sandbox Settings'.

    You'll then see the screen pictured, where you can adjust numerous settings.
     


  12. Subgud

    Subgud Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    151
    Location:
    Norway
    I have been making some adjustments to the settings. Not much, though: forcing all browsers to run sandboxed, and deleting the contents of the sandbox on shutdown.

    I don't see anything else I should "tweak". But I don't know more than that.
     
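    The settings Subgud describes above (browsers forced into the box, contents emptied when the box closes) and the Start/Run restriction Serapis asked about earlier, written out as Sandboxie.ini directives. This is an added example, not from any post in the thread; the box name DefaultBox and the browser executable names are assumptions, and the ProcessGroup/ClosedIpcPath pair is how I recall the Restrictions > Start/Run Access page recording its choice, so compare it against the lines the GUI writes to Sandboxie.ini on your own machine before relying on it.

```ini
# Added example: one sandbox section in Sandboxie.ini (not from the thread).
# Box name and program names are assumptions; adjust to your own setup.
[DefaultBox]
Enabled=y

# Sandboxed programs run with administrator rights stripped.
DropAdminRights=y

# Launching these browsers anywhere on the system pulls them into this box,
# so a "forgot to run it sandboxed" mistake cannot happen.
ForceProcess=iexplore.exe
ForceProcess=chrome.exe

# Start/Run restriction (assumed form): only members of the group may run
# inside the box; anything else a drive-by drops and tries to launch is denied.
ProcessGroup=<StartRunAccess>,iexplore.exe,chrome.exe
ClosedIpcPath=!<StartRunAccess>,*

# Sandboxed programs may not read or write files on network shares.
BlockNetworkFiles=y

# Everything written inside the box is discarded when the last program
# in it exits, which is the "deleted on shutdown" behaviour described above.
AutoDelete=y

# Folders for which Sandboxie offers "recover to real system" prompts;
# a download lands here only after you explicitly recover it.
RecoverFolder=%Desktop%
RecoverFolder=%Personal%
```

    With AutoDelete=y, a file you meant to keep is gone once the browser closes unless you recovered it first, so the RecoverFolder prompts are the point at which you decide whether to scan a download before it touches the real disk.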
  13. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Take a look here; a number of optimising threads are listed ;)
     
  14. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    721
    Do you mean you only have Sandboxie and MSE, no AV, firewall, etc.?
     
  15. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    In regard to Sandboxie, when I come across an MPG file I want to download, Sandboxie doesn't give me an option to save it in the sandbox. It only opens a window where I have to select C:/users/mozart/downloads

    So how do I tell Sandboxie to save files inside itself?
     
  16. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'm not sure I follow exactly what you mean because any file that you download from a sandboxed browser will be automatically sandboxed itself unless you choose to recover it to one of the designated locations.
     
    Last edited: Jan 16, 2010
  17. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    OK, let me give an example. When browsing through IE in Sandboxie, I visit a website which has an MPG file. I need to right-click on that file and choose "Save as". So I then need to scroll to the C:/Sandboxie/ folder and save it, right?

    Isn't there a way to tell Sandboxie to automatically save everything into the sandbox?
     
  18. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    If you want to know how Sandboxie works, there is a lot of information on the Sandboxie site.

    I get the feeling that you are thinking it works differently than it does.

    Go through the Help file slowly.

    Main page
    http://www.sandboxie.com/

    Forum
    http://www.sandboxie.com/phpbb/

    Help
    http://www.sandboxie.com/index.php?HelpTopics
     
  19. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    The point is that anything you download using a sandboxed browser will be automatically saved within that sandbox unless recovered to an area designated in the settings or by manually recovering it. All disk writes will be redirected to the sandbox.
     
  20. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    Hi Mozart. If you are in a sandboxed session, then everything you do while in that session, including copying a JPG image or downloading a file, is automatically sandboxed (unless you have changed that sandbox's default setting to permit direct or full access to part of your real system). When you click "Save as" (while sandboxed) and then select the location to save the file, it is being saved to a virtual version of that location. You don't have to scroll to the C:/Sandboxie folder to save the file in a sandbox.

    Example:

    The picture below is on How-To Geek's website. If I am browsing that website while sandboxed and want to save that picture, I will right-click it and select Save Picture As.
    [image1.jpg]

    As a practice, I save all such downloads to my desktop, so that's what I select next, as shown here.
    [image2.jpg]

    But bear in mind, since I'm sandboxed, the picture is being saved to a virtual version of the desktop, not my real one.

    Immediately after clicking Save, Sandboxie will issue a pop-up asking if I want to recover the file (picture) to my real desktop. I can choose to do so, or I can choose not to, depending on whether I believe the file to be safe. If in doubt, I usually decline the recover option and then upload the file from the sandbox to VirusTotal to be scanned. Then I can more confidently recover the file to my real desktop after the scan if it all checks out clean.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Wrong. You just specify where you want it and Sandboxie will create that area in the sandbox. Then, when you recover it from the sandbox, it will either save it there or give you the option to put it where you want it.
     
  22. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's very true, but in my experience many of these reported breaches are not quite as they seem when scrutinized. They're often the result of an artificial set of circumstances that wouldn't be replicated in the real world.

    That's not to say that these products are 100% safe; they're not, of course. After all, they're just code, and code can contain flaws. The writers think they have every eventuality covered, but that's only until some enterprising individual discovers a new method of infection not previously thought of.

    In practical terms these products do offer close to complete protection, simply because there isn't a huge market for such groundbreaking malware. The bad guys go for the highest profits and the easiest targets, as illustrated by the huge rogue explosion, where no great innovations are required, just a sufficient number of people willing to install them of their own volition.
     
  23. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Great post Doodler, now I understand. Thanks.

    BTW, does anyone know, if I decide to save an MPG file to my REAL desktop, can an infection from the Sandboxie "jump out" of the sandbox onto my real desktop? Or does it just save the MPG, and MPG files cannot contain any virus or malware, can they? I then play the MPG files with VLC; can it release an infection if the MPG file is infected?
     
  24. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Yep, that makes sense, thanks Peter.
     
  25. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    FYI, the DW bypass that you are referring to, which was reported on 1-15-10 at Kafan, was fixed by Ilya several hours ago.

    It has been my personal experience that security applications such as HIPS, behavioral anti-malware, sandboxes and virtualization programs receive the bulk of scrutiny by way of penetration testing, for good or bad intentions. Not surprisingly, the more public or private testers and/or regular users a particular security application has, the quicker its vulnerabilities are naturally uncovered. In the end, the most important thing is that the developer addresses these issues in a timely manner. To that end, Ilya of DW and Tzuk of SBIE can be commended for their efforts.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jan 17, 2010