MBR rootkit under a sandbox + Returnil

Discussion in 'Returnil releases' started by lolpop, Jul 22, 2010.

Thread Status:
Not open for further replies.
  1. lolpop (Registered Member; joined Jul 15, 2010; 9 posts)
    I wonder whether, if an MBR rootkit is executed in a sandbox program like Sandboxie,
    it will bypass Returnil or not.

    I don't have any samples of MBR rootkits, so I can't try it out myself.
     
  2. Coldmoon (Returnil Moderator; joined Sep 18, 2006; 2,981 posts; location: USA)
    RVS and RSS both include MBR protection, which is activated automatically when you turn on virtualization.

    Mike
     
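    The post above says RVS/RSS protect the MBR but not what that protection checks. The following is an added example, written for this page and not Returnil's code, of the kind of check such a feature has to perform: read sector 0, verify the 0x55AA boot signature, hash the 446 bytes of boot code, parse the four partition entries, and compare both against a trusted baseline so that a bootkit-style overwrite of the boot code or a redirected boot partition is reported. The 512-byte MBR is constructed in the script itself (it is not a real disk image); `read_mbr` is only there to show where the real sector would come from and is not called.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sample_mbr(boot_code_fill=0x90):
    """Constructed 512-byte MBR used as sample input (not a real disk image).

    Boot code is filled with one byte value (0x90, NOP, by default); one
    bootable partition of type 0x07 starts at LBA 2048 and spans 1,000,000
    sectors; the other three entries are unused.
    """
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    return boot_code + entry + bytes(16) * 3 + BOOT_SIGNATURE


def parse_mbr(sector):
    """Validate sector 0 and return the boot-code hash plus the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # partition type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector, baseline):
    """Compare a freshly read MBR with a trusted baseline; returns findings (empty list = clean)."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code modified")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table modified")
    return findings


def with_partition_lba(sector, index, lba_start):
    """Copy of the sector with entry `index` pointed at another LBA (simulates a redirected boot partition)."""
    buf = bytearray(sector)
    struct.pack_into("<I", buf, BOOT_CODE_LEN + 16 * index + 8, lba_start)
    return bytes(buf)


def read_mbr(device_path):
    """Read the real sector 0 from a raw device; needs administrator/root rights.

    Hypothetical helper, not exercised here: e.g. /dev/sda on Linux or
    \\.\PhysicalDrive0 on Windows (the path is an assumption for illustration).
    """
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())
    print("clean:", check_mbr(build_sample_mbr(), baseline))
    print("boot code overwritten:", check_mbr(build_sample_mbr(0xEB), baseline))
    print("partition redirected:",
          check_mbr(with_partition_lba(build_sample_mbr(), 0, 4096), baseline))
```

    The baseline is taken once from a known-clean sector; a sandbox that only virtualizes the file system does nothing for raw writes to sector 0, which is exactly why a separate MBR check is worth having.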
  3. andyman35 (Registered Member; joined Nov 2, 2007; 2,336 posts)
    It won't even escape Sandboxie let alone bypass RVS ;)
     
  4. Dark Star 72 (Registered Member; joined May 27, 2007; 747 posts)
    These screenshots show RSS 2011 detecting EICAR and Trojan Simulator while they are still in Sandboxie's sandbox:
     

  5. J_L (Registered Member; joined Nov 6, 2009; 8,726 posts)
    Empty your sandbox, then; Returnil has a built-in antivirus.

    Edit:
    Actually, one of them points to a .part temporary file, which most browsers use. It's not executable unless you change the file extension.
     
  6. cheater87 (Registered Member; joined Apr 22, 2005; 3,174 posts; location: Pennsylvania)
    You mean one of those .ex files? :p
     