MBR rootkit under a sandbox + Returnil

Discussion in 'Returnil releases' started by lolpop, Jul 22, 2010.

Thread Status:
Not open for further replies.
  1. lolpop

    lolpop Registered Member

    Joined:
    Jul 15, 2010
    Posts:
    9
    I wonder, if an MBR rootkit is executed in a sandbox program like Sandboxie,
    whether it will bypass Returnil or not.

    I don't have any sample of MBR rootkits so I can't try it out by myself.
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    RVS/RSS all include MBR protection that is activated automatically when you turn on the virtualization.

    Mike
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It won't even escape Sandboxie, let alone bypass RVS ;)
     
  4. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    These screenies show RSS 2011 detecting Eicar and Trojan Simulator still in Sandboxie's sandbox:
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Empty your sandbox then; Returnil has a built-in antivirus.

    Edit:
    Actually one of them points to a .part temporary file used by most browsers. It's not executable unless you change the file extension.
     
  6. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,122
    Location:
    Pennsylvania.
    You mean one of those .ex files? :p
     