New sandbox/virtulization bypass under ring3

For someone running classical HIPS, an alert of low-level disk access should raise big eyebrows, IMO.
According to solcroft, Returnil passes this "test"

 

This product's results continue to prove very encouraging, and to think not so long ago i wouldn't have even gave it but least attention if at all. Early versions proved incompatible for some reason, but boy has it really taken off the gloves.

tzuk's efforts is done a great service for many users.

 

Thx Pete, usefull info

 

Even if Sandboxie had failed Tzuk would have it fixed in about 5 seconds!

Thanks for the testings Peter.

 

Hello Pete,
The current beta should not be vulnerable to this. Please send us a copy of the variant you have so we can test

Thanks
Mike

 

Thanks for the tests Peter !!!
What surprises me is that even ISR-softwares, working with a virtual environment, failed.
I thought they would offer a better recovery, obvious not.

On the other hand VMWare and Sandboxie didn't fail and have probably a better coded virtual environment than the rest.
That some security softwares fail, isn't new to me.

One thing is certain : users without Image Backup can learn from this.
1. A reliable Image Backup software on CD.
2. A off-line external harddisk
3. A zero tool on CD
4. A partition software on CD, that is able to repair damaged partitions.

 

What about ProSecurity and Eqsecure?

 

Hi Pete,
Thanks for the quick post and verification - greatly appreciated.

Mike

 

Peter
Thanks for testing those apps.Good information.
If you still have AE on your computer would it be possiable to see if AE blocks this.
If you have the time and are able to.
I imagine it would (at least I hope it would)

 

anyone with a test machine have a chance to test either safespace, comodo v3 or geswall?

 

Yes, I was thinking along those lines too, but it's nice to have another opinion on the matter. Thanks.

 

If I decide to recover a bad object from a sandbox and run it, I'm also infected.
Nothing helps to protect a computer, if the user doesn't care or doesn't know.

 

If this was true, then I can imagine every computer in the world would be infected, because the simple fact remains that most people who execute malware have no idea what it was. Fortunately your claim is nonsense and plenty of computers remain safe, as there are plenty of security software that protect the user even though he/she doesn't know the program they're about to run is a virus, or at least help them make an informed guess.

 

Were these simple execution alerts or some type of direct disk access type alerts?

If i remember well you are using PS. Did u test that as well?

Thanks

 

Yes, I have seen this at SWI how good users protect their computer, one HijackThis Log after another and that is just one Malware Forum.

 

So you have. No doubt you also believe that, because you've often heard of car crashes in the news, it must happen the majority of time to the majority of people.

 

OK. You win. All these Malware Forums are fake. Silly discussion, if you ask me.

 

And more nonsensical rubbish from you, as expected.

 

Can't argue with that. Those who wax lyrical about the wonders of Sandboxie seem to forget that at some point the driver made decide to save a nastie. Same goes, of course, for Returnil, Deepfreeze......... FD-ISR.

Without wishing to put words into your mouth I read this as "If a user is hell bent on getting infected, either because they don't care or don't know what they are doing the all the protection in the world may not save them"

I certainly find it interesting that so many have so much protection and yet seem to catch cold on a regular basis and yet others have little or nothing in the way of protection and seem to remain clean.

If we reverse your quote to read "There are programs that guarantee protection even if the user doesn't know or doesn't care" then I would think that Sandboxie, Returnil, DeepFreeze...... FD-ISR might qualify but only up to the point where the user saves.

Oh and by the way if either of you 2 protagonists think the above is rubbish
please remember that I don't mind and have a Happy Christmas.... we are only talking about computers for ..... sake

 

Discussion (Chinese) and source on EQSecure forums:

http://www.eqsecure.com/bbs/read.php?tid=9001&fpage=0&toread=&page=1

Is there any dialog to this software? Will it do its dirty deed as soon as it's executed or will it give me time to reconsider?