New sandbox/virtulization bypass under ring3

Discussion in 'sandboxing & virtualization' started by R8y, Dec 22, 2007.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    For someone running classical HIPS, an alert of low-level disk access should raise big eyebrows, IMO.
    According to solcroft, Returnil passes this "test" :doubt:
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,207
    Location:
    U.S.A. (South)
    This product's results continue to prove very encouraging, and to think not so long ago i wouldn't have even gave it but least attention if at all. Early versions proved incompatible for some reason, but boy has it really taken off the gloves.

    tzuk's efforts is done a great service for many users.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx Pete, usefull info
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Even if Sandboxie had failed Tzuk would have it fixed in about 5 seconds!:D

    Thanks for the testings Peter.
     
  5. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hello Pete,
    The current beta should not be vulnerable to this. Please send us a copy of the variant you have so we can test

    Thanks
    Mike
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't know. A good percentage of my legit software asks for low level disk access. I don't know if I'd catch it in all honesty.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Retested Returnil and it passed.

    Trying to figure out the difference, but am going to retest the others also.

    Pete
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for the tests Peter !!!
    What surprises me is that even ISR-softwares, working with a virtual environment, failed.
    I thought they would offer a better recovery, obvious not.

    On the other hand VMWare and Sandboxie didn't fail and have probably a better coded virtual environment than the rest.
    That some security softwares fail, isn't new to me.

    One thing is certain : users without Image Backup can learn from this.
    1. A reliable Image Backup software on CD.
    2. A off-line external harddisk
    3. A zero tool on CD
    4. A partition software on CD, that is able to repair damaged partitions.
     
  9. Gargoyle

    Gargoyle Registered Member

    Joined:
    Jun 2, 2007
    Posts:
    67
    What about ProSecurity and Eqsecure?
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, cleaned the vm machine up after discovering the test error. First went back to the vm snapshot, I tested with and returnil passed. Go figure.

    Anyway restested, and

    Shadowdefender still fails.
    Defense Wall still fails. Note all I did is install it and run the test exe untrusted.

    Returnil passes with either memory or disk cache.
    Sandboxie passes.

    Gargoyle. Going to play tomorrow, but any classic hips is going to challenge what's going on. If user answers wrong, it's all over. That is the problem.

    Pete
     
  11. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Pete,
    Thanks for the quick post and verification - greatly appreciated.

    Mike
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,786
    Peter
    Thanks for testing those apps.Good information.
    If you still have AE on your computer would it be possiable to see if AE blocks this.
    If you have the time and are able to.
    I imagine it would (at least I hope it would)
     
  13. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    anyone with a test machine have a chance to test either safespace, comodo v3 or geswall?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Lonewolf

    By definition if it is an exe that was slipped on your machine by something AE would stop it from executing. However if you thought it was valid, and were going to run it you would first have to disable AE, and that as they say would be that.
     
  15. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,786
    Yes, I was thinking along those lines too, but it's nice to have another opinion on the matter. Thanks.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If I decide to recover a bad object from a sandbox and run it, I'm also infected.
    Nothing helps to protect a computer, if the user doesn't care or doesn't know.
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If this was true, then I can imagine every computer in the world would be infected, because the simple fact remains that most people who execute malware have no idea what it was. Fortunately your claim is nonsense and plenty of computers remain safe, as there are plenty of security software that protect the user even though he/she doesn't know the program they're about to run is a virus, or at least help them make an informed guess.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Were these simple execution alerts or some type of direct disk access type alerts?

    If i remember well you are using PS. Did u test that as well?

    Thanks
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, I have seen this at SWI how good users protect their computer, one HijackThis Log after another and that is just one Malware Forum.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So you have. No doubt you also believe that, because you've often heard of car crashes in the news, it must happen the majority of time to the majority of people. :rolleyes:
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. You win. All these Malware Forums are fake. Silly discussion, if you ask me.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And more nonsensical rubbish from you, as expected.
     
  23. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Can't argue with that. Those who wax lyrical about the wonders of Sandboxie seem to forget that at some point the driver made decide to save a nastie. Same goes, of course, for Returnil, Deepfreeze......... FD-ISR.

    Without wishing to put words into your mouth I read this as "If a user is hell bent on getting infected, either because they don't care or don't know what they are doing the all the protection in the world may not save them"

    I certainly find it interesting that so many have so much protection and yet seem to catch cold on a regular basis and yet others have little or nothing in the way of protection and seem to remain clean.

    If we reverse your quote to read "There are programs that guarantee protection even if the user doesn't know or doesn't care" then I would think that Sandboxie, Returnil, DeepFreeze...... FD-ISR might qualify but only up to the point where the user saves.

    Oh and by the way if either of you 2 protagonists think the above is rubbish
    please remember that I don't mind and have a Happy Christmas.... we are only talking about computers for ..... sake
     
    Last edited: Dec 24, 2007
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure I get the point here. Sandboxie doesn't just "decide" to save a driver, it either blocks all driver installs or allows them based on settings. If blocked none are installed. Returnil is the same, unless you exclude certain folders. FDISR isn't designed to block anything, so it won't.
     
  25. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Last edited: Dec 24, 2007
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.