Sandbox Question?

Discussion in 'sandboxing & virtualization' started by chinook9, Jan 29, 2008.

Thread Status:
Not open for further replies.
  1. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    439
    My computers are well secured with antivirus, firewall and assorted other protections but I am considering trying Sandboxie. One thing I'd like to understand.

    If I download a file into the Sandbox (i.e. .jpeg, mpeg, .avi, .exe), except for scanning with antivirus and antispyware, how do I confirm there is no malware in the file so I can move it out of the Sandbox and use it?

    Is it feasible to just leave it in the Sandbox?

    Any clarification or recommendations would be appreciated.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    What you can do is invoke the file in the sandbox and observe what it does. Even if you recover the file from the sandbox you can right click on it and run it sandboxed.

    I don't even bother with an AVAS anymore. I do run two HIPS programs, Online Armor and System Safety Monitor. So say I download a jpg file. I'll run it sandboxed, and shouldn't expect anything from either HIPS program. Should they alert to something, I'd be very suspicious and would delete the file and empty the sandbox.

    Pete
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi, you could also upload the file to be scanned by online scanners. VirusTotal and Jotti are two that you could use if the file is under 10MB.

    This link has more scanners listed that vary from full scans to single file scans. http://wiki.castlecops.com/Online_antivirus_scans

    Edit: Please keep in mind that you may receive false positives with any scanner. Then it's a judgment call with what knowledge you have or you can submit the file for expert analysis.
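Added example (not from the thread or from Sandboxie): the checks a cautious user can run on a download before recovering it from the sandbox, following the advice in the posts above. It verifies the file is under the 10MB online-scanner limit mentioned, computes the hashes a scanning service can be asked about without uploading the file, and compares the extension against the leading bytes, so a ".jpeg" that is really a Windows executable is flagged before it is ever opened outside the sandbox. The sample files are constructed headers, and the 10MB figure is simply the number given in the post.

```python
import hashlib

# 10MB is the size limit the post above gives for the online scanners; treated here
# as a constant, not verified against the current services.
ONLINE_SCAN_LIMIT = 10 * 1024 * 1024

# Well-known leading byte signatures. A ".jpeg" that really starts with "MZ" is a
# Windows executable, whatever its name says.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "exe"),                 # DOS/PE executable stub
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# What each extension claims to be.
EXT_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf", "zip": "zip",
            "exe": "exe", "avi": "avi", "mpeg": "mpeg", "mpg": "mpeg"}


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    # MPEG program stream (00 00 01 BA) or video sequence header (00 00 01 B3)
    if data[:3] == b"\x00\x00\x01" and data[3:4] in (b"\xba", b"\xb3"):
        return "mpeg"
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def hashes(data: bytes) -> dict:
    """Hashes to look up on a scanning service instead of uploading the file itself."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def triage(filename: str, data: bytes) -> dict:
    """Checks to run on a file before it is recovered from the sandbox."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    return {
        "file": filename,
        "size": len(data),
        "within_online_limit": len(data) <= ONLINE_SCAN_LIMIT,
        "declared_type": declared,
        "actual_type": actual,
        # Only flag when we know what the extension claims and the content disagrees.
        "type_mismatch": declared != "unknown" and actual != declared,
        "is_executable": actual == "exe",
        "hashes": hashes(data),
    }


# Constructed sample downloads (headers only, padded with zeros).
SAMPLES = {
    "holiday.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,   # genuine JPEG header
    "holiday2.jpeg": b"MZ\x90\x00" + b"\x00" * 60,         # executable wearing a .jpeg name
    "clip.avi": b"RIFF" + (64).to_bytes(4, "little") + b"AVI " + b"\x00" * 60,
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,             # same bytes as holiday2.jpeg
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        verdict = "MISMATCH" if r["type_mismatch"] else "ok"
        print(f"{name:15} {r['declared_type']:>7} -> {r['actual_type']:<7} {verdict:8} "
              f"sha256={r['hashes']['sha256'][:16]}...")
```

The two "MZ" samples hash identically even though one is named .jpeg and the other .exe, which is the point of looking files up by hash: the name tells a scanner nothing. A mismatch or an executable result is a reason to leave the file in the sandbox, not proof it is malicious, and a clean result is still subject to the false-positive (and false-negative) caveat in the edit above.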
     
  4. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    I am with you on that 100%.... I haven't used an AV for ages.... not needed... I use DEEPFREEZE + SANDBOXIE (which ownz ;) )

    cheerso_O
     
  5. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    439
    Thank you. I have Sandboxie installed and running fine.
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I would not just run Sandboxie by itself... Too risky.

    Read this post: https://www.wilderssecurity.com/showpost.php?p=1177742&postcount=81
     
  7. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    So you quoted yourself? Saying that you worked on 2 systems that got infected, both of which were running multiple programs (labelled as "layering") and the systems still got infected..
    Then you said here in this quote:
    https://www.wilderssecurity.com/showpost.php?p=1177871&postcount=87
    That the layering in fact didn't work, and that you are disappointed in the layering and the tools installed...
    Yet you turn around and recommend layering after it was proven to fail?
    Then you say that running Sandboxie alone is too risky, even though people in this thread as well as people over at Sandboxie.com run only Sandboxie, and they never get infected..?

    I'll agree with Peter, that Sandboxie (or any tool) in a moron's hands isn't going to do crap for you, but someone who knows what they are doing can run just one security program (like Sandboxie) and be just fine.
    Hell, I've been known to run an OS without any protection, and still not get infected with anything...
    You just have to know what you are doing..
     
  8. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I think you're right on, Terror_Eyez. I've used Sandboxie for a while now along with Returnil. I've tried other similar programs but always come back to Sandboxie and Returnil as being the best combination. Neither has ever failed me. And, DeepFreeze is always there if they do.
     
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Are both you and Terror_Eyez... missing the inconvenient truth about both Sandboxie and Returnil being on a system where we discovered an inconvenient ROOTKIT?

    Hahaha... :)
     
  10. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    Did you miss the inconvenient truth that perhaps both weren't enabled? By the looks of it, from your website and the posts you make, you deal with customers who don't know jack about computer security.
     
  11. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Did you see the post where EraserHW said it's probably a false positive?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Yeah, but were they being used? Returnil will protect from lots, but it has to be on. Same with Sandboxie. If you didn't set up forced programs you could open your browsers without them being sandboxed. That's why I was curious how the machines were infected.

    I've tested sandboxie against some live nasties and it contained them all.
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    If a rootkit manages to sneak through both Sandboxie and Returnil, I'm sure on reboot DeepFreeze will take care of it when I shut down for the night.

    Good point, Drew99GT. Our neighbor is a fine example. She recently purchased a Dell computer that came with Norton. It wasn't installed but the trial was available. She thought because the Norton icon was on the desktop that she was protected.
     
  14. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I'm not a PC security expert but I'm fairly clued up about things so that I can keep my PC clean. I have Sandboxie set up to alert whenever Firefox or IE are launched unsandboxed. I have to confess that a few times in the last couple of weeks I've clicked the icon on my desktop for IE and got the message that IE was launched outside the sandbox. It's easily done and I suspect this is what your rootkitted user did. Sandboxie isn't going to stop jack if you run your browser unsandboxed.

    muf
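Added example, not from the thread or from Sandboxie itself: a small audit of a Sandboxie.ini that checks the two settings Peter2150 and muf describe, forced programs (so the browser is always sandboxed) and an alert when a listed program is started unsandboxed. It assumes the ForceProcess= and AlertProcess= keys and the [GlobalSettings]/[DefaultBox] section names are what Sandboxie uses; the two .ini samples are constructed, one showing the weak configuration (nothing forced, nothing alerted) and one the corrected one. A box with Enabled=n is treated as forcing nothing, since a disabled box is exactly the "it has to be on" case.

```python
from collections import defaultdict

# Constructed Sandboxie.ini samples. Section names and the ForceProcess/AlertProcess
# keys are assumed to be the ones Sandboxie uses; nothing here comes from a real install.
WEAK_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
"""

HARDENED_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%
AlertProcess=firefox.exe
AlertProcess=iexplore.exe

[DefaultBox]
Enabled=y
ForceProcess=firefox.exe
ForceProcess=iexplore.exe
"""

BROWSERS = ["firefox.exe", "iexplore.exe"]


def parse_sandboxie_ini(text: str) -> dict:
    """Parse into {section: {key: [value, ...]}}.

    Sandboxie lists one ForceProcess= line per program, so repeated keys must be
    kept as a list; configparser would reject or collapse them.
    """
    cfg = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            cfg[section][key.strip()].append(value.strip())
    return cfg


def audit_browsers(cfg: dict, browsers=BROWSERS) -> dict:
    """For each browser: which enabled boxes force it, whether an unsandboxed launch
    alerts, and whether neither protection is in place (the gap muf describes)."""
    alerts = {v.lower() for v in cfg.get("GlobalSettings", {}).get("AlertProcess", [])}
    forced = defaultdict(list)
    for section, keys in cfg.items():
        if section == "GlobalSettings" or section.startswith("UserSettings_"):
            continue  # not sandbox definitions
        if keys.get("Enabled", ["y"])[0].lower() not in ("y", "yes"):
            continue  # a disabled box forces nothing
        for exe in keys.get("ForceProcess", []):
            forced[exe.lower()].append(section)
    findings = {}
    for exe in browsers:
        boxes = forced.get(exe.lower(), [])
        alerted = exe.lower() in alerts
        findings[exe] = {"forced_in": boxes, "alert_if_unsandboxed": alerted,
                         "gap": not boxes and not alerted}
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"--- {label} ---")
        for exe, f in audit_browsers(parse_sandboxie_ini(ini)).items():
            status = "GAP: can run unsandboxed silently" if f["gap"] else "covered"
            print(f"{exe:13} forced_in={f['forced_in']} alert={f['alert_if_unsandboxed']} {status}")
```

Forcing and alerting are complementary: ForceProcess makes the desktop shortcut muf clicked land in the sandbox anyway, while AlertProcess is the safety net that tells you when something still started outside it. The audit reports a gap only when both are missing for a browser.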
     
  15. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Hmm interesting
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Actually they are both used but obviously not all the time... Besides many users will download something in the sandbox and scan the executable with an av before allowing it to install in the primary system... If the AV fails you have the stated result.

    I have read somewhere that some Trojans did manage to escape sandboxie in the past... Just not sure what it was that did... someone might want to comment on this one...
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    That might have been the case with a much older version, but I don't believe so recently.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You have to tell us what they said.
    Was it SBIE free? Then what muf said is the probable answer.
    If it was paid, it either was badly configured (1), the user intentionally recovered the files from the sandbox(2), or they simply feel SBIE is a hassle to use, and don't(3).

    SBIE being broken is the last scenario imo.
     
  19. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Are you missing the inconvenient truth that perhaps the people you deal with are morons <removed personal comment>, and either do not use the tool(s) they have installed, or don't have it set up correctly?
    Maybe the rootkit is already there due to the fact that your articles inspired them to surf without protection because they were falsely led to believe that their PC being set up to your standards would keep them safe?

    Hahaha... :)

    Other than that, everything else has already been said by everyone else.

    So now you are admitting they most likely didn't use the tool(s) all the time, and that's why they got infected!
    Hahaha... :)

    Wrong, you're thinking of something else.
    Go check Sandboxie.com, there have been no trojans breaking out of Sandboxie's protection, or is Wilders the only site you know about?
     
    Last edited by a moderator: Feb 7, 2008
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Please refrain from personal comments about posters, and just discuss the subject.

    Pete
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think there was 1 that could (with earlier version), it was discussed here somewhere. Perhaps someone can confirm.
    But the problem here is how comfortable is SandboxIE for the "average" person. Education still is the no.1 tool.
     
  22. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Yes there was one a while back. I do not like being less than complete and I have searched within the SandboxIE forum for the thread, but I cannot find it. SandboxIE had isolated a file (something like pueblo.exe or pweblo.exe - I do not recall). But there was another security product involved with that. That 'security product' was able to yank the bad file out of the sandbox and then the malware was able to thwart that program's quarantine. A lot of time was spent trying to figure out how that bad file was able to escape before it was realized that the weakness was actually involved with the security product and not with the bad file itself. And when that was finally discovered - the next morning's upgrade was issued and Tzuk had it fixed. I apologize for not being able to be more exact in that, but the forum is right there for anyone that wants to dig deeper.
     
  23. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Aaaah.... Finally some truth... Thanks!

    Now here is the kicker... you guys are saying only "relatively slow" users with the IQ of a flea on crack might have got that rootkit? Right?

    Not so! One of those systems was mine, and I have an awful lot of experience with those products as I use them regularly; as a side note I have over 15 years experience as a technical janitor, and I must confess this one had me dumbfounded... Besides, I'm as paranoid as it gets as far as security on my system...

    But please, assuming that only inexperienced idiots could get infected is obviously wrong... and oh... by the way, I make most of my income by cleaning rootkits and Trojans from infected systems where their security effectively failed... As this rather unpleasant event shows, "we" the tech types are not immune no matter how much protection or how skilled we think we are; given the right circumstances and a single moment of distraction, we can get hit just like everyone else...

    I stand by my recommendations as I do not have the pretension to know anything for sure, other than eventually even the best equipped ones will still get hit.

    Something to ponder!
     
    Last edited: Feb 7, 2008
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm....DeepFreeze and Returnil together. :eek: :eek: No need IMO. Either one should be sufficient.
     