Sandbox Question?

My computers are well secured with antivirus, firewall and assorted other protections but I am considering trying Sandboxie. One thing I'd like to understand.

If I download a file into the Sandbox (i.e. .jpeg, mpeg, .avi, .exe), except for scanning with antivirus and antispyware, how do I confirm there is no malware in the file so I can move it out of the Sandbox and use it?

Is it feasible to just leave it in the Sandbox?

Any clarification or recommendations would be appreciated.

 

Hi, you could also upload the file to be scanned by online scanners. Virus Total and Jotti are two that you could use if the file is under 10MB.

This link has more scanners listed that vary from full scans to single file scans. http://wiki.castlecops.com/Online_antivirus_scans

Edit: Please keep in mind that you may receive false positives with any scanner. Then it's a judgment call with what knowledge you have or you can submit the file for expert analysis.

 

i am with you on that 100%.... i dont use no AV for ages....no needed... use DEEPFREEZE +SANDBOXIE(which ownz )

cheers

 

Thank you. I have Sandboxie installed and running fine.

 

I would not just run Sandboxie by itself... Too risky.

Read this post: https://www.wilderssecurity.com/showpost.php?p=1177742&postcount=81

 

So you quoted yourself? Saying that you worked on 2 systems that got infected, both which were running multiple programs (labled as "layering") and the systems still got infected..
Then you said here in this quote:
https://www.wilderssecurity.com/showpost.php?p=1177871&postcount=87
That the layering infact didn't work, and that you are disappointed in the layering and the tools installed...
Yet you turn around and recommend layering after it was proven to fail?
Then you say that running Sandboxie alone is too risky, even though people in this thread as well as people over at Sandboxie.com run only Sandboxie, and they never get infected..?

I'll agree with Peter, that Sandboxie (or any tool) in a morons hands aren't going to do crap for you, but someone who knows what they are doing, can run just one security program (like Sandboxie) and be just fine.
Hell, I've been known to run an OS without any protection, and still not get infected with anything...
You just have to know what you are doing..

 

I think you're right on, Terror_Eyez. I've used Sandboxie for a while now along with Returnil. I've tried other similar programs but always come back to Sandboxie and Returnil as being the best combination. Neither has ever failed me. And, DeepFreeze is always there if they do.

 

Are both you and terror eye's... missing the inconvenient truth about the both sandboxie and returnil being on a system where we discovered an inconvenient ROOTKIT?

Hahaha...

 

Did you miss the inconvenient truth that perhaps both weren't enabled? By the looks of it, from your website and the posts you make, you deal with customers who don't know jack about computer security.

 

Did you see the post where EraserHW said its probably a false positive?

 

If a rootkit manages to sneak through both Sandboxie and Returnil, I'm sure on reboot DeepFreeze will take care of it when I shut down for the night.

Good point, Drew99GT. Our neighbor is a fine example. She recently purchased a Dell computer that came with Norton. It wasn't installed but the trial was available. She thought because the Norton icon was on the desktop that she was protected.

 

I'm not a pc security expert but i'm fairly clued up about things so that I can keep my pc clean. I have Sandboxie set up to alert whenever firefox or IE are launched unsandboxed. I have to confess that a few times in the last couple of weeks that i've clicked the icon on my desktop for IE and got the message that IE was launched outside the sandbox. It's easily done and I suspect this is what your Rootkitted user did. Sandboxie isn't going to stop jack if you run your browser unsandboxed.

muf

 

Hmm interesting

 

Actually they are both used but obviously not all the time... Besides many users will download something in the sandbox and scan the executable with an av before allowing it to install in the primary system... If the AV fails you have the stated result.

I have read somewhere that some Trojans did manage to escape sandboxie in the past... Just not sure what it was that did... someone might want to comment on this one...

 

You have to tell us what they said.
Was it SBIE free? Then what muf said is the probable answer.
If it was paid, it either was badly configured (1), the user intentionally recovered the files from the sandbox(2), or they simply feel SBIE is a hassle to use, and don't(3).

SBIE being broken is the last scenario imo.

 

Are you missing the inconvenient truth that perhaps the people you deal with are morons <removed personal comment>, and either do not use the tool(s) they have installed, or don't have it set up correctly?
Maybe the rootkit is already there do to the fact that your articles inspired them to surf without protection cause they were falsely led to believe that their PC being setup to your standards would keep them safe?

Hahaha...

Other than that, everything else has already been said by everyone else.

So now you are admitting they most likely didn't use the tool(s) all the time, and thats why they got infected!
Hahaha...

Wrong, your thinking of something else.
Go check Sandboxie.com, there have been no trojans breaking out of Sandboxies protection, or is Wilders the only site you know about?

 

I think there was 1 that could (with earlier version), it was discussed here somewhere. Perhaps someone can confirm.
But the problem here is how comfortable is SandboxIE for the "average" person. Education still is the no.1 tool.

 

Yes there was one a while back. I do not like being less than complete and I have searched within the SandboxIE forum for the thread, but I can not find it. SandboxIe had isolated a file (something like pueblo.exe or pweblo.exe - I do not recall). But there was another security product involved with that. That 'security product' was able to yank the bad file out of the sandbox and then the malware was able to thwart that programs quarantine. A lot of time was spent trying to figure out how that bad file was able to escape before it was realized that the weakness was actually involved with the security product and not with the bad file itself. And when that was finally discovered - the next mornings upgrade was issued and Tzuk had it fixed. I apologize for not being able to be more exact in that, but the forum is right there for anyone that wants to dig deeper.

 

Aaaah.... Finally some truth... Thanks!

Now here is the kicker... you guys are saying only "Relatively slow" users with the IQ of a flea on crack might of got that rootkit? right?

Not so! One of those system was mine, and I have an awful lot of experience with those products as I use them regularly, as a side note I have over 15 years experience as a technical Janitor, and I must confess this one had me dumbfounded... Besides I'm as paranoid as it gets as far as security on my system...

But please assuming that only inexperienced idiot could get infected is obviously wrong... and oh... by the way, I make most of my income by cleaning rootkits and Trojans from infected systems where their security effectively failed... As this rather unpleasant event shows "We" the tech types are not immune no matter how much protection or how skilled we think we are given the right circumstances, and a single moment of distractions and we can get hit just like everyone else...

I stand by my recommendations as I do not have the pretension to know anything for sure, other than eventually even the best equipped ones will still get hit.

Something to ponder!

 

Prueba? I think there was one with that name.

EDIT: https://www.wilderssecurity.com/showthread.php?t=179003&highlight=prueba.exe

 

Hmmm....DeepFreeze and Returnil together. Not need IMO. Either one should be sufficient.