Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Wilders pics sandbox 2.png
    > how can I (find) delete eyck6rf.exe.part in d:\sandbox
    > eyck6rf.exe.part seems to be calling amazonaws
    -------------------------------------
    more pics
    sandbox firefox appdata 4.png
    after restart
    sandbox firefox appdata after restart.png
     
    Last edited: Dec 31, 2016
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi bjm, that file (eyck6rf.exe.part) doesn't belong to Sandboxie or Firefox. I can't find it on my computer and a Google search doesn't bring any results. To delete it from inside the sandbox, navigate to D>Sandbox and follow the path.

    Bo
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    AppData Local Temp folder is empty.png
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Yeah, it's a curious concern.
    Edit: I think amazonaws is related to Webroot, like akamai is related to Norton. CDN
    Curious concern is what amazonaws IPs have to do with d:\sandbox & eyck6rf.exe.part.
    eyck6rf.exe.part in d:\sandbox\ item, did not allow > Remove this entry.

    Clean install Webroot sorted eyck6rf.exe.part in d:\sandbox\ item.
    Maybe, eyck6rf.exe.part was corrupt WRData.
     
    Last edited: Dec 31, 2016
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    WebrootSA
     
    Last edited: Dec 31, 2016
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I had a bit of a weird problem. From out of nowhere, Firefox constantly started using 25% of the CPU, without any browsing activity or opened websites. I cleaned the files in the sandbox, and this behavior stopped. Has anyone ever seen this behavior?
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    When you first open Firefox, there is some activity going on for a few seconds (Safe Browsing updates automatically). In my case, this activity might even take a second or two longer than on your computer because I haven't enabled the sandbox setting that allows these updates to be saved outside the sandbox.

    Bo
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, so I'm guessing nobody has ever seen this weird behavior. Like I said, FF will constantly use 25% of the CPU on my system, until I clean all files. This behavior often starts after I have cleared recent history, but this time it started out of the blue. BTW, when I use CCleaner to clean the FF sandbox there is no problem. So seems to be a "freak bug" on my system.
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Um, do you use Firefox Sync?
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If Firefox constantly uses 25% of the CPU even when doing nothing, I would check the addons, plugins (especially the ones from security programs) and the rest of the security programs you are using. If the high CPU only occurs when running sandboxed, it can mean you are using something that's conflicting with SBIE. I would try a new Firefox profile and disable or uninstall (better) security related plugins. Also, if multi-process is enabled, I would test disabling it.

    Bo
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    > another question re SandboxieBITS.
    I downloaded KeePass 1.32 Installer as test (reported Webroot block) in Firefox (daily use) and Chrome (seldom use).
    Webroot quarantined dl from Firefox sandbox. Drop Rights checked. All good.
    Webroot quarantined dl from Chrome sandbox. Drop Rights not checked. All good.
    ERP in LockdownMode threw Blocked C:\Program Files\Sandboxie\SandboxieBITS.exe
    Sandboxie Holdings, LLC 4ACA16BAD0A42AC5B7AEBE68B19E5677
    Um, is SandboxieBITS.exe something I need to ERP WhiteList?

    Edit: added 3 missing Sandboxie exe to EXE Radar Pro WhiteList.
    Forgot to add after EXE Radar Pro, Reset to default.
     
    Last edited: Jan 11, 2017
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I don't know whether this has already been asked, but would Sandboxie with restrictions be enough to stop any ransomware? I've tried an anti-executable but it ended up freezing one of my machines. Like many users, even if I got infected, restoring an image would solve the problem, but for the sake of argument, theoretically SB should be able to contain a ransomware attack, shouldn't it?
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Yes it should contain it, if malware is run inside sandbox and you don't enable direct access to your personal files.
     
    Last edited: Jan 11, 2017
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If I was using NVT, I would allow SandboxieBITS.exe.

    Side note. Sorry, I refuse to use the acronym ERP for a nice program like NVT. It brings bad memories.
    https://en.wikipedia.org/wiki/People's_Revolutionary_Army_(Argentina)

    Bo
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If the ransomware has to run an exe to infect, the start run restriction would block it from running. And Sandboxie would issue a message telling you about it.

    Bo
     
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Thanks Bo, I'm aware this is what theoretically should happen. As you know, SB is most of the time ignored when tests are carried out by malware testing organizations, presumably because its configuration can be so eclectic and therefore results can be difficult to judge in a standardized situation. However, I was wondering whether anybody has put SB through a set of ransomware threats to see what actually happens...
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Of course this goes without saying, but do you know of any tests, even video tests by individuals who might have confirmed this is actually what happens?
     
  20. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @Osaban
    There's a video that was made by Invincea
    https://www.youtube.com/watch?v=aMtyGNviiRY, on another matter a video made by CS
    https://www.youtube.com/watch?v=Rs4FokfBeCo this one involves RATs.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Osaban

    I just tested for you in a VM. I ran 3 pieces of live ransomware including Goldeneye, which is a Petya class nasty. It goes after the MBR.

    Tested two ways: one in my Firefox sandbox, which allows Internet access but restricts only Firefox to run, the other a default box, that allows everything to run but no Internet access.

    With all 3 pieces of ransomware, they failed to even run in the Firefox sandbox.

    In the default sandbox the two that attacked files went at the files and encrypted them, but they were in the sandbox, and once the running attack was stopped I just deleted the sandbox, which removed everything, and the system was fine.

    Goldeneye presented no way to stop it. So I killed power to the VM. It actually rebooted and the system was fine. Deleted the sandbox and it was gone. Without having run it in sbie, the reboot would have presented their ransom note.

    So there you have it. Sandboxie works!!!!!
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Thanks Peter, coming from you, it is certainly hard evidence that it really works, and I don't have to add anything to my system, great news...
     
  23. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Thanks Duotone, I will certainly take the time to watch these videos as soon as I can...
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I kind of think the best test is our own usage of a security program. What are the results of using a program for me? Am I getting infected or not since I started using this or that program? For me personally there is a clear cut line: there's a before SBIE, that was a time when I got infected once or twice a year, every year. This cycle of getting infected came to an end the day in early 2009 when I became a Sandboxie user. There is no gray line here. Osaban, that's the test I trust best. :)

    Bo
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    About the restrictions, I see them as extra hurdles for the malware. The more we make use of them, the harder it is for the malware to run, to install or to get out of the sandbox. To this day, they haven't failed me once in real time usage of SBIE. They truly work in the real world.

    Bo
     