Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Q: Has there been any real-world scenario/report where malware or the browser was exploited and it got out of the box?! Lab tests or POCs not included...
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Duotone, as far as I know, never, none whatsoever.

    Ever since I became a Sandboxie user, I have read and heard people time and time again claiming that the day is coming, but it never happens. :)

    Bo
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yes, Sandboxie exe whitelisted. BITS threw me as I seldom run Chrome.
    My bad. NoVirusThanks EXE Radar Pro.
     
    Last edited: Jan 11, 2017
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    I agree the best test is whether one gets infected, but in my case, before I became a SB user (I don't remember when I first used it), I was systematically using Shadow Defender and ShadowUser from StorageCraft (which is now defunct), and as you can imagine it is almost impossible to get infected with anything. Lately, with all the news about these ransomware families and the lack of tests about SB, I was wondering how it would behave with this type of malware.

    Peter with his tests has removed any doubts about the effectiveness of SB in this scenario...
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys, Sandboxie really makes testing boring. Same result all the time. :) The only thing you have to remember is Sandboxie won't stop the malware action, but it does contain it.
     
  6. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @bo...
    As expected

    As you already know what the outcome will be...

    That's what I really like about it; other protections are just meant to stop the initial attack.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I trust Pete's test for two reasons. Attacking Sandboxie is not part of his agenda and he understands and knows how Sandboxie works.

    I think ransomware can interact with Sandboxie in 3 ways.

    1. Default settings sandbox. The malware detects it is running sandboxed and doesn't do anything, it doesn't infect, expecting to fool the user into running the malware unsandboxed. This is probably more likely to happen with attachments. And in my opinion it is a good reason to run files that get created on our PC sandboxed during their lifetime on the PC.

    2. Default settings sandbox. It could also happen that the malware runs and infects. If this takes place, the infection remains inside the sandbox and it might even feel that the malware took over the PC. So, what do we do now? Delete the sandbox; if we can't, then reboot, that's what we want.

    If for some reason the ransomware doesn't allow us to delete the sandbox or reboot, then force a shutdown and restart the PC. After restarting the PC, the ransomware or malware is terminated automatically. It can't do anything anymore. And now you can easily delete the sandbox and the infection is gone.

    3. Restricted sandbox. The ransomware won't run, or even if it runs, it can't install or connect to the internet. Something in the process that it needs to do to infect fails. Dead malware.

    I also believe what minimalist said here is very important to prevent ransomware from doing damage. I avoid allowing access to folders or files as much as possible. I only allow access to browser bookmarks.
    https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-132#post-2644291

    Bo
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One of the cool things about using VoodooShield is you can analyze the malware and it tells you if it can detect SBIE or other AVs. Very useful indeed.
     
  9. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    As a matter of fact I tested VoodooShield as I thought it would be the natural companion to SB when dealing with 0-day malware; unfortunately, on one of my Win 10 machines it froze the system so badly that even in shadow mode I had to do a hard reboot to recover normal functionality... This is not the thread to discuss it, but I've decided that SB and Avira are more than adequate, especially now considering how well SB performed in your tests...
     
  10. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I appreciate this is not the right place for the discussion, but by way of comparison I find SBIE and VS a brilliant combo on Win10. They complement each other very well IMO. True, VS has blocked SBIE executables occasionally when first released or in beta, but that is the fault of the VT blacklisters rather than VS itself. There was also an issue with command lines associated with SBIE auto-delete functions flagging on VS, but those are things of the past.

    I've used SBIE for years and have had various strategies for ensuring the stuff I allow to leave the sandbox is safe. VS is the simplest and most effective I've found to date.

    Just finished my usual annual round of checking out all the major suites. VS easily matches the best of them and outperforms most with minimal system impact or user input. Add SBIE's prowess at restricting threat-gate behaviour and access to your key files/folders, and the ability to remove the seemingly unstoppable tide of rubbish that browsers etc. seem to absorb during their normal functions, and you're on to a real winner I think.

    If there is an issue with VS and SBIE I'm sure Dan would love to help you get it resolved.

    Cheers
     
  11. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    That's a really important message, Bo. On default, SBIE eats up ransomware no problem as long as the user does not choose to recover the encrypted files, as even if the malware is allowed to run, the encryption is taking place on files copied to the sandbox, not the real system. However, if you open up a path in SBIE to save documents etc., you open yourself up to ransomware attacking the real system.

    Before the advent of ransomware I had lots of open file paths to make recovering things easier for other users, but the very real requirement nowadays to protect important files has pushed me into closing as much off as possible.

    Cheers
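Bo's restricted-sandbox case and Elwe's point about open paths both come down to a few Sandboxie.ini settings. The following is an added, constructed example, not configuration posted in the thread; the sandbox names and the Firefox profile path are assumptions.

```ini
# Constructed example, not from the thread: two sandbox definitions for
# Sandboxie.ini. Sandbox names and the Firefox profile path are assumptions.

# Risky: the real Documents folder is opened read/write so files can be
# saved straight out of the box. Ransomware running in this sandbox can
# encrypt the real files in that folder, not just sandboxed copies.
[DocsOpen]
Enabled=y
OpenFilePath=%Personal%

# Restricted (Bo's case 3): the box is wiped when its last program exits,
# admin rights are dropped, Documents is invisible to sandboxed programs,
# only the browser may reach the network, and the only real file opened
# is the Firefox bookmarks database (Bo's "browser bookmarks" exception).
[Restricted]
Enabled=y
AutoDelete=y
DropAdminRights=y
# deny even read access to personal documents
ClosedFilePath=%Personal%
# block internet access for every program except firefox.exe
ClosedFilePath=!firefox.exe,InternetAccessDevices
# let Firefox read and write its bookmarks database in the real profile
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places.sqlite
```

With ClosedFilePath=%Personal% the sandboxed browser cannot read Documents either, so uploads from that folder fail; ReadFilePath=%Personal% keeps reads working while still blocking writes to the real folder.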
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In my humble opinion, given how much of a part ransomware is going to play in the future, to surf without Sandboxie is nuts. And I say this even though VS has stopped almost 200 pieces of malware I've thrown at it. SBIE will catch zero-day stuff like almost nothing else.
     
  13. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    With all due respect Singollo, I joined this forum in 2005, and I have sort of "learned" here at Wilders to fix my own problems by layers, my last resort for all contingencies being restoring an image/backup. I have tried in the past several anti-executables, namely Faronics AE, NVT EXE Radar Pro, and just recently VoodooShield.

    I spent weeks on end trying to fix Faronics AE to no avail; NVT EXE Radar Pro almost boiled my most expensive machine (it blocked the sleep function, leaving the machine on all night with the lid closed); and VoodooShield completely froze one machine with Win 10 and refused to install on Vista Ultimate.

    Now I'm sure there is a workaround for just about anything, but my beta days are over; if a program doesn't work straight away, I'm not prepared to spend time trying to fix it. This is the reason I have not posted my problem in the VoodooShield thread. I know that VoodooShield seems to work very well for most people; it didn't for me, hence my curiosity about how effective SB is on its own vis-à-vis ransomware...
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ah, the sleep function. I have never used it because of just what you experienced. But I must say Dan is up top as the best. Couldn't hurt to talk to him. Unfortunately, today there is much "released" software that still should be in beta.
     
  15. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I'm not clear what longevity has to do with it, but I can say I am aware of how long you've been contributing positively to this forum and have enjoyed reading your posts for the 8 years I was a member before opening this account, as well as since. I'm therefore sure you're not suggesting the longevity and current post count on this account mean I'm not allowed to express a different view.

    I've used SBIE (on and off until I got my lifetime license 8 years ago) since Belgammin introduced it to the forum before either of us were members (but I lurked), and VS since Clone Ranger did the same here, but I don't think it conveys any expertise or right to prevent anyone else holding a different opinion, merely some experience of the products mentioned that others might benefit from.

    My original post was only to suggest to others less knowledgeable than you that not everyone has had problems with the combo and that Dan is a developer open to helping resolve issues with problems, not a challenge to the approach you've taken. Your view is valid and you're entitled to it.

    Regards
     
  16. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Just want to state that I am running Sandboxie along with VoodooShield and they are both running great together. Question to @Peter2150 and @Elwe Singollo: "Are you running MBAE in Sandboxie as well?" I know that you must install the MBAE template in the configuration in order for it to work. My browsers are FF and PM. Now, does adding the MBAE template do more harm than good, such as opening more holes in Sandboxie? In conclusion, if one is running VoodooShield with Sandboxie, is MBAE really necessary? Bo, chime in also if you like.
     
    Last edited: Jan 12, 2017
  17. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Hi Wolfrun, I don't use MBAE, although I have used HMPA with the other 2 in the past, but the license expired and I couldn't justify the expenditure given the other 2 largely cover the bases on their own. I used it for anti-ransom rather than anti-exploit at any rate.

    I don't think the template puts you at additional risk, so if you're happy using it, why not. It's very light from memory. The others likely have it covered though, particularly with SBIE reducing integrity to untrusted in your browsers of choice. Others disagree I know, but that's my tuppence worth for what it's worth.

    Cheers
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I also run HMPA with VS and SBIE. Personal preference, but I think HMPA offers better options than MBAE.
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Does VoodooShield need a Sandboxie template / Sandboxie Resource Access?
     
  20. guest

    guest Guest

    Try to start non-whitelisted applications within a sandbox. Do you get a prompt from VS? If yes, then you don't need a special template for VS.
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Well, that test may satisfy one resident application. Does that test carry over to all VS activity re Sandboxie?
    Do you have a Sandboxie template / Sandboxie Resource Access for VoodooShield?

    Does Bo's reply #5231 from Nov 2014 stand today?
     
    Last edited: Jan 12, 2017
  22. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Regarding VoodooShield, on both of the above, the answer is no, bjm. MBAE, yes, you need a template in Sandboxie Config.
     
  23. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    702
    Location:
    North America
    Thanks Pete and Elwe for the feedback.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify, the problem is already fixed, simply by cleaning all files in the sandbox, and it hasn't re-emerged. BTW, Firefox also has direct access to the profile.

    No I don't; it definitely is a problem related to the SBIE + FF combo.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I am not familiar with VoodooShield but that reply from Nov 2014 is as good now as it was then.

    Bo
     