Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

  1. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    54
    Location:
    UK
    Would someone kindly tell Sophos they have given the SHA256 in the hash lists instead of the SHA1. I don't have a Sophos forum account...

    From here:

    Code:
    https://www.sandboxie.com/AllVersions
    The MD5 numbers are correct. For anyone wanting the SHA1, here they are for the combined and x64.

    sbieSHA1.png

    Here's the x32 MD5 and SHA1

    MD5: 99EF84FFF797B6A1E05646136F5DE247
    SHA1: 3F40D870723A9F05E09D76D83BB7522750A0B052
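    Mattchu's point above, that a 64-hex-character value is a SHA-256 and not a SHA-1, can be checked mechanically. The following is an added example, not code from the thread or from Sophos/Sandboxie: it infers the algorithm from the digest length and verifies a download against a vendor hash list even when the heading is wrong. The installer file and its published hashes are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# A hex digest's length tells you which algorithm actually produced it.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

def identify_digest(hex_digest):
    """Return the algorithm implied by a hex digest's length (raises on junk)."""
    digest = hex_digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a hex digest")
    if len(digest) not in HEX_LEN_TO_ALGO:
        raise ValueError(f"unexpected digest length {len(digest)}")
    return HEX_LEN_TO_ALGO[len(digest)]

def file_digests(path, chunk_size=1 << 20):
    """Compute md5, sha1 and sha256 of a file in a single read pass."""
    hashes = {name: hashlib.new(name) for name in HEX_LEN_TO_ALGO.values()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

def verify_download(path, published):
    """Check published hashes against a file, keyed by the vendor's label.
    Each value is matched against the algorithm its length implies, so a
    SHA-256 value listed under a 'SHA1' heading is flagged as mislabeled
    instead of being reported as a failed verification."""
    actual = file_digests(path)
    report = {}
    for label, value in published.items():
        algo = identify_digest(value)
        report[label] = {
            "algo": algo,
            "mislabeled": algo != label.lower().replace("-", ""),
            "match": actual[algo] == value.strip().lower(),
        }
    return report

def demo_report():
    """Constructed sample: a throwaway file whose SHA-256 is published under 'SHA1'."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "SandboxieInstall.exe"  # constructed file, not a real download
        installer.write_bytes(b"constructed installer bytes\n" * 100)
        real = file_digests(installer)
        published = {"MD5": real["md5"].upper(), "SHA1": real["sha256"].upper()}
        return verify_download(installer, published)
```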
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,459
    Location:
    Nicaragua
    It includes the files in Safebrowsing folders and files cert and blocklist.

    Sin título.jpg


    bjm, I searched my computer for \google4, I don't have anything with that name on my computer (I am in W10 right now), but I don't allow access to Safebrowsing. Perhaps that's a new folder, but if it's within Safebrowsing it should be getting updated if you have the Phishing setting enabled. Those files get updated for me only when I run Firefox unsandboxed, which I do only to do updates.

    If you have the Phishing setting enabled, you can check the files that get updated by looking at the timestamp of the files after you get out of the sandbox. Or, run Firefox in a sandbox without allowing anything out, and set it not to delete on closing. After closing the browser, navigate to the sandbox folder and look at the files that got modified. You'll see cert, safebrowsing and perhaps the blocklist. Then afterward, these same updates should apply to the same files when you run Firefox again in your regular sandbox with access to Safebrowsing enabled.

    Bo
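    Bo's timestamp check above can be automated: snapshot the profile copy inside the sandbox before and after the browser session and diff the two. This is an added example, not code from the thread or from Sandboxie; the profile tree and the "session" writes are constructed in a temporary directory so it runs offline, and the relative paths it reports are the ones you would then allow direct access to.

```python
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (as a posix relative path) to (size, mtime_ns)."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            result[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return result

def changed_files(before, after):
    """Files that are new, or whose size/mtime differ, between two snapshots."""
    return sorted(rel for rel, meta in after.items() if before.get(rel) != meta)

def top_level_items(changed):
    """Top-level profile folders/files the changes fall under, e.g. 'safebrowsing'."""
    return sorted({rel.split("/", 1)[0] for rel in changed})

def demo():
    """Constructed profile tree; the sandboxed browser run is simulated by rewriting files."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        g4 = profile / "safebrowsing" / "google4"
        g4.mkdir(parents=True)
        (g4 / "goog-phish-proto.vlpset").write_bytes(b"old")
        (profile / "cert9.db").write_bytes(b"certs")
        (profile / "prefs.js").write_bytes(b"prefs")
        before = snapshot(profile)          # taken before launching the browser
        # simulate what the browser writes during the session
        (g4 / "goog-phish-proto.vlpset").write_bytes(b"updated")
        (g4 / "goog-phish-proto.metadata").write_bytes(b"new")
        (profile / "cert9.db").write_bytes(b"certs2")
        after = snapshot(profile)           # taken after closing the browser
        changed = changed_files(before, after)
        return changed, top_level_items(changed)
```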
     
  3. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    54
    Location:
    UK
    The google4 folder should be covered/allowed access by the safebrowsing* wildcard as it's a subfolder.
     

    Attached file: g4.png
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,459
    Location:
    Nicaragua
    Hi Mattchu. A few days ago, someone did report that at the Sophos forum. So, they know (and don't care).

    Bo
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    I was wondering specifically what direct access to Phishing database includes.
    ....direct access to Phishing database has been around a long time.
    I'm thinking I need direct access to >
    %Local AppData%\Mozilla\Firefox\Profiles\nxnxnx.default-release\safebrowsing\google4\
    since date n' time only seem to change in sub folder \google4\
    Does * still work?
    %Local AppData%\Mozilla\Firefox\Profiles\nxnxnx.default-release\safebrowsing\*
    Thanks
     
    Last edited: Oct 28, 2019
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    Yes, I see
    png_2062.png
    I'm wondering if something changed since -- direct access to Firefox phishing database was added, years back. I imagine Google Safe Browsing (and Firefox) has changed over years.
    png_2059.png png_2060.png
    I'm wondering whether the safebrowsing folder does periodic housekeeping or just keeps accumulating data.
    Thanks
     
    Last edited: Oct 28, 2019
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,459
    Location:
    Nicaragua
    I am sure it has. That google4 folder is something fairly recent. I don't have it. That's a change from how Safebrowsing was (at least) months ago. One reason perhaps why I don't have that folder is because I disable all of that stuff below:

    1.jpg

    I don't know bjm, but I can tell you this. In total, I have 59 files, and of those files, 2 are timestamped with the date from when I bought my W10 and installed Firefox. These files are from early July 2017.

    Bo
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    Yeah, I recently checked
    png_2066.png
    and recently noticed google4 folder.
    That got me curious whether not relevant Safe Browsing data is purged thru housekeeping updates.
    And curious whether Safe Browsing database moved to the cloud.
    And wondering whether "direct access to Phishing database" still works.

    I've observed Google Safe Browsing work without "direct access to Phishing database"....so, database loads AppData each sandbox session? Correct me.
     
    Last edited: Oct 28, 2019
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,706
    Location:
    Canada
    I'm running FF v70 in Linux enforced by an AppArmor policy, and I've got those Google4 entries profiled as:

    Code:
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/ r,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-*.vlpset rw,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-badbinurl-proto.metadata r,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-downloadwhite-proto.* r,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-malware-proto.* r,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-phish-proto.* rw,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-phish-proto.vlpset r,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-unwanted-proto.metadata rw,
      owner /home/*/.cache/mozilla/firefox/jy8kmldv.default-release/safebrowsing/google4/goog-unwanted-proto.vlpset r,
    Some require only read permission, while others require both read & write permissions. I use some wildcards just to reduce the AA profile size.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,459
    Location:
    Nicaragua
    Yes, that's correct. The reason to allow direct access to phishing database is so the entire database is not downloaded over and over every time you run the browser in the sandbox.

    Bo
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    Well, in a recently opened sandbox, I don't find the safebrowsing folder.
    png_2072.png
    and then after a while I'll see safebrowsing folder.
    png_2073.png
     
    Last edited: Oct 28, 2019
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    So, the database is pushed down with & without "allow direct access to phishing database"?
    So, the database is pushed down with & without "boxes checked"?
    png_2074.png
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,459
    Location:
    Nicaragua
    When I want to see files inside the sandbox, I always use regular file explorer. To me, it is more comfortable than using the SBIE UI for that.

    Look at this picture, on top, you see Safebrowsing after running Firefox in a sandbox. The Safebrowsing database updates whenever there is an update available. This is gonna happen, regardless of whether you are allowing direct file access to Safebrowsing or not.

    The role of allowing access to Safebrowsing is to pass the updates to your real system. So, next time you open Firefox sandboxed, if there is an update, the updates are smaller in size.

    The bottom picture shows my Safebrowsing folders as they are right now, outside the sandbox. They were last updated on Oct 25th, that day was the last time I ran Firefox outside the sandbox (to update to Firefox 70 or do something regarding Firefox after updating to 70). Remember, I don't allow direct file access to Safebrowsing.

    Sin título.jpg

    Bo
     
    Last edited: Oct 29, 2019
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    Yes, bad habit looking thru SBIE UI. Yes, it's easier looking thru File Explorer.

    Um, since safebrowsing database is pushed down, regardless >
    with & without "allow direct access to phishing database"
    with & without "boxes checked"

    May I inquire....what you gain by not checking boxes?
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,459
    Location:
    Nicaragua
    Yes, it is downloaded into the sandbox only, if you don't allow direct file access.

    And

    The database outside the sandbox, also gets the update, if you allow direct file access.

    I can't be 100% sure on this. But I would say, some database is not downloaded if you untick those options. Remember, I untick them and I don't have the google4 folder.

    My reason for not ticking those options is so Firefox doesn't block pages its database considers as malicious.

    Bo
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,459
    Location:
    Nicaragua
    I gave you my reason in the post I just posted but I'll give it to you again. My reason for not ticking those options is so Firefox doesn't block pages its database considers as malicious. I want to browse free from any kind of signatures, databases, lists, the kind of stuff that blocks you from visiting websites.

    If I want something blocked, I'll do it myself via NoScript. No worries, with Sandboxie as a safety net, nothing is gonna get thru.

    Bo
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    Yes, you don't have the google4 folder with unticked boxes and I noticed google4 after I ticked the boxes.
    Yes...tick vs untick .... interesting.
    Thanks
     
    Last edited: Oct 29, 2019
  18. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    54
    Location:
    UK
    :thumb:

    Gits!

    @ Bjm_ Pretty sure wildcards still work fine as they're in front and after the database files/folders and I've had a few "alerts" here and there. It seems Google safebrowsing has recently moved to a v4 api whereby the SHA256 is used in the VLPrefixset.
    I would think the database is always downloaded, whether it refers to them depends on if you have the boxes checked. I'll test this theory in a bit...
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    Hi @Mattchu
    Hi,
    Yeah, v4 had me wondering whether "allow direct access" still worked.
    Appears "allow direct access to phishing database" = AppData Roaming 'blocklist.xml' and 'cert9.db' + AppData Local \safebrowsing*.
    png_2086.png
    I've tested Google Safe Browsing against: vxvault, openphish, urlhaus.
    Thanks
     
    Last edited: Oct 29, 2019
  20. Mattchu

    Mattchu Registered Member

    Joined:
    Nov 8, 2008
    Posts:
    54
    Location:
    UK
    :thumb:
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    https://www.ghacks.net/2019/10/29/how-to-use-sandboxie-for-browsing-downloading-and-installing-programs/
     
  22. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    1,683
    they should've asked elam to write it. just saying.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,375
    Location:
    .
    +1
     
  24. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    107
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When have we heard this before
     