Sandboxie Acquired by Invincea

Okay, my confusion.
Just found: https://community.sophos.com/products/sandboxie/f/forum/116304/sandboxie-leaking/420741

Edit: just found re deprecated.cookie n' Windows automatically recreates some files: https://forum.piriform.com/topic/56057-suggestion-for-ccleaner/?tab=comments#comment-312391

 

the picture on sophos is fake. ccleaner cumulates found cookies in that option which do not apply to the real existance of cookies. never ending story.

the existant of cookes is as bjm_ shows up when you ticked IE > cookies - or IE direkt (internet options).

 

Thank Bo.. maybe they are spy us I will block it that connection

 

Microsoft account login fix per Akhilesh@Sophos 11-21-2019
https://community.sophos.com/products/sandboxie/f/forum/116358/microsoft-accounts/421336#421336

 

Guys, did you see this? Browsers like Chrome and Edge were hacked, I assume this means that they were able to bypass their sandboxes. In other words, if you ran Sandboxie on top, the malware would most likely be contained.

https://www.wilderssecurity.com/thr...kers-have-gathered-at-hacking-contest.423249/

 

no BS please - bypassing chrome or edge means bypassing windows sandbox and this dont matter whether inside or outside sandboxie to gain access to any data and send it out.

https://chromium.googlesource.com/chromium/src/ /master/docs/design/sandbox.md

 

Probably, but 0-days are astoundingly rare and Sandboxie doesn't really seem worth the program breakage that everyone seems to be having, me included on my laptop.

 

Does the Sandboxie offline activation page still work to generate the 400-character
activation key?
https://www.sandboxie.com/license/activate-offline.php

Is that completely done away with since the Sophos change?

 

At the risk of shooting myself in the feet I find fault with your short argument because SBIE does not rely solely on the built in windows uac controls or integirty levels (aka in this instance what I took to be your description of the 'windows sandbox') but instead relies on hooks [OM*G the number of user mode hooks is insane!] and then has requests sent to the SBIE service asking for permission to do THIS OR THAT.

They are both using lower integrity levels as a starting point (and this is mostly good). It does not, however, instantly translate into fact that if someone can trick or bypass the Chrome broker it also applies to Sandboxie.

Sandboxie has both service and driver components to aid in it's decision making and enforcement, chrome does NOT. How helpful that ends up being is not something I can properly attest to as I haven't investigated either in this scenario but with the little experience I do have with SBIE I'm tempted to believe that it still has a greater chance of preventing an escape.

Don't get me wrong. I find the sheer number of user mode hooks which SBIE currently uses alarming. They are more often than not responsible for the compatibility issues you read about here or there. I don't even use SBIE anymore and while not particularly related to the number of hooks I have found things to simply be easier to handle these days.

That said I still disagree with your statement that one cannot protect against something just because the other doesn't simply because they both start off by relying on a principle of 'least privilege' even if that means they initially start off at the same disadvantage by relying on the OS to limit what they can do and both use brokers to check the rest. SBIE has many 'extra' checks. It also has a bunch of other 'options' a user could choose to enable in order to block even more things.

 

bypassing windows sandbox means to break out of untrusted or low integrity process - this means bypassing DEP, ASLR, CFG Integrity - one or combo of those. if sandboxie has "extra" checks this would mean you can bypass or harden these mechanisms, even they were deep hidden under the hood (ini file). if you have set sandboxie to limit processes, access, rights or web ofc this would limit the damage. if not anything is possible. i dont know how many special switches sophos built into sandboxie to eliminate incompatibility for chromium based browsers.

 

Are you sure this is BS? AFAIK, these hackers used holes in Chrome to break out of the sandbox. Sandboxie implements the sandbox in a different way, so if Chrome and Firefox get hacked, this doesn't mean that Sandboxie will fail to protect the system automatically. Hackers will also need to exploit Sandboxie. So I'm afraid you're the one who is talking BS.

 

Would auto-denying admin access help with this at all?

 

I won't argue with you there.
I don't even use it atm so while once upon a time I might have bothered to some test stuff ~ that isn't where I currently am.

Hopefully people who care and have some real insight will take a look once the source is finally released and be able to tell actual users more!

 

No of course not. They are using holes in Chrome to get remote code execution and then elevate rights. The point is that if Sandboxie is not targeted, it will still contain the malware.

 

You know this based on what information? So far I've seen nothing but an obscure tweet on this hack. If this was the Pwn2own tournament, details on this nature of exploit would have been posted within a week of it happening.

 

Wait wait. So seeing as how LOTS of people use chrome and not that many people use sandboxie, if only by comparison, how likely is it that someone would target sandboxie as well as chrome using the same exploit method?

Okay, while proofreading this post, I scrolled up and saw that you weren't the one nay-saying sandboxie. Hopefully @Brummelchen will see this post.

The whole point of using sandboxie is to have a safety net in case of exploited vulnerabilities in any applications that you'd run inside of sandboxie. If you're worried that something might bypass sandboxie as well, then get HitManPro.ALERT! to go with it and set the rule that allows HMPA to work with sandboxie. But what you'll want to do is set the rule for just one sandbox and then go into the configuration file and cut&paste the rule into the global rules.

 

Don't just hope, make sure he can read it. How? Mention him in the post by clicking @ followed by his name. A notification will be showed when the user signs in.

 

Oh, by the way, I was talking about auto-denying admin access within the supervision of sandboxie's sandboxes, not windows.

 

Servers for offline activation are working again.
Was able to reactivate my lifetime license for older version of Sandboxie.

 

That's exactly my point. But some were also saying that Sandboxie on top of Chrome, would actually make Chrome easier to hack. I'm not buying that stuff, because you will still need to find holes in Chrome.

No that won't help either, assuming that hackers can elevate rights.

 

Yes correct, they didn't publish any information. But there are two ways to exploit a browser like Chrome:

1 By using holes in Chrome to get remote code execution and elevation of rights.
2 By using holes in Chrome + Windows to get remote code execution and elevation of rights.

In the first case, Sandboxie will most likely still contain the malware. In the second case, Sandboxie might still interfere with malware. I say this based on the Bromium report that was published years ago about sandbox escapes.

 

i have read it but why repeat my own words? and its not my problem when some people think they are more clever but run always in trouble here.

target of the TianfuCup was to break chrome and get elevated rights to compromise the system which is not possible with only user rights. so the breach got admin rights for its purpose. sandboxie can (or better: should be able) to deny admin rights with settings. but i can not prevent the chrome breach. another target was vmware exsi to reach host system. maybe sandboxie is not interesting enough.
if the box has admin rights the chrome breach was successful and malwarwe can do anything it wants inside the box. and if sandboxie would be vulnerable malware can break it too and jump like the vmware breach into the host.

yep.

 

Sure, very likely they achieved the breech one of these ways, no arguments here, but I'd like to see details on exactly how they achieved it, rather than speculation. The details of an exploit of that magnitude should have been posted long ago. The Tianfu cup had far more members than any pwn2own contest, yet the latter posts details of these kinds of hacks within a few days of them happening.

 

Brummelchen, regardless of your claims (this past few days), the truth is that is harder for malware to infect if you are using Sandoxie to sandbox Chrome, and it gets even harder if the user is able to use Drop rights in the sandbox were he runs Chrome. You can claim all you want, but that's the honest truth and all I would care about if I was a Chrome user.

Rasheed used a very important word in his last post that perfectly describes what Sandboxie attempts to do if and when we are under attack, that word is "interfere".

Thats what Sandboxie tries to do in every step the malware takes to infect, by interfering with what the malware does, is more likely than not that the malware will fail somewhere along the process it takes to infect. The malware might succeed in steps 1 and 2 but fail in step 3 so it cant continue or escape out of the sandbox. If it cant break out of the sandbox, it cant infect.

Bo