Sandboxie and Cryptolocker issue

Discussion in 'sandboxing & virtualization' started by KeyPer4Life, Apr 16, 2014.

Thread Status:
Not open for further replies.
  1. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
  2. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    My understanding [from what buster said] is that the picture file was not actually compromised or encrypted, but the paths displaying the (sandbox) folder path were actually supposed to be shown as they would unsandboxed (like the picture path was), and it is a glitch in Sandboxie that somehow "exposed" the sandbox path instead.

    I don't have a cryptolocker sample to test (wish I did so I could be sure) so I can only hope that's actually the case (better than the alternative) and eagerly await more news/clarification on the matter myself.
     
    Last edited: Apr 16, 2014
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Would be quite a serious bug. :blink:

    But I can't imagine it being true.
     
  4. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Update on Sandboxie Isolation Demonstration: Cryptolocker


    Curt@invincea wrote:

    Buster and Hamy are correct. A sandboxed app should not be able to see the "real", sandboxed
    path. To Cryptolocker, they should all look like C:\Users\Public\Pictures\Sample Pictures\penguins.jpg.

    This does not present any kind of a leak or hole. The sandboxed app cannot access the file
    outside the sandbox. The only issue here is that the sandboxed app can determine that it
    is inside a sandbox by looking at the file path. But there are many others ways to
    accomplish that goal already (that cannot be plugged). We will attend to these as soon
    as we can get to them.

    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=18694&sid=6e7747f4787c4511acf97f2a56943afe
     
  5. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    463
    Location:
    UK
    I found I can just prevent Sandboxed programs from accessing my Sandbox folder using

    ClosedFilePath D:\Sandbox

    (my Sandbox is on the D: drive as C: is an SSD).

    This doesn't prevent Sandboxie from accessing the folder (as it needs to), just programs running inside it.

    This should prevent malware from figuring out if it is sandboxed. The Sandbox can be found as it has a fairly
    structured folder layout. One method is write to a file somewhere then see if the file content is also echoed in
    the sandbox folder. Then change the contents and check again. If it is echoed in the Sandbox both times,
    the program is running in a Sandbox.

    I suppose I could also change the name of the Sandbox folder to something which doesn't hint at its purpose.

    This doesn't fix all of the issues, but is one step.

    Unless ... someone tells me I shouldn't block access to the Sandbox folder like this?
     
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I also would like to hear feedback regarding possible ramifications of this action? And to you, whom I quoted, do you have any first hand feedback to offer? Have you been using this approach?

    And by "using" do you mean entering that string into the command line?... exactly like that? Might seem like common sense but I just wanna be sure.
     
  7. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    463
    Location:
    UK
    I have been using this approach about 1 week, I have had no problems or issues so far.

    I added the sandbox folder (in my case D:\Sandbox) to the list of blocked folders using the Sandboxie Control GUI

    Sandbox Settings>Resource Access>File Access>Blocked Access.

    You can also enter the command ClosedFilePath D:\Sandbox to the .ini file instead, but using Sandboxie Control is easier.
     
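    For readers who want the .ini route rather than the GUI, here is the same setting in Sandboxie.ini syntax as an added illustration (not posted by anyone in this thread). The box name DefaultBox and the FileRootPath line are assumptions for a sandbox rooted on D:; in the .ini the setting takes the form Name=Value.

    ```ini
    ; Added example, not from the thread. Assumes a box named DefaultBox whose
    ; container lives under D:\Sandbox (FileRootPath shown only for context).
    [GlobalSettings]
    FileRootPath=D:\Sandbox\%SANDBOX%

    [DefaultBox]
    Enabled=y
    ; Deny programs running inside the box any access to their own container
    ; folder. Sandboxie itself still reads and writes it; only the sandboxed
    ; programs are blocked, matching the GUI's Blocked Access entry.
    ClosedFilePath=D:\Sandbox
    ```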
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I've been using this tweak now too for the past week, with no issues. Until/unless I hear otherwise... that it's unsafe or whatnot, I'm staying with it.

    Thanks. I'm always up for taking in more info to tweak/harden my setup. Just when I think I've learned all I possibly can regarding hardening/trimming XP + my setup, I learn something new. It's a never ending process. That's why I keep coming back here once in a while.
     
  9. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    I've been using this tweak as well, now going on three weeks with no issues.
     