SandBoxie bypassed by a legitimate program

Discussion in 'sandboxing & virtualization' started by pandlouk, Jan 25, 2009.

Thread Status:
Not open for further replies.
  1. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    I wanted to give today's Giveaway of the Day, MovieShop Browser, a try, but not being sure whether I would like it or not, I downloaded the trial version and ran the installation in Sandboxie.

    Everything went fine, but the problem is that the default font of my Windows was changed to that of the program. :eek: :ouch: :blink:

    Not really a problem, but... lol; I have seen Sandboxie get bypassed by malware but never by a legitimate application. :p

    PS. It was a nice reminder not to be overconfident with security applications.

    Panagiotis
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    Not yet. It happened an hour ago.
    I'll report it later today if I find the time. If not tomorrow.

    For the moment I'm playing with the various settings of XP fonts. :D
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    Now I'm more confused.

    I installed the giveaway version (not sandboxed) and, as if by magic, my font settings were restored. o_O
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I'd be curious to know what malware bypassed Sandboxie, and if it still does with the latest versions.

    PS. Downloaded MovieShop Browser and will test later.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Well, I downloaded the trial version. The only sandbox I can try it in is my default box, which blocks all internet access.

    The first attempt failed as I had the drop rights feature turned on. Turned it off and it installed. I didn't see any issue with fonts on my computer, but what did bother me is that it did install in the real program area. Even after deleting the sandbox contents it was still there.

    I rolled back, since I was using ShadowDefender, and took another shot, this time blocking access to the c:\program area. The install never got off the ground.

    I am going to post about this now in the Sandboxie forum.

    Pete
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Posted in the Sandboxie forum under "Problems with 3.0 or later". The title of the thread is "A leak or me".

    Pete
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Well, it was me. No leak in Sandboxie; the leak was me.

    What happened :oops: was that when I went to check the unsandboxed area I saw MovieMaker (which is MS) and made a giant, but incorrect, mental link. MovieShop installs as c:\program\framering\movieshop, and it wasn't there.

    So Sandboxie didn't leak, and I didn't see the font issue. Several users on the Sandboxie forum tested with the same result.

    Pete
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Thanks Peter, that is good news indeed. Now I wonder what happened in pandlouk's case, if it got outside the box.
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Maybe a bug if he used a different SBIE skin?
     
  11. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    It was a file infector that I had tested about 2 years ago.
    Version 2.86 was immune to that one. After that I never retested it.

    I suspect that the font problem is caused by a conflict between Sandboxie and Outpost. (I have to do some tests to find out.)

    Here are two screenshots of my Firefox before and after installing the mentioned app sandboxed (I tested it 4 times, always with the same results).
     
    Last edited: Jan 25, 2009
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Despite all my efforts I've yet to find anything that bypasses SandboxIE of late. Not saying there isn't anything, but if there is it's a rare breed. The thing is too well coded; it's not playing fair with the malware writers. :p
     
  13. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Thanks for your effort Pete, posting on the sandboxie forum. Another case closed. :D
     
  14. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Oh, wait a minute, I had this boldness on fonts pandlouk is talking about, but I didn't notice until I saw the screenshots.

    The fonts didn't change in size or type, they just became bolder in some parts, like filehippo.com, but I thought it was my eyes. :p

    After a reboot, everything was normal again!

    I must say I didn't notice this boldness anywhere in Windows files or folders, just in my browser, and I had deleted the sandbox before I opened a new sandboxed browser.

    Will report it on the SandboxIE forum too. :)
     
  15. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    OK. After some more tests I can confirm that it slipped Sandboxie's registry protection. I do not know if it is a bug or if it is by design.

    Here are the registry directories that definitely got modified.

    "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU"
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags"
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache"
    "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache"

    (If you do not have a multilanguage pack installed, you probably will not have the MUICache directories.)

    Pete, or anyone registered at the Sandboxie forum, could you report it there, since you already opened a thread?

    thanks,
    Panagiotis
     
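A way to reproduce the check behind the post above without eyeballing regedit, and to cover the Program Files check Pete did by hand in post 6 at the same time. This is an added example written for this page, not code from the thread, from Sandboxie or from its forum. Assumptions: PowerShell 3 or later (the XP box in the thread would need the PS2 equivalents); the key list is the one pandlouk posted plus the Vista-and-later locations of the same shell bag and MUICache data, which are my addition; the directory root is the real Program Files, not the sandbox's own container, because writes to the container are expected.

```powershell
# Added example (not from the thread or from Sandboxie): snapshot the registry keys the
# post names plus the top level of Program Files, run the sandboxed install, snapshot
# again and diff. Anything that changed in the REAL hive or directory is what leaked.
$RegRoots = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\BagMRU',      # XP paths, as posted
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\Bags',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',            # Vista+ paths (my assumption)
    'HKCU:\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
)
$DirRoots = @($env:ProgramFiles)   # what Pete inspected by hand in post 6

function Get-RegSnapshot {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # key absent on this Windows version
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # shell bags are REG_BINARY: render as hex so every value compares as a string
                if ($data -is [byte[]])       { $data = [BitConverter]::ToString($data) }
                elseif ($data -is [string[]]) { $data = $data -join "`n" }
                [pscustomobject]@{ Key = $k.Name; Value = $name; Data = [string]$data }
            }
        }
    }
}

function Get-DirSnapshot {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        foreach ($d in Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue) {
            # same row shape as the registry rows so one comparer handles both
            [pscustomobject]@{ Key = $root; Value = $d.Name; Data = $d.LastWriteTimeUtc.ToString('o') }
        }
    }
}

function Compare-Snapshot {
    param([object[]]$Before, [object[]]$After)
    # index rows by key+value name; NUL cannot occur in Win32 registry or file names
    $old = @{}; foreach ($r in $Before) { $old["$($r.Key)`0$($r.Value)"] = $r }
    $new = @{}; foreach ($r in $After)  { $new["$($r.Key)`0$($r.Value)"] = $r }
    foreach ($id in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if (-not $new.ContainsKey($id)) {
            $r = $old[$id]; [pscustomobject]@{ Change = 'deleted';  Key = $r.Key; Value = $r.Value; Data = $r.Data }
        } elseif (-not $old.ContainsKey($id)) {
            $r = $new[$id]; [pscustomobject]@{ Change = 'added';    Key = $r.Key; Value = $r.Value; Data = $r.Data }
        } elseif ($old[$id].Data -ne $new[$id].Data) {
            $r = $new[$id]; [pscustomobject]@{ Change = 'modified'; Key = $r.Key; Value = $r.Value; Data = $r.Data }
        }
    }
}

# Baseline, then the sandboxed install, then the second snapshot and the diff.
$before = @(Get-RegSnapshot $RegRoots) + @(Get-DirSnapshot $DirRoots)
Read-Host 'Baseline taken. Run the installer inside Sandboxie, then press Enter' | Out-Null
$after  = @(Get-RegSnapshot $RegRoots) + @(Get-DirSnapshot $DirRoots)
Compare-Snapshot -Before $before -After $after | Format-Table Change, Key, Value -AutoSize
```

Read the diff with one caveat in mind: a changed row under BagMRU or Bags is not by itself proof that the sandboxed installer wrote there. Explorer running outside the box writes shell bags and MUICache entries whenever you browse a folder, including the folder you fetch the installer from, so the baseline should be taken immediately before launching the installer with nothing else touched, and the result compared against a control run in which you only open the same folders without installing anything. A row that appears only in the install run, or a new directory under Program Files that survives deleting the sandbox, is the thing worth reporting.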
  16. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Hi pan. Just as Mitch explained in the SBIE thread on the SB forum, it's just default behaviour from Windows itself, so no worries, no breaches.

    Thanks Mitch and Wraithdu.
     