Sandboxie - good enough to protect from ransomware?

Discussion in 'malware problems & news' started by r45, Jul 24, 2016.

  1. r45

    r45 Registered Member

    Joined:
    Aug 9, 2013
    Posts:
    2
    I have a question - is Chrome run in Sandboxie good enough to protect PC from ransomware attacks? Previously I used VirtualBox with Linux inside with "clean" browser setup (without any protection tools) for testing purposes. After browsing a while on high risk pages I had two ransomware attack.
     
  2. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    I would say that browsing with Sandboxie with the "DefaultBox" would be enough to contain any ransomware attacks. Changes to the file system would only occur within the Sandbox.

    You could tighten the rules to only allow whitelisted processes to execute or access the internet, which would stop any malware that relies on dropped PEs to execute. As for those relying on scripts or making use of other processes (cmd.exe, explorer.exe, etc), then it would depend on your settings.

    There are only two ways I can see you possibly being at risk for this class of malware:
    (1) somehow accidentally running a malicious file outside of the sandbox
    (2) setting up a sandbox where one or more programs have "Full" or "Direct" access to files outside of the Sandbox.

    You might notice that "Direct access" setting doesn't apply to programs downloaded or installed into the Sandbox, so how could there be any risk? The problem is that exploit kits like the now defunct Angler EK can inject their code into existing processes like the browser and load that as a new thread. If you can't trust the integrity of a whitelisted process, then IMO it's risky to give it write access to files outside of the sandbox.
     
    Last edited: Jul 24, 2016
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
    Just to add to JRK3 post: you can also use blocked access setting for your personal files, so that malware can't access and upload your data to their server.
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    r45, check this report from yesterday at the Sandboxie forum. :)
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=58&p=122399#p122391

    Bo
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    As others already said, SBIE will protect all files that are outside the sandbox. That's the beauty of virtualization and file redirection, malware can't modify the real files. You should be aware that ransomware will be able to modify files inside the virtual sandbox, so you shouldn't store anything important in these folders.
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    Any?...I think you mean only that malware that is launching in Sandbox...how Sandboxie will deal with ransome outside?
    How...no data leaking?...no possibility to modyfi files outside lokal disk?
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Sandboxie protect the system from programs that run under the supervision of Sandboxie. If you download a file and run it outside the sandbox, Sandboxie wont protect you. Thats why I sandbox files in my computers for their lifetime. The way I see it is like this, if a file is a going to run in my PC, its going to run sandboxed from the day it gets created in the PC to the day it gets deleted. Its a simple rule that's easy to get used to as files get sandboxed automatically by SBIE. Works nice.
    If ransonware gets to run within the sandbox, files that get encrypted are copies of the real files created by Sandboxie within the sandbox. The real files are untouched. Please read the real world example of ransonware within the sandbox that I posted earlier in this thread

    Thats real world, from a couple of days ago, relayed to us by a Sandboxie user about what he saw in his rookie friends computer after getting attacked by ransonware. Ichito, thats Sandboxie at work. Personally, I love that kind if stories as they show Sandboxie as what it is. :)

    Data leaking? Its very easy to tighten up what sandboxed programs can access in the computer and what they can do with what they have access to. If you want to completely shut down sandboxed programs from having access to your personal and sensitive files and folders, you can set it up that way. The settings are available for you to restrict the access as much as you want. Beside access settings, you also have available Start Run and Internet access settings. With this settings you can restricts the programs that can run in the sandbox and the programs that are allowed to have access to the internet.

    Examples, if a program can not run, it wont access your files, or if a program is allowed to run but not internet access, the program can not phone home any data that it has access to. So, you have the settings to do what you want. Is up to you, the user, what you do with them. Me personally, I look for the perfect balance in each sandbox that I create, I make them as restricted as possible without giving up usability. Sandboxes get restricted according to what I am going to run in them or their purpose for creating them. The result is that all my sandboxes are convenient to use, and secure.

    Bo
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes good point. I assumed the topic starter was familiar with SBIE. But obviously, SBIE does not protect against ransomware that runs outside the sandbox, it's not designed to do so, you need other anti-ransom tools for that.

    I'm not sure what you mean with this, but files outside the sandbox are protected against modification. If you want to protect them against data stealers, you need to configure the "File Access" settings in SBIE or use a third party tool, like SpyShelter for example.
     
  9. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    I suggest you read the whole thread fully first - or indeed the rest of my post you quoted, as I've already addressed this point.

    We're discussing Sandboxie and ransomware in the context of browsing.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    Thanks Bo and Rasheed...your explanation are quite useful especialy in contex of new Sbie features mentioned on its forum
    "1) Added new Sbie setting BlockNetworkFiles. It is available under Sandboxie Settings -> Restrictions.
    When BlockNetworkFiles=y, sandboxed applications are blocked from reading network files or folders. Individual files/folders can be opened for reading/writing using the normal Resource Access settings.
    This option is enabled by default for new sandboxes."


    OK...and it means that others question are baned.
    See on title...good question is more than half of geting good answer.
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Now you're putting words into my mouth. It would be easier if you would just read what I've actually said, instead of deciding I mean something else.

    I'm happy to answer genuine questions, but it's simply a waste of our time when you pose an argumentative question when the answer is in the post you selectively quoted:
    If you were genuinely just after information or didn't understand, then there are much less rude ways to ask. Since you plainly struggle with language, I'm going to give you the benefit of the doubt that you are simply unaware of your rudeness.
     
Loading...