Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It seems to me that is no use to explain you that theories mean nothing without evidences-that is my crucial point here, if it was in your case we would still live in Dark Ages and believe everything what others tell us without any form of any concrete evidence.
    I will stop now, this not a time or a place for such a debate, besides, we are going in circles.
     
    Last edited: Feb 4, 2015
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,174
    Location:
    Nicaragua
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are some locations within the Windows folder that accounts with non-admin privileges can write to unsandboxed, so doing this might cause some programs to fail.
     
  4. 142395

    142395 Guest

    Currently can't find particular problem, but maybe.
    However, I guess that's bad manner and not many program do this, tho I may be wrong.
     
  5. 142395

    142395 Guest

    Wow, I didn't know there's already such extensive setting post!
    Thanks for the link!;)
    Is Sully still active in this forum? I haven't seen him at least after I entered Wilders. Can I see such info in somewhere?

    [EDIT] looks like they are for XP. Some thing are same or can easily be translated to Vista, 7 or 8, but others not. It seems MS changed many of those things. I'll look into those things on my Win7x64.
     
    Last edited by a moderator: Feb 5, 2015
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,174
    Location:
    Nicaragua
    I think some of the settings in that thread are perfect for the extra paranoid, like you, Yuki.;)

    I can tell you, in my XP, I use the ones for the registry and the ones below. Never an issue or a message from Sandboxie. But never tried any of them in W7.

    ReadFilePath=C:\AUTOEXEC.BAT
    ReadFilePath=C:\boot.ini
    ReadFilePath=C:\Config.sys
    ReadFilePath=C:\IO.sys
    ReadFilePath=C:\MSDOS.sys
    ReadFilePath=C:\ntldr
    ReadFilePath=C:\NTDETECT.COM

    Yuki, I discovered Sandboxie on my own, not in a forum or anyone telling me about it. I found Wilders while I was searching for information about Sandboxie. And when I first landed here, there was Sully talking about Sandboxie. He went away some time ago and I surely miss his posts. If he is still reading Wilders, he probably loves reading your posts like most of us do.

    Bo
     
  7. 142395

    142395 Guest

    Thanks, as to difference with new Windows I added in previous post.
    That's too bad, surely we could learn much from him if he was still here. But thanks for kind words!;)
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,174
    Location:
    Nicaragua
    Hi Mr Brian, I have never used the Read only setting for Windows. But I know there are many SBIE users who do use that setting. I think its probable that using the setting would work in almost all sandboxes. Read only files can still be used by sandboxed programs. The only difference is that Read only files can not be modified within the sandbox.:)

    Edit: I just tested with a program that's easy for me to test, Flash. I don't have Flash installed in my W7. So, when I tried to install Flash in a sandbox with Windows set as Read only, the installation fails.

    And if I install Flash in the sandbox and after installing Flash, I set Windows as Read only, Flash does not show up in the Firefox plugins window. So, with Windows as Read only, things work as if Flash was not installed.

    Bo
     
    Last edited: Feb 5, 2015
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    My feeling is that any application program that wants to write to the Windows directory can go ... away!
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,919
    Location:
    .
    Except for Sandboxie I guess you missed to say! LOL
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,174
    Location:
    Nicaragua
    Huge exception.:D

    Bo
     
  12. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    At least all programms that install drivers must do so. Of course, they mostly can't be installed in Sandboxie.
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    And I do my best to keep them to a minimum, particularly given the scandals around the subversion of code certificate signing.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For those making folders "Program Files", "Windows" etc. read-only in a sandbox: another thing that should be tested is if doing so interferes with UAC Virtualization.
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Can anyone please confirm or beat this argument from malwaretips.com written by Littlebits:
    "As I have said before software level of security can be bypassed much easier than OS level security. That's why UAC is much better than HIPS, behavior blocking and sandboxing, etc. Just make sure you have UAC enable at defaults and utilize its protection, avoid downloading suspicious files and visiting unknown sites. Pay attention to Windows digital file warnings when running files and you should be safe.

    There is not a single type of security protection that can't get bypassed.
    However software level is the most easier for malware to bypass, next OS level then last BIOS level which is most secure.

    There has been malware known to bypass all levels, but not as common and widespread.

    Sandboxie has been bypassed before in the past but I believe the issue was fixed by the developer. Sandboxie is the best in its category but all software have vulnerabilities and malware writers look for them and eventually will find them and exploit them. Even though UAC and Windows OS has had vulnerabilities as well, it is much more difficult for malware writers to find a way to exploit them. Even system BIOS has vulnerabilities but it is so hard for malware writers to find a way to get exploit them which makes them extremely rare. They are usually used as attacks on large businesses.

    Malware that is most common for home users doesn't even use vulnerabilities just simple fake alert sites that trick users into manually running infected files
    ."

    First question: is this all true or false (which parts are true and which parts are false)?
    And second question: this is they bypass Littlebits is talking about: you have to be logged in to see this thread:
    http://forums.sandboxie.com/phpBB3/viewtopic.php?t=9812&sid=6c7a98e7a8a4e768f990a8d817732cf7

    However. what I have noticed that all Sandboxie bypasses and pocs were because DropMyRights feature was not enabled/checked, so what would protect more UAC (maximum settings) or DropMyRights feature of Sandboxie, it seems to me that you get the same results and equal protection level?
    Also, UAC is some sort of virtualization, so it could cause conflicts with Sandboxie and its enabled DropMyRights feature if you use both UAC on maximum level and Sandboxie with enabled DropMyRights feature, right?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    Yeah, I mean enough is enough. But apparently they seem to think differently. :D

    This is nonsense, it's just silly to compare UAC to HIPS and sandboxing. UAC can't give the same level of security.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,080
    Location:
    Canada
    Can't confirm but I would agree completely. At least I would say they are more common, if not easier to bypass than the O/S is. Malware attacks are more likely to use code that exploits some kind of vulnerability on existing software running on the O/S. One need look no further than Java and Flash exploits for some evidence.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,919
    Location:
    .
    I can't either, but one thing I might highlight is that Windows releases every Patch Tuesday several updates regarding OS security vulnerabilities and for me this means Windows is as vulnerable as any other software, maybe more.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Groan. I must tell a story here because it fits. Years ago when I was trying to learn futures trading, I had a knowledgeable mentor. He used what are called "indicators" which are mathematical constructs based on price data. One of the ones he used, yield mathematical errors under certain data conditions. So I wrote him and explained it to him. His response stunned me in it's clarity of thinking. What he said to me: If I understood everything you said to me I probably won't use this indicator to trade and make money, but since I don't understand it, I will just continue to use it and make money.

    Same with Sandboxie. I know it hasn't be bypassed in the live, only poc, and I know all my tests with real live malware have been successful, I just relax and continue to let it protect me. All the rest of the angst here i classify as "Tilting at Windmalls"
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What about the following Littlebits claims:
    "My understanding is that one of the main much quoted benefits of Sandboxie , is that by sandboxing the browser, drive by download attacks due to browser vulnerabilities, can be prevented.
    I quote findings from joint research by three eminent universities in Usa ,France & Austria:
    "Drive-by downloads work by exploiting vulnerabilities in web browsers, plugins or other components that work within browsers,Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vul-nerabilities in web browsers and browser plug-ins to execute shellcode, and inconsequence, gain control of a victim’s computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, send-ing spam emails, or participating in distributed denial of service attacks."

    I presume this part is true.

    What about this part:
    "Drive by downloads no longer exist if you are using an updated browser and plugins. Internet Explorer, Firefox and Google Chrome already blocks drive by downloads by default, the user has to click to download files and execute them. I haven't seen a drive by download since about 2007 because browsers now have better security to block them. Even if one happen to get by it will still be blocked by UAC, the user would have to approve it in order for it to be successful infecting your system.

    All downloads require user actions to manually download and execute unless you are using out-dated browsers, Java plugin, Adobe Flash, Shockwave or PDF plugins.

    Keep your browsers and plugins updated and disable Java and you will probably never see any drivebye downloads. If you happen to encounter one that slips by keep UAC on default settings and make sure to check the file before approving it. If the file is not digitally signed by a trusted publisher then it could be malicious, UAC will let you know if the file is digitally signed."

    True or false?

    Also, Littlebits wrote:
    "I never sandbox my browsers or web applications, it is not necessary if you always download files from safe sources and never execute files without checking them first. If you use Internet Explorer never select "Run" on a download always select "Save" because you can check it before running it. That is the most common way users get infected.

    All known malware that infects users today requires the user to manually download and manually execute the malicious file. I think only paranoid users actually sandbox their browsers and web applications or users that just don't know how to safely download files.

    If you download a file that appears to be suspicious then you can add VirusTotal right click menu "send to VirusTotal" then right click and select "Run Sandboxed" on the suspicious executable file and it will run in Sandboxie.

    If you are an advanced user you can see what the suspicious executable file does by opening the Default Box by selecting "Explore Contents". Windows Explorer will open sandboxed and you can view files that the suspicious executable created safely.

    I never use the Recover Files on Sandboxie, if the executable is verified to be safe then I will just run it out of the sandbox on my system if it is something that I want to run or install.

    The only benefit of using the Recover Files is if parts of the executable file has mix content of both safe and malicious files created. This however is very rare, either the executable file is malicious or it is safe most of the time. Some installers have forced adware because this can benefit advanced users that want to install a software without any adware included, but this is also rare, most installers now days has opt-out opinions if you pay attention the adware can be bypassed easily."

    What do you all think?
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Read my post above. Any Windmills handly
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    OK, I understand now, Peter.
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I need info about something regarding Sandboxie:
    My configuration is:
    ClosedFilePath=C:\WINDOWS\system32\t2embed.dll
    ClosedFilePath=C:\WINDOWS\system\
    ClosedFilePath=C:\WINDOWS\system32\kernel32.dll
    ClosedFilePath=C:\WINDOWS\system32\win32k.sys
    ClosedFilePath=C:\WINDOWS\system32\drivers\

    Which of drivers, processes, dlls and etc. are unblockable, as far as I know, kernel32.dll and win32k.sys are unblockable, right what other drivers, processes, dlls and etc are unblockable by Sandboxie?
    If they are unblockable can they be configured so they are write-protected/read-only so even file-less memory exploits and file-less malwares in general cannot write to Windows drivers, processes, dlls and etc.?
    So, if nothing can write to them (only read), than you are 100% protected: right or wrong?
     
    Last edited: Feb 7, 2015
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    ClosedFilePath settings have no effect.
    You cannnot block a driver with ClosedFilePath in Sandboxie.

    ClosedFilePath=C:\WINDOWS\system32\drivers\
    ClosedFilePath=C:\WINDOWS\system32\win32k.sys
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Read my entire post above, please, again, you did no respond what I asked; is it possible for those drivers, processes, dlls, sys and etc. to be write-protected/read-only so malware, exploits and etc. cannot write anything the way it wants to that driver, process, dll, sys and etc.?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.