Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My question here is why bother. I've never done anything like that and no malware I've tried has gotten past.
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'm simply curious, because as far as I know, if any form of malware and exploit or anything else is forbidden to write/read-only (this is not the same as blocking), than it can do any form of damage at all (not even the slightest).
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,087
    Location:
    .
    AppGuard perhaps?
     
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, I also meant on AppGuard as well, but the fact is Sandboxie can be configured as read-only those drivers, processes, dlls, sys, bat and etc. since they cannot be blocked/access to these drivers, processes, dlls, sys, bat and etc. cannot be blocked that the same way.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,087
    Location:
    .
    How it can be configured? I'm a bit lost.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Remember what curiosity did to the cat. Messing with all this all your going to do is mess up your setup. Relax and let sandboxie do it's job. It does great on default and even better with a few start/run restrictions.
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Oh, trust me, I have my own configuration and I'm stick with it, some of that configuration I have stolen from Bo and that's about it.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I presume you mean on Sandboxie, because this is what I meant.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    Those are protected directories, so unless malware elevates, it can't write to those locations anyways. That's why one of the most basic and prudent steps to computer security is to run as a Standard user. Of course with newer Windows you can run with UAC enabled (preferably at maximum) and that will restrict your administrative account with Standard rights.

    You will so often see in Microsoft Security Bulletins:

     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,087
    Location:
    .
    Yes you presume right.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'm curious if malware can write to these locations when Sandboxie on default level, I have DropMyRights enabled, I guess this covers those locations?
    But I was talking about read-only thing, specifically.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Go resource access-file access-read-only, and also resource access-registry access-read-only (check out Bo's link to Sully's Sandboxie configuration thread on previous page).
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    I don't see how it could unless it's elevated, although someone with more knowledge about Sandboxie might know. Attached is a list of Windows directories that are not protected. Typically if I run an anti-executable of HIPS, they are the ones that are monitored. hopefully I didn't miss any.
     

    Attached Files:

  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,087
    Location:
    .
    Thank you.
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,443
    Microsoft IIRC had a fix for t2embed.dll vulnerability and Sandboxie blocking that dll would have
    prevented access AFAIK.

    ClosedFilePath=C:\WINDOWS\system32\t2embed.dll

    Sandboxie blocking an exploit from affecting users system is contained within the sandbox
    Not saying it stops malware from running inside the sandbox, but is contained and once
    sandbox is deleted your good to go.

    As mentioned it's good idea to run as Standard/limited user and apply restrictions to the
    sandbox for better protection.

    Test Sandboxie with Read-Only Access to a Windows file and see what happens.

    My Question is - Why are you blocking win32k.sys and the drivers folder in Sandboxie?
     
    Last edited: Feb 7, 2015
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    On default, the whole system is Read only to sandboxed programs. Sandboxed programs can not write to unsandboxed files unless you allow it, with default settings or not. The Read only setting in Sandbox settings has to do with what sandboxed programs are allowed to do within the sandbox with files that are outside the sandbox. Unsandboxed files and folders that you set as Read only, can be accessed/used by sandboxed programs but they can not be modified within the sandbox.

    I personally have never set windows or anything within Windows as Read only. It has never even crossed my mind to do it. Just the other day, when I tested Flash in a sandbox with Windows set as Read only, I couldn't use Flash. In my opinion, setting Windows or anything within Windows as Read only is not convenient and unnecessary.

    The files and registry keys that Sully set up as Read only are OK and make sense. Those are files and keys that sandboxed programs have no reason to change at all. Thats why you can use those settings and your sandboxed programs still work great.

    Bo
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,087
    Location:
    .
    Thanks Bo.
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,443
    If you tried installing Flash inside sandbox then yes you would get install error if you
    set C:\WINDOWS to Read-Only Access in Sandboxie.

    If you installed Flash inside sandbox minus the C:\WINDOWS Read-Only Access setting then
    it will install correctly and your able to play Youtube videos.

    If you installed Flash outside sandbox (on real system) and set C:\WINDOWS to Read-Only
    Access you can still play youtube videos. Plugin-container.exe if not disabled would
    need Start/Run Access in Sandboxie as well.

    I do use Read-Only Access settings in Sandboxie. I don't want certain files and/or folders being modified.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    That is what I was testing. Same result.
    That is how I handle Flash in W7. I hardly ever need Flash in W7 so I don't keep the program installed in the system. In this computer, I temporarily install Flash in a sandbox when its required for something and delete the sandbox after using it.

    Bo
     
    Last edited: Feb 7, 2015
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What I was trying is to make these locations read-only so that even sandboxed (inside/under Sandboxie) malware cannot write anything.
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Locations like win32k.sys and kernel32.dll needs to be protected from modifying it-maybe you can't block access to them but you can block exploits, file-less exploits/malware from writing and modifying them with Read-only option inside Sandboxie-that was my point, read-only option is the perfect protection from writing/modifying win32k.sys, kernel32.dll and all other locations on Windows from memory file-less exploits their payloads, file-less malware, drive-by downloads, user intervention and etc., that includes unblockable locations like win32k.sys and kernel32.dll, maybe you can't block access to them but you sure can prevent their modifications using read-only option-that was my point here, I'll wait others to confirm these claims or to disprove these claims!?
    Anyone?

    Again, I'm asking you what would happen if I disable writing/which means enable read-only to win32k.sys and kernel32.dll?
    So you see this is not about blocking access to those locations right now, it's about read-only without ability to write anything to wins32k.sys and kernel32.dll and all other locations?
    Read-only is not the same ClosedFilePath-completely/entirely different things.

    Just for the record, what would happen if I block win32k.sys and kernel32.dll (ClosedFilePath, not Read-only) and all other similar unblockable locations, to be honest I'm too scared to do it, would my computer freeze, so I would need entire re-installation from scratch?
     
    Last edited: Feb 8, 2015
  22. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I would say and repeat what Pete already told you CWS. Relax, you have Sandboxie and AppGuard as your protection.

    Myself I don't much bother myself with trying to tweak SBIE too much. It is probable you can make your computer totally unresponsive etc. if you try. But most times it will come only if you try go too far with forced programs and try make them only run sandboxied.

    Next step of course is for you to go try some hips program, to be in "total control" and then you are not running your computer to enjoy but instead running your security apps trying to make your PC work ;)
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    @Jarmo P You are right on the money

    @cws I hope you have a good imaging program you tested recovery on. You seem bound and determined to break your system
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,087
    Location:
    .
    @ CoolWebSearch
    I was having second thoughts and are you kidding us? With all due respect a person with your knowledge level is supposed to know about Imaging/backup system partition precisely to recover from disasters of any nature.
    Of course you can test those templates in SBIE and screw your system up but there's no need to re-install from scratch as long you have a system image.
     
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,443
    I'm only going by what you had posted.(#998 ) You have win32k.sys and drivers folder listed
    as blocked (ClosedFilePath) not Read-Only (ReadFilePath) unless you changed the settings.
    As stated before ClosedFilePath would have no effect. You can't block a driver with
    that setting in Sandboxie and yes I'm aware of difference between the two settings.
    Also remember blocked access setting takes precedence over other file access settings
    you may use.

    It also may depend on what programs you have running in the sandbox and the OS your using.
    What works for me might not necessarily work for you, although there will be common ground.
    Some app for example might not work with a user when "Drop Rights" setting is enabled in Sandboxie
    where it may work for me.
    If I set win32k.sys and kernel32.dll to Read-Only Acccess nothing happens.(sandboxed browser)
    Usually a Sandboxie message pops up when something is configured wrong or doesn't
    work, but I can't say that will happen all the time.

    If your uncertain about particular Sandboxie settings then you could post at Sandboxie
    forum to devs.

    NOTE: When I do testing,installing or change settings in Sandboxie it's done on virtualized
    system as a pre-cautionary measure. Especially if any HIPS program is involved. Freezes/lockups
    can and have happened because of a changed setting(s) or compatibility issue. I would be very
    careful about changing certain Sandboxie settings without some type of backup in place.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.