Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. 142395

    142395 Guest

It is already answered, but as a note, Chrome also has its own DNS cache which should be deleted when you purge the sandbox.
    As for vulnerability, the only possible scenario I can think of is DNS cache poisoning, but that is not what SBIE should/can protect against.
    Even if SBIE flushed all DNS cache, you're still vulnerable unless you remove the fundamental cause of the poisoning, such as a MITM.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
  3. icestorm82

    icestorm82 Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    5
Would it be possible to create and develop a way to use scripts (e.g. flush DNS) when sandbox content is deleted?
     
    Last edited: Mar 12, 2015
  4. Lumikai

    Lumikai Registered Member

    Joined:
    Jan 5, 2015
    Posts:
    8
    Hi Icestorm,

    See posts towards the end of the following thread:
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=4&t=19265

You can delete the content of a sandbox via a batch file by running Sandboxie's Start.exe with specific command-line strings (http://www.sandboxie.com/?StartCommandLine)

    If you use a batch file to delete your sandbox you can then also tag on any other commands you want to run, e.g. ipconfig /flushdns

    Thanks Rasheed, I was missing this from my forced programs list.
     
    Last edited: Mar 11, 2015
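The batch-file idea above, written out as a PowerShell script. This is an added example, not code from the thread or from Sandboxie. It assumes Sandboxie is installed under Program Files, the box is called DefaultBox, and the box files live under C:\Sandbox\<user>\<box> (the installer's default); the /box:, /terminate and delete_sandbox_silent arguments are the ones documented on the StartCommandLine page linked above, so check them against the version you have installed.

```powershell
# Added example (not from the thread or from Sandboxie itself).
# Assumptions: Sandboxie under $env:ProgramFiles\Sandboxie, box named DefaultBox,
# box files under C:\Sandbox\<user>\<box>. Adjust all three for your setup.
param(
    [string]$Box = 'DefaultBox',
    [string]$SandboxRoot = "C:\Sandbox\$env:USERNAME\$Box"
)

$start = Join-Path $env:ProgramFiles 'Sandboxie\Start.exe'
if (-not (Test-Path $start)) { throw "Start.exe not found at $start" }

# 1. Stop everything running inside the box first. A live sandboxed process keeps
#    files open, which is one way to end up with a leftover _Delete... folder.
& $start "/box:$Box" /terminate
Start-Sleep -Seconds 3

# 2. Delete the box contents without the confirmation prompt.
& $start "/box:$Box" delete_sandbox_silent
Start-Sleep -Seconds 3

# 3. Verify the wipe: the box folder should be gone, and so should the renamed
#    "_Delete..." folder Sandboxie creates while deleting (pattern is an assumption).
$parent = Split-Path $SandboxRoot
$leftovers = Get-ChildItem -Path $parent -Directory -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -eq $Box -or $_.Name -like '*_Delete_*' }
if ($leftovers) {
    Write-Warning "Sandbox content still present: $($leftovers.FullName -join ', ')"
} else {
    Write-Host "Sandbox '$Box' removed."
}

# 4. Clear host-side state that lives outside the box and therefore survives the wipe.
ipconfig /flushdns | Out-Null    # Windows resolver cache

$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    arp -d * | Out-Null          # ARP cache; needs an elevated prompt
} else {
    Write-Warning 'Not elevated: skipping arp -d *'
}
```

Run it from an elevated PowerShell if you want the ARP cache cleared too; the DNS flush works unelevated. Chrome's in-process DNS cache mentioned earlier in the thread needs no separate step, since it lives inside the sandbox and disappears with the box contents, but the Windows resolver cache and ARP table are host-side and are only touched by steps in part 4.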
  5. icestorm82

    icestorm82 Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    5
Thank you so much, this and others (like the ARP cache) could be useful for a deeper sandbox wipe in case of running malicious software.
     
  6. 142395

    142395 Guest

  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
  8. 142395

    142395 Guest

    From Rasheed's link in #1102,
But why did you add it if you didn't know what it is?
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
No Yuki, lol. I added hh.exe but not hh.exe.mui, that's why I'm asking about it and whether it needs to be added as well.
     
  10. 142395

    142395 Guest

Sorry, that is a Multilingual User Interface file, which is used on a PC with multiple languages.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    No problem. Well, I can deduce then, there's no need to add it as a forced program to SBIE, right?
     
  12. 142395

    142395 Guest

Yes, and that is actually not an .exe.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Thank you.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
Actually, I already knew about this possible threat, but forgot to add it to "forced programs". If I'm correct, "hh.exe" is basically a browser that's using the IE engine.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
I have discovered something weird about Help Files (.chm): if I open them directly, then "hh.exe" will start, but when you open them via some app (like SpeedFan) I don't get to see a separate process opened. Can someone verify? You can open it in SpeedFan, via the "S.M.A.R.T" tab, and then click on the "?" sign.

    Also, a couple of weeks ago we spoke about my Firefox "high CPU problem" inside the sandbox, I have now given it direct access to the whole profile folder, and so far it seems to have fixed the problem. So now I'm once again running both Firefox (and Opera 12) inside the sandbox, without any anti-exploit, but I will soon install the newest HMPA.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    I confirm, it doesn't run in a separate process, unsandboxed.
     
    Last edited: Mar 21, 2015
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    No, it isn't necessarily a bug. Without SBIE it also does not run as a separate process, so SBIE can't force it, that's why I don't get it.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Yes I figured it out a while ago but forgot to edit my previous post, lol.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I think runtimebroker.exe or dllhost.exe plays a role in this, but I haven't looked into it yet.

    I spoke too soon, but I already know what's causing it. The problem started after trying to clean my cache, FF was using 90 to 100% of CPU time, so I had to kill it, after restart it started again without any website open. I could fix it by deleting the cache folders inside the sandbox. So hopefully using CCleaner (inside the sandbox) will be a workaround.
     
    Last edited: Mar 22, 2015
  20. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Well it's false, although safe browsing practices can make a big difference and reduce the likelihood of a successful exploit. They just can't be relied on exclusively.

    Firstly, exploit kits are very capable of bypassing UAC. In my own testing years ago, I can't recall ever having UAC be a factor in preventing an infection post exploit.

    Secondly, as MrBrian pointed out, zero day vulnerabilities mean that any attack surface may be targeted: browser, browser plugin, and OS. While in practice most exploit kits have targeted long patched vulnerabilities, there are plenty of examples where this is not the case.

    Basic methods to stop exploit kits from running are script blocking (e.g. Noscript), exploit script detection (e.g. AV), Adblocking (to remove malvertising); IP and domain blocking (including Malware Domains in adblock); anti-exploit (EMET, MBAE, HMPA); disabling plugins or activating with a whitelist only.

    If an exploit is successful, then what happens next depends on security policies, HIPS, firewalls, AV/AM detections, or the strength of Sandboxie settings, etc. Remember that exploit kits like Angler reportedly run from memory, so restricting what information the Sandbox has access to is important. So too might setting a master password in the browser, but I need to look into that more to see how effective it really is in practice.
     
  21. 142395

    142395 Guest

Maybe I missed something, but isn't it normal behavior? When you open an HTML file via Firefox, do you expect iexplore.exe to be invoked?
    Oh, please don't wake a sleeping baby...

    Well, all currently known in-memory malware I'm aware of can be prevented by a strictly configured HIPS or sandbox, but theoretically there can be attacks which those solutions can do nothing about unless they mess with memory. I.e. after a successful exploit, just locate a flag which enforces same-origin policy (in Chrome, it's WebSecurityEnabled) and turn it off. Now you can send info via XHR without causing a sandbox or HIPS alert. I once thought it is hard as in recent versions those browsers encrypt all cookies as well as credentials in memory, but at least it can steal the current session cookie, and even if that was impossible, still an attacker can use HTML injection to steal user input, as most HIPS/sandboxes don't monitor it.
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
I didn't know that was so bad and that I have such a bad influence on people on this forum.
     
  23. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    957
    Location:
    usa
Due to some technical issues, I needed to re-install my Windows 7. Now, I cannot get Eraser working after I terminate all Sandboxie programs.
    My settings are: "Automatically delete contents of Sandboxie" (check-marked) and Delete Command - Eraser 6.
    Eraser does not start.
    When I open Sandboxie's folder, it has a new folder "_Delete...", but Eraser does not start.
    I even placed Eraser in the Sandboxie's program folder.
     
  24. 142395

    142395 Guest

I don't know if it's good or bad, I only know explaining things to you was exhausting for me.
    I experienced the same issue of the _Delete folder before but with the default setting; I don't know what the cause was, but after I manually added the RMDIR command it was fixed. Maybe better to ask in the SBIE forum.
     
  25. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    957
    Location:
    usa
    Yes, my RMDIR command is working without any issues. It's just not that "secure" deletion of Sandboxie's contents.

    On the other hand, now I can manually delete that "_Del...." directory with Privazer.
     