Sandboxie test with eicar file

Discussion in 'Prevx Releases' started by TonyW, Aug 9, 2009.

Thread Status:
Not open for further replies.
  1. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    This is just an experiment to discuss the testing of detection using Sandboxie to narrow down what is and what isn't happening so that I and maybe others can understand. This is with the eicar test file, but could be relevant to other files as discussed recently in relation to Spyblaster/Spyware Cease.

    I'm using Sandboxie 3.38. I created a sandbox called Software and downloaded the eicar test file then put it into that sandbox.

    If I right-click the Software folder, eicar is detected as one would expect. If I go into the folder and scan the eicar file itself, it's not detected, but extra items are created in that sandbox when the scan takes place.

    These are a Reghive and corresponding log and a user folder containing a csidb.csi file a few folders in. Even with those files/folders created, the eicar test file is not detected with Prevx. On reflection, this also occurred on my previous scans with Spyware Cease, but I didn't notice them as much because of so many other extra files.

    I'm just wondering if Prevx should be detecting further into the sandbox folder than it is. If this is not how it works, then the answer is to scan the sandbox folder anyway as we know it does detect that way assuming the cache is clear.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I suspect that not scanning the sandbox is a non-issue (being that Sandboxie does the job of protecting it anyway), but the creation of csidb.csi is an issue - could you see if Prevx itself is being sandboxed? csidb.csi is the scan database which is required to be in C:\ProgramData\PrevxCSI\ (or C:\Documents and Settings\All Users\Application Data\PrevxCSI).

    Also, it would be worth checking if these drivers/services are loaded:

    pxsec
    pxscan
    CSIScanner
     
  3. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    I re-created the above scenario with a Test sandbox just to be doubly sure, and added the eicar.com file in there. When I right-click scan on that file within the sandbox, the other files are added as per the screenshot:

    sboxtest.png

    None of the other files you mention are in there. Prevx does not alert.

    However, if I right-click the Test folder, I get a detection as evidenced here:

    scanrestest.png
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you run in a command prompt:

    sc query pxsec

    then

    sc query pxscan

    and then

    sc query csiscanner

    and let me know what it says? They should all say "RUNNING".
     
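    A small check for the service states asked for above, added here as an example and not part of the thread or of Prevx itself: it runs `sc query` for the three names given, parses the STATE line, and reports which component is not RUNNING. The sample outputs are constructed in the layout `sc query` prints, not captured from anyone's machine.

```python
import re
import subprocess
from typing import Dict, Optional

# Service names PrevxHelp asked to be checked in the thread.
PREVX_SERVICES = ("pxsec", "pxscan", "csiscanner")

# Matches the "STATE : 4  RUNNING" line that `sc query` prints.
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)

def parse_sc_state(sc_output: str) -> Optional[str]:
    """Return the state word ('RUNNING', 'STOPPED', ...) from `sc query`
    output, or None when no STATE line exists (service missing or query
    failed, e.g. the '[SC] OpenService FAILED 1060' message)."""
    m = STATE_RE.search(sc_output)
    return m.group(1) if m else None

def query_service(name: str) -> str:
    """Run `sc query <name>` and return its stdout; empty string if sc.exe
    is unavailable (non-Windows host) so the caller reports 'not found'."""
    try:
        proc = subprocess.run(["sc", "query", name], capture_output=True,
                              text=True, check=False)
        return proc.stdout
    except FileNotFoundError:
        return ""

def check_services(outputs: Dict[str, str]) -> Dict[str, bool]:
    """True for a service only when its parsed state is exactly RUNNING."""
    return {n: parse_sc_state(t) == "RUNNING" for n, t in outputs.items()}

# Constructed sample output in the real `sc query` layout (not captured
# from the poster's machine): two services running, one stopped.
SAMPLE_OUTPUTS = {
    "pxsec": ("SERVICE_NAME: pxsec\n"
              "        TYPE               : 1  KERNEL_DRIVER\n"
              "        STATE              : 4  RUNNING\n"),
    "pxscan": ("SERVICE_NAME: pxscan\n"
               "        TYPE               : 1  KERNEL_DRIVER\n"
               "        STATE              : 4  RUNNING\n"),
    "csiscanner": ("SERVICE_NAME: csiscanner\n"
                   "        TYPE               : 10  WIN32_OWN_PROCESS\n"
                   "        STATE              : 1  STOPPED\n"),
}

if __name__ == "__main__":
    live = check_services({n: query_service(n) for n in PREVX_SERVICES})
    for name, ok in live.items():
        print(f"{name}: {'RUNNING' if ok else 'NOT RUNNING or not found'}")
```

    Run it outside the sandbox first; if a name reports "not found" the query itself failed, which is a different problem from a stopped service.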
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    They're all running. That's what the status says anyway:

    cmdquery.png
     
  6. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Same for me here with one difference:

    If I try to right-click scan the eicar test file in the sandbox, Windows asks me if I want to execute the file?!
    If I click on "execute" nothing happens. The file is not executed, but not detected anyway.

    If I try to execute the test file in the sandbox by double-clicking it, Windows asks me if I want to execute the file. If I click "execute" Prevx detects and blocks it.

    The files RegHive.log and some other RegHive{123456-CLSID}.TM.blf are created.
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    I get that anyway, in or out of the sandbox; I think a .com file is considered to be an executable, so if the publisher is unknown, you should get that warning asking if you want to run it.
    I hadn't tried that, as I was concerned with scanning the file without executing it; I do agree though that Prevx alerts when double-clicking the file, and Windows throws up a 'cannot access device/path/file' message, certainly on XP anyway.
     
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, the Prevx blog entry A puzzle called SafeSys seems to suggest that sandbox approaches to security have limitations and flaws. Can you elaborate?

    Do these same considerations apply to virtual machines (e.g., VMware Workstation)?

    Thank you.
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    I suggest you go back and read it again; it does not refer to or mention anything to do with Sandboxie. It is referring to virtualization/rollback apps such as Returnil, Shadow Defender, Deep Freeze etc.

    If you read this:

    https://www.wilderssecurity.com/showthread.php?t=247937&highlight=safesys

    you will see that Sandboxie, DefenseWall and GeSWall, anti-executables etc were all able to contain this.

    PS: Not wishing to seem rude but if you wish to start one of your endless dialogues with Prevx Help please start a new thread and don't hi-jack this one.
    Thank you.
     
  10. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    I notice when I click a Sandbox and explore contents, I am unable to use Prevx to scan any folders, in a no-restriction-rule sandbox (access to internet for all/start run for all). No Prevx scanning instances appear and close in Task Manager.

    I added some extra rights to the box to see if any helped.

    Added Prevx.exe to: • Direct access file path • Full access file path, but still no go.

    If I open the eicar dos test inside the same no restriction sandbox Prevx doesn't alert me, OA is alerting the execution.

    Do you reckon it's worth seeing if Tzuk could fix it? It would seem to be more of a Sandboxie restriction.
     
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Dark Star 72, thank you for the clarification. (My bad.)
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I suspect there are a few issues here - OA alerting on the execution will most likely prevent Prevx from scanning the file, but based on everyone else's comments, I'm going to sit down with Sandboxie and our QA dept. today to see what's going on.

    I'll report back as soon as I get something definitive - thanks for all of the input! :)
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Before sitting down, make sure you prepare a strong Colombian coffee :D
     
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    So after drinking the Colombian coffee, what was the prognosis?
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We still have yet to investigate it - we will get to it ASAP, however :)
     