sandboxie v4 out Jan 10, 2013

Discussion in 'sandboxing & virtualization' started by soccerfan, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Would Sandboxie contain the Sinowal worm within the sandbox? There's a discussion in the inofficial Shadow Defender thread where SD does not protect the user against the worm through virtualization. Would this be the case with Sandboxie as well?
     
  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Excellent Question?

    +1

    Best regards,
     
  3. chris1341

    chris1341 Guest

    Sandboxie has protected from this malware in the past. I've seen several tests confirm it and my own experience is either Sinowal fails in the sandbox because I strip admin rights or with admin it just fails in the sandbox or simply doesn't start (perhaps because it is sandbox aware?)

    However this thing constantly morphs and changes so I don't know what the most recent variances do. I do know though that start/run restrictions should prevent it running inthe first place but if you let it out, well.......

    SBIE is more than virtualisation it is also restriction. I've yet to see or hear if an in the wild non-POC bypass.

    Cheers
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Yes, but what if I started it within a sandbox without Drop My Rights activated? Would it espace the sandbox just as it escaped the protection of SD? As you said, I'm also yet to see or hear if a wild variant bypasses Sandboxie. That's partially why I'm asking. :)
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've installed the lastest beta version (I skipped the first two), and all is going well.

    I checked Process Explorer and Sandboxie now makes process under its supervision to run with an Untrusted/AppContainer integrity level (Windows 7).

    That's cool. I really like what he's achieving! It actually made want to sandbox apps that I don't usually sandbox.

    So, even though Sandboxie breaks Internet Explorer Protected Mode, it actually makes both the broker process and renderer processes run as Untrusted/AppContainer (AppContainer appears after applying an AppLocker hotfix). :D

    I really like version 4!!!
     
  6. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    At this time no one really knows if the 'Backdoor Sinowal' trojan can be contained in the sandbox. Whatever you hear now is just speculation (until valid tests are conducted).

    TS
     
    Last edited: Mar 11, 2013
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thank you, your answer is much appreciated.

    I and I think the rest of the Wilders would like to know ASAP if Sandboxie is vulnerable. So far no malware ever has escaped Sandboxie when used correctly as far as I know. It'd be extremely interesting to know if this piece of malware evades Sandboxie as well... at the same time, I understand why no one would want to test on their own machines. I would if I only had a sample of the new variants. But as it is now, all the malware I'm getting (thousands a day) are mostly unclassified.
     
    Last edited: Mar 11, 2013
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    In a restricted sandbox, I have never seen anything that is not allowed to run, actually run even when Drop rights is disabled.

    Bo
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Exactly. But these new variants of Sinowal might pass Sandboxie. No one knows at the moment. I and certainly many others here at Wilders surely want to know.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,077
    Location:
    Canada
    What makes you feel Sinowal is any more of a threat to break out of the sandbox than other trojans? It seems to be a typical dropper that puts files in selected directories, some of them userspace, some of them protected. As long as they're sandboxed, why would they break out?

    BTW, running Sandboxie b4.01.03 in XP Pro. Very nice so far :thumb:
     
  11. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,239
    Location:
    USA
    Perhaps for the same reason it is able to break-out of SD's virtualized environment (Shadow Mode)?

    Cruise
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    By the way, I asked TestZabezpieczeń as well as someone else, to test SBIE against this malware. He said, he ll check it out soon. I guess, you ll have your wish.

    Look in the comments

    -http://www.youtube.com/watch?v=N-Cku8V4TiQ-

    Hi Cruise, there is no reason to believe that SBIE would not do as it has in the past when it gets tested. Take a look at this test, also done by TestZabezpieczeń in May of last year.

    -http://www.youtube.com/watch?v=U0bTvPLkIBw-

    Bo
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,077
    Location:
    Canada
    Well that's just it, I'm having a hard time finding anything conclusive in the SD thread with mixed test results in a VM with different combinations of host/guest O/S', with VM's not being the best test environment, and very fast playing, hard-to-follow youtube videos. Being pressed for time when I looked, maybe I missed a definitive result?
     
  14. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,239
    Location:
    USA
    Bo, I didn't intend to imply that SBIE would not contain Sinowal/TDL4, I just meant that we shouldn't assume anything until it is tested under the same conditions as the aforementioned tests (I don't see either Sinowal or TDL4 in the test you referenced above).

    Cruise
     
  15. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,239
    Location:
    USA
    If I understand you correctly, the SD Malware Test in question displays a very conclusive finding (readable in English) to the effect that SD v1.2.0.370 is unable to contain the Backdoor Sinowal trojan (the infection persisted after the system was restarted)!!! Furthermore, I didn't see anything to make me believe that this test was conducted in a VM. :doubt:

    Cruise
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,077
    Location:
    Canada
    Then could you kindly explain what VMWare was used for in the video? Testing using host/guest combos is mentioned several times as well in the SD thread, which is why I brought it up in the first place.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    Cruise:cool:, I know you didn't imply that SBIE would fail against Sinowal/TDL4. I believe SBIE would handle this malware just like it does any other file that's in the sandbox, I got no reason to believe differently.

    Bo
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Surely that is what most of us think as well. But the news of the trojan bypassing SDs' defense, albeit SDs' development was on a halt for two years, is disturbing.

    It's only natural to think that if it bypasses one similar security application, it could bypass another (in this case Sandboxie). As someone already mentioned, Sandboxie is also about restrictions while in a virtualized environment, so it's potentially stronger than SD.

    Be that as it may, I'd like to see some tests done! :)
     
  19. chris1341

    chris1341 Guest

  20. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Oh my, a couple of weeks ago I was shocked to learn of a rootkit that can bypass Shadow Defender! ...and now Sandboxie? :eek:

    Wendi
     
  21. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,239
    Location:
    USA
    Anyone running v4.01.03 with IE9 (W7)? I'm finding that IE will stop responding quite often (when running under SBIE v4.01.03). :(

    Cruise
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,077
    Location:
    Canada
    Last edited: Mar 18, 2013
  23. chris1341

    chris1341 Guest

  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    Great news. My issue in XP related to forced programs, according to Tzuk, its also fixed in version .04. Tonight, when I am in my XP, I ll try .04.

    By the way, other than the forced programs issue that I have in XP when Drop Rights is enabled, I also have a problem launching Excel and Word sandboxed. I have a couple of ideas to try tonight, if they work for me, I ll let you know what they are for you to try.

    Bo
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.