SBIE against ransomware

Discussion in 'sandboxing & virtualization' started by stvs, Jan 26, 2016.

  1. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    25
    Location:
    greece
    hi. if a compromised site with exploits hacks the sandboxed firefox to prepare a ransomware invasion ,will sbie protect the real system?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Yep, sure will. The ransomware will encrypt away, writing all the new files in the sandbox. Once the sandbox is deleted no problems left. I've tested it and it works.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Keep in mind that files inside the sandbox will all be encrypted, so you should always move or make a back up of the important files. Or even better, use a dedicated anti-ransomware app that stops ransomware from running even inside the sandbox.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Assuming every thing you do is in the sandbox nothing extra is needed. Ransomware will run, but your regular files will be untouched. Encrypted files will be contain in the sandbox and deleted when you exit assuming you set it that way.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,283
    Do you Direct Access > C:\Windows\CryptoGuard ....?
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054

    Actually I did.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,283
    so does CryptoGuard rollback in sandbox....or, Alert was silent....?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Not sure. I don't remember when testing what I did. Going to be trying something else, and may be able to tell you
     
  9. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,156
    Hi Pete
    can you ask you 2 questions ?
    1)
    do you think firefox or chrome update do they need sandboxie for exploits hacks ?

    2) may i know a good sandboxie configuration to use with firefox and chrome ?

    thanks
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Mantra

    First I don't at all use Chrome, so can't help you there.

    1. On any updates to firefox or addons they have to be outside of Sandboxie. Also any software you update would have to be done out side of SandboxieOther than that I do all in Sandboxie.

    2, Basically I force only sandboxie, but I allow everything I need to do in Sandboxie. I also give it internet access if it needs it. Only file direct access I allow is the windows/cryptoguard for HMPA. Some full access for ERP and HMPA as required. I block access to all my data folders. Does this help?

    Pete
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Hi Mantra, I think the best Sandboxie configuration is the one in which you achieve a perfect balance between usability and security. Thats what I recommend you try doing. Thats the goal I try to achieve whenever I create a new sandbox. So, I restrict the programs that can run and connect to the internet as much as possible but allow all and anything that is required to make each sandbox comfortable. In my case use, I dont give up usability for security. By doing what I just wrote, I am always able to do what I need to do and hardly ever get any Sandboxie messages of any kind. All my programs that I run sandboxed pretty much feel exactly the same as if I was not running them sandboxed. Thats a great feeling and the feeling I get by using balanced sandboxes.

    Try to do what I just wrote for your browsers. I don't use Chrome but same principle applies to Chrome and Firefox. Firefox is my everyday browser. In my W7, I have one dedicated Firefox sandbox and there is another one in which sometimes I run Firefox. But in my XP, I have three dedicated Firefox sandboxes. And there is a fourth one in which sometimes I run Firefox. Which sandbox I use to run Firefox it depends on what I am doing. Each of those Firefox sandboxes is restricted differently and I created them for different purposes. All of them are very secure and I feel very comfortable using any of them.

    Drop rights. Try using Drop rights whenever you can. Using that setting keeps programs from installing in the sandbox. So, if you are browsing using a non restricted Start Run sandbox and a page you visit starts downloading malware and the malware tries to install something., that setting alone will keep the malware from installing in the sandbox.. So, is a good setting to use whenever you can. In some computers that setting and Chrome don't get along too well. So, see what happens. If Drop rights conflicts in your PC, don't use it. If it doesn't conflict in your PC, use it.

    Like Peter said, blocking sandboxed programs from having access to your personal files and folders is a great idea. Do it so programs running in the sandbox can not steal your sensitive data.

    Bo
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Mantra, I think Pete meant, that he only forces the browser. That really is the only exe you need to force to run your browser automatically sandboxed, firefox.exe for Firefox and chrome.exe for Chrome. And then allow in Start Run restrictions, the exes for programs that you regularly use when you run the browser. Let me give you a quick example. If you use webmail and you get DOC files all the time and you use Word to open this files, then allow winword.exe in Start Run restrictions so you can open DOC files in your browser sandbox.

    Bo
     
  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,156
    hi Pete
    thanks
    for me firefox is my favorite browser
    seeing you run firefox always inside sandboxie , You lost bookmarks , passwords and other stuffs while you run firefox sandboxie.... right?
     
  14. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,156
    Hi Bo
    i know, i run firefox and chrome under sandboxie w10 and w7 64bit both, but hearing about
    , i want to most strong configuration


    i agree 100%

    thanks Bo
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Mantra, ransomware? thats nothing for Sandboxie. Yesterday, in this thread, Pete described exactly what would happen if you encounter ransomware while browsing using a non restricted sandbox. On the other hand, if you restrict your browser sandbox so only a few programs can run, I doubt the malware would run. If you use a restricted sandbox, the compromised site might download the malware into the sandbox but thats all. The malware is just gonna lay there in the sandbox and do nothing.

    For your Firefox sandbox, allow firefox.exe and also allow the rest of programs that you normally use in an everyday basis when you run Firefox. This Start Run restrictions are beautiful, they are designed in a way in which only programs that are installed out of the sandbox can run. In other words, if you allow firefox.exe to run, and the compromised site downloads malware that uses the name firefox,.exe, it wont run, it wont be allowed to run. And dont forget, use Drop rights if you can.

    Bo
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Bo was right, I meant I only force Firefox. Sometime brain and fingers get out of sync. Mantra what I do about bookmarks when in Sandbox is cut and paste them to a file. Then later I'll open FF unsandboxed and add them all.

    Pete
     
  17. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,156
    hi
    thanks to both of you
    i have created 3 sandoboxies , for firefox and chrome , the third is very restricted

    thanks
     
  18. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    70
    Sandboxie is really good at containing Ransomware out of the box and as noted can be configured to be even more restrictive. For balance though I think it is good to point out that there are settings that if inappropriately used can weaken that protection.

    Direct Access to files and folders from inside the sandbox can be convenient for those who want to upload or save things directly to their docs, pictures, video etc folders without quick recovery etc kicking in. It is important to realise though that if you give Direct Access without restricting what can be run or what has the Direct Access then Ransomware can get access to the real system without SBIE protections.

    You can of course give read-only access to folders that still allow you to navigate to and upload files but not download to that location or change the contents (thus nullifying the Ransomware), give Direct Access only to one programme or group of programmes and/or use start/run restrictions to plug any gaps in your Direct Access rules if you must use them.

    The granularity of configuration is the reason I've used SBIE for more than 10 years but, as with all granular products, lack of care in the set-up can l make you less rather than more secure.

    So I guess my answer to the OP would be yes it does but only if you haven't opened holes for the Ransomware to escape through.

    Not an issue for those who just use 'out of the box' with a few customisations but for the constant tweakers and tinkerers like me you need to consider Ransomware and what it can do when building your config.

    Cheers
     
  19. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,156
    good point

    what do you mean with granular?

    thanks Elwe Singollo
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    I think by granular, Elwe is saying that Sandboxie has a large amount of settings. He is also saying that some of this settings, if misused, a user can open holes in Sandboxie that could be used by something like ransomware to have access to files outside the sandbox.

    We have to be careful when we make changes in Sandbox settings, thats the bottom line, we have to know what we are doing when we change something in Sandbox settings. With default settings, ransomware can not touch files and folders outside the sandbox. But as an example, if someone for convenience, allows direct file access to his Downloads folders to bypass sandboxing/eliminate the recovery function and is not careful to make sure only the browser exe is allowed this access, then if he gets hit by ransomware, the malware would also have access to this folder.

    This potential issue is taking care of by not allowing direct file access to any folder or file outside the sandbox (default settings). Myself, I dont allow access to any folder or file outside the sandbox. Or, if you do, then only allow specific exes to have this access. Using Start Run restrictions also takes care of this.

    Bo
     
  21. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    70
    Hi Bo, long time no speak. I was chris1341 last time I was here. Can't seem to reactivate that one though so started again.

    mantra Bo is right as usual. You can have very finely tuned rules for start/run, internet access, full, direct, read-only, blocked file actions and more. For each of those rules you can have per application, per group of applications, everything except specific applications and combos of all that. Brilliant for me but a mistake in there can cause issues.

    Not a problem for most but worth considering I think.

    Cheers
     
  22. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,156
    hi Bo
    thanks Bo always very kind !

    about
    hope the ransomware coders won't find out how by pass sandbox protection
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    To me is like you never been away, I read and I am always in the lookout for your posts at the Sandboxie forum but it is great that you decided to come back here :). This forum is richer today. Your posts on SBIE are loaded with quality, I learn something about SBIE whenever I read them.

    Bo
     
  24. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    70
    I would PM if I could but as 'newbie' I'm not allowed (I guess 7 years as a member is not enough:D).

    Thank you my friend, I look forward to fighting the good fight with you again.

    Cheers
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Like I said, people might sometimes store files in the sandbox, those files will all be encrypted. Of course, files outside the sandbox are always safe. So combining anti-exe or anti-exploit with SBIE is the best thng you could do, because ransomware is mostly delivered via exploits. If you execute ransomware yourself, then behavior based anti-ransomware will do the trick.

    Good point, I forgot to mention this.
     
Loading...
Similar Threads
  1. syrinx
    Replies:
    44
    Views:
    2,522