SBIE against ransomware

Discussion in 'sandboxing & virtualization' started by stvs, Jan 26, 2016.

  1. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    703
    Location:
    North America
    I asked this question at the Sandboxie forum.

    Re: MBARW(compatibility)
    http://forums.sandboxie.com/phpBB3/styles/prosilver/imageset/icon_post_target.gifby w0lfrun » Mon Feb 01, 2016 7:23 pm

    @Curt and Craig. Do we actually need an "anti-ransomware" program to be running within Sandboxie to be protected from ransomware? Will Sandboxie on it's own be enough, for protection against ransomware. And if so, what settings are best recommended in Sandboxie to prevent such. There is much discussion over at Wilders about this and I think we best hear from the tech experts themselves here to put this discussion to rest.

    The answer was replied here. http://forums.sandboxie.com/phpBB3/viewtopic.php?f=17&t=22423&start=15

    Pretty much the same as what Peter is stating.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    They can be accessed multiple ways, whether it's integrated with Windows explorer, FTP, or even a website. Malware can infect it all, as long as they have your password or simply access to the cloud folder.

    Unless you set the proper restrictions or access rights, SBIE wouldn't make much of a difference unless they're the type to shut down when virtualized to escape detection.
     
    Last edited: Feb 2, 2016
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    But again if the ransomeware is running in Sandboxie, it may be able to access your data, but the encrypted files will remain in the sandbox. This is the key thing.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Have you forgotten the main point, which is online server or cloud? I don't see how it can be any less clear.

    You get infected within the sandbox. They steal your password or access your Dropbox folder. Then they infect your online files.

    Without restrictions or access blocking, those files are in danger. Simple as that.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,907
    Location:
    .
    You guys should up a video demonstrating your point... and your SBIE settings for that matter of course.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    I don't get it, what is supposed to happen? I did do another much simpler test, I deleted and renamed files inside the c:\Sandbox via the browser. As expected, the files were modified. Then I did the same with files outside c:\Sandbox. And as expected, the real files were not modified, they were only modified in the specific sandbox. So I hope it's now clear that ransomware will be able to touch files inside c:\Sandbox, and they will be lost.

    What about child processes of the browser? Will they also be denied access to the desktop?
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    Yes, you ll get an access denied to the Desktop type of message. Look at the picture.

    Sin título.jpg


    Bottom line about that, Rasheed. Overtime, you should not keep sensitive files inside the sandbox. Doing that is a bad idea. Not only you might lose them but they can be accessed by anything running in the sandbox. If you download something that's important, save it, and forget about it.

    I don't use direct access to any download folder and usually I delete all my sandboxes when I finish using them. It is rare for me to keep contents in a sandbox over night. I avoid doing that. I usually download files and then in the next few minutes or maybe an hour, before deleting the sandbox, I manually recover whatever I am going to recover.

    Bo
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I had enough of this stuff. With an once of common sense Sandboxie will protect me from Ransomware. Yes I am sure you can find some scenario where it might not. So be it.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    OK cool, because normally ransomware will run as child process of the browser, after it has been exploited.

    Yes, but that's what I'm trying to explain to Peter2150, he seems to think that files inside the sandbox are safe from modification, while they are not. Once in a week I do move all files to the real system. But it's highly unlikely that malware will be able to run inside the sandbox because of my combo of SBIE + anti-exploit. I also don't run any untrusted apps manually inside my dedicated browser sandbox.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    It's a quite common scenario, I'm sure that a lot of people download files into the sandbox (via the browser) without instantly moving them to the real system. So that's why people need to be aware of this.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well if they do this they are being foolish. SBIE is there to protect the system, so nothing should be left in the sandbox after the browsing session. It's kind of like locking your house when you leave.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    I agree, Pete. Sandboxie gives us the settings to make the sandbox as tight or loose as we want it. Is up to us on what we do with them. To me personally, whatever happens inside the sandbox doesn't mean anything. My only concern is with files that I recover, specially the ones that I am going to run unsandboxed (if any, cause this is very rare for me).

    Bo
     
  13. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I use a Ram Disc for my SBIE container so Direct Access is good for me but I cut down the potential for escapes by using start/run restrictions and limiting the direct access to either a single app or a process group of trusted apps (using OpenFilePath=trustedapp, type settings) and cutting off access to others through the ClosedFilePath=!trustedapp,) type settings).

    Any folders I allow direct access to are forced to run sandboxed. The settings for those are very tight - limited start/run, no internet access, no access to data partition, no quick or instant recovery etc. That way you can get a look at them before they go onto the real system comfortable they are completely contained meantime.

    This thread has been more interesting than I thought it would be but it only proves to me how flexible SBIE is with multiple ways to cut off ransomware before it does damage. Default settings are is fine for the bog standard drop a file in appdata or wherever an execute approach some ransomware uses but you can still use additional settings to cover any variances you need for your own personal convenience or requirements or cover off more sophisticated attack approaches.

    Win/win really.

    Cheers.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    In my personal opinion, ransomware has no chance in my computers. Its not even fair to the ransomware. If I go to a site and the site downloads that kind of malware, it wont run, I wont even know that I was in a close encounter. If I recover an attachment infected with ransonware, it would work the same. If the attachment is an Office file, the file is gonna run in a sandbox where only Office exes are allowed to run. Like you, Elwe, they ll run in a sandbox with no internet access in which sandboxed programs dont have access to personal files and folders. With other programs like video players or PDF readers, I do the same, I use a dedicated sandbox and tailor it according to the program or the purpose for creating the sandbox.

    Bo
     
    Last edited: Feb 2, 2016
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Totally with you guys. But to go back to JL and Rasheeds points. And this is just me expressing my approach. Most of the local people that I know that use Sandboxie, use it because I recommend it to them. I also help them set it up and how to use it. I teach them how Sandboxie empties the sandbox on exit and how to know where to put there files. Then it's up to them. They can chose to do what they want, but if they get into trouble the problem is theirs. I just can't waste my time on speculating how doing this or that might be a risk. I just know and teach folks what to do to make it work.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    About friends and family who are using Sandboxie. None and I mean none of my friends are using a restricted sandbox. All of them use a default settings sandbox in which the only changes I made for them are the ones related to saving files out of the sandbox, saving bookmarks and setting the sandbox to delete on closing automatically. All are using MSE or Windows defender and none gets infected anymore. Note: I believe none of them know that there is a section in the GUI that is called Sandbox settings :D. ....thats the power of the default settings sandbox.

    The default settings sandbox is a beauty, sometimes misunderstood and seen as being weak by some here, like our good friend J L, but the reality is that it is well balanced (security and convenience) and was created by Tzuk with first time users in mind.

    Bo
     
  17. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    703
    Location:
    North America
    I have a setup pretty much the same as Bo. I don't use direct access at all. My download folder is a forced folder and use quick recovery to it. Will try to run the download while in the forced folder with Sandboxie explorer and scan with MBAM and Hitman pro. If clean will go on to real system. I also use quick recovery for ublock.squlite to extension-data folder and not direct access. If no changes, just delete the sandbox. If an update, quick recover then click move and replace. Anyway, after 5 years of using Sandboxie and no problems thats good enough for me. Ransonware be damned.
     
    Last edited: Feb 2, 2016
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't actually find it weak, just imperfect and not the holy grail as some would describe it. Anything can be hardened IMO.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    That's nonsense, there is nothing wrong with storing files inside the sandbox, as long as you're confident that malware won't be able to run in the virtual container. That's why I always advise to combine SBIE with some form of HIPS.

    And besides, it's not about you or me, it's about answering the question. So yes, SBIE does protect against ransomware, but keep in mind that files inside the sandbox and folders with direct/full access are still at risk. So either harden SBIE settings, or combine it with HIPS.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The whole problem with your argument is what I outlined above. Leave the files in the sandbox and if you are wrong, so sad. Move them out and they are safe period.

    I'll say it again and I think Bo agrees with me. DON'T LEAVE FILES in THE SANDBOX. You can chose to disagree and do so, but if you lose something.....
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    Well, I can't argue with that, of course it's a smart to move files to the real system, but I'm just saying that if people choose not to do so, it's not automatically foolish. Because as long as you know what you're doing there is hardly any risk. But that isn't even what this misunderstanding was about.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    I agree about sensitive files. We shouldn't leave them inside a sandbox and then use the sandbox for regular browsing. When we do sensitive browsing or download something personal/business that's important, we should do it in a fresh browsing session, and delete the sandbox when we finish, before going back to regular browsing.

    Bo
     
  23. @bo_elam @Rasheed187

    I thought you once posted that you had different sandboxes for everything and kept a sandbox for your mail in which you kept your mail.

    So the idea of Rasheed is not as akward as you (Peter and Bo) suggest (keeping mails for ever in a seperate sandbox).

    To be honest at the time of DefenseWall and GeSwall I allways kept my mail as untrusted, so I never changed them from untrusted to trusted.

    Regards Kees
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I also use separate Sandboxes for the different things I might Sandbox, but I still don 't see any need to keep things in the sandbox. I feel safer with the concept that when I exit the program, everything in the sandbox starts fresh.
     
  25. @Peter2150

    On a second thought GeSWall, DefenseWall are policy based sandboxes. With policy sandboxes this may be different because they are seamlessly integrated in the real system. You use AppGuard as a policy sandbox (running vulnarable/threat gate programs in a LUA-box with a default deny execute in user space), backed up with an anti-executable, so with two layers behind sandboxie there is little need for keeping anything in SBIE's sandbox.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.