SBIE against ransomware

Discussion in 'sandboxing & virtualization' started by stvs, Jan 26, 2016.

  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    Some time back, maybe two or three years ago, I remember you saying that you had a license but lost it or doesn't work anymore. Anyway, you did temporarily open your PM so I was able to send you the test license. I think if for nothing else, you should test to see how the mail client interacts with SBIE so you get a good feeling how it works in the sandbox.

    You really dont need a license to protect your mail client with SBIE but with the license, you can force the mail client exe and after creating a dedicated sandbox for the client, you can restrict the programs that run in the sandbox to only the ones you regularly use when you send and receive mails. An an example, you can allow the clients exes, Chrome, perhaps your PDF reader, Word, etc. You could also forbid most programs from having access to the internet. Other than allowing Chrome and the client exe, all other programs can be forbidden You could also tick Drop rights, that setting alone would stop most malware if allowed to run, from installing in the sandbox. A sandbox like this, is really tight and at the same time, still very comfortable to use.

    Bo
     
  2. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    34
    Location:
    greece
    now another question :i have start-run-internet access only the sandboxed firefox.exe then it gets exploited from a bad site and infected from ransomware.
    but now the original sandboxed firefox.exe its tampered and the hash md5 or sha1 will change,iam curious if the sandbox can see from hash that change to stop run the infected firefox.exe or not.if not then any malware with the name firefox.exe will be able to start run with interent access.
    its very important to know if the start run internet restrictions of sbie are depented by hash or by filenames only.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    And infected firefox.exe that gets downloaded into the sandbox when you visit an infected site would not be allowed to run in an Start Run restricted sandbox where only firefox.exe is allowed to run. This is so because when you Start Run restrict your sandbox, only programs that are installed outside the sandbox will be allowed to run. Nice, aint it? :)

    Bo
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,300
    Location:
    Canada
    I think, please correct me if wrong, stvs is asking if the original firefox.exe, which is already allowed start-run-internet access, is exploited, then will it still be allowed to run?
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,985
    Location:
    Nicaragua
    Hi Wat, if the exploit runs free in the sandbox, it might infect the sandboxed Firefox. If that happens, the infection is gone when the sandbox is deleted.

    But I think if someone is running Firefox in a sandbox, like stvs, where only firefox.exe is allowed to run, its got to be very hard for the infection to take place, even within the sandbox.

    Bo
     
    Last edited: Feb 8, 2016
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,300
    Location:
    Canada
    Yeah, I guess it comes down to exactly how the browser or an extension is exploited. This Chrome exploit from the renowned Pinkie Pie might work in a sandboxie session, but of course this is way beyond my realm of understanding so I really don't know for sure. I'm guessing either the sandbox creates more attack surface for the exploit attempt (we know this topic has been discussed to death :D ) or it will present another obstacle for the exploit attempt, as it's a sandboxed browser running within a sandbox.

    Sorry I don't mean to veer of topic since this is specifically about SBIE against ransomeware.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,542
    Location:
    The Netherlands
    If you read the discussion you would already know that the payload would be contained by SBIE, unless it was designed to attack SBIE, but most of the time hackers will use a second kernel exploit for this. So in other words, this is a perfect example why it does make sense to run Chrome under SBIE's protection. You can't compare it with running 2 AV's at the same time, like some did.
     
    Last edited: Feb 9, 2016
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,973
    Location:
    Mexico
    :thumb: +1
     
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Not unless you use Chrome configured with MemProtect, AppContainer feature and ACL deny execute on download folder it is even tighter and more secure than even if you use Chrome with properly and tightly configured Sandboxie:
    https://www.wilderssecurity.com/threads/chrome-sandboxed.377440/page-26#post-2571804
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.