Would sandboxie save an unpatched system?

Discussion in 'sandboxing & virtualization' started by SpongeGuard, Sep 19, 2010.

Thread Status:
Not open for further replies.
  1. SpongeGuard

    SpongeGuard Registered Member

    Joined:
    Sep 16, 2010
    Posts:
    22
    The reason I ask is, last night after reinstalling Win7 on my secondary hard drive, I checked for updates. It found 4, so I figured "what the hell, might've downloaded them while installing."
    I installed Firefox + NoScript + Adblock, and Sandboxie. Then, two hours later, Win7 prompted me to update. I checked how many updates - 42.
    So basically, I was browsing on an unpatched system. I wasn't doing any suspicious browsing, just gamefaqs/youtube/gmail.

    So.. should I worry at all, or did I likely get off unharmed?
     
  2. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    You're fine, relax.

    The main thing is, you realized you had updates available and got them installed. Have fun and use your computer!
     
  3. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,122
    Location:
    Pennsylvania.
    You're ok :) Just stay away from dodgy sites when unpatched.
     
  4. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    If you know how to set up Sandboxie, it's entirely possible to surf anywhere at any time unpatched. Been there, did that, never had an issue.

    Too many people on this forum never totally understand the software they're using.
     
  5. SpongeGuard

    SpongeGuard Registered Member

    Joined:
    Sep 16, 2010
    Posts:
    22
    I've been using Sandboxie for years, so I'm pretty sure I know most of the recommended security settings. Only problem is, I'm using Win7 x64, so there's really no 100% secure setting for sandboxie.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It's about as good as you're going to get. There is no 100% secure for anything, at all, never. I'd sure as hell rather be inside Sandboxie with an unpatched system than any other security method mentioned around here.
     
  7. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    First off, to answer the OP's question; running Sandboxie on an unpatched system is a great way to still protect it from drive-bys. However, this is up to the point where there are no vulnerabilities in the OS at the kernel level; if there is one -- you are DONE. Literally no security solution can save you from an exploit at the kernel level. (I don't know if using VirtualBox in that case can keep one safe - maybe someone can clarify this?)

    Sponge, I have requested on numerous occasions for enthusiasts to test out malware on Sandboxie's x64 edition so we can know where we stand in terms of protection level. I would advise you to utilize all the settings provided to the max on x64, including start/run restrictions and firewall options. Also use a non-default browser and you should be safe when surfing into the minefield. On the Sandboxie forum, a suggestion has been posted for Tzuk to utilize the TDL3 MBR techniques to get his driver to load with the full protections of an x86 system with no problems from PatchGuard. Unfortunately he is not willing to give it a spin, fearing that Sandboxie might be blacklisted for utilizing rootkit-esque low-level mods of the system.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Serapis

    Is there a place that contains the results of SBIE x64? I am curious to see what issues there might be. Not theories, but actual proven issues.

    Also, if an unpatched system were running SBIE, and the browser was forced to start in SBIE since install, what harm could be done to the system? Not the virtual system in the sandbox, but the real system?

    I think it should go without saying that if you browse with SBIE, and you get exploited, the contents of the sandbox cannot be trusted. So those who never delete the contents of their sandboxes stand the most chance of issues.

    What do you think would happen on an unpatched system if the sandbox were deleted every time. Would it change your opinion?

    Sul.
     
  9. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It seems to me that it's mainly been Tzuk warning about reduced functionality on 64bit systems rather than actual examples of bypasses.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    No, there's still a good fallback solution: Having a recent backup image of the OS.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've been following this thread since I'm always interested in different types of protection for the average home user.

    While Sandboxie is certainly a very robust product, looking at the 16 steps in those recommendations, I can't see the average user without some expertise being able to fully understand what she/he is doing, such as #16 about renaming cmd.exe and changing the Delete Command.

    As far as the WMF exploit, that (and any remote code execution exploit) is so easily blocked with any simple anti-execution program which automatically creates a White List and requires no configuration on the part of the user, as I showed five years ago:

    http://www.urs2.net/rsj/computing/tests/wmf_zeroday

    regards,

    -rich
     
  13. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Hi Sully, I believe that a sandboxie forum member has decided to take on this task. I too am eagerly anticipating the outcome and will post the results when he gets back to us.

    What I mean in the last post is indeed, yes, running an unpatched system will get the real system compromised rather than just the virtual environment in some cases. One major one that convinced me to always keep Windows updated was the EOT font exploit, where accessing a specifically crafted webpage that had some specific compressed font (!:argh: ) type (even sandboxed) can cause a kernel level driver to BSOD and even execute drive-by code. wraithdu tested the POC from milw0rm and confirmed that the code has carte blanche to the kernel unhindered. What is scary about this example is that even having LUA and start/run enabled can't do a thing to stop this, as no exe is downloaded in the first place. Opening a webpage is the equivalent of running the exe!! This is a serious flaw which has since been fixed, but still a great example of why patching is necessary. I used to think MS updates are stupid and time consuming when surfing with Sandboxie, but this has opened my eyes to the contrary state of reality.

    Deleting a sandbox does nothing by then - aka too late, if you get the drift of what I am saying...
     
  14. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Hi Rich,
    I am interested in any specific anti-executables you can recommend. Free solutions are my top pick. How do you think Sandboxie's start/run compares to other robust AE solutions? I am aware that it won't be system wide, but that's really no problem as I am concerned about the browser threat gate.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Or, you could simply tell your browser not to allow iframes. And, a great way of doing it, is of course, having multiple browser profiles for different sort of tasks.

    But, just like what you mentioned, it isn't something, though easier, that the Joe/Jane would be willing to have the hassle to deal with.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I haven't kept up with the many new products, and I don't know of any free solutions, unless the free Returnil includes anti-execution protection.

    You might post your question in the other antimalware software forum.

    Peter2150 has tested remote code execution exploits for me, and nothing gets by. He uses it in his office but he configures it on the computers (I assume) so that the office workers don't have to do that.

    ----
    rich
     
  17. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    Hardly a scientific test, but in my experience I say "yes";
    at least as much as anything else could do.

    I'm using XP Home SP-2 which has had no MS updates since July.
    No patches, no hotfixes, ...nothing...,
    not even the Malicious Software Removal Tool.
    I use the XP firewall.
    My web browser is Internet Explorer 7.

    With WinPatrol Plus and the free versions of Sandboxie, Keyscrambler, Malwarebytes, and Adblocker, no known infections.
    Yesterday, I installed Sunbelt's ClearCloud and have confirmed I had over the past months visited on numerous occasions websites that were now being blocked by ClearCloud, so I have no doubt my computer has been exposed to malware.

    It's my belief that Sandboxie has contained all of it because it's been months since Malwarebytes has found anything and I'm experiencing nothing that would indicate the presence of malware.
    Prior to wiping the drive and installing a new image, I always install and scan with at least two top-notch antivirus applications such as Avira, Emsisoft, Avast, Eset, Norton, etc.
    I have also used Prevx, and in every case, absolutely nothing was detected in either the normal or safe mode scans.
    If malware does indeed exist on my computer it's undetectable by the above, so if it is there, I'm pretty much powerless to remove it or even be aware of the infection.
    -Based on the above, I see no need to use a resident antivirus.

    As I stated in the opening, not a scientific test by any means, but real-world for sure.
     
  18. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    I understand that Sandboxie, as simple as it is, can be made user friendly, and the setups by SSJ are for the paranoid users like me. ;)

    For the home user, I would recommend a user friendly Imaging software, a system wide sandboxing or lite virtualizing software-AE combo and/or any decent anti-malware scanner.
     
  19. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Did he test this also in 32bit Windows? After the BSODs, did the writes to the real system occur, or was the sandboxing bypassed? For me, as long as malware code is not written outside of the sandbox, no matter the inconvenience of any BSOD, that is not a bypass. Would really like to get hold of that POC. Pls send by PM. TIA
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040

    Yes indeed. It's configured so the browsers and Outlook are all sandboxed. The two girls that use my computers understand it's there, and also understand should they need to download something what the risks are and how to do it.
     
  21. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Yes, the POC was in fact tested on a 32bit OS. If the malware author wanted to inject code via this exploit it would have worked successfully; however, as this is only a POC, no real harm was done. It was only intended to induce a deliberate BSOD on the system. (Just so that you know, no sandboxed program in theory is permitted to shut down or crash Windows -- this is a bypass by all means, but not the fault of Tzuk as it's a kernel level vulnerability, aka Microsoft's fault.)
     
  22. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    Referring back to the question that started this thread;

    I know absolutely nothing about computer forensics or test methodology.
    My earlier post related my personal experience with Sandboxie in what would be described as a hostile environment.

    To pursue this even further, I installed an XP Home/SP-2 image created January 19 of this year.
    The chosen browser was IE 7.

    Running this install unpatched since 01-19-2010 and using only Sandboxie free edition version 3.46, Keyscrambler free edition, SimpleAdblock free edition, Malwarebytes free edition (on-demand only), and WinPatrol Plus, I have surfed the internet for four days during which I also downloaded several files and software applications, sent and read e-mail, and posted in several forums.
    After each session on the internet, I emptied the sandbox and ran CCleaner.

    At the end of this four day exercise I downloaded several top-tier security applications and scanned for malware. Even after this severe test no malware has been detected by MBAM 1.46, Prevx 3.0, Emsisoft Antimalware version 5.0.0.68, or Avira 10.0.0.567.

    So what does this prove ?
    Nothing, really, except my best effort to detect malware in my computer following slightly over 97 hours of exposure to websites of every description (including xxx chat rooms and Warez) with an install having numerous known vulnerabilities has led me to conclude that if any is there, it's very well hidden.

    So what should be the threshold of and for proof as to Sandboxie's effectiveness ?
    Perhaps, had I scanned with Norton or Avast or Kaspersky or G Data or Eset or.... I would have discovered something, but I really doubt it.
    I believe that what I used is equivalent in detection capability to anything else out there.

    No, I don't recommend making what I did a practice, but in answer to the original post, I believe in Sandboxie even more now that I've relied on it so heavily during this "stress test".

    To the best of my knowledge, it protected a severely unpatched system with other vulnerabilities as well.
    I can't ask for more.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think it's just an assumption that needs proof. If it was possible, why did the author not write such an exploit? A POC with a malicious action would have been more meaningful than a POC just crashing the system. And if such a POC was possible, most probably SBIE will contain it. Crashing a system is different from code execution.
    This is not a bypass. Sandboxie or any other security software can't prevent a system crash due to an OS vulnerability. It's never a goal of any security software.
     
  24. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Kernel level vulnerabilities are known to bypass (yes, I said it again) security on a machine protected by any security software. These words have been uttered by Tzuk himself before. This is not a baseless fanboy argument; I hardly feel the urge to write here unless I am sharing very accurate information meant to put questions and assumptions to rest. If you don't believe what I've written, ask the man himself on the Sandboxie forums.
     