
help with sandboxie.


11 replies to this topic

#1 bigrobifer

  • Members
  • 92 posts

Posted 24 June 2014 - 12:37 PM

Just a few questions that I couldn't find an answer for in the documentation. 

Does Sandboxie actually work if you open a zip file containing a virus, just as one example? I guess it might be better stated: will it work if you allow admin privileges to a corrupted program?

Second, can I run the entire user profile in a sandbox for protection against the above reasons? And third, is the Microsoft version of sandbox better at what it does, because it would seem to be able to integrate better?

Thanks for your replies. I'm actually considering running my user profile in a sandbox, or possibly my entire drive, or the entire drive minus the operating system components. (That could be another topic for later, because I have no idea how to even start to do that one.)





#2 Guest_Kaosu_*

  • Guests

Posted 28 June 2014 - 02:21 AM

> Just a few questions that I couldn't find an answer for in the documentation.
>
> Does Sandboxie actually work if you open a zip file containing a virus, just as one example? I guess it might be better stated: will it work if you allow admin privileges to a corrupted program?
>
> Second, can I run the entire user profile in a sandbox for protection against the above reasons? And third, is the Microsoft version of sandbox better at what it does, because it would seem to be able to integrate better?
>
> Thanks for your replies. I'm actually considering running my user profile in a sandbox, or possibly my entire drive, or the entire drive minus the operating system components. (That could be another topic for later, because I have no idea how to even start to do that one.)

 

> Does Sandboxie actually work if you open a zip file containing a virus?

All programs opened with Sandboxie will remain isolated from the system unless the malware targets a specific vulnerability within Sandboxie that allows it to escape the sandbox. An application being run in Sandboxie with administrative rights shouldn't be any different. However, allowing these isolated programs to have administrative rights can come with its own set of problems. I strongly recommend configuring Sandboxie to drop the rights of all programs that it runs. Not only will dropping the program's rights afford you better security, but it will also allow Sandboxie to do its job more effectively.

Open Sandboxie's control center -> Right-click on your sandbox -> Click "Sandbox Settings" -> Expand "Restrictions" -> Select "Drop Rights" -> Enable the checkbox

> Second, can I run the entire user profile in a sandbox for protection against the above reasons?

This is not a job that is suitable for Sandboxie. Here is a list of reputable software that is more on a par with what you're looking for:

Deep Freeze is used by a lot of schools in North America to prevent students from infecting the machines and making unwanted changes. Once you reboot a computer that is using Deep Freeze, it will automatically restore itself from a system image. This image can be easily updated to make persistent changes if you know the correct password, so you are still able to update the operating system and things like that. However, unwanted changes or malware are instantly removed after a simple reboot. I have deployed this software before at a local school and I absolutely loved it.

 

Clean Slate works about the same as Deep Freeze. I have not personally used Clean Slate, so I can't comment on its effectiveness. It seems pretty popular with Internet cafe operators, so it is worth checking out.

 

> And third, is the Microsoft version of sandbox better at what it does?

Windows SteadyState has been discontinued since 2010. It isn't even compatible with Windows 7 and beyond, so this isn't anything you need to worry about.


Edited by Kaosu, 28 June 2014 - 02:29 AM.


#3 bigrobifer

  • Topic Starter
  • Members
  • 92 posts

Posted 28 June 2014 - 11:41 AM

Thanks for the explanation and the other options you pointed out. When I was talking about the Microsoft version I had in mind the virtual box. I went back and read the description and I see it's more of an OS emulator than a sandbox. I might still do that, you know, have a virtualized OS and run everything from inside that and still use Deep Freeze or a sandbox to mess around in. It seems like that would be 3 extra layers a bug would have to get through. I'm dealing with a backdoor right now and I swear I've never been so paranoid in my life lol.



#4 Guest_Kaosu_*

  • Guests

Posted 28 June 2014 - 03:01 PM

> Thanks for the explanation and the other options you pointed out. When I was talking about the Microsoft version I had in mind the virtual box. I went back and read the description and I see it's more of an OS emulator than a sandbox. I might still do that, you know, have a virtualized OS and run everything from inside that and still use Deep Freeze or a sandbox to mess around in. It seems like that would be 3 extra layers a bug would have to get through. I'm dealing with a backdoor right now and I swear I've never been so paranoid in my life lol.

 

If you're interested in running a virtual machine then I would highly recommend one of the following:

Both of these options are very easy to use and work well. You can choose either of these options and have a good experience. Here are some additional links to help get you started:

Here is some additional reading that can help you learn how to secure your host and guests, in addition to what realistic security benefits virtual machines can provide:



#5 bigrobifer

  • Topic Starter
  • Members
  • 92 posts

Posted 28 June 2014 - 03:14 PM

Thanks a lot. I bought a laptop (from Walmart) with a built-in rootkit for the FBI ransomware. So once I get it out and cleaned I will be doing something along these lines. My hardware doesn't support virtualization. I'm guessing, far from being a techie, that that is the reason I was able to detect it to begin with. I have open problems in another thread; if you're interested in looking into what's going on I can post the thread link. Thanks again for the guidance.



#6 Guest_Kaosu_*

  • Guests

Posted 28 June 2014 - 04:38 PM

> Thanks a lot. I bought a laptop (from Walmart) with a built-in rootkit for the FBI ransomware. So once I get it out and cleaned I will be doing something along these lines. My hardware doesn't support virtualization. I'm guessing, far from being a techie, that that is the reason I was able to detect it to begin with. I have open problems in another thread; if you're interested in looking into what's going on I can post the thread link. Thanks again for the guidance.

 

You're very welcome.

 

Bleeping Computer has strict guidelines when it comes to who can help with malware removal. They enforce this rule to protect innocent users from bad advice, which is completely understandable. Since I do my best to follow the rules, I cannot chime in on your current support thread.

 

For further help, please read this link and follow the instructions:

 

http://www.bleepingcomputer.com/forums/topic34773.html


Edited by Kaosu, 28 June 2014 - 04:41 PM.


#7 bigrobifer

  • Topic Starter
  • Members
  • 92 posts

Posted 28 June 2014 - 04:54 PM

Sorry, I wasn't trying to get you to tell me how to fix it, just what your thoughts were on it. The same goes for my complaint about buying this compromised computer labeled brand new. Not because I want your lawyerly advice, but just what your take might be. I guess it would amount to the same, though. I was told to start a topic on this in the Windows 7 section after the help guy declared his inability to help me further. What I need is someone who can help me understand the partition table and the interrupt call from the BIOS, because that's where it occurs; I believe this because I can't boot from DVD or USB. I got a hex/dec editor but know better than to play trial and error on that.

Thanks for the help on the choices of virtual machine software.



#8 Guest_Kaosu_*

  • Guests

Posted 28 June 2014 - 05:13 PM

> Sorry, I wasn't trying to get you to tell me how to fix it, just what your thoughts were on it. The same goes for my complaint about buying this compromised computer labeled brand new. Not because I want your lawyerly advice, but just what your take might be. I guess it would amount to the same, though. I was told to start a topic on this in the Windows 7 section after the help guy declared his inability to help me further. What I need is someone who can help me understand the partition table and the interrupt call from the BIOS, because that's where it occurs; I believe this because I can't boot from DVD or USB. I got a hex/dec editor but know better than to play trial and error on that.
>
> Thanks for the help on the choices of virtual machine software.

 

I have replied to your latest support thread in the Windows 7 section.



#9 Offset

  • Members
  • 39 posts
  • Gender:Male
  • Location:United Kingdom

Posted 28 June 2014 - 08:04 PM

It's worth pointing out that running a program in Sandboxie won't keep you completely safe unless you configure it properly. For example, on default settings, a virus running in Sandboxie would be able to access your Documents folder and upload these files somewhere on the internet. If you have passwords saved in your browsers (so you are automatically logged into a website when you visit) then the virus will also have access to these and can upload them.

 

Just be careful not to fall into the common trap of getting a false sense of security when using Sandboxie, don't open anything malicious (even if you're 95% sure it's safe... "Doubt means Don't"), and exercise the usual precautions when browsing online and you should be alright :)



#10 Guest_Kaosu_*

  • Guests

Posted 28 June 2014 - 08:21 PM

> It's worth pointing out that running a program in Sandboxie won't keep you completely safe unless you configure it properly. For example, on default settings, a virus running in Sandboxie would be able to access your Documents folder and upload these files somewhere on the internet. If you have passwords saved in your browsers (so you are automatically logged into a website when you visit) then the virus will also have access to these and can upload them.
>
> Just be careful not to fall into the common trap of getting a false sense of security when using Sandboxie, don't open anything malicious (even if you're 95% sure it's safe... "Doubt means Don't"), and exercise the usual precautions when browsing online and you should be alright :)

 

I agree. Sandboxie really should have its restrictions properly configured for optimal results. Personally, I like removing as much access as possible using the sandbox restrictions and then giving specific programs just enough access to be functional. Doing so will allow Sandboxie to better protect you.

 

No form of sandboxing will provide complete security; it isn't a license to go and install anything you can find. Sandboxing should be used as a single layer of defense and shouldn't be expected to be a cure.

 

Good catch, Offset. I could have sworn I had talked more about using Sandboxie's restrictions, but I guess I only covered dropping rights.


Edited by Kaosu, 28 June 2014 - 08:24 PM.
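Kaosu's advice in #2 (drop rights) and the point made in #9 and #10 (on default settings the Documents folder and saved browser profiles are reachable, so restrict first and re-open only what a program needs) both come down to what is written in Sandboxie.ini. The script below is an added example, not code from this thread or from the Sandboxie project: it parses a constructed Sandboxie.ini containing a default-looking box and a restricted box, and reports which of the restrictions discussed here each box is missing. `DropAdminRights` (the key behind the "Drop Rights" checkbox) and `ClosedFilePath` are real Sandboxie.ini settings; the folder values and the `!firefox.exe,` exception are illustrative assumptions, and the exact variables and syntax should be checked against the Sandboxie documentation for your version.

```python
"""Audit Sandboxie.ini boxes for the restrictions discussed in this thread.

Added example (not from the forum post or the Sandboxie project). The INI
text below is constructed for illustration; the folder values are assumptions.
"""

# Constructed Sandboxie.ini: "DefaultBox" is a stock-looking sandbox,
# "RestrictedBox" has the restrictions from posts #2 and #10 applied.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
ConfigLevel=7
AutoRecover=y
BlockNetworkFiles=y

[RestrictedBox]
Enabled=y
ConfigLevel=7
; Post #2: run everything in the box without administrative rights.
DropAdminRights=y
; Posts #9/#10: close the Documents folder and saved browser profiles to
; every sandboxed program, then re-open one profile for one browser only
; (assumed syntax: the "!program," prefix means "all programs except this one").
ClosedFilePath=%Personal%
ClosedFilePath=%Local AppData%\Google\Chrome\User Data
ClosedFilePath=!firefox.exe,%AppData%\Mozilla\Firefox\Profiles
"""

# (label, substring that must appear in at least one ClosedFilePath entry)
SENSITIVE_PATHS = [
    ("Documents folder (%Personal%)", "%Personal%"),
    ("Chrome profile", r"\Google\Chrome\User Data"),
    ("Firefox profiles", r"\Mozilla\Firefox\Profiles"),
]


def parse_sandboxie_ini(text):
    """Parse INI text into {section: {key_lower: [value, ...]}}.

    A small hand-rolled parser is used because Sandboxie.ini repeats keys
    such as ClosedFilePath, which configparser would collapse to one value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignore it
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def sandbox_names(sections):
    """Return the section names that define sandboxes (Enabled=y)."""
    return [name for name, keys in sections.items()
            if "y" in [v.lower() for v in keys.get("enabled", [])]]


def audit_box(sections, box):
    """Return a list of findings for one sandbox; an empty list means none."""
    keys = sections[box]
    findings = []
    if "y" not in [v.lower() for v in keys.get("dropadminrights", [])]:
        findings.append("DropAdminRights is not set: sandboxed programs keep "
                        "the rights of the user who started them")
    closed = keys.get("closedfilepath", [])
    for label, marker in SENSITIVE_PATHS:
        if not any(marker.lower() in entry.lower() for entry in closed):
            findings.append(f"{label} is not in any ClosedFilePath entry: "
                            "readable by every program in the box")
    return findings


def audit_all(text):
    """Audit every sandbox defined in the INI text: {box: [findings]}."""
    sections = parse_sandboxie_ini(text)
    return {box: audit_box(sections, box) for box in sandbox_names(sections)}


if __name__ == "__main__":
    for box, findings in audit_all(SAMPLE_INI).items():
        print(f"[{box}]")
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

Running it prints four findings for DefaultBox (rights not dropped, and none of the three locations closed) and none for RestrictedBox. To audit a real installation, read the contents of your own Sandboxie.ini into `audit_all` instead of `SAMPLE_INI`, and extend `SENSITIVE_PATHS` with whatever else you consider sensitive on your machine.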


#11 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 13,562 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 28 June 2014 - 09:11 PM

> I bought a laptop (from Walmart) with a built-in rootkit for the FBI ransomware

I would take it back. There is no way I would use it. This is a new machine? They have to exchange it or give you your money back. The first thing I would do is find out when the built-in rootkit for the FBI ransomware was installed; I am sure that can be done. If you can show that the PC was infected before you got it, that should be reason enough for a refund or exchange. You could also threaten legal action; isn't there a law about knowingly spreading malware?

And people wonder why, when I get a new or used PC, the first thing I do is format and start again from a known clean (other than built-in backdoors for the NSA) install disk. I did that little trick with a Windows ISO that allows you to select Win7 Starter to Win7 Ultimate.

This gets rid of all that bloatware and whatnot. I tend to be a bit paranoid.

Anyhow, that's my 2c worth.
 

> For example, on default settings, a virus running in Sandboxie would be able to access your Documents folder and upload these files somewhere on the internet.

Do people keep password lists in My Documents? Me being paranoid again, I keep my passwords on an encrypted USB that only gets plugged into my PC when needed.

Used properly, Deep Freeze can be quite good. I used to use it on another site to test 3rd party software (mostly 3rd party Yahoo) to see if it worked and if it was clean before it was posted, as long as the software did not need a reboot to finish installation. When done, all I had to do was reboot and all that stuff I installed was gone.

Please note: even back then this was NOT a 100% sure method.
 

 

> If you're interested in running a virtual machine then I would highly recommend one of the following:

 

Use Portable VirtualBox to Take Virtual Machines With You Everywhere


Edited by NickAu1, 28 June 2014 - 11:37 PM.


#12 Offset

  • Members
  • 39 posts
  • Gender:Male
  • Location:United Kingdom

Posted 28 June 2014 - 10:45 PM

> Do people keep password lists in My Documents?

 

Unfortunately, in my experience a lot of people do :( The bigger worry, though, is that Sandboxie has access to the browser profiles on default settings, so if you've ever clicked "Save My Password" in the browser then those stored passwords are easy pickings. A friend of mine had this unfortunate experience: he ran a binary in a sandbox with the default settings thinking "it's a sandbox, whatever I run in it is separate from my computer". An hour later he couldn't log in to any sites; it was a password stealer (a script kiddie had joined a USB stealer to a random stub file). From that day forward I had it etched in my mind: never run any sandbox, virtual machine, virtual environment etc. without checking the settings first.





