App Review: Basic sandbox demo (for beginners)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Maxwell Sien

Level 2
Verified
Nov 15, 2016
97


As far as I know, rebooting the PC can't revert back to the prior state in Sandbox. But in Deep Freeze and Shadow Defender, it can.
 

Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160


As far as I know, rebooting the PC can't revert back to the prior state in Sandbox. But in Deep Freeze and Shadow Defender, that's true.
I mean that rebooting the PC or clearing the sandbox will have the same effect (both will reset the sandbox as far as I know).
 

Maxwell Sien

Level 2
Verified
Nov 15, 2016
97
I mean that rebooting the PC or clearing the sandbox will have the same effect (both will reset the sandbox as far as I know).

Nope, I just tried it once again to make sure. Without Reset Sandbox, after reboot, the files/folders and the registries changed inside the Virtual Environment are still here. Reboot has no effect on the Virtual Environment created by Sandbox.

You can try to check it too.. :)
 

nikos200

Level 3
Verified
Nov 18, 2015
104
This is a really basic video explaining sandbox.
This video, for some unknown reason, has an unclear quality level.
Sorry for the inconvenience caused.



You already know that it is ransomware... but if you didn't... and believed that it is a safe file... what will you do? (I will say "pff, it's not working in the sandbox... so I will run it normally outside the sandbox...") ...and then what? Will Comodo sandbox protect you? I think not... that's why I don't suggest sandbox and Comodo to novice users.
 

Maxwell Sien

Level 2
Verified
Nov 15, 2016
97
You already know that it is ransomware... but if you didn't... and believed that it is a safe file... what will you do? (I will say "pff, it's not working in the sandbox... so I will run it normally outside the sandbox...") ...and then what? Will Comodo sandbox protect you? I think not... that's why I don't suggest sandbox and Comodo to novice users.

That is a human mistake. Antivirus cannot protect against human mistakes. If you use another AV, you will get the same result.

Same case: if someone turns off the RTP of an AV engine to execute a *rack file and then a virus comes in, can you blame the antivirus?
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
I've confirmed that the data you've stored in the sandbox will just be retained whether you shut down or restart.

You need to remove it manually; likely because that's how a typical sandbox works.

Sandbox is definitely a storage for your testing which isolates on your actual system behavior; therefore you can resume anytime within the test.
 

nikos200

Level 3
Verified
Nov 18, 2015
104
That is a human error. Antivirus cannot protect against human error. If you use another AV, you will get the same result.

Same case: if someone turns off the RTP of an AV engine to execute a *rack file and then a virus comes in, can you blame the antivirus?
Behavior blocker can :)
 

nikos200

Level 3
Verified
Nov 18, 2015
104
Comodo has HIPS that acts like a behaviour blocker too.

In case of human mistake, a behaviour blocker can be bypassed easily by the user too, just to execute a bad file that he/she believes is safe.
That's why novice users need a good AV and a good behavior blocker... to take decisions for them because they can't.
 

Maxwell Sien

Level 2
Verified
Nov 15, 2016
97
That's why novice users need a good AV and a good behavior blocker... to take decisions for them because they can't.
A good behaviour blocker to take decisions for them? But how? As far as I know, a behaviour blocker just intercepts a process and gives an alert. The user must take the decision, not the behavior blocker. The behaviour blocker just asks.

If so, no matter how good the behavior blocker is, as the user believes this file is safe to run, they will ignore even the alert from the best behaviour blocker.
 

nikos200

Level 3
Verified
Nov 18, 2015
104
A good behaviour blocker to take decisions for them? But how? As far as I know, a behaviour blocker just intercepts a process and gives an alert. The user must take the decision, not the behavior blocker. The behaviour blocker just asks.

If so, no matter how good the behavior blocker is, as the user believes this file is safe to run, they will ignore even the alert from the best behaviour blocker.
An alert from a behavior blocker means 90% malware... but from HIPS and sandbox, no... sandbox and HIPS are not for novice home users... that's why I don't suggest Comodo to my novice user friends.
 

Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160
Nope, I just tried it once again to make sure. Without Reset Sandbox, after reboot, the files/folders and the registries changed inside the Virtual Environment are still here. Reboot has no effect on the Virtual Environment created by Sandbox.

You can try to check it too.. :)
Hey, I have tried. Here are my findings:
1. As I have explained how the normal sandbox works, my statement seems right, as a normal sandbox will clear its contents on reboot, as I have seen with Sandboxie.
2. Comodo has a sandbox with many unique features.
One of them is that it will continue to run services created by the software in containment even after reboot, by default.
But you can change this setting to ensure that even the services created will be deleted on reboot.
Comodo, at my settings, would not allow any untrusted process to register its services (the HIPS would block it).
But even at the default sandbox level without any other protection, you can see that ransomware cannot encrypt your files.
After all, this video is just about introducing sandbox and not about going into its deep details.
That will be covered later on.
So all in all, if you use sandbox software like Sandboxie, you will get the reboot restore feature.
And if you use Comodo, then other components are there to disallow any untrusted process from registering services and all that unwanted stuff.
 

Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160
You already know that it is ransomware... but if you didn't... and believed that it is a safe file... what will you do? (I will say "pff, it's not working in the sandbox... so I will run it normally outside the sandbox...") ...and then what? Will Comodo sandbox protect you? I think not... that's why I don't suggest sandbox and Comodo to novice users.
The answer to your question lies in the actual title of my video.
Go see my channel, "Prayag Infosec", on YouTube to see the official title of my latest video.
Hope that will satisfy you.
 

Maxwell Sien

Level 2
Verified
Nov 15, 2016
97
An alert from a behavior blocker means 90% malware... but from HIPS and sandbox, no... sandbox and HIPS are not for novice home users... that's why I don't suggest Comodo to my novice user friends.

Do you mean that the Behaviour Blocker from Emsisoft also learns the behaviour of a process and gives an alert when a bad process is detected? Comodo has it too, i.e. Viruscope. Even Comodo lets you reverse its changes.

Yes, you're right, Comodo may not be suitable for novice home users. But if they want to learn a bit, Sandbox in Comodo records every change in files, folders and registry by the unknown process and lets you see it before you reset the sandbox. If users take time to see it, they can determine correctly whether this file is safe or not, not just rely on the engine's decision.

So, Sandbox is not just run in virtual, but also read their track too.
 

nikos200

Level 3
Verified
Nov 18, 2015
104
Yes, you're right, Comodo may not be suitable for novice home users.

That's the bad thing... Comodo is not for everyone :)
 

Maxwell Sien

Level 2
Verified
Nov 15, 2016
97
Hey, I have tried. Here are my findings:
1. As I have explained how the normal sandbox works, my statement seems right, as a normal sandbox will clear its contents on reboot, as I have seen with Sandboxie.
2. Comodo has a sandbox with many unique features.
One of them is that it will continue to run services created by the software in containment even after reboot, by default.
But you can change this setting to ensure that even the services created will be deleted on reboot.
Comodo, at my settings, would not allow any untrusted process to register its services (the HIPS would block it).
But even at the default sandbox level without any other protection, you can see that ransomware cannot encrypt your files.
After all, this video is just about introducing sandbox and not about going into its deep details.
That will be covered later on.
So all in all, if you use sandbox software like Sandboxie, you will get the reboot restore feature.
And if you use Comodo, then other components are there to disallow any untrusted process from registering services and all that unwanted stuff.

But I use Sandboxie too; all of its traces and content still appear after reboot. How do you trace the content left after the sandbox process has been terminated? Please explain in Comodo and in Sandboxie too.

Maybe we have misunderstood in reading the sandbox content.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
After all, this video is just about introducing sandbox and not about going into its deep details.
That will be covered later on.

Could be you saw a reference in @cruelsister's videos where she states that rebooting will shut down the malware from running in the sandbox. You are also correct that the sandbox must be cleared manually. Reboot as you mention doesn't clear the sandbox with Comodo.

OK, if I am wrong about the below please correct me. This is how I understand Comodo's auto-sandboxing.

I believe the reason @cruelsister mentioned that malware cannot hurt the system even when running while a reboot is begun was that some malware in the sandbox can affect a system such that it makes a system mildly unstable. Depends on the sandbox settings for restriction level, where restricted is basically a block for all purposes. However, I believe with Partially Limited or straight Virtualized with no limitations, malware could open some things and maybe even drop some files sometimes or make the processor race. At any rate, running malware in the sandbox could still lead someone to want to try a reboot, and there is no harm in doing so. Malware can't do harm to the system or files, and rebooting will mean the malware is no longer running.

You may have noticed that in some of @cruelsister's videos malware running in the sandbox changed the wallpaper and dropped a ransom note. That's an example of what can happen at some sandbox restriction levels (settings). I guess partly she does this to show what the malware attempts to do. Reboot and you will have to fix those problems manually (with or without reboot actually), but the malware will not still be running in the sandbox when the PC restarts. To run, it must be restarted manually (bad idea o/c). At that point you can just empty the sandbox manually and its traces will be gone. Just make sure to delete the malicious file too.
 
