Cowpipe

New Member
Good question and one I'm not best placed to answer, but here's a couple of things to start.

Nice guide here on MalwareTips with some useful info, particularly about blocking Sandboxie access to certain folders; anything that contains passwords or other sensitive information should be blocked (e.g. Internet Files, App Data, My Documents, etc.). http://malwaretips.com/threads/how-to-use-sandboxie.4418/

Or, safer still, you can disable network access as well. I keep a separate ('No Internet') sandbox for testing malware, where it is set to 'No programs can access the internet'. You should consider the fact that any C&C trojan that is executed in Sandboxie might be isolated, but you're still giving a server and potentially a hacker access to your computer or analysis environment ;)

Disable any low-level access; importantly, don't allow hooking into the kernel or hooking into other processes (I'm not sure of the degree to which other processes outside of the sandbox are protected from DLL injection, etc.), and make sure the option to allow changing the user password is off (I think this is the default).

There seems to be a general consensus that you should configure C:\Windows to be read-only as well. I'm not sure of the exact risks if you don't do this; perhaps someone more educated will be better placed to answer that.

One other tip is to have separate sandboxes for each application you test, configured so that only that application is allowed access to the internet. This prevents any dropped files from 'phoning home' but still allows them to be downloaded for analysis.

Hope that helps. If anyone notices anything critically wrong with what I've said here, please give me a shout and I'll edit it out, but I should point out once again: I'm no Sandboxie expert! :D :p

Cats-4_Owners-2

Level 37
Trusted
Verified
Not bad, Cowpipe, especially for a non-expert of Sandboxie. o_O I shall therefore believe everything you've said here... except for the very last sentence! :rolleyes: ;)
I thank you as well. :D

Overkill

Level 31
Trusted
Verified
Sandboxie at default is very secure, but I like to tweak things...
For example, my Chrome sandbox:
Delete Invocation >>> ticked
Restrictions > Internet/start-run access >>> Chrome only
Drop rights >>> ticked
I force Chrome to run sandboxed and allow bookmarks.

I have tested this against tons of malware and nothing is able to run
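As an added example (not from this thread or from the Sandboxie project), here is a small Python checker that reads a Sandboxie.ini fragment and reports which of the settings discussed in Cowpipe's and Overkill's posts are missing from each box. The sample boxes are constructed, and the directive meanings are assumptions: ClosedFilePath=InternetAccessDevices blocks network access, a leading "!chrome.exe," prefix exempts that one program from the block, DropAdminRights=y is the "drop rights" tick, and ReadFilePath makes a folder read-only.

```python
# Added audit of a Sandboxie.ini fragment for the points raised in this thread.
# Sample boxes are constructed; directive meanings are assumptions (see lead-in).
from collections import defaultdict

SAMPLE_INI = """\
[Chrome]
ForceProcess=chrome.exe
AutoDelete=y
DropAdminRights=y
ClosedFilePath=!chrome.exe,InternetAccessDevices
ClosedFilePath=C:\\Users\\analyst\\Documents
ReadFilePath=C:\\Windows
[NoInternet]
DropAdminRights=y
ClosedFilePath=InternetAccessDevices
ClosedFilePath=C:\\Users\\analyst\\Documents
ReadFilePath=C:\\Windows
"""

def parse_ini(text):
    # Sandboxie.ini repeats keys (several ClosedFilePath lines), so keep every value per key.
    boxes, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            boxes[current] = defaultdict(list)
        elif "=" in line and current is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            boxes[current][key.strip()].append(value.strip())
    return boxes

def internet_policy(settings):
    # 'open', 'blocked', or 'only:<exe>' when a "!prog.exe," prefix exempts one program.
    for value in settings.get("ClosedFilePath", []):
        if value.endswith("InternetAccessDevices"):
            return "only:" + value[1:].split(",", 1)[0] if value.startswith("!") else "blocked"
    return "open"

def audit_box(settings):
    # Gaps against the thread's advice: drop rights, restrict network, block Documents, read-only Windows.
    findings = []
    if settings.get("DropAdminRights", ["n"])[0] != "y":
        findings.append("admin rights not dropped")
    if internet_policy(settings) == "open":
        findings.append("any program may reach the internet")
    if not any("Documents" in v for v in settings.get("ClosedFilePath", [])):
        findings.append("Documents folder not blocked")
    if not any(v.lower().startswith("c:\\windows") for v in settings.get("ReadFilePath", [])):
        findings.append("C:\\Windows writable")
    return findings
```

Run `audit_box` over each box returned by `parse_ini` on your own Sandboxie.ini; an empty list means the box matches the advice in this thread.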