Advice Request Is this an escape from the Sandbox?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
N

Nebz

New Member
Thread author
Oct 3, 2020
8
Last night I noticed that an installer, which I was running sandboxed, wrote files to C:\windows\Temp
That's a breach of the sandbox, right?

Stupidly I had trusted this installer, and so I wasn't in shadow mode (Shadow Defender), but BitDefender deleted the files.
JFYI, I was running the new Sandboxie-Plus 5.43.5.
 
  • Like
Reactions: Protomartyr, bayasdev, [correlate] and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
Nebz said:
Last night I noticed that an installer, which I was running sandboxed, wrote files to C:\windows\Temp
That's a breach of the sandbox, right?

Stupidly I had trusted this installer, and so I wasn't in shadow mode (Shadow Defender), but BitDefender deleted the files.
JFYI, I was running the new Sandboxie-Plus 5.43.5.
Click to expand...
Do you have a link to this installer?
 
  • Like
Reactions: Protomartyr, Nebz, bayasdev and 6 others
N

Nebz

New Member
Thread author
Oct 3, 2020
8
I don't have it any more. Deleted.

It was a free VST plugin, downloaded from -VST free zone- sometime in the last year. It looked like a legitimate site at the time, like VST4FREE. They probably didn't screen their uploads well enough though.

It's the first time that I've noticed anything escaping from Sandboxie.
 
Last edited:
  • Like
Reactions: Protomartyr, bayasdev and [correlate]
N

Nebz

New Member
Thread author
Oct 3, 2020
8
> Sandboxie Plus (Sbie fork)

I'd love to be able to participate in that forum, about Sandboxie and Shadow Defender and some other software, but a mod there kept deleting every post I made. I think it was because one of them is prejudiced against the country I live in - I'm certain it had nothing to do with the content of my posts. I tried to ask for another mod to help out and stop them, but no-one did anything. I'm still pretty angry about my experience there. Very unprofessional moderating. This forum is much better anyway. ;)

I'd post it on David's/Sandboxies' github, but since I don't have any details about how the installer circumvented Sandboxie, it's kind of pointless.
 
  • Like
Reactions: Protomartyr and [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
Your second post suggests that this probably was not a Sandboxie bypass.
  1. The file was several months old. If it was truly malicious then it would be immediately deleted by Bitdefender.
  2. The installer was not detected initially by Bitdefender, so it was probably Adware or PUA. Such applications do not use sandbox escaping.
  3. The installer was intended to assure the user that it is a legal application. Such programs do not need to escape from sandbox, because users will be fooled to install them in the real system, anyway.
Are you sure that you did not allow Sandboxie to move some files to the real system?
Are you sure that the files in c:\Windows\temp folder were really dropped by this installer?

Bypassing Sandboxie is possible, but your observations give us too little information to confirm such an event.
 
  • Like
Reactions: Protomartyr, harlan4096, Nebz and 7 others
N

Nebz

New Member
Thread author
Oct 3, 2020
8
BitDefender did not alert me about the actual installer; it only recognised the trojan signatures (or the behaviour heuristically) once files were being written to the Temp folder. As for Sandboxie Plus, it's possible that I inadvertently gave the installer enough room for manoeuvre by relaxing the sandbox for previous installers. I'll be looking over my SB settings to see if there's anything I can tighten up on, and I'll look into using a freshly created sandbox each time I want to run something like this, instead of re-using the same one.

Yes, you're right. I wasn't diligent enough this time to be able to definitively say that Sandboxie failed, instead of just user error.
 
  • Like
Reactions: Protomartyr, [correlate], Gandalf_The_Grey and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
Nebz said:
...
Yes, you're right. I wasn't diligent enough this time to be able to definitively say that Sandboxie failed, instead of just user error.
Click to expand...
It happened to me several times. It is hard to be certain about bypassing something if you did not prepare the controlled environment in advance. But, it would be interesting to find Sandboxie bypass.:)(y)
 
  • Like
Reactions: Protomartyr, ZeroDay, Nebz and 3 others
mazskolnieces

mazskolnieces

Level 3
Well-known
Jul 25, 2020
117
Nebz said:
Last night I noticed that an installer, which I was running sandboxed, wrote files to C:\windows\Temp
That's a breach of the sandbox, right?

Stupidly I had trusted this installer, and so I wasn't in shadow mode (Shadow Defender), but BitDefender deleted the files.
JFYI, I was running the new Sandboxie-Plus 5.43.5.
Click to expand...
Probably not. Sandboxie by default most likely has write access to C:\Windows\temp. Go over to Wilders and ask. That is the support forum for new open-source Sandboxie.
 
  • Like
Reactions: [correlate], struppigel, Protomartyr and 3 others
struppigel

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Nebz said:
> Sandboxie by default most likely has write access to C:\Windows\temp

Shouldn't Sandboxie create a c:/windows/temp folder in the sandbox itself?
Click to expand...
Sandboxie has to save its own data somewhere on the actual drive. I would assume the TEMP folder makes sense as a location for that.

Hard to tell what happened without having the installer.
Can you access Bitdefender logs to see what kind of file it detected and which detection name it had? Maybe it is still in quarantine.
 
  • Like
Reactions: Protomartyr, plat, [correlate] and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
Sandboxie always sandboxed such folders by default. I have installed Sandboxie-Plus 5.43.5 to check it. Both "%LocalAppdata%\Temp" and "%SystemRoot\Temp" are sandboxed by default.(y)

@Nebz,
You can look into the config file C:\Windows\Sandboxie.ini to check if one of the sandboxes allows writing to "c:\Windows\Temp" folder.
 
Last edited:
  • Like
Reactions: Protomartyr, Nebz, struppigel and 3 others
Status
Not open for further replies.

Similar threads

lokamoka820
    • Like
Hot Take How to Remove or Install a Store App Package for All User Accounts (Provisioned Apps)
Replies
1
Views
113
Windows 11
Bot
Bot
DavidXanatos
    • Like
    • Thanks
New Update Sandboxie-Plus v1.10.1
Replies
0
Views
761
Sandboxie
DavidXanatos
DavidXanatos
DavidXanatos
    • Like
    • +Reputation
  • Sticky
Serious Discussion Sandboxie Plus Insider Program
Replies
0
Views
815
Sandboxie
DavidXanatos
DavidXanatos

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top