Q&A Is this an escape from the Sandbox?

Status
Not open for further replies.

Nebz

New Member
Oct 3, 2020
8
Last night I noticed that an installer, which I was running sandboxed, wrote files to C:\windows\Temp
That's a breach of the sandbox, right?

Stupidly I had trusted this installer, and so I wasn't in shadow mode (Shadow Defender), but BitDefender deleted the files.
JFYI, I was running the new Sandboxie-Plus 5.43.5.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,899
Last night I noticed that an installer, which I was running sandboxed, wrote files to C:\windows\Temp
That's a breach of the sandbox, right?

Stupidly I had trusted this installer, and so I wasn't in shadow mode (Shadow Defender), but BitDefender deleted the files.
JFYI, I was running the new Sandboxie-Plus 5.43.5.
Do you have a link to this installer?
 

Nebz

New Member
Oct 3, 2020
8
I don't have it any more. Deleted.

It was a free VST plugin, downloaded from -VST free zone- sometime in the last year. It looked like a legitimate site at the time, like VST4FREE. They probably didn't screen their uploads well enough though.

It's the first time that I've noticed anything escaping from Sandboxie.
 
Last edited:

Nebz

New Member
Oct 3, 2020
8
> Sandboxie Plus (Sbie fork)

I'd love to be able to participate in that forum, about Sandboxie and Shadow Defender and some other software, but a mod there kept deleting every post I made. I think it was because one of them is prejudiced against the country I live in - I'm certain it had nothing to do with the content of my posts. I tried to ask for another mod to help out and stop them, but no-one did anything. I'm still pretty angry about my experience there. Very unprofessional moderating. This forum is much better anyway. ;)

I'd post it on David's/Sandboxies' github, but since I don't have any details about how the installer circumvented Sandboxie, it's kind of pointless.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,899
Your second post suggests that this probably was not a Sandboxie bypass.
  1. The file was several months old. If it was truly malicious then it would be immediately deleted by Bitdefender.
  2. The installer was not detected initially by Bitdefender, so it was probably Adware or PUA. Such applications do not use sandbox escaping.
  3. The installer was intended to assure the user that it is a legal application. Such programs do not need to escape from sandbox, because users will be fooled to install them in the real system, anyway.
Are you sure that you did not allow Sandboxie to move some files to the real system?
Are you sure that the files in c:\Windows\temp folder were really dropped by this installer?

Bypassing Sandboxie is possible, but your observations give us too little information to confirm such an event.
 

Nebz

New Member
Oct 3, 2020
8
BitDefender did not alert me about the actual installer; it only recognised the trojan signatures (or the behaviour heuristically) once files were being written to the Temp folder. As for Sandboxie Plus, it's possible that I inadvertently gave the installer enough room for manoeuvre by relaxing the sandbox for previous installers. I'll be looking over my SB settings to see if there's anything I can tighten up on, and I'll look into using a freshly created sandbox each time I want to run something like this, instead of re-using the same one.

Yes, you're right. I wasn't diligent enough this time to be able to definitively say that Sandboxie failed, instead of just user error.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,899
...
Yes, you're right. I wasn't diligent enough this time to be able to definitively say that Sandboxie failed, instead of just user error.
It happened to me several times. It is hard to be certain about bypassing something if you did not prepare the controlled environment in advance. But, it would be interesting to find Sandboxie bypass.:)(y)
 

mazskolnieces

Level 3
Jul 25, 2020
119
Last night I noticed that an installer, which I was running sandboxed, wrote files to C:\windows\Temp
That's a breach of the sandbox, right?

Stupidly I had trusted this installer, and so I wasn't in shadow mode (Shadow Defender), but BitDefender deleted the files.
JFYI, I was running the new Sandboxie-Plus 5.43.5.
Probably not. Sandboxie by default most likely has write access to C:\Windows\temp. Go over to Wilders and ask. That is the support forum for new open-source Sandboxie.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
403
> Sandboxie by default most likely has write access to C:\Windows\temp

Shouldn't Sandboxie create a c:/windows/temp folder in the sandbox itself?
Sandboxie has to save its own data somewhere on the actual drive. I would assume the TEMP folder makes sense as a location for that.

Hard to tell what happened without having the installer.
Can you access Bitdefender logs to see what kind of file it detected and which detection name it had? Maybe it is still in quarantine.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,899
Sandboxie always sandboxed such folders by default. I have installed Sandboxie-Plus 5.43.5 to check it. Both "%LocalAppdata%\Temp" and "%SystemRoot\Temp" are sandboxed by default.(y)

@Nebz,
You can look into the config file C:\Windows\Sandboxie.ini to check if one of the sandboxes allows writing to "c:\Windows\Temp" folder.
 
Last edited:
Status
Not open for further replies.
Top