Need your input for NEW zero config application sandbox

Peter2150

A couple of things. People keep saying Office 2007. What about Office 2010, 2013, 2016? Then there is Office Pro.

Then I have a question. How many people in this thread are actively using any Excubits drivers currently, such that you can say you feel competent with them? They are not simple. For example:

As an anti-exe I use NoVirusThanks ExeRadar Pro. It's been on my system a long time and I probably give it less than 1/2 of 1% of my attention a month. By contrast, MZWriteScanner probably needs attention once or twice a week, if not more.
 

Windows_Security

> So, installing the new software will be possible only after turning off the Sandbox.

No, when it is initiated by safe parents it is allowed; there is no need to turn off anything. It is hard to explain when you have not used all Excubits programs (or drivers, more accurately).
 

Windows_Security

> A couple of things. People keep saying Office 2007. What about Office 2010, 2013, 2016? Then there is Office Pro.
>
> Then I have a question. How many people in this thread are actively using any Excubits drivers currently, such that you can say you feel competent with them? They are not simple. For example:
>
> As an anti-exe I use NoVirusThanks ExeRadar Pro. It's been on my system a long time and I probably give it less than 1/2 of 1% of my attention a month. By contrast, MZWriteScanner probably needs attention once or twice a week, if not more.

Yep, all Office versions, but the reason for business would be end of life. By using ??? wildcards I only have an extra rule for ClickToRun.

That is the art of defining rules which are tight enough to JAIL (essentially different from blocking) malware and wide enough to require no maintenance.
 

Andy Ful

> No, when it is initiated by safe parents it is allowed; there is no need to turn off anything. It is hard to explain when you have not used all Excubits programs (or drivers, more accurately).

I used all of them. I am afraid that Sandbox will not know that picture.exe with a PDF document icon should not be run from Explorer, but a standard installer.exe file should. I understand that double-extension files like *.pdf.exe can be blocked by the predefined blacklist rules.

Edit: Anyway, it will be a very good and pretty useful protection when safe parents are applied. :)
 

Andy Ful

I am not accustomed to the details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the example parent chain below?
loader.exe --> explorer.exe --> payload.exe
 

overdivine

> I am not accustomed to the details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the example parent chain below?
> loader.exe --> explorer.exe --> payload.exe

If loader.exe has admin rights, all the rest have admin rights, I think.
 

Andy Ful

> Well yes, the parent will be explorer.exe. But giving loader.exe admin rights, I don't think it matters much.

It matters, because Explorer is a safe parent and the malware will run. If loader.exe is recognized as the parent, then the malware will not run.
 

overdivine

I study environmental engineering, so I may be wrong, lol.
But for me it is like this for loader.exe --> explorer.exe --> payload.exe:
run as limited account: loader.exe < explorer.exe --> no payload.exe
run as admin account: loader.exe = explorer.exe --> payload.exe
 

Andy Ful

> I study environmental engineering, so I may be wrong, lol.
> But for me it is like this for loader.exe --> explorer.exe --> payload.exe:
> run as limited account: loader.exe < explorer.exe --> no payload.exe
> run as admin account: loader.exe = explorer.exe --> payload.exe

You are wrong. On both accounts (since Windows Vista) loader.exe is started by default as a standard user, so for users on both accounts the chain usually looks like:
loader.exe --> explorer.exe --> payload.exe
except when the user uses "Run as administrator" or a specialized program to run loader.exe with admin rights.
 

Andy Ful

> I am not accustomed to the details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the example parent chain below?
> loader.exe --> explorer.exe --> payload.exe

When I look in Process Explorer, the parent is explorer.exe, which is a 'safe parent'. But maybe Excubits drivers can see the difference.

Edit: If not, then the 'safe parent' restriction could simply be bypassed by using the command below in loader.exe:
Run("explorer.exe path_to_payload\payload.exe")
 
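The detour described in the post above, as an added example that is not part of the thread and not Excubits / Bouncer code: a toy process tree with the chain loader.exe --> explorer.exe --> payload.exe, evaluated under two assumed rule semantics. The first keys only on the direct parent image (which is all the Process Explorer view shows); the second also refuses any ancestor that lives in a user-writable folder. The tree, the safe-parent list, the folder list and both rules are constructed assumptions for the demonstration.

```python
"""Evaluating a 'safe parent' execution rule over a process tree.

Added example, not Excubits / Bouncer code: it models the chain
loader.exe --> explorer.exe --> payload.exe from the thread. The process
tree, the safe-parent list, the user-folder list and both rule semantics
are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str            # full image path, lower-case
    ppid: Optional[int]  # None when the parent has already exited (shell root)


# Assumed policy: only these images may start executables that live in user folders.
SAFE_PARENTS = {"explorer.exe"}
# Assumed user-writable locations (points 6 and 7 in the thread).
USER_DIRS = (r"c:\users\alice\downloads", r"c:\users\alice\desktop", r"c:\users\alice\appdata")


def image(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_user_dir(path: str) -> bool:
    return any(path.startswith(d + "\\") for d in USER_DIRS)


def ancestry(tree: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk pid -> parent -> ... until a root, an unknown pid, or a pid loop."""
    chain: List[Proc] = []
    seen = set()
    cur = tree.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = tree.get(cur.ppid) if cur.ppid is not None else None
    return chain


def immediate_parent_rule(tree: Dict[int, Proc], pid: int) -> bool:
    """Allow an image in a user folder only if its direct parent is a safe parent."""
    chain = ancestry(tree, pid)
    if not chain:
        return False
    if not in_user_dir(chain[0].path):
        return True
    return len(chain) > 1 and image(chain[1].path) in SAFE_PARENTS


def tainted_ancestry_rule(tree: Dict[int, Proc], pid: int) -> bool:
    """As above, but an ancestor that itself lives in a user folder taints the chain."""
    chain = ancestry(tree, pid)
    if not chain:
        return False
    if not in_user_dir(chain[0].path):
        return True
    if len(chain) < 2 or image(chain[1].path) not in SAFE_PARENTS:
        return False
    return not any(in_user_dir(p.path) for p in chain[2:])


# Constructed tree. pid 1000 is the desktop shell; its parent (userinit.exe) is gone.
PROCS = (
    Proc(1000, r"c:\windows\explorer.exe", None),
    Proc(1100, r"c:\users\alice\downloads\installer.exe", 1000),     # user double-clicks
    Proc(1200, r"c:\users\alice\appdata\roaming\loader.exe", 1000),  # malware already running
    Proc(1300, r"c:\users\alice\downloads\payload.exe", 1200),       # loader starts payload directly
    Proc(1400, r"c:\windows\explorer.exe", 1200),                    # Run("explorer.exe ...\payload.exe")
    Proc(1500, r"c:\users\alice\downloads\payload.exe", 1400),       # payload started via the detour
)
TREE: Dict[int, Proc] = {p.pid: p for p in PROCS}


def verdict(rule: Callable[[Dict[int, Proc], int], bool], pid: int) -> str:
    chain = " --> ".join(image(p.path) for p in reversed(ancestry(TREE, pid)))
    return f"{chain}: {'ALLOW' if rule(TREE, pid) else 'BLOCK'}"


if __name__ == "__main__":
    for pid in (1100, 1300, 1500):
        print("immediate parent :", verdict(immediate_parent_rule, pid))
        print("tainted ancestry :", verdict(tainted_ancestry_rule, pid))
```

With the direct-parent rule, pid 1500 (payload started through explorer.exe) is allowed exactly like the user's own installer.exe, while the direct spawn (pid 1300) is blocked; the ancestry-taint variant blocks the detour because loader.exe in AppData sits above it. Note the caveat for real systems: the tree above gives the detour explorer.exe its own process under loader.exe so the difference is visible, but on Windows `explorer.exe <path>` typically hands the launch to the already-running shell and exits, so the recorded parent of payload.exe becomes the long-lived shell whose own parent has exited, and even an ancestry walk no longer sees the loader.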

Windows_Security

As said, rules are not 100% (except exploit prevention), but it is the combination: how is loader.exe started in this scenario, and how does it circumvent the dangerous-commands restrictions?
 

Andy Ful

Wow. I downloaded Bouncer_demo.exe from the developer web page:
Code:
https://excubits.com/content/files/bouncer_demo.exe
This file is digitally signed, but was quarantined by Defender (high cloud level). The first submission on VirusTotal was three months ago, and still Kaspersky, Qihoo-360, Avast, G-Data, Ikarus, and some others (17/65 in total) flag this file as a Trojan.
 

Andy Ful

> As said, rules are not 100% (except exploit prevention), but it is the combination: how is loader.exe started in this scenario, and how does it circumvent the dangerous-commands restrictions?

It is simple. The loader can be executed by exploited software that is not protected by the Sandbox (using the Run command with explorer.exe). That was supposed to be covered by point 6 (limit execute access of the Download folder (and Desktop) to 'safe' parents). This vulnerability follows from usability (as usual).
Also, the user can run any 0-day malware (script, malicious EXE) by himself from the Download folder or Desktop.
But as I said in my previous post, malicious loaders usually do not drop files to the Desktop and Download folders, so those files will often be blocked by point 7 (block executables (MZ header) located in user folders), except when related to the AppData 'hole'.
Anyway, on Windows 8+, it would be safer to use an obligatory SmartScreen check instead of points 6 and 7.
 

Peter2150

Andy,

if this thing is going to be worth anything, we don't need SmartScreen or my other Windows security like Windows Defender.
 

Andy Ful

> Andy,
>
> if this thing is going to be worth anything, we don't need SmartScreen or my other Windows security like Windows Defender.

Why not? :)

Edit1: I meant, how can SmartScreen spoil this project? It is the best free anti-0-day online reputation service. Do you suspect some issues with Microsoft patents?
Edit2: In fact, the obligatory SmartScreen check will work best with Defender on Windows 8+.
So, Microsoft should not be angry about covering the holes in Defender's security. But the Sandbox will also be a paid solution, so maybe the developer should contact the Microsoft guys?
 
