Need your input for NEW zero config application sandbox

[Andy Ful]

No Download and Desktop will be allowed when triggered by safe parents.

So, installing the new software will be possible only after turning off the Sandbox.

 

[overdivine]

then they should focus the development for enterprise environment not for the average user

 

[Peter2150]

Couple of things. People keep saying office 2007, What about Office 2010,2013,2016. Then there is office Pro.

Then I have a question. How many people in this thread are actively using any Execubits drivers currently that you can say you feel competent with them. They are not simple. For example

I use as an Anti Exe Novirusthanks Exeradar Pro. It's been on my system a long time and I probably give it less then 1/2 of 1% of my attention a month. On the contrary MZwritescanner probably needs attention once or twice a week if not more.

 

[Windows_Security]

So, installing the new software will be possible only after turning off the Sandbox.

No when it is initiated by safe parents it is allowed, no need to turn of anything. It is hard to explain when you have not used al Excubits programs (or drivers more accurately).

 

[Windows_Security]

Couple of things. People keep saying office 2007, What about Office 2010,2013,2016. Then there is office Pro.

Then I have a question. How many people in this thread are actively using any Execubits drivers currently that you can say you feel competent with them. They are not simple. For example

I use as an Anti Exe Novirusthanks Exeradar Pro. It's been on my system a long time and I probably give it less then 1/2 of 1% of my attention a month. On the contrary MZwritescanner probably needs attention once or twice a week if not more.

Yep all office versions, but the reason for business would be end or life. By using ??? wildmarks I only have extra rule for ClickToRun.

That is the art of defining rules which are tight enough to JAIL (essentially different than blocking) malware and wide enough to require no maintenance.

 

[overdivine]

do Execubits drivers work under hyper-v?

 

[Andy Ful]

No when it is initiated by safe parents it is allowed, no need to turn of anything. It is hard to explain when you have not used al Excubits programs (or drivers more accurately).

I used all of them. I am afraid that Sandbox will not know, that picture.exe with pdf document icon should not be run from Explorer, but a standard installer.exe file should. I understand that double extension files like *.pdf.exe. can be blocked by the predefined blacklist rules.
.
Edit.
Anyway, it will be a very good and pretty useful protection when safe parents are applied.

 

[Andy Ful]

I am not accustomed to details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the below example of parents chain:
loader.exe --> explorer.exe --> payload.exe

 

[overdivine]

I am not accustomed to details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the below example of parents chain:
loader.exe --> explorer.exe --> payload.exe

if loader.exe has admin rights all the rest have admin rights i think

 

[Andy Ful]

if loader.exe has admin rights all the rest have admin rights i think

I am afraid that safe parents have not much to do with admin rights.

 

[overdivine]

I am afraid that safe parents have not much to do with admin rights.

well yes. parent will be explorer.exe. but giving loader.exe admin rights i don't think it matters much

 

[Andy Ful]

well yes. parent will be explorer.exe. but giving loader.exe admin rights i don't think it matters much

It matters, because Explorer is a safe parent and the malware will run. If the loader.exe is recognized as parent, then the malware will not run.

 

[overdivine]

i study environmental engineering so i may be wrong lol
but for me is like this for loader.exe --> explorer.exe --> payload.exe
run as limited account loader.exe<explorer.exe-->no payload.exe
run as admin account loader.exe=explorer.exe-->payload.exe

 

[Andy Ful]

i study environmental engineering so i may be wrong lol
but for me is like this for loader.exe --> explorer.exe --> payload.exe
run as limited account loader.exe<explorer.exe-->no payload.exe
run as admin account loader.exe=explorer.exe-->payload.exe

You are wrong. On both accounts (from Windows Vista) loader.exe is started by default as standard user, so for users on both accounts the chain usually looks like:
loader.exe --> explorer.exe --> payload.exe
except when the user uses "Run as administrator" or a specialized program to run loader.exe with admin rights.

 

[Andy Ful]

I am not accustomed to details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the below example of parents chain:
loader.exe --> explorer.exe --> payload.exe

When I look at Process Explorer then the parent is explorer.exe, which is a 'safe parent'. But maybe Excubits drivers can see the difference.
.
Edit
If not, then the 'safe parent' restriction could be simply bypassed by using the below command in the loader.exe:
Run("explorer.exe path_to_payload\payload.exe")

 

[Windows_Security]

As said rules are not 100% (except exploit prevention), but it is the combination: how is the loader.exe started in this scenario and how does it circumvent dangereous commands restrictions?

 

[Andy Ful]

Wow. I downloaded Bouncer_demo.exe from the developer web-page:

https://excubits.com/content/files/bouncer_demo.exe

This file is digitally signed, but was quarantined by Defender (high cloud level). The first submission on VirusTotal was three months ago, and still Kaspersky, Qiho0-360, Avast, G-Data, Ikarus, and some other (total 17/65) flag this file as Trojan.

 

[Andy Ful]

As said rules are not 100% (except exploit prevention), but it is the combination: how is the loader.exe started in this scenario and how does it circumvent dangereous commands restrictions?

It is simple. The loader can be executed by exploited software that is not protected by the Sandbox (using the Run command with explorer.exe). That was supposed to be covered by the point 6 (Limit execute access of Download folder (and Desktop) to 'safe' parents). This vulnerability follows from usability (as usual).
Also, the user can run any 0-day malware (script, malicious EXE) by himself from the Download folder or Desktop.
But as I said in my previous post, malicious loaders usually do not drop files to Desktop and Download folders, so those files will be often blocked by point 7 (Block executables (MZ-header) located in user folders), except when related to Appdata 'hole'.
Anyway, on Windows 8+, it would be safer to use obligatory SmartScreen instead of points 6 and 7.

 

[Peter2150]

Andy

If this thing is going to be worth anything we don't need Smartscreen or my other windows security like Windows Defender

 

[Andy Ful]

Andy

If this thing is going to be worth anything we don't need Smartscreen or my other windows security like Windows Defender

Why not?
.
Edit1.
I meant how SmartScreen can spoil this project? It is the best free anti 0-day online reputation service. Do you suspect some issues with Microsoft patents?
Edit2.
In fact, the obligatory SmartScreen check will work best with Defender on Windows 8+.
So, Microsoft should not be angry, for covering the holes in Defender security. But, the Sandbox will also be a paid solution, so maybe the developer should contact with Microsoft guys?