So, installing the new software will be possible only after turning off the Sandbox.
No Download and Desktop will be allowed when triggered by safe parents.
Couple of things. People keep saying Office 2007. What about Office 2010, 2013, 2016? Then there is Office Pro.
Then I have a question. How many people in this thread are actively using any Excubits drivers currently that you can say you feel competent with them? They are not simple. For example,
I use as an anti-exe NoVirusThanks EXE Radar Pro. It's been on my system a long time and I probably give it less than 1/2 of 1% of my attention a month. On the contrary, MZWriteScanner probably needs attention once or twice a week if not more.
I used all of them. I am afraid that Sandbox will not know that picture.exe with a PDF document icon should not be run from Explorer, but a standard installer.exe file should. I understand that double extension files like *.pdf.exe can be blocked by the predefined blacklist rules.
No, when it is initiated by safe parents it is allowed, no need to turn off anything. It is hard to explain when you have not used all Excubits programs (or drivers more accurately).
If loader.exe has admin rights, all the rest have admin rights, I think.
I am not accustomed to details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the below example of parents chain:
loader.exe --> explorer.exe --> payload.exe
I am afraid that safe parents have not much to do with admin rights.
If loader.exe has admin rights, all the rest have admin rights, I think.
Well yes, parent will be explorer.exe. But giving loader.exe admin rights, I don't think it matters much.
I am afraid that safe parents have not much to do with admin rights.
It matters, because Explorer is a safe parent and the malware will run. If the loader.exe is recognized as parent, then the malware will not run.
Well yes, parent will be explorer.exe. But giving loader.exe admin rights, I don't think it matters much.
You are wrong. On both accounts (from Windows Vista) loader.exe is started by default as standard user, so for users on both accounts the chain usually looks like:
I study environmental engineering so I may be wrong lol
but for me it is like this for loader.exe --> explorer.exe --> payload.exe
run as limited account loader.exe<explorer.exe-->no payload.exe
run as admin account loader.exe=explorer.exe-->payload.exe
When I look at Process Explorer then the parent is explorer.exe, which is a 'safe parent'. But maybe Excubits drivers can see the difference.
I am not accustomed to details of safe parents, so I have a question. Which parent will be recognized by Sandbox in the below example of parents chain:
loader.exe --> explorer.exe --> payload.exe
https://excubits.com/content/files/bouncer_demo.exe
It is simple. The loader can be executed by exploited software that is not protected by the Sandbox (using the Run command with explorer.exe). That was supposed to be covered by the point 6 (Limit execute access of Download folder (and Desktop) to 'safe' parents). This vulnerability follows from usability (as usual).
As said, rules are not 100% (except exploit prevention), but it is the combination: how is the loader.exe started in this scenario and how does it circumvent dangerous commands restrictions?
Why not?
Andy
If this thing is going to be worth anything we don't need SmartScreen or my other Windows security like Windows Defender.
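The parent-chain question raised in the thread (loader.exe --> explorer.exe --> payload.exe), worked through as an added example that comes from none of the posters and does not model how the Excubits drivers are implemented: it compares a rule that checks only the immediate parent with one that walks the whole ancestor chain. The process table, the app.exe and winlogon.exe entries, and both allowlists are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str

# Constructed process table (sample data, not captured from a real system).
TABLE = {p.pid: p for p in [
    Proc(4, 0, "winlogon.exe"),
    Proc(100, 4, "explorer.exe"),     # the user's shell
    Proc(200, 100, "installer.exe"),  # user starts an installer from Downloads
    Proc(250, 100, "app.exe"),        # hypothetical unprotected application
    Proc(300, 250, "loader.exe"),     # started by the exploited application
    Proc(400, 300, "explorer.exe"),   # explorer.exe invoked by the loader
    Proc(500, 400, "payload.exe"),
]}

# Assumed rules. Matching is by image name only to keep the example short.
SAFE_PARENTS = {"explorer.exe"}
KNOWN_ANCESTORS = SAFE_PARENTS | {"winlogon.exe"}

def ancestors(pid, table=TABLE):
    """Images from the immediate parent up to the root of the chain."""
    chain, seen = [], {pid}
    cur = table.get(table[pid].ppid)
    # Stop when a parent has exited (not in the table) or a PID repeats.
    while cur is not None and cur.pid not in seen:
        chain.append(cur.image)
        seen.add(cur.pid)
        cur = table.get(cur.ppid)
    return chain

def allow_by_parent(pid, table=TABLE):
    """Rule A: only the immediate parent has to be a safe parent."""
    chain = ancestors(pid, table)
    return bool(chain) and chain[0] in SAFE_PARENTS

def allow_by_ancestry(pid, table=TABLE):
    """Rule B: safe immediate parent and no unknown image anywhere above it."""
    chain = ancestors(pid, table)
    return allow_by_parent(pid, table) and all(i in KNOWN_ANCESTORS for i in chain)

if __name__ == "__main__":
    for pid in (200, 500):
        print(TABLE[pid].image, ancestors(pid),
              "parent-only:", allow_by_parent(pid),
              "ancestry:", allow_by_ancestry(pid))
```

Under rule A both installer.exe and payload.exe are allowed, because each has explorer.exe as its immediate parent; rule B still allows installer.exe but denies payload.exe, because loader.exe and app.exe appear in its ancestry.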