PUA/PUP-Testfile can be execute inside Sandbox. Security hazard?

Status
Not open for further replies.
NulFunction

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Hi
I Just installed Sandboxie so it should be the newest Version.

I found that downloading and executing this testfile is no problem if I download it using sandboxed Chrome.
Feature Settings Check – Potentially Unwanted Applications – AMTSO
Downloading it with unboxed Chrome is possible too, but execution is prevented by Windows Defender. (Even before NVT ERP could block it)

Does this mean that basically every Malware can be executed inside the Sandbox? This seems a little hazardous to me. Malware must only be able to escape sandboxie somehow, and then it can wreak havoc on my PC/RAM because no protection sees executables inside the Sandbox.

Am I correct? is this same nontheless?
Thanks!
 
  • Like
Reactions: upnorth, SumTingWong and CoherentCrayon
bjm_

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
705
In my opinion, for testing programs, the virtual machine its the better choice since it can be used for trying all kind of programs. In my personal case, I use Sandboxie for trying browsers, Firefox addons, to temporarily install Java or Flash in my W7, that kind of thing but to try any other type of program, I use Shadow Defender. #17
Click to expand...
I don't test malware but if I did, I would not use Sandboxie for that. Sandboxie was not created for testing malware. #24
Click to expand...
Sandboxie VS VirtualBox...

Application Sandboxes: A pen-tester’s perspective
 
Last edited:
NulFunction

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
I don't know why you wrote this. I don't want to test Malware or try out programs. I want to increase my computer security.
So I am using it to sandbox Chrome.
 
NulFunction

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
So... running a web browser in sandboxie has significant security flaws: Keylogger can run freely and would not be detected by software running on your system outside the box. (For example: Zamana AntiLogger) They would log everything system wide, wouldn't they?

Also:
Q. Can the anti-virus detect a virus in the sandbox?
A. Yes. Files contained in the sandbox are stored in the hard disk, typically in the folder SANDBOX in drive C. Programs under the supervision of Sandboxie can only operate within this folder, but there is nothing special about the folder itself. The anti-virus software may detect viruses as they arrive into this folder, or at any later time.
Click to expand...
I just proved this false, didn't I?

The second Link suggests that it isn't necessary to run Chrome in Sandboxie, because it is already sandboxed. Is that true? I can't believe that is sufficiently secure.

EDIT: I tried intentionally running Shadow_KeyLogger but it got blocked by Sandboxie itself. Interesting.
Also NVT ERP does now ask for programs to run first. I don't know why it didn't do that before.
I also changed Sandboxies settings to only allow Chrome

Edit: I tried running the PUP file from OP in a sandboxed explorer window. That doesn't work. It gets blocked by Zemana AntiLogger. So ... I don't know why it worked before when executed using Chrome. (from the Downloads menu)
Next I'll try accessing RAM using a Hex editor from inside Sandbox.
 
Last edited:
  • Like
Reactions: AtlBo
NulFunction

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
A hex editor (HxD) running inside a sandbox with administrator rights can read the whole physical memory. Isn't that problematic?
For example: I can read the contents of a file opened in Notepad.exe using the sandboxed HxD. (HxD is sandboxed and notepad is not.)
This does not work the other way around. (While the file is opened in a sandboxed notepad and HxD is not sandboxed)

Shouldn't malware be able to write itself to RAM from inside the Sandbox and then executes? Also any Spyware that targets opened documents or programs would work inside Sandboxie and could send information outside, I guess

I just want to understand Sandboxie. But shouldn't the outside RAM be protected? Is that even possible?
 
Last edited:
  • Like
Reactions: AtlBo
NulFunction

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Deadlock said:
God sake looks like I am viewing another thread where you can't just get a straight up answer. OK let me pitch in Definite answer is that it is possible for malicious software to escape the sandbox. That doesn't mean it would be easy for a dude to do it...Plz quote me on that
Click to expand...
bjm_ said:
Application Sandboxes: A pen-tester’s perspective
Click to expand...
I read that article. So basically Sandboxie is no use?
I guess so since even I was able to read the contents of phys RAM from inside the Sandbox with no problem.
 
  • Like
Reactions: AtlBo
bjm_

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
705
I run Sandboxie for isolation. Isolating programs is how SBIE protects, the isolation keeps sandboxed programs from making changes to the system, registry and other programs.

Why not take your concerns to Sandboxie Forum. Sandboxie Support - Index page
and or google > Sandboxie Tutorials
 
Last edited:
  • Like
Reactions: AtlBo and Freki123
D

Deleted member 178

Sandboxie by default doesn't block programs to run in its sandbox, it just isolate them from the real system.
If a malware manage to escape (very low probability unless the user accidentally permitted it), sandboxie can't do anything about it, it will be the role of your AV/other security soft.
 
  • Like
Reactions: AtlBo, Nightwalker, Deletedmessiah and 2 others
F

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Have you had a look at the settings? If you want the sandbox to "block" stuff make one for every programm pdf reader/ browser/ office and only allow what is realy needed for that specific program(and cut any not needed internet access). So is firefox wants to run *.exe it shouldnt work unless you choose to allow it.
I trust sandboxie as a sandbox a lot more than any google sandbox. (But thats just gut feeling) I run Firefox in sandboxie but not installed in it.
Unbenannt111 - Kopie.jpg
 
  • Like
Reactions: AtlBo and harlan4096
NulFunction

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Yes, I know that. Thanks for the effort. :)
Unfortunately, with all the extra safety features enabled, Chrome can't use it's profiles and settings anymore. (Yes, that is enabled too. In the respective settings tab for Chrome. Still)
 
  • Like
Reactions: AtlBo
D

Deleted member 178

NulFunction said:
... I'm not going to use it then.
Core question was: "Does it make sense to run chrome in Sandbox?" Answer is: "No."
Click to expand...
answer is Yes.

NulFunction said:
Unfortunately, with all the extra safety features enabled, Chrome can't use it's profiles and settings anymore. (Yes, that is enabled too. In the respective settings tab for Chrome. Still)
Click to expand...
I run Chrome perfectly in Sandboxie with many tweaks enabled.

Sandboxie Configuration Discussion Thread

People, before stating, do some researches.
 
  • Like
Reactions: harlan4096
Kuttz

Kuttz

Level 13
Verified
Top Poster
Well-known
May 9, 2015
630
NulFunction said:
Hi
I Just installed Sandboxie so it should be the newest Version.

I found that downloading and executing this testfile is no problem if I download it using sandboxed Chrome.
Feature Settings Check – Potentially Unwanted Applications – AMTSO
Downloading it with unboxed Chrome is possible too, but execution is prevented by Windows Defender. (Even before NVT ERP could block it)

Does this mean that basically every Malware can be executed inside the Sandbox? This seems a little hazardous to me. Malware must only be able to escape sandboxie somehow, and then it can wreak havoc on my PC/RAM because no protection sees executables inside the Sandbox.

Am I correct? is this same nontheless?
Thanks!
Click to expand...
While I was testing Anti virus softwares inside VM, Avast installed in my real OS intercepted many malicious web links. As far as I know only the web/network protection component of the Anti Virus installed on the real OS can provide protection to a virtualised OS or inside sandbox and there will be no protection from the host anti virus during file execution happening inside a virtualised OS or sandbox. Since WD don't have any meaningful web protection component it had no way detecting what the web links the sandboxed browser access to.
 
  • Like
Reactions: AtlBo and upnorth
NulFunction

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Spawn: He could have at least gave a description of what that link is or anything at all. It's rude.
 
  • Like
Reactions: AtlBo
Status
Not open for further replies.

Similar threads

bjm_
    • Like
    • +Reputation
New Update Sandboxie+ Release v1.0.8 / 5.55.8
Replies
0
Views
934
Sandboxie
bjm_
bjm_
Victor M
New Update Chrome 124 Ubuntu 24.04 LTS Apparmor profile
Replies
1
Views
855
ChromeOS & Linux
Victor M
Victor M
SpyNetGirl
    • Like
    • +Reputation
    • Hundred Points
Harden Windows Security | Only with official documented methods | Always up to date
Replies
75
Views
13,852
Other security for Windows, Mac, Linux
Warencom
W

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top