- Jun 2, 2018
- 96
PUA/PUP-Testfile can be execute inside Sandbox. Security hazard?
- Thread starter NulFunction
- Start date
- Status
Who cares of other forums. We are here. if this is rude for you, wait my answers the day you wrote nonsense stuff.
Browser sandboxes and sandbox apps aren't the same; browser sandboxes are limited to web pages. Sandbox apps does more in term of overall security.
- Jun 2, 2018
- 96
What about this: Application Sandboxes: A pen-tester’s perspective respective Application Sandboxes: A pen-tester's perspective - Bromium
I don't think they improved much since 2013.
And what about the easily executable malware inside the box - even though it would've been blocked if run outside instead? (As I've said in OP) Now Combine this with the fact that everything inside it can read the whole RAM anyway.
I don't see much protection in using it at all.
I don't think they improved much since 2013.
And what about the easily executable malware inside the box - even though it would've been blocked if run outside instead? (As I've said in OP) Now Combine this with the fact that everything inside it can read the whole RAM anyway.
I don't see much protection in using it at all.
2013 reports made by a concurrent (bromium) using default settings? things changed since, if i recall well a fix was made.
- Jun 2, 2018
- 96
My points stand though.
EDIT: Well actually only if you don't change the settings. Ok. Yet it troubles me why this is even possible in the first place.
Someone in another thread said it could cause issues with chromes own anti-malware protection measures. Do you know anything about that?
Thanks for your answers
EDIT: Well actually only if you don't change the settings. Ok. Yet it troubles me why this is even possible in the first place.
Someone in another thread said it could cause issues with chromes own anti-malware protection measures. Do you know anything about that?
Thanks for your answers
- Apr 13, 2013
- 3,224
Nul- I don't know if this will help, but I'll try- Two of the best virtualization routines available to the home User are Sandboxie and Comodo. Both are excellent and have withstood the test of time. The main difference is that Sandboxie is On-Demand )ie only the stuff that the user decides to be sandboxed will be sandboxed) whereas with Comodo (auto-sandbox), anything hat is not perceived as legitimate will be sandboxed WITHOUT ANY USER INTERVENTION.
Conclusions:
1). Both SBIE and CF sandboxes are top notch (especially as SBIE closed a hole I pointed out a year ago).
2). both have settings to stop sandboxed stuff from connecting out- absolutely ESSENTIAL to stop data stealers and assorted metasploit crap) .
3). Comodo will protect you from being an Airhead (like me), as it wil sandbox things automatically that you forget to do yourself because you are on the Phone with your Sister. With Sandboxie, if you forget to sandbox something and still run it you are (insert Word here that rhymes with Duct).
Conclusions:
1). Both SBIE and CF sandboxes are top notch (especially as SBIE closed a hole I pointed out a year ago).
2). both have settings to stop sandboxed stuff from connecting out- absolutely ESSENTIAL to stop data stealers and assorted metasploit crap) .
3). Comodo will protect you from being an Airhead (like me), as it wil sandbox things automatically that you forget to do yourself because you are on the Phone with your Sister. With Sandboxie, if you forget to sandbox something and still run it you are (insert Word here that rhymes with Duct).
@cruelsister @NulFunction if you use sandboxie, you can sandbox File Explorer which is even better.
- Apr 13, 2013
- 3,224
Umbra- with SBIE, what would protect me when I'm on the Phone?
- Jun 2, 2018
- 96
I am not sure that I can trust a program that hinders AV solutions to see malware running inside it. (See OP)
Then consider this: Malware on a page interchanges google-update.exe (Which I would have to add to executable programs list in order to use Chrome inside Sandboxie) with it self. Now it can run inside the Sandbox. Also no antivirus detects it because Sandbox.
Or what about Malware-pages running a false chrome.exe? It could run no problem, (Since no hashing of allowed processes or anything similar) yet no anti-virus solution is able to see it. Then it simply writes code to RAM and executes it to escape the sandbox.
I proved it's possible. With something as dumb as a TEST-FILE. I would consider this an EXTREME security flaw.
Then consider this: Malware on a page interchanges google-update.exe (Which I would have to add to executable programs list in order to use Chrome inside Sandboxie) with it self. Now it can run inside the Sandbox. Also no antivirus detects it because Sandbox.
Or what about Malware-pages running a false chrome.exe? It could run no problem, (Since no hashing of allowed processes or anything similar) yet no anti-virus solution is able to see it. Then it simply writes code to RAM and executes it to escape the sandbox.
I proved it's possible. With something as dumb as a TEST-FILE. I would consider this an EXTREME security flaw.
If you are skilled with sandboxie, you dont need an AV. AVs are obsolete in term of security, if they didn't have their HIPS or BB they would be useless.
With sandboxie, you can block processes/programs to run in the sandbox in the first place; when my Chrome is sandboxed, it is the only program authorized to run in its sandbox; all other processes are blocked.
Please learn the software before bashing it.
I can't take you as a serious tester when you don't know how the software works. And seriously? test-files...?
- Jun 2, 2018
- 96
Please read again what I wrote: Any program with the name "chrome.exe" can run perfectly fine in a sandbox configured to only allow "chrome.exe". And it is irrelevant if it is a test-file or not. It could run perfectly fine inside it, but would get blocked if run outside.
You can't even add hashing in the allowed executable tab, let alone specifiy a path.
Try it yourself: Upload a executable on your website or somewhere where you can download it unpacked. It's name should be "chrome.exe" and it should be a safe-to-run malware. Then download it with Chrome inside the sandbox and click the file on the bottom of the browser window to start it.
It can run perfectly fine.
let me tell you once for all.
1- chrome is sandboxed.
2- i download your weaponized fake chrome.exe
3- the download folder is also sandboxed in a different sandbox, preventing ALL processes/programs to run , access network , access any drive including C:
so what now?
I guess you use sandboxie free; so no much clues about how it really works and how to make it a fortress.
Not saying i have some friends who loves sandboxie and tested it against tons of real 0-days malware, none were able to bypass sandboxie...i wish they could, they will get money from Invincea.
1- chrome is sandboxed.
2- i download your weaponized fake chrome.exe
3- the download folder is also sandboxed in a different sandbox, preventing ALL processes/programs to run , access network , access any drive including C:
so what now?
I guess you use sandboxie free; so no much clues about how it really works and how to make it a fortress.
Not saying i have some friends who loves sandboxie and tested it against tons of real 0-days malware, none were able to bypass sandboxie...i wish they could, they will get money from Invincea.
Last edited by a moderator:
- Jun 2, 2018
- 96
In paid version, you can force apps and folders to be automatically isolated in separate sandboxes, then you apply the desired policies to those. It is a huge difference.
- Apr 13, 2013
- 3,224
- Apr 1, 2017
- 1,782
- Jun 2, 2018
- 96
And how does that work with Chrome? Chrome usually starts about 10 instances of chrome.exe. Does it mean you'll have this many sandboxes running? How is yet a another chrome.exe started by chrome a different case to all the other non-malicious chrome.exes?
Remember I said to launch the downloaded, malicious chrome.exe from chrome itself using the button that appears on the bottom. This way it gets called by chrome! Just like any other chrome.exe would do.
(If I would start the malicious chrome.exe by myself in its own sandbox, it would get detected by AV, but not if started from inside chrome browser.)
Did you test it?
Download that test-file i was talking about as "chrome.exe" and start it.
EDIT: Skip testing. I saw that even a downloaded "chrome.exe" can't be executed inside a "chrome.exe only" sandbox. Weird. How does it know that? It should show the path to the allowed application if it uses the path, imo.
Interestingly it does that even if I save it in the same folder as chrome. So it is using hashes?
I'm sorry I'm pestering you.
Last edited:
Anyway my favorite sandboxing app is ReHiPS. Sandbox + application control.
Better than sandboxie to me, i use it on my main computer.
Better than sandboxie to me, i use it on my main computer.
@NulFunction sandboxie has a lot of inner mechanisms and options. Just know that its purpose is to prevent isolated processes to modify what is outside, it does not matter if the malware run in it or not. Once the sandbox is closed, all changes and files in it are deleted.
Last edited by a moderator:
- Status
