PUA/PUP-Testfile can be execute inside Sandbox. Security hazard?

Status
Not open for further replies.

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Hi
I Just installed Sandboxie so it should be the newest Version.

I found that downloading and executing this testfile is no problem if I download it using sandboxed Chrome.
Feature Settings Check – Potentially Unwanted Applications – AMTSO
Downloading it with unboxed Chrome is possible too, but execution is prevented by Windows Defender. (Even before NVT ERP could block it)

Does this mean that basically every Malware can be executed inside the Sandbox? This seems a little hazardous to me. Malware must only be able to escape sandboxie somehow, and then it can wreak havoc on my PC/RAM because no protection sees executables inside the Sandbox.

Am I correct? is this same nontheless?
Thanks!
 

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
In my opinion, for testing programs, the virtual machine its the better choice since it can be used for trying all kind of programs. In my personal case, I use Sandboxie for trying browsers, Firefox addons, to temporarily install Java or Flash in my W7, that kind of thing but to try any other type of program, I use Shadow Defender. #17
I don't test malware but if I did, I would not use Sandboxie for that. Sandboxie was not created for testing malware. #24
Sandboxie VS VirtualBox...

Application Sandboxes: A pen-tester’s perspective
 
Last edited:

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
I don't know why you wrote this. I don't want to test Malware or try out programs. I want to increase my computer security.
So I am using it to sandbox Chrome.
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
So... running a web browser in sandboxie has significant security flaws: Keylogger can run freely and would not be detected by software running on your system outside the box. (For example: Zamana AntiLogger) They would log everything system wide, wouldn't they?

Also:
Q. Can the anti-virus detect a virus in the sandbox?
A. Yes. Files contained in the sandbox are stored in the hard disk, typically in the folder SANDBOX in drive C. Programs under the supervision of Sandboxie can only operate within this folder, but there is nothing special about the folder itself. The anti-virus software may detect viruses as they arrive into this folder, or at any later time.
I just proved this false, didn't I?

The second Link suggests that it isn't necessary to run Chrome in Sandboxie, because it is already sandboxed. Is that true? I can't believe that is sufficiently secure.

EDIT: I tried intentionally running Shadow_KeyLogger but it got blocked by Sandboxie itself. Interesting.
Also NVT ERP does now ask for programs to run first. I don't know why it didn't do that before.
I also changed Sandboxies settings to only allow Chrome


Edit: I tried running the PUP file from OP in a sandboxed explorer window. That doesn't work. It gets blocked by Zemana AntiLogger. So ... I don't know why it worked before when executed using Chrome. (from the Downloads menu)
Next I'll try accessing RAM using a Hex editor from inside Sandbox.
 
Last edited:
  • Like
Reactions: AtlBo

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
A hex editor (HxD) running inside a sandbox with administrator rights can read the whole physical memory. Isn't that problematic?
For example: I can read the contents of a file opened in Notepad.exe using the sandboxed HxD. (HxD is sandboxed and notepad is not.)
This does not work the other way around. (While the file is opened in a sandboxed notepad and HxD is not sandboxed)

Shouldn't malware be able to write itself to RAM from inside the Sandbox and then executes? Also any Spyware that targets opened documents or programs would work inside Sandboxie and could send information outside, I guess

I just want to understand Sandboxie. But shouldn't the outside RAM be protected? Is that even possible?
 
Last edited:
  • Like
Reactions: AtlBo

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
God sake looks like I am viewing another thread where you can't just get a straight up answer. OK let me pitch in Definite answer is that it is possible for malicious software to escape the sandbox. That doesn't mean it would be easy for a dude to do it...Plz quote me on that
I read that article. So basically Sandboxie is no use?
I guess so since even I was able to read the contents of phys RAM from inside the Sandbox with no problem.
 
  • Like
Reactions: AtlBo

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
I run Sandboxie for isolation. Isolating programs is how SBIE protects, the isolation keeps sandboxed programs from making changes to the system, registry and other programs.

Why not take your concerns to Sandboxie Forum. Sandboxie Support - Index page
and or google > Sandboxie Tutorials
 
Last edited:
  • Like
Reactions: AtlBo and Freki123
D

Deleted member 178

Sandboxie by default doesn't block programs to run in its sandbox, it just isolate them from the real system.
If a malware manage to escape (very low probability unless the user accidentally permitted it), sandboxie can't do anything about it, it will be the role of your AV/other security soft.
 

Freki123

Level 15
Verified
Top Poster
Aug 10, 2013
737
Have you had a look at the settings? If you want the sandbox to "block" stuff make one for every programm pdf reader/ browser/ office and only allow what is realy needed for that specific program(and cut any not needed internet access). So is firefox wants to run *.exe it shouldnt work unless you choose to allow it.
I trust sandboxie as a sandbox a lot more than any google sandbox. (But thats just gut feeling) I run Firefox in sandboxie but not installed in it.
Unbenannt111 - Kopie.jpg
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Yes, I know that. Thanks for the effort. :)
Unfortunately, with all the extra safety features enabled, Chrome can't use it's profiles and settings anymore. (Yes, that is enabled too. In the respective settings tab for Chrome. Still)
 
  • Like
Reactions: AtlBo
D

Deleted member 178

... I'm not going to use it then.
Core question was: "Does it make sense to run chrome in Sandbox?" Answer is: "No."
answer is Yes.

Unfortunately, with all the extra safety features enabled, Chrome can't use it's profiles and settings anymore. (Yes, that is enabled too. In the respective settings tab for Chrome. Still)
I run Chrome perfectly in Sandboxie with many tweaks enabled.

Sandboxie Configuration Discussion Thread

People, before stating, do some researches.
 
  • Like
Reactions: harlan4096

Kuttz

Level 13
Verified
Top Poster
Well-known
May 9, 2015
625
Hi
I Just installed Sandboxie so it should be the newest Version.

I found that downloading and executing this testfile is no problem if I download it using sandboxed Chrome.
Feature Settings Check – Potentially Unwanted Applications – AMTSO
Downloading it with unboxed Chrome is possible too, but execution is prevented by Windows Defender. (Even before NVT ERP could block it)

Does this mean that basically every Malware can be executed inside the Sandbox? This seems a little hazardous to me. Malware must only be able to escape sandboxie somehow, and then it can wreak havoc on my PC/RAM because no protection sees executables inside the Sandbox.

Am I correct? is this same nontheless?
Thanks!
While I was testing Anti virus softwares inside VM, Avast installed in my real OS intercepted many malicious web links. As far as I know only the web/network protection component of the Anti Virus installed on the real OS can provide protection to a virtualised OS or inside sandbox and there will be no protection from the host anti virus during file execution happening inside a virtualised OS or sandbox. Since WD don't have any meaningful web protection component it had no way detecting what the web links the sandboxed browser access to.
 
  • Like
Reactions: AtlBo and upnorth

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Spawn: He could have at least gave a description of what that link is or anything at all. It's rude.
 
  • Like
Reactions: AtlBo
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top