Advice Request Sandbox, how to diag if legitimate ?

[lab34]

Hello,
My life: Thanks to @cruelsister 's video, I'm switching since a week to Commodo Firewall + 360TS.
Since a few years, I was living in a cavern with avira + windows firewall control (sphynx) and was trusting av-comp, and never had heard of behavior blocker. But I've never been infected.

My question is: how can I diagnose if something running in the Sandbox is legitimate ?
Most of the time, the execution in the SB will fail...

There are some simple cases:
- an unique exe or dll: I upload it to Virustotal. (I'm already doing this since many years, with caution of the date of the exe, the date of last analysis...)
- a game bought on steam: I make the assumption it is safe. My last case was Chivalry. I'm tempted to add a rule to ignore the steamlibrary folder (I hope it's safe to do that !).

But, other case are less simple:
- something complex with many dll: I cannot upload everything to VT
- with "heuristic command analysis", the msiexec of clamwin is going to the sandbox. I know clamwin should be safe, but why is it going to SB, and others msiexec not ? How can I trust another piece of software that I want to test ?

In the videos, our sister is watching the activity with killswitch or task manager, ok. In some videos we are seeing some exe running, some doc files beeing screwed (not with CF ;-) ) , but when we are in front of an installer that just crash, how can we handle the diagnosis ?

Other thing: when something is going to the SB, sometimes it's because of the file rating "unknown". But sometimes it's caused by the options of the HIPS (hips off, but I know some options are still operating: command line analysis, embedded code detection...). It's sad that the log is not saying why. (maybe it's a noob remark, sorry)

regards,

 

[shmu26]

It's a good question, and I don't think there is a good answer.
Running a file in sandbox won't tell you for sure if a file is safe or not. But it will protect your system from infection.

If the file has been around for a week or more, and you got it from a public source, then if you upload the installer file to Virus Total, that's a pretty strong indication. Virus Total can also check the download link, if the file is too large to upload.

 

[cruelsister]

Lab- It's actually a superb question, and as Shmu states not an easy one to answer.

Note that CF will sandbox (virtualize) only those things that aren't so much Unknown as they are Unsigned. Running an unsigned application should always be a concern, but sadly quite a number of products are released continually by large organizations without digital signatures. Two cases would be my beloved SeaMonkey browser (from Mozilla; kinda-sorta) as well as VirusTotal Uploader from Google. So how do we differentiate a ransomware file from Seakmonkey? It takes work- assume first that it is Foul by observing what happens in the sandbox; if all seems fine then research is needed. If downloaded from a know developer from their official website one can assume that it is legit. Otherwise it is not worth the risk. This would be a similar scenario to when one gets an alert from an AV- just last week (and maybe an ongoing thing), Kaspersky flagged Zemana Anti-Malware as malicious; further questioning was needed to realize that this was FP.

Now we must also group a user into either a serial installer or one that rarely installs anything "just to try it out". For the former something like either Qihoo Total Security or what is becoming a favorite, Avast Free is an excellent idea. An unsigned application sandboxed by CF that also is considered safe by either of these two AV's will limit any risk. The AV will consider safe a know and unsigned pre-existing (in the Wild) application, whereas CF will nail anything that is a true zero-day that would bypass any AV. For the latter group (including those who know how to properly Vet an application) CF will be enough alone.

As Home users we are left with security applications that always leave a bit to be desired. The traditional AV is prone to bypass by fresh malware, and things that either employ virtualization like CF or have a very restricted Trust list like the superb AppGuard will not in any way allow Universal installs preferable would be a product with real-time forensics like FireEye, but this is not an economically feasible alternative). So we are left to consider what we know about malware, the most common vectors of infection, and the most expeditious way to deal with them. In my personal experience the system Comodo uses in CF will yield the lowest probability of getting infected, even lower when the user is knowledgeable or is without knowledge and puts faith in the product.

But to answer your concern directly, trust CF unless you are absolutely, positively sure it is OK.

(ps- I know that this is an unsatisfying answer, but sadly true in today's world. Remember that you are not being paranoid if everyone is actually out to get you0