App Review Sandboxes against a simple API exploit

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
Is the API exploit in this thread signed? My guess is that it is not, but if it is then it would be nice to test it against AppGuard in medium mode of protection to see if the volume information can be deleted by AG running the executable with limited rights. AppGuard runs signed executables with limited rights in the user-space in Medium Mode of protection. In Locked Down Mode only applications on the Guarded Apps list are allowed to execute from the user-space so if it's not signed it would not be allowed to execute.

Deleted member 2913

But if you were following what Cruelsister posted you will have found out that she doesn't recommend using default settings & why.
I know but still I prefer default settings as IMHO in a real world scenario default settings provide excellent protection & usability.
AV+AS+FW defaults are sufficient for the majority IMHO.
I only set FW "don't show popups" unchecked & the rest default settings.

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
I never use default settings for anything. I think default settings are best for novice users. Most products provide a higher level of security when properly configured for the environment, or configured based on user-level knowledge. The developers usually try to balance level of protection vs usability. Since developers target the consumer market they target their products to less knowledgeable users in order to survive. If they don't bring in enough profit then they don't stay in business. They try to make as many decisions for the user as possible to avoid frustration by less knowledgeable users. Most novice users do not know how to configure their security software to avoid application conflicts, and answer wisely to security related prompts.

Moose

Level 22
Jun 14, 2011
2,271
Posts 15 & 17, 23, 30 are waiting for your answer tomorrow.

"Depends what sandbox profile you create...
Note: it is late, I'm going to sleep; if no one has answered you, I will do it tomorrow. ;)"

See your reply soon! And/or anybody else can answer. :)

Deleted member 2913

I agree cutting_edgetech. But I do think CIS base is strong with its "AutoSandbox"...plus support from AV + Cloud + FW. So in my opinion especially for average users defaults CIS is very strong security with usability factor.

Experts can always make CIS more powerful with modified settings.

379EXHD

CFW with cruelsister's recommended settings is all I've used for a long time, it just plain works. I wouldn't consider using any other config. I run browsers and programs outside the sandbox and if CFW throws something in the sandbox you can just about bet it is up to no good. Her settings make it very simple, just leave it alone and it works.

hjlbx

Experts can always make CIS more powerful with modified settings.

Comodo can be configured to a much, much tighter security than default settings.

In fact, one can probably go too far with the rules and configuration...

In the end, it all depends upon what the user wishes to achieve - and how much time and effort they wish to put into configuring Comodo.

Comodo gives the user over-the-top options if they so choose to go that route.

hjlbx

Is the API exploit in this thread signed? My guess is that it is not, but if it is then it would be nice to test it against AppGuard in medium mode of protection to see if the volume information can be deleted by AG running the executable with limited rights. AppGuard runs signed executables with limited rights in the user-space in Medium Mode of protection. In Locked Down Mode only applications on the Guarded Apps list are allowed to execute from the user-space so if it's not signed it would not be allowed to execute.

@cutting_edgetech

Send a PM to @cruelsister... perhaps she'll share the API exploit.

It's like Santa Claus... you won't get it unless you ask for it. :D

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
I didn't ask because it would not be an accurate reflection of AG's sandbox protection unless it's signed. AG would not allow it to execute to begin with unless it's signed. I could run the exploit as a guarded application if it's not signed. I don't think a guarded application should be allowed to delete volume information.

hjlbx

I didn't ask because it would not be an accurate reflection of AG's sandbox protection unless it's signed. AG would not allow it to execute to begin with unless it's signed. I could run the exploit as a guarded application if it's not signed. I don't think a guarded application should be allowed to delete volume information.

That all depends upon which version of Windows and how System Volume folders are protected by AppGuard.

I cannot ever recall Barb stating that AG protects System Volume infos, but that doesn't mean that AG does not.

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
I just spent the past 30 minutes looking for another DVI cable for my test machine. I loaned the one I was using on my test machine to my parents along with one of my test machines. I have limited space right now so my other DVI cables are probably in storage with my other computers. I will wait until I get another cable for my test machine to do any malware testing. I've just been too busy to go through my storage unit since it is so full. It will probably just be easier to buy another cable. I would use the one I'm using on this machine, but it's a pain to switch them out with my setup right now.

Deleted member 178

Late? 20:15h o_O

but 1:15am where I live ;)

I never use default settings for anything.

same here

I don't think a guarded application should be allowed to delete volume information.

I also don't think it will happen in AG

That all depends upon which version of Windows and how System Volume folders are protected by AppGuard.
I cannot ever recall Barb stating that AG protects System Volume infos, but that doesn't mean that AG does not.

I don't recall either, but all my partitions are in user-space

Can you post this "Properly tweak", please :rolleyes:
Tnx

As I said, what kind of sandbox profile? I have created different sandboxes for various usages.

Tony Cole

Level 27
Verified
May 11, 2014
1,639
I think the move towards virtualization is, like cruelsister stated, a growing trend in the business and public sector(s). If legacy antivirus products, i.e. ESET, Kaspersky, Bitdefender etc., have no such capabilities, nor do you see any movement to this technology for home users, with hackers becoming more and more powerful (especially targeting the general public for ID theft), are we able to shield ourselves against such attacks? I use Kaspersky, could that stop API exploits – currently using Windows 10 so Sandboxie is not an option???