Sandboxes against a simple API exploit
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Sep 22, 2014
- 1,767
@Umbra
What kind of profile you have?
Let's say profile for:
- surfing
- testing programs
- for USB devices
Please advice settings for free version of Sandboxie.
Tnx
What kind of profile you have?
Let's say profile for:
- surfing
- testing programs
- for USB devices
Please advice settings for free version of Sandboxie.
Tnx
Chrome, Download folders (video, music, etc...), File Explorer, USB,
mostly drop rights, blocked access
- Jun 3, 2015
- 200
(Sorry for being nitpicky here... But there is a minor typo in the topic title.)
- Mar 1, 2014
- 1,708
The exploit is simple yet sinful. Combine them, you get sinple.
- Jun 3, 2015
- 200
That, sir. Epic. Why haven't I thought of that.The exploit is simple yet sinful. Combine them, you get sinple.
?HJLBX,
You & I know that CIS sometimes gives prob like we have talked that sometimes trusted programs generate FW alerts. So as per cruelsister settings i.e block connections for unknown - this settings could be prob as those trusted programs connections will be blocked.
And as you know anything run sandboxed i.e rightclick run in sandboxed - even trusted programs generate FW alerts - those connections will be blocked too as per cruelsister settings. I have read you post regarding this on Comodo forum. Guess its you or Yigido? Dont know if this is solved in the new version or not?
So in my opinion even little customization like this needs user to know how to undo the things.
I agree with any & all users here when it comes too experts.
But when it comes to average users then defaults is very strong. Heck even average users means depends on the user if he is ready to go into the GUI sometimes to solve the things. But even then if the average user has installed CIS he would be fine with defaults with least probs than any other custom settings IMHO.
@yesnoo
What follows is an explanation - not for you since you are fully aware of the issue - but for others...
You are absolutely correct. This is because even when a Trusted file is updated (just by the process of updating legitimately and automatically) it is now "modified." How CIS handles the updating (modification) of Trusted files is problematic.
Once a Trusted file has updated (been modified), CIS changes the file rating from Trusted to Unrecognized. The consequence of this File Rating change is that - depending upon CIS settings - the Trusted file (which has now been re-rated as Unrecognized by the act of updating) will generate alerts (HIPS, Firewall) and be auto-sandboxed.
Remember - the core functionality of CIS is such that only Unrecognized files generate alerts and auto-sandboxing.
On the one hand, this CIS behavior increases security by protecting against malicious file changes - even to Trusted files. On the other hand, the vast majority of CIS users do not know this is how CIS works. So when a bunch of Microsoft files (after Windows update for example) are modified, the user doesn't understand why CIS is now treating Trusted files as Unrecognized.
There's no direct, easy solution to this issue. Since CIS monitors all executable file types, if it were to shoot an alert to the user every time a legitimate file is updated, it would mean a huge number of alerts. So, in the current CIS alert system, that isn't going to work.
The current solution is for user to manage file changes by CIS manually...
My solution is to periodically add the entire WIndows and Program directories to the Trusted File List.
NOTE: Any malware installed to those directories can be white-listed if you are not paying attention !!!
HJLBX,
With CIS default settings I never observed any probs related to Windows files or Microsoft products after update/upgrade too.
For other programs too I observe very little prob...could be new versions are added fast in the whitelists...atleast for popular & most used or most observed programs on majority of the systems.
For ex- Shadow Defender is a popular program but I think not majority of the users run it. I had installed the latest version of Shadow Defender the day itself it was released & CIS find it safe - was good to know whitelist have improved.
On the contrary I have noticed that almost all programs issue automatic updates after certain period of time...one can manually upgrade the programs by downloading the installer/updates/upgrades from the official site. Now with CIS I have noticed that if you wait for the automatic updates of those programs...you will face lesser probs i.e by the time automatic updates are issued Comodo too would have whitelisted the new versions. But if you try to upgrade the programs the day itself it was released or as soon as you can get your hands on the upgrade then you could face the prob like newer versions not yet whitelisted by Comodo.
So in my opinion...to have lesser probs with CIS its best to wait for the automatic updates than manual upgrade of the programs on the release day itself...from my observation.
With CIS default settings I never observed any probs related to Windows files or Microsoft products after update/upgrade too.
For other programs too I observe very little prob...could be new versions are added fast in the whitelists...atleast for popular & most used or most observed programs on majority of the systems.
For ex- Shadow Defender is a popular program but I think not majority of the users run it. I had installed the latest version of Shadow Defender the day itself it was released & CIS find it safe - was good to know whitelist have improved.
On the contrary I have noticed that almost all programs issue automatic updates after certain period of time...one can manually upgrade the programs by downloading the installer/updates/upgrades from the official site. Now with CIS I have noticed that if you wait for the automatic updates of those programs...you will face lesser probs i.e by the time automatic updates are issued Comodo too would have whitelisted the new versions. But if you try to upgrade the programs the day itself it was released or as soon as you can get your hands on the upgrade then you could face the prob like newer versions not yet whitelisted by Comodo.
So in my opinion...to have lesser probs with CIS its best to wait for the automatic updates than manual upgrade of the programs on the release day itself...from my observation.
- Apr 13, 2013
- 3,144
I just got home, logged on and I thought I was seeing things when noting the amount of views and replies. Didn't realize there were so many SB fans!
As a way of an explanation of what I did in the Video-
1). The setup of Sandboxie wasn't my primary focus; the susceptibility of the program to API exploits was. I also prefer very quick videos which by necessity preclude going into any depth (it may seem counter intuitive, but making a 2 minute Video takes a great deal longer than making a 20 minute one). I honestly had no idea it would be received as it was, so please accept my sincerest apologies for the lack of detail.
2). One of the primary complaints was that seperate sandboxes should be set up for different things. This is a valid point and will be addressed.
3). Another issue pointed out was that the malware could be easily stopped by a simple setting (namely by checking the Drop Rights box in Restrictions). This is also very valid as it would most definitely stop the Exploit from proceeding. The issue here, however, is that this would be a form of Reactive Protection- by this is meant that we know the file is malware, we know what it can do, so we set up a system that will stop the malicious activity from occurring. This may look good on a Video test but will it actually be useful in Real-World computer use?
In order to illustrate what I mean a second Video is most definitely needed. I have to beg for your patience for this one as a bit of coding on my part will be needed, and as I just got home a bit ago (and still have to brush my cat Ophelia) and need some sleep it will take a little time to produce, but most assuredly will be posted within 48 hours (hopefully sooner).
Finally thank you for your interest in that little Vid, And thanks even more for the comments (and not a single mean one in the Lot! I love this place!),
M
As a way of an explanation of what I did in the Video-
1). The setup of Sandboxie wasn't my primary focus; the susceptibility of the program to API exploits was. I also prefer very quick videos which by necessity preclude going into any depth (it may seem counter intuitive, but making a 2 minute Video takes a great deal longer than making a 20 minute one). I honestly had no idea it would be received as it was, so please accept my sincerest apologies for the lack of detail.
2). One of the primary complaints was that seperate sandboxes should be set up for different things. This is a valid point and will be addressed.
3). Another issue pointed out was that the malware could be easily stopped by a simple setting (namely by checking the Drop Rights box in Restrictions). This is also very valid as it would most definitely stop the Exploit from proceeding. The issue here, however, is that this would be a form of Reactive Protection- by this is meant that we know the file is malware, we know what it can do, so we set up a system that will stop the malicious activity from occurring. This may look good on a Video test but will it actually be useful in Real-World computer use?
In order to illustrate what I mean a second Video is most definitely needed. I have to beg for your patience for this one as a bit of coding on my part will be needed, and as I just got home a bit ago (and still have to brush my cat Ophelia) and need some sleep it will take a little time to produce, but most assuredly will be posted within 48 hours (hopefully sooner).
Finally thank you for your interest in that little Vid, And thanks even more for the comments (and not a single mean one in the Lot! I love this place!),
M
- Apr 13, 2013
- 3,144
Note to Umbra- Can you please change "sinple" to "simple" in the topic title? I have absolutely no clue as how to do it myself (and can't believe it happened in the first place).
Thanks!!!
Thanks!!!
- Sep 22, 2014
- 1,767
Most programs are added by Comodo to their Safe List by the on-going efforts of many users. If it weren't for them, CIS would detect most safe programs as Unrecognized. Lots of CIS users are unaware of this fact... the white-list\black-list file submission champion is MT's very own @Malware1...
It takes Comodo about a year to add most Windows files to the Safe List - believe it or not... and the process never ends because Microsoft must continually issue Windows updates. Comodo technicians must review each file manually before it is added to the Safe List... as Comodo File Ratings are not Virus Total based.
@yesnoo
After Windows Update - over the course of a week, run a Rating Scan... you will see exactly what I mean.
I will give an example, every time Flash (a Trusted file) is updated via automatic updates, CIS will sandbox it... because it has changed and CIS has changed the rating from Trusted to Unrecognized. This CIS behavior is independent of configuration.
Also, CIS only alerts and sandboxes to files loaded into active memory. So, if a file is updated - but is never loaded into active memory - then CIS will never generate any kind of alert nor sandbox it.
in fact, sandboxie and CIS shouldn't be installed together.
no, because every Sandboxie's user that is a little bit interested by Sandboxie will know to tick the "Drop my right" checkbox. This is the first tweak veterans Sbie's users give as advice.
yes , as i said above.
Similar threads
