Sandboxie, USB's & Malware


Tony Cole

Level 27
Thread author
Verified
May 11, 2014
1,639
Morning Everyone:

I was pondering/wondering: if I used Sandboxie and sandboxed my external HDD (which apparently you can do), and you did get infected, would that stop it spreading to your USB/external HDD?

Tony :)
 
Reactions: Moose

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Hmmmm, I think the answer is no, because if you get infected with, say, a cryptolocker it will encrypt all files and folders it can find, including the HDD or USB. The sandboxed version of it is basically to protect the rest of your computer if your HDD has malware and has begun encrypting: it will only encrypt within the sandbox and leave the rest of your computer alone.

Think of it like this: your real computer has real files X, Y and Z, while inside your sandbox there are fake copies that are called X', Y' and Z'. When you run a cryptolocker unsandboxed it will affect all unsandboxed files, meaning X, Y and Z. If you run it in a sandbox it will of course only affect the sandboxed files, X', Y' and Z'. Running your HDD in a sandbox will only protect your computer from malware within the HDD, because only the HDD is sandboxed. If you run malware outside the sandbox and your HDD is plugged in, then the malware would encrypt all files, no matter whether they are in the sandbox or not.

What happens when you sandbox your HDD is that it makes a copy of the files into your sandbox folder and temporarily stores them there until you close the session, at which point all data is cleared.

I hope you understand my long explanation :)
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
In such a straightforward conclusion: any changes done will be reverted, and as long as you have configured it properly, the chance of anything jumping out will be very slim.

In a serious case, like if you've run ransomware (from USB) in the sandbox and everything in Windows Explorer has vanished, it's possible to execute CMD from the batch file that was supposedly created earlier. It also helps to assign it beforehand to the shutdown/restart function.

http://forums.sandboxie.com/phpBB3/viewtopic.php?p=94962
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
He asks if malware can get inside the Sandbox, very interesting. :rolleyes:
 

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
366
How about ClosedFilePath=X:\ where X is your drive letter?
Close the path to each and every drive you wish.
Except C:\ (assuming this is your system drive/partition).
You can't ClosedFilePath C:\, please don't do that! Otherwise Sandboxie will not work! Your sandboxed programs won't work!
This sandbox setting line goes into Sandboxie.ini in each sandbox you have. This way, if crypto-malware runs within a sandbox it will not have access to that/those drives. Although by default, i.e. without the ClosedFilePath setting, Sandboxie will allow crypto-malware to encrypt the sensitive files within this virtual confined environment (sandbox) only, not in the real filesystem: just close the sandboxed program and delete the contents, then the encrypted files will be gone and your real sensitive files in the real filesystem are untouched. Yet I still use this ClosedFilePath line as an extra protection, just to "feel" safer. Besides, this line will block access to any other sort of malware trying to read and steal/copy your sensitive files.
You can use this setting for USB drives or internal drives/partitions as well.
 
Reactions: Moose and bjm_
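The suggestion above is a per-sandbox configuration change, and the post itself names the one way to get it wrong (closing the system drive root). The script below is an added example, not code from this thread or from the Sandboxie project. It assumes the Sandboxie.ini layout of one [SectionName] per sandbox plus [GlobalSettings], with ClosedFilePath allowed to repeat within a section, and that the system drive is C: unless told otherwise; the INI text it reads is constructed for the example.

```python
"""Audit ClosedFilePath entries in a Sandboxie.ini.

Added example (not from the forum thread or from Sandboxie itself).
Assumptions, labelled here: Sandboxie's INI layout of one [Section] per
sandbox plus [GlobalSettings]; ClosedFilePath may repeat inside a section;
the system drive is C: unless the caller passes another letter.
"""
import re

# Constructed sample: two sandboxes, one of them closing the system drive.
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
ClosedFilePath=D:\\
ClosedFilePath=E:\\

[BrowserBox]
Enabled=y
ClosedFilePath=C:\\
ClosedFilePath=D:\\
"""

_SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
_DRIVE_ROOT = re.compile(r"^([A-Za-z]):\\?$")  # matches "D:" or "D:\"


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order.

    configparser is deliberately avoided: it rejects repeated keys, and
    Sandboxie relies on repeating ClosedFilePath (one line per path).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def closed_drives(section_settings):
    """Drive letters whose root is closed by ClosedFilePath in one sandbox."""
    drives = set()
    for key, value in section_settings:
        if key.lower() != "closedfilepath":
            continue
        m = _DRIVE_ROOT.match(value)
        if m:
            drives.add(m.group(1).upper())
    return drives


def audit(text, system_drive="C"):
    """Per sandbox: which drive roots are closed, and whether the system
    drive is among them (the misconfiguration that breaks sandboxed programs,
    since they and their supervised copies live under that drive)."""
    report = {}
    for name, settings in parse_sandboxie_ini(text).items():
        if name == "GlobalSettings":
            continue
        drives = closed_drives(settings)
        report[name] = {
            "closed_drives": sorted(drives),
            "system_drive_closed": system_drive.upper() in drives,
        }
    return report


def closed_file_path_lines(drive_letters, system_drive="C"):
    """Generate ClosedFilePath lines for data drives, refusing the system drive."""
    lines = []
    for d in drive_letters:
        d = d.upper()
        if d == system_drive.upper():
            raise ValueError(f"refusing to close system drive {d}:\\")
        lines.append(f"ClosedFilePath={d}:\\")
    return lines


if __name__ == "__main__":
    for box, info in audit(SAMPLE_INI).items():
        flag = "  <-- system drive closed; sandboxed programs will not run" \
            if info["system_drive_closed"] else ""
        print(f"{box}: closed {info['closed_drives']}{flag}")
    print("\n".join(closed_file_path_lines(["d", "e"])))
```

Run it against a real Sandboxie.ini by reading the file into `audit()` instead of `SAMPLE_INI`; any sandbox reported with `system_drive_closed` set is the state the post warns against, and `closed_file_path_lines()` produces only the lines that are safe to paste into a sandbox section.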

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
@Mr.X
Following your suggestion, I've added C:\ to ClosedFilePath.
EDIT: reversed above
I thought application sandbox would Isolate crypto/malware in sandbox.. ?
 
Reactions: Moose

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
366
@Mr.X
Following your suggestion, I've added C:\ to ClosedFilePath.
I thought application sandbox would Isolate crypto/malware in sandbox.. ?
I forgot to mention: except C:\ (assuming this is your system drive/partition).
You can't ClosedFilePath C:\, please don't do that! Otherwise Sandboxie will not work!
Please undo that change, again if C:\ is your system/OS drive!
Your sandboxed programs won't work!

I thought application sandbox would Isolate crypto/malware in sandbox.. ?
Yes, any sandboxed application/program would isolate encryptors launched in the same sandbox in the first place, no doubt about that.
 
Reactions: Moose and bjm_

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
366
Now if crypto-malware runs outside any sandbox, I think there's nothing Sandboxie can do against it; then I think of AppGuard, which can effectively block the threat.
You should know there are other well-matured programs able to stop encryptors too.
 

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
Good to know as I run AppGuard and HitmanProAlert
 

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
366
Morning Everyone:

I was pondering/wondering: if I used Sandboxie and sandboxed my external HDD (which apparently you can do), and you did get infected, would that stop it spreading to your USB/external HDD?

Tony :)
Re-reading the OP once again, I'd say sandboxing your USB/external HDD or whatever is meant to stop an infection spreading from those drives to your real system. See? It's the other way around. This setting is to prevent infections from infected external USB drives reaching the real system.

The other layer of protection is to BACKUP! BACKUP! and BACKUP! Be prepared for a new, unknown, incredibly advanced threat which can bypass all your security programs (quite unlikely nowadays)... but who knows.
 