broughie

Level 2
Hello, I've just started using Sandboxie freeware for both web browser & Outlook email (I right-click to sandbox the latter).
I'm very unsure about how best to safely download, test and open programmes from the internet. This is the procedure I'm following:
(1) I download from within the sandboxed browser after checking the website with VirusTotal.
(2) I then invoke "Immediate Recovery" to my computer, Downloads folder.
(3) I right-click to sandbox the Downloads folder, then double-click to open the programme within the sandbox to test it, with Avast and Malwarebytes Pro running.
(4) If no malware warning is given, I download the prog again to the unsandboxed Downloads folder, then right-click to do a final check with Spybot and, if OK, open it to install.
My question is: is this a safe method, and if so, is there a quicker way to do it?
Any help greatly appreciated.
 

Spawn

Administrator
Staff member
Verified
If you use IE9 or higher, SmartScreen with Application Rating will check the file upon download completion. It may get flagged for two reasons:
1. Not commonly downloaded, so it's flagged as suspicious.
2. The file is malicious and will be deleted.

If you use Chrome with Malware Protection checked, upon download completion the file will be checked with Google's SafeBrowsing. If malicious the download shelf will display the Discard button, while the Downloads page will give you more options.

If you use Firefox, I believe it may be possible to integrate VirusTotal into the Download Statusbar extension - Google this.

If you use Opera, you can use an Extension called Dr. Web AV LinkChecker (also available for IE, Chrome, Firefox and Safari). Right-click the link or download URL and Scan with Dr. Web.

What I'm saying is that modern browsers have better indicators to determine whether the file you're downloading is safe or not. While it may not guarantee the level of protection a full-time antivirus provides, it does make your experience safer.

If you're browsing within Sandboxie, you should be safe as long as nothing is executed outside the isolated environment.

Using Web-based mail is far more secure and safer than using a desktop client. Services like Gmail offer offline use, without the need for heavy duty spam filters, or extra software.

To check the downloaded files I can suggest a few programs and an alternative to Spybot, which frankly has had its day (just like Windows XP).

VT Hash Check (integrates into WE) - http://malwaretips.com/Thread-VT-Hash-Check
HitmanPro (don't activate) - http://www.surfright.nl/en/hitmanpro/
ESET Online Scanner - http://www.eset.com/us/online-scanner/
VirusTotal for Desktop and Browser Extensions - https://www.virustotal.com/en/documentation/

Looks like I've rambled on. lol
 

Littlebits

Retired Staff
I never sandbox my browsers or web applications; it is not necessary if you always download files from safe sources and never execute files without checking them first. If you use Internet Explorer, never select "Run" on a download; always select "Save", because you can check it before running it. That is the most common way users get infected.

All known malware that infects users today requires the user to manually download and manually execute the malicious file. I think only paranoid users actually sandbox their browsers and web applications or users that just don't know how to safely download files.

If you download a file that appears to be suspicious, then you can add the VirusTotal right-click menu "Send to VirusTotal", then right-click and select "Run Sandboxed" on the suspicious executable file and it will run in Sandboxie.

If you are an advanced user you can see what the suspicious executable file does by opening the Default Box by selecting "Explore Contents". Windows Explorer will open sandboxed and you can view files that the suspicious executable created safely.

I never use Recover Files in Sandboxie; if the executable is verified to be safe, then I will just run it out of the sandbox on my system if it is something that I want to run or install.

The only benefit of using Recover Files is if parts of the executable file have mixed content of both safe and malicious files created. This, however, is very rare; either the executable file is malicious or it is safe, most of the time. Some installers have forced adware, because this can benefit advanced users that want to install a software without any adware included, but this is also rare; most installers nowadays have opt-out options, and if you pay attention the adware can be bypassed easily.

Thanks. :D
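As an added example (not from this thread, and not Sandboxie's or VirusTotal's own code) of the checking step that Spawn's VT Hash Check link and Littlebits' "Send to VirusTotal" tip both point at: hash the saved download once, form the public VirusTotal file-report URL for that hash so it can be looked up without uploading anything, compare the hash against a value the vendor's download page publishes, and confirm that the copy tested in the sandbox and the recovered copy are byte-identical so the installer does not have to be downloaded a second time. The sample files, file names and the "published" hash are constructed here; the URL form is VirusTotal's public file-report page.

```python
# Added example, not code from the thread or from Sandboxie/VirusTotal:
# the "hash the download, look it up, compare copies" step behind the
# VT Hash Check / "Send to VirusTotal" advice above, done offline.
# Sample files are constructed here; the "published" hash is a hypothetical
# value a vendor download page might list.
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so large installers do not fill memory
# Well-known SHA-256 of an empty file, used as a sanity check in demo().
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def file_digests(path):
    """Return the MD5, SHA-1 and SHA-256 hex digests of one file in a single pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def virustotal_lookup_url(sha256_hex):
    """Public VirusTotal file-report URL for a hash: a lookup, not an upload,
    so nothing leaves the machine except the digest."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex.strip().lower()


def matches_published(path, published_sha256):
    """True if the download hashes to the value the vendor page published."""
    return file_digests(path)["sha256"] == published_sha256.strip().lower()


def same_file(path_a, path_b):
    """True if two copies are byte-identical, e.g. the copy tested in the
    sandbox and the copy recovered to Downloads; if so, no re-download is needed."""
    return file_digests(path_a)["sha256"] == file_digests(path_b)["sha256"]


def demo():
    """Build constructed sample files in a temp dir and run the checks on them."""
    with tempfile.TemporaryDirectory() as tmp:
        sandboxed = os.path.join(tmp, "setup-sandboxed.exe")
        recovered = os.path.join(tmp, "setup-recovered.exe")
        tampered = os.path.join(tmp, "setup-tampered.exe")
        empty = os.path.join(tmp, "empty.bin")
        payload = b"constructed installer bytes, not a real program\n" * 1000
        for path, data in ((sandboxed, payload), (recovered, payload),
                           (tampered, payload + b"unexpected trailing bytes"),
                           (empty, b"")):
            with open(path, "wb") as fh:
                fh.write(data)
        # Hypothetical value "published" on the download page: here simply the
        # digest of the constructed good copy.
        published = file_digests(sandboxed)["sha256"]
        return {
            "sandboxed_sha256": published,
            "lookup_url": virustotal_lookup_url(published),
            "recovered_matches_sandboxed": same_file(sandboxed, recovered),
            "recovered_matches_published": matches_published(recovered, published),
            "tampered_matches_published": matches_published(tampered, published),
            "empty_sha256": file_digests(empty)["sha256"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real download, call `file_digests()` on the saved path and open the returned lookup URL in a browser; a report that exists for that hash means the file has been seen before, while no report means only that nobody has submitted it yet, not that it is clean.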
 

broughie

Level 2
Many thanks for all your suggestions & ideas.
- "Earth": I do have VT integrated in sandboxed Firefox. Will use HitmanPro, as it was the only prog I used, of many (as a one-off), that detected the ZeroAccess rootkit on my PC prior to reinstall. Will now use it regularly, as you suggest, to scan all downloads. But in defence of Spybot, it is one prog I find that detects low-level nasties on both sons' PCs, e.g. Babylon, iLivid, Delta, MyWebSearch etc., that Malwarebytes, AVG, MSE & Avast don't detect. So I use it plus ADW to remove them.
- "Littlebits": I'm now using the right-click VirusTotal option, a great idea, and also the "Explore Contents" procedure.
My concern re not sandboxing the browser, as you suggest, is: what about the much-reported "drive-by downloads" threat, or infected holes in browsers etc. prior to updates? I only scan unknown websites with VT.
- "Bro Elam": many thanks for the suggested Windows Explorer sandboxing, a great tool, now using it.
 

broughie

Level 2
Littlebits said:
Re your comments that only paranoid users sandbox their browsers:
My understanding is that one of the main, much-quoted benefits of Sandboxie is that by sandboxing the browser, drive-by download attacks due to browser vulnerabilities can be prevented.
I quote findings from joint research by three eminent universities in the USA, France & Austria:
"Drive-by downloads work by exploiting vulnerabilities in web browsers, plugins or other components that work within browsers. Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks."
 

Littlebits

Retired Staff
My concern re not sandboxing the browser, as you suggest, is: what about the much-reported "drive-by downloads" threat, or infected holes in browsers etc. prior to updates? I only scan unknown websites with VT.
Drive-by downloads no longer exist if you are using an updated browser and plugins. Internet Explorer, Firefox and Google Chrome already block drive-by downloads by default; the user has to click to download files and execute them. I haven't seen a drive-by download since about 2007, because browsers now have better security to block them. Even if one happens to get by, it will still be blocked by UAC; the user would have to approve it in order for it to be successful in infecting your system.

All downloads require user actions to manually download and execute, unless you are using out-dated browsers, the Java plugin, Adobe Flash, Shockwave or PDF plugins.

Keep your browsers and plugins updated and disable Java, and you will probably never see any drive-by downloads. If you happen to encounter one that slips by, keep UAC on default settings and make sure to check the file before approving it. If the file is not digitally signed by a trusted publisher, then it could be malicious; UAC will let you know if the file is digitally signed.

Thanks. :D
 

MalwareVirus

New Member
@broughie
I suggest, if you like Sandboxie, use it as you are using it right now; your method is right. To reduce time, download normally through sites like Softpedia, and I think you don't have a need to scan it with an antivirus because they are already scanned by Softpedia. So it saves my time, but for other downloads that you are downloading from untrusted sites, you have to check them with a scanner.
Thanks :)
 

broughie

Level 2
Thanks Littlebits,
Have removed Java as you suggest & will see how it goes, but will continue to use the sandboxed browser for the time being, as my system is XP so there is no UAC.
Have followed your other good suggestions: using the VirusTotal right-click to check saved downloads & running them within the sandbox, then outside if malware-free. My Avast antivirus has an auto software updater for Flash, Shockwave & Adobe PDF, so no problem there.
Do you have a view on HitmanPro.Alert as an extra browser safeguard when banking and shopping etc.? Noticed good reports on it here.
Thanks