Sunshine-boy

Level 27
Verified
Hello,
Lately, I was testing the QIHOO 360 sandbox against malware samples and random files/installers. I found that the eM Client MSI installer can bypass 360 Sandbox.
Just download their installer from here:

Download eM Client 7.2.34711.0 (Softpedia): www.softpedia.com

Now, right-click the file, and select "run in 360 Sandbox." Wait for the installer to finish its job.

Now go to the Program Files folder and you will see the emclient folder is there! And emptying the sandbox won't help, either.
This bypass was tested on both 360 Total Security Essential and 360 Total Security.

I'm posting this because 360 never answers my emails.
I like this AV and its smart HIPS and cloud, but the thing is 360 support is the worst in the world!

There is another malware that can shut down your PC and disconnect you from the Internet while running inside the 360 sandbox.
You can test it yourself. PM me for a link to the malware sample; I can't post it publicly because of forum rules.


Their forum is not even accessible by foreigners and you need to register with a phone number. :(:(:(
 

Spawn

Administrator
Verified
Staff member
May be due to the type of installer package (.MSI).
MSI files are executed by an EXE file that is part of Windows, called MSIEXEC.EXE. This application reads the data in the MSI file and executes the installation.
 

shmu26

Level 83
Verified
Trusted
Content Creator
May be due to the type of installer package (.MSI).

How would an MSI installer so easily escape the sandbox? I would think that the processes it spawns should be sandboxed, too.
 

shmu26

I think the moral of the story is that building a good sandbox isn't so easy. Better to stick to the experts, like Sandboxie and Comodo. The smaller brands have not been tested enough. Who knows if they are any good or if they are getting the necessary updates.
 

shmu26

There are some other flaws. You can't run 360 TS on a standard account! They don't want to fix this issue. The Chinese version is much better and less buggy.
You can't run it at all, or you can't configure it?
I remember that you can install it in admin account, and it will work also in SUA, but you need to switch to the admin account for all configuration changes.
 

Sunshine-boy

360 Total Security 10.6.0.1038
They didn't patch the sandbox after 20 days! The MSI installer bypasses the sandbox, and that malware can still disconnect me from the internet and shut down my machine!
It seems they don't care. 360 researchers are busy with Apple iPhone and Google Chrome bugs! They should first fix the 360 bugs :)
Good cloud and HIPS, but I don't recommend this AV anymore. Piece of crap. The Chinese version is 10x better than this crap (robust firewall with advanced protection, sandbox that uses Intel virtualization technologies, banking mode, QEX engine, 360 security respond engine and more features that the international version doesn't have).
The new Chinese AV Huorong is much better than this crap! They don't have a cloud and sandbox, but at least they care about bugs and flaws.