Stopping "cmd.exe" from running sandboxed
I found a website where a poster suggested that Sandboxie users edit Sandboxie to prevent "cmd.exe" from running, but didn't spell out how to do it. Is this a good thing to do? Here is the link to the page I found it on (bottom of comment #16): http://forums.anandtech.com/showthread.php?t=206173
I am not very computer literate, but would like the thoughts of other forum members more knowledgeable in this area.
I've seen screen prints from malware writers' sites, in which they show how effective their program is - in infecting, or stealing information from users.
Java seems to be high on the list of infection vectors, but I'm not sure that running cmd.exe on a user's computer was even listed.
There would have to already be an existing program for cmd.exe to run, since simply running cmd.exe on its own doesn't do anything.
So are they talking about placing a program on your computer, and then starting cmd.exe to run it?
Someone more knowledgeable about malware than me would have to say whether anyone does that, or not.
Anyway, I can't think of a way to black-list cmd.exe from running in the sandbox.
What I do is to use Sandboxie's Start/Run Restrictions in 2 of my sandboxes, to white-list programs that are allowed to start and run.
Merely leaving cmd.exe off of the list of white-listed programs is enough to keep it from running sandboxed.
I don't intentionally visit any known malware sites, and then see if I would be infected.
But in my most used Firefox sandbox, I use Start/Run Restrictions - and use the default selection in which I am notified if any non-white-listed program tries to run - and I've never been notified that cmd.exe has tried to run in the sandbox while browsing.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
Mike wrote:
I haven't tried this, but what about: ClosedFilePath=C:\Windows\System32\cmd.exe

Yes, that should work. The system won't be able to find cmd.exe, so it can't run it either.
Sandbox Settings > Resource Access > File Access > Blocked Access
Click on "Add" and navigate to, and select, cmd.exe in the Windows\System32 folder
OK
I would also like to hear what others think, about keeping cmd.exe from running in the sandbox.
Does that add anything of real value to the user?
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
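Mike's ClosedFilePath line above blocks one path. The following is an added example, not code from this thread or from Sandboxie: a small Python audit that parses a Sandboxie.ini (box sections in square brackets, the same key repeated once per value) and reports, per box, which copies of cmd.exe a ClosedFilePath entry covers. It checks two paths because on 64-bit Windows a second, 32-bit cmd.exe lives in C:\Windows\SysWOW64; the sample INI text and the box names in it are constructed for the example.

```python
"""Audit Sandboxie.ini box sections for ClosedFilePath entries that block cmd.exe.

Added example, not part of the forum thread or of Sandboxie itself. Assumes the
Sandboxie INI layout ([BoxName] sections, repeated ClosedFilePath= lines) and
checks both the 64-bit and the 32-bit cmd.exe, since on 64-bit Windows a second
copy lives under C:\\Windows\\SysWOW64.
"""
from collections import defaultdict

# Both copies of cmd.exe on a 64-bit Windows install; compared case-insensitively.
CMD_PATHS = (
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\SysWOW64\cmd.exe",
)


def parse_sandboxie_ini(text):
    """Return {box_name: {key: [values...]}}; keys may repeat, so values are lists."""
    boxes = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:   # stray line outside any section
            continue
        key, value = line.split("=", 1)
        boxes[section][key.strip()].append(value.strip())
    return boxes


def cmd_block_status(boxes, box_name):
    """Map each cmd.exe path to True when the box has a matching ClosedFilePath entry."""
    closed = {v.lower() for v in boxes.get(box_name, {}).get("ClosedFilePath", [])}
    return {path: path.lower() in closed for path in CMD_PATHS}


def unblocked_cmd_paths(boxes, box_name):
    """List the cmd.exe copies the box does not block (empty list means both are covered)."""
    return [path for path, blocked in cmd_block_status(boxes, box_name).items() if not blocked]


# Constructed sample: one box blocks only the System32 copy, the other blocks both.
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
ClosedFilePath=C:\Windows\System32\cmd.exe

[Firefox]
Enabled=y
ClosedFilePath=C:\Windows\System32\cmd.exe
ClosedFilePath=C:\Windows\SysWOW64\cmd.exe
"""

if __name__ == "__main__":
    parsed = parse_sandboxie_ini(SAMPLE_INI)
    for box in ("DefaultBox", "Firefox"):
        missing = unblocked_cmd_paths(parsed, box)
        print(box, "-> both cmd.exe copies blocked" if not missing
              else "-> not blocked: " + ", ".join(missing))
```

A box that lists only the System32 path is reported as leaving the SysWOW64 copy open, which is the gap a per-path block leaves on a 64-bit system; as the replies below note, a Start/Run white-list covers anything not explicitly allowed and does not depend on enumerating paths.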
Guest10 wrote:
I would also like to hear what others think, about keeping cmd.exe from running in the sandbox.
Does that add anything of real value to the user?

For people like you and me, who don't intentionally visit malware sites, maybe the value is more theoretical. But as you know, you can do a lot from cmd.exe - start any program, delete directory trees, create or host scripts, etc. It may or may not matter, depending on whether you have anything important in the sandbox, or if you have any OpenFilePaths. I was going to create a thread which touched on this... will do so in a couple days when I have time.
Ruhe wrote:
As all my sandboxes have Start/Run Access in action there is in general no need for this cmd tweak.

Agreed, Start/Run whitelists are the way to go since they're more complete. If you were addressing Guest10's question though, I think it was more about the value of preventing cmd.exe from running sandboxed in general.
Thanks, guys. I was looking at that Start/Run whitelist feature, and whether it was what to use to prevent cmd.exe from running. I am not a techie, so what I would do is list all the programs that are white-listed in this box, such as my browser, email client, etc., and that would prevent things like cmd.exe from running in the sandbox?
Newbeak wrote:
I am not a techie, so what I would do is list all the programs that are white-listed in this box, such as my browser, email client, etc., and that would prevent things like cmd.exe from running in the sandbox?

Correct, any program not explicitly listed will not be able to run in that sandbox. Note that, with Start/Run restrictions, no program installed inside the sandbox will be allowed to run - presumably, this is a safety precaution.
For your reference, the help page is here: http://www.sandboxie.com/index.php?Rest ... s#startrun
It will take you some time to develop a Start/Run list for the sandbox.
You will quickly find that there will be programs that you need to add to the list.
If you are using a recent version of Sandboxie, when it notifies you that a program cannot run due to the restrictions, you don't have to end the sandboxed programs and then revise the list.
You should be able to just open the Sandboxie Control icon, and add the program from:
Sandbox Settings > Restrictions > Start/Run Access > "Add Program" button
and look for the program's name in the lists that are there.
Add it, and the change takes effect immediately.
You will likely find yourself adding things like: Windows Media Player, your PDF viewer, a download manager (if used), unzip utility, Firefox's Plugin-Container.exe, etc.
I also had to add some print spooler .exe's, for a seldom used ink jet printer.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
Guest10 wrote:
If you are using a recent version of Sandboxie, when it notifies you that a program cannot run due to the restrictions, you don't have to end the sandboxed programs and then revise the list.
You should be able to just open the Sandboxie Control icon, and add the program from:
Sandbox Settings > Restrictions > Start/Run Access > "Add Program" button
and look for the program's name in the lists that are there.
Add it, and the change takes effect immediately.

When I discovered that change (a while back), it was a most welcome new feature (not having to interrupt the then current session).
Blues
Real-Time: Sandboxie (Lifetime), Online Armor Premium, Webroot SecureAnywhere AV
On Demand: Shadow Defender, MBAM Pro, HitmanPro, Drive Snapshot / Macrium Reflect
Blues wrote:
When I discovered that change (a while back), it was a most welcome new feature (not having to interrupt the then current session).

It's not quite as nice as it could be, if you could just add the program to the Start/Run Restriction list when the SBIE1308 message is generated.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
Guest10 wrote:
Blues wrote:
When I discovered that change (a while back), it was a most welcome new feature (not having to interrupt the then current session).
It's not quite as nice as it could be, if you could just add the program to the Start/Run Restriction list when the SBIE1308 message is generated.

Well, yeah, but I'm not complaining...
Blues
Real-Time: Sandboxie (Lifetime), Online Armor Premium, Webroot SecureAnywhere AV
On Demand: Shadow Defender, MBAM Pro, HitmanPro, Drive Snapshot / Macrium Reflect